A Law and Economics Approach to the New EU Privacy Regulation: Analysing the European General Data Protection Regulation

Governance and Security Issues of the European Union

Abstract

The discussion on the regulation of citizens’ right to privacy grows in parallel with the widespread usage and collection of Big Data. This chapter analyses, from a law and economics perspective, the discussion on European Union (EU) citizens’ rights to privacy with regard to the collection, retention, analysis and transfer of personal data in light of the EU General Data Protection Regulation (GDPR). The GDPR is drafted in coherence with the EU Digital Market Strategy, which aims to create the correct incentives for digital networks and services to flourish by providing trustworthy infrastructure supported by the right regulations. Achieving this aim requires, to a significant extent, that EU citizens trust digital services enough to use them. The GDPR is designed to increase citizens’ trust in online and digital services by obliging service providers to comply with the GDPR. This chapter analyses two key compliance requirements of the GDPR through the lens of economic analysis and proposes possible changes to the GDPR in line with the Digital Single Market Strategy of the EU. The scope of the analysis is limited to how to cure information asymmetries between citizens and data collectors in order to increase citizens’ trust in using digital services, given the fast-changing and delicate legal issues arising from collecting the personal data of EU citizens. The chapter concludes by suggesting three improvements to the GDPR: more frequent controls for issuing the EU Data Protection Seal, increased independence of the Data Protection Controller, and the issuance of publicly available, frequent privacy ratings.

Notes

  1. European Commission 2015a.

  2. Geographic information systems (GIS) that collect and analyse geographic data are used extensively in crime mapping in order to accurately guess future criminal activity. For more information, see Spencer and Ratcliffe 2013. Global positioning systems (GPS) integrated into individuals’ cell phones enhance the use of GIS technologies by allowing an individual’s location to be guessed with an accuracy of one centimetre. For more information, see Harries 1999 and Caplan et al. 2011.

  3. For a discussion on the economic value of the right to privacy see Posner 1981, 1983. The author bases his economic analysis on the assumption that people who do not have anything to hide would not benefit from an extended right to privacy. Similarly, in 2009, the CEO of Google, Eric Schmidt, replied to questions on how Google respects and manages individuals’ privacy by publicly stating ‘If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place’ (Esguerra 2009). For arguments against Posner see Solove 2007.

  4. Bradford 2012, p. 23.

  5. Charter of Fundamental Rights of the European Union (2000) C 364/01, entered into force on December 1, 2009.

  6. The United States jurisdiction is an example of defining the right to privacy as a contractual right; see Bradford 2012, p. 22. For a comparison of how approaches to privacy differ between the EU and the US, see Schwartz 2013.

  7. CJEU, Maximillian Schrems v. Data Protection Commissioner, joined party: Digital Rights Ireland Ltd, Judgement, 6 October 2015, Case C-362/14, [hereinafter “Digital Rights Ireland” case]. The Safe Harbour scheme included principles that would allow the United States an “adequate level of protection in line with the EU regulations” to collect, retain, and process EU citizens’ private data.

  8. Ibid.

  9. Court of Justice of the European Union 2015.

  10. European Commission 2012a.

  11. Public Law 114–23, 2 June 2015, Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015.

  12. Public Law 107–56, 26 October 2001, Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.

  13. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC [hereinafter “General Data Protection Regulation”]. The institutions that collect and administer individuals’ data are referred to as “data controllers” in Article 4. See also, European Commission 2015c.

  14. European Commission 2015b, shows the results of a survey on EU citizens’ trust in digital environments.

  15. GDPR above n 13.

  16. European Commission 2012 app. 1–2.

  17. Acquisti et al. (forthcoming).

  18. CJEU, Google Spain SL, Google Inc. v. Agencia Espanola de Proteccion de Datos (AEPD), Mario Costeja Gonzalez [hereinafter “Google Spain”], Judgement, 13 May 2014, Case C-131/12.

