GDPR Archives - Legal Cheek https://www.legalcheek.com/tag/gdpr/ Legal news, insider insight and careers advice Wed, 10 Jul 2024 08:12:56 +0000 en-US hourly 1 https://wordpress.org/?v=6.5.5 https://www.legalcheek.com/wp-content/uploads/2023/07/cropped-legal-cheek-logo-up-and-down-32x32.jpeg GDPR Archives - Legal Cheek https://www.legalcheek.com/tag/gdpr/ 32 32 GDPR vs. Freemium: why social media giants are winning https://www.legalcheek.com/lc-journal-posts/gdpr-vs-freemium-why-social-media-giants-are-winning/ https://www.legalcheek.com/lc-journal-posts/gdpr-vs-freemium-why-social-media-giants-are-winning/#comments Wed, 10 Jul 2024 07:37:11 +0000 https://www.legalcheek.com/?post_type=lc-journal-posts&p=206464 Aberdeen law student Iakov Shuvalov assesses GDPR's effectiveness in 'freemium' models, where 'free' services may compromise privacy

The post GDPR vs. Freemium: why social media giants are winning appeared first on Legal Cheek.

]]>

Aberdeen law student Iakov Shuvalov examines GDPR’s effectiveness in regulating ‘freemium’ business models, where ‘free’ services may compromise privacy


In the digital age, data has been regarded as the currency of the future. As a result, data is an asset that has grown in value and in its need for protection, and that is why the European Union (EU) implemented the General Data Protection Regulation (GDPR) in 2018. Aiming to empower individuals with control over their data and establish stricter privacy standards, the GDPR promised a paradigm shift and has received praise. However, a closer look reveals a critical shortcoming: the GDPR’s struggle to effectively apply, particularly to freemium models, a business model with significant presence in the average person’s life due to social media.

In the age of ubiquitous online services, the concept of “free” often comes at a hidden cost: our personal data. Freemium business models, particularly prevalent in social media platforms, thrive on collecting and monetizing user information. The current application of the GDPR falls short in its ability to regulate businesses that rely on data collection and monetization as their core revenue stream. This is because the application of the GDPR suffers from critical flaws in several areas, these being in the initial drafting and wording of the GDPR, in the GDPR’s application, and in the GDPR’s enforcement.

Issues in application

Widespread non compliance

A central argument for the GDPR’s ineffectiveness lies in the demonstrably high rate of non-compliance among websites. A web-scanning service analysing the 100 most popular websites in each of the 28 EU member states revealed a concerning lack of GDPR adherence. This study, while limited in its ability to definitively identify non-compliance within a website’s entire system, clearly demonstrates that many websites lack even the most basic GDPR implementation measures on their public interfaces. This widespread disregard for the regulation casts doubt on the ability of the GDPR to achieve its goals of data privacy protection.

This disregard is particularly worrying within the freemium landscape, where data collection and monetization are central to the business model.  Unlike other websites, data collection and user profiling are core functionalities for freemium services. Non-compliance with the GDPR in these areas directly undermines the service’s ability to operate its business model. But the most significant concern here is that if the GDPR is not effectively enforced within this sector, users are left unaware of how their data is being collected and used.

Issues in enforcement

Disproportionate impact

The GDPR’s application creates a concerning imbalance between small and medium-sized businesses (SMBs) and large corporations, particularly those operating under freemium models. While achieving GDPR compliance is crucial, the resources required – legal expertise, technical security measures, and ongoing data practice maintenance –  pose a significant burden for SMBs. These businesses often lack the financial and technical muscle of their larger counterparts.

This disparity creates a two-tiered system where resource constraints force many SMBs to fall short of full compliance, leaving them vulnerable to legal repercussions while for freemium social media giants whose business models rely heavily on data collection, potential GDPR fines become a mere cost of doing business. Their vast resources allow them to navigate GDPR complexities with relative ease.

This uneven playing field undermines the very purpose of the GDPR – a level playing field for data protection practices.  Currently, the system favours large corporations, particularly those in the freemium space. This stifles competition and innovation within the digital economy, as smaller businesses become discouraged from adopting data-driven technologies for fear of non-compliance.

Overall enforcement issues

The effectiveness of the GDPR in curbing privacy violations by freemium businesses is further hampered by significant challenges in its enforcement. While the GDPR outlines hefty fines for non-compliance, several factors create a lacuna in which freemium giants are less likely to face serious consequences.

One issue is the resource constraints of DPAs. Data Protection Authorities (DPAs) in each EU member state often lack the resources to adequately monitor and investigate the complex data practices of large, international freemium platforms. Furthermore, freemium services often operate across multiple jurisdictions. This makes it difficult for DPAs to determine which authority has oversight and hinders effective enforcement action. In addition to this, investigating large-scale data breaches or complex privacy violations involving freemium models can be a lengthy and time-consuming process. This delays any potential penalties and weakens the deterrent effect.

These enforcement challenges create a scenario where freemium businesses may be more likely to gamble on non-compliance. The potential for hefty fines may seem less threatening when weighed against the vast resources these companies possess and the complexities involved in pursuing enforcement actions. This ultimately weakens the GDPR’s ability to effectively protect user privacy within the freemium landscape.

Want to write for the Legal Cheek Journal?

Find out more

Issues in drafting

Loopholes and subjectivity

The GDPR’s reliance on the concept of “legitimate interest” as a legal basis for data processing introduces a significant loophole and element of subjectivity. While the GDPR outlines situations where “legitimate interest” might apply, it ultimately leaves companies with a degree of discretion in interpreting this clause. This subjectivity creates a risk of freemium services prioritizing their own interests over user privacy.

