European Union’s efforts to update data protection laws

Discuss about the The Digital Age Of Communication Regards Data Protection As A Key Factor For The Protection Of Individuals. Are The Current Laws Enough?

Digitalization has decreased the level of privacy of the general population and those who surf the online medium leave behind a trail of their digital footprint.  The majority of the general population use the online medium to connect to different people where they leave a large amount of personal data. On the hand, with the advent of web 2.0 there has been significant increase in online transaction and online shopping so a large chunk of consumer data is always available on company databases (Kerber 2016). Moreover, it is has been seen that security breaches has been as common phenomenon in major organizations where large amount of consumer data has been stolen. Therefore, the study will analyze the appropriateness of the current data protection laws. 

European Union has made attempts to update the data protection laws of 1995 by modifying the previous laws. European commission proposed changes in the current privacy protection laws to adapt to the current need of the society.  The factors that has been taken into consideration while making the changes in the current reforms are new legal basis, choosing the appropriate legal instruments, application scope, strengthening the data subject rights, processor and controller enhancement responsibility, assisting in international personal data transfer, assurance regarding independent enforcement, and guaranteeing personal data protection by criminal justice authorities and police (Montgomery and Chester 2015).  However, cross border issues arise as the boundaries between countries can be determined on the online platform. These have posed concerns and it is tough for the European Union to address this duality effectively.

The prime media for communication in the current society are Facebook, YouTube, Twitter and Instagram.  It has quite difficult for the organizations to safeguard and protect the privacy of the individuals over the world. The data protection law of 1995 has been considered as the only effective legal instrument for data protection of the consumers.The internet platform is diffusive and universal so all the end user agreements and privacy policies are generic in global context.  Moreover, the national parliaments are only responsible for determining the data protection laws. Wachter et al. (2017) stated that the presence of data protection principles is required to implement in the UK workplace for the reason of purpose limitation and data minimization. The General Data Protection Regulation (GDPR) hence provides benefit to the European Data Protection Board for information exchange in transmitting the data for communication (Goodman and Flaxman 2016). This chapter provides a detailed discussion of the current privacy protection laws for digital communication in UK and advantage and disadvantage of the data protection legislation.

Advantages and disadvantages of the Data Protection Act

Data protection for the details of the users taken from the company need to be managed in an efficient ways and for the same reason the government of the UK has formulated five legations. These five legislations are- Data Protection Act 1998, The Privacy and Electronic Communications (EC Directives) Regulations 2003), Data Retention and Investigatory Powers Act 2014 (DRIPA) and Freedom of Information Act 2000. This law come into action from 16th July 1998 and is the primary legal basis for protecting the data (Hornung 2012). The data protection act only implements for collecting the data, processing the same utilizing the personal data of living and natural persons. This data protection legislation processes all the private or public sector data. Gellert and Gutwirth (2013) highlighted that the data protection law is formulated to meet the requirement of EU Data Protection Directive 95/46/EC The data protection laws have total of 75 provisions and detailed information of exception of this legislation, implementation and final provision. In case of Data Protection Act (DPA), data personal to an individual must be processed fairly and b maintaining all the laws and cannot be processed if any conditions under the Schedule 2 of the DPA, any one of the conditions from Schedule 3 of the DPA should be met while handling the sensitive data (Lynskey 2015). Moreover, the personal data of an individual must be adequate, relevant, accurate and of recent date. 

This legislation is implemented for sector-specific laws especially for the online marketing companies. The organization handles the cookies for storing the information of the preferred objects and products of the consumers. The Privacy and Electronic Communications (EC Directives) Regulations 2003) thus implements the provisions of EU directive 2002/58/EC and 2009/136/EU for regulating cookies (Hornung 2012). The additional obligation of this legislation is in relation to the electronic communications industry and electronic marketing. The legislation covers that a person shall not utilize any electronic communications network for storing their personal information (Legislation.gov.uk 2018). The person is also not allowed to access the stored information. This law also considered the consent of the individual and imposes any site to provide clear and comprehensive information regarding the storage and access of the information. The law also stated that the person is also free to refuse the storage of or access to that information (Legislation.gov.uk 2018).

