{"id":633892,"date":"2018-10-08T00:00:00","date_gmt":"2018-10-07T22:00:00","guid":{"rendered":"https:\/\/www.ie.edu\/insights\/latest-news\/articles\/gdpr-reasonable-logic-unreasonable-expectations\/"},"modified":"2019-02-27T18:07:41","modified_gmt":"2019-02-27T17:07:41","slug":"gdpr-reasonable-logic-unreasonable-expectations","status":"publish","type":"articles","link":"https:\/\/www.ie.edu\/insights\/articles\/gdpr-reasonable-logic-unreasonable-expectations\/","title":{"rendered":"GDPR: Reasonable Logic, Unreasonable Expectations"},"featured_media":636280,"template":"","meta":{"_has_post_settings":[]},"schools":[32],"areas":[19,26],"subjects":[],"class_list":["post-633892","articles","type-articles","status-publish","has-post-thumbnail","hentry","schools-global-and-public-affairs","areas-global-affairs-law","areas-technology"],"custom-fields":{"wpcf-article-leadin":["One of the main objectives of GDPR is to give individuals control over their personal data. But does the new law really make it easier for people to manage the huge amount of data that they have shared?"],"wpcf-article-body":["The General Data Protection Regulation (GDPR) recognizes that is it very difficult for individuals to have <a href=\"http:\/\/www.ie.edu\/corporate-relations\/insights\/search\/finance-control\/\" target=\"_blank\" rel=\"noopener\">control<\/a> over the massive amount of data that they have shared. But to solve this problem, the new <a href=\"http:\/\/www.ie.edu\/corporate-relations\/insights\/search\/global-affairs-law\/\" target=\"_blank\" rel=\"noopener\">law<\/a> asks people to monitor an equally massive amount of privacy agreements.\r\n\r\nAs the <a href=\"http:\/\/data.consilium.europa.eu\/doc\/document\/ST-9565-2015-INIT\/en\/pdf\" target=\"_blank\" rel=\"noopener\">proposal for GDPR<\/a> suggests, \u201cRapid <a href=\"http:\/\/www.ie.edu\/corporate-relations\/insights\/search\/technology\/\" target=\"_blank\" rel=\"noopener\">technological<\/a> developments and <a href=\"http:\/\/www.ie.edu\/corporate-relations\/insights\/search\/global-affairs-law\/\" target=\"_blank\" rel=\"noopener\">globalisation<\/a> have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased spectacularly\u2026 Individuals should have <a href=\"http:\/\/www.ie.edu\/corporate-relations\/insights\/search\/finance-control\/\" target=\"_blank\" rel=\"noopener\">control<\/a> of their own personal data and legal and practical certainty for individuals, economic operators and public authorities should be reinforced.\u201d\r\n\r\nSo far, so good. It is true that ongoing <a href=\"http:\/\/www.ie.edu\/corporate-relations\/insights\/search\/technology\/\" target=\"_blank\" rel=\"noopener\">technological<\/a> developments require individuals to share more and more data online. It also sounds fair that this personal data belongs to the individuals, who should have <a href=\"http:\/\/www.ie.edu\/corporate-relations\/insights\/search\/finance-control\/\" target=\"_blank\" rel=\"noopener\">control<\/a> over how and when it is used. So, in spirit, everything makes sense.\r\n\r\nNow let\u2019s look at the practical implementation of the part of GDPR that involves how individuals exercise <a href=\"http:\/\/www.ie.edu\/corporate-relations\/insights\/search\/finance-control\/\" target=\"_blank\" rel=\"noopener\">control<\/a> over their personal data. In practice, what individuals faced was an avalanche of really long emails. Every single one of them explained the rights that individuals have under GDPR and included <a href=\"https:\/\/ec.europa.eu\/info\/law\/law-topic\/data-protection\/reform\/rules-business-and-organisations\/principles-gdpr\/what-information-must-be-given-individuals-whose-data-collected_en\" target=\"_blank\" rel=\"noopener\">all kinds of related information<\/a>. Each email also prompted individuals to indicate whether they agreed with the described use of their personal data.\r\n<blockquote>A large percentage of individuals\u2014perhaps even the vast majority\u2014are not aware of, and thus cannot enforce, their personal data protection rights.<\/blockquote>\r\n<strong>Reasonable (?) expectations<\/strong>\r\n\r\nAgain, in theory, this is okay. Everyone was given the opportunity to review their rights and indicate if they disagreed with any use of their data. Or were they? A small-scale survey conducted by some of my students<sup>1<\/sup>\u00a0revealed that 60% of the respondents did not read the privacy agreements sent to them at all and that 25% read the agreements for one minute or less\u2014a miniscule amount of time given the length of these texts. Moreover, 60% of the respondents have not read the GDPR policy itself at all. Of these, 83% did not read it because it was too long and 84% said they would have read it if it was shorter.\r\n\r\nAlthough we cannot claim that this sample is representative, these numbers suggest that a large percentage of individuals\u2014perhaps even the vast majority\u2014are not aware of, and thus cannot enforce, their personal data protection rights, because the regulation that protects these rights was too demanding. From this perspective, GDPR seems to fail, at least for now.