For example, the concept of “legitimate interest” can be used to justify the placement of certain cookies without obtaining explicit user consent. This raises concerns, as freemium business models can potentially interpret “legitimate interest” broadly to encompass a wide range of data collection activities. The lack of clear guidelines and the potential for abuse of this clause weaken the GDPR’s ability to ensure user control over their data.

Cookie notices

The GDPR’s reliance on cookie notices to inform users and gain consent for data collection presents a particular challenge. While intended to empower users, cookie notices often achieve the opposite effect in the freemium context.

As highlighted in a study by Advance Metrics, a staggering 76% of website visitors either ignore cookie banners altogether or simply click through them without engaging with the content. This behaviour stems from several factors such as many cookie notices being intrusive and disrupting the user experience, leading to frustration and a desire to dismiss them as quickly as possible. Another point to note is that the complex nature of cookie categories and the sheer volume of information presented overwhelm users, making it difficult to understand and manage their consent preferences. Finally, when faced with the choice between a seamless browsing experience and delving into complex cookie settings, users often prioritize convenience and sacrifice some control over their data privacy. It is for this reason that as of now there does not exist a lucrative market for businesses to sell enhanced privacy to their customers.

For freemium services, cookie notices become a flawed system that fails to achieve the GDPR’s goals of informed consent and user control over data. The pressure to access the “free” service and the complexity of cookie notices create a situation where users are unlikely to engage meaningfully with them. This ultimately undermines the effectiveness of the GDPR in protecting user privacy within the freemium landscape

Conclusion

The GDPR’s noble aim of protecting user data privacy faces a challenge of growing significance and importance in the freemium landscape created by social media. While the regulation outlines a framework for user control and data protection, its current application struggles to effectively address the practices of freemium business models. The widespread non-compliance, subjectivity of the “legitimate interest” clause, and ineffectiveness of cookie notices all create loopholes that freemium giants can potentially exploit.  Furthermore, the challenges of enforcement leave these companies with a lower risk of facing serious consequences for privacy violations.

It is clear that the current application of the GDPR falls short of its intended purpose. Moving forward, a re-evaluation of the regulation and its enforcement mechanisms is necessary. This may involve strengthening enforcement measures, clarifying subjective elements within the regulation, and exploring alternative approaches that incentivize user privacy alongside innovation. Only through such changes can the GDPR truly empower individuals and create a more secure and transparent digital environment for all.

The ongoing evolution of the digital landscape demands a robust and adaptable data protection framework. By addressing the shortcomings of the GDPR’s application within the freemium space, we can move towards a more balanced approach that protects user privacy without stifling innovation. Only then can the GDPR truly fulfil its promise of empowering individuals and fostering a more secure and transparent online environment, especially for users who rely on valuable “free” services offered by freemium businesses.

Iakov Shuvalov is a final year law student at the University of Aberdeen and has interests in Cybersecurity and Data Privacy Law.

The post GDPR vs. Freemium: why social media giants are winning appeared first on Legal Cheek.

]]>
https://www.legalcheek.com/lc-journal-posts/gdpr-vs-freemium-why-social-media-giants-are-winning/feed/ 1
Life as a cyber security leader at an international law firm https://www.legalcheek.com/lc-careers-posts/life-as-a-cyber-security-leader-at-an-international-law-firm/ Fri, 29 Jan 2021 11:43:15 +0000 https://www.legalcheek.com/?post_type=lc-careers-posts&p=158537 Christian Toon, chief information security officer (CISO) at Pinsent Masons, reveals the risks and opportunities associated with digitalisation, as well as how a career in cyber security may be of interest to those studying law

The post Life as a cyber security leader at an international law firm appeared first on Legal Cheek.

]]>
Christian Toon, chief information security officer (CISO) at Pinsent Masons, reveals the risks and opportunities associated with digitalisation, as well as how a career in cyber security may be of interest to those studying law

Christian Toon, chief information security officer at Pinsent Masons

Christian Toon, a man with “many hats”, holds both the positions of chief information security officer (CISO) and head of office for business operations in Birmingham at Pinsent Masons LLP.

Joining the international law firm in 2017, having previously worked at one of the Big Four professional services firms, Toon is responsible for Pinsent Masons’ “cyber and information security strategy”. More specifically, Toon works to safeguard the business and its clients against cyber threats and risks that come through information security breaches.

Toon summarises his day-to-day responsibilities using three Ps: “PowerPoint, People, and Politics”. In this context, ‘PowerPoint’ refers to his overall efforts in communication and collaboration — namely “ensuring that all our people understand and appreciate their role they need to play in keeping us safe. Making sure our teams have the right skills, behaviours and awareness to securely go about their day job”.

With regards to the ‘People’, this is about making sure the security team and others across the firm are in their best position to deliver on their objectives. Supporting them as a line manager, mentor or confidante that allows them all to come together and succeed as one.

Then there is the ‘Politics’. “Information and cyber security are not the only risks to our business and are also not all the opportunities we’re exploring,” says Toon. “There are many seats at the table of which we’re only one, so it’s important that we work with others for the greater good of the Firm. Sometimes this means standing down on some of our activity so that others may flourish, and vice versa. This involves a lot of stakeholder management, compromise and negotiation. Especially when it involves trying to keep cyber security at the forefront of everyone’s minds as the remote working revolution continues.”

