Abstract
The discussion on the regulation of citizens’ right to privacy grows in parallel with the widespread usage and collection of Big Data. This chapter analyses, from a law and economics perspective, the discussion on European Union (EU) citizens’ rights to privacy with regard to the collection, retention, analysis and transfer of personal data in light of the EU General Data Protection Regulation (GDPR). The GDPR is drafted in coherence with the EU Digital Market Strategy, which aims to create the correct incentives for digital networks and services to flourish by providing trustworthy infrastructure supported by the right regulations. A significant part of achieving this aim would require EU citizens to trust in using digital services. The GDPR is designed to increase citizens’ trust in using online and digital services by obliging service providers to comply with the GDPR. This chapter analyses two key compliance requirements of the GDPR through the lens of economic analysis and proposes possible changes to the GDPR in line with the Digital Single Market Strategy of the EU. The scope of this chapter’s analysis is limited to how to cure information asymmetries between citizens and data collectors in order to increase citizens’ trust in using digital services, given the fast-changing and delicate legal issues arising from collecting the personal data of EU citizens. This chapter concludes by suggesting three improvements to the GDPR: more frequent controls for issuing the EU Data Protection Seal, increased independence of the Data Protection Controller, and issuance of publicly available, frequent privacy ratings.
Notes
- 1.
European Commission 2015a.
- 2.
Geographic information systems (GIS), which collect and analyse geographic data, are used extensively in crime mapping in order to accurately guess future criminal activity. For more information, see Spencer and Ratcliffe 2013. Global positioning systems (GPS) integrated into individuals’ cell phones enhance the use of GIS technologies by allowing guesses at an individual’s location with an accuracy of one centimetre. For more information, see Harries 1999 and Caplan et al. 2011.
- 3.
For a discussion on the economic value of the right to privacy, see Posner 1981, 1983. The author bases his economic analysis on the assumption that people who do not have anything to hide would not benefit from an extended right to privacy. Similarly, in 2009, the CEO of Google, Eric Schmidt, replied to questions on how Google respects and manages individuals’ privacy by publicly stating ‘If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place’ (Esguerra 2009). For arguments against Posner, see Solove 2007.
- 4.
Bradford 2012, p. 23.
- 5.
Charter of Fundamental Rights of the European Union (2000) C 364/01, entered into force on December 1, 2009.
- 6.
- 7.
CJEU, Maximillian Schrems v. Data Protection Commissioner, joined party: Digital Rights Ireland Ltd, Judgement, 6 October 2015, Case C-362/14, [hereinafter “Digital Rights Ireland” case]. Safe Harbour scheme included principles that would allow the United States an “adequate level of protection in line with the EU regulations” to collect, retain, and process EU citizens’ private data.
- 8.
Ibid.
- 9.
Court of Justice of the European Union 2015.
- 10.
European Commission 2012a.
- 11.
Public Law 114–23, 2 June 2015, Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015.
- 12.
Public Law 107–56, 26 October 2001, Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.
- 13.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC [hereinafter “General Data Protection Regulation”]. The institutions that collect and administer individuals’ data are referred to as “data controllers” in Article 4. See also, European Commission 2015c.
- 14.
European Commission 2015b, shows the results of a survey on EU citizens’ trust in digital environments.
- 15.
GDPR above n 13.
- 16.
European Commission 2012 app. 1–2.
- 17.
Acquisti et al. (forthcoming).
- 18.
CJEU, Google Spain SL, Google Inc. v. Agencia Espanola de Proteccion de Datos (AEPD), Mario Costeja Gonzalez [hereinafter “Google Spain”], Judgement, 13 May 2014, Case C-131/12.
- 19.
Ibid.
- 20.
Vermeulen and Gutwirth 2013.
- 21.
Hill 2012.
- 22.
Digital Rights Ireland case, above n 7.
- 23.
Schrems 2015.
- 24.
Google Spain case, above n 18.
- 25.
Data Protection Directive, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.
- 26.
European Council Framework Decision, 2008/977/JHA of 27 November 2008 on the Protection of Personal Data Processed in the Framework of Police and Judicial Cooperation in Criminal Matters.
- 27.
European Parliament Resolution of 25 November 2009 on the Communication from the Commission to the European Parliament and the Council: An Area of Freedom, Security and Justice Serving the Citizen, Stockholm Programme.
- 28.
