In order to present the GDPR as a system, it is assumed that data protection is concerned with a single problem. Evidently, this assumption is not part of the law, nor was the GDPR systematically created to solve a single stated problem. The basic problem that is postulated here may not even find general consensus. Nevertheless, the postulated base problem is suited to explain the GDPR in a systematic way as a single system. This is the only purpose this base problem has in this introduction. Alternative base problems and ways to systematically explain the GDPR may well exist.
No general consensus exists on what problem data protection actually addresses. The thesis of an “influential minority” is that data protection is concerned with power. This introduction adopts this thesis to address the basic problem. In particular, the basic problem addressed by data protection is thus to limit the power that organizations gain over individuals by processing their personal data. The well-known phrase knowledge is power expresses this very idea. Namely, the possession of information about an individual provides power over that person.
Practically, processing such personal information can influence a person’s behavior in itself (for example through chilling effects), can help to predict a person’s behavior, can make it easier to manipulate a person to act a certain way (for example through targeted advertisement), or can in extreme cases even allow to force a person to a certain behavior (for example through blackmail). The Facebook-Cambridge Analytica data scandal illustrates how far power based on personal information can reach in as far as it may threaten the basic values of democracy. The use of personal information by totalitarian surveillance states to exert power over its citizens may be the ultimate illustration of the problem.
Gaining power over individuals through personal information was always possible. In the past, however, the limited technical capabilities have typically restricted who had access to such power and how much information could actually be collected and processed. With the advent of electronic data processing, the situation has drastically changed. Storing, finding, combining, and analyzing data has become ever more inexpensive and accessible to everyone. The advent of personal devices and ubiquitous sensors have drastically increased the ease of collecting personal data. Data protection is the response to the increasing risk to individuals that comes with this situation.
In the same way as data protection legislation can be seen as a remedy for power imbalance between individuals and organizations in the context of data processing, anti-trust legislation can be seen to address power imbalances in the market place.
1See pages 104-105 in Pohle, Jörg. (2018). Datenschutz und Technikgestaltung : Geschichte und Theorie des Datenschutzes aus informatischer Sicht und Folgerungen für die Technikgestaltung, Berlin, Germany: Humboldt-Universität zu Berlin, DOI http://dx.doi.org/10.18452/19136, https://edoc.hu-berlin.de/handle/18452/19886 (last visited 11/03/2020), (in German). ↑
2Personal communications with Jörg Pohle. ↑
3See for example Austin, Lisa M., Enough About Me: W:hy Privacy is About Power, Not Consent (or Harm) (January 1, 2014). Forthcoming in Austin Sarat, ed., A World Without Privacy?: What Can/Should Law Do.. Available at SSRN: https://ssrn.com/abstract=2524512. ↑
4Note that processing of personal data for private purposes in a household is excluded from data protection (see Article 2(2)(b) GDPR). ↑
5A chilling effect is the inhibition or discouragement of the legitimate exercise of a right or freedom due to data processing, such as video surveillance. ↑
6Access was for example limited though a high cost. ↑
7Reiner Rehak, Was schützt eigentlich der Datenschutz?, presentation at the 35th Chaos Communication Congress (35C3), Leipzig, Germany, 28/12/18, Slide 18, https://mirror.netcologne.de/CCC/congress/2018/slides-pdf/35c3-9733- was_schutzt_eigentlich_der_datenschutz.pdf (last visited 24/04/2020). ↑