125 79 3MB
English Pages 213 [209] Year 2021
Vanessa Kirch
Social Networks The Modern-Day Family Law and Policy of Regulation
Social Networks - The Modern-Day Family
Vanessa Kirch
Social Networks - The Modern-Day Family Law and Policy of Regulation
Vanessa Kirch Bonn, Germany
ISBN 978-3-030-68650-5 ISBN 978-3-030-68651-2 https://doi.org/10.1007/978-3-030-68651-2
(eBook)
© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Switzerland AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
To my daughter, Valentina, who will most likely be neither able nor willing to escape social media. I wish her to take advantage of all the possibilities modern technologies in general, and social networks in particular, will offer her, but without getting caught up in the negative impact social media especially can have on the individual and society. Furthermore, I wish her the strength, independence, and courage that are needed in order to find her very own way in life, always with an open heart and pure intentions, trying to do her best to make the world around her a peaceful and happy place—challenge yourself, be curious, kind, loving, positive, and wholehearted, trust yourself as well as your destiny, and keep a smile on your face each and every day, as life is too short to be taken too seriously, Vali.
Foreword
Dr. Vanessa Kirch has engaged a topic that lies at the root of today’s interactions: the Internet and its children, i.e., social networks of ever-increasing breadth and intensity. Unless we wished to engage in the life of a hermit, this new communications environment affects each and every one of us. The world around us has changed fundamentally. The author ends her thesis with a quote from French philosopher Michel Serres, who stated that since 1970, via electronic communications of this kind, “a new kind of human being was born in the brief period of time that separates us from the 1970s. He or she no longer has the same body or the same life expectancy. They no longer communicate in the same way; they no longer perceive the same world; they no longer live in the same Nature or inhabit the same space.” (Michel Serres, Thumbelina. The Culture and Technology of Millennials (2015)). Serres wished he could be one of them, part of the Generation Facebook: “I would like to be eighteen years old, the age of Thumbelina and Tom Thumb, since everything has to be redone, everything still needs to be invented. I hope that life leaves me enough time to work on this, side by side with Thumbelina and Tom Thumb, to whom I have dedicated my life because I have always respectfully loved them.” (id.). The author would probably approach this new world with slightly less enthusiasm—with more trepidation than joyful anticipation. Her thoughtful introduction starts with an apparent paradox: while in China the limitations of access to the Internet are the focus of much criticism, in the U.S. social media are criticized precisely because their overconsumption and use lead to what Fritz Stern has called the “stultification” of the people, a danger to democracy in this country not known to the Founders of the Republic whose high level of education prepared them well for responsible leadership. In contrast, the author then points out the openness and transparency of the Internet and social media through which people freely share intimate details of their lives with others, far beyond the confines of a traditional family. In fact, we have arrived at a novel concept of family, a “modern-day family,” as designated by the author in the subtitle of her thesis—one that transcends the communications technology-driven image of a “global village” put forward by vii
viii
Foreword
Marshall McLuhan in 1960 and that links people across continents in detailed virtual communication about all aspects of their lives, from the high-minded to the mundane. Is there a dark side to this ubiquitous transparency? Dr. Kirch fairly points out the convenience of the new media, which appears to be a condition of their success. They facilitate access to information on all aspects of knowledge, the doing of business across borders and within, and social interaction— which has changed in quantity and quality. Facebook has given its name to an entire generation. Its terminology of “friends,” “followers,” and “likes” created relationships of nature not before known in human history. In terms of time spent, people tend to their smartphone more than to any human being or pet. One’s image in this virtual world becomes all-important. People create, and constantly adapt, a profile which shows them in the best light possible—often to the detriment of real, physical relationships, further accentuated in today’s COVID-19 environment. This unlimited revealing of all aspects of one’s inner world, fomented by the philosophy of the social media, to anybody and possibly nefarious actors can lead to lifetime adverse consequences, as the Internet does not forget. The author thoughtfully points out these issues. Her strength lies in the posing of questions that may lead to important insights. She strikes a conversational tone, highlighting the issues through the technique of storytelling. Her statistics on usage on Facebook and its cognate platforms such as Twitter, Instagram, TikTok, and Snapchat are enlightening. The effects of violations of users’ privacy are well described, i.e., social isolation, depression, mobbing, suicides, disruptive Facebook parties, etc. resulting in a “glass person” without any “islands of privacy” left. What should be done about this issue—by the social media, by individuals, by the state? Should there be a right to be forgotten on the Internet? Is this even technologically feasible? The author addresses this all-important issue, introduced in Chap. 1, by applying the problem-and policy-oriented methodology of the New Haven School of Jurisprudence. This approach aims at a thorough interdisciplinary and multi-method analysis of a societal problem (Chap. 2), presents conflicting claims in society (Chap. 3), analyzes past and future responses by the law (Chaps. 4 and 5), and offers an appraisal of those responses as well as solutions oriented at an empirical ideal of a public order of human dignity (Chap. 6). In Chap. 2, the author begins with an important section: “Understanding the Internet.” It describes the phenomenon in a conversational way, focusing on the history of its development, from ARPANET to Timothy Berners-Lee and other progenitors. She then follows up with basic facts on social networks—Facebook, Instagram, Snapchat, Twitter, TikTok, and WhatsApp—focusing on their special technical features and the particular attraction they have for particular audiences. The author follows this discussion up with a presentation of the “Facebook Generation.” Dr. Kirch then proceeds to discuss the data gathered and processed through social networks—their major source of revenues. She focuses on Facebook and analyzes its data usage practices. She presents the data voluntarily given by users via their profiles, their use of the like button, their links, posts, comments, friendships, etc. Metadata (information about the time, place, language, sender, recipient, etc. of certain communications) are also of great interest to the social network. Statistical
Foreword
ix
analysis of all of these data yields the third category of pertinent information, i.e., “big data”; undertaken in cooperation with market research agencies, this data mining can make advertising much more targeted and effective. As the collection of data is unlimited, its evaluation occurs at an ever faster speed due to these processes of data mining, text algorithms, and software. The ubiquitous voluntary sharing of personal information on social media creates fundamental problems regarding a person’s privacy. The author asks why there should be a problem if the sharing of such data is done voluntarily and then proceeds with the explanation that people will use those networks anyway, despite the parade of horribles she envisions. The author delves into the motivation of such potentially dangerous behavior. In the business and professional world, can one still attract clients if one lacks a presence on social media? In Chap. 3, the author presents the conflicting empirical claims, starting with the claim to freedom of communication and access to information enhanced by social media, followed by the claim to economic benefit. The third claim is privacy, and the fourth claim she presents is the original claim to unlimited freedom of the Internet, confronted by the fifth claim, i.e., the claim to protect security both on the international and the domestic planes. The author proceeds to government regulation in the field, as a response to these conflicting claims. In Chap. 4, Dr. Kirch focuses on privacy as the major concern, vel non, of governmental agencies. In historical analysis, she starts with the general introduction of privacy as a term of art into systems of law, quoting, for the USA, the seminal 1890 Warren and Brandeis article in the Harvard Law Review. Appropriately, she points out that a single-minded focus on privacy and its protection might yield undesirable social consequences: the traditional distinction between the public and the private sphere, leading to the characterization of life within a family as private, thus untouched by governmental regulation, has, for example, spawned untold suffering in the form of domestic violence. Still, some feminist legal scholars, such as Martha Fineman, see also benefits for women in the recognition of privacy. A good discussion of the definition of the right to privacy follows—one, to be left alone, the other to autonomy within society (including personal self-determination, freedom from surveillance, control over one’s personal information, the right to secrecy, etc.), essentially the right to keep a sphere of our lives away from government intrusion and invasion by others. The author then provides an overview of domestic laws on the subject, concluding that most constitutions grant a right to the secrecy of communications and the inviolability of one’s home. Such guarantees are to be found not only in constitutions, but also in “jurisprudence and general law,” focusing on the USA, Germany, and the UK. As to the USA, Dr. Kirch discusses the statement that the Constitution should be understood as a “living document” made “in order to adapt to any type of changes,” an assertion highly contested in today’s constitutional jurisprudence, especially in light of today’s composition of the Supreme Court, by the jurisprudence of textualism and original intent, mostly identified with the late Justice Antonin Scalia. Of great interest are the author’s analyses of the dissenting opinion of Justice Harlan in Poe v. Ullman and the foundational decision on the right to
x
Foreword
privacy, Griswold v. Connecticut. She also discusses the right in the criminal procedure context of Katz v. U.S. (1967), in the abortion context of Roe v. Wade (1973), and in the recent case on cell phone location tracking, i.e., Carpenter v. U.S. of June 22, 2018. The author concludes correctly that there is no general right to privacy in the USA, but that case law and legislation have granted rights to specific privacy protections in certain contexts. Proceeding to Europe, the author discusses, in particular, the privacy protections in Germany and the UK. As to the analysis of German law, Dr. Kirch, a fully credentialed jurist in that jurisdiction, provides a strong analysis of the combined effect of Article 1(1) of the German Basic Law (the Constitution of Germany), which safeguards human dignity, and its Article 2(1), granting a certain “space” protecting “against any kind of intrusion—neither visual nor audio monitoring—by creating an area where a person can be free and act the way [he or she] desires.” This statement is backed up by jurisprudence of the Federal Constitutional Court developing three different spheres of privacy. An eminent original contribution to this field of law is the Court’s proclamation, in its Census decision of 1983, of the right to informational selfdetermination, again derived from the combination of Article 1(1) and Article 2(1) of the Basic Law. It provides protection against the collection, the saving, the usage, and the transfer of one’s personal data and put the individual in charge of deciding whether to give away or utilize his or her personal data; the limitation to this right would have to constitute a predominant common interest. Of great insight is also her contextualized discussion of the pertinent law in the UK and Latin America. For all other countries’ protections of the right to privacy, she properly refers to Alexandra Rengel’s comprehensive work (Alexandra Rengel, Privacy in the 21st Century (2013)). As to international law, the author recites a plethora of pertinent texts, starting with Article 12 of the Universal Declaration of Human Rights, Art. 17 ICCPR as well as other pertinent universal and regional instruments. While this general overview of the right to privacy provides proper background, the next section, entitled “The Protection of Privacy in the Context of Electronic Communications,” is focused on the specific context of social media. The author starts with a critical insight: there is a difference between the analog protection of human rights and the protection of human rights in the digital world. She also asks pertinent questions: what are the data that need protection? How are personal data defined? What are the obligations of people or entities collecting such data, processing, and transferring them? How are they enforced? Properly, the author lists the historical progression from data protection laws in Germany in the 1970s to other European countries, to Article 8 of the 2000 EU Charter of Fundamental Rights, which guarantees a right to protection of personal data concerning a person, allowing processing for specified purposes on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data concerning him or her and have them rectified. Similar principles characterize also the OECD Guidelines on Data Protection and the Council of Europe’s Convention for the Protection of Individuals with
Foreword
xi
regard to Automatic Processing of Personal Data. The author also states that key states such as the USA, Russia, and China “are still not participating in the protection of the individual and his or her personal data”—a statement later more differentially addressed regarding the USA. In detail, the author again first analyzes domestic law in the subject. As to the USA, Dr. Kirch correctly states that there is “not one single or general law dealing with the subject of privacy when it comes to electronic communications.” But there is a “pretty confusing system of federal as well as state rules” on the subject covering key areas such as HIPAA, financial services, federal trade, consumer protection, the Fair Credit Reporting Act, and the Electronic Communications Privacy Act. Counter-tendencies are listed as well, including President Trump’s repeal of privacy and data security regulations for broadcast Internet service providers adopted by the FCC under President Obama. She properly also mentions California’s Online Privacy Protection Act. European countries are reported on next. Germany is credited with taking first place in a 2014 global Internet privacy study. Here, the author comments on the federal and state data protection laws, as they have to be amended to conform to the new EU General Data Protection Regulation. The 2018 Network Enforcement Act is criticized for applying only to social networks with more than 2 million registered users within Germany. The Latin American section of this chapter provides details on the novel remedy of “habeas data,” a groundbreaking concept which allows an individual to find out what exact data have been collected about him or her (e.g., in the Dominican Republic). Argentina and Uruguay are, however, the only two countries with laws considered to be adequate enough for the European Union to transfer data to them. As to international law, Dr. Kirch analyzes and critiques the 1988 General Comment No. 16 on Article 17 of the ICCPR (right to privacy). The author then properly elucidates the content of EU Directive 95/46/EC of 1995 which mandates that data can only be collected for specified, explicit, and legitimate purposes, and individuals must give their unambiguous and explicit consent thereto. Importantly, the author analyzes the “right to be forgotten,” as put forward by the European Court of Justice in the landmark Costeja Case in 2014. The author then properly presents the EU’s path-breaking May 25, 2018 General Data Protection Regulation. On novel ground, she discusses the subject-matter and the definition of the “data subject,” as well as the right to be informed (Articles 12–14); the right of access (Article 15); the right to rectification (Article 16); the right to erasure (Article 17); the right to restrict processing (Article 18); the right to data portability (Article 20); and the right to object (Article 21). In detail, she discusses Articles 5 and 6, the principles relating to the processing of personal data, including “lawfulness, fairness, and transparency”; the limitation to the declared purposes of processing; data minimization; accuracy, with the right to erasure and rectification without delay; storage limitation; integrity and confidentiality of data; as well as accountability of the controller. As to the requirement of consent, the author points out that the key reason for processing of personal data and profiling of persons
xii
Foreword
is the economic purpose of targeted advertising, as clarified by Google and other social networks. Limitations to rights are as important as the rights themselves, as stated by Roza Pati in Rights and Their Limits: The Constitution for Europe in International and Comparative Legal Perspective, 23 Berkeley J. Int’l L. 223 (2005). In this case, as detailed in the text of the GDPR and its Preamble, balancing rights against legitimate public interests is allowed. The author’s discussion of the transfer of personal data is properly paired with exemptions for reasons of national security and public safety. Dr. Kirch provides an excellent analysis as to the novelty of the GDPR as compared to the 1995 EU Directive: the definition of personal data; the inclusion of new rights like the right to be forgotten; higher fines; new transparency and information requirements, including the duty to present information to an individual “in a way that he or she can easily understand it”; the distinction between privacy by design and privacy by default; and the expansion of the territorial scope. Chapter 5 tries to predict the future decisions in the field. This section commendably starts with the image of the oscillation of developmental constructs of the future ranging from the most pessimistic to the most optimistic ones. The focus here is on Facebook. Videos streamed live on Facebook live, for example, are apt to influence/ manipulate the many users of Facebook of which 2.2 billion users log on every day, in addition to the hundreds of millions of users of Facebook-owned WhatsApp and Instagram. Other media are also posting their article on Facebook, which creates a dependency of these media companies on Facebook and the danger that users pick up all their information from Facebook rather than the original news media website. Extreme and radical viewpoints that would never be uttered out loud in the real world get an audience on Facebook, which has an impact on elections and other democratic decision-making processes. The author usefully warns of the possibly harmful impact of disinformation and fake news. On the positive side, Facebook and other Internet companies, through internet. org, will provide Internet access to developing countries. Facebook is developing drones, to be operated by solar energy, that could tape and film virtually everything; the constant surveillance of everybody is no longer a fiction. New sources of income might arise: bloggers, influencers, and YouTubers are already earning a good living using the Internet creatively. Worst-case scenarios include the prospect of constant surveillance. By creating exclusive platforms for their users, social networks make them additionally vulnerable. In this “open, transparent society,” it would be normal to be watched and exposed nonstop, via an “all-seeing eye.” Best-case scenarios include the state limiting the power of social media, protecting the right to privacy, and collecting data on its citizens only to prevent danger and guard against threats to them. Individuals would refrain from sharing data using social media. Final Chap. 6 appraises the past and predicted future decisions, presents alternatives, and recommends solutions in the global common interest. This common interest, touchstone for appraisal and guiding light for solutions, is defined as a world order of human dignity, meaning maximum access by all to the processes of
Foreword
xiii
shaping and sharing all things humans value. These empirical values are, in classical formulation by Yale’s policy scientist Harold D. Lasswell, described as power, wealth, enlightenment, skills, affection, well-being, respect, and rectitude. Dr. Kirch starts, properly, with the value of affection, as communication among “friends” was the first goal of Facebook and other social media. Friendship may be enhanced, but Facebook can also be a platform for mobbing, increased loneliness, and bad information remaining visible forever. Enlightenment is enhanced by easy access to tons of information, but the Internet also can create an information overload, and the information may not be correct or reliable. As to power, the user may feel empowered, but social media may be in actual control as they can easily influence him or her (cf. Cambridge Analytica, troll factories). As to rectitude, faith can be promoted, but also terrorism based on supposedly religious principles. Respect may be enhanced, but more likely, the disrespect for others and its expression is fostered by the anonymity of the Internet and the fact that there are no consequences for bad behavior—maybe lawsuits, but no fear for life or body on the part of the offender hiding behind the digital screen. Real-life skills decline, as the user may sink into isolation and depression. As to wealth, there is a chance for developing businesses, but most do not succeed. Well-being: communications on social media may be fun, but looking at others’ profiles may actually lead to depression. The author is to be commended for such excellent analysis based on human aspirations and their disappointment, as the author concludes that the negative sides of social media use predominate. As to alternatives to the present state of affairs, Dr. Kirch discusses a return to life before the Internet, including the destruction of all computers and smartphones—or a withdrawal from all forms of modern living. Both these alternatives are, however, in her view, removed from reality. A third alternative is an individual’s refusal to use the Internet or post content on social media. Few persons, however, the author concludes, would give up the comforts of the new technologies. Self-regulation could be the way to go for activities transcending a country’s boundary, but the GDPR model could also be advisable. The author also thoughtfully evaluates the pros and cons of the GDPR. Pros include the harmonization of data protection laws throughout the EU, affecting 500 million EU citizens, the provision of a better definition of consent and the protection of minors; the establishment of a “onestop shop” authority within a country. Cons, in her mind, include her characterization of the GDPR as “too chaotic and ambiguous” and its focus on sometimes outdated technologies, which might lead to lawsuits. But the cons do not beat the pros; the GDPR has a global impact which forces Internet companies to comply with it. The author discusses Molly Land’s thesis that the “Internet has an international law problem” in the sense of its regulation ignoring basic human rights concepts such as freedom of expression, privacy, etc. If the human rights community does not weigh into the decisions on the regulation of the Internet, decisions will be made by the industry and government. What is needed is respect for freedom of expression, but also for data privacy. Dr. Kirch also reflects upon Lori Andrews’ idea of a Social Network Constitution where the social networks would become “information
xiv
Foreword
fiduciaries.” They would have a duty of care and loyalty toward clients and beneficiaries, embodying trustworthiness and abiding by confidentiality, akin to journalistic ethics. As to her recommendations, Dr. Kirch primarily urges the raising of awareness among citizens, politicians, social networks, and businesses of the digital vulnerability of individual human beings and the threats to privacy posed by the Internet and social networks. States should create and enforce rules protecting individuals. A binding code of conduct for social networks should be developed which could become the law of the land. Beyond government regulation, Dr. Kirch suggests that individual users of social media should reflect upon what they really want out of life. What kind of world would they like to live in, and how much privacy would they wish to give up? As a matter of social policy, a fight for the right to privacy would begin. The author presents a conclusion where she starts with the dystopian vision of an autistic, antisocial society fostered by the Internet, but ends with Michel Serres’ magic of new beginnings, as evoked in Hermann Hesses’s eternal poem Stufen: “Und jedem Anfang wohnt ein Zauber inne, der uns beschützt und der uns hilft, zu leben.” In sum, Dr. Kirch completed the task of tackling this immensely complex social problem with authority and clarity of vision. In command of the subject-matter, she displays an elegance of style rarely known for someone who is not a native English speaker. This alone makes the book a delight to read. Her mastery of the New Haven School of Jurisprudence methodology is equally evident. The delimitation of the problem and the profound questions asked demonstrate the author’s control of the topic and her analytical brilliance. Her assessment of the novel European Union’s General Data Protection Regulation (GDPR) is thoughtful. The breadth of pertinent comparative and international law she presents is impressive; so is her depth of research on various countries, particularly the Federal Republic of Germany, the USA, and states of Latin America. Overall, the contents of this book, the questions it asks, and its critical insights make the reader stop and think. Its ultimate conclusion affirming the value of selfdetermination and the independent moral agency of the individual human being sets a courageous counterpoint to the prevalent mainstream. Its wisdom, I am sure, will stand the test of time. 16 December 2020 Miami, FL, USA
Siegfried Wiessner
Preface
Understanding sans Frontières You have to know English today and French, Italian too, and more and more Spanish and Russian and Japanese the world grows together, the frontiers are blurred,
the people begin to reflect on what´s foreign and search for the word which ensures the right meaning, and yet they forget that two pairs of eyes, which meet face to face, tell everything then, all without language. “PáTú”, Gedichte/Poems, page 5 Gabriele Kirch
Social networks, without doubt, form part of today’s society and will not disappear anytime soon. It is also very unlikely that the individual will live solely in an analog world ever again. The convenience of making use of the new way of communicating, including social media platforms, is just too appealing and, for most of the younger generation, participating in these platforms is nothing but normal. It even seems as if today’s individual sometimes prefers to live in the digital world, forgetting that, as Gabriele Kirch writes, “two pairs of eyes, which meet face to face, tell everything then, all without language.” And without modern technologies involved, I would like to add. When the idea of this book came to life, I was not part of any social network yet, as I have never felt the need to be so and, as of today, I still have not posted or shared any content on social media platforms, taking advantage instead only of the fast and easy way of getting in touch with family and friends from around the world that communication via networks like WhatsApp offers.
