The GDPR cannot be left alone

Is the need for privacy inherent to human nature or a temporary error shaped by the artifacts and technology that our brains have invented in the last millennium?

Private rooms only appeared somewhere in the last 600 years, and solo reading, in silence, became a common behavior when the printing press democratised the once luxurious (but exclusive) access to books.   

The right to privacy came much later. In the United States, it was only at the end of the 19th century when it was first coined, answering the growing fear of the first photography cameras. The document referred to privacy as “the right to be left alone”.

Today, privacy is law, protected by numerous regulations and global human-rights declarations. 

In one shot, and without being over simplistic, they all refer to the storage and usage of personally- identifiable information of individuals that governments, public or private organisations or other individuals can process. 

But if technology helped develop privacy to how it is conceived now, it’s also technology that is challenging the privacy rules and forcing humans to rethink the regulation around them. In Europe, the most conspicuous example of it is the General Data Protection Regulation or, simply, the GDPR. 

In the belle époque of digital, privacy finds itself powerless and blind because it can be jeopardised without an individual’s awareness of how and when personal data is being collected, censored or restrained. More serious still, transgressors are faceless, hiding behind unsweetened cookies and small camera lenses. 

To some, privacy is an anomaly. To any surveillance state—and they are on the rise— eroding it is justified in the name of security and to solve complex social issues. To the law, it’s the inherently special and sensitive human side that we all have the right to keep out of others’ prying eyes. 

Albeit, research on the subject has proved that people prefer privacy and intimacy, countless episodes in the centuries of history prove that the desire for privacy is shadowed by human needs. Yes, we even trade privacy for pleasure, whatever the shape it takes. 

This article is a wake-up call for us—as individuals responsible for our own security—and for organisations—as data controllers or data processors—to take a larger approach when acting on privacy matters, reflect on the role GDPR plays in our present, its scope and limitations, and to think of data hygiene more thoroughly.  

A soliloquy on Privacy

According to Privacy International,

Privacy enables us to create barriers and manage boundaries to protect ourselves from unwarranted interference in our lives.” […] This allows us “to negotiate who we are and how we want to interact with the world around us.

In legal terms, what’s considered as “privacy” translates into control of information (data and metadata), namely, who knows of it, what they know and to what extent. However, legal approaches to privacy differ, and they’re greatly influenced by culture and context. In human terms there is more consensus: privacy is that personal intimate space where body and soul allow themselves to manifest, to be bared and, sometimes, to be helpless.

It isn’t difficult to get confused in the maze of privacy-related terms. Let’s try a simplistic: Data Privacy and Data Protection are two faces of the same coin. The former relates to the rights to be in control of our data, and the rule deriving thereof; the latter deals primarily with technical measures, to ensure that the rules are properly enforced.

In Europe, the data privacy is unquestionable and unwavering or, well, it seems to be so far. 

In America, consumer convenience has been a determining factor to data privacy. Sophisticated algorithms fed with data that consumers exchange—mindfully or often times unmindfully—to get tailored products and services has made it more transactional. That doesn’t mean, however, that citizens feel at ease with it. In research conducted in 2019’s last quarter some 81% of American respondents said that “the potential risks they face because of data collection by companies outweigh the benefits”. 

In China, the giant of the far East, a strong sense of community—shaped during centuries of history and decades of an authoritarian regime—makes society less reluctant to give up their right to privacy, and surveillance reigns.  

Note that privacy only finds its raison d’être when the individual interacts with the surrounding environment, whether in the family, work environment or social sphere. The actors of each sphere share the responsibility of keeping the right to privacy, with written laws—at the level of companies and governmental organisations, and unwritten—the family or friends circle, for example. 

The GDPR cannot be left alone

The GDPR imposes good data management rules on organisations to protect users’ privacy. Not exempt from criticism and detractors, it has made privacy by default and data protection by design the new data privacy paradigms.

