![Sample our Law journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5942/TOC-Subject-Sample-2021-Law.jpg"})
ABSTRACT
The paper explores the conflict between users' right to privacy and data protection and the practices of online platforms such as Google and Facebook. Based on the collection of a data set of 13 complaints against the two companies in the period 2011 to 2016, the authors provide an overview of the field and a critical look at the current systems of privacy and data protection in the US and Europe, including the new General Data Protection Regulation (GDPR). The paper argues that whereas the two systems differ on a number of accounts neither of them critically engage with the online business model that lie beneath these platforms, including its incentive for maximising data collection.
Notes
1 The authors wish to thank Anja Møller Pedersen for valuable comments to a previous version of this article.
2 For example: UN General Assembly Resolution ‘The Right to Privacy in the Digital Age’ (16 November 2016) UN Doc A/C.3.71/L.39/Rev 1; UNGA, ‘The Right to Privacy in the Digital Age: Report of the Office of the United Nations High Commissioner for Human Rights’ (30 June 2014) UN Doc A/HRC/23/37; Council of Europe, Committee of Ministers, Recommendation CM/Rec(2012)4 of the Committee of Ministers to member States on the protection of human rights with regard to social networking services (4 April 2012); Council of Europe, Committee of Ministers, Recommendation CM/Rec(2012)3 of the Committee of Ministers to member States on the protection of human rights with regard to search engines, 4 April 2012; S and Marper v the United Kingdom App nos 30562/04 and 30566/04 (ECtHR 4 December 2008) [s 41]; Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others App nos C-293/12 and C-594/12 (ECJ, 8 April 2014).
3 S Zuboff, ‘Big Other: Surveillance Capitalism and the Prospects of an Information Civilization’ (2015) 30(1) Journal of Information Technology 75.
4 Franziska Boehm, A Comparison between US and EU Data Protection Legislation for Law Enforcement: Study for the LIBE Committee (European Parliament, Directorate General For Internal Policies Committee On Civil Liberties, Justice And Home Affairs, Brussels, 2015). Daniel J Solove and Paul M Schwartz, Consumer Privacy and Data Protection (Wolters Kluwer 2015).
5 European Union, Charter of Fundamental Rights of the European Union, 26 October 2012, OJ C 326/02 (EU Charter).
6 Pub L No 106–70, 15 USC ss 6501–06.
7 The Online Privacy Protection Act of 2003, Cal Bus & Prof Code ss 22575–79 (2004).
8 UNGA, International Covenant on Civil and Political Rights, (adopted 16 December 1966, entered into force 23 March 1976), 999 UNTS 171.
9 Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended by Protocols Nos 11 and 14, (adopted 4 November 1950, entered into force 3 September 1953), ETS 5.
10 Anette Faye Jacobsen (ed), Human Rights Monitoring (Martinus Nijhoff 2008) ch 11b.
11 EU Charter, art 8(1).
12 ibid, art 8(2).
13 Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/31; Council Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector [2002] OJ L201/37.
14 European Union, Treaty on European Union (Consolidated Version), Treaty of Maastricht, (adopted 7 february 1992, entered into force 1 November 1993), OJ C 325/5; 24 December 2002, arts (3) and 6(1); EU Charter, art 51.
15 Google v Vidal-Hall [2015] EWCA Civ 311.
16 In the UK, the DPD has been transposed in national law through the Data Protection Act 1998. Art 13(2) of this act state that a claimant is only entitled to compensation if they also suffer ‘damage’, which had been interpreted as pecuniary loss. However, no mention of pecuniary loss is mentioned in DPD art 23 (the corresponding DPD article). The Court of Appeal, citing this, and for reasons that art 13(2) therefore conflicted with arts 7 and 8 of the EU Charter of Fundamental Rights, chose to disapply art 13(2) of the DPA and allow compensation to be sought without pecuniary loss.
17 European Union, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GRDP).
18 DPD art 4(1)(a).
19 Weltimmo sro v Nemzeti Adatvédelmi és Információszabadság Hotóság Case no C-230/13 (ECJ 1 October 2015).
20 DPD art 4(1)(c).
21 DPD arts 25–26, with recital 60 stating that ‘ … transfers to third countries may be effected only in full compliance with the provisions adopted by the Member States pursuant to this Directive, and in particular Article 8 thereof’, showing that adequacy is determined through adherence to the articles of the DPD.
