THE GDPR BETWEEN STRENGTHENING THE INTERNAL MARKET AND MONITORING EUROPEAN CITIZENS

Alessandro Tomaselli

Cultore di Diritto dell’Unione europea nell’Università Kore di Enna

 

Abstract: Regulation (EU) 2016/679, which came into force in May 2018, brings with it significant innovations regarding the protection of sensitive data and privacy of the individual in the age of the Internet, in particular, among other things, through a series of obligations on the subjects (e-mail servers, internet providers, search engines, companies, public bodies, etc..) whose activities on the network involves the processing of data in question. Specifically, the normative text in question, promulgated in order to update the previous discipline of the Directive 95/46/CE and finalized textually to the ambitious objective of elevating the protection of the natural persons with regard to the treatment of the data of a personal character to a fundamental right in a uniform perspective, seems to be characterized by a ratio more guaranteed towards European citizens in terms of control on the use of the information regarding their own person by the aforementioned subjects. However, in this context we will try to offer a deepening within a different critical view and analysis of the rule in question through the identification of what appears to be the real object of protection in the matter, and that is the strengthening and subsequent proper functioning of the market.

 

Keywords: European Union, market, GDPR

 

 

          Preliminary remarks:

On 25 May 2018, Regulation (EU) No 2016/679[1] of the European Parliament and of the Council (hereinafter also referred to as GDPR) on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC[2] was implemented within the territory of the EU. Despite to the adavantages that this Regulation gives to the european people, the analysis of the Regulation in question should be reconsidered within a renewed perspective, more concrete, raw even, but perhaps capable, as revealing the authentic assumptions and purposes underlying its promulgation, to reveal the essential mercantilistic matrix.

This perspectice seems to be confirmed by some parts of the GDPR and the proposal for a Directive adpoted by European Parliament on the re-use of information in the public sector (so-called secondary use) that promises to radically revolutionize the standards of data protection of European citizens. In this sense, the protection of the individual, even if it is an immediate object of protection, assumes a functional relevance to the achievement of the above indicated objective, in the final analysis, assuming relevance for the EU system, the potential of consumption attributable to the individual, which, therefore, does not detect in re ipsa.

Personal data have become a commercial tool and people have become data packages for exchange in our increasingly deindustrialised and volatile societies. Transparency societies have, through social networks, amplified on a mass level our compulsion to homologate ourselves according to desires and needs that are substantially functional to the market: in this way, however, our autonomy has turned into its opposite, into an instrument of control and coercion where we have become the controllers of ourselves, realizing the dreams of the multinationals of the digital economy.

At this point, the reform of the directive on secondary use appears functional to the objective of putting all the information that we more or less consciously release, regardless of the type, more or less personal character, more or less sensitive, in the total and perpetual availability of those who have the means to rework and transform them into goods and capital. It is not to be ignored, then, that the collection of personal data assumes economic importance in itself considered, besides and, therefore, apart from a configuration of the subject as a medium of the market; and this is precisely the deserving passage, in the opinion of the writer, of specific attention: the increased capacity of storage of data by the current databases for those who carry out a commercial activity on the Internet constitutes a source of new wealth, even if, at the moment, it has no appropriate discipline. In fact, the expertise in the analysis of the above data is undeniable as they now represent indicators of such importance in order to intercept the changing market trends to be raised to activities autonomously endowed with enormous capacity for profit.

The diffusion of artificial intelligence systems (virtual assistants) on our smartphones, on the Internet, in household objects or other portable devices (smartwhatch, health tracker), on automobiles (autonomous or semi-autonomous vehicles), the elaboration of new algorithms able to treat more efficiently the inexhaustible amount of data we produce (big data), the advent of the internet of things that can make all objects interconnected and able to interact in our cities (smart cities) or in our homes (home automation) are revolutions that are already profoundly changing our lives.

This is an epoch-making transformation that identifies the information we generate as its fulcrum. Information identifies us and for this reason has a growing economic value in a market increasingly marked by the use of digital technologies. The convergence of these new technologies will produce, in fact, more amounts of data that will give an increasingly precise image of our habits, our desires, what we think or want (or perhaps would like) to do, thus generating new services, new products, new business opportunities. But also new possibilities of control.

For this reason, the control of information is more or less indirectly reflected on our lives and its discipline is to represent an object of desire of those who move on the market, as well as those who draw the contours as the regulator.

