Introduction
Data protection in the European Union began decades before the passage of the General Data Protection Regulation (GDPR) in 2016, as I discussed in my previous post. Shoshana Zuboff, author of The Age of Surveillance Capitalism, expressed a more guarded outlook on the potential for real-world data protections as expanded under the law:
Only time will tell if the GDPR will be a catalyst for a new phase of combat that wrangles and tames an illegitimate marketplace in behavioral futures, the data operations that feed it, and the instrumentarian society toward which they aim. In the absence of new synthetic declarations, we may be disappointed by the intransigence of the status quo. If the past is a prologue, then privacy, data protection, and antitrust laws will not be enough to interrupt surveillance capitalism.1
Due to the global presence of corporate entities such as Meta, organizations can shop around looking for the best deal for the corporate bottom line. In 2018, Meta (Facebook) changed the territory under which users in North America were governed. Prior to this move, Meta employed their Irish location. Because Ireland is a member of the EU, however, GDPR would have become the de jure regulatory requirement for users all around the world. Rather than allow GDPR protections to cover the globe and provide more substantial protections in tandem with consequential penalties for data processors, with fines up to 4% of the total worldwide annual turnover of the preceding financial year, Meta instituted different geographic data regions subject to lesser scrutiny. Even with the smaller reach, the European Data Protection Board (EDPB) recently issued its largest fine to date, 1.2 billion euros, to Meta in 2023. According to Meta’s investor relations report, the gross revenue from operations was $134,902,000,000 in 2023, with long-lived assets (real property and material goods) exceeding $90,000,000,000 in 2022. However, their current market capitalization is $1.75 trillion in 2025. While the €1.2 billion was a record, the fine could have exceeded the applied amount and may only be a blip to corporations worth in excess of a trillion US dollars.
General Data Protection Regulation
The GDPR extended the already-existing rights provided under the European Council’s Data Protection Directive adopted in 1995. Chapter 3 of the law outlines the rights of the “data subject” in the European Union. First, the “controller,” or the individual/authority/organization determining “the purposes and means of processing data,” is required to provide information to individuals. Article 13 in this chapter establishes the requirements for the controller if the personal data has been collected directly from the data subject, while Article 14 enumerates the responsibilities of the controller when data has not been obtained directly from the individual. One of the main differences between the two is the knowledge of the data subject: Article 14 compels controllers to notify individuals within a month that the data has been indirectly collected and what types of data have been collected. Ultimately, the goal is one of transparency in data collection by a controller.
Many of the remaining articles in Chapter 3 outline the rights available to a data subject under the territorial scope defined by the GDPR, which includes the processing of personal data for activities taking place inside of the European Union even if the data controller/processor does not have an EU presence. The rights provided to data subjects include:
- Right of Access by the Data Subject – Under this right, individuals have the right to know the types of data collected and why it is being processed, to be notified if their data is transferred to an international organization or third country, and to receive a copy of the data from the controller.
- Right to Rectification – Individuals are permitted to correct and complete any personal data being processed.
- Right to Erasure – This right is also known as the right to be forgotten. Individuals have the right to have their personal data erased if it is no longer needed for the original purpose, if consent is withdrawn, and if it was unlawfully collected.
- Right to Restriction of Processing – This protection allows users the right to refrain from having their data processed if it is unlawful, inaccurate, or no longer needed for the original purposes.
- Right to Data Portability – When requesting their data, individuals have the right to receive it in a commonly used and readable format.
- Right to Object – Citizens have a right to object to the processing of their data in most situations unless the processing “is necessary for the performance of a task carried out for reasons of public interest.”
- Automated Individual Decision-Making, Including Profiling – An individual does not have to accept decisions dependent only upon automated processing, which includes profiling.
Some of the largest violators of the GDPR can sustain the occasional fine, such as Meta’s bill of 1.2 billion euros or Amazon’s fine of $886.6 million for the illegal processing of personal data. If similar protections existed worldwide with provisions for equally punitive fines, the potential exists to cut into their existing profits. We might be able to hold corporations responsible for their continual violations of our digital privacy.
Conclusion
The most recent attempt to enact data privacy legislation on a national level by the U.S. Congress was introduced to the House Committee on Energy and Commerce in June 2024. The stated goal of the American Privacy Rights Act of 2024 was “[t]o provide Americans with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement, and for other purposes.” The proposed legislation called for individual control over the access, correction, deletion and portability of data. Unfortunately, the legislation did not escape the committee. With over a billion stolen records in 2024 alone, the United States is in desperate need of not only state but federal-level protections for our data. Such legislation is currently unthinkable due to Elon Musk and DOGE’s continued attack on data in the hands of the United States federal government. Although multiple lawsuits have been filed to fight the eradication of our data privacy, the future for American data privacy looks even more uncertain.
Works Cited
- Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, (New York: Public Affairs, Hachette Book Group, 2019), Chapter 17, epub.