xv
xvi
Preface
I am still of the opinion that, for many individuals, social networks might come with possible threats rather than real benefits. The fact that, with the help of social media, fake news are spread easier than ever before remains scary to me, and the phenomenon of fake news alone demonstrates how dangerous social networks can be. Today’s ongoing pandemic is just another example, as news on COVID-19 are shared on social media platforms riddled with conspiracy theories, including that the virus does not exist at all. In this particular case, the threat of fake news on social media is not only annoying or disappointing, but could even be fatal. Social networks allow the individual to easily pick and choose and, more importantly, share and spread whatever opinion he or she is searching for, no matter how bizarre his or her beliefs might be. Throughout the course of writing this book, my concern that social media could impose a serious threat to our societies did not disappear, and although I still think that the cons of social networks outweigh the pros, I also gained better insight into the possibilities that today’s situation offers us. It is our chance and responsibility to decide how we want to shape our future, where social media is going to continue to play an important role and more than likely form a big part of our everyday lives. It is not yet too late to get involved in paving a new way of dealing with today’s social media companies. Accordingly, I can only encourage everyone to at least start thinking about the dilemma posed by modern technologies and the right to privacy, as the individual is the one who has the power to head in a different direction and better engage in this very important subject. Coming back to Gabriele Kirch’s poem, one notices that the Chinese language is not mentioned, although Chinese has to be considered of utmost importance these days. Leaving Chinese out may have been due to the fact that the poem dates back to the early 2000s, when the People’s Republic of China was not yet as important a world player as it is today, and shows how fast and profound the world order has been changing and gravitating toward China ever since. This demonstrates that change and the shifting of power are possible even in a very short period of time. Taking stock of this example of rapid and profound change in our world order should be an encouragement to stand up for one’s right to privacy and start actively working on transferring the power over personal information and data back to the individual, instead of leaving it up to social networks or governments to address the issue. Aventutra, FL, USA November 2020
Vanessa Kirch
Acknowledgements
I am grateful and proud of the completion of this book and would like to thank everyone who supported this project, first and foremost my family. By using the term “family,” I am addressing, overall, my mother, Gabriele, my sister, Anne, and my grandmother, Gerdy. Although we are all spread around the globe, family should be understood in the traditional sense here and not as “modern-day family,” which I describe in my first Chapter/Introduction. In addition, my thanks go to Elzyata for her help and support ever since we studied law together. Furthermore, I especially would like to thank Professors Dr. iur. Siegfried Wiessner and Dr. iur. Roza Pati, who have inspired this book. When we met in 2010, when I started my Master of Laws in Intercultural Human Rights (LL.M.) at St. Thomas University School of Law, it was these two professors who encouraged me to take on the position of editor-in-chief of the school’s reknowned legal journal, the Intercultural Human Rights Law Review. There, I learned a lot about legal writing. Being Professor Pati’s research assistant at that time helped me getting deeper insights into the subject of human rights. So, it was both the School’s distinct LL.M. Program, inviting global experts in the field of human rights to teach, as well as all the experience that I additionally gained, thanks to my dedicated professors, that led to the decision to enter the School’s Doctoral Program in Intercultural Human Rights (J.S.D.), successfully completed a couple of years later. In particular, I am grateful to Professor Wiessner, who helped me overcome various obstacles in the way of completing this book, especially when I was working back home in Germany. I greatly appreciate his indefatigable support, advice, and encouragement. Ein herzliches Dankeschön!
xvii
Contents
1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1 11
2
Delimitation of the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1 Understanding the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2 Social Networks: Basic Facts . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3 The “Facebook Generation” . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.4 Data Gathered and Processed Through Social Networks . . . . . . . 2.4.1 Data Actively Provided to Facebook by Its Users . . . . . . . 2.4.2 Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.4.3 Big Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.5 Privacy Concerns Arising from Social Networks and the Concept of Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . .
13 15 23 28 33 35 36 38
. .
42 50
Conflicting Claims, Claimants, Identifications and Bases of Power . . . 3.1 The Claim to Freedom of Communication and Access to Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2 The Claim to Economic Benefit . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3 The Claim to Privacy and Data Autonomy . . . . . . . . . . . . . . . . . . 3.4 The Claim to Unlimited Freedom of the Internet . . . . . . . . . . . . . . 3.5 The Claim to Protect National and International Security . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
55
3
4
56 57 58 59 59 61
Past Trends in Decision and Conditioning Factors . . . . . . . . . . . . . . 63 4.1 The General Legal Protection of Privacy . . . . . . . . . . . . . . . . . . . 64 4.1.1 Domestic Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 4.1.2 International Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 4.2 The Protection of Privacy in the Context of Electronic Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
xix
xx
Contents
4.2.1 Domestic Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 4.2.2 General Data Protection Regulation (GDPR) . . . . . . . . . . . 123 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 5
Predictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
6
Appraisal, Invention of Alternatives and Recommendations . . . . . . . 6.1 Appraisal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1.1 Affection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1.2 Enlightenment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1.3 Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1.4 Rectitude . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1.5 Respect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1.6 Skills . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1.7 Wealth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1.8 Well-Being . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.2 Invention of Alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.3 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
169 170 170 171 172 172 173 174 174 175 177 180 187
Chapter 1
Introduction
When historian Fritz Richard Stern1 turned 90 years old in February of 2016, and was asked2 how freedom is menaced at this very moment and what exactly might be a threat to today’s democracy, part of his answer was: I see the danger of stultification of people – this cannot be underestimated – the stultification including in this country. In parts because of American television, also because of social media, . . .3
1 Fritz Stern, a US historian with German roots, was born in Breslau/Germany (now Wroclaw/ Poland) on February 2, 1926 and left Nazi-Germany when he was 12 years old with his Jewish family that converted to Lutheranism. Stern studied history at Columbia University in New York. His main research focus was the cultural and political history of modern Europe, especially of Germany during the nineteenth and twentieth century, and Stern acted as advisor for US diplomats as well as for German state officials. Stern who can be seen as the most significant US historian on German history deceased in New York City on May, 18 2016; for further information on Fritz Stern, see Bauer (2020). 2 Stern was questioned on February 2, 2016 by the so-called Kulturzeit-Interview. The title of this talk was:
Was können wir aus der Geschichte lernen? (What can we learn from history?). Kulturzeit is a reputable television program in German in cooperation with Austria, Germany and Switzerland and governed by public law. 3 This part of the interview was in German and its original version reads as follows: Question: Answer:
“Was genau ist die Gefahr für die Demokratie im Moment?” (“What exactly is the threat to democracy presently?”) “Da sehe ich die Gefahr einer Verdummung der Menschen - die kann man nicht unterschätzen - die Verdummung auch in diesem Lande. Zum Teil durch amerikanisches Fernsehen, auch durch social media, . . .” (“I see the danger of stultification of people – this cannot be underestimated – the stultification including in this country. In parts because of American television, also because of social media, . . .”).
The author herself has been translating from German to English. © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 V. Kirch, Social Networks - The Modern-Day Family, https://doi.org/10.1007/978-3-030-68651-2_1
1
2
1 Introduction
Reading this interview, one might think: Given that people in countries like China are fighting for the right to have unlimited access to the world wide web,4 not only in order to have access to all kinds of information, but also—and in many cases foremost—in order to be able to share any kind of information with whomever around the globe through social media,5 how can academics—like Fritz Stern—in other countries, such as the United States of America, consider social media a threat to democracy? How is this possible? Shouldn’t a totally free internet necessarily lead to a completely transparent society? And isn’t especially social media one of the purest forms of people sharing their lives? Hence, wouldn’t this necessarily mean that social media contributes to a more open and open-minded society? As a matter of fact, today’s so-called international community wants to grow more and more close together, and it actually does on many levels.6 Thus, human interaction and conflicts are becoming somehow different to what they used to be, especially with the advent of the new communications technologies. Without doubt, one of the reasons why the phenomenon known as globalization is happening faster and faster is people’s usage of the internet and the possibilities it provides, including social media. And these new technologies have already caused tremendous changes that, consequently, must also have an impact on states’ duties and responsibilities. But what exactly is the internet? Or let’s better call it the “world wide web.” When did it start? And how? Who initiated it? And what is the status quo as of today? Overall, what about the state’s citizens? How does the internet influence their lives? And what is it that a state has to do in order to fulfill its duties and responsibilities towards its citizens? Overall, and when speaking of a state’s responsibility to prevent harm from its citizens and protect its citizen’s rights (not only in order to protect peoples’ privacy, but also to fight crimes and terrorism in order to protect peoples’ safety, well-being and lives), what is actually the government’s role? And what is it
4 The term “world wide web” will be further explained later on—especially, in the context of the term “internet”—but it should already be noted that although these two terms are often used synonymously, they are not the same as the world wide web only forms part of the actual internet. 5 In his article “China’s scary lesson to the world: Censoring the Internet works”, Washington Post (May 23, 2016), the author refers to internet censorship, over all, in China and points at a study that comes to the conclusion that in total one third of all people around the world faces heavy internet censorship. Furthermore, there is the fight of GreatFire.org, a Chinese initiative to end internet censorship in China that is quoted by Reuters, Bloomberg, Wall Street Journal, The Guardian and other media from around the world on a regular basis; see “These Activists Are Plotting To End Internet Censorship In China”, TechCrunch (May 30, 2015). To give further information, see Sun (2011). For information on how the Chinese government is involved in social media, see King et al. (2017). 6 Especially, when it comes to the political level, there is an ongoing process of growing together internationally, see, for example, Zahrnt (2016), p. 47.
1 Introduction
3
that a state has to do in the context of electronic communications and peoples’ involvement in social networks? It has to be pointed out that the average American and European spends a large amount of his or her free time surfing the world wide web, doing online shopping, getting information on almost anything he or she is interested in and, of course, being involved in social networks.7 But what exactly does this mean—being involved in or joining a social network? And what are the reasons one might have to join a social network? It can be stated that, when referring to social networks, most people today would associate this subject with “Facebook”, the most popular social network.8 There, people constantly dedicate their time to, overall, working on their profiles, adding pictures and comments, examining other people’s profiles, pictures and comments, and adding more comments or Facebook’s users, and liking certain content by making use of Facebook’s so-called “like button”.9 A study has shown that about 80.0% of people who are using a smartphone check their phone within 15 min of waking up every morning, and one can easily assume that many of these individuals are checking on their social networks.10 But why is that? And does it have any specific effects on the people who join social networks and spend their time using social networks on a regular basis? How much time does the average person spend on social networks?
7 In November of 2015, a new report—the first large-scale study involving more than 2600 teens and tweens between 8 and 18 years old in the United States—stated that the average teen in the U.S. consumes about 9 hours using media on a screen like tablets, laptops or smartphones every single day, see “Teens spend a ‘mind-boggling’ 9 hours a day using media, report says”, CNN (November 3, 2015). Furthermore, a study performed in Great Britain comes to the conclusion that the average adult spends more than 20 hours online, see “Teenagers spend 27 hours online a week online: how internet use has ballooned in the last decade”, The Telegraph (May 11, 2015). 8 According to the website of “statista”, an online statistics portal that was founded in Hamburg/ Germany in 2007, Facebook is the world’s most popular social network, see Clement (2020). See also “Most popular social networks worldwide as of July 2020, ranked by number of active users”, statistica (July 16, 2020). 9 Facebook’s like button has caused legal dispute since years already. For further information on how Facebook makes use of its like button, see Simonite (2015). See also Simonite (2012) as well as Zuboff (2019). Waldman even concludes:
It’s hard to keep anything secret these days, especially since browsing the Internet is an information sharing event. See Waldman (2018), p. 148. This number goes back to a study of the International Data Corporation, a firm founded in 1964 in the United States and, overall, providing information on “market intelligence, advisory services, and events for the information technology, telecommunications, and consumer technology markets”, see the information of the International Data Corporation (IDC) (n.d.). For further information on people’s behavior when it comes to electronic communication, see “50 incredible WiFi Tech Statistics That Businesses Must Know”, The Huffington Post (April 14, 2014).