Inevitably, the pandemic has impacted the quantity and content of Toon’s work, as a shift to remote working has upped our dependency on technology. “Traditionally, the legal sector has underinvested in both technology and security, and the pandemic has brought these deficiencies to light”, says Toon, “as suddenly you are at home and all you have to work with is the laptop in front of you”. Toon reflects upon the “rapid period of adjustment” that we have seen in early 2020, particularly in the legal sector, which has included relaxing some security controls to enable people to work from home effectively, as well as investing in new legal tech, or fixing and improving existing technologies. Good security is about understanding and managing the risks, not controlling the business so much it can’t function.

The biggest risks facing law firms now, Toon tells me, are those around data loss, cyber-enabled financial crime and fraud and disruption to business through something like Ransomware. As such, it is important to ensure that the new technologies being used across the profession have been deployed, implemented and maintained professionally and securely, so as not to leave the business vulnerable to exposure or exploitation further down the line.

Find out more about training at Pinsent Masons

A challenge deriving from this, is the way in which controlling the use of these new technologies can encroach upon the culture and purpose of a business: “There is a fine line on the security front between maintaining the confidentiality, integrity and availability of a business, without being overly invasive in this approach and making your people feel monitored”. Toon remarks that the increased sensitivity we have seen around GDPR in recent years, relating to the use and storage of personal data, only increases the challenge.

Drawing upon the ‘People’ element of Toon’s work responsibilities, his position as head of office for business operations in Birmingham involves developing a sense of “togetherness”, or “virtual togetherness”, in order to mitigate the current absence of face-to-face interactions and social gatherings. One way in which Toon has been able to do this is by offering drop-in virtual AMA’s (Ask Me Anything’s) to answer questions and address concerns amongst those in the office.

Toon also tells me how well Pinsent Masons has been doing with regards to maintaining social interaction amongst staff. Some of the stand-out virtual gatherings that he’s been involved with so far have included virtual bingo, wine tasting, cheese making, cocktail masterclasses, virtual escape rooms, and even a virtual black-tie awards! “People have become very creative in supporting virtual events, everything gets delivered home and you just need to get dressed up and switch on your webcam!”

After spending several years working in London and travelling across the world, Toon felt a calling to return to Birmingham, his first home, and take on a role that would allow him to spend more time with his family. By no means is Toon missing the London life, however, describing Birmingham as a “multi-cultural hotpot of people and places”. Birmingham is very much a vibrant city, having enjoyed an increase in funding over recent years and a huge regeneration of the city centre. The progression of HS2 is also set to develop the connection between Birmingham and London, thereby offering many exciting opportunities for young graduates.

Reflecting upon his career journey so far, Toon says, “I don’t regret much in my life, but I wish I’d gone into cyber security a lot earlier”. According to Toon, over the next three to five years, there is going to be a huge technological revolution in the ways that businesses operate, particularly within the legal industry as it tries to play “catch up”. Toon foresees that the opportunities to develop technologies within the profession will “flood the market”, and so, developing digital and legal skills will help graduates stand out.

For those interested in the legal industry, although perhaps not the legal route specifically, Toon encourages a consideration of cyber, data and technology as potential career paths, naming these as “three of the most employable industries across the globe right now”.

Christian Toon will be speaking alongside other panellists at ‘Secrets to Success Midlands’, a virtual student event taking place on Wednesday 3 February. You can apply to attend the event, which is free, now.

Find out more about training at Pinsent Masons

About Legal Cheek Careers posts.

The post Life as a cyber security leader at an international law firm appeared first on Legal Cheek.

]]>
How technology will shape the legal profession over the next decade https://www.legalcheek.com/lc-careers-posts/how-technology-will-shape-the-legal-profession-over-the-next-decade/ Wed, 21 Oct 2020 11:44:17 +0000 https://www.legalcheek.com/?post_type=lc-careers-posts&p=154752 Tara Waters, partner and head of Ashurst Advance Digital, discusses how law firms are embracing tech and what it means for future lawyers

The post How technology will shape the legal profession over the next decade appeared first on Legal Cheek.

]]>
Tara Waters, partner and head of Ashurst Advance Digital, discusses how law firms are embracing tech and what it means for future lawyers

Tara Waters, partner and head of Ashurst Advance Digital

There’s been a notable increase in the number of law firms adopting legal technology in recent years, notes Ashurst partner Tara Waters.

“They are now using many more applications compared to the standard desktop suite used when I started out in 2009 — but it’s not been a tech revolution yet,” she explains. Waters continues: “What we still haven’t seen is tech that will fundamentally change the way lawyers do things. We’re still waiting for these technological innovations to sprout and show themselves.”

In terms of what’s happening now, Waters says larger law firms are using AI-powered document review platforms to help lighten the workload of lawyers. In certain areas, Waters shares there is a real focus on efficiency gains: “We’re starting to see some slightly more sophisticated software around functionality, for example, delivering automated decision trees. But a lot of what we’re using day-to-day are tools to make processes more efficient,” she notes.

Over the next ten years Waters hopes to see more collaboration between law firms to develop solutions for clients. “Clients don’t want ten solutions for the same thing — they want one [solution]. So we need to be talking to each other a lot more about what works best for the client. Increased collaboration will be really positive for the industry as a whole,” she predicts.

This increase in collaboration needs to extend beyond the confines of the legal industry, according to Waters. “Tech has advanced incredibly over the past 20 years but we’re not seeing the same level of advancement in the legal sector”, and one of the reasons for this is because of the lack of collaboration between major tech players and law firms, Waters tells me.

As head of Ashurst Advance Digital, Waters and her team are responsible for finding new and innovative ways to embed tech into the firm’s services and products.