  19. Ibid.

  20. Vermeulen and Gutwirth 2013.

  21. Hill 2012.

  22. Digital Rights Ireland case, above n 7.

  23. Schrems 2015.

  24. Google Spain case, above n 18.

  25. Data Protection Directive, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.

  26. European Council Framework Decision, 2008/977/JHA of 27 November 2008 on the Protection of Personal Data Processed in the Framework of Police and Judicial Cooperation in Criminal Matters.

  27. European Parliament Resolution of 25 November 2009 on the Communication from the Commission to the European Parliament and the Council: An Area of Freedom, Security and Justice Serving the Citizen, Stockholm Programme.

  28. European Commission 2010.

  29. European Commission 2012.

  30. Ibid.

  31. European Commission 2012b.

  32. Acquisti and Grossklags 2005. ‘Further evidence of simplified mental models comes from comments that expanded respondents’ answers. For example, some commented that if a transaction with the merchant was secure, nobody else would be able to see data about the transaction. However, the security of a transaction does not imply its privacy. Yet, security and privacy seem to be synonyms in simplified mental models of certain individuals.’ On the use of metadata and US surveillance practices see Schneider 2015.

  33. European Union, Council Framework Decision 2008/977/JHA of 27 November 2008 on the Protection of Personal Data Processed in the Framework of Police and Judicial Cooperation in Criminal Matters, 30 December 2008.

  34. For an analysis of consumer law within the European Framework see Helberger et al. 2013.

  35. Akerlof 1970.

  36. GDPR above n 13.

  37. Article 8(1) of the Charter uses the words “him or her” instead of “them” based on the English version of the official document.

  38. European Commission 2012, p. 2.

  39. Morey et al. 2015.

  40. Akerlof 1970.

  41. Spence 1973.

  42. Stiglitz 1975.

  43. Spence 1973, pp. 355–374.

  44. Stiglitz 1975.

  45. More examples of how the GDPR enables more user control can be seen in Article 8(2). The Article continues by emphasizing the right of individuals over their personal data by defining a right to “access” and to “rectify” data. The Charter provides individuals with limited rights over their data. Accessing or rectifying the data collected about oneself does not stop institutions from reusing this data. The GDPR introduces broader protection by introducing individuals’ right to “delete” their previously collected personal data in para 30 of the introductory section of the GDPR. In the press release regarding the GDPR, it is stated that individuals can request their personal data to be deleted unless there is no “legitimate ground for retention” of this data. The definition of “legitimate ground” is still ambiguous, as is that of the “fair” processing of personal data. Another important aspect of para 30 is that it provides a clear definition of the precondition for requesting personal data to be deleted. The precondition is that the data collected about an individual has to be “inaccurate” for the individual to legally request its deletion. Even if it is an improvement in comparison to Article 8(2) of the Charter, once again the European regulation remains silent on the reuse of the previously collected data by institutions after its deletion.

  46. European Commission 2015a.

  47. See NASA (n.d.) and Schulz 2015.

  48. European Commission 2016.

  49. Data Protection Officers can also prepare privacy reports or data protection reports as an integrated part of the financial reports in order to enhance their companies’ reputation regarding their privacy-respecting practices. Similar to environmental reporting, privacy reporting as an integrated part of the financial reports would allow companies’ privacy-respecting practices to become publicly observable to third parties.

Corresponding author

Correspondence to Elif Erdemoglu.

Copyright information

© 2016 T.M.C. Asser Press and the authors

About this chapter

Cite this chapter

Erdemoglu, E. (2016). A Law and Economics Approach to the New EU Privacy Regulation: Analysing the European General Data Protection Regulation. In: de Zwaan, J., Lak, M., Makinwa, A., Willems, P. (eds) Governance and Security Issues of the European Union. T.M.C. Asser Press, The Hague. https://doi.org/10.1007/978-94-6265-144-9_7

  • DOI: https://doi.org/10.1007/978-94-6265-144-9_7

  • Publisher Name: T.M.C. Asser Press, The Hague

  • Print ISBN: 978-94-6265-143-2

  • Online ISBN: 978-94-6265-144-9

  • eBook Packages: Law and Criminology, Law and Criminology (R0)
