The European "General Data Protection Regulation" and the consumer's utility. Impact and consequences

Table of contents

List of Abbreviations II

1 Introduction

2 Theoretical Foundations
2.1 Definition of privacy and privacy protection
2.2 Personal data collection of consumers and usage process
2.3 Consumer policy instrument: Command and control policy
2.4 Privacy protection law the European General Data Protection Regulation

3 Implications of the privacy protection law the European General Data Protection Regulation
3.1 Consumers' privacy concerns and privacy paradox
3.2 Consumer's utility on the European General Data Protection Regulation

4 Conclusion

References

List of Abbreviations

Abbildung in dieser Leseprobe nicht enthalten

1 Introduction

Edward Snowden's disclosures regarding the surveillance practices of the National Security Agency (NSA) and the Facebook-Cambridge Analytica affair, in which data from up to 87 million Facebook users were illegally collected. These both cases were the largest personal data scandal in the past years (Chen, 2017, p. 868). The violations of privacy protection create enormous concerns, not only for the affected firms but also for their customers. Depending on the firm, the stolen data can range from relatively harmless information to extremely personal data. Besides that, a breach of privacy rights will cost a lot of money to remediate and do serious harm to a firm's credibility and reputation. These examples have sent alarming signals to governments, firms, consumer policy, and consumers to address the problem of personal processing data and privacy protection. Motivated by this problem, this paper aims to conduct a critical literature review on the main research question: Does the European General Data Protection Regulation increase consumer's utility by increasing privacy protection?

The paper is structured as follows in chapter 2.1, a systematic framework of the notion of privacy and privacy protection will be described. In chapter 2.2, the paper will study which kind of personal data is collected, data collection technologies such as user log-in information, cookies or IP address, and the usage process of personal data. Then, in chapter 2.3, the command and control policy is considered a consumer policy instrument to determine how the consumer can benefit from the command and control policy and how the government can set limitations about the level of privacy protection and consumer's welfare. The last chapter 2.4 presents the significant articles of the law European General Data Protection Regulation (EU GDPR) for privacy protection and the consequences for non-compliance with the EU GDPR. In the main part, the research tries to answer the following questions split in chapters 3.1 and 3.2: How can we reduce privacy concerns? Can a privacy protection law like the EU GDPR lower privacy concerns and protect the welfare of the consumer?

This paper sets out the main arguments for introducing consumers’ privacy concerns, privacy paradox, and consumer's utility regarding consumer welfare to answer the questions as mentioned above. Finally, the paper will summarises the findings and a concluding solution to the research question.

2 Theoretical Foundations

2.1 Definition of privacy and privacy protection

Defining privacy is broad and complex. To different people, it means different things. It is closely connected to human dignity, freedom, self-determination. It is related to personal space protection, and mostly used as a right to privacy and how the consumer manages the personal data. It can even be viewed as setting limits between the public and private spheres (Acquisti/Taylor/Wagmann, 2016, p. 445). From the above definition, the paper considers if the right to privacy is really used in privacy protection or is still a problem in the European Union?

This part of privacy is significant because rapid changes in the digital age are challenging privacy protection, and privacy must be reinterpreted and analyzed in the current sense (Dinev, 2014, p. 98). As a policy issue, the notion of privacy inexplicit, and to add to the uncertainty, 'privacy' and 'data protection' have evolved into different fields of research (Gonzalez Fuster, 2014). This paper uses 'privacy protection' and 'data protection' synonymously, for the sake of simplicity. In the interest of the following chapter the synonymous of the two words makes sense because, the paper investigates the personal data collection and usage process and if the privacy protection legislation EU GDPR is providing the right for privacy protection and managing the personal data on the internet. In the European Union, privacy is seen as a foundational right, see Art. 7 and 8 of the EU Charter for Fundamental Rights (EUCFR). The main idea is that people should have the power of their personal data. This is closely related to the concept of 'informational self-determination' established by the German Federal Constitutional Court (Kerber, 2016, p. 3). In this paper, privacy protection is defined as society's laws for managing the collection, disclosure, and personal data use (Richards/Sarat, 2015, p. 40). For decades, the privacy roles of individuals and society have been addressed, which led the researcher Solove (2009) to suggest that privacy is the abstract term for protecting various kinds of practical activities from disturbance (Pedersen, 1997, p. 148; Regan, 2002, p. 384; Solove, 2009). Previous studies indicate that an essential facet of privacy is protecting the processes of not determined human growth and technologies in everyday life (Pedersen, 1997, p. 149; Regan, 2002, p. 384; Solove, 2009). It is not the paper's aim to give a detailed distinction of these two rights privacy and privacy protection. Furthermore, introducing significant facts helps to understand the notions. A significant distinction is that, while privacy might be more abstract right, there is a comprehensive regulation of the right to privacy protection, including definitions, principles, provision. Despite the formal differentiation between these two rights, there is considerable overlap in their content, showing that privacy protection is broader and narrower than privacy and vice versa. Privacy protection is broader since the privacy protection law refers to all forms of personal data processing, even though there is no violation of privacy. Privacy protection is more of a legal issue. Privacy protection is about what firms who have lawfully collected data of the consumer can do with it and what kind of control the consumer has over that collection and processing. Privacy is also broader and more precise since it can extend to non-personal data processing, but it still affects privacy. However, its regulation does not apply to all processing of data because it does not apply to the processing of data that does not interfere with the user's privacy. One does not guarantee the other, and it takes both together to create an appropriate control mechanism (Gellert/Gutwirth, 2013, p. 523).

