In the case of the GDPR, improving our understanding of the interaction between law and technology stands a good chance of being useful because a number of experts seem to have doubts about its expected effectiveness. Criticism emerged already in the period leading up to the GDPR’s passing into law. Three examples:
• Moerel has opined that the GDPR needs to be made future proof. Technological developments will negate the effects of the informed consent requirement, the profiling prohibition and overly specific documentation requirements; she dismisses the purpose limitation principle as “at odds with the reality of big data”.87
• Koops has put forth that there are a number of fallacies underlying the GDPR: it focuses too much on the concept of informational self-determination, it puts too much faith in controllers to perform certain actions, and it attempts to regulate developments like behavioural advertising and profiling that require their own kinds of regulation.88
• Zarsky claims that the GDPR is incompatible with “the data environment that the availability of big data generates”, which could either lead to the Regulation’s irrelevance or to making big data analysis “suboptimal and inefficient.”89
85 European Commission, ‘Proposal for a General Data Protection Regulation’ (n 81) 104.
86 ‘It is obvious that if you are comparing the performance of an industry under regulation with what it would be without regulation, there is no reason to assume (indeed there is good reason not to assume) that either of these situations will correspond to anything an economist would call optimal. (…) Until we realize that we are choosing between social arrangements which are all more or less failures, we are not likely to make much headway.’ Ernest W Williams and Ronald H Coase, ‘Discussion’ (1964) 54 The American Economic Review 192, 194–195 <http://www.jstor.org/stable/1818503> accessed 21 March 2019.
Considering the possible impact of big data on individuals and societies discussed in sections 1.3–1.4, data protection law should be future proof, free from obvious fallacies and compatible with both its social and technological contexts. The above criticisms therefore give rise to the following question:
To what extent does the GDPR reflect or employ theories of power relations and risk management presented by Komesar, Barnett and Duvall, Beck, Perrow, Klinke and Renn, and complex systems science?
The question is approached through the following sub-questions:
• How do the decision-making mechanisms in the GDPR itself, and in the EU lawmaking process that produced the GDPR, compare to other available decision-making mechanisms with regards to opportunities for effective participation by data subjects?
• How do the GDPR’s protections for data subjects giving consent or entering into a contract compare to the protections in EU consumer protection law?
• To what extent were existing insights from the social sciences and environmental law applied in the GDPR insofar as it deals with the identification of risks of big data or with the addressing of new or unknown risks?
• Is the GDPR’s protection of sensitive personal data adequate in the context of big data and relevant insights in the field of Complex Systems Science?
87 Lokke Moerel, Big Data Protection: How to Make the Draft EU Regulation on Data Protection Future Proof. Oratie 14 Februari 2014 (Tilburg University 2014) 51–54.
88 Bert-Jaap Koops, ‘The Trouble with European Data Protection Law’ (2014) 4 International Data Privacy Law 250, ss II–IV <https://academic.oup.com/idpl/article-abstract/4/4/250/2569063/The-trouble-with-European-data-protection-law> accessed 20 March 2019.
89 Tal Zarsky, ‘Incompatible: The GDPR in the Age of Big Data’ (2017) 47 Seton Hall Law
1.7.1 Delineation
Geographically, this research deals primarily with the European Union. The treaties underlying the institutions and the workings of the Union, secondary EU law, jurisprudence of the Court of Justice, but also the European Convention on Human Rights and the case law of the European Court of Human Rights, are the foundations of the EU legal order and therefore count as primary sources. Additionally, other treaties and Member States’ domestic law and jurisprudence will be referenced where appropriate. However, the subject matter of the question implies that developments outside of the EU can be of significance: they will be included where relevant.
The primary focus is on the processing of personal data based on the necessity for the performance of a contract and on consent. Observations are mostly limited to the private and consumer context and the provisions of Chapters I to III of the GDPR (General provisions, principles and rights of the data subject). The processing of personal data (including profiling) based on the need to comply with a legal obligation, the vital interest of the data subject or the legitimate interest of the controller will not be covered: this mostly excludes use cases from the administrative law and criminal law contexts from the scope of this work. The specific processing situations of chapter IX (e.g., freedom of expression, employment and archiving) are not covered as they have only limited relevance to the consumer context. This research also excludes the provisions specifically regarding the consent of minors and the specific national provisions on the capabilities of minors to enter into contracts. Provisions pertaining to the obligations of controllers and processors towards each other and towards supervisory authorities, as well as the provisions regarding transfers of personal data to third countries and the authority of supervisory authorities and their cooperation and consistency are not covered in depth for the same reason, although they can be mentioned in passing.
This research only occasionally identifies differences between platform providers and non-consumer end users of a platform. Even though platform providers in two-sided markets play an essential role in the development of datafication and the effects of big data, the GDPR does not distinguish platform providers from other types of controllers. Both a platform provider and the non-consumer end users of the platform tend to count as controllers in the sense of article 4(7) of the GDPR, especially if they have separate contracts with the consumer. Also, consumer contracts are held to the same legal standards, regardless of whether the other party is a platform provider or not.