10
4
1 Introduction
First and foremost, using social networks means an easy and fast way to communicate amongst each other. Moreover, as a matter of fact, in our society many families have been increasingly falling apart, whether due to the number of divorces in the last decades,11 or due to the fact that some family members might have been moving more frequently, so that a family does no longer live in the same place. But as the nature of humankind is considered to involve sharing one’s life with one and another by living in communities and families, a lot of people are using new technologies which can serve as a new way to stay in touch with others and family members. And some people might even try to build new families for themselves by starting to make a connection to new people in order to somehow establish a certain kind of new modern-day family.12 In doing so, many of these social network users must make use of social networks. Participating in social networks, in fact, becomes a more important part of people’s lives, no matter what particular purpose one might have when spending one’s time on a social network.13 As a result, today’s younger people are sometimes even called “generation Facebook”.14 But do social networks really play a similar role as family did before?15 And if so, is there, for instance, a family leader? Or is there anyone else who sets up certain rules for the new family members? And do social networks really provide a good
11
In 2011, the Organisation for Economic Co-operation and Development (OECD) published that, in general, there are less people getting married and those who actually enter into a marriage are more likely to end up getting a divorce, see OECD (2011), p. 23. Furthermore, especially, the so-called developed countries are more and more facing “singleparent families” because of the fact that there is an increase of divorces, see Feltey (2003). 12 In this context, thinking of a novel concept of family, one might want to point at Marshall MacLuhan and his description of a “global village” that connects people from all around the world due to new technologies and the use people make of these by communicating and sharing details of their lives amongst each other. MacLuhan was also predicting extreme stress for human beings because of the new ways of communication. For more information on the vision of Marshall MacLuhan including his image of a “global village”, see MacLuhan (1962). 13 Supra note 8. 14 As already said, for a long time, Facebook has to be considered being the most popular social network. In the following, it will be further explained who actually falls under the term generation Facebook. 15 Speaking of a “modern-day family”, it is obvious that the definition of family as one can find it in any dictionary does not apply here, but when referring to the discussed Generation Facebook, family seems to have a different meaning already. To give an example, The New York Times, in 2011, asked Students of 13 years and older: Tell us how you define “family” and why. Do you think a new definition of family is starting to emerge in our society? If so, how do you see that in your own life or community? Here are some answers: • • •
I define family as those people who you are closest with and who you can entrust with your worries, dreams, and attitudes. That is one’s true family. Relatives are not always family, and family is not always relatives. The definition of family is falling apart in my opinion. . . . My view of a family is not only my relatives, but the people closest to me. . . .
1 Introduction
5
solution to actual problems of modern society? Do they, for example, help young people really communicate their problems? Especially when it comes to teenagers who dedicate a lot of their time and energy to building their social networks profiles,16 it has to be asked if today’s younger generation still has the same needs as teenagers a generation ago. May today’s generation’s Facebook simply be channeling the exact same needs through a completely new technology that offers them new opportunities and challenges? And perhaps teenagers, as well as adults, are just doing exactly the same everyone was already doing before social networks became a new tool that quickly turned out to become a pretty big part of people’s lives? And what are the effects of social networks on their users? Are there psychological effects on the individual or even on society as a whole? Might this new technology even be changing our world more dramatically than we are actually capable to imagine at the moment? Coming back to Mr. Stern’s statement, it has to be mentioned that there have been discussions already before the last presidential election in the US on how this election could possibly be influenced by social media.17 •
Family doesn’t consist of just relatives. You can consider anyone family. Whom ever is close to you. It doesn’t matter who they are, I have best friends that I consider sisters. I think who ever you love the most is your family:). • Family, to me, denotes a body of closely related individuals, either from origin as in genetics, or through action as in revolutionary groups, that are linked by a common partnership in attaining a certain goal, namely survival. This grouping can extend to nearly any realm of life. • The definition of family to me is a group of people who truly love each other and care for you. But yes the circumstances of what family use to be is now changing into new categories of families. Family life is changing but so are people. • I define a family as a group of people who share laughter, sadness, tragedy, victory, loss, regret, happiness, and success together. A family is hard to define. Most commonly one thinks a man, a woman, and their children. Time has shown this isn’t an exact answer. Grandparents, adopted parents, cousins, aunts, uncles, and even just friends can make up a family. Family is important for individuals to lead happy lifestyles and to become satisfied with their life. See “How Do You Define ‘Family’?”, The New York Times (February 24, 2011). 16
Supra note 8. For example, Kate Crawford, a visiting professor at the MIT Center for Civic Media and a senior fellow at the Information Law Institute at NYU and principal researcher at Microsoft Research mainly focusing on social, political and cultural changes coming from humans intersecting with networked technologies and on social networks, was warning people about the power of social networks during the election campaigns in the U.S. in 2016, see Fabian Reinbold’s interview, see “Es gibt riesige ethische Fragen”, Spiegel Online (May 19, 2016). Furthermore, the discovery involving Cambridge Analytica is demonstrating how people can be influenced while they are making use of social networks. For further information, see Kaiser (2019). Cambridge Analytica was a British firm that claimed on their website: 17
We measurably improve your brand’s marketing effectiveness by influencing consumer behavior through a unique approach that blends predictive analytics, behavioral sciences, and data-driven ad tech.
6
1 Introduction
And as it becomes increasingly clear that social media now plays a big part of our world, people’s everyday lives, and today’s reality, seeming unlikely that this could change any time soon (especially, as people’s desire to communicate each and every situation, fact, and feeling through social networks seems to be already an evitable part of life), it must be asked whether this is a good development, or rather a change that has to be critically observed (and maybe somehow controlled) by state governments or any other institutions that could adopt rules and regulations concerning the use of electronic communications. It has to be pointed out that, on the one hand, social networks offer a lot of advantages and possibilities for sure. For instance, this easy and, above all, faster way of communicating makes organizing events, reaching out to a large amount of people and gathering them together much less work. To give an example, during the 2011 Arab Spring protests, news came almost exclusively through new media at that time, and social media played a major role, as news regarding the actions inside those countries were so communicated not only to the outside world, but also to the protestors within those countries, through all kinds of social media websites like Facebook.18 And some of the Spanish protestors’ actions taking place at the heart of Spain’s capital, Madrid’s Puerta del Sol, in early 2011 were also organized with the help of social networks.19 Social media can also be the beginning of building one’s business nowadays, as young people prove by leaving more conventional careers behind to follow their dreams with the help of these new technologies.20 Hence, social networks could be seen as a true step forward in order to “free” people and to protect and promote their rights, especially their human rights when it comes to self-government and self-realization. This sounds nice, but does it really reflect today’s reality? Taking another look at the effects of social networks, it has to be mentioned that, on the other hand, there can also be a negative outcome for people—especially for those who are involved in social networks on a regular basis. For example, studies show that more and more people are suffering from depression and fear regarding the future, and that this phenomenon can be connected to the use of social networks,
18
During the protests in Egypt and Tunisia in 2011, social media was crucial as activists made use of social media in order to organize these protests and even in Syria where the use of social media was considered being too risky by many protestors, the protestors were well aware of the fact that especially social media was in many cases the only way to get information out of their countries and that’s why, they were taking a risk and made use of social networks in order to spread information. For further information, see “Social media: a double-edge sword in Syria”, Reuters (July 13, 2011). 19 For example, several groups of Spanish citizens across the country made use of social networks like Facebook in order to reach protestors and even the organizers of these protests were caught by surprise when tens of thousands of people actually showed up in cities like Madrid or Barcelona, see “Thousands of Spaniards call for economic reform in new protests”, CNN (June 19, 2011). To get an overview of the events in Spain during 2011, see “‘Spanish Revolution’ of 2011 Explained”, The Huffington Post (May 25, 2011, updated on July, 25 2011). 20 To give an example, there is Jennifer Palpallatoc and her blog www.hauteofftherack.com. For further information on Jennifer Palpallatoc, see “Jennifer Palpallatoc Leaves LSU Behind to Take on the Fashion World”, Nolawoman (2012).
1 Introduction
7
wherea “perfect” image is constantly created by users, which can notably lead to the stress and/or disappointment of both the posting and reader users.21 Furthermore, there have been various cases of persons, especially children or teenagers, being successfully mobbed and deeply traumatized by others, normally anonymous individuals who are hard to identify in the world wide web, but who are posting bad, insulting, and often false comments about them through social networks, where almost everybody is able to read about and follow it.22 This leads to the question of what can these people do. To whom should they turn? What happens if a certain social network is not able or willing to do anything against such kinds of abuse, especially taking into account that social networks themselves might constitute people’s new, modern-day families? Who is this family leader and is he, she, or it supposed to create certain rules and standards? Should one only rely on the social network itself? And what about the governments’ role? Isn’t it a state’s duty to protect its citizens’ integrity, especially if social networks fail? And isn’t it a government’s responsibility to intervene in social networks due to the fact that social networks’ effects can even go far beyond its individual users and rather have an impact on other parts of a state’s community? To give an example of how user activity on a social network can have a direct impact on a state itself: There have been so-called “Facebook parties” announced throughout Facebook, willingly or by accident, that have cost the state—in this case, Germany—a large amount of money, because instead of a small number of guests showing up, thousands of people have, so that not only police officers, but also a large number of cleaning staff have been needed to resolve the chaos caused by such large numbers of people.23 Also, individuals are often voluntarily spreading information about themselves on the world wide web and, once the information is out, they can never (or, at least, not totally or easily) be erased.24 And that might, consequently, cause problems for these
21
There has been an experiment done by Facebook and it was published in 2014 which proves the fact that the use of Facebook can influence people’s mood, see “Teenage mental-health crisis: Rates of depression have soared in past 25 years”, The Independent (February 27, 2016). See also “Does quitting social media make you happier? Yes, say young people doing it”, The Guardian (September 21, 2016). 22 To give an example, there is the tragic story of the 12-year-old Floridian Ann Sedwick who was cyberbullied by lots of people and apparently committed suicide, see “When Cyberbullying turns into Cyber-Mobbing: Death by Suicide”, The Huffington Post (September 29, 2013). A publication of the German university Eberhard Karls Universität Tübingen gives an insight on cyber-mobbing with more detailed facts—there, one can, for instance, find a graphic that shows statistics of how many teens know victims of cyber-mobbing, see Weiler (2010), pp. 24 and 25. For further informations, see also “Cyber Bullying Statistics” (2020). 23 To give an idea of how the administrative practice regarding the costs of police intervention and services is handled in Germany, see Hohmann (2016). See also “Polizei und Facebook-Partys – Angst vor dem Klick”, Spiegel (August 16, 2012). 24 See “The Web Means the End of Forgetting”, The New York Times (July 21, 2010).
8
1 Introduction
people throughout their whole lives—for example, in finding employment, getting admitted to institutions, presenting themselves in a new light and so on. And as a result, the so-called “gläserne Mensch”25 could become a true reality at a certain point. And this might facilitate social goals such as crime control, but it would also remove sought-after islands of privacy. And not to mention the fact that information posted on social media and controlled by the particular social network could be a huge influence on people’s opinions—especially taking in mind that the particular social network could decide and control what kind of news can be posted and will be available for its users.26 As mentioned above, there have been discussions on how the 2016 presidential elections in the United States might have been decided or, at least, influenced by social media.27 So, what exactly should or must a state do? Should the state, which traditionally plays the major role both domestically and internationally when building and shaping the law and establishing certain standards in order to promote and protect human rights, react to the problems arising from social networks? And if so, what kind of interference of state authorities would be suitable? When looking at these issues from a human rights perspective, bearing in mind the fact that human rights should be considered increasingly important these days, the question arises whether there might not only exist a need, but rather a duty, of states to intervene, including limiting their citizen’s liberties and rights when it comes to social networks. Or should social networks just remain exactly as they are? And do they really represent freedom? Or do social networks rather lead to certain limitations? No matter what answer one might find to all these questions, after all, it is pretty clear that, as of today, social networks form a fundamental part of many people’s lives and there remain many questions when it comes to the protection of the individual’s rights. Is there, for example, an individual right to privacy? Or a right to access information? And what about the so-called “right to be forgotten”? Would such a right be even technologically feasible? It can be assumed that there will be many more issues arising in the near future as our so-called Facebook generation is still a quite new phenomenon. Therefore, in what follows, I take a closer look at the basic facts regarding social networks (the effects and consequences of social media usage) in order to identify, discuss, and try to prevent problems resulting from social networks, as well as find
The “gläserne Mensch” is a German expression referring to the individual being completely exposed and transparent due to the constantly advancing modern technologies that are spying on people. 26 See “Facebook news selection is in hands of editors not algorithms, documents show”, The Guardian (May 12, 2016). The article refers to Facebook’s internal guidelines that were leaked and it describes the human intervention when it comes to almost any operation regarding news via Facebook. 27 Supra note 17. 25
1 Introduction
9
suitable solutions to these problems. In the end, the focus will be on privacy and data protection. By doing so, the “New Haven Approach” will be used—a detailed problem and policy-oriented analysis aiming to strengthen a public order of human dignity developed by the so-called “policy-oriented jurisprudence”.28 I remember that when I started this manuscript and visited New Haven, a Professor at Yale School of Law asked me why I would like to follow the New Haven Approach instead of using any other more often followed or more wellknown that might also better serve me in academia. At that very moment, I remembered what another great professor once told me. Like me, he had come from a country where civil law—meaning written law that finds its base in legal codes—is the true basis to decide cases and was just blown away by learning about this approach. According to him, and also to my very own experience, New Haven was a liberation from the straitjacket of legal positivism.29 To give an idea of what the New Haven School of Jurisprudence (founded by Myres Mc Dougal and Harold D. Lasswell) is, it must first be noted that it can be considered one of the most innovative approaches to law from the twentieth century.30 By defining law as a process of authoritative and controlling decisions over time, sought in order to promote and establish a public order of human dignity, this School is different from other approaches to law. The New Haven School of Jurisprudence is, for example, different from classical positivism. In contrast to classical positivism, which is based on written law and past decisions, the policyoriented approach does not only include past rules and regulations, but also other components which must be borne in mind in the decision-making process—for instance, socio-political, scientific, or philosophical ideas, the so-called conditioning factors of the decisions regarding a particular problem.31 According to Professor Wiessner: within that process, the lawmaking function is essentially a process of communication focusing on messages of policy content, i.e., decisions, sent by persons with authority within a certain community to members of that community, messages backed up by a threat of severe deprivation of values or a high expectation of indulgences or benefits.32
The New Haven School of Jurisprudence is, therefore, a theory of interdisciplinary research in pursuit of a solution to a societal problem, an innovative and much 28
McDougal et al. (1967), p. 253; Lasswell and McDougal (1992). Wiessner (1999), p. 203. Professor Dr. iur. Siegfried Wiessner is overall the founder and director of LL.M. and J.S.D. Program in Intercultural Human Rights at St. Thomas University School of Law in Miami, Florida after passing the First and the Second State Examination in Law in Germany and receiving his Master of Laws (LL.M.) degree from the Yale Law School as well as his Doctorate in Law (Dr. iur.) from the University of Tübingen. For further details on Professor Wiessner, see the information of St. Thomas University School of Law (STU) (n.d.). 30 See generally Reisman et al. (2009), pp. 575–582. 31 Wiessner (2010a, b), pp. 22 and 23. 32 Wiessner (2009), pp. 525 and 526. 29
10
1 Introduction
more open-minded approach to law.33 And it has to be taken in mind the simple fact that in real life, one always prefers to look at the social consequences and outcome of a rule, or a law rather than the isolated legal framework itself as these consequences are much more important to the people affected by a rule than the rule itself. Or, as Michael Reisman once stated: Because the New Haven’s goal is understanding and influencing decisions in ways that will precipitate desired social outcomes, the what of inquiry is necessarily broader than the what of conventional analysis.34
Although policy-oriented jurisprudence was critically discussed by many positivists, especially in its beginning,35 its idea that law should serve the human being is a very enlightened understanding of law. And it was, therefore, more and more relied on. To give an example, in the last “Report of the United States of America submitted to the U.N. High Commissioner for Human Rights in Conjunction with the Universal Periodic Review, 2010”, the New Haven Approach can be found on page 4 (number 9).36 The goal of the New Haven Approach lies in finding an answer to actual problems, and searching for the best solution regarding a public order of human dignity in order to address the maximum number of human beings.37 Besides, it must be pointed out that the New Haven Approach especially pays attention to the eight values of a world order of human dignity that are reflected in different articles of the 1948 Universal Declaration of Human Rights38—affection, enlightenment, power, rectitude, respect, skill, wealth and well-being.39 Thus, according to the New Haven School of Jurisprudence, the term human rights could be defined as an authoritative and controlling response by the international decisionmaking process relating to claims of human beings in order to protect and strengthen specific values.40 After all, it can be said that policy-oriented jurisprudence, when it was founded, was the answer to a new and since long-needed way to effectuate the
33
See supra note 28, id. Reisman (2004), p. 4. 35 Wiessner (2010a, b), p. 46. 36 See United Nations Universal Periodic Review, Report of the United States of America Submitted to the U.N. High Commissioner for Human Rights In Conjunction with the Universal Periodic Review (2010), p. 4. 37 Reisman (2004), p. 5. 38 Universal Declaration of Human Rights, G.A. Res. 217 (III) A U.N. Doc. A/RES/217(III) (Dec 10, 1948) [hereinafter UDHR]. Article 1 of the UDHR provides that: 34
All human beings are born free and equal in dignity and rights. They are endowed with reason and conscience and should act towards one another in a spirit of brotherhood. 39
These eight values were detected by the three Professors Myres S. McDougal, Harold D. Lasswell and Lung-chu Chen. See McDougal et al. (1980). See also Wiessner and Willard (2004), p. 30. 40 For another definition of the term human rights, see Kirch (2008), p. 703. In addition, Professor Wiessner describes human rights as “at their innermost core, collectively enforced stop signs against the violations of the weak, the vulnerable, the few, the hated, the powerless, the oppressed.”, see Wiessner (2006), p. 1.
