*DP Reform fallacies
DP law does not give individuals control over their data
consent is not a suitable approach to data processing in the online context p. 3
businesses generate revenue from user-data-based profiling and advertising. The move to paid services is unlikely. p.4
data processing online should be based on other grounds than consent p.4
exercising control over data is very difficult
multiple controllers and processors, big data, automated operations on data p.4
Schrems case is a good example of exercising data subject rights p.4
Google v. Spain case and "right to be forgotten", which is in fact a right to erasure. It is also very difficult to enforce p. 5
informational self-determination in citizen/government relationships is impossible p.5
citizens have little "say" when governmental institutions process their data p.6
reform does not simplify the compliance p.7
DP law is very complex, which makes it more difficult for controllers to understand and comply with it
GDPR contains many "fuzzy" provisions which allow data controllers to justify excessive processing
GDPR contains more sticks than carrots
data processors should have a data protection rationale mindset instead of data protection rule compliance mindset.
more ex ante and ex post paperwork
Regulating everything in one statutory law p.8
enormous disconnect between law and reality
response to disconnect is more of the same law
a problem with drawing a line between personal data and just data (profiling, online identifiers)
data portability p.11
is a regulatory challenge
rather belongs to unfair business practice or consumer protection law, competition law
communication problem p.11
misconception that data protection restricts not enables
key data protection message should be that it enables and not restricts
too much focus on law, leaving other regulatory tools out of use
competition law as a regulatory tool has not been widely used
focus on providing market incentives for privacy-friendly providers might be more helpful than command-based approach
Conclusions
DP needs to be simplified and focus on underlying principles
communicated as corporate governance, good practice guidelines
Creating sui generis regimes for certain types of data
e.g. data portability to be regulated by consumer protection law, same with profiling and automated decision-making
governments to act as role-models for data protection