2.2 Personal data collection of consumers and usage process

Since the paper discussed privacy and privacy protection, it will be described briefly which kind of personal data is collected, data collection technologies, how the personal data is collected, and the usage. Today, growing technical developments do not increase the cost for data firms to collect and use the consumers’ personal data (Goldfarb/Tucker, 2019). Personal data is collected from a consumer, especially during online activities on the internet, knowingly and unknowingly. Personal data can be assigned to a specific person and allows conclusions to be drawn about that person. Personal data includes, for example, biometric data (height, fingerprint, eye color). Norberg and Horne (2014, p. 121) provided a list of general data that are collected by the technology and webpages such as name, date of birth, address, contact details, identification numbers like the tax identification number, bank data, land register entries, vehicle license plates, buying behavior, type of credit card, social media networks, mobile devices, GPS locations, health records and facial recognition. Personal data deserves superior protection. Information may be provided by a consumer or rather a customer knowingly and willingly, for instance, when the consumer has registered a customer account for prior purchase. It is possible to recognize such a customer as the individual logs in (Zuiderveen Borgesius/Poort, 2017, p. 350). It is also possible to use an IP address to decide the country and area where a customer resides and the sort of internet provider the customer has (ibid.). Besides the user log-in formation and IP address, one of the most popular technical technology ways of obtaining personal data about consumers is called a cookie. Cookies are compact text documents stored locally on a consumer's device to store information about their traits and preferences. In return, the cookies detect the user's IP and browser history of profiling the user to show personalized advertisements, including their demographic details (Kulyk et al., 2018). There are different sorts of cookies like session cookies, persistent cookies, first-party and third-party cookies. A session cookie collects information that associates online activities with a single browser session. The session cookie is usually deleted again when the browser is closed. Conversely, persistent cookies are stored for subsequent web page sessions on a user's device until they intentionally delete the cookies. For instance, persistent cookies can be guaranteed that the language selected by the consumer or the buying cart history of the customer is seen on the website again (Soltani et al., 2009). It exists a difference between first-party and third-party cookies. First-party cookies are installed by website owners themselves, while third-party cookies are placed by non-owner parties. By using a unique code, the third-party cookies identify the identity of a user across several websites. This customer 'tracking' enables multiple firms' content to be presented on a single webpage that seems to be managed by a single website owner. Third parties, also including advertisement networks, can put their cookies on numerous of their partner webpages, granting them to identify and deliver targeted content to users on all websites that are part of that network (Soltani et al., 2009). Basically, through a wide variety of technologies, such as user log-in information, IP address, and cookies, the firms can specifically analyze the user's behavior and be aware of the users' browsing patterns (Cofone, 2018). Data brokers collect personal data about consumers' names (Choi/Doh-Shin/ Byung-Cheol, 2019, p. 115). However, it is not limited to it. The researcher Choi, Doh-Shin and Byung-Cheol (2019) add that these firms collect people's 'life-event triggers.' On the one hand, analyzing the example of Acxiom, they found that this consumer data broker firm principally collects people's personal data and analyzes for a specific purpose. After analyzing the collected personal data, the consumer data broker firms sell the Big Data analysis as a service (Pence, 2014, p. 167). The researcher Pence (2014, p. 167) also provided an example in the pharmaceutical industry. IMS Health, another consumer data broker firm, collects information from pharmacies to analyze and construct medication trend profiles and sell them to drug manufacturers. Additionally, pricing algorithms based on such health personal data can also increase the revenues of the website. The reason for collecting personal data is to increase the firm's profit. On the other hand, the researcher Bleier, Goldfarb and Tucker (2020) showed that Netflix collects numerous viewing information from its members to personalize suggestions and generate new, creative content, lately also by interactive series and films. Zuiderveen Borgesius and Poort (2017, p. 352) demonstrated how it is possible to use a user log-in information, cookie or IP address to specifically identify users and track their behavior o use price discrimination. More reasonably, one can argue that what the consumer is doing online, such as what websites the consumer visited, what the consumer looked for, the data brokers collect all the consumers’ transactions (Evans, 2009, p. 44). The researchers Zuiderveen Borgesius and Poort (2017, p. 357) argued that cookies collect personal data and information in the online world. Because cookies are mainly unique identifiers, they should be treated as personal data. Such personal data collected can threaten and violate the consumer's privacy protection because these consumer data broker firms, as mentioned above Acxiom and IMS Health, know everything about the consumer. The lack of privacy protection and potential loss of personal data is due to knowingly and unknowingly collecting and processing personal data (Zuiderveen Borgesius/Poort, 2017 p. 350). This problem causes the loss of consumer trust in the internet because many consumers are not aware of what happens with their personal data because the collection of personal data usually goes unnoticed. The loss of information on the part of consumers leads to asymmetric information. Asymmetric information is one of the four leading causes of market failure (Fritsch, 2018, p. 75). Due to reasons of conciseness, asymmetric information will be defined briefly in the following section. The consequence of violating the assumption of a perfect competition market model, which does not exist, leads to an imperfect market outcome. In the following, the paper examines what kind of government intervention can fill the lack of privacy protection for the consumer, especially with consumer policy in mind.

