Interview Personal-data privacy

New EU rules are ‘a giant step, given the current situation’

For the researcher Olivier Ertzscheid, author of the New Declaration of Independence of Cyberspace, the forthcoming European General Data Protection Regulation is an important step forward for internet users.

Published on 23 April 2018 at 20:35

VoxEurop: Does the General Data Protection Regulation (GDPR), which enters into force on 25 May, represent progress in returning autonomy to internet users or is it just another restriction on use of the internet by platforms and users?


Olivier Ertzscheid: It is undeniably an important step forward, both for the rights of internet users and also to provide a sufficiently coercive legal framework for the major platforms. Coercion which can ultimately be virtuous, as the Facebook-Cambridge-Analytica scandal is currently showing. Who would have believed only a few months ago that Mark Zuckerberg would become a zealous defender of the GDPR?

Will the planned penalties be effective against platforms whose turnover approaches the figures of certain European countries' GDP?

Receive the best of European journalism straight to your inbox every Thursday

One can always point to the ratio between the platforms' revenues and the financial penalties which seem small in comparison. But we should not lose sight of what is important. The taxation issue must be dealt with and I support much heavier penalties than the current ones. The amount of the fine is less important than having guarantees that fines will be issued and paid. But in the case of the GDPR and personal-data protection, platforms can now clearly see what is at stake in terms of image and public opinion. Having leverage on their popularity and brand image is often more effective than the threat of financial penalties.

Is the system of opt-ins concerning personal data not an obstacle to the development of online business and, in the end, an obstacle to the digitalization of the economy?

I do not think so. Google recently announced that it was going to deploy "non-personalized" adverts, and Facebook has indicated that it will not only apply the GDPR in Europe but also use it as inspiration elsewhere. It is for states and Europe to create a dynamic, a virtuous cycle, in which the digital economy can continue to prosper, while tackling rent-seeking and reducing the abuses encouraged by the current lack of a legal framework around personal data. Many analysts fear that the GDPR will be an additional burden on European business in a globalized market, but really the Cambridge Analytica affair shows that this new framework can be an example of harmonization which does not hinder competition and indeed allow new actors to compete on terms which better respect our privacy.

Do the regulation's measures allow users to express genuinely informed consent as to the use of their personal data?

They are a first step. A giant step, given the current situation.

In 2019 the ePrivacy regulation, on privacy protection, is due to enter into force. It will replace the eponymous directive. Taken together with the GDPR, will this ensure the protection of European citizens?

Such a claim would be premature. We will need to see, in particular, how the major platforms implement it in practice. The fact that they seem inclined today to do so properly does not mean that the European institutions, or the tax authorities, can lower their guard.

In your New Declaration of Independence of Cyberspace you claim that "Governments derive their just powers from the consent of the governed. You have neither solicited nor received ours. We did not invite you." And yet membership of platforms and social networks is voluntary and users must approve the terms of service (ToS) before signing up, is that not correct?

Yes but everyone knows that reading the ToS is a fool's game. Nobody reads them really, and for those who do make the effort it is difficult to understand everything. As a congressman remarked to Mark Zuckerberg during his hearing on 10-11 April, the ToS need to be much shorter and clearer if the average user is to understand them.

What is the best way of ensuring that users really understand the ToS of the services they use?

Prior and explicit consent for the collection of all data – that is a first step. The reason for collecting data must also be made explicit: why, by whom, in what conditions and to what ends will the data be collected? And for how long. In terms of ergonomy and design, tools must be created to allow users to engage more easily with the ToS. And it must be possible to check, regularly, that the ToS have not changed.

What is the digital "social contract" that you mention?

The same one (but more modestly of course) as Rousseau's. Cyberspace is a "milieu" and not a distinct space from that of the law. The same laws as those of nations must therefore be applied, but we also need a coherent legal framework which takes account of certain characteristics of this milieu. An example is the Creative Commons copyright licences, proposed by Lawrence Lessig when he was professor of law at Harvard. These provide a framework which respects the rights of content creators while taking into account the internet's logic of mass distribution and appropriation.

More generally this "social contract" must be defined by the yardsticks of emancipation and capacitation. Digital ecosystems bring these benefits "naturally" but, because of an entirely deregulated economic model, they have too often been turned into tools of alienation.

The internet was conceived and born as a democratic space par-excellence. Is that still the case?

I believe so. At least if we are talking about that space outside the "walled gardens" and "applications" that stifle us and have nothing democratic about them. But, these apart, there fortunately still exist spaces of genuine freedom where, contrary to popular belief, anonymity and pseudonymity do not prevent well-reasoned debate where all opinions are respected.


Europeans will benefit a state-of-the-art data protection

On 25 May the General Data Protection Regulation (GDPR), which aims at "protecting and empowering all EU citizens data privacy and to reshape the way organizations across the region approach data privacy" will become enforceable, thus directly binding and applicable by the EU member states. It will replace the data protection directive of 1995.

The regulation was adopted on 27 April 2016 and intends to "strengthen and unify data protection for all individuals within the European Union”. It also addresses the export of personal data outside the EU, and to "give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU." The biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. Previously, territorial applicability of the directive was ambiguous and referred to data process 'in context of an establishment'. Under GDPR organizations in breach of GDPR can be fined up to 4 percent of annual global turnover or €20 Million (whichever is greater). The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms of service full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.

Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

In 2019 GDPR will be flanked by the ePrivacy regulation, which will particularise and complement it as regards electronic communications data that qualify as personal data, such as the requirements for consent to the use of cookies and opt-out options. The scope of the ePrivacy Regulation will apply to any business that provides any form of online communication service, that utilises online tracking technologies, or that engages in electronic direct marketing. It will repeal the ePrivacy Directive.


Was this article useful? If so we are delighted!

It is freely available because we believe that the right to free and independent information is essential for democracy. But this right is not guaranteed forever, and independence comes at a cost. We need your support in order to continue publishing independent, multilingual news for all Europeans.

Discover our subscription offers and their exclusive benefits and become a member of our community now!

Are you a news organisation, a business, an association or a foundation? Check out our bespoke editorial and translation services.

Support independent European journalism

European democracy needs independent media. Join our community!

On the same topic