GDPR: Reasonable Logic, Unreasonable Expectations
One of the main objectives of GDPR is to give individuals control over their personal data. But does the new law really make it easier for people to manage the huge amount of data that they have shared?
The General Data Protection Regulation (GDPR) recognizes that is it very difficult for individuals to have control over the massive amount of data that they have shared. But to solve this problem, the new law asks people to monitor an equally massive amount of privacy agreements.
As the proposal for GDPR suggests, “Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased spectacularly… Individuals should have control of their own personal data and legal and practical certainty for individuals, economic operators and public authorities should be reinforced.”
So far, so good. It is true that ongoing technological developments require individuals to share more and more data online. It also sounds fair that this personal data belongs to the individuals, who should have control over how and when it is used. So, in spirit, everything makes sense.
Now let’s look at the practical implementation of the part of GDPR that involves how individuals exercise control over their personal data. In practice, what individuals faced was an avalanche of really long emails. Every single one of them explained the rights that individuals have under GDPR and included all kinds of related information. Each email also prompted individuals to indicate whether they agreed with the described use of their personal data.
A large percentage of individuals—perhaps even the vast majority—are not aware of, and thus cannot enforce, their personal data protection rights.
Reasonable (?) expectations
Again, in theory, this is okay. Everyone was given the opportunity to review their rights and indicate if they disagreed with any use of their data. Or were they? A small-scale survey conducted by some of my students1 revealed that 60% of the respondents did not read the privacy agreements sent to them at all and that 25% read the agreements for one minute or less—a miniscule amount of time given the length of these texts. Moreover, 60% of the respondents have not read the GDPR policy itself at all. Of these, 83% did not read it because it was too long and 84% said they would have read it if it was shorter.
Although we cannot claim that this sample is representative, these numbers suggest that a large percentage of individuals—perhaps even the vast majority—are not aware of, and thus cannot enforce, their personal data protection rights, because the regulation that protects these rights was too demanding. From this perspective, GDPR seems to fail, at least for now.
But what, exactly, is the problem? After all, GDPR just expects individuals to take time to inform themselves about and exercise their own rights. Is this expectation reasonable? Let me quote again from the GDPR proposal: “The scale of data sharing and collecting has increased spectacularly.” Thus, no: Expecting individuals to carefully read a mountain of very long privacy agreements pertaining to a “spectacularly increased” amount of information does not sound reasonable.
Let’s bring the pieces together: (a) given the massive scale of data sharing, GDPR aims to give individuals control over their personal data, but (b) it does so by requiring individuals to keep track of an equally massive number of data-policy agreements. In other words, GDPR recognizes that it is hard for individuals to have control over the massive amount of personal data that they have shared, but to fix this problem, the law asks individuals to monitor an equally massive amount of privacy agreements.
GDPR aims to give individuals control over their personal data, but it does so by requiring individuals to keep track of an equally massive number of data-policy agreements.
Make it easy
From this perspective, what effects could GDPR have in the medium to long run? First, any company can easily comply with GDPR. The main requirement is to send data subjects a long email explaining all their rights and giving them the opportunity to prohibit the use of their data. Second, in all likelihood, most recipients will not read these emails and will just accept whatever is asked of them. Thus, most individuals will not know what their real rights are and how to exercise them. Third, although in theory all personal data will be used with the consent of the data subjects, in practice this consent is ostensible, as (predictably) most individuals will be unaware of what they have consented to.
Let me close by quoting the mantra of Richard H. Thaler, the recipient of the 2017 Nobel Prize in Economics: “If you want people to do something, make it easy. Remove the obstacles.” In this case, if you want people to actually read and exercise their rights, make it easy for them. Reading (and agreeing with) dozens of multi-thousand-word privacy agreements is something that people, predictably, will not do.
© IE Insights.
1 I would like to thank Alex Mtaini, Claudia Hubert, Ernesto Cifaldi, Ioannis Panagiotis Kipouros, Pablo Carbonero, and Ram Agarwal (graduates of the IE Master in International Management) for their interesting project on this topic and for allowing me to report some of their results in this article.