Far from being the gold standard of privacy it is often claimed to be, the GDPR is a potential threat to personal freedoms.
The broad scope the GDPR provides to governments might result in more invasive surveillance practices, justified under vague pretexts like national security. © Getty Images
In a nutshell
The GDPR has serious drawbacks and does not fulfill its core function
Loopholes allow government data misuse, risking overreach
The regulation is vague and lacks clear safeguards
Data protection requires a delicate balance between security and functionality. The European General Data Protection Regulation (GDPR) is often touted as the global standard for data protection, yet it markedly diminishes the usability of websites and online services. Moreover, a frequently overlooked aspect of the GDPR is its failure to fulfill its core objective: protecting data.
Internet users encounter the GDPR whenever they access a site from any European Union member state. Before accessing the site, users must either accept all the provider’s cookie policies or select from various categories of data that the provider collects. Most users simply click the accept button; fewer than 1 percent navigate through the detailed menu of data categories. However, even after accepting the provider’s policies, users still maintain several rights, including the right to delete their data after using the web-based service or to request information from the provider’s data protection officer.
Websites and other online-based service providers are required to provide users with extensive information on their data collection and use. In addition to various opt-in and opt-out options, they must maintain several safeguards and have a data protection officer. The GDPR’s stringent requirements increase costs that disproportionately affect small and medium enterprises, which lack the infrastructure to absorb fixed costs as easily as larger corporations. The mandatory data protection measures, including the extensive consent procedures users must navigate and the administrative burden on providers, reduce the usability of the web for both consumers and providers based in the EU.
EU officials have justified these costs by arguing that the benefits of enhanced data protection outweigh the drawbacks of decreased usability. In practice, however, the GDPR does not effectively protect data. The regulation includes a strategically designed loophole: Governments can pass special legislation for data collection. This allows governments to bypass the protections that apply to individuals in the private sector, leading to serious concerns about potential misuse.
A dangerous clause in the GDPR
Article 23 of the GDPR allows member states to enact laws that restrict the rights to data protection outlined in the regulation for reasons such as national security, public safety and crime prevention. While these exceptions might appear reasonable in principle, they pose considerable risks. There is neither a clear definition of what qualifies as an exception nor a consistent practice for deciding it.
Governments can invoke broad and often vaguely defined justifications to legitimize extensive data collection. Unlike businesses, which must demonstrate explicit consent or legitimate interest to process data, governments can create legal frameworks that override these requirements. This results in a double standard in data protection – one that is strict for private entities but lenient for public authorities. This asymmetry undermines the GDPR’s core mission to protect individuals from data misuse.
The risk of government overreach
The power to collect and process large volumes of personal data presents a significant risk of overreach. Governments can exploit these capabilities to engage in pervasive surveillance, tracking individuals’ movements, communications and behaviors. While these measures may be framed as necessary for maintaining security, the absence of transparency and oversight makes it challenging to determine whether they are proportionate or justified. In practice, these activities can lead to the suppression of dissent, targeting minority groups and eroding democratic freedoms.
Moreover, the potential for data misuse is amplified by advancements in technology. Artificial intelligence and machine learning algorithms enable governments to analyze data at an unparalleled scale and speed, creating detailed profiles of individuals. These profiles have the capability to predict behaviors, identify associations and infer private information, which can be utilized to monitor and control populations. For example, social credit systems and predictive policing, already implemented in some regions, depend on similar data-driven mechanisms. While these technologies are often justified as tools for improving governance, they carry a high risk of misuse when employed without adequate safeguards.
The GDPR establishes an exception to the rule but fails to specify its application or define its limits. This effectively gives governments a free pass to enact whatever legislation they consider necessary. While it is unlikely that any government would immediately use this loophole to implement highly invasive regulations, it is more probable that governments will exploit this incrementally, gradually expanding their activities.
Feedback loop into military and intelligence
Beyond domestic governance, the data collected under these exceptions has potential for military and intelligence applications. Personal data can enhance surveillance systems, refine targeting capabilities and improve decision-making in conflict scenarios. For example, geolocation data, biometric information and social media activity can all provide valuable insights for intelligence agencies. However, these applications blur the line between protecting national interests and infringing on individual rights.
Read more by Henrique Schneider
The collected data can feed into machine learning systems used in military applications or intelligence systems. Whether the data trains or refines the models, the clear distinction between the civilian and military realms is also being blurred. This distinction is an elementary facet of international and humanitarian law since civilians should not be targeted in wars. However, if their data points feed military and intelligence systems, they cease to be innocent bystanders.
At first glance, the possibility of data misuse by governments under the guise of the GDPR might appear improbable. However, data misuse often unfolds gradually, remaining undetected until it becomes a significant issue. The demand for data by machine learning models, including those deployed in military contexts, is continually increasing.
Scenarios
The GDPR’s allowance for government exemptions reflects a broader trend of prioritizing state authority over individual rights. While national security and public safety are legitimate concerns, they should not come at the expense of fundamental freedoms. Unchecked accumulation of data by governments risks creating a surveillance state in which citizens are constantly monitored. Such an environment would stifle free expression, discourage dissent and undermine the principles of democratic governance.
Furthermore, the lack of transparency in government data practices makes it difficult for citizens to understand how their information is used. Unlike businesses, which must disclose their data processing activities, governments often operate under a veil of secrecy. This undermines accountability and prevents meaningful public discourse on the balance between security and privacy.
An obvious first suggestion for addressing the GDPR’s shortcomings would be to implement stronger safeguards and enhance government transparency. However, these approaches could inadvertently exacerbate the issues. Safeguards are inherently imperfect; adding new ones could unintentionally introduce additional loopholes.
Likely: Governments slowly enact additional regulations
Due to internal political pressure, governments will likely accept some constraints or safeguards. Since the military does not carry much weight in EU politics, armed forces and intelligence agencies will likely be prevented from using data to train their machine-learning models. There will still be a discrepancy between the rights of citizens when dealing with businesses, and their rights when interacting with public services.
Equally likely: Governments rapidly enact additional regulations
If governments opt to move quickly, the new regulations will likely feature few, if any, safeguards for citizens. Users will have virtually no means to intervene against governments using their data. In this scenario, the data is not utilized for military purposes.
Less likely: Personal data is used for military purposes
In a worst-case but less likely scenario, governments could use civilian data to train machine learning models for military applications and introduce regulations without any safeguards concerning the appropriation and use of personal data.
Is there a scenario where governments respect personal data and online users have legal options to combat its misuse by governments? The short answer is no. The loophole that permits governments to exploit the GDPR is embedded within the regulation itself and shows no signs of being amended.