In conclusion, the perplexities that can be traced back to Regulation 2016/679 do not seem of little importance, above all, with regard to the unpredictable deflagrating potentialities deriving from the use, analysis and conservation of boundless quantities of sensitive data within the indefinite virtual space constituted by the Internet[3], as well as to the authentic object of protection referred to in this Regulation.

 

 

 

 

1.      Critical aspects of the GDPR: the European citizen as a market function?

 

          Despite to the theoretical goals to be reached by the promulgation of the GDPR[4] and to the advantages for inbdividuals [(overcome the "fragmentation of the protection of personal data in the territory of the Union" and the prejudices deriving from the "coexistence of different levels of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data" and the so called risk based approach, a principle by virtue of which the measure of responsibility of the holder or the person responsible for the treatment is determined, taking into account the nature, the scope, the context and the purposes of the treatment, as well as the probability and gravity of the risks for the rights and freedoms of the users; the increased territorial applicability (the discipline binds anyone, European operator or not, regardless of its territorial location, uses data relative to citizens of the Union); the network of precautions provided for with regard to consent (which may in any event be revoked at any time), so that there is no longer any possibility for undertakings to have recourse to incomprehensible contractual conditions; the strengthening of the right of access, with the possibility for the data subject to obtain confirmation of the processing of the data and its purposes, and a copy of such data in electronic form, without charge to the applicant; data portability (right to transmit one's own data to another holder); "privacy by design", a concept that is certainly not innovative but that is now only enshrined in a legislative text; the provision of a new role, that of the so called DPO (Data Protection Officer), responsible for data processing (for companies whose main activity consists of processing operations that require the use of a in processing operations which require the regular and systematic monitoring of data subjects on a large scale); the right to erasure of data (the so-called right to be forgotten)], the analysis of the Regulation in question should be reconsidered within a renewed perspective, more concrete, raw even, but perhaps capable, as revealing the authentic assumptions and purposes underlying its promulgation, to reveal the essential matrix.

          Confirmations in this sense seem to be found within the GDPR itself through the identification of the "importance of creating a climate of trust which will allow the development of the digital economy in the entire internal market", as well as the clarification by virtue of which "It is opportune that the physical persons have control of the personal data which concern them and that the legal and operative certainty is strengthened both for the physical persons and for the economic operators and the public authorities" (Recital N° 7).

          Further remarks in the above perspective also seem to be apparent from Recital No. 9, 13 and 42 of the Regulation in question: the first, concerning the reasons behind a uniform framework ending the fragmentation of the application of the protection of personal data in the territory of the EU, specifies how the differences between different levels of protection of the rights and freedoms of natural persons can constitute a brake on the exercise of economic activities on a Union scale, distort competition and prevent national authorities from fulfilling their obligations under Union law; the second, expressly identifies the good functioning of the internal market as the underlying objective of the need not to restrict or prohibit the free movement of personal data within the Union for reasons relating to the protection of individuals with regard to the processing of personal data; the third, finally, in recalling in analogy the discipline prepared by Directive 93/13/EEC[5] in favor of the consumer with regard to unfair terms of so called contracts by accession seems to endorse the suggested hermeneutical option.

            In the light of the above, the real aims underlying the enactment of the Regulation in question do not seem, therefore, to be identified with the need to ensure a higher level of protection in favour of the subject in question, who is increasingly present on the web and regardless of his capacity to consume, but seem in reality to be attributable only to the hypotheses in which those who act online carry out an activity that in some way has an economic value.

            Consequently, the ultimate and authentic objective at the basis of the regulatory intervention of the European legislator seems, once again, represented by the protection and strengthening of the market, and therefore by the relative identification of criteria, rules and principles to discipline the correct and safe course, in the specific case through the progressive consolidation of a safe virtual environment where the subject can operate with no fear.

            From this point of view, the protection of the individual, even if it is an immediate object of protection, assumes a functional relevance to the achievement of the above indicated objective, in the final analysis, assuming relevance for the EU system, the potential of consumption attributable to the individual, which, therefore, does not detect in re ipsa.