22 Maximillian Schrems v Data Protection Commissioner Case no C-362/14 (ECJ 6 October 2015).
23 European Commission, ‘European Commission Launches EU-US Privacy Shield: Stronger Protection For Transatlantic Data Flows’ <http://europa.eu/rapid/press-release_IP-16-2461_en.htm> accessed 22 March 2017.
24 Maximillian Schrems v Data Protection Commissioner (n 22) [73].
25 Article 29 Data Protection Working Party (Art 29 WP), Opinion 01/2016 on the EU: US Privacy Shield draft adequacy decision, 16/EN WP 238, 13 April 2016.
26 DPD art 3(2)(a) and (b).
27 DPD art 2(b).
28 Lawfulness and fairness required by DPD art 6(1)(a), with the grounds being listed in art 7.
29 DPD art 7(a).
30 ibid art 7b).
31 ibid art 7(f).
32 ibid art 2(d).
33 Art 29 WP, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (‘Legitimate Interests’), 844/14/EN WP 218, 9 April 2014, 4.
34 ibid 10.
35 Such as being collected for ‘specific, explicit and relevant purposes’: DPD (art 6(1)(b)).
36 Art 29 WP, ‘Legitimate Interests’ (n 33) 30–31.
37 ibid 50–51.
38 DPD art 14(a).
39 For instance, a transparency requirement is added to fairness and lawfulness; art 5(1)(c) removes the fluffiness of ‘having regard to the purposes’ of the processing in the DPD, and explicitly limits the processing to what is necessary; and art 6(1)(a) expands on the consent requirement, requiring it to be given for ‘one or more specific purposes’. In addition processors, as well as controllers, can be held liable under the GDPR.
40 Chris Hoofnagle, ‘Country Study B1’ in Douwe Korff (ed), Comparative Study on Different Approaches to New Privacy Challenges, in Particular in the Light of Technological Developments (European Commission, May 2010) 1.
41 Whalen v Roe 429 US 589 (1977).
42 Griswold v Connecticut 381 US 479 (1965).
43 Hoofnagle (n 40) 11.
44 Restatement of the Law, Second s 652B (1997), The American Law Institute.
45 ibid s 652D.
46 ibid s 652E.
47 ibid s 652C.
48 15 USC ss 51–58 (as amended); Hoofnagle (n 40) 17–18.
49 Hoofnagle (n 40) 19.
50 ibid 20.
51 Constitution of the State of California, 7 May 1879.
52 Hill v National Collegiate Athletic Association, 865 P.2d 633 (Cal. 1994).
53 Hoofnagle (n 40) 8.
54 Cal Bus & Prof Code s 22575.
55 Cal Civ Code s 1798.83.
56 ibid s 1798.81.
57 ibid s 1798.82.
58 ibid s 1798.81.5.
59 ibid s. 1708.8.
60 Cal Bus & Prof Code ss 22580–81.
61 We have not included in our analysis some recent cases that have come to light, such as Ryan Corley at al v Google, Inc, USDC Northern District of California, filed on 1 February 2016 (a complaint regarding Google's scanning of emails in Gmail); Matthew Campbell et al v Facebook, Inc, USDC Norther District of California, filed on 30 December 2016, becoming a class action on 18 May 2016 (concerning Facebook scanning private messages); the Hamburg DPA's decision on 28 June 2015 that Facebook's real name policy was an infringement of the right to privacy – and Article 29's opinion on the same topic set out in a letter dated 12 May 2010; and Maximillian Schrems v Data Protection Commissioner, ECJ 6 October 2015 (declaring SafeHarbour invalid).
62 FTC, In the matter of Facebook Inc, ‘Complaint’ (, fn f) para 29.
63 Schrems v Facebook Ireland Limited (, fn b) filed lawsuit, para 82.
64 Art 29 WP, ‘Opinion 15/2011 on the definition of consent’ (‘Consent’), 13 July 2011, 21.
65 ibid 2.