European Commission 2010.
- 29.
European Commission 2012.
- 30.
Ibid.
- 31.
European Commission 2012b.
- 32.
Acquisti and Grossklags 2005. “Further evidence of simplified mental models comes from comments that expanded respondents’ answers. For example, some commented that if a transaction with the merchant was secure, nobody else would be able to see data about the transaction. However, the security of a transaction does not imply its privacy. Yet, security and privacy seem to be synonyms in simplified mental models of certain individuals.” On the use of metadata and US surveillance practices see Schneider 2015.
- 33.
European Union, Council Framework Decision 2008/977/JHA of 27 November 2008 on the Protection of Personal Data Processed in the Framework of Police and Judicial Cooperation in Criminal Matters, 30 December 2008.
- 34.
For an analysis of consumer law within the European Framework see Helberger et al. 2013.
- 35.
Akerlof 1970.
- 36.
GDPR above n 13.
- 37.
Article 8(1) of the Charter uses the words “him or her” instead of “them” based on the English version of the official document.
- 38.
European Commission 2012, p. 2.
- 39.
Morey et al. 2015.
- 40.
Akerlof 1970.
- 41.
Spence 1973.
- 42.
Stiglitz 1975.
- 43.
Spence 1973, pp. 355–374.
- 44.
Stiglitz 1975.
- 45.
More examples of how the GDPR enables more user control can be seen in Article 8(2). The Article continues by emphasizing the right of individuals over their personal data by defining a right to “access” and to “rectify” data. The Charter provides individuals with limited rights over their data. Accessing or rectifying the data collected about oneself does not stop institutions from reusing this data. The GDPR introduces a broader protection by introducing individuals’ right to “delete” their previously collected personal data in para 30 of the introductory section of the GDPR. In the press release regarding the GDPR, it is stated that individuals can request their personal data to be deleted if there is no “legitimate ground for retention” of this data. The definition of “legitimate ground” remains ambiguous, as does that of the “fair” processing of personal data. Another important aspect of para 30 is that it provides a clear definition of the precondition for requesting personal data to be deleted. The precondition is that the data collected about an individual has to be “inaccurate” for the individual to legally request its deletion. Even if it is an improvement in comparison to Article 8(2) of the Charter, once again the European regulation remains silent on the reuse of the previously collected data by institutions after its deletion.
- 46.
European Commission 2015a.
- 47.
See NASA (n.d.) and Schulz 2015.
- 48.
European Commission 2016.
- 49.
Data Protection Officers can also prepare privacy reports or data protection reports as an integrated part of the financial reports in order to enhance their companies’ reputation regarding their privacy-respecting practices. Similar to environmental reporting, privacy reporting as an integrated part of the financial reports would allow the privacy-respecting practices of companies to become publicly observable to third parties.
References
Acquisti A, Grossklags J (2005) Privacy and rationality in individual decision-making. IEEE Secur Priv 1:26–33
Acquisti A, Taylor C, Wagman L (forthcoming) The economics of privacy. J Econ Lit:6
Akerlof G (1970) The market for lemons: Qualitative uncertainty and the market mechanism. Q J Econ 84:488–500
Bradford A (2012) The Brussels effect. Nw UL Rev 107:23
Caplan J, Kennedy L, Miller J (2011) Risk terrain modelling: brokering criminological theory and GIS methods for crime forecasting. Justice Q 28(2):360–381
Court of Justice of the European Union, 2014 ECLI:EU:C:2014:317, Judgment of 13 May 2014 in Case C-131/12, Google Spain SL, Google Inc. v. Agencia Espanola de Proteccion de Datos (AEPD), Mario Costeja Gonzalez
Court of Justice of the European Union, 2015 ECLI:EU:C:2015:650, Judgment of 6 October 2015, Case C-362/14, Maximillian Schrems v. Data Protection Commissioner, joined party: Digital Rights Ireland Ltd
Court of Justice of the European Union (2015) Press Release, No. 117/15, Luxembourg, 6 Oct 2015. http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf. Accessed on May 31, 2016