            It is not to be ignored, then, that the collection of personal data assumes economic importance in itself considered, besides and, therefore, apart from a configuration of the subject as a medium of the market; and this is precisely the deserving passage, in the opinion of the writer, of specific attention: the increased capacity of storage of data by the current databases for those who carry out a commercial activity on the Internet constitutes a source of new wealth, even if, at the moment, it has no appropriate discipline. In fact, the expertise in the analysis of the above data is undeniable as they now represent indicators of such importance in order to intercept the changing market trends to be raised to activities autonomously endowed with enormous capacity for profit.

            In this way, therefore, we are able to identify a new form of economy, the so-called economy of reputation, which finds its specific reason for being in the data and in the relative analysis, "given that these data have begun to acquire an economic value - pertaining both to the data itself and to the information of which they are bearers - which, according to many, can be quantified. A question of data governance, therefore, which is expressed in the claim of the system to guarantee to rights holders a precise and efficient control of the data within storage systems, a control such as to define every nuance of each single processing operation"[6].

            The diffusion of artificial intelligence systems (virtual assistants) on our smartphones, on the Internet, in household objects or other portable devices (smartwhatch, health tracker), on automobiles (autonomous or semi-autonomous vehicles), the elaboration of new algorithms able to treat more efficiently the inexhaustible amount of data we produce (big data), the advent of the internet of things that can make all objects interconnected and able to interact in our cities (smart cities) or in our homes (home automation), are revolutions that are already profoundly changing our lives. This is an epoch-making transformation that identifies the information we generate as its fulcrum.

            Information identifies us and for this reason has a growing economic value in a market increasingly marked by the use of digital technologies. The convergence of these new technologies will produce, in fact, more amounts of data that will give an increasingly precise image of our habits, our desires, what we think or want (or perhaps would like) to do, thus generating new services, new products, new business opportunities. But also new possibilities of control.

            For this reason, the control of information is more or less indirectly reflected on our lives and its discipline is to represent an object of desire of those who move on the market, as well as those who draw the contours as the regulator.

          And to confirm all this, it is not surprising that recently the European Parliament, in order to adapt the European market to this revolution that sees us all (more or less involuntarily) protagonists, adopted a Resolution on the proposal for a Directive on the re-use of information in the public sector (so-called secondary use) that promises to radically revolutionize the standards of data protection of European citizens: thanks to the GDPR, principles such as 'privacy by design' and 'privacy by default' represent a reference point able to transform, and in part have already done so, the strategies of web giants such as Google, Amazon, Facebook and the world's leading electronics companies Apple, Ibm, Huawai etc. The line now drawn by the European institutions, Parliament in agreement with the Council, is going to contradict this approach by introducing some completely antithetical principles that can only distort the current European regulatory framework: these are the principles of 'openess by design' and 'openess by default' (art. 3, 2 bis).

          The basic idea of the new legislation on secondary use is that an enormous amount of data is produced through public institutions, and this mass of information represents the new Eldorado of digital companies, and must therefore be made available to the community, that is to say, to anyone who has the means and resources necessary to invest in it, therefore, both public and, above all, private companies. This is in order to "further stimulate digital innovation, in particular in the field of artificial intelligence" (recital 3). "The intelligent use of data, including their processing through artificial intelligence applications, can transform all sectors of the economy", contributing "to improving the single market and the development of new applications for consumers and businesses". (recitals 10 and 6a). For this reason, "all data from publicly funded research should be made available by default" (Article 10).

          Moreover, access to information, as the European Parliament reminds us, is a fundamental right enshrined in the Charter of Fundamental Rights of the European Union itself, which protects freedom of expression, which includes not only freedom of opinion but also, and above all, the freedom "to communicate information or ideas without interference by public authorities and without frontier limits" (recital 4a and Article 11). The proposal for a directive does not provide for any limitation by type of data, even sensitive data.

          This revolution would affect any category of data processed in sectors which, according to the opinion of the Committee on the Internal Market and Consumer Protection, do not have an immediate economic value (textual), such as education, the environment or health (recital 60a). This will lead to a paradoxical and schizophrenic situation where the public (as well as private individuals) will be subject to a whole series of limitations in collecting data to defend our privacy but then once collected and processed will be obliged to share them with anyone and for whatever reason and purpose of processing.

          In this way, the gap between public and private is destined to grow, progressively eroding the bases of competitiveness of the former, who will find himself increasingly in difficulty in the face of a market that will be able to freely draw on all its information resources (even sensitive ones) at a ridiculous cost. In such a framework there would be no scandal.

