This article is from the WeChat public account Economic Observer Observer (ID: eeoobserver), author: Liu Zichuan, title image from: Oriental IC

A year and a half of practice shows that GDPR is not just a set of conceptual principles, nor an empty promise, but a practical tool for safeguarding citizens' data rights.

The Internet economy is subverting traditional business models and business thinking, and data has become the most important asset in the digital economy. However, data abuse exists, and getting the Internet companies that control data to reasonably protect user privacy and limit their use of data for profit is a global challenge.

In this regard, the EU is at the forefront. On May 25, 2018, the European Union officially implemented the General Data Protection Regulation (GDPR). GDPR is regarded as the most authoritative and meticulous legislation in the field of privacy protection. Its general idea is to give citizens greater control over their personal data by constraining how companies process information.

GDPR defines seven basic principles of privacy protection and sets out a series of more operational requirements and specifications. At the same time, the legal effect of GDPR extends beyond the EU: its provisions apply to any company that sells products to EU consumers. As an enforcement safeguard, a serious violation of GDPR may draw a fine of 20 million euros or 4% of the previous year's global annual turnover, which is a strong deterrent.

GDPR has now been in operation for nearly a year and a half. The practice of a year and a half shows that GDPR is not just a set of conceptual principles, nor an empty promise, but a practical tool for safeguarding citizens' data rights, and one that citizens have actively used. According to statistics, as of the first half of this year, the data protection agencies of EU countries had received more than 140,000 reports of data-rights violations; as of the end of September this year, a total of 82 institutions or individuals had been penalized under GDPR.

A series of fines shows that GDPR has teeth. In January of this year, the French National Information and Freedom Commission (CNIL) announced a fine of 50 million euros against Google on the grounds that it had failed to fulfill its obligations under two GDPR provisions. In July, the UK Information Commissioner's Office (ICO) announced a fine of more than £99 million for Marriott International because it had exposed the personal information of 500 million guests to hacker attacks. In the same month, British Airways was also fined more than 180 million pounds because the data of 500,000 customers was stolen in attacks on the airline.

Of course, all of the above companies can appeal against the fine.

Economic and legal logic of GDPR

GDPR exists out of necessity; behind it lie deep reasons, as well as economic and legal logic.

Looking back at history, the concept of “privacy” that we are used to today did not exist in ancient times. The emergence of privacy is the result of a clear distinction between the public and private spheres, which is an important feature of modern society. Recognizing the right to privacy within the private sphere in the legal sense, and thus recognizing data privacy in the Internet age, is the result of the high development of ideas and values that respect human personality, worth and dignity, and it has inherent progressive significance.

The economic reason for recognizing data privacy is that personal data has real value, so companies have a legal responsibility to ensure its security, as they do with other assets. The economic value of data makes it a commodity that can be traded. Today, data transactions form a complete industrial chain with enormous commercial value.

The targeted advertising we often encounter in our lives shows that online businesses are well aware of who the consumer is and what their interests are. Enterprises often do not obtain explicit consent from consumers when collecting this information. Although this represents a certain degree of economic efficiency, since it can reduce information asymmetry and transaction costs and provide consumers with accurately tailored services, it also hides the possibility of harming consumers. Moreover, when information that originally belonged to consumers becomes a way for enterprises to make profits, that also constitutes a certain unfair distribution of benefits.

The harm caused by privacy breaches is obvious. For example, in China, incidents of fraud and cyberbullying have repeatedly appeared in newspapers in recent years. On the other hand, citizens’ awareness of privacy and self-protection is gradually awakening and strengthening. These call for regulating data and privacy at the legal level.

For each individual, the harm caused by the leakage of private data is mostly small and latent, and the individual will not take action to protect such minor interests, let alone when lacking the knowledge and skills needed to assert those rights. The general public cannot influence the results displayed by search engines, and can do nothing about the theft and sale of personal data.

On the other hand, powerful network companies and stakeholders can use the data and information gathered from the public to operate for profit. Given this collective action dilemma and the serious asymmetry between the two sides, there are ample and reasonable legal grounds for the government to introduce laws protecting individuals’ ownership of their private data.

Controversy over GDPR

Although the EU’s GDPR has attracted considerable attention, that does not mean it is abrupt, brand new, or deliberately unconventional. GDPR is an upgrade of the data protection laws that already existed in EU countries, and it enriches and improves on existing experience.

At present, at least 107 countries around the world have enacted privacy protection legislation, and the overall regulatory environment is tending to become stricter. This is an inevitable general trend. The California Consumer Privacy Act (CCPA) will also take effect in January next year, and it will bring all business data practices involving California residents within the scope of regulation, which is the latest example of global imitation of GDPR.

Many opinion polls show that in Europe and the United States, most people are highly concerned about data privacy. GDPR is neither a fuss over nothing nor a kind of “Luddite” impulse to smash the machines, but rather a fairly elaborate design and institutional arrangement, and it will continue to improve in practice.

Some have accused Europe of falling behind the US and China in the competition in the network economy because of its stringent data protection. But this is difficult to prove logically; the EU's lack of strong network enterprises is the result of many factors. There is also a view that GDPR is a measure of last resort adopted by the European Union because its Internet industry is not developing as well as that of the United States.