References
11
international protection of human rights—“the principle that an ideal legal order should allow all individuals, and particularly the weakest among them, to realize themselves and accomplish their aspirations.”41 Accordingly, this book will follow the New Haven School of Jurisprudence techniques in the analysis of possible and recommended solution, the so-called “five steps of procedure”:42 1. Goal Clarification—delimitation of the problem: What is the specific problem concerning social networks and, over all, human rights issues? 2. What are the conflicting claims and who are the claimants? 3. Trend and Factor Analysis: What were past trends in decisions and their factors? 4. Predictions: What will future decisions be like? 5. Appraisal, Invention of Alternatives and Recommendations: How are past and future decisions to be evaluated against the goals of a public order of human dignity? What are possible solutions? And which one would be the best regarding a public order of human dignity in order to address the maximum number of human beings? Summing up, in developing the concept of social networks, arising problems will be exposed through a human rights perspective and the focus will be on the discussion of whether the involvement of the state is needed in order to protect and promote an order that allows human beings to flourish. A law is to serve human beings, not the other way around, it ought to maximize access by all to the processes of shaping and sharing access to all things humans value in life, for example the eight values mentioned above. Such a law would approximate the goal of a world order of human dignity.
References Bauer P (2020) Fritz Stern. German-born American historian. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www.britannica.com/ biography/Fritz-Stern. Accessed 22 Nov 2020 Bullying Statistics (2020) Anti-bullying help, facts, and more. http://www.bullyingstatistics.org/ content/cyber-bullying-statistics.html. Accessed 22 Nov 2020 Clement J (2020) Global social networks ranked by number of users 2020. Statistica, Berlin. https:// www.statista.com/statistics/272014/global-social-networks-ranked-by-number-of-users/. Accessed 22 Nov 2020 Feltey K (2003) Single-parent families. In: Ponzetti J (ed) International encyclopedia of marriage and family, 2nd edn. Macmillan Reference USA, New York City, pp 1515–1523 Hohmann I (2016) Facebook-Partys und Sicherheitsrecht. In: Peter Lang International Academic Publishers (ed) Europäische Hochschulschriften Recht, vol 5885. Peter Lang Publishing, New York
41 42
Wiessner (2009), p. 531. Reisman (2004), p. 7.
12
1 Introduction
International Data Corporation (IDC) (n.d.). https://www.idc.com/about. Accessed 22 Nov 2020 Kaiser B (2019) Targeted. The Cambridge Analytica whistleblower’s inside story of how big data, Trump, and Facebook Broke Democracy and how it can happen again. Harper, New York City King G, Pan J, Roberts M (2017) How the Chinese government fabricates social media posts for strategic distraction, not engaged argument. Am Polit Sci Rev 111:484–501 Kirch W (ed) (2008) Encyclopedia of public health, vol 1. Springer, Dordrecht Lasswell H, McDougal M (1992) Jurisprudence for a free society. Studies in law, science, and policy (2 vols). Martinus Nijhoff, Leiden MacLuhan M (1962) The Gutenberg Galaxy. University of Toronto Press, Toronto McDougal M, Lasswell H, Reisman W (1967) The world constitutive process of authoritative decision. J Legal Educ 19:253 McDougal M, Lasswell H, Chen L (1980) Human rights and world public order: the basic policies of an international law of human dignity. Yale University Press, New Haven OECD (2011) Families are changing. In: OECD (ed) Doing better for families. Available via OECD https://www.oecd.org/els/soc/47701118.pdf. Accessed 22 Nov 2020 Reisman W (2004) The view from the New Haven School of International Law. In: Reisman W, Arsanjani M, Wiessner S, Westermann G (eds) International law in a contemporary perspective, 2nd edn. Foundation Press, Eagan Reisman W, Wiessner S, Willard A (2009) The New Haven School: a brief introduction. Yale J Int L 32:575–582 Simonite T (2012) What Facebook knows. MIT Technology Review, Cambridge Simonite T (2015) Facebook’s like buttons will soon track your web browsing to target ads. MIT Tech Rev. Available via EFF https://www.eff.org/mention/facebooks-buttons-will-soon-trackyour-web-browsing-target-ads-0. Accessed 22 Nov 2020 St. Thomas University School of Law (STU) (n.d.). https://www.stu.edu/law/faculty-staff/faculty/ siegfried-wiessner/. Accessed 22 Nov 2020 Sun H (2011) Internet policy in China. A field study of Internet Cafés. Lexington Books, Lanham United Nations Universal Periodic Review, Report of the United States of America Submitted to the U.N. High Commissioner for Human Rights In Conjunction with the Universal Periodic Review (2010). https://www.state.gov/universal-periodic-review/. Accessed 22 Nov 2020 Universal Declaration of Human Rights, G.A. Res. 217 (III) A U.N. Doc. A/RES/217(III) (Dec 10, 1948) [hereinafter UDHR]. https://www.ohchr.org/EN/Library/Pages/UDHR.aspx. Accessed 22 Nov 2020 Waldman A (2018) Privacy as trust. Information privacy for an information age. Cambridge University Press, Cambridge Weiler E (2010) Cyber-mobbing. In: Tübingen E, Tübingen K (eds) Mobbing und cyber-mobbing an Beruflichen Schulen. Problemlagen und Interventionsmöglichkeiten. Books on Demand GmbH, Norderstedt Wiessner S (1999) Professor Myres Smith McDougal: a tender farewell. St Thomas Law Rev 11:203 Wiessner S (2006) Dedication. Intercultural Hum Rights Law Rev 1:1–4 Wiessner S (2009) Law as a means to a public order of human dignity: the jurisprudence of Michael Reisman. Yale J Int Law 525(526):34 Wiessner S (2010a) Michael Reisman, human dignity, and the law. In: Arsanjani M, Cogan J, Sloane R, Wiessner S (eds) Looking to the future. Essays on international law in honor of W. Michael Reisman. Brill, Leiden Wiessner S (2010b) The New Haven School of Jurisprudence: a universal tool-kit for understanding and shaping the law. Asia Pacific Law J 18:46 Wiessner S, Willard A (2004) Policy-oriented jurisprudence. In: Reisman W, Arsanjani M, Wiessner S, Westermann G (eds) International law in a contemporary perspective, 2nd edn. Foundation Press, Eagan Zahrnt V (2016) Die Zukunft Globalen Regierens. Herausforderungen und Reformen am Beispiel der Welthandelsorganisation. De Gruyter, Berlin Zuboff S (2019) The age of surveillance capitalism. The fight for a human future ate the new frontier of power. Public Affairs, New York
Chapter 2
Delimitation of the Problem
Following the New Haven School of Jurisprudence’s five steps as described during this paper’s introduction, the problem to be discussed must first be delimited.1 So, what is the specific problem concerning social networks? Is it over all privacy and data protection? And could other human rights issues also come into play? In order to explore the subject of social networks and point out the problem that should be further discussed, a basic description of the world wide web as well as the most important facts regarding social networks have to be given and the so-called Facebook Generation as well as data gathered and processed through social networks have to be explained and, in the end, those concerns that arise from social networks have to be exposed. While doing so, questions will arise and should be answered. For example, when speaking of the development as well as the current situation concerning social networks one might ask the following: How did these networks get started? Which one was the first social network? How did social networks develop? And what is today’s situation? How many persons are currently joining social networks? How much time do they spend on these platforms? And what are exactly their activities or purposes while using these services? Besides, are there psychological effects social networks might have
1 In order to give more detailed information on the New Haven School of Jurisprudence, see Reisman et al. (2007), pp. 575–582 as well as Wiessner (1999), p. 203 and Lasswell and McDougal (1992). It has to be noted once again that the New Haven Approach especially pays attention to the eight values of a world order of human dignity that are reflected in different articles of the 1948 Universal Declaration of Human Rights meaning “affection, enlightenment, power, rectitude, respect, skill, wealth and well-being”, see McDougal et al. (1980). See also Wiessner and Willard (2004), p. 30, and Wiessner (2010), p. 46. For further information on the New Haven Approach, its beginnings and vision, see Chap. 1.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 V. Kirch, Social Networks - The Modern-Day Family, https://doi.org/10.1007/978-3-030-68651-2_2
13
14
2 Delimitation of the Problem
concerning its users? And are there maybe financial benefits a person might have because of social media? After all, what are the pros and cons for social networks? Furthermore, when speaking of the term “Facebook Generation”, who falls under this term? And what are the reasons for joining social networks for a member of the Facebook Generation? Which ones are the most frequented social networks amongst the Facebook Generation? And what happens to a person who is using social networks not just frequently, but literally all the time? Are the members of the Facebook Generation just doing what everyone else was doing in former times and before social networks became part of people’s everyday life? Especially when it comes to teenagers, do today’s teens still have the same needs as teenagers growing up without any social media? And if so, are today’s teens just channeling their needs through a new technology with new opportunities? Are there possible effects of social networks on its users? Are there psychological effects on the individual or even on the society as a whole due to the existence of social networks and the role social networks play today in the individual’s life? After all, might this new technology be changing our world more dramatically than we presently think? Moreover, when it comes to data gathered and processed through social networks, where does this data come from? How did this data flow develop? Are different categories of data? And do we know the amount of data that is produced in the context of social networks? But more important, what kind of data do social networks gather and process? And most important, how can social networks make use of the data retrieved from their users? And how can a user have an impact on the usage of his or her own data? Besides, who might be interested in the data? And why is that? How is the data and its gathering and processing controlled? Over all, who might have the right to use, sell or work with the data gathered and produced in social networks? In addition, while focusing on privacy concerns arising from social networks, the concept of privacy has to be developed which will lead to questions such as: When and how was the concept of privacy developed? Did it change over time? And what does it include nowadays? What are the differences from country to country or culture to culture? And what are the reasons why some countries might be treating privacy differently than other countries? And what about privacy in the context of globalization and new technologies, as well as terrorism? What about the concept of privacy when it comes to the world wide web? Overall, what about privacy particularly concerning social networks? Why are there any concerns, at all, if people share and give away their information voluntarily on social media? And does is make any difference if one spreads one’s information throughout social networks in contrast to any other situation when people expose their personal details voluntarily—for example, in a conversation one has with someone he or she meets while crossing a street? And if there is a difference, what exactly makes this difference? Could it be possible that there is a real threat to privacy nowadays? Could the concept of privacy even only exist on paper any longer, so that privacy has been banned from people’s real lives already a long time ago? How much privacy would be still left then?
2.1 Understanding the Internet
15
In order to get started, it is essential to give a brief idea of the internet.
2.1
Understanding the Internet
First of all, it is important to explain what the term “internet” actually means. Is there a clear definition for that term? And why is internet not equal to the term “world wide web”? How is the internet’s architecture actually? What is its history? Who started the internet and where, when, how and why? And what about today’s situation? What does “internet governance” mean? Are there policies, norms, principles, rules or regulations that regulate the use and further development of the internet? Over all, who are the ones in charge of shaping today’s internet? What about states or the EU? Do they have an impact on or do they actually rule today’s internet? Who exactly does what meaning who assigns and maintains the internet? And what can be assigned or has to be maintained in particular? Maybe so-called domains? And who repairs and maintains, for example, internet routers? So, in order to give some explanations, it has to be noted that although the terms “internet” and “world wide web” are often used synonymously, they are not the same, as the world wide web only forms part of the actual internet and it is where one can find pictures, texts videos and audio files as well as a bunch of other information, but it is only one of many server collectives of the internet. Other services that are not part of the world wide web but are of the internet are, for instance, Emails or Chats.2 The internet is also older than the world wide web, as its beginning goes back to the 1970s,3 but the fact that the internet became part of most people’s lives nowadays is due to the world wide web.4 2
For further information on the technical side of the world wide web and how it started, see Wilde (1999). In order to get an overview of the current situations and latest trends of the internet development around the globe, one should take a look at the Fifth World Internet Conference, see Chinese Academy of Cyberspace Studies (2020). See also Sunyaev (2020). 3 The world wide web was actually started 25 years ago—on April 30, 1993 to be exact—and one can say that it opened a gate to a whole new world. In contrast, the internet’s beginning dates back to the 1970s. The Encyclopaedia Britannica describes the internet as: a system architecture that has revolutionized communications and methods of commerce by allowing various computer networks around the world to interconnect. Sometimes referred to as a “network of networks, the Internet emerged in the United States in the 1970s but did not become visible to the general public until the early 1990s. By the beginning of the 21st century, approximately 360 million people, or roughly 6% of the world’s population, were estimated to have access to the Internet. 4
For further information on the internet, see Dennis (2020b). For more details on the world wide web, see Augustyn et al. (2020c).
16
2 Delimitation of the Problem
In what follows, it will be explained why that is. The internet being a gigantic network consisting of a large number of computers in countries all around the world that are connected with each other, over all, via cables and satellites, leads to more than 3 billion people using it presently.5 This means that, at least, 10 out of 100 people have access to the internet as of today. But as mentioned above, the internet itself is mostly only this gigantic network, meaning computers and the connecting cable or other lines. So, in order to actually make use of the internet, one needs certain programs, and this is when the world wide web comes into play, being the most important program of the internet besides Email6 or Chat.7 Because the world wide web consists of many webpages written with hypertext markup language (HTML), a programming language, the webpages are automatically interconnected to each other via so-called links.8 Hence, this
5
The online statistics portal “statista”, founded in Hamburg/Germany in 2007, states: With over 2.7 billion monthly active users as of the second quarter of 2020, Facebook is the biggest social network worldwide. In the third quarter of 2012, the number of active Facebook users surpassed one billion, making it the first social network ever to do so. Active users are those which have logged in to Facebook during the last 30 days. During the last reported quarter, the company stated that 3.14 billion people were using at least one of the company’s core products (Facebook, WhatsApp, Instagram, or Messenger) each month.
See “Facebook: number of monthly active users worldwide 2008–2020”, statista (August 10, 2020a). For further information on how the total number of active Facebook monthly developed globally between 2008 and 2020, see “Number of monthly active Facebook users worldwide as of 2nd quarter 2020”, statista (July 2020). Besides, according to statista, Facebook remains the world’s most popular social network, see “Global social networks ranked by number of users 2020”, statista (August 21, 2020b). See also “Most popular social networks worldwide as of July 2020, ranked by number of active users”, statista (July 2020). At least for now, Facebook remains the most frequented social network and it has to be seen whether in the near future, other social networks might overtake Facebook—especially, as the younger generation seems to be no longer as interested in Facebook as people were in former times, but this generation rather turns to other social networks like, for example, Instagram, SnapChat or TikTok. 6 According to the Encyclopaedia Britannica, Email means “in full electronic mail, messages transmitted and received by digital computers through a network. An e-mail system allows computer users on a network to send text, graphics, and sometimes sounds and animated images to other users”, see Augustyn et al. (2020a). 7 It has to be noted that besides, so-called “chatting”, there is also “Instant messaging”. The Encyclopaedia Britannica describes it as follows: Instant messaging (IM), form of text-based communication in which two persons participate in a single conversation over their computers or mobile devices within an Internet-based chatroom. IM differs from “Chat,” in which the user participates in a more public real-time conversation within a chatroom where everyone on the channel sees everything being said by all other users. See Larson (2020). 8 It has to be noted that the harmonization of technical standards was necessary during the process of the installation of the internet worldwide, or as Professor David Singh Grewal says:
2.1 Understanding the Internet
17
formatting system that is designed in order to display any graphics, audio files and texts on a computer screen, leads the user of the world wide web to being able to “surf the web” so easily. Due to HTML a user only has to click on a link and is automatically brought from one webpage to another. As a result, the world wide web was used more and more and this way, at the same time, the internet that only became that famous because of the success of the world wide web.9 But how exactly did the internet itself get started? And who was the one initiating the world wide web? When it comes to the history of the internet, one could say that it reflects the trajectory of the United States during the Cold War period.10 Until the Second World War, nothing was invented yet that could be compared to what a computer is as we know it today.11 However, there were devices that allowed multiple calculations at the same time. And in the late 1930s, Howard Hathaway Aiken started to design such a machine.12 His analog mechanical computer could be seen as marking the
The harmonization of existing technical standards, and standardization in emerging fields, are essential for the spread of compatible technologies and products—in short, for ‘technical progress’. See Grewal (2008), p. 195. Besides, in the process of standardization, history as always plays in important role in order to achieve an agreement. See McDougal et al. (1967). See also Lasswell et al. (1994), p. 3. For further information on hypertext markup language (HTML), HTML, see Hemmendinger (2020). 9 It has to be remembered that, especially in the 1990s, more and more Universities started to use the world wide web in order to publish their information and also companies began to do the same. Because of the fact that during that time, the world wide web consisted mostly of simple text and only a few links, the world wide web was pretty easy to handle, although it was not yet fast and nothing compared to what it is today. Nevertheless, little by little, also private individuals started to access the world wide web and this way, the world wide web actually brought the internet into private households. 10 Balleste (2015), p. 11. Roy Balleste states that: Beginning around 2001, however this powerful tool began to benefit from the valuable input and collaboration of other nation. Today, the internet is a network formed by millions of servers and computers worldwide, all sharing data with one another. 11
Id. at 9. Howard Hathaway Aiken (1900–1973) was an American physicist who got his Master’s degree as well as his doctorate in physics from Harvard University and is best known for his invention of an automatic calculating machine, the so-called Mark I. For further information on Howard Hathaway Aiken, see “Howard Hathaway Aiken”, The Association for Information Science and Technology (2020). Furthermore, it has to be noted that Aiken’s project was funded by the International Business Machines Corporation (IBM) and Harvard University. See Ifrah (2002), pp. 211–212.