          Today we are all interconnected, which means that which means that we all spontaneously participate in this technologically advanced era to which neoliberalism has led us. The data we generate is the boundary of our freedom. Paradoxically, however, through the continuous generation of data, sharing it ourselves spontaneously, we only feed the reasons of those who shape this neo-liberal version of capitalism. The progressive lowering of the thresholds of our confidence that the daily use of the technologies that surround us and envelop us, like our devices, social media, the interconnected objects of our homes and work environments, only reduces complexity, predisposing us to share what we would not otherwise share, moreover, mind, not coercively. In postmodern societies, in fact, coercion has been replaced by the seduction of the will that is brought to want and introject the same goals that the market pursues: when we want a product, a service, an application, we only want what the market, thanks to the inexhaustible collection of data that allows us to trace our dreams, our desires, our needs, makes us, finally, want.

          Personal data have become a commercial tool and people have become data packages for exchange in our increasingly deindustrialised and volatile societies. Transparency societies have, through social networks, amplified on a mass level our compulsion to homologate ourselves according to desires and needs that are substantially functional to the market: in this way, however, our autonomy has turned into its opposite, into an instrument of control and coercion where we have become the controllers of ourselves, realizing the dreams of the multinationals of the digital economy.

          At this point, the reform of the directive on secondary use appears functional to the objective of putting all the information that we more or less consciously release, regardless of the type, more or less personal character, more or less sensitive, in the total and perpetual availability of those who have the means to rework and transform them into goods and capital.

          In this context, the right of access to data, the origin of which has been tried directly at the basis of the treaties, of which the Charter of Fundamental Rights of the European Union, following the Treaty of Lisbon, is perhaps one of the greatest expressions today, is nothing more than the right to unlimited control, from which no one can escape tomorrow. It should be stressed that the whole approach of the General Regulation on the protection of personal data, which has built up its fortunes precisely on the concept of 'privacy by design', is thus reversed. This change is perhaps self-defeating as far as the old continent is concerned.

          On the other hand, all this should not surprise much: we must not, in fact, forget how the European Union was born with the main objective of creating a single market within which goods, people, services and capital can circulate freely, and this in spite of the alleged humanistic ambitions that the EU claims to have.This fact cannot be denied and the economic and mercantile matrix of the then European Economic Community represents an essential quid from which Europe does not know, nor above all wants to emancipate itself.

 

3.      Conclusions

 

          In conclusion, the perplexities that can be traced back to Regulation 2016/679 do not seem of little importance, above all, with regard to the unpredictable deflagrating potentialities deriving from the use, analysis and conservation of boundless quantities of sensitive data within the indefinite virtual space constituted by the Internet[7], as well as to the authentic object of protection referred to in the same. In this regard, it should be added that also the so-called risk based approach, one of the founding principles of the GDPR, does not fully convince, because it delegates the assessment of the risk to the company, making the disputes more difficult in the case of violations, and pays greater attention to the processing of a large set of data, where it is clear that even the processing of small quantities of data can cause damage to individuals.

          Secondly, it is not given to fully grasp the need to prepare a specific normative discipline in order to attribute to the protection of personal data the chrism of "fundamental right", considered, in the meantime, that this prerogative of subjective nature already possesses such character as it is included within the art. 8 of the Charter of Fundamental Rights of the European Union; moreover, it leaves somewhat perplexed what is sanctioned by the Recital N° 4 of the Regulation which, precisely in reference to the human right in question, seems capable, apparently, of giving life to a sort of aberrant two-faced january of an absolute nature, but, at the same time, relative: "The right to the protection of the data of character but must be considered in the light of its social function and must be reconciled with other fundamental rights, in accordance with the principle of proportionality"[8].

          Moreover, it seems to represent an inextricable paradox to identify, at least in the abstract, in the elevation of the right to the protection of the personal data of the natural persons, the main inspirational rationale of the Regulation in question where it is the GDPR itself, instead, to sanction, precisely by virtue of the preliminary provision just mentioned, his relativity[9]! 

          Once again, therefore, the reference to human rights seems more to represent the product of a clumsy political use of the same, and instrumental to the identification of grips of an absolute nature aimed at legitimizing the work of the European legislator, guaranteeing at the same time the pursuit of the real objectives underlying its initiatives.

           

 

 

 

 



[1] The text, adopted on April 27, 2016, published in the European Official Journal on May 4, 2016 and entered into force on May 25 of the same year, is operational from May 25, 2018, in order to allow the laws of the EU Member States to prepare the related regulatory instruments for adjustment.