The digital services side of the team sees Ashurst technologists work closely with the firm’s practice groups to find ways to assist on specific client matters using technology to increase efficiency and profitability.

On the products side, the team looks at how tech can be used to automate work and then, based on these findings, create a product that can be offered to clients. “This way clients can get the answers they need from the product, but as if they’re talking to us. Clients get the Ashurst experience but in a purely digital way,” Waters explains.

The application deadline for Ashurst's Summer Vacation Scheme is Friday 29 January 2021

Tech is bringing about a variety of new opportunities for law firms. “Clients are bringing new projects to us that they previously may have gone to an accounting or IT consultancy firm. But now law firms are getting into the mix,” she explains.

To explain how this works in practice, Waters uses the example of the introduction of GDPR. “A client will recognise this has wide-ranging implications across their business and so they’ll need to examine every policy, procedure and piece of tech used to ensure it is GDPR-compliant.” There are several elements to consider when advising on the matter: understanding the requirements of GDPR, understanding its practical effects, and then implementing the necessary work. Normally the client would turn to an accounting or IT firm for the implementation. However, tech is now making it possible for a law firm to deliver this full service to the client. Waters adds: “We even have a consulting arm so we can give a consulting view in-house. It’s very powerful for a client to be able to go to one firm for the full spectrum of work.”

For those interested in the interplay between technology and the law, Waters tells me that there’s no traditional path to entering this space. Waters came from a non-law background having studied electronic art and media at university. She taught herself coding during her first year and graduated in 2000, the height of the dot-com boom, and so getting involved in the tech sector seemed like a natural step.

Whilst working in the tech sector, it was a good friend that sparked her interest in pursuing a legal career. “My friend recognised that legal skills and analysis were similar to how you have to think and analyse when you’re writing code, so he thought there were transferable skills,” she explains. “He also recognised the perennial problem that tech moves faster than the law and how it was crucial to have people in the legal sector who understood technology.”

This prompted Waters to go to law school in New York where she studied intellectual property, media, and entertainment. She began her legal career in 2009, joining Allen & Overy‘s London office focused on corporate finance and capital markets.

Waters maintained her interest in tech though and was keen to integrate this interest with her legal career. “When there were any deals involving tech companies I always tried to get involved. I also attended tech events after work and tried to stay plugged into the tech world,” she tells me. It was in 2014 that Waters joined Ashurst where she now works as a partner and head of Ashurst Advance Digital.

Waters’ advice to those looking to enter the legal tech space is to remember that understanding the client is a fundamental aspect of her team’s work. “Everything you do needs to be catered towards the client so having spent time myself as a practising lawyer means that I understand my clients and their needs,” she elaborates. However, the key, Waters emphasises, is to have a genuine interest in this area:

“It’s not just a job — you need a real interest and a passion for the challenge of what we’re trying to achieve.”

Tara Waters will be speaking alongside other Ashurst lawyers at ‘Technology and the law’, a virtual student event taking place next week, on Monday 26 October. You can apply to attend the event, which is free, now.

The application deadline for Ashurst's Summer Vacation Scheme is Friday 29 January 2021

About Legal Cheek Careers posts.

The post How technology will shape the legal profession over the next decade appeared first on Legal Cheek.

]]>
60% of legal workers think firms should be doing more to support remote working https://www.legalcheek.com/2020/05/60-of-legal-workers-think-firms-should-be-doing-more-to-support-remote-working/ Fri, 22 May 2020 07:38:36 +0000 https://www.legalcheek.com/?p=147172 But three quarters say lockdown has shown they can work effectively from home

The post 60% of legal workers think firms should be doing more to support remote working appeared first on Legal Cheek.

]]>
But three quarters say lockdown has shown they can work effectively from home

More than half of legal workers believe their firms should be doing more to support home-working amid the coronavirus lockdown, new research has shown.

Fifty-six percent of more than 3,000 British office workers, including around 100 in the legal sector, thought that their companies could be doing more to help them cope with the technological challenges of home-working. More than one in six (17%) of those surveyed are using a personal laptop or desktop computer to work from home, with a further 10% working on equipment purchased since the lockdown, for example.

The data further reveals that less than half (44%) of workers in the legal profession said their employer has helped them to make adequate provisions to work from home in the long-term, while over a third (36%) said they need their company to invest in long-term solutions given that social distancing measures are likely to stay in place for at least the end of the year. One fifth (20%) said they need their firm to act urgently to enable productive home-working.

The study found, however, that more than three quarters (77%) of legal workers believe the lockdown has shown that they can work effectively from home. Prior to the lockdown, only two fifths (41%) said that they could work from home when they want — about a fifth lower than workers in financial services (63%) and government and manufacturing (58%).

The 2020 Legal Cheek Firms Most List

Elsewhere, the study, which has been published by IT provider Atlas Cloud to coincide with the second anniversary of the GDPR on Monday, shows that almost two thirds (63%) of home-working legal staff are storing files on their own devices, raising concerns about data security. Three percent admitted that the computer they are using to work from home is not password protected.

Commenting on the findings, Pete Watson, chief executive officer of Atlas Cloud, said: “Our survey shows there is still a clear need to implement short-term solutions to enable a fifth of legal sector workers to work more productively from home.”

He added:

“However, with organisations now starting to implement long-term working from home policies now is the time to take stock and to start planning to invest in longer-term remote and home-working solutions. To adapt a well-known phrase — the legal sector needs to get home-working done.”

