GDPR: Societal Retribution

Merve Bektas, Yasmim Pessoa, Kaia Socha, Laura Basiacco, Justyna Zawada, Artaban Micali Drossos

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies.

We have all undoubtedly seen this request pop up in front of our faces as we navigate literally every website we decide to surf. Let’s be honest, how many of us even know what exactly we are agreeing to? Yet every day we put our trust in the hands of companies without knowing the specifics of their terms and conditions. The urge to log in quickly, to buy a particular product, or to book an Airbnb overpowers the willingness to read the 20 pages dedicated to those terms.


Can someone blame us for not wanting to read those tedious conditions?

At first, this does not seem to be an issue, but as we look more closely at the core objective, things become slightly more complicated. The data you share online reflects your consumer behavior, your shopping patterns, your pictures, and even sensitive health data; together these constitute a digital version of yourself. It comes down to the point where it basically tracks your every move and where you have been, and in the future it may predict what you will do next. For example, some data experts have compiled algorithms that can geo-locate you based on the frequency and location you give as you tweet throughout the day. Although the European Union built a framework with the Data Protection Directive (95/46/EC), which was implemented in 1995, the increasingly fast development of tech giants and their business practices has made this directive obsolete. The reason is that directives are carried out differently across each Member State, so digital giants like Facebook, Google and Amazon have had too much freedom in spreading their webs and have had the opportunity to massively exploit the collected data of users. To do so, they cherry-picked the countries with the weakest protection policies on data privacy and information systems, which would suit them best.


Without the appropriate laws, there is little to protect us from data misuse. As the scandal regarding Cambridge Analytica and Facebook shows, this is precisely what we are trying to avoid. The personal data of 87 million users, of whom 2.7 million are European citizens, was harvested for economic or political purposes. There are still ongoing investigations regarding this issue, and the number of people affected by this breach could increase significantly.

This makes the coming into force of a regulation such as the General Data Protection Regulation (GDPR) all the more relevant. The new European regulation will finally materialize next month in order to protect every European citizen. GDPR is one of the main objectives of the EU Digital Single Market. In 2014 the European Commission proposed this novel regulation, which was then approved. This novel regulation means that all businesses acting on the EU market will, as of May, be obliged to comply with this new set of rules.

Andrus Ansip, the Vice-President of the Digital Single Market at the European Commission, stated the following: “Data protection is at the heart of the digital single market: it builds a strong basis to help Europe make better use of innovative digital services like big data and cloud computing.” Another important purpose of this regulation is to grant users more control over their personal data.


Briefly, here are a few points which will change on May 25th, 2018. First, citizens will have the (1) right to be forgotten, which means companies must delete all personal data from their databases if users ask for it. Companies will also be responsible for informing third parties who have access to the personal data. Second, (2) informed consent: all users must be informed when their data is being processed. The users’ consent must be asked for clearly and in understandable language, without using long terms and conditions. Third, (3) the right to information and transparency: users must be informed at all times of how their data is processed and for which purposes. Companies will be required to send out a (4) breach notification within 72 hours. Companies who fail to comply with GDPR will be (5) fined up to 4% of their annual global turnover. One could say that Facebook got off easily this time, since the Cambridge Analytica breach happened prior to the enforcement of GDPR. However, this incident should be taken as an example of how serious this issue is and of how companies should better prepare themselves for the upcoming evolution.

