Could the General Data Protection Regulation save our online privacy?
In 2016 the General Data Protection Regulation (GDPR) entered into force. The GDPR aims to give control to individuals over their personal data and to simplify the regulatory environment for international businesses by unifying regulation within the EU. PhD candidate Helena Ursic-Vrabec examined the operation of the GDPR and she will defend her thesis on 7 February.
'The focus of my research was data subject rights, a set of data protection provisions that are directly linked to the concept of individual control', Ursic-Vrabec says. 'Given that nowadays everyone is more or less involved in the data economy, if only because he or she owns a smartphone or browses the Internet, my topic is highly relevant. After all, who has not yet heard about the right to be forgotten and the famous Google Spain case?' The outcome of that ruling is that an Internet search engine must consider requests from individuals to remove links to freely accessible web pages resulting from a search on their name.
The objective of the GDPR was to strengthen data protection and adapt it to the changed circumstances in our globalised and interconnected world. The amendments also introduced some substantial improvements in the section on data subject rights.
Main purposes of GDPR:
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89, not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Source: European Commission
As a data protection lawyer at software company Palantir Technologies in New York, privacy and data protection are daily business to Ursic-Vrabec. 'In the light of the fast-changing economic and technological environment, I noticed a gap between data subject rights when understood as law in the books and when applied in practice. By using the analysis of legal sources and academic literature, my thesis explored whether the data subject rights under the GDPR are effective in the data-driven economy, and if not, what are possible solutions to overcome the shortcomings.'
The outcome of her research is clear: the law in the books appears promising, but fails in action. 'As it would be utopian to expect that the developments in the data economy would soon cease, alternative solutions for data subject rights and control should be sought.' She suggests three (self-)regulatory approaches to enhance individual control over personal data beyond the system of data subject rights: a) introducing new technological solutions that promote values such as privacy, fairness, and control; b) complementing data subject rights with the mechanisms from the duty side of data protection law such as privacy by design; and c) leveraging the overlaps between data protection and other legal areas such as consumer protection and competition law.
As part of a data protection team, she already applies her outcomes in practice to some extent. 'As with every data-driven company, we deal with data subject requests on a regular basis and the knowledge that I gained during my PhD years certainly comes into use. However, more than these practical aspects, what the PhD experience really gave me is deep understanding of technological and economic risks to our privacy and related rights. I feel this knowledge and understanding strongly inspires my work and will continue to do so in the future.'
Co-supervisor Dr. B.H.M. Custers on the research conducted by Helena Ursic-Vrabec:
'As a result of the enormous increase in the amount of information and the improved effectiveness with which information can be distributed, (personal) data has become a valuable commodity in the data economy. In her doctoral thesis, Helena Ursic-Vrabec considers the rights of those involved and the risks that people run of losing control of their personal data. Despite the EU General Data Protection Regulation which took effect last year, which strengthened various rights of persons involved and incorporated new rights, Helena Ursic-Vrabec demonstrates that there are still many open ends when it comes to the rights of the persons involved actually being strengthened. People have de facto little control of what happens to their data.
Helena Ursic-Vrabec is a highly talented researcher who graduated cum laude and received many prizes for her work, including last year's Meijers prize. She received a Fulbright scholarship for Yale University in the United States. She currently works in New York as a lawyer for Palantir, a software business specializing in big data. In addition to her doctoral thesis, in recent years Helena Ursic-Vrabec has also written several scholarly publications and presented her work at a number of international conferences.'
Text: Floris van den Driesche