Sign up to the Legal Cheek Newsletter

The post 60% of legal workers think firms should be doing more to support remote working appeared first on Legal Cheek.

]]>
Who is responsible for our data and how do we get it back? https://www.legalcheek.com/lc-journal-posts/who-is-responsible-for-our-data-and-how-do-we-get-it-back/ https://www.legalcheek.com/lc-journal-posts/who-is-responsible-for-our-data-and-how-do-we-get-it-back/#respond Wed, 29 Apr 2020 11:04:20 +0000 https://www.legalcheek.com/?post_type=lc-journal-posts&p=145638 Data controllers have weaponised consent by using privacy policies written in legalese and dark patterns to hide privacy-protecting options, argues St Andrews PhD student Janis Wong

The post Who is responsible for our data and how do we get it back? appeared first on Legal Cheek.

]]>
This article is the best-in-category winner entry to the Justis International Law and Technology Writing Competition 2020, from the category of ‘social media, data and privacy’

In our data-driven society, every piece of technology that connects us to the internet collects our personal data (any information relating to an identified or identifiable natural person), building elaborate profiles on what we are doing, where we are, and even who we are.

As data subjects (those about whom personal data are collected), we can no longer hide from data controllers (those who collect and determine what these data are used for). With every data breach and data sharing revelation from Cambridge Analytica to Google’s Project Nightingale, our personal data is becoming less personal, where data attached to our identity are no longer in our control and becomes harder for us to identify who is responsible.

The data subject’s struggle

Recognising the need to protect privacy as an individual’s right, data protection attempts to rebalance power between data subjects and data controllers. The European General Data Protection Regulation (GDPR) [1] grants data subject rights such as the right of access [2], right to be forgotten [3], and right not to be subject to a decision based solely on automated processing [4]. Data controllers must also follow the principles of data protection by design and by default [5]. However, even with the GDPR, data subjects still lack the extra hours and cognitive capacity to exercise these rights. Only 15% of EU citizens feel completely in control of their personal data [6]. Additionally, while there are multiple means for lawful processing of personal data [7], data controllers have weaponised consent by using privacy policies written in legalese and dark patterns to hide privacy-protecting options, obfuscating how data subjects’ data are reused, aggregated, and anonymised to make decisions about them.

Everyone is a data controller

Responsibility over personal data is further complicated where judgements have expansive interpretations of who could be considered a data controller. A user who administers a Facebook Group or Page [8], a website operator who has a Facebook ‘like’ button or other social plug-ins [9], and a religious community whose congregation conducted preaching activities and collected personal data [10] are ‘joint controllers’ who are all liable if one controller breaches requirements on those data. This significantly increases the number of data controllers and people responsible for personal data, where not all joint controllers need to have access to the data for joint controllership to occur. While these judgements introduce more responsibility, they also disperse where data responsibility lies, increasing the ambiguity over who can share, reuse, and repurpose data.

From my data to our data to your data

Beyond the individual, initiatives such as Decode encourage public institutions to be more responsible with its citizens’ data. However, governments continue to watch over its people through social credit scoring, criminal sentencing, and partnerships with privately-owned, pervasive technologies. In the age of surveillance capitalism, where personal experiences are translated into free raw material for behavioural data, our personal and derived data are collectively used against us. Although data protection and information rights enable some forms of transparency and accountability, our data are still often used without our knowledge and without legal recourse as decisions are made using unexplainable black-box algorithms [11].

Want to write for the Legal Cheek Journal?

Find out more

Reclaiming our personal data

In order to better understand how our personal data is being used and abused, we need to look beyond data protection on an individual level. Instead, privacy should represent an ecosystem that requires legal and socio-technical collaboration between lawyers, technologists, policymakers, and most importantly, us as data subjects.

Firstly, stronger regulation beyond data protection is required to fully realise the responsibility data controllers have over our personal data. While the European Data Protection Board established guidelines to clarify the GDPR, further regulatory guidance has only been provided by academics and has yet to be codified. Regulators should do more to prevent ‘ethics washing’, whereby data companies use ethics boards and policies to limit regulation. Competition law in particular may help us escape the grasp of digital behemoths. Looking beyond fines, Margrethe Vestager, the EU’s competition commissioner, plans to regulate industries such as artificial intelligence and gig economy companies to return the ethos of ‘consumer is king’ back to data subjects. Other mechanisms include using legal data Trusts to empower data subjects by facilitating access to pre-authorised, aggregated data and remove key obstacles to the realisation of the potential underlying large datasets.

Secondly, although many of the challenges described are driven by the business models of data controllers, technology should be considered part of, and not excluded from, solutions that help data subjects better understand how our data are processed and managed. Tools such as Databox, Jumbo Privacy, and DoNotPay are already beginning to challenge the data protection practices of Big Tech companies, providing alternatives to existing services and mechanisms for control.

Finally, in considering how personal data should be best protected, data protection must be considered beyond the individual. Data protection should look beyond privacy as control and be expanded to include the ability to participate and engage with other individuals and groups, crowdsourcing information and solutions to personal data challenges. Philosophical discussions surrounding group privacy can be put into practice. Developing a data protection public sphere and commons, regulators, lawyers, and technologists can support data subjects in minimising the risks involved in the public use of anonymised personal data [12] and establish the necessity for collective rights [13] before and after data are collected. The protection of data subjects with regard to the processing of personal data can only be achieved where legal frameworks and technological mechanisms include input from data subjects to respect their data protection requirements.