This regulation is mainly formatted for the telecommunication industry and organizations to save connection data of the customers (Legislation.gov.uk 2018). This legislation covers the grounds for issuing warrants and obtaining data in order to detect serious crime and safeguarding the UK’s economic (Legislation.gov.uk 2018). The main purpose of this legislation is to allow with the provision to security services to have access to phone and internet records concerning an individual following by previous repeal of these rights by the “Court of Justice of the European Union”. However, argument has been represented for this legislation that is Data Retention and Investigatory Powers Act (Dripa) 2014 is not consistent with European Union law (Theguardian.com 2018). 

Privacy and Electronic Communications Regulations

According to this legislation, any person can access data and a right to free access to all the information like copies of government documents and other records from public organizations (Burri and Schar 2016). The main objectives for the formulation of this law is to make government more transparent, more accountable, improve the decision- making, better understand decision making processes to the public, engage the participation of the public in politics and endear public trust concerning government work (Hon et al. 2016).

According to this legislation, any person can access data and a right to free access to all the information like copies of government documents and other records from public organizations (Burri and Schar 2016). The main objectives for the formulation of this law is to make government more transparent, more accountable, improve the decision- making, better understand decision making processes to the public, engage the participation of the public in politics and endear public trust concerning government work (Hon et al. 2016).

The disadvantage of the Data Protection Act (DPA) is there are many exceptions involved in the process which does not allow a transparent data sharing among the individuals.  The exempted data for this data protection legislations are- national security, crime and taxation, health, education and social, regulatory activity, journalism, literature and art, research, history and statistics, manual data held by public authorities, information available to the public, disclosures required by law and domestic purposes (Burri and Schar 2016). Thus, it can be said that public cannot get proper data from many sources as they are protected by other regulations. However, the main changes bring in the data protection rules are easier access to personal data, which will be beneficial for the user to get the information how their data are handled, provision to delete the data in case they want to remove the data, right to have data portability to the provider and where they intends to give their data (Diker Vanberg and Maunick 2018). 

General Data Protection Regulation (GDPR) is also taking action to maintain the communication with the customers especially for the e-commerce marketers (Gellert and Gutwirth 2013). The chat system adopted by e-commerce organization analyze the data like visitor’s location, IP address and company through different software in order to identify whether or not the person on chat is a returned customer. The chat system also asks of the customer details like name, email, and address. Wachter et al. (2017) stated that in many cases, company uses the data on the consent of the users but in many cases, even if the customer do not press the enter button, the data is saved in their database which then beaches the legislation of the data protection. The General Data Protection Regulation (GDPR) implements three main steps to strictly follow in order to gather data and personal information from the users (Goodman and Flaxman 2016). The first instance is that the organization have a comprehensive privacy policy set up that includes the details of their authenticity, what kind of data they receive, what are their business functions and how they utilize the data for accomplishing their business functions (Diker Vanberg and Maunick 2018). The policy should also define clearly how the customers can access their details and remove if they do not find any relevance of the saved data with the information that they have shared with the company. In the second phase, these company need to have consent system prior to data collection that is the company, also known as data controllers have to show a permission checkbox in pre-chat surveys and web forms (Goodman and Flaxman 2016). Lastly, the companies have to present a proof that the data they have stored is legal and in case, the organization on using the cloud technology should select a high security data centre located in an EU-approved country (Hon et al. 2016). The stored data should also implement the security protected system like passwords, encryption and firewalls. Moreover, all these three phases will be implemented by 25 May 2018. It is also imposed by the government that, if any organization failed to follow these three phases, they have to pay the penalties of 2-4% of their annual revenues or up to $25 million (The Economic Times 2018). Thus, the planned changes seem to be safe for protection of the personal data from the users in the live chat support system.

