Protection of Personal Data in the European Union
- kjalas
- Feb 24, 2023
- 5 min read
by Kanerva Jalas
Digitalisation of our society has led to the daily use of digital devices, most of which are connected to the internet at all times. Digital relations between people often take place on commercial platforms online, which gather large amounts of personal data from each user. It was quickly realised that such behaviour by platforms and service providers should be regulated. An important principle that developed as a result is that of data protection, which governs how personal data may be collected, used and retained. Protecting data is of fundamental importance also because almost every action a user performs on the internet generates personal data. Such data might include, for example, a user's search history, the amount of time one remains active on a site, and which online purchases the user makes. Personal data also makes users increasingly vulnerable, as it is easier to gather and disseminate than ever before in our history. This vulnerability is aggravated by digitalisation: a large number of individuals own a mobile phone with an internet connection, or a household computer. It raises questions about our safety when using the internet. What exactly is data protection, and how can it be employed to ensure our safety?
To understand the concept, we must first define personal data. In the European Union (EU) the General Data Protection Regulation (GDPR) defines the scope of protection: personal data is any information relating to an ‘identified or identifiable natural person’ (Article 4(1)). This person is the ‘data subject’. Whether a person is identifiable is assessed by taking into account all the means reasonably likely to be used, by the controller or by any other person, to identify that individual (Recital 26); pseudonymised data therefore remains personal data for as long as the pseudonym can be linked back to a person, whereas genuinely anonymised data falls outside the regulation. Protection is required because different parties regard the personal data of individuals as valuable: a data controller is a natural or legal person who determines the purposes and means of the processing of personal data; a data processor, on the other hand, carries out the actual processing of the data on behalf of the controller, and does so in accordance with the controller's instructions. Both parties carry legal obligations, and can be held liable, for the data they handle. Under EU legislation, only natural persons enjoy the protection of the EU data protection rules; companies and other legal persons do not. Processing is understood broadly and covers, for example, the collection of personal data and its transformation into useful information, which can be presented in the form of graphs or other output. Not all countries have such extensive definitions: the United States has not enacted a nationwide data protection regime with uniform rules. Instead, its legislation comprises different state and sector-specific instruments which govern transactions within a state and internationally. However, because companies outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU must themselves comply with the GDPR (Article 3(2)), the above-mentioned definitions will be used.
How is personal data protected in practice? According to the GDPR, personal data can be lawfully processed if the data subject has consented to the processing. Consent is valid where the data subject has expressed it in a freely given, specific, informed and unambiguous manner. However, consent must also be obtained properly by the controller: where it is given in a written declaration which also concerns other matters (for example a general terms-of-service agreement), the request for consent must be presented in a manner clearly distinguishable from those other matters and in ‘clear and plain language’ (Article 7). Any part of such a declaration which infringes this requirement is not binding. Furthermore, every data subject has the right to withdraw consent at any time, and withdrawing consent must be as easy as giving it. Where the data subject is a child and the processing concerns online services offered directly to children, consent given by the child is valid only if the child is at least 16 years old (Member States may lower this age, but not below 13); below that age, the consent or authorisation of the holder of parental responsibility is required (Article 8).

Consent is, however, only one basis for processing. What constitutes lawful processing is defined in Chapter II of the regulation. First, the processing must comply with the principles laid out in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. While some principles are broad and open to interpretation, others impose direct limitations on controllers. For example, storage limitation means that once personal data is no longer needed for the purpose for which it was collected, it must be deleted or anonymised. Secondly, the processing must rest on a lawful basis. For ordinary personal data, Article 6(1) lists six such bases, of which consent is only one; the others cover processing that is necessary to perform a contract to which the data subject is party, to comply with a legal obligation of the controller, to protect the ‘vital’ interests of the data subject or another individual, to perform a task carried out in the public interest, or to pursue the controller's legitimate interests where these are not overridden by the rights of the data subject.
Where the processing concerns special categories of data (information which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data used to uniquely identify a person, data concerning health, and data concerning a person's sex life or sexual orientation), the processing is prohibited by Article 9(1) unless one of the exceptions laid out in Article 9(2) applies. The first of those exceptions is the explicit consent of the data subject; ordinary consent is not enough. To oversee proper application of the regulation, controllers and processors are required to appoint a Data Protection Officer (DPO) where they are a public authority, where their core activities involve regular and systematic monitoring of data subjects on a large scale, or where their core activities consist of ‘large-scale’ processing of special categories of data or of data relating to criminal convictions (Article 37).
The consequences of non-compliance include administrative fines against a controller or processor of up to 20 million euros or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5)). Such fines have been imposed in practice: in 2019 the French supervisory authority (CNIL) fined Google 50 million euros, and in 2020 the Hamburg authority fined H&M over 35 million euros. The largest fine at the time of writing is the 746 million euros imposed on Amazon by the Luxembourg authority in 2021. While fines have been regarded as an effective method of enforcing the regulation, some Member States have been accused of slow enforcement due to a lack of resources: in 2021 the European Parliament adopted a resolution calling on the Commission to open an infringement procedure against Ireland, whose Data Protection Commission had failed to take a speedy approach towards Big Tech companies such as Facebook and Apple.
Sources:
Hasty R, Nagel T W, and Subjally M, ‘Data Protection law in the USA’ (2013) Advocates for International Development.
Heine I, ‘3 Years Later: An Analysis of GDPR Enforcement’ (CSIS, 13 September 2021): <https://www.csis.org/blogs/strategic-technologies-blog/3-years-later-analysis-gdpr-enforcement> accessed on the 1st of February.
Houser K A and Voss W G, ‘GDPR: The End of Google and Facebook Or a New Paradigm in Data Privacy’ (2018) 25 Richmond Journal of Law and Technology 1, 98.
Senigaglia R, Irti C and Bernes A, Privacy and Data Protection in Software Services (Springer, 2022).
Lynskey O, The Foundations of EU Data Protection Law (Oxford University Press, 2015).
Council of Europe, European Union Agency for Fundamental Rights and European Court of Human Rights, Handbook on European Data Protection Law (2018 edition).
Talend, ‘What is Data Processing’: <https://www.talend.com/resources/what-is-data-processing/>, accessed on the 1st of February 2023.