The responsibility over our personal data should not burden data subjects. As data protection matures, this responsibility should be shared with all stakeholders that benefit from the personal data, not only with those about whom personal data are collected. It is only with legal and technical collaboration that data subjects can be collectively protected, governing the data protection landscape for the benefit of our current and our future selves.

Janis Wong is a PhD student in computer science at the Centre for Research into Information, Surveillance and Privacy (CRISP), University of St Andrews. She holds a LLB from the London School of Economics and a MSc in computing from the University of St Andrews.


The Justis International Law and Technology Writing Competition is in its third year. This year, the competition attracted entries from students at 98 universities in 30 countries. Judging was conducted by a panel of industry experts and notable names, including The Secret Barrister and Judge Rinder.


Sources:

[1]: Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1.
[2]: ibid art 15.
[3]: ibid art 17.
[4]: ibid art 22.
[5]: ibid rec 108.
[6]: Bart Custers, Alan M. Sears, Francien Dechesne, Ilina Georgieva, Tommaso Tani, and Simone van der Hof, ‘Conclusions’ in Bart Custers, Alan M. Sears, Francien Dechesne, Ilina Georgieva, Tommaso Tani, and Simone van der Hof (eds), EU Personal Data Protection in Policy and Practice (T.M.C. Asser Press 2019).
[7]: General Data Protection Regulation, art 6.
[8]: Case C‑210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2018:388.
[9]: Case C-40/17 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV ECLI:EU:C:2019:629.
[10]: Case C-25/17 Tietosuojavaltuutettu v Jehovan todistajat — uskonnollinen yhdyskunta ECLI:EU:C:2018:551.
[11]: Frank Pasquale, The Black Box Society: The Secret Algorithms That Control Money and Information (Harvard University Press 2015).
[12]: Luciano Floridi, ‘Group Privacy: A Defence and an Interpretation’ in Linnet Taylor, Luciano Floridi, and Bart van der Sloot (eds), Group Privacy: New Challenges of Data Technologies (Springer International Publishing 2016).
[13]: Joseph Raz, The Morality of Freedom (Oxford University Press 1986).

The post Who is responsible for our data and how do we get it back? appeared first on Legal Cheek.

]]>
https://www.legalcheek.com/lc-journal-posts/who-is-responsible-for-our-data-and-how-do-we-get-it-back/feed/ 0
The Great British ‘internexit’ from the EU https://www.legalcheek.com/lc-journal-posts/the-great-british-internexit-from-the-eu/ https://www.legalcheek.com/lc-journal-posts/the-great-british-internexit-from-the-eu/#respond Tue, 21 Apr 2020 09:55:21 +0000 https://www.legalcheek.com/?post_type=lc-journal-posts&p=142651 Brexit marks a turning-point in internet regulation in the UK -- future magic circle trainee William Holmes explains why

The post The Great British ‘internexit’ from the EU appeared first on Legal Cheek.

]]>
Brexit marks a turning-point in internet regulation in the UK — future magic circle trainee William Holmes explains why

The United Kingdom had been eagerly awaiting Brexit Day on 31 January. But another vitally important date was arguably ten days earlier.

On 21 January 2020 the UK took its first steps towards outlining its internet exit — or ‘internexit’ — from the EU. On that day, the UK government minister Chris Skidmore announced the first break with the planned European internet legislation, stating that the UK would not implement the controversial EU Copyright Directive (Directive (EU) 2019/790), commonly known as the legislation which ‘banned’ memes. This marks a turning-point in internet regulation for the UK. Whilst most European law will be imported into UK domestic law (a process known as onshoring), the power to choose what the British internet will look like is in the hands of Britain’s Prime Minister Boris Johnson and the UK Supreme Court.

But why has the UK made this first move away from the European internet? And, in light of this, what will replace European internet regulation and its values of “openness, inclusivity, transparency, privacy, cooperation and protection of data”?

The catch-22

Skidmore’s announcement that “the United Kingdom will not be required to implement the Directive [EU Copyright Directive], and the government has no plans to do so” complies with Boris Johnson’s opinion that the EU Copyright Directive is “terrible for the internet”.

The EU Copyright Directive will ensure online platforms (like Facebook and YouTube) that commercially benefit in Europe from copyrighted content pay rights holders for their content. This means that online platforms will have to take a more active role in monitoring content that could be copyrighted. Furthermore it enforces the principle, enshrined in Article 17, of closing the “value-gap”, which sees Hollywood and media creators hit back at free online streamers and the tech giants.

Article 17 leaves these tech firms with a catch-22 and a difficult dilemma. The catch-22 is that the creation of large quantities of viral content makes tech firms successful, but also means that there is much more content to monitor. For YouTube that means, after having enticed their two billion monthly viewers to watch videos on their platform, they have to monitor the one billion hours of content that they stream every day. This brings us to the dilemma for tech firms. They must choose between spending on artificial intelligence (AI) to try and complete the near impossible task of policing their content, or they may be forced to pull out of the markets where more stringent regulation is not worth complying with. Therefore, it is unsurprising that Article 17 has received the bulk of the Directive’s criticism.

Counterproductive and costly

These more stringent copyright laws are in line with the European Commission’s ‘Digital Single Market Strategy for Europe’ which, as former president Jean-Claude Juncker explained, aims to create “digital services that cross borders and a wave of innovative European start-ups”. Yet, the EU Copyright Directive seems to be doing the opposite. Instead it risks creating increasingly confusing cross border barriers which, with an absence of case law from the European Court of Justice (CJEU), will depend on national case law. This means that cultural differences determine whether copyrighted content has been acceptably used “for the specific purposes of quotation, criticism, review, caricature, parody or pastiche” which will vary from jurisdiction to jurisdiction. After all, Germany’s sense of humour is different to France’s!