If the GDPR had to claim any virtue, it’s that of creating a framework that unifies divergent conceptions around privacy, data privacy and data protection. However, claiming victory is too soon: the ultimate impacts of the GDPR are yet to be seen. To some, for instance, it will negatively affect the quality of free services that we are used to being provided with when we trade our personal data on the internet. 

But are these free services really free? Aren’t we giving away valuable information, our data, when using these services, without properly balancing the benefits gained against that value?

What the GDPR’s original text states:

“This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”

Thinking of the GDPR as the Hercules of data privacy is nothing but a naïve idea. The regulation won’t solve all matters linked to it. Let’s bear in mind that the GDPR addresses data privacy from the organisation’s side of the coin, so they manipulate data subjects’ information responsibly.

But there is more. The GDPR has little to do with a business’s operational efficiency when it comes to data hygiene (or the cleanliness of data). 

Conversely, there is a big chunk of the responsibility pie that falls to the user. Caring about the privacy of the data we share offline and especially online isn’t different from protecting our bodily integrity. Imagine you’re a victim of a hacker’s obscure intentions. Who else but you will be more affected by any cyberattack or data breach, nowadays more common and severe? Even though governments and businesses are taking a serious stand on cybersecurity and investing more and more in it, cybercrime is normally one step ahead.

After a data breach, can companies earn back consumer trust?

However, It seems accountability for data privacy isn’t clear to users. This WEF article puts it this way: “Some consumers agree that the responsibility lies with them, but others think governments or businesses are better equipped to deal with this complex issue.”

Who should be responsible for ensuring data is safeguarded and used responsibly?

PwC US Survey 2017
The cleanliness of data

Data hygiene—a set of processes to ensure that data is error free—becomes even more relevant in times of big data (please, allow us a little redundancy). Inaccuracies, duplicated information and incomplete or outdated data affect negatively the cleanliness.

Making the beginning is one third of the work, an Irish proverb goes. Certainly, data hygiene is  an undeniable organisation responsibility, but we also want to be more involved and demanding to make sure that our personal data is properly used. A good start is to reflect on how much of our information we want to exchange and for what reasons. When the reason is beneficial, then let’s be responsible for the quality of the information we provide.

Think of this!

By June last year, an astonishing 97.8% of people were internet users in Luxembourg; in the European Union, it was 90.2%. These numbers are highly likely larger at the moment you’re reading this article.

Technological developments are setting the pace of our society. We live in the time of the internet of everything and privacy goes beyond the user’s control. Yes, privacy regulations for online platforms want to give users control over their personal data but, what if our private attributes or behaviour can be inferred without our personal data? According to recent research, the individuals’ behaviours, “can be predicted using only the information provided by their friends in an online social network”.

This doesn’t mean to be afraid, but to pay more attention. We all need to gain maturity when living our digital lives just as we do in our physical ones.

Is Privacy an illusion? 

Enforcing laws to keep both privacy and data privacy safe is undeniably desirable from our point of view. There will always be someone, somewhere in the world, trying to take advantage of the rights only protected by good will and sane intentions. 

Consider this, however: since the beginning of our memory of time, privacy has been, somehow, limited by the rules of the family, the community or authority. 

Perhaps our search for full privacy is that of looking for utopia and there is little wrong with that. Imperfect results or realities keep us moving forward in the search for new, improved versions of what we are and how we live together. 

We finish this article with the quote of a great writer, Gabriel Garcia Marquez: “All human beings have three lives: public, private, and secret.” 

Keep them all watched, especially your secrets. 

What we think
Frédéric Vonner, Partner, GDPR and Privacy Leader at PwC Luxembourg

Till now, we’ve been giving away our personal data too easily, too broadly and, in most cases, without understanding what we were doing.

We need to change that and start managing our own personal data, to think of how valuable our information is… such us what type of pet I have, what my travel preferences are, what my shopping habits are, my preferred grocery store, etc. And we need to start receiving dividends for that!

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top