12
18
2 Delimitation of the Problem
beginning of the era of analog computers,13 especially, as these became the latest in technology back then.14 While the technology of computers was evolving in the following years, after the Second World War, since the 1950s and during the time of the Cold War, the United States founded an institution called Advanced Research Projects Agency (ARPA).15 ARPA was installed in order to fund universities and other institutions to do research, especially as the Soviet Union had already been launching the first satellite (called “sputnik”).16 The agency was founded in 1958 and linked to the Ministry of Defense. ARPA was supposed to develop technologies and projects that could be useful in the military field.17 While getting started with its work, very fast, it became clear to the employees of ARPA that computers would play an important role in the future,18 although computers were not only extremely big, heavy and expensive, but also research on them was not really communicated amongst the different groups of people that were performing studies on them.19 Therefore, ARPA created a computer network called Advanced Research Projects Agency Network (ARPANET)20 that was supposed to connect all those researchers who were already involved in the
13
Rather than being electric, the Mark I was electromechanical and not only because of the fact that this device was capable of solving nearly all mathematical problems, but also because the Mark I was made available also to anybody outside of the US government, it can be considered being an important step in the development of computers. Id. 14 Supra note 10, at 9–10. 15 The Advanced Research Projects Agency (ARPA), also later on called Defense Advanced Research Projects Agency (DARPA), is different to other organizations linked to the Department of Defense as this agency neither owns research facilities or laboratories nor has it lots of permanent staff, but rather assigns eminent scientists as project managers to specific research projects shortterm. For more information on the Advanced Research Projects Agency (ARPA), see Dennis (2020a). 16 Not only did the Unites States not have a satellite at that time yet, but also had nobody in the United States been thinking that the Russians would achieve to place the very first satellite. Id. Hence, it becomes clear that the Cold War did not only take place in politics, but also when it came to innovative technologies, science and research. 17 Supra note 15. 18 Overall the psychologist Joseph Carl Robnett Licklider forecasted that the use of computers would have to become an extension of the human being. See Hafner and Lyon (1998), p. 27. For more information on Joseph Carl Robnett Licklider, see Augustyn et al. (2020b). 19 Supra note 15. 20 The Advanced Research Projects Agency Network (ARPANET) was an experimental computer network and is being considered being the final product of an era of great developments in computer-communications that were fueled by the constant threat of the Soviets attacking the United States during the Cold War. ARPANET is also being considered the precursor of the internet. For further information on ARPANET see Featherly (2020a). There, it is said: The end of ARPANET’s days arrived in mid-1982, when its communications protocol, NCP, was turned off for a day, allowing only network sites that had switched to Cerf’s TCP/IP language to communicate. On January 1, 1983, NCP was consigned to history, and TCP/IP began its rise as the universal protocol.
2.1 Understanding the Internet
19
field of computer technology.21 In its beginning in 1969, ARPANET consisted of only four computers that were located in four different cities within the United States,22 but little by little, more and more computers were added to the ARPANET. Furthermore, there were similar networks built in Europe, too, so that by the late 1970s England and France also achieved to have their own networks that were connecting computers within their countries’ territories.23 It was in the early 1980s that people working for ARPA decided that it would be a step into the right direction if they tried to connect all the existing computers including those oversees. That is why, all the necessary measurements were taken and in 1982, after a long way of research trying to develop and establish the best technology in order to be permanently used when transmitting information from one computer to the other, ARPANET was converted to Transmission Control Protocol/Internet Protocol (TCP/IP), a new standard that allowed any computer worldwide to join the ARPANET.24 In the end, this way, the so-called Interconnected Networks, commonly known as the “internet”, came to life.25 How exactly did this happen? And who initiated the world wide web? It all began with one of the experts in the field, Timothy John Berners-Lee.26 Berners-Lee was driven by the question of whether a computer could be programmed such that it could link different information together the same way as the human brain does. During college, when Berners-Lee was studying Physics, this question led to building his own very first computer.
21 When it comes to the idea of connecting the computers, it has to be noted that the successor of Joseph Carl Robnett Licklider who was Ivan Sutherland had been choosing Robert Taylor to be the director of the Information Processing Techniques Office (IPTO) at ARPA at that time. Robert Taylor was the one who made the suggestion to connect all the computers in his department to one another. This way, the idea of connecting different devices was born. See supra note 10, at 12. 22 These first four computers were only able to exchange information amongst the four of them. For more information on Robert Taylor, see Featherly (2020b). 23 Not only countries within Europe, but also other countries far away from Europe—for example, Canada—had been establishing their own networks during that time. 24 Transmission Control Protocol/Internet Protocol (TCP/IP) means “standard Internet communications protocols that allow digital computers to communicate over long distances”, see Featherly (2020c). The most common application for TCP/IP might be the Domain Name System (DNS) as it can be seen as the foundation of the internet, in order to better understand the hierarchy of the internet as well as the subject of control of the internet where the DNS plays on important role, see Stallings (2007), pp. 25, 775, 777, 781. For more information on how it came to TCP/IP as well as what exactly this standard consists of and how it works, see supra note 10, at 11–19. 25 As it was pretty difficult to understand and not very easy to manage, mostly experts and scientists in this field were using the internet at that point, but soon after, the world wide web came to life and this way, as already pointed out, the internet became accessible for anyone. For an overview of events and people who were involved in the process of initiating the internet’s present success, see “How the Web was Born”, Vanity Fair (January 7, 2009). 26 Timothy John Berners-Lee was born in one of London’s suburbs in 1955 as the son of two mathematics. Both his parents were working on building a computer for a British firm. The question that Berners-Lee’s father was already addressing at that time was whether a computer would, like the human brain, be able to link certain information to each other. For more detailed information on Timothy John Berners-Lee, see Dennis (2020c).
20
2 Delimitation of the Problem
After graduating from university and working as a consultant for a British telecommunication firm, in 1981, Berners-Lee spend a couple of months at the European Centre of Nuclear Research (CERN).27 During that time, he wrote the computer program “Enquire,”28 and in 1989, Berners-Lee requested CERN to start a project called “world wide web”. It has to be noted that this way, in quite a short period of time, the world wide web’s first web browser and sever were created, so that in 1990 the world wide web was officially born.29 Since then, Berners-Lee has been constantly working on improving the world wide web as his vision was to create a totally free world wide web and that is why, he never wanted to have his invention to be patent-registered.30 But how does the world wide web actually work? In the following, a short explanation should help to, at least, give an idea of how a website comes to life: First of all, it is clear that any computer is just part of a network. If the computer has access to the internet and must be connected to it, a modem is usually necessary that gets in touch with a provider and connects the computer to this provider. The provider gives every computer a so-called IP-address, so that it is able to recognize any computer as soon as data is retrieved from the internet. Thus, if the user of a computer searches for a specific website, the provider sends the data to a database, the so-called Domain Name System (DNS). This database is able to connect the computer’s IP-addresses to websites as the IP-address is sent back to the provider. This way, it can be seen if a webpage was already requested several times by a particular IP-address, and a copy of that page would be saved by the server, so that this webpage could always be shown easily and fast over and over again. No connection to the server where the particular webpage is located is necessary in this case. Otherwise, a connection with the server is mandatory and so-called routers are the ones in charge of connecting the computer to the server as fast as possible. As soon as the computer’s request reaches a sever, this server sends the data back to a provider and the provider transmits it to a computer. And this is basically what happens every time a user requests a website or clicks on a link.31 27
The European Centre of Nuclear Research (CERN) is an international scientific organization with its headquarters in Geneva/Switzerland that was founded in 1954 in order to do collaborative research of a “pure scientific and fundamental character” in the field of physics. Article 2 of the CERN Convention states that it “shall have no concern with work for military requirements and the results of its experimental and theoretical work shall be published or otherwise made generally available.” See Sutton (2020). 28 See supra note 26. It has to be noted that Enquire was the basis of what became the world wide web. 29 Abbate (1999), p. 214. 30 Supra note 10, at 19, 20. In order to give a more detailed overview on innovations in technology that made the internet and worldwide web possible, see National Research Council (1999), pp. 169–183. 31 For more detailed information, see “Hintergründe erklärt: Das passiert beim Öffnen einer Webseite”, Computerbild (August 2, 2015). See also Mandl (2019).
2.1 Understanding the Internet
21
It has to be noted that, as of today, the world wide web has been shaping and changing the world dramatically. 25 years ago, firms like ExxonMobil32 were the most valuable companies in the world and ruled the stock market, whereas nowadays, firms like Apple, Google, Amazon, Microsoft or Facebook are the leading firms on the stock market and Wall Street.33 As a result of the spread of the world wide web around the globe and its constant improvement,34 things have been shifting35 and values exchanged. One could say that, nowadays, the new currency of most value is the collection of personal data of individuals who are making use of the internet.
32
ExxonMobil describes itself as the following: Over the last 135 years ExxonMobil has evolved from a regional marketer of kerosene in the U.S. to the largest publicly traded petroleum and petrochemical enterprise in the world. Today we operate in most of the world’s countries and are best known by our familiar brand names: Exxon, Esso and Mobil. We make the products that drive modern transportation, power cities, lubricate industry and provide petrochemical building blocks that lead to thousands of consumer goods. See “Our history”, ExxonMobil (September 4, 2018).
33 Not only due to the coronavirus pandemic, tech companies have been overtaking former leaders at the Wall Street, this shift happened already years ago. In order to get an overview of who was leading the U.S. stock market in 2017, see “The 30 Largest Companies on the Stock Market”, The Motley Fool (December 5, 2017). 34 It has to be remembered that not only was the world wide web during its beginnings not accessible in as many parts of the world as today, but also was it pretty slow when it first started. 35 For instance, people started to do their shopping online and bought more and more things using what the world wide web had to offer. To give a more specific example, in the year 2000, people in the Federal Republic of Germany made purchases online that were worth about 1 billion euros while 17 years later, Germans purchased for more than 58 billion euros making use of the world wide web. These numbers are pretty impressing, especially, if one takes in mind that out of everything the German population buys per year, online shopping accounts for only about 10% of the total purchases. Besides, the Centre for Retail Research that has been foreseeing the trends in online retail sales in Europe for more than a decade as well as in the United States for the year of 2017 stated:
The online retail sector is the main driver of growth in European and North American retailing, achieving in Europe growth rates of 18.2% (in 2015), 15.6% (2016), and expected increases in 2017 of 14.2% and 13.8% in 2018. In contrast, the annual growth rates for all types of retailing (from stores and online) have ranged between an average of 1.5% and 3.5% pa. The recession induced many shoppers to buy online rather from traditional stores. The fact that internet search is comparatively easy and predictable has made online retailing attractive for a wide range of products. Retail focus on the growing use of mobile technology is an additional factor in making online retailing attractive and convenient. As before, the European online market is dominated by the UK, Germany and France. These three countries are responsible for £152 bn online sales, equivalent to 75.1% of European online sales. See “Online Retailing: Britain, Europe, US and Canada 2017”, Centre for Retail Research (2017). For more recent information that also takes into account the “dramatic boost in online sales resulting from the coronavirus pandemic”, see Centre for Retail Research (2020).
22
2 Delimitation of the Problem
It can be said that, when it comes to the development of new technologies in the history of human mankind, “the internet stands in its own category, and has been particularly defined by its subsequent commercialization.”36 This leads to today’s internet situation. Are there policies, norms, principles, rules or regulations that regulate the use and further development of the internet? Who are the ones in charge of shaping today’s internet? Overall, what does “internet governance” stand for? It must be pointed out that those who created the internet like Berners-Lee wanted the internet to be totally free without any governmental structures. Roy Balleste describes the situation as follows: The creators of the internet, a group of graduate students, professors, business members from the private sector, and government engineers, did not think of the internet as being governed, or even as requiring governance; rather they saw it as being coordinated in a collaborative and voluntary fashion The study of Internet governance thus reveals a historical process of claims that demonstrates the lack of a universally accepted system of governance.37
Nevertheless, more and more are of the opinion that the internet is in need of a set of rules in order to be operated properly and meet people’s needs.38 First and foremost, the Internet Governance Forum (IGF) plays an important role in shaping the internet of today.39 The work of the IGF started in 2006 with preparatory meetings that led to background reports. At those meetings, public policy issues were discussed in detail in order to provide responses to these points of concern.40 The IGF aims at the following: The purpose of the IGF is to maximize the opportunity for open and inclusive dialogue and the exchange of ideas on Internet governance (IG) related issues; create opportunities to share best practices and experiences; identify emerging issues and bring them to the attention
36
Supra note 10, at 11. Supra note 10, at 20. Furthermore, Balleste’s book gives an overview of how the idea of internet governance started and how it further developed. For a short analysis of the history of the internet, see “A brief history of the internet”, Science Node (February 9, 2017). 38 That is why, not only have there been working groups within different governments and within Europe and the world, but also have there been different models of internet governance that were developed—such as the model of Self-Regulation, the model of Government Regulation or the model of International Institutions. See supra note 10, at 129–149. 39 Internet Governance Forum (IGF) describes itself as: 37
The IGF is a forum for multi-stakeholder dialogue on public policy issues related to key elements of Internet governance issues, such as the Internet’s sustainability, robustness, security, stability and development. The United Nations Secretary-General formally announced the establishment of the IGF in July 2006 and the first meeting was convened in October/November 2006. See “About IGF FAQs”, IGF (2020). 40 Some of the most discussed subjects by the IGF was “Privacy and Data Protection” as well as “Privacy, protection and their relation to human rights”, see Supra note 10, at 95.
2.2 Social Networks: Basic Facts
23
of the relevant bodies and the general public; contribute to capacity building for Internet governance. The main aim of the IGF is to facilitate inclusive, productive discussions on Internet related public policy issues from a general perspective, while keeping all stakeholders involved. This includes having a harmonized and consistent approach when covering IG issues. To further this aim, the IGF adheres to the generally used UN principle of discouraging ad hominem attacks. As such, participants should refrain from singling out individual persons, companies, countries or entities during their interventions and throughout the general discussions and debates in main sessions, workshops and other events at IGF meetings. Concrete examples can be highlighted in the overall coverage of IG issues as long as it is not done in a blatantly inflammatory or potentially libelous way. Singling out one entity without broader context could not only discourage further participation of this entity, but endanger inclusive and productive discussion at the IGF.41
The internet remains a work in progress. Only the future will tell what the IGF’s (as well as other stakeholders’) role will be with regard to the development of the internet.
2.2
Social Networks: Basic Facts
In order to further delimit the problem, and after giving an idea of what today’s internet is, some of the basic facts about social networks have to be presented. Therefore, in the following, the development as well as the current situation concerning social networks will be described in order to provide answers to questions such as: How did these networks get started? Which one was the first social network? How did social networks develop? And what is today’s situation? Furthermore, facts will be pointed out regarding the number of persons joining social networks, the amount of time they are spending on these platforms, the activities or purposes of the people who are using these services as well as on psychological effects social networks might have concerning its users and on possible financial benefits a person might have because of social media. At the end, a short list of pros and cons for social networks will be given. It has to be noted that due to the easier access to devices like computers, smartphones and tablets and the constant development in technology all around the world, nowadays people use the internet way more than ever before and it is not a secret that social networking has become one of the most popular activities for users of the internet.42 As of today, there is a number of social networks that are worth mentioning—for example:
41
Id. For more detailed information on the use of the world wide web, especially in regards to online shopping, see supra note 35. 42
24
2 Delimitation of the Problem
WhatsApp WhatsApp is a messaging service and social network that is designed to send and receive texts, documents, photos, videos and locations as well as voice calls worldwide.43 Instagram Instagram can be described as a mobile application and social network where people can post and share images and short videos.44 TikTok TikTok is a social networking service that allows its users to share short videos.45 Snapchat Snapchat is another multimedia mobile app and it sends images that are automatically deleted shortly after.46
43
As of July 2020, WhatsApp with its 2 billion users was number 3 when it comes to the most popular social networks, see supra note 5. Furthermore, according to WhatsApp: More than 2 billion people in over 180 countries use WhatsApp to stay in touch with friends and family, anytime and anywhere. WhatsApp is free and offers simple, secure, reliable messaging and calling, available on phones all over the world. See WhatsApp (2020). 44 Founded in 2010 and purchased by Facebook in 2012 for US$1 billion, Instagram is a social network where people post and share pictures and videos as well as so-called “stories”—videos that are only visible for 24 h. With more than 1 billion people worldwide who are actively using this social media platform on a monthly basis and 500 million users who are even actively using Instagram every day, Instagram ranks number 6 of the most popular social networks as of July 2020, see “Instagram—Statistics & Facts”, Statista (May 14, 2020c). See also supra note 5. For further information on how Instagram is used for commercial purposes and how its users make use of Instagram in order to earn their living, see “Instagram for Business: Everything You Need to Know”, Business News Daily (March 6, 2018). 45 TikTok is a Chinese-owned social media app that was started in 2016 and has ever since began its success story around the globe as people love to upload their own videos to the app and launch or join so-called “challenges”—for example, TikTok dance challenges are very popular amongst the users of this social network. With its 800 million users as of July 2020, TikTok became the seventh most popular social network in only a few years, see supra note 5. Due to the plan of President Trump to ban TikTok from the United States as he claims, overall, that the Chinese government might spy on U.S. citizens who are using the app, TikTok entered into negotiations in order to stay in business within the United States. A deal is not yet closed, but it seems as if the Trump administration might agree on the compromise that TikTok proposed taking in mind the security concerns the U.S. has. For further information, see “TikTok’s Proposed Deal Seeks to Mollify U.S. and China”, The New York Times (September 14, 2020). 46 Snapchat was launched in 2011 and has become the fastest growing app in the US with about 200 million users as of January 2015; see “Is Snapchat Really Confusing, or Am I Just Old?”, Slate (January 29, 2015). Snapchat’s posts are automatically deleted after a while and not only this, but also the fact that Snapchat’s median age is 18—in contrast Facebook’s median age is 40—makes Snapchat the biggest enemy to Facebook; see “The Inside Story of Snapchat: The World’s Hottest App Or A $3 Billion Disappearing Act?”, Forbes (January 20, 2014). As of July 2020, Snapchat with its almost 400 million users was number 13 when it comes to the most popular social networks, see supra note 5.
