Most people consider privacy or data protection to be an annoying and boring topic. What do I care if Amazon knows that I might want to buy Birkenstock sandals? On the contrary, it might even be interesting for me to get personalized ads and offers, it saves me some time from having to do all the research. That's the way many people think when they're looking, for instance, for a nice bikini — they are certainly not looking for extensive juridical treatises on cookie settings. Many people don't want to think too much about data protection. And that's okay, too. But it would be better if this decision was made consciously. That is, in full knowledge of what we reveal about ourselves, about who makes the big money from it, and what the personal consequences can be.
What is data protection and why is data protection important?
Every time we browse online, we leave traces. Which advertisements do we find interesting? Which vacation destinations do we head to, or which comedians do we find particularly funny? This data is collected in several ways: Each time we visit a website, small text files, the famous cookies, are placed in our browsers. Some are necessary for technical purposes, for example recording our location so that website operators can deliver the correct language version. However, website operators often allow other companies, also called "third parties", to install cookies that analyze our behavior.
With these huge collections of data, a comprehensive digital profile of all Internet users is compiled, which is constantly updated and stored in the databases of major companies. This data is sometimes very intimate and it may include: our names, age, gender, location, email address, our search and purchase history, articles, videos and movies we have viewed, our social media activity, consultations with psychologists, information about our health, education level, financial situation, political orientation, sexual behavior and much more.
Companies can access your profile and use this data to form an (often inaccurate) picture of you and even try to manipulate you. For example, by using targeted advertising. But there are other risks as well. For example, insurance companies might deny you cheaper rates based on your medical history. Banks could classify you as insolvent and refuse a loan just because you live in a precarious neighborhood. Politicians could be sending to you to influence your voting behavior - think back to the , where a company helped Trump win the presidential election by collecting and analyzing data from Facebook profiles of U.S. voters. In countries with less liberal views, minorities, such as LGBTQ individuals, could even place themselves at risk.
That's why our data must be protected by rules and laws. Data protection is therefore far more than just protection against the collection and misuse of our data; it means protection against manipulation, disadvantage, and discrimination.
What does the GDPR say?
After years of debate and negotiation between stakeholders from the private sector, civil society and policymakers across the EU, the GDPR became effective on May 25, 2016. However, it did not apply until May 25, 2018. With a two-year grace period, the EU wanted to give companies time to implement the new rules. Since then, companies have to inform users that their data is being collected and they must provide them with the opportunity to limit this collection.
The GDPR is the world's most stringent data protection law. It can be divided into three main points: more transparency, self-determination and stronger enforcement.
- More transparency: consumers have a right to information. Companies are legally obliged to disclose, upon request, what data they store about us. Furthermore, the GDPR requires companies to inform consumers "in a concise, transparent, intelligible and easily accessible form, using clear and plain language" (Article 12) about how they use our data. This puts an end to the seemingly interminable General Terms and Conditions (T&Cs) that no one reads anyway.
- More self-determination: the GDPR gives us more control over our data. For instance, we have the right to be forgotten. If there is no reason to store our data, companies have to delete it at our request. In addition, the GDPR requires companies to provide more privacy-friendly default settings. This is commonly referred to as privacy by default: operators of a website are only allowed to collect the minimum amount of data from visitors, unless they have given their explicit consent. Many companies have used cookie banners to force consent from Internet users, making it much easier to "accept" data collection than to "refuse" it. The Belgian data protection authority, in consultation with other European data protection authorities, on this issue in early February 2022 and declared this use of cookie banners to be illegal, a move that may very well have .
- Stronger enforcement: the GDPR also strengthens the enforcement of data protection law. Data protection authorities can now issue much heavier fines: up to €20 million or 4% of a company's annual global turnover. The market location principle also applies: the GDPR applies to all companies that offer services in the European market, even if they are not based in the EU. The previous record fine was imposed on Amazon by the Luxembourg data protection authority: the tech giant is to pay a total of 746 million euros for abusive online targeting. It still remains to be seen whether this will actually happen.
In Germany, each state has its own data protection authority. They monitor compliance with data protection laws and they are responsible for handling complaints from individuals and organizations alike. These authorities also work closely with the and other national data protection authorities. Liberties, along with its partner organizations, has already filed several complaints against violations of the GDPR with data protection authorities: for instance, in 2020, against , or in 2019, against
Data protection around the world
As already mentioned, the GDPR is the strictest data protection regulation in the world. However, laws have also been passed in other countries in recent years to protect citizens' data. In China, for example, a new data protection law has been in force since November that, like the GDPR, provides for data minimization and purpose limitation. It also gives Internet users more of a right to self-determination and control over their data. But it is only companies that are bound by these rules; the state can continue to monitor people without hindrance.
In the U.S., there is no overarching data protection law like the GDPR. Companies abide by industry-specific rules, but the authorities have significantly more powers than in the EU, especially after the Patriot Act came into force following the attacks of September 11, 2001. Security authorities can tap into personal data without a court order. Similarly, in India or Russia, security authorities and intelligence agencies have unrestricted access to Internet users' data across a wide range of areas. New areas are often added, of course without the consent of the users. This is often justified by alleged national security and counterterrorism interests.