Want to write for the Legal Cheek Journal?

Find out more

And if this is a cash-burning headache for big tech companies, it is potentially crippling for start-ups. The greatest irony is that the tech giants are the most likely to develop AI solutions to these regulatory issues, which they could then sell to start-ups, thereby reducing market competition. Therefore, even if regulatory compliance is achieved, the EU will have failed to make the market more competitive, limiting opportunities for their “wave of innovative European start-ups”.

If you are one of 27 EU member states, you have until June 2021 to implement the EU Copyright Directive into national law. Consequently, Poland has launched legal action to the CJEU which seeks to annul Article 17. Conflicted rulings, litigation, dispute resolution and new legislation will certainly create a copyright storm for online platforms as they become increasingly liable for their content.

The Great British ‘internexit’

The UK, however, has a reprieve. Brexit will allow the UK Supreme Court to be able to follow or ignore CJEU case law, and the UK will have political autonomy over its internet objectives and values. The UK’s internet values and strategic position today can be summarised as innovative and ethical.

The UK has been innovative in developing its economy to embrace digital transformation. British regulation has pursued the internet’s ability to ‘enable’ in an exemplary fashion. The Financial Conduct Authority (FCA) has launched its “global sandbox” to allow fintech firms to trial their products alongside regulators. The UK Jurisdiction Taskforce of the LawTech delivery panel has ruled that cryptoassets are legal property and smart contracts are legally binding. Moreover, the Treasury’s 2019 review of the payments landscape is expected to yield innovative and collaborative work between Central Banks, with the outgoing governor of the Bank of England proposing the implementation of a global cryptocurrency.

This innovative regulatory environment, coupled with London’s status as an important global financial centre, as well as the UK’s production of talent thanks to the wealth of excellent academic institutions, has seen Britain’s capital become the most popular investment hub for tech start-ups. The strategy is to attract the digital revolution to the UK. In addition, Britain’s Online Harms White Paper, a global regulatory first which was launched in April 2019, aims to make the British internet safer by empowering an independent regulator with penalties akin to those in the General Data Protection Regulation (GDPR) for breaking the UK’s “code of practice” for tech companies (the maximum fine under GDPR is a sum equivalent to 4% of annual turnover or €20 million (whichever is the larger sum). As a result, the UK’s internet is both commercial and well-regulated. Therefore, the UK is in a good position to benefit from an internexit from the EU.

Surfing the (5G) waves

The ‘Great British internexit’ allows the UK to develop its internet independent of the constraints of poorly designed European legislation. But the UK’s internet is also well-regulated thanks to European regulatory efforts. The EU’s aforementioned GDPR has been championed by the Information Commissioner’s Office (UK data privacy regulator) which has readily dished out record-breaking fines. The EU’s aims and values should also not be forgotten by Britain as it enters a period of negotiations with other nations to determine its new position in the world. And whilst our legislative powers have gained independence from the EU, the UK may well be more reliant on other nations which can leverage policy decisions in their favour.

Recently, France backed down on implementing its 3% digital tax, after the threat of tariffs by the US. The UK also wants to implement a digital tax but as Britain enters trade negotiations with the US, the values and policy objectives up for sale are unknown. Another internet-related issue that has fallen into choppy waters is the UK’s 5G radio waves. The US’s disapproval of Huawei’s (a Chinese tech company) stake in building Britain’s new 5G infrastructure threatened to make technological progress slower and more expensive for the UK. Furthermore, these complex trade-offs must be decided quickly if Boris Johnson is to keep his promise of securing a trade deal with the US by the end of 2020. And ethical trade-offs may be on the cards as well.

The UK might also be forced to sell its internet ethics in order to remain commercial. Britain’s ability to diverge from European Privacy Standards could leave British citizens’ privacy unprotected and at the mercy of data-hungry tech giants. Consequently, the UK’s digital modernisation, innovation and ethics are potentially under threat.

Conclusion

From now on around 62 million British internet users will develop a unique internet, as the UK forges its own path towards the creation of the ‘British internet’. In Brexiteer spirit, this has been correctly proclaimed as a great opportunity. Many will seize on the UK’s ability to avoid the controversial EU Copyright Directive as proof of the success of Britain’s internexit. But there is no reward without risk. Picking strategic allies who have objectives to change British internet policy, such as the US, will not be an easy battle. In addition, the blatant abuses of data privacy in the Snowden leaks and the Cambridge Analytica scandal warn us of the consequences of regulatory failures. It is possible that these detrimental trade-offs are the price to pay for a more commercial British internet.

William Holmes is a penultimate year student at the University of Bristol studying French, Spanish and Italian. He has a training contract offer with a magic circle law firm.

The post The Great British ‘internexit’ from the EU appeared first on Legal Cheek.

]]>
https://www.legalcheek.com/lc-journal-posts/the-great-british-internexit-from-the-eu/feed/ 0
GDPR: 1 year on https://www.legalcheek.com/lc-journal-posts/gdpr-one-year-on/ https://www.legalcheek.com/lc-journal-posts/gdpr-one-year-on/#respond Fri, 28 Jun 2019 12:04:57 +0000 https://www.legalcheek.com/?post_type=lc-journal-posts&p=131954 University of Edinburgh law student Nicole Pitches examines its impact over the past 12 months

The post GDPR: 1 year on appeared first on Legal Cheek.

