Is the GDPR efficient in protecting EU citizens against the privacy risks raised by social media?
Abstract
The General Data Protection Regulation (GDPR) was adopted for a noble cause: protecting European Union (EU) citizens’ privacy and the EU social model founded on the values of dignity, freedom, democracy, equality, the rule of law and respect for human rights. Thanks to the magnitude of its fines, the GDPR attracted much attention from media, companies and legislators far beyond the EU and greatly helped expand the protection of personal data worldwide. Seven years after coming into force, however, it appears that the GDPR has failed to stop social media from massively tracking EU citizens’ online activity, monetising their privacy and personal data, exploiting their vulnerabilities and manipulating them for commercial and political purposes. This paper aims to demonstrate that the GDPR’s failure is mainly due to: (1) an individualist approach to data protection; (2) the absence of any absolute prohibition; (3) the concept of lawfulness conceived as a mere procedural exercise; (4) the tendency of the EU supervisory authorities and legislators to prioritise individual consent as the GDPR’s legal basis for online social media behavioural advertising activities, despite its inability to efficiently protect individuals’ and collective democratic rights and values; (5) insufficient use of the overarching fairness principle to draw red lines from the outset; and (6) inefficient EU data protection authorities’ enforcement strategy towards social media. The GDPR should be amended to adopt another paradigm focused on a risk-based approach that considers collective interests, such as the EU regulation on artificial intelligence (AI). Although the European Commission (EC) has not proposed any amendment to the GDPR following its reports on GDPR application in 2020 and 2024, it seems urgent to make these changes given the geopolitical context and the omnipotence of social media in the US.
Moving away from an individualist vision of data protection will help put an end to the overreliance on consent for digital services and personalised online advertising. This paper is also included in The Business & Management Collection which can be accessed at https://hstalks.com/business/.
Author's Biography
Caroline Doulcet was admitted to the Paris Bar in 2006 and worked for seven years as a lawyer in well-known data protection law firms. She joined Barclays as Vice President, Data Protection lawyer, working initially for France, then the EMEA region and finally at global level. She then relocated to Singapore, where she was Head of Data Privacy Legal, Asia Pacific for Barclays. For the last six years she has been working for Oerlikon (Switzerland) as Global Data Privacy and Data Compliance Officer.