Data Retention and Investigatory Powers Act

In case of e-mail marketing, problem of e-mail spam has been witnessed and for the same reason the General Data Protection Regulation (GDPR) implemented span regulations imposed by the organization to protect their citizens from such unsolicited email (Lynskey 2015). In Countries like UK, Australia, Germany, Spain and Netherlands, the marketers need to ask for the consent from the users whether or not they want to take participation in the e-mail survey. However, in US no consent form has been provided as they follow CAN-SPAM Act through which the data are protected (Woods 2017).

Woods (2017) also highlighted that the e-mail that is sent to the user must contain the details of the option for unsubscribing, clear identification of the sender, postal address and information about the contact details of the sender. All these criteria in the e-mail marketing legislation are followed Germany and Canada. However, UK, US, Netherlands, France and Spain do not provide the contact details of the sender, which results in authenticity issue of the sender.

Under the international e-mail law charges a penalty of some cost that has to be paid by the organization that sends such mails. This penalty is different for different nation and on breaching this regulation results in closure of their business functions from the government. The UK government charges the penalty of GBP 500,000, in USA the provider has to give USD 16,000 per e-mail, government of Canada charges up to CAD 10 million, Netherlands charges up to EUR 450,000, France government charges up to EUR 750 per mail, Australian government charges up to AUD 1.7 million; while, Italy imposes up to 3 years of imprisonment (Woods 2017). However, Diker Vanberg and Maunick (2018) presented an argument that some developed countries imposes only small amount of monetary penalties, which might not affect the provider much and thus, strict rule have to be imposed on breaching the international e-mail laws.

The research will aim to identify whether the data protection laws in the present era is enough to protect the rights of the users and consumers. This will highlight the different privacy protection law and practices in European Union in order to narrow down the scope of the study.

The research objectives of the study are examining the present privacy protection laws for digital communication in European Union and to identify the changes in the present privacy protection laws for digital communication in European Union.

• What are the present privacy protection laws for digital communication in European Union?
• What are the changes required in the privacy protection laws for digital communication in European Union?

Freedom of Information Act

In this study, qualitative content analysis will be used as it will provide better in depth answers which can be analyzed to provide relevant findings in the study. The descriptive answers obtained will address different issues so the issues can be easily identified using the qualitative content analysis. This will also make the research framework flexible which will assist in shifting the focus of the study from one specific area to another specific area (Lewis 2015). The gathered data is based on the human experience so the data collected will be more relevant in this context. The personal experience of the respondents can be effectively portrayed using the study. The study will use small sample sizes to reduce the cost so qualitative data analysis is appropriate.

However, the subjectivity of the qualitative research is one of its biggest problems as analyzing and mining the data for key facts is tough as very minute details have to be evaluated which makes the process very time consuming (Alvesson and Sköldberz, 2017). Moreover, representing the data that has been collected is quite difficult as framing the information into a database is tough. Moreover, the researchers’ point of view affects the observation when there is biasness regarding a particular topic. Moreover, reliability in these studies is low due to the inability of the study to reproduce the same data due to the difference in human perceptions.

Research methodology is chosen based on the objective and nature of the study. This study is an applied research where data will be explored to develop relevant findings for the study (Flick 2015).  The study has used mono method where only a single research design has been used to develop effective research findings.

In this study, positivism is the chosen research methodology which will consist of secondary analysis of data by collecting data from journals, articles and websites. Positivism is objective in nature and will include human element (Silverman 2016). Social construction can only be used to gain access in this research philosophy. Therefore, diverse approaches are clubbed together such as hermeneutics, phenomenology and constructivism to apply the subjective view.

In this study, inductive approach will be used to developed new theories and frameworks for solving the identified problem (Smith 2015). In this approach, the theories are based on the observations made in the study by exploring different data in the articles.

Research design describes the methods that will be used for data collection and interpretation. There are generally two research designs and they are exploratory and conclusive. In this study, exploratory research design will be used where different data will be explored to draw relevant conclusion (Humphries 2017).

GDPR and its impact on e-commerce marketers

In this study, primary data will be collected by conducting pilot testing which will consist of developing open ended questionnaire for the study. The patterns from the answers of the respondents will be evaluated to develop relevant findings (Lu and Wang 2017). The open ended questionnaire is used for the respondents that have considerable amount of knowledge in this field.