2.2 Social Networks: Basic Facts
25
Twitter Twitter can be defined as a news and social network service.47 Facebook As of today, Facebook still is the most popular social network.48 The starting point of social networks can be illustrated by the very first social network created, Friendster.49 The best known and most frequented social network as of today is Facebook with more than 15,000 employees and more than a dozen offices in the US as well as more than 30 offices in other cities around the globe.50 That is why, in the following, Facebook should serve as an example to present the basic facts of social networks.51 With its 2.6 billion monthly active users, Facebook has more monthly active users than Instagram, TikTok and Snapchat together.52 Moreover, looking at Facebook’s monthly active users, it has to be noted that this means an increase year over year of almost 12% since Facebook was launched in 2004. Also, the almost 1.8 billion users that log on to Facebook on a daily basis have increased by 12% over the years since Facebook’s beginning in 2004.53 Although founded in the United States, Facebook is not only an American phenomenon, but rather a global one and more than 85% of all profiles are created outside of the U.S. and Canada.54
Created in 2006, according to Twitter’s own website, its mission is “To give everyone the power to create and share ideas and information instantly, without barriers.” See “Twitter Just Filed For Its IPO, And Its Mission Statement Is Super Short”, Business Insider (October 3, 2013). As of July 2020, Twitter had more than 320 million users and ranks in the top 15 of the most popular social networks, see supra note 5. For more information on this company and its culture, see Twitter (2020). 48 See supra note 5. Facebook was founded in a Harvard dorm in 2004 by Mark Zuckerberg, Dustin Moskovitz, and Chris Hughes and became the world’s leading social network in less than 10 years playing an important part of people’s lives all over the world. For more detailed information on the history of Facebook, see Taulli (2012). 49 One has to know that in 2002, Friendster was started by Jonathan Abrams. Abrams established a totally new movement when it comes to internet behavior of people around the globe by initiating his “social networking” site Friendster. Nevertheless, Friendster was soon overtaken by MySpace and Facebook that was considered being more college-student-friendly. For more information on Friendster and for an overview of the history of different social networks, see “Then and now: a history of social networking sites”, CBS News (July 6, 2011). 50 As of June 30, 2020, there were 52,534 people working for Facebook as full-time employees in 70 offices and 17 data centers around the globe, see “Who We Are”, Facebook (2020d). 51 For an overview of the history of social networks, see “The history of social networking”, Digital Trends published on (May 4, 2016). See also supra note 37. 52 Instagram has 1 billion monthly active users, TikTok 800 million and Snapchat about 400 million, see supra note 5. 53 See Press Release “Facebook Reports Second Quarter 2020 Results”, Facebook (July 30, 2020). 54 For example, in mid-2017, there had been 307 million people using Facebook who are located in Europe. See The London School of Economics and Political Science (2017). 47
26
2 Delimitation of the Problem
But how much time does a person spend on Facebook? And what are people actually doing there? The average time a user from the United States spends on Facebook is 37 min per day, and it seems to be worth mentioning that during their visits, most people share content—over all, pictures and comments.55 That is why, in total, more than 50% of all users are joining Facebook in order to share content with other people and 65% of all users watch photos, while 46% watch videos, so that 100 million hours of video content is watched every day on Facebook.56 Furthermore, 15% make use of Facebook to do online shopping and 800 million people are using Facebook Marketplace every month.57 Moreover, users update their statuses on a regular basis and they generate so-called “Likes” that indicate that a person is agreeing on another person’s content. As of May 2013, 4.5 billion likes were generated every day and the average user of Facebook likes 13 posts every month as of July 2020.58 Besides, the average Facebook user usually shares one article and comments 5 times a month as well as checks on 12 advertisements that are promoted on Facebook. This way, 57% of all Facebook users to be precise take advantage of Facebook to share content with others and 33% actually user Facebook to network.59 According to Facebook, its mission is the following: Founded in 2004, Facebook’s mission is to give people the power to Build community and bring the world closer together. People use Facebook’s apps and technologies to connect with friends and family, find communities and build businesses.60
As already pointed out, Facebook with its users all over the globe is a gigantic network that wins more and more power by being part of so many people’s everyday lives. So, does Facebook’s mission as stated on their own website really apply to the majority of its users? Or are there other goals and purposes people might be driven by? It must be kept in mind that with the large number of people who are using social media, a network like Facebook cannot be ignored—especially when users are visiting their social network on a very regular basis. And it is unnecessary to point out that such a platform can offer great business opportunities—not only to larger brands and corporations, but also to individuals who are just getting started in promoting their own products, ideas, businesses or simply just themselves. Many
For further information on statistics regarding Facebook and its users, see “Facebook Revenue and Usage Statistics (2020)”, Business of Apps (July 30, 2020). See also “The Top 20 Valuable Facebook Statistics – Updated August 2020”, Zephoria (August 2020). 56 Id. 57 For more information on Facebook Marketplace, see Facebook Marketplace available via Facebook https://www.facebook.com/marketplace/learn-more/. 58 Supra note 55. 59 Id. 60 Supra note 53. 55
2.2 Social Networks: Basic Facts
27
examples show how social networks can be the starting point for someone to realize an idea as well as influence and even push someone’s business.61 According to Facebook, as of May 2013, there had been 16 million local business pages created which means a 100% increase since June 2012 and a total of 42% of marketers state that Facebook is critical or, at least, important to their business.62 What is it that really matters to Facebook users? Do they follow the above stated mission of Facebook over all, staying connected with friends and family? Before further developing this subject, it has to be given a brief summary of the pros and cons of social networks as to our previous discussion: Pros of Social Networks As far as easy and fast communication amongst people from all over the world goes, social media is definitely contributing to it big time. Furthermore, and as pointed out already, there are also business opportunities for individuals who make use of social media platforms. Cons of Social Networks It must also be taken into account that there are threats coming from social networks, too—especially when these are becoming more and more powerful and influential.
61
To give an example, I would like to share the success story of a young lady from Berlin who had been working at one of Germany’s most well-known newspapers being the personal assistant of the editor-in-chief for the newspaper’s edition online. After many years of doing her job, a job that others would have been more than happy to get and that was pretty well-paid, she decided from one day to another to quit and to rather follow her dream to work in fashion. So, like many others she started her own blog including participating in all kind of social media platforms—especially, Instagram and after a while of positioning herself, making the right business decisions—over all, deciding on how to post what on whatever platform -, she actually started earning good money because more and more people were following her. After all, many of her followers as well as companies contacted her and they signed agreements, magazines published her photos and pointed to her website and she continued her journey as a so-called influencer making a living. See “Hello Shopping” available at http://helloshopping.de/medien/. Another great example is Chiara Ferragni as Ferragni used to be a so-called simple girl from Italy who successfully built an empire making use of social media which led to her being on the Forbes 30 under 30 list twice. In order to better understand her story, see “Chiara Ferragni – how a ‘crazy blogger’ turned her life into a shop window”, The Guardian (November 29, 2016). For more information on how to use social network platforms as a marketing tool, see Faßmann and Moss (2016). 62 Nowadays, the aspect of using social media platforms like Facebook or Instagram that is owned by Facebook as a business tool, is of even more importance than 7 years ago. Today’s mission of Facebook as referred to above demonstrates this very well—especially, when one compares today’s mission to Facebook’s mission a couple of years ago: Founded in 2004, Facebook’s mission is to give people the power to share and make the world more open and connected. People use Facebook to stay connected with friends and family, to discover what’s going on in the world, and to share and express what matters to them. See Press Release “Facebook Reports Third Quarter 2016 Results”, Facebook (November 2, 2016).
28
2 Delimitation of the Problem
Not only does the internet itself pose general threats to its users—as for example, piracy and data theft as well as heading towards a future where nothing is ever forgotten, but rather constantly supervised and one becomes a so-called “glass person”—, but also specific ones. By creating an atmosphere of intimacy and promoting to share emotions, thoughts and opinions, a user might give up on personal information too easily and without thinking about any possible consequences. This way, others could detect weaknesses in individuals and not only could this lead to victimization, but also to major manipulation. Furthermore, it becomes incredibly easy to create fake images of oneself or even other persons,63 and as already said, social networks contribute to mobbing as well as to depression and even suicidal thoughts and actions. Especially, the psychological effects of social media on the individual and on society will be further developed in the next part when discussing the so-called Facebook Generation. First, it has to be asked what the term of the so-called Facebook Generation encompasses. In addition, as far as to the questions on what exact data is gathered and processed through social networks and what possible impact this might have, this will also be explored.
2.3
The “Facebook Generation”
Accordingly, the Facebook Generation, also called “Generation Facebook,” will be described in what follows.64 There are a number of questions that pop up when starting to think of the term “Facebook Generation,” such as: First and foremost, who falls under this term? And what are the reasons for joining social networks? Which ones are the most frequented ones amongst the Facebook Generation? And what happens to a person who is on social networks all the time? Are these people just doing what everyone was doing before social networks became part of their lives? Especially when it comes to teenagers, do today’s teens still have the
63
Besides, there are millions of fake user accounts on social media platforms. As of 2012, there were 83 million fake profiles on Facebook alone. These accounts made up almost 10% of all active pages on Facebook. See “83 million Facebook accounts are fakes and dupes”, CNN (August 3, 2012). For more information on fake Facebook accounts and how Facebook is dealing with this issue, see “Does Facebook Really Know How Many Fake Accounts It Has?”, The New York Times (January 30, 2019). As of May 2019, there were 120 million fake accounts on Facebook, see supra note 55. 64 The report “The Millennial Generation Research Review” gives a good first impression of what the subject at hand is, see U.S. Chamber of Commerce Foundation (2012).
2.3 The “Facebook Generation”
29
same needs as teenagers had who were growing up a generation before them? And are they just channeling these needs through a new technology with new opportunities? What are the effects of social networks on people? Are there psychological effects on the individual or even on the society as a whole? After all, might this new technology be changing our world more dramatically than we actually think presently? First of all, it must be noted that, when referring to Generation Facebook, we are talking about a certain demographic group of individuals born while the internet came to life, so that these people were growing up making use of the internet as well as of social media. Instead of communicating via one-to-one meetings, phone calls or emails, for Generation Facebook, social networks are the most important way of getting in touch with each other. Most of those who are considered belonging to the Generation Facebook started to make use not only of computers, but also of mobile devices—such as smart phones and tablets—from an early age on, and participating in social networks has been just a normal part of their lives in order to communicate and connect to others from around the globe from early on, too.65 This way, not only do they have relationships with persons in the places where they live or visit, but they also share their lives with people who do not form part of their physical everyday lives when they meet their friends in person. These relationships rather take place in the digital world and do not interfere or overlap with the real world. Nevertheless, for the members of the Generation Facebook, the relationships the have to those they only meet in the digital works are as crucial as the ones with actual physically present friends. That is also why, new technologies are important to the younger generation—not only in their private lives, but also when it comes to their workplaces. According to Gary Hamel,66 “organizations must provide Generation Facebook with a social environment at work to reflect the social context of the Web.”67 Besides, Katrin Bennhold, a New York Times correspondent68 has been exploring and writing about the subject of Generation Facebook. That is why, she was 65
In order to give an overview not only of the actual usage of Generation Facebook when it comes to new technologies and social networks, but also on the emotional experiences caused by social media platforms on this generation, see Wood et al. (2016). 66 Gary Hamel is an American author and business consultant and he was ranked “one of the world’s most influential business thinkers”, The Wall Street Journal (2009). Furthermore, Hamel was amongst the top 10 most influential business gurus, see “In Pictures: The 10 Most Influential Business Gurus”, Forbes (October 14, 2009) and is still referred to as “one of the world’s leading management thinkers”, see “Gary Hamel: Leadership Lessons From The Corona Crisis”, Forbes (April 23, 2020). 67 See also “Generation Facebook (Generation F)”, SerachCIO (October 2012). 68 Katrin Bennhold is a German native who has been moving around the globe living in five different countries on three continents. She has been a Nieman fellow at Harvard University in 2012 and 2013. Furthermore, Bennhold who has been working for The New York Times since 2004 is managing the bureau of the The New York Times in Berlin at the moment. See “Katrin
30
2 Delimitation of the Problem
interviewing, amongst other teenagers, a young 19-year-old US citizen who is part of the Generation Facebook. In an interesting newspaper article,69 Bennhold asks: What kind of citizens, voters, consumers, leaders will kids like Trevor grow up to be?70
In order to find an answer to this question, Kartrin Bennhold was further researching on the subject and writes: I decided to go back to the place I was a teenager in the days before cellphones and e-mail: the Ratsgymnasium in Osnabrück, an average school in an average town in northwest Germany. For three days in April I embedded in the everyday lives of 13- to-19-year-olds, hanging out in and after class, watching them interact and interviewing the adults in their lives. Their teachers say they have poor spelling and short attention spans. (“This is an ADD epidemic in the making,” one muttered darkly.) I found them hyper self-conscious, narcissistic and a little superficial. Memory is on a hard disc — many of them don’t even know their own mobile number by heart. But most of the Facebooking teens I met among the 1280 students here are also infinitely more international-minded, flexible and tech-savvy than we were 20 years ago. They can study for a math test whilst IMing71 and listening to music; they take piano tutorials on
Bennhold”, The New York Times (August 23, 2020), available at https://www.nytimes.com/by/ katrin-bennhold. Although Bennhold never thought of herself as an outsider, she was surprised to find herself a “digital immigrant” at her old high school in Germany. As Technology has never been more than a work tool for Bennhold, she found the so-called Facebook Generation “clicking at a different rhythm”. 69 See “Generation FB”, The New York Times (June 23, 2011). This article gives a pretty good overview of different aspects regarding the Generation Facebook and how this generation is different to the previous one. The article does not only highlight the differences in between the teenagers from the generation right before the internet and social media become so popular and the Generation Facebook teens, but it also describes how social networking actually works by having the teenagers of Generation Facebook being involved and by explaining what these teenagers actually do every day and how as well as why they do and share so much on social networks sites. Furthermore, the article gives an idea on how much time the younger generation actually spends on social media platforms and how social networks interfere in and occupy the every-day lives of Generation Facebook. Besides, the article also touches to aspect of bullying. For further information on young adults and privacy online, see Marwick et al. (2010). 70 Id. 71 The definition of IMing is “Instant Messaging”. For more information on the latest developments in instant messaging, especially when it comes to its use at work places, and its impact on society, in particular its changes regarding communication amongst people, see “The Instant Message Generation Gap”, The Wall Street Journal (April 17, 2018). The article describes the following: . . .Slack, one of the most widely used messaging apps, allows group chats, direct messaging to individuals, and voice and video calls across multiple devices.[. . .] While email is still the leading form of business communication, IM accounts are expected to grow 8% annually for the next four years, to 8.6 billion world-wide, says the Radicati Group, a Palo Alto, Calif.,
2.3 The “Facebook Generation”
31
YouTube and battle monsters in virtual games with virtual friends from all over the world. They share everything, from their latest break-up to prized study notes. The social networking addiction may be accentuating the worst in youth, but I also saw it bring out the best: this is not Generation Y, this is Generation Why Not? — multi-tasking and crowd-sourcing, collaborative and open-minded. The kids of today may not be able to spell Zeitgeist but they are fundamentally of their time. And after getting to know them a little I came away reassured that the many daunting problems previous generations are bequeathing on them might just be in good hands.72
Bennhold further describes the pros and cons of the life the younger generations due to the impact new technologies have on them and concludes the following: At my old school I was struck by how much teenagers have changed. But I was also struck by how little the school had changed, and I don’t think it’s an exception. Teachers are right to fret about attention deficits and lazy thinking. But no fundamental rethink seems to have occurred about how teaching and learning should take place in the age of social networking.73
So, this means that the Facebook Generation, although still facing the same needs and having similar dreams and expectations from like to the previous generations, yet, are leading a different lifestyle that requires an adaptation of certain institutions like, for example, the schooling system to this new reality? Just recently a memo of Facebook’s executive Andrew Bosworth who has been working for Facebook for more than 10 years was exposed.74 In that memo called “The ugly”, the Facebook employee writes: research firm. Employers say they reduce the need for meetings and make it easier to sustain conversations among team members, share updates and get quick tips and answers. Email can seem clumsy, slow and officious by comparison. [. . .] The tempo of IMing changes the way many people organize their days. [. . .] A new generation of workplace apps, including Microsoft Teams, Stride by Atlassian and Google Hangouts, aim to simplify communication by bundling instant messaging with team-collaboration, web-conferencing and socialnetworking tools.[. . .] There has also been a recent study on instant messaging where instant messaging is described as the following: Instant Messaging (IM) plays a major role in online communication, whether through dedicated software or through chat integrated in a social network’s platform. IM-based online conversation enables private, synchronous, interpersonal communication while being invisible and possibly anonymous; facilitates self-disclosure and intimacy; and possesses advantageous features of expressive writing and social support. For adolescents, the use of IM is a legitimate, available, and free alternative vehicle for communicating with peers to ventilate negative emotions and to receive social support and advice. See Dolev-Cohen and Barak (2013), pp. 58–63. Id. 73 Id. 74 For more detailed information on this memo, see “A Look at Facebook’s “ugly” memo”, CNet News (March 30, 2018). For further information, see “Facebook Memo Reveals Angst Over Growth Cultures Consequences”, The Wall Street Journal (March 30, 2018). 72
32
2 Delimitation of the Problem Maybe it costs a life by exposing someone to bullies. Maybe someone dies in a terrorist attack coordinated on our tools.