]]>
University of Edinburgh law student Nicole Pitches examines its impact over the past 12 months

The General Data Protection Regulation (GDPR) took the EU by storm, and everyone scrambled to maintain the highest standard of data privacy known to date. So what has the GDPR actually achieved in the past year? Have any major companies fallen victim to the dreaded fine of 4% annual global revenue?

Fines have indeed been distributed across Europe, with smaller organisations falling subject to the scrutiny just as much as larger ones. In March of this year, the president of the Polish Personal Data Protection Office (UODO) imposed a €200,000 fine (£180,000) to a relatively small organisation. The company knew about the GDPR requirement to inform data subjects of data processing activities, but failed to do so. As the data subjects were unaware of their rights, they were not able to object to the further processing of their data or request the data’s rectification or erasure. The director of the Analysis and Strategy Department at UODO, Piotr Drobek, revealed the controller had denied the information to over 6 million people, with the president claiming it was done intentionally.

By comparison, in May 2019 the Belgian equivalent of the UODO, the Belgian Data Protection Authority (DPA), issued a fine for just €2,000 (£1,800). The case was taken to the DPA’s Litigation Chamber, where it was found the defendant, a mayor, collected email addresses in order to send out electoral campaign-related materials, and thus violated the principles of the GDPR, namely article 5(1)(b) which states that the data collected must be for “specified, explicit and legitimate purposes” and not further processed for new, incompatible purposes.

Following the DPA’s decision in the mayor/email case, the UK’s Information Commissioner’s Office (ICO) announced that it would focus on the use of personal information in political campaigns, use of surveillance and facial recognition technology, artificial intelligence, big data and machine learning.

Elsewhere, Ireland set its sights on the major internet giants due to their taxation arrangements within the country. The head of Ireland’s Data Protection Commission, Helen Dixon, predicts that within the next month we’ll see the first enforcement action reach the European Data Protection Board. The response of companies has been to become “combative” by “lawyering up” — hardly surprising given the amount of EU scrutiny.

So far GDPR may not have forced organisations to cough up eye-watering amounts of money, bar a couple of exceptions, but plenty of data breaches have been reported to have occurred over the past year. In February 2019, DLA Piper revealed that over 59,000 breaches had been reported throughout Europe, with Germany, the Netherlands and the UK securing top spots for the highest number of breach notifications.

Want to write for the Legal Cheek Journal?

Find out more

So, what have we learned from all this? PrivSec, a blog specialising in internet privacy and security, rightly points out that while the GDPR has brought about many challenges for business, it has upped data standards and increased the demand for privacy professionals. The very nature of the GDPR demands companies to engage in efficient and accurate documentation from the very beginning, improving the overall standardisation of data protection. General cybersecurity has also been vastly improved, with networks, servers and infrastructures being readily upgraded in order to limit the possibility of data breaches.

Since its implementation in Europe, the GDPR has prompted a number of other regulators to devise data protection and privacy legislation, such as Brazil’s Personal Data Protection Regulation and the Californian Consumer Privacy Act.

Despite the optimism surrounding the GDPR, there have been complaints that regulators have not been quick enough to issue fines. Of the €56 million (£50 million) dished out in financial penalties since GDPR’s implementation, €50 million (£45 million) was the result of just one single fine: the French DPA against Google in January of this year over its use of user data to create personalised adverts.

While this huge fine may seem to some like a major victory for data protection, it only makes up for 0.04% of Google’s total revenue in 2018. However, the EU has taken note of this, with the Dutch DPA creating a fining matrix to gauge how administrative fines should be calculated. There are reports other EU countries are looking to create something similar.

Now that a year has passed, the ICO has recommended that both large and small organisations move beyond mere “baseline compliance”, and start focusing on “accountability with a real evidenced understanding of the risks” posed to individuals. GDPR compliance will need to be continuously monitored, and while we have not yet seen any truly damaging data breaches, investigations continue, the results of which are eagerly awaited.

Nicole Pitches is a postgraduate law student at the University of Edinburgh. She recently completed her LLB at the University of Warwick.

The post GDPR: 1 year on appeared first on Legal Cheek.

]]>
https://www.legalcheek.com/lc-journal-posts/gdpr-one-year-on/feed/ 0
The final countdown to GDPR compliance begins https://www.legalcheek.com/lc-journal-posts/the-final-countdown-to-gdpr-compliance-begins/ Thu, 15 Feb 2018 15:15:32 +0000 https://www.legalcheek.com/?post_type=lc-journal-posts&p=108839 Womble Bond Dickinson's data protection team explains the key points of the big legislative change of 2018

The post The final countdown to GDPR compliance begins appeared first on Legal Cheek.

]]>
Womble Bond Dickinson’s data protection team explains the key points of the big legislative change of 2018

The EU’s General Data Protection Regulation (GDPR) takes effect on 25 May 2018. This means organisations have a matter of months to achieve compliance.

Much has been made in the press about the significant obligations that the GDPR will place on all organisations. It will undoubtedly be challenging for organisations to assess the actions that they need to take to move towards compliance and then implement those actions.

The application deadline for Womble Bond Dickinson's work placements and 2020 training contract is on Wednesday 28 February

We advise public, private and third sector organisations of all sizes (from SMEs to multi-nationals) on a range of matters from large scale projects to day-to-day advice. In the video below we give an overview of the GDPR and what it means to business, based on our experience of advising some of the UK’s best known organisations on privacy and data issues.

For more commercial awareness insights, check out Womble Bond Dickinson’s articles & briefings blog.

The post The final countdown to GDPR compliance begins appeared first on Legal Cheek.

]]>