Sampling is a method where sample population is chosen from the total available population to reduce the complexity of the study. In this study, non probabilistic sampling has been chosen where initially 10 respondents were selected. However, non probabilistic sampling has been used to reduce the sample size to 5 respondents and these respondents will represent the overall sample (Fraley and Hudson 2014). These respondents are all cyber security experts working for different companies in United Kingdom such as Clearswift, Sophos and British Telecom.

Reliability is the ability of the study to reproduce similar result using different data in same or different study.  It is essential to maintain a high reliability in the study for obtaining better results. In this study, test rated reliability has been implemented to check whether similar answers are derived using different respondents or not (LoBiondo-Wood and Haber 2014). The study has used construct validity to examine whether all the prescribed methodology has been followed or not.

Research ethics have been maintained in the study where authentic journals and articles have been used to evaluate the research topic (Resnik 2015). Moreover, the data provided in the study is not subjected to plagiarism and none of the findings in the study has been manipulated to obtain the desired result.

Content Analysis

Question	Comment	Count
What perception do you have about the privacy protection laws in European Union?	“The privacy laws are sufficient and the new amendments will facilitate in both cross border and national communication laws” “The privacy laws are not sufficient and a major change is required”	2 3
What are the challenges you have faced while communicating on the online medium?	I have faced challenges like unwanted pop ups and websites which keep track of my data I don’t feel safe while using the online platform and I use advertisements blockers to protect my privacy information. Moreover, I use software to hide by location and IP address as there are many sites accessing my location and other crucial details.	2 3
What measures do you take while shopping on online platforms?	I do not take measures while shopping on online platform as I buy products from trusted websites I do not share any personal data on the online platform and I prefer using cash on delivery as the mode of payment in most of the occasions so that I do not have shared my personal details.	1 4

The majority of the respondents feel that there are not secure while communicating on the online medium and they do not think that the privacy laws are enough to protect the online users. This is the very reason that they resort to measures to ensure that their privacy has been protected. They use the online medium cautiously such as advertisement blockers and other pops which extract information about the consumers and users. Moreover, the buying behaviour of the consumers has already changing where they prefer to buy products with cash payments. They prefer using encrypted applications for chatting instead of suing normal chat options. These shows that the privacy protection laws require further upgradation due to the changing nature of technology.

The result from the study shows that there have been improvements in the privacy policy in all aspects where there has been increase in consistency and independency of the laws where the authorities can effectively provide assistance in privacy issues. However, the rules and regulations are still not clear and consistent throughout. Lack of consistency and unambiguity is a specific issue GDPR and privacy shield will face especially for those countries where the data protection laws have not yet been updated.

Conclusion

The technological companies from different parts of the world will be able to gain access to personal data which shows the vagueness and lack of transparency is a major problem. However, the new data protection law such as the GDPR and Privacy shield will have a positive affect on the privacy policies of the organization.  European have been instrumental in addressing all the issues faced by the individuals on the online platform where all the websites in Europe will be considered under the data protection law of EU irrespective of the origin of the website and the company.

However, this is just a ground work for the organizations as with the advancement in the field of technology significant areas grey areas will have to be addressed. Therefore, laws will have to be changed and interpreted depending upon the changing nature of the online platform. Therefore, it cannot be said that the current laws are sufficient to provide protection to the users on the online platform as significant grey still remain due to lack of borders on the online platform.

References

Alvesson, M. and Sköldberg, K., 2017. Reflexive methodology: New vistas for qualitative research. Sage.

Burri, M. and Schar, R., 2016. The Reform of the EU Data Protection Framework. Journal of Information, 6.

Burri, M. and Schär, R., 2016. The reform of the EU data protection framework: outlining key changes and assessing their fitness for a data-driven economy. Journal of Information Policy, 6(1), pp.479-511.

Diker Vanberg, A. and Maunick, M., 2018. Data protection in the UK post-Brexit: the only certainty is uncertainty. International Review of Law, Computers & Technology, 32(1), pp.190-206.