66 DPD art 6 (1)(b).
67 Max Schrems v Facebook Ireland Limited (Table 2, fn b) filed lawsuit, para 85.
68 Art 29 WP, ‘Consent’ (n 64) 10.
69 Max Schrems v Facebook Ireland Limited (, fn b) filed lawsuit, para 85.
70 ibid, para 72.
71 Art 29 WP, ‘Consent’ (n 64) 8; ‘Legitimate Interests’ (n 33) 16-17.
72 Art 29 WP, ‘Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995’ (25 November 2005) 14; Art 29 WP, ‘Legitimate Interests’ (n 33) 4. The fundamental rights and freedoms of the data subject which require protection are listed in article 1(1) of the Directive, 16.
73 Reuters, ‘Facebook Wins Privacy Case against Data Protection Authority’, 29 June 2016 <http://uk.reuters.com/article/us-facebook-belgium-idUKKCN0ZF1VV> accessed 21 March 2017; Commission for the Protection of Privacy, ‘The Judgment in the Facebook Case’, 10 November 2015 <www.privacycommission.be/en/news/judgment-facebook-case> accessed 21 March 2017.
74 Google Buzz (, fn g) ‘Complaint’, [8].
75 ibid [14].
76 ibid [8], [10] and [11].
77 Google Buzz (, fn g) ‘Decision and Order’.
78 Google In-App Purchases (, fn b) ‘Complaint’, [27]–[29].
79 18 USC ss 2511(2)(g)(i) and 2510(16).
80 Joffe & ors v Google, Inc (, fn e) Decision, p 17.
81 Art 29 WP, ‘Consent’ (n 64) 17–18.
82 Passive users are ‘those who do not themselves utilize a Google service, but whose data is nevertheless collected by the company indirectly. Whenever these users surf on sites where Google operates as an advertising space broker, the company will collect their IP addresses, the sites they visit, as well as the unique identifiers present in the corresponding cookies, then known as DoubleClick’ (CNIL decision, 10); non-authenticated users are those who use a Google service that does not require prior authentication, such as Google Maps and YouTube (CNIL decision, 9).
83 Will be arts 12–14 in the GDPR.
84 Art 29 WP, ‘Consent’ (n 64) 20: Joined Cases C-397/01 to C-403/01 Pfeiffer, Roith, Süß, Winter, Nestvogel, Zeller, Döbele (ECJ 5 October 2004).
85 Art 29 WP, ‘Consent’ (n 64) 19.
86 Michael L Rustad and Sanna Kulevska, ‘Reconceptualizing the Right to Be Forgotten to Enable Transatlantic Data Flow’ (2015) 28 Harvard Journal of Law and Technology 349.
87 Google Spain (, fn c) [94, 349].
88 GDPR, art 17(1)(b).
89 The problem of user consent has been widely addressed in the privacy literature: see e.g. D Solove, ‘Privacy Self-Management and the Consent Dilemma’ (2012) 126(7) Harvard Law Review 1880.
90 Nissenbaum's seminal work on information privacy details an alternative framework for protection based on the specific context for data use: see HF Nissenbaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life (Stanford Law Books 2010).
91 Hoofnagle (n 40) 23–25.
92 ibid 39.
93 ibid 44.
94 ibid 42.
95 ibid 26–28.
96 For a practice-based comparison of the EU and US privacy regime see K Bamberger and D Mulligan, Privacy on the Ground: Driving Corporate Behavior in the United States and Europe (MIT Press 2015).
97 GDPR, art 4(1).
98 Art 29 WP, ‘Consent’ (n 64) 11–12.
99 GDPR, art 7(1).
100 ibid 7(2).
101 ibid 7(3).
102 ibid 7(4).
103 Or below 13 should a Member State provide this in its national law.
104 GDPR, art 8(1).
105 ibid 8(2).
106 See e.g. A Bechmann, ‘Non-informed Consent Cultures: Privacy Policies and App Contracts on Facebook’ (2014) 11 Journal of Media Business Studies 21; J Grimmelmann, ‘Saving Facebook’ (2009) 94 Iowa Law Review 1137.
107 GDPR recital 78 and art 25.
108 For a discussion of privacy by design principles in relation to Facebook and Google see IS Rubinstein and N Good, ‘Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents’ (2013) 28(2) Berkeley Technology Law Journal 1133.