\r\n\r\nBut what, exactly, is the problem? After all, GDPR just expects individuals to take time to inform themselves about and exercise their own rights. Is this expectation reasonable? Let me quote again from the GDPR proposal: \u201cThe scale of data sharing and collecting has increased spectacularly.\u201d Thus, no: Expecting individuals to carefully read a mountain of very long privacy agreements pertaining to a \u201cspectacularly increased\u201d amount of information does not sound reasonable.\r\n\r\nLet\u2019s bring the pieces together: (a) given the massive scale of data sharing, GDPR aims to give individuals <a href=\"http:\/\/www.ie.edu\/corporate-relations\/insights\/search\/finance-control\/\" target=\"_blank\" rel=\"noopener\">control<\/a> over their personal data, but (b) it does so by requiring individuals to keep track of an equally massive number of data-policy agreements. In other words, GDPR recognizes that it is hard for individuals to have control over the massive amount of personal data that they have shared, but to fix this problem, the <a href=\"http:\/\/www.ie.edu\/corporate-relations\/insights\/search\/global-affairs-law\/\" target=\"_blank\" rel=\"noopener\">law<\/a> asks individuals to monitor an equally massive amount of privacy agreements.\r\n<blockquote>GDPR aims to give individuals control over their personal data, but it does so by requiring individuals to keep track of an equally massive number of data-policy agreements.<\/blockquote>\r\n<strong>Make it easy<\/strong>\r\n\r\nFrom this perspective, what effects could GDPR have in the medium to long run? First, any company can easily comply with GDPR. The main requirement is to send data subjects a long email explaining all their rights and giving them the opportunity to prohibit the use of their data. Second, in all likelihood, most recipients will not read these emails and will just accept whatever is asked of them. Thus, most individuals will not know what their real rights are and how to exercise them. Third, although in theory all personal data will be used with the consent of the data subjects, in practice this consent is ostensible, as (predictably) most individuals will be unaware of what they have consented to.\r\n\r\nLet me close by quoting the mantra of Richard H. Thaler, the recipient of the 2017 Nobel Prize in Economics: \u201cIf you want people to do something, make it easy. Remove the obstacles.\u201d In this case, if you want people to actually read and exercise their rights, make it easy for them. Reading (and agreeing with) dozens of multi-thousand-word privacy agreements is something that people, predictably, will not do.\r\n\r\n&nbsp;\r\n\r\n<hr \/>\r\n\r\n<span style=\"color: #00328d;\"><sup>1<\/sup>\u00a0I would like to thank Alex Mtaini, Claudia Hubert, Ernesto Cifaldi, Ioannis Panagiotis Kipouros, Pablo Carbonero, and Ram Agarwal (graduates of the IE Master in International Management) for their interesting project on this topic and for allowing me to report some of their results in this article.<\/span>\r\n\r\n<hr \/>\r\n\r\n&nbsp;\r\n\r\n\u00a9 IE Insights."],"wpcf-article-extract-enable":["1"],"wpcf-article-extract":["By <strong>Antonios Stamatogiannakis<\/strong>. One of the main objectives of GDPR is to give individuals control over their personal data."],"wpcf-article-summary-enable":["1"],"wpcf-article-summary":["The objective of the new General Data Protection Regulation (GDPR) is to give people greater control over the personal information they share online. In practice, GDPR translated into an avalanche of really long emails explaining individuals\u2019 rights under the new regulation and inviting the recipients to indicate whether they agreed with the proposed use of their data. Most people did not read these privacy agreements, so they are not aware of\u2014and therefore cannot exercise\u2014their data-protection rights. Although GDPR aims to give people control over the massive amount of personal data that they have shared, individuals have been asked to monitor an equally massive amount of privacy agreements. If we want people to actually read and exercise their rights, we have to make it easy for them."]},"_links":{"self":[{"href":"https:\/\/www.ie.edu\/insights\/wp-json\/wp\/v2\/articles\/633892","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ie.edu\/insights\/wp-json\/wp\/v2\/articles"}],"about":[{"href":"https:\/\/www.ie.edu\/insights\/wp-json\/wp\/v2\/types\/articles"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ie.edu\/insights\/wp-json\/wp\/v2\/media\/636280"}],"wp:attachment":[{"href":"https:\/\/www.ie.edu\/insights\/wp-json\/wp\/v2\/media?parent=633892"}],"wp:term":[{"taxonomy":"schools","embeddable":true,"href":"https:\/\/www.ie.edu\/insights\/wp-json\/wp\/v2\/schools?post=633892"},{"taxonomy":"areas","embeddable":true,"href":"https:\/\/www.ie.edu\/insights\/wp-json\/wp\/v2\/areas?post=633892"},{"taxonomy":"subjects","embeddable":true,"href":"https:\/\/www.ie.edu\/insights\/wp-json\/wp\/v2\/subjects?post=633892"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}