To give an actual example of mobbing within a social networks, there has been a case that led to suicide due to social media and disrespectful treatment one another.75 In this very sad case, a 13-year-old teenage girl commits suicide after being ignored by her alleged boyfriend who she had fallen in love with after getting to know him online. In the end, it turns out that this boyfriend was a former girlfriend of hers who wanted revenge.76 Besides, studies have shown that social media has an impact on people’s health— especially, when it comes to younger adults.77 So, the question remains whether all the information that is already out there and accessible to whoever is interested in it, changes the way teenagers are behaving nowadays. Once again, coming back to Bennhold as she comes to the following assumptions: Sometimes it’s not clear whether the kids today control the information or the information controls them. [. . .] But that’s just it: The flipside of this attitude (meaning that the Generation Facebook has a pretty easy attitude towards privacy) is that teens like Eva, Johannes, Leo and Arne are much less selfish with their knowledge than we were. They share their study notes not just among friends or in their class, but across the country: Abiunity.de is a goldmine of shared files on every exam subject on the German syllabus. Unlike us, many of them study regularly in groups and seem to be much better at it. “They are much less hierarchical than you guys were,” observes my former biology teacher, Gerd Schiefelbein. Arne plans a trip around the world after graduating from high school this summer and dreams of studying marine biology in Australia. Leo wants to move to Britain. Today they use social networking to rally around the coolest band of the day and organize ad hoc parties with amazing turnout. As adults they will have the tools to rally large communities around the causes they care about at unprecedented speed. They don’t mind small
See “Cyber-Mobbing Tod eines Teenagers”, Der Spiegel (November 18, 2017). According to Bennhold “Social networking has penetrated just about every aspect of teenage interaction, not least dating etiquette.” See supra note 69. Furthermore, it is said there are tens of millions of fake accounts on social networks, see “Have You Been a Victim of Social Media Theft?”, The New York Times (January 29, 2018). 77 For example, the Journal of Medical Internet research published a study that comes to the following results: 75 76
Approximately 69% of US adults reported having access to the Internet in 2007. Among Internet users, 5% participated in an online support group, 7% reported blogging, and 23% used a social networking site. Multivariate analysis found that younger age was the only significant predictor of blogging and social networking site participation; a statistically significant linear relationship was observed, with younger categories reporting more frequent use. [. . .] In general, social media are penetrating the US population independent of education, race/ethnicity, or health care access. See Chou et al. (2009). On the other hand, there are also studies that support the contrary. One recent study comes to the conclusion that its findings “do not support the narrative that young adolescents’ digital technology usage is associated with elevated mental- health symptoms.” See Jensen et al. (2019).
2.4 Data Gathered and Processed Through Social Networks
33
tailored ads, but abhor big intrusive ones. They trust one another more than politicians and big companies. My bet is that they will be demanding customers and demanding voters.78
We will conclude this chapter with Bennhold’s assumptions, as this is a very positive way of thinking and only the future will tell how the members of the Generation Facebook will shape tomorrow’s reality.
2.4
Data Gathered and Processed Through Social Networks
After giving a description of the world wide web and basic facts regarding social networks, as well as explaining the so-called Facebook Generation, it is time to focus on the data gathered and processed through social networks. As everyone knows, social networks are collecting their user’s data.79 But, first of all, where does this data come from? What is the amount of data gathered and processed? How did this data flow develop? And more important, what kind of data do social networks gather and process? How exactly do these networks use the data retrieved from their users? And how can a user have an impact on the usage of his or her own data? Who is interested in the data? And why is that? How is the data and its gathering and colleting controlled? Overall, who has the right to use, sell or work with the data? It, once again, has to be pointed out that, on the one hand side, social networks provide an easy way of communication amongst individuals from all around the world. The users of social networks engage with one another constantly as they are posting texts as well as videos and pictures exchanging ideas and opinions. They are commenting on and discussing all kind of subjects. And while doing so, usually, the individual does not pay anything in order to make use of this new and easy way of electronic communication. So, on the one hand, it seems as if these social networks offer free platforms to anybody who wants to join and be part of a community of people who share their lives, visions, dreams and fears with each other. But on the other hand, some might come to the conclusion that the users of social networks are actually paying after all as they are giving away lots of their very personal data to the social networks they use. One could even say that the users are charged big time—especially as it has to be taken in mind that it remains pretty unclear what exactly social networks actually know.80
78
See supra note 69. Not only is Facebook’s business model based on collecting data from their users, but also Facebook’s CEO Mark Zuckerberg just recently stated that his social network even collects data on non-users, see “Zuckerberg Says Facebook Collects Internet Data on Non-Users”, Bloomberg News (April 11, 2018). For a definition of the term data, see Kirch (2008), Vol. 1, p. 192. 80 To take Facebook as an example, Mark Zuckerberg’s statement “In general, we collect data on people who have not signed up for Facebook for security purposes.”, once again, emphasizes that anybody using the internet is affected no matter if they are users of Facebook or not. To get a better idea on what Facebook knows about individuals, see “What Mark Zuckerberg Didn’t Say About What Facebook Knows About You”, The Wall Street Journal (April 14, 2018). 79
34
2 Delimitation of the Problem
To give a better example in order to explain the topic of data in the context of social networks, the author will take a closer look at Facebook and its practices. This way, numbers, for example, the amount of users and maybe the data obtained from them will become more clear. So, there is Facebook that, of course, is collecting data on a daily basis, but it is by far not the only social network doing so.81 Besides, there are also other internet services that collect data in a similar way social networks do.82 In the following, basic facts will be given on the production of data in social networks by taking Facebook as an example: so, what kind of data does Facebook collect? It has to be noted that there are different categories of data Facebook is constantly retrieving from its users which will be presented in the following.
81
As already described, the so-called generation Facebook uses a number of other social networks—such as Instagram, Twitter, Snapchat or TikTok. 82 For example, so-called “web tracking” leads to finding out about someone’s very own behavior online. As already explained, web tracking means that a website uses special software tools in order to keep certain tabs on its visitors and, this way, monitor the visitor’s behavior online to improve the online experience of this person with that website. Obviously, many websites are making use of web tracking in order to find out where internet users are at, what these people are interested in or what they like and buy. And it has to be pointed out that web tracking was not invented by social networks, but it is pretty problematic when it comes to data protection, although not too many people might be caring about it yet, and there might rather be more concern when it comes to data collected through social networks. Accordingly, an article describes the following: A study that looked at web tracking over the last 20 years found that at least 75% of the world’s 500 most popular websites contain web trackers, up from fewer than 5% in 1998. [. . .] The rise of web tracking and more targeted advertising has helped fund the explosion of online content and build such web behemoths such as Google, Facebook, Amazon and others. [. . .] Websites today commonly include tracking code from third parties, such as advertisers, social media sites and website analytics services. In the simplest tracking mechanism, those third parties store a “cookie” containing a unique identifier (such as “USER1234”) in the user’s browser. Whenever a user visits a website containing code from one of those third party trackers, that code is used to look for the user’s unique identifier stored in the user’s browser. If it finds the unique identifier, it sends information about what the user viewed to its collection of information about them out to the company that placed it. Thus, the third party trackers are able to build “browsing profiles” of users. While these don’t include their name, they do include information of interest to advertisers. See “They really are watching you: web tracking surges with online ads”, USA Today (August 16, 2016).
2.4 Data Gathered and Processed Through Social Networks
2.4.1
35
Data Actively Provided to Facebook by Its Users
First of all, there is the data a user actively provides to Facebook. For example, upon registration a user usually gives away information such as his or her name, address, gender, birthday or Email-address as this is required by Facebook.83 Furthermore, many users add more information, such as, for instance, their education, work place and hobbies, as well as the music, books, artists, TV shows and so on. This is not mandatory according to Facebook’s policy, but especially those who use Facebook on a regular basis are constantly contributing to more data the networks can collect on them. For example, the famous like-button84 as well as people’s status updates, their links, posts, comments and friendships as well as participating in groups and events or their communication through mail or chats makes it possible for Facebook to retrieve more and more information as its users are actively providing it. The likebutton, a so-called social plug-in, in particular is a perfect tool in order to retrieve gigantic amounts of information as it is not only existing within the social network itself, but also on many other websites and because of it complex software,85 the 83 In order to be able to create a Facebook profile, the user has to provide all the above mentioned personal information. For more detailed information on Facebook’s data policy, see “Data Policy”, Facebook (August 21, 2020a). In order to get an overview of all of Facebook’s policies, see “Facebook Terms and Policies”, Facebook (2020b). 84 The like-button allows Facebook to learn certain facts about a person such as the IP-address and location of the person’s device, or what web browser is used and it becomes clear that this way, it is easily possible to create a pretty exact user profile of any person surfing online. Although, there are certain things one can do, over all, install specially designed programs, in order to stop Facebook from collecting one’s information, some of these programs do not work properly and others even turn out to be another toll that actually collects and reports to Facebook. In this context, it has to be also noted that Facebook’s like-button has been of concern in Germany—especially, when it was first introduced. Overall, those who are working for consumer protection have been fighting companies that make use of the like-button like Beierdorf or Paypack nationwide. In 2016, for example, a German court ruled that the like-button was actually illegal when it comes to those websites of companies. The District Court Düsseldorf had to decide a case of the consumer advice center of the German State of Nordrhein-Westfalen against Fashion ID, the online shop of the German clothing Company Peek & Cloppenburg. The legal line of argument led to the conclusion that the like-button was retrieving too many information of the consumer who was visiting the online shop’s website and who did not even know that certain of his or her information was exposed, so that by doing so, the like-button was violating laws that are supposed to protect the individual’s personal data. For further information on the like-button as well as the court’s ruling, see “Der FacebookDaumen ist ein raffinierter Spion”, Die Welt (March 9, 2016). For the complete text of the ruling of the District Court Düsseldorf—Landgericht Düsseldorf Urteil (Aktenzeichen 12 O 151/15), see NRWE—Rechtsprechungsdatenbank der Gerichte in Nordrhein-Westfalen meaning the German State of Nordrhein-Westfalen’s website, available at https://www.justiz.nrw.de/nrwe/lgs/duesseldorf/lg_duesseldorf/j2016/12_O_151_15_Urteil_ 20160309.html. 85 Usually, plug-ins contain so-called tracking-cookies which are designed in order to be automatically placed on a person’s computer and which are recognizing the software of a plug-in, so that they report all the person’s behavior online right away back to Facebook even if that particular person does not even have an account with Facebook.
36
2 Delimitation of the Problem
button once placed on a website allows Facebook to know about anybody who is just visiting a website that has the like-button no matter whether the person actually makes use of the like-button or not. As there are millions of like-buttons existing and Facebook is constantly staying connected to each and every website that contains one of them, as of today, almost every user of the internet is being spied on non-stop while Facebook monitors the users’ behaviors online, their preferences, buying patterns and much more.86
2.4.2
Metadata
There is also another category Facebook’s users are not always aware of. The users provide Facebook with way more information than the above mentioned as Facebook saves a lot of so-called “metadata”. Metadata stands for the collection of information about the communication of people—for example, time, place, language, sender, recipient or let’s better say how a person communicates—in contrary to the collection of content meaning what exactly a person actually says or writes.87 According to David D. Cole:88 Of course, knowing the content of a call can be crucial to establishing a particular threat. But metadata alone can provide an extremely detailed picture of a person’s most intimate associations and interests, and it’s actually much easier as a technological matter to search huge amounts of metadata than to listen to millions of phone calls.89
86 It also has to be noted that not only does Facebook see who or what IP-address visits what website, but also what the individual does on such a website where a like-button is placed—for example, how long one is staying on that site, which link one clicks on or what product one looks at or buys etc., see supra note 84. 87 See Granick (2017), p. 20. 88 David D. Cole is the current Legal Director of the American Civil Liberties Union, the oldest and largest civil liberties organization in the United States of America. After graduating from Yale Law School, besides other achievements, he has been successfully litigating a number of constitutional cases in the Supreme Court of the United States and he has been the Hon. George J. Mitchell Professor in Law and Public Policy at Georgetown University from 2014 till 2016. For further information on David D. Cole, see “David Cole”, American Civil Liberties Union (2020). 89 Furthermore, Cole also writes:
As NSA General Counsel Stewart Baker has said, “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.” When I quoted Baker at a recent debate at Johns Hopkins University, my opponent, General Michael Hayden, former director of the NSA and the CIA, called Baker’s comment “absolutely correct,” and raised him one, asserting, “We kill people based on metadata.” See “We Kill People Based on Metadata”, The New York Review of Books (May 10, 2014).
2.4 Data Gathered and Processed Through Social Networks
37
That is why collecting metadata is one of the most important tasks of an intelligence analyst.90 And looking at the United States, it has to be noted that the collection of metadata and its tremendous revelations regarding the country’s citizens has caused an attempt of a reform of the National Security Agency (NSA) in 2014. Unfortunately, although this bill was unanimously approved by two committees, it did not become binding law.91 Coming back to metadata and social networks, it can be said that, especially, those users who are permanently logged on to Facebook, are giving away tons of information as Facebook uses, over all, automated services to constantly check on its users.92
90
In her book, Jennifer Stisa Granick states: Metadata is sensitive, revealing, and highly coveted by intelligence analysts. Metadata collection is a huge part of what the intelligence community gathers. In a one-month period alone in 2013, a single unit of the NSA, the Global Access Operations unit, collected metadata on more than 97 billion emails and 124 billion phone calls from around the world. Supra note 87 at 20–21.
91
David D. Cole describes the approval of the initiative as the following: It is precisely this power to collect our metadata that has prompted one of Congress’s most bipartisan initiatives in recent years. On May 7, the House Judiciary Committee voted 32-0 to adopt an amended form of the USA Freedom Act, a bill to rein in NSA spying on Americans, initially proposed by Democratic Senator Patrick Leahy and Republican Congressman James Sensenbrenner. On May 8, the House Intelligence Committee, which has until now opposed any real reform of the NSA, also unanimously approved the same bill. And the Obama administration has welcomed the development. See supra note 89.
Nevertheless, in 2018 not only the House, but also Senate simply reauthorized the surveillance powers and did not even really debate on it and there were neither any amendments nor privacy reforms, see “Congress demanded NSA spying reform. Instead, they let you down”, ZD Net (January 19, 2018). 92 For example, Facebook can constantly track its users and can see every move they make if connected to Facebook via smartphone as a smartphone is usually always carried around by its owner. Also, Facebook saves the metadata of uploaded videos and pictures, so that not only the device in action—for instance, a smartphone, tablet or computer—is discovered, but also time and place are recognized and saved by Facebook. Furthermore, Facebook is able to scan all kind of uploaded pictures in order to recognize faces and certain landscapes, places and even food. Although the automated facial recognition is turned off for users from Europe according to Facebook, it becomes clear that one cannot really know the exact amount of information this social network actually retrieves. In order to get an idea on how Facebook itself looks at the issue of collecting data, here is what its website states: Promote safety and security. We use the information we have to verify accounts and activity, combat harmful conduct, detect and prevent spam and other bad experiences, maintain the integrity of our Products, and to promote safety and security on and off of Facebook Products. For example, we use data we have to investigate suspicious activity or violations of our terms or policies, or to detect when someone needs help. See supra note 83.
38
2 Delimitation of the Problem
2.4.3
Big Data
This leads to the third category of data—the so-called “big data”. Big data comes from a statistic analysis of the above explained data. This new information, therefore, is data won from existing information by analyzing this existing data.93 Facebook looks at the data and performs its own analysis and experiments that, sometimes, are presented to the public.94 Besides, Facebook also combines different sources of data in order to retrieve even more data.95 Additionally, there are others out there who participate in retrieving data such as market research institutions. And Facebook cooperates with these firms, overall, in order to better target its clients coming from the advertising field who are posting their advertisements on Facebook. This way, Facebook combines its own information with the one from others. By doing so, it often comes down to its users’ Email addresses and phone numbers in order to link the right data with each other.96 So, what exactly is it that Facebook wants to achieve with all the data that was collected?