Esguerra R (2009) Google CEO Eric Schmidt dismisses the importance of privacy, Electronic Frontier Foundation official website, December 10, https://www.eff.org/deeplinks/2009/12/google-ceo-eric-schmidt-dismisses-privacy. Accessed 10 Nov 2016
European Commission (2010) Communication, “Europe 2020: a strategy for smart, sustainable and inclusive growth”. COM (2010) 2020
European Commission (2012a) Communication, “Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)”, COM (2012), 2012/0011 (COD)
European Commission, Press Release (2012b) IP/12/46, “Commission proposes a comprehensive reform of data protection rules to increase users’ control of their data and to cut costs for businesses”, http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en. Accessed 15 Oct 2015
European Commission (2015a) Communication, “Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A Digital Single Market Strategy for Europe”, COM (2015) 192
European Commission (2015b) Eurobarometer 431. http://ec.europa.eu/public_opinion/archives/ebs/ebs_431_sum_en.pdf. Accessed 31 May 2016
European Commission (2015c) Official website. Who can collect and process personal data? http://ec.europa.eu/justice/data-protection/data-collection/index_en.htm. Accessed 12 Nov 2015
European Commission (2016) Horizon 2020 Call on EU Cooperation and International Dialogues in Cybersecurity and Privacy Research and Innovation. http://ec.europa.eu/research/participants/portal/desktop/en/opportunities/h2020/topics/2422-ds-05-2016.html. Accessed 31 May 2016
Harries K (1999) The integration of GIS and GPS in mapping crime: principle and practice. U.S. Department of Justice, Washington
Helberger N, Guibault L, Loos M, Mak C, Pessers L and Sloot B (2013) Digital consumers and the law: towards a cohesive European framework (No. 28). Kluwer Law International, Alphen aan den Rijn
Hill K (2012) Max Schrems: the Austrian thorn in Facebook’s side. http://www.forbes.com/sites/kashmirhill/2012/02/07/the-austrian-thorn-in-facebooks-side/#2715e4857a0b1d8384d06b30. Accessed 3 Feb 2016
Morey T, Forbath T, Schoop A (2015) Customer data: designing for transparency and trust. Harvard Bus Rev https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust. Accessed 20 Mar 2016
NASA (n.d.) QuAIL: Quantum computers. http://www.nas.nasa.gov/quantum/quantumcomp.html. Accessed 12 Nov 2015
Posner R (1981) The economics of privacy. Am Econ Rev 71(2):405–409
Posner R (1983) The economics of justice. Harvard University Press, Cambridge
Schneider B (2015) Data and Goliath: the hidden battles to collect your data and control your world. WW Norton & Company, New York City, New York
Schrems M (2015) Data Protection Authorities in Ireland, Belgium and Germany requested to review and suspend Facebook’s data transfers over US spy programs. http://www.europe-v-facebook.org/prism2_en.pdf. Accessed 5 Apr 2016
Schulz T (2015) Rechner-revolution: Google und NASA präsentieren Quantencomputer. Spiegel Online. http://www.spiegel.de/netzwelt/web/google-und-nasa-praesentieren-ihren-quantencomputer-a-1066838.html. Accessed 12 Oct 2015
Schwartz P (2013) The EU-US privacy collision: a turn to institutions and procedures. Harvard Law Rev 126:1
Solove D (2007) “I’ve got nothing to hide” and other misunderstandings of privacy. San Diego Law Rev 44:745
Spence M (1973) Job market signalling. Q J Econ 87:355–374
Spencer C, Ratcliffe J (2013) GIS and crime mapping. Wiley, Hoboken
Stiglitz J (1975) The theory of screening, education, and the distribution of income. Am Econ Rev 65:283–300
Vermeulen M, Gutwirth S (2013) Empowering social network site users through creating new rights: analysing the right to be forgotten and the right to data portability in the EU. User Empowerment in a Social Media Culture, EMSOC, Belgium
Copyright information
© 2016 T.M.C. Asser press and the authors
About this chapter
Cite this chapter
Erdemoglu, E. (2016). A Law and Economics Approach to the New EU Privacy Regulation: Analysing the European General Data Protection Regulation. In: de Zwaan, J., Lak, M., Makinwa, A., Willems, P. (eds) Governance and Security Issues of the European Union. T.M.C. Asser Press, The Hague. https://doi.org/10.1007/978-94-6265-144-9_7
DOI: https://doi.org/10.1007/978-94-6265-144-9_7
Publisher Name: T.M.C. Asser Press, The Hague
Print ISBN: 978-94-6265-143-2
Online ISBN: 978-94-6265-144-9
eBook Packages: Law and Criminology (R0)