Flick, U., 2015. Introducing research methodology: A beginner’s guide to doing a research project. Sage.

Fraley, R.C. and Hudson, N.W., 2014. Review of intensive longitudinal methods: an introduction to diary and experience sampling research.

Gellert, R. and Gutwirth, S., 2013. The legal construction of privacy and data protection. Computer Law & Security Review, 29(5), pp.522-530.

Goodman, B. and Flaxman, S., 2016. European Union regulations on algorithmic decision-making and a” right to explanation”. arXiv preprint arXiv:1606.08813.

Hoel, T. and Chen, W., 2016. Implications of the European data protection regulations for learning analytics design. In Workshop paper accepted for presentation at The International Workshop on Learning Analytics and Educational Data Mining (LAEDM 2016) in conjunction with the International Conference on Collaboration Technologies (CollabTech 2016), Kanazawa, Japan-September (pp. 14-16).

Hon, W.K., Millard, C., Singh, J., Walden, I. and Crowcroft, J., 2016. Policy, legal and regulatory implications of a Europe-only cloud. International Journal of Law and Information Technology, 24(3), pp.251-278.

Hornung, G., 2012. A General Data Protection Regulation for Europe: Light and Shade in the Commission’s Draft of 25 January 2012. SCRIPTed, 9, p.64.

Humphries, B., 2017. Re-thinking social research: anti-discriminatory approaches in research methodology. Taylor & Francis.

Kerber, W., 2016. Digital markets, data, and privacy: competition law, consumer law and data protection. Journal of Intellectual Property Law & Practice, 11(11), pp.856-866.

Legislation.gov.uk., 2018., Data Retention and Investigatory Powers Act 2014. [online] Available at: https://www.legislation.gov.uk/ukpga/2014/27/pdfs/ukpga_20140027_en.pdf [Accessed 26 Apr. 2018].

Legislation.gov.uk., 2018., Electric Communication- The Privacy and Electronic Communications (EC Directive) Regulations 2003. [online] Available at: https://www.legislation.gov.uk/uksi/2003/2426/pdfs/uksi_20032426_en.pdf [Accessed 26 Apr. 2018].

Lewis, S., 2015. Qualitative inquiry and research design: Choosing among five approaches. Health promotion practice, 16(4), pp.473-475.

LoBiondo-Wood, G. and Haber, J., 2014. Reliability and validity. Nursing research-ebook: Methods and critical appraisal for evidencebased practice. Missouri: Elsevier Mosby, pp.289-309.         

Lu, B. and Wang, S., 2017. Data Collection and Analysis. In Container Port Production and Management (pp. 31-71). Springer, Singapore.       

Lynskey, O., 2015. The foundations of EU data protection law. Oxford University Press.

Montgomery, K.C. and Chester, J., 2015. Data Protection for Youth in the Digital Age. Eur. Data Prot. L. Rev., 1, p.277. 

Resnik, D.B., 2015, December. What is ethics in research & why is it imp

Silverman, D. ed., 2016. Qualitative research. Sage.

Smith, J.A. ed., 2015. Qualitative psychology: A practical guide to research methods. Sage.

The Economic Times., 2018. Europe’s data protection law may have severe implications for India’s IT industry. [online] Available at: https://economictimes.indiatimes.com/tech/internet/europes-data-protection-law-may-have-severe-implications-for-indias-it-industry/articleshow/63741020.cms [Accessed 26 Apr. 2018].

Theguardian.com., 2018. High court rules data retention and surveillance legislation unlawful. [online] Available at: https://www.theguardian.com/world/2015/jul/17/data-retention-and-surveillance-legislation-ruled-unlawful [Accessed 26 Apr. 2018].

Wachter, S., Mittelstadt, B. and Floridi, L., 2017. Why a right to explanation of automated decision-making does not exist in the general data protection regulation. International Data Privacy Law, 7(2), pp.76-99.

Woods, L., 2017. Automated Number Plate Recognition: Data Retention and the Protection of Privacy in Public Places. Journal of Information Rights, Policy and Practice, 2(1).