[2] And that together with the Directive (EU) 2016/280 (relating to the protection of individuals with regard to the processing of personal data by the competent authorities for the purposes of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, as well as the free movement of such data and repealing the Council Framework Decision 2008/977/JHA) composes the so-called "data protection package".

[3] Phenomenon against which the GDPR contrasts the unrealistic objective of data minimisation.

[4] It should be noted that the promulgation of the regulatory text in question is, in fact, to be traced back to a renewed process undertaken in 2012 by the legislator in Brussels, and aimed at identifying new rules common to all EU Member States in the field of personal data protection and which the GDPR itself, therefore, is to be considered the final outcome: in particular, the presentation by the European Commission of the complete package on the protection of personal data, in which both the proposal for a Regulation object of this essay and the proposal for a Directive concerning the protection of individuals with regard to the processing of personal data by the competent authorities for the purposes of prevention, investigation, detection and prosecution of crimes or the execution of criminal sanctions, and the free circulation of such data were presented for the first time, is dated 25 January 2012.  This was followed by the adoption in Europe of other initiatives aimed at facilitating the transition of individual national laws to the aforementioned new digital horizons, the most important of which is certainly that undertaken by the EU Commission in 2016, known as Digitising European Industry Initiative and specifically functional to the creation of the Digital Single Market (Digital Single Market). This project, in particular, aimed at ensuring that every company operating within the EU territory can reap the benefits of digital innovation regardless of its size, location and sector, is based on the following four fundamental pillars: 1) creation of a European platform for national initiatives on industrial digitisation; 2) digital innovations for all: digital innovation hubs; 3) strengthening leadership through partnerships and industrial platforms; 4) determination of a regulatory framework suitable for the digital era; 5) preparing citizens for the digital future. As part of this initiative, the so-called Directive (EU) 2016/1148 of the European Parliament and of the Council laying down measures for a common level of network and information system security in the European Union (the so-called "Digital Agenda for Europe") was adopted. Directive NIS, Network and Information Security), and were subsequently signed various documents relevant to the implementation of new technologies in relation to various contexts of European action: Among others, the "NIS eGovernment Action Plan 2016-2020 - Accelerating the digital transformation of government" dedicated to the digitization of public administration and the creation of digital services for users (COM (2016) 179 final) and the "European Cloud Initiative - Building a competitive data and knowledge economy in Europe" - aimed at the creation of a European economy based on the exchange of data and information through the use of technologies such as cloud computing, deserve mention. Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions (COM (2016) 178 final). 

[5] Council Directive 93/13/EEC of 5 April 1993 (OJ L 95, 21.4.1993, p. 29).

[6] Bonavita, Le ragioni dell'oblio, in Cyberspazio e diritto, vol. 18, n. 57 (I-2017), p. 99.

[7] Phenomenon against which the GDPR contrasts the unrealistic objective of data minimisation.

[8] Not to mention the beginning of the same Recital 4, according to which "The processing of personal data should be at the service of man", but, as has been demonstrated, resoundingly defeated by the content of other provisions of the GDPR, as well as by its essential inspirational rationale of mercantilistic inspiration, and therefore fully antithetical to the above mentioned abyss, and on the political nature of which very few doubts seem to exist.

[9] For the most part, it seems appropriate to add, through an incongruous and clumsy redefinition clearly borrowed from the Italian legal system: remember, in fact, as the art. 42 of italian Constitution expressly invests the right to property with a social function, thus unhinging its essentially proprietary nature enshrined in the Italian Civil Code, but not going so far as to deny its peculiarity (of a purely juridical matrix, and not also confusedly political as happens for the category of human rights) of absoluteness as traditionally understood (that is, opposability erga omnes), but only establishing its subordination with respect to renewed interests of a public nature.

Contatti

Università degli Studi di Enna "Kore" - Cittadella Universitaria 94100 Enna info@unikorestudent.it

Numeri utili >>

I nostri uffici sono aperti con orario continuato:

Da lunedì a venerdì 8:30 - 18:00
Sabato 8:30 - 13:00

Follow us

Seguici sui canali ufficiali dell'Università, rimarrai aggiornato in tempo reale sul mondo Kore
Su Facebook, Twitter e gli RSS feeds.