2.3 Consumer policy instrument: Command and control policy

The following section examines government intervention, which involves intervening in markets to solve problems that affect consumer welfare. Due to market failures, e. g. information asymmetry or other three leading causes of market failure, namely externalities, market power, and lack of adjustment processes, it is necessary to protect the economy or welfare of consumers (Fritsch, 2018, p. 76). This is why consumer policy is necessary, as there are limits to what economics can do to protect consumers. Hence, as Thorelli (1972, p. 193) points out, consumer policy is a subset of public policy. Vickers (2003, p. 2) clarifies consumer policy as "laws and regulations that are aimed at protecting consumers". That implies that consumer policy incentives aim to promote certain consumer behavior forms by ensuring consumer welfare and education, acceptance and protection through legislation, consumer awareness, or other training and motivations. Thorelli (1972, p. 194) categorizes consumer policy into three subcategories: Consumer education, consumer information, and consumer protection. While the latter corresponds to Vickers' definition. Thorelli (1972, p. 194) expands the definition to include the government's obligation to educate consumers to become ‘intelligent consumers’. That means providing an understanding of some basic market principles, informing consumers of their rights and duties, and showing them a rational way to make decisions. Further, Thorelli (1972, p. 194) regards the government as responsible for informing customers about products on the market through commercial communication, e. g. labeling and testing. This can be observed, in particular in the case of asymmetric information. Asymmetric information outlines the situation where one market participant, e. g. the firm is better informed about the market or transaction conditions than the other participant, e. g. the consumer (Akerlof, 1970, p. 489). This allows the better-informed actor to take advantage of the less-informed one. Otherwise, consumers are faced with nonregulated markets and could, therefore, be exploited by firms with better market information (Akerlof, 1970, p. 489). An information-rich environment is provided by the internet. This would seem to provide a way to resolve information asymmetry, such as by allowing customers to show them what happens to their personal data, such as cookies (Izquierdo/Izquierdo, 2007). The internet has the ability to lower, and (ideally) even overcome, the asymmetry of information between consumers and firms. This will theoretically increase consumer trust, utility and welfare, increase competition, and decrease adverse selection. This will lead to a more effective allocation of economic resources and an improved fair and competitive marketplace. The lack of privacy and handling with personal data is one aspect that threatens these possibilities because consumer data firms know everything about the consumer (Malbon, 2013). The problem of privacy protection and the information asymmetry between consumers and firms might require government intervention in the form of legislation to manage personal data on the internet and to protect consumer welfare. Consequently, the problem of privacy protection is a consumer policy problem. This fact seems to make a strong political instrument that forces firms to limit privacy intrusions on the internet. The strongest political instrument influencing individual consumer behavior is legislation. Laws are all formal legal regulations enacted by legislative bodies. Command and control policies, as politicians call them, limit the consumption of individuals. Command and control policies should aim to strengthen their position to protect privacy by ensuring transparency and liability, especially sanctions for the firm (Loer, 2019, p. 38). If the government implements the command and control policy, the government in its turn assumes responsibility, possibly also based on legislation. That may be the case if there is an expectation that neither market actors in the design of their supply nor consumers will change their behavior on their own but that the intervention is politically desired (Loer, 2019, p. 38). For example, assuming that if the aim were to protect the consumer's privacy on the internet, there might be an expectation that each individual firm would be aware of the harm and invasion of privacy in personal data collection and use. The firm would therefore refrain from personal data collection and use out of a responsibility to consumers. Alternatively, the firm may also offer to educate and inform consumers about personal data collection and use to eventually have access to personal data through the consumer's consent (ibid.). However, the example shows that the government does not expect such a sense of responsibility but introduces clear regulations to protect consumers. Simultaneously, government actors also do not assume that firms act in the best interests of consumers or consumer welfare and out of pure awareness of their responsibilities. Instead, the policymakers assume that firms act rationally and with an emphasis on profit. Only with legal regulations can the government intervene and protect consumers from this behavior. As long as the firms comply with the requirement to obtain the consumer's consent for the data collection, the government refrains from imposing sanctions. The example shows that if privacy protection is accepted, the command and control policy can lay the foundation for equal competition conditions and protect the welfare of the consumers because the same rules apply to all consumers and firms. For this reason, interventions aimed at limiting or completely prohibiting individual consumption of a certain good must always be carefully weighed (Nathanson, 1999; Richardson, 2015). Under the policy of command and control, the government can regulate the level of personal data that firms can use and get from consumers and set the transparency command to disclose which personal data are collected and processed. The next section presents the privacy protection law called the European General Data Protection Regulation (EU GDPR). These conceptual clarifications laid the groundwork to answer the research question.

[...]