93 For further information on big data, see “Why “Big Data” Is a Big Deal”, Harvard Magazine (March-April 2014). There, the author refers to Gary King’s study on social media who says that the potential of big data is to benefit society and that this benefit could be far beyond what has been accomplished until now. He names the example of Google that could perform a quicker prediction of flu outbreaks by analyzing clusters of search terms, big data, than by just using the regular hospital admission records within the United States. 94 For instance, Facebook already did its research on the subject whether a huge amount of positive or rather negative comments can lead to emotional contagion, so that more and more people would follow the same ideas. The feed experiment that was performed by Facebook in collaboration with academics from Cornell and University of California concluded:
Emotions expressed by friends, via online social networks, influence our own moods, constituting, to our knowledge, the first experimental evidence for massive-scale emotional contagion via social networks. For further information on this mass study including more than 689,000 Facebook users regarding emotional manipulation, see “Facebook reveals news feed experiment to control emotions”, The Guardian (June 29, 2014). 95 As Facebook constantly buys more and more firms—as, for instance, platforms like Instagram or WhatsApp—there are plenty of possibilities to gain tons of information even outside the social network itself. To give an example, although Facebook promised not to use any of the information obtained from users of WhatsApp, terms and conditions later on changed, so that data was also transferred to Facebook after all. Several European countries reacted and also the European commission has fined Facebook with 110 million euros because of misleading information when taking over WhatsApp. For further information, see “Facebook fined £94 m for ‘misleading’ EU over WhatsApp takeover—European commission says fine is a ‘clear signal’ to companies that they must comply with EU merger rules”, The Guardian (May 18, 2017). 96 One of the most prominent and recent examples of a company going into business with a social network is the firm Cambridge Analytica that made use of the collection of millions of Facebook users’ personal data by examining all the users’ personal data. For more information on the events in 2018 involving Cambridge Analytica, see Kaiser (2019).
2.4 Data Gathered and Processed Through Social Networks
39
What is Facebook’s business model? According to Facebook’s official statements, there are only two purposes in collecting data: On the one hand side, Facebook wants to guarantee and improve its performance for its existing users and, this way, keep these users as well as gain new ones. On the other hand, Facebook is keen of optimizing the advertisements presented on its websites and as already explained, Facebook collects the personal data of its users. This way, Facebook is able to provide each user with personalized matching advertisements.97 Therefore, it must be crucial to Facebook to know its users as well as possible. It is known that there are about 1300 characteristics—as for example, educational level, monthly income, shopping patterns, address, gender etc.—that Facebook uses in order to identify the needs of its users.98 This way, Facebook can better work together with the advertising companies and increase its revenues. That is why, when thinking about the data Facebook collects, one could come to the conclusion that Facebook must be keeping most of the data to itself and particularly, does not want to give away any personal data to third parties—especially, as Facebook should not be considered a globally operating investigation agency, but rather a company that wants to place advertisements in order to make money. But what if a third party wants to access Facebook’s data? Obviously, there must be many firms and also state agencies that are interested in making use of Facebook’s huge collection of data and would want to, for example, retrieve personal information about an individual’s personal information.99
97
Facebook’s business model is, overall, built on providing individualized advertisements to its users as the social network earns money based on revenues coming from those advertisements posted on Facebook’s websites. For further information on Facebook’s business model, see “Why Facebook Will Never change Its Business Model”, Forbes (2018). There Professor Colin writes: Facebook has compelling reasons to be committed to its current business model. It is therefore disingenuous and gallingly inaccurate for Zuckerberg to justify his company’s business practices by comparing Facebook with “a lot of media, having an advertisingsupported model as the only rational model that can support building this service to reach people.” In reality, Facebook has hollowed out the readership and drained the advertising revenues from media companies, causing many to shift to subscription-based revenue sources for survival.
98
For example, Facebook is trying to attract advertisers by providing them with more than 1300 categories for ad targeting, see “What Facebook Knows About You”, ProPublica (September 28, 2016). 99 For example, there has been an insurance company that was advertising cheaper rates if a person allowed the insurance company access to his or her Facebook profile. Here, not the social network’s users, but rather Facebook itself stopped the firm from accessing the individual’s personal data as according to Facebook’s own terms and conditions, when it comes to giving away any data away to third parties, this data is not supposed to be used to determine if a person is eligible for a loan. For more information, see “Facebook blocks Admiral’s car insurance discount plan”, BBC News (November 2, 2016).
40
2 Delimitation of the Problem
In this context, it has to be noted that there are some cases when Facebook actually has to release its data. This usually happens when it comes to criminal prosecution and a court orders Facebook to provide the investigative authority with the necessary data.100 Furthermore, there are countries like the United States that might force Facebook to cooperate with its secret services.101 And there are also researchers who get data from Facebook from time to time in order to be analyzed.102 It, once again, becomes clear that being active on such a social media platform like Facebook can expose way more about a person than he or she actually expects.103 And as explained before, even if the individual does not join any social network, does not obtain an account with Facebook, but rather might have actually never created any profile there, it is still very likely that his or her personal information is being collected and used by a social network or even a third party.104 And as described already, overall, social plugins collect anybody’s information and even the installation of special software in order to stop Facebook from collecting one’s information, does not guarantee that all the various collections of one’s data are being stopped.105 100
In order to better understand what rule applies if a law enforcement official wants access to Facebook’s data, Facebook has created operational guidelines as well as a so-called “Law Enforcement Online Request System”, see “Information for Law Enforcement Authorities”, Facebook (2020c). 101 See “Microsoft, Facebook, Google and Yahoo release US surveillance requests”, The Guardian (February 3, 2014). There, it is explained that every 6 months, due to secret court orders, tech companies like Facebook have to turn over tens of thousands of its users’ accounts and this way, their users’ personal data, to U.S. governmental authorities. 102 This way, British researchers found out that it can easily be determined what gender a Facebook user has, whether he or she is homo- or rather heterosexual and which religion he or she practices solely according to the likes—again, the so-called “like-button” comes into play—of a certain user. To give another example, there has been a mass study on emotional contagion done by Facebook together with Cornell University and the University of California, see supra note 94. 103 In order to provide an example, we’ll come back to Facebook’s like-button as obviously, not everybody is aware of the fact that when it comes to the like-button, not only likes posted on Facebook are collected by Facebook, but also those likes that a person posts on any other website. Furthermore, the person’s behavior online is monitored and automatically reported to Facebook even when not making use of the like-button as the simple fact that a website contains such a social plug-in, such as the like-button, leads to the direct transferal of all kind of information to Facebook. And there is more, even if the person is neither logged on to Facebook nor does he or she click on the like-button, the information regarding the activities of that particular person visiting the website that has a like-button also automatically goes to Facebook. One could say that there are millions of invisible cameras constantly watching the individual while surfing the world wide web and Facebook being, at least, one of the biggest spies. 104 Facebook’s CEO Mark Zuckerberg just recently stated in his hearing regarding the Facebook’s privacy practices in Washington before the House Energy and Commerce Committee: In general we collect data on people who are not signed up for Facebook for security purposes. See supra note 79. 105
See, overall, supra notes 79, 80, and 82. Moreover, it is also without doubt that “The data business is changing and is becoming more sophisticated,”, see Dixon and Gellman (2014), p. 84.
2.4 Data Gathered and Processed Through Social Networks
41
After all, even if a computer bans and blocks any kind of data collection, the questions remain: What about the data that has already been collected? And how does one find out what exact data Facebook already collected? In general, there is a link provided by Facebook that makes it possible for any user to know about certain data Facebook collected on her or him.106 Usually, it is not only surprising, but rather pretty scary once one realizes how much of one’s personal information one has been giving away freely and without any charge to a firm called Facebook.107 Besides, there is an even more concerning fact: Facebook collects data as described above—above all, through its social plugins—not only on its users, but on everybody. So, how would someone who does not have an account with Facebook and who, therefore, could not be capable to follow Facebook’s instructions on how to download the collected data, access his or her Facebook data?
On its website, Facebook informs its users on how to find out about the data Facebook collects on them. Facebook explains the following:
106
Download Your Info: This includes a lot of the same information available to you in your account and activity log, including your Timeline info, posts you have shared, messages, photos and more. Additionally, it includes information that is not available simply by logging into your account, like the ads you have clicked on, data like the IP addresses that are logged when you log into or out of Facebook, and more. To download your information, go to your Settings and click Download a copy of your Facebook data. Facebook further describes all the different categories of data that are available to its users to be downloaded. For instance, a user will know what videos and pictures as well as photos metadata, credit cards, likes on other sites, political views, religious views, login-data and profile information Facebook has saved. For more detailed information, see “What categories of my Facebook are available to me?”, Facebook Help Center (2020a). 107 If one would like to find out what exact data was collected about oneself, it would also be interesting to learn about habeas data, a statutory remedy that can be found overall in countries within Latin America. For further information on habeas data, see González (2015). The abstract of this article reads as follows: Habeas data enables individuals to petition their government, and certain private entities, to learn what information has been kept on them and for what purposes, as well as to challenge, rectify, and even delete such information. With the recent revelations of the National Security Agency’s massive electronic surveillance of people throughout and beyond the United States, learning about habeas data could constitute a vital intervention for the discourse of U.S.-based legal scholars writing in English, as well as for the community of critical socio-legal scholars who affiliate with LatCrit. To both constituencies, the afterword urges attending carefully to the terrible histories that birthed habeas data, while being cognizant of their continuities with today’s “neoliberal states of insecurity and surveillance,” in order to fashion a strategic alliance capable of grounding habeas data rights within the United States Constitution. Habeas Data will be further discussed in Chap. 4, overall Sect. 4.2.1.3.
42
2 Delimitation of the Problem
It would be interesting to find out if Facebook was allowed to gather such a person’s information, especially, as these people did not agree on any terms and conditions of Facebook as they never signed up. So, if Facebook collects data on a person who is not even joining Facebook, what about those who are using fake profiles? And what about deleting a Facebook account? Does one who no longer wants to join Facebook and, therefore, deletes their profile, automatically deletes all the data? What about, for instance, the content that was posted on other user’s profiles? When it comes to deleting a profile, first of all, it has to be said that truly deleting one’s profile is not that easy as Facebook usually provides its users with the option to deactivate rather than delete their profiles. Furthermore, some of the data—such as comments posted—has to be removed by the person who wants to delete his or her profile one by one. Moreover, to delete one’s profile usually takes about 3 months.108 After all, it becomes clear that as electronic communication progresses, there is no comparison to data gathered and processed in the past that was typically retrieved through questionnaires and analyzed by an actual human being. Nowadays, the collection of data is becoming unlimited and its evaluation is getting faster and faster as it is done automatically due to data mining and text algorithms and software.109
2.5
Privacy Concerns Arising from Social Networks and the Concept of Privacy
Now that a basic description of the world wide web as well as the most important facts regarding social networks have been given and the so-called generation Facebook as well as data gathered and processed through social networks have been explained, in the following, those concerns that arise from social networks will be discussed. After giving a brief overlook of the most common problems related to social media platforms, the main focus will be on privacy concerns. It becomes very clear that one can learn a lot about others just by studying their social media profiles. Especially when combining profiles of one person on various
For further information, see “Deactivating or deleting Your Account”, Facebook Help Center (2020b). 109 See Bilgin and Wührer (2014), p. 126. There it is said: 108
The plethora of applications with its user-generated data seems to be unlimited. The fact is that available information also accessible to companies and marketing researchers and departments will increase dramatically. Data sources that will attract the attention of future international marketing researchers will be mobile data, user-generated content and text mining, social networks and path data, eye tracking, web browsing, [...].
2.5 Privacy Concerns Arising from Social Networks and the Concept of Privacy
43
social networks, one is often capable to find out more things regarding a particular person than a private investigator would have detected in previous times. And we are only talking about private individuals looking at each other’s social media profiles here, not to mention the social media platforms collecting data of their users themselves as described.110 All this easily obtained knowledge about each other’s lives because of the fact that people can post almost anything they want on social media, and they do share all kind of information no matter if it comes down to the food they like, the places they visit, their hobbies, friends and family, things they do on a regular basis or just occasionally, political opinions or religious beliefs they might have and many other subjects. So, after discussing why a person puts all this information out there and what might be the reasons behind this more and more common behavior for people from all around the globe and, especially, after getting an idea of the so-called generation Facebook,111 it comes down to the following questions: Why are there any concerns, at all, if people share and give away their information voluntarily on social media? And it should also be of interest whether there are differences between spreading information throughout social networks and any other situation when people expose their personal details voluntarily. So, if there is a difference, what exactly makes this difference? In the end, all the remarks will lead to the discussion of privacy. That is why it is essential to explore the concept of privacy. When and how was the concept of privacy developed? What does it include? And did it change over time? What are the differences from country to country or culture to culture? And what are the reasons why some countries might be treating privacy differently than other countries? Furthermore, in this context, it has to be questioned what privacy in the context of globalization and new technologies as well as terrorism means. And what about the concept of privacy when it comes to the world wide web? Overall, what about privacy particularly concerning social networks? It also has to be asked if there are real threats to privacy nowadays. Or maybe the concept of privacy only exists on paper and privacy has been banned from people’s real lives already a long time ago? How much privacy should still be left as of today? First of all, possible concerns should be uncovered and the question is why there are any concerns at all, if people share and give away their information voluntarily on social media platforms.112 What are the possible dangers to the individual or society as a whole when people spread information throughout social networks?
110
See Sect. 2.4. See Sect. 2.3. 112 To get started, it has to be pointed at Chamath Palihapitiya, a former Facebook executive who left as Facebook’s vice president for user growth in 2011. In 2017, already before the scandal involving Facebook and Cambridge Analytica, he stated: 111
44
2 Delimitation of the Problem
As of today, one can assume that the average person who makes use of electronic communications is aware of the fact that the world wide web bears a lot of dangers as one’s computer and this way, oneself can easily become a victim of malicious software programs, so-called malware, such as computer viruses, malicious computer programs such as Trojans, or computer worms.113 And there is also the threat of phishing114 one can run into to only name a few of the risks one always has to take in mind while surfing the world wide web in order to protect one’s personal data such as, for example, sensitive banking information. Furthermore, when it comes to social networks, one should know that social media platforms might mean an even bigger threat to one’s personal data.115 As already explained, social networks like Facebook are gathering and processing data big times.116 Besides, people might even share more information on those websites of social network platforms than on any other sites that can be found in the world wide web as people might feel less exposed within a social network, but rather “amongst friends”.117 It is easy to imagine that this factor comes into play when speaking of those who are after specific data of individuals. To focus particularly on social networks makes total sense when people there are even more open to give away their personal information. That would also explain why there are certain computer viruses and worms specifically created for social networks,118 and why so-called cross-site scripting119 is used on social network sites. These tools are all
“It literally is a point now where I think we have created tools that are ripping apart the social fabric of how society works. That is truly where we are,” he said. “The short-term, dopamine-driven feedback loops that we have created are destroying how society works: no civil discourse, no cooperation, misinformation, mistruth. And it’s not an American problem. This is not about Russian ads. This is a global problem.” See “Former Facebook VP says social media is destroying society with ‘dopamine-driven feedback loops’”, The Washington Post (December 12, 2017). 113 For further information on malware, see OECD (2008). 114 To give a brief explanation what phishing means, according to the dictionary it signifies: an attempt to trick someone into giving information over the internet or by email that would allow someone else to take money from them, for example by taking money out of their bank account. See Cambridge Dictionary (2020). For more detailed information on phishing, see “Phishing”, Computerworld (January 19, 2004). It has to be pointed out that in 2007, a study of the European Network and Information Security Agency (Enisa) did warn already regarding giving away too much of one’s very own private information and regarding fake friends. The study further came to 19 recommendations addressing the users of social networks and drew the conclusion that a user should only expose that amount of information he or she would share with a stranger he or she might meet walking in the streets. See “Die Gefahren des sozialen Netzes”, Der Spiegel (November 23, 2007). 116 See Sect. 2.4. 117 Id. See also Sect. 2.3. 118 Already in 2011, experts were stating that about 40% of all social network users are targets of malware referring to Facebook and Twitter, see “40% of Social Network Users Attacked by Malware”, Time (March 23, 2011). 119 Cross-site scripting has been an issue for quite a while already and Microsoft describes cross-site scripting on its website as the following: 115
2.5 Privacy Concerns Arising from Social Networks and the Concept of Privacy
45
designed to surpass a computer’s security and expose it leaving it being vulnerable or plant certain programs on a device in order to retrieve specific information. Moreover, it is pretty popular to make use of phishing-techniques that are built to get sensitive data from users of social networks.120 In addition, the sole fact that anybody can easily retrieve and use another person’s data posted on social networks, is not always pleasant as there are not only friends and family looking at one’s profile.121 There has also to be taken in mind that not only oneself, but also many others contribute to one’s very own collection of data. In many cases—especially, the more friends or followers a social network user has—it becomes quite impossible to be in control of where and when one’s face pops up on a social media site as there are, over all, so many posts and links and friends tagging each other, so that one can easily lose control of his or her very own appearance on one or more social networks. And even if one is aware of where he or she is being exposed, it is often difficult to erase, for example, one’s image or a link or a comment related to it.122 This is unfortunate if one has to deal with awkward pictures or embarrassing comments, but it really becomes a problem and in extreme cases can lead to real bullying when it comes down to, over all, reputational damage or even identity theft.123 Besides, it is pretty
Cross-Site Scripting would potentially enable a malicious user to introduce executable code of his choice into another user’s web session. Once the code was running, it could take a wide range of actions, from monitoring the user’s web session and forwarding a copy to the malicious user, to changing what’s displayed on the user’s screen. Even more seriously, the script could make itself persistent, so that the next time the user returned to the web site, the malicious user’s script would start running again. See “Information on Cross-Site Scripting Security Vulnerability”, Microsoft (February 20, 2014). Supra note 114. Furthermore, besides all the above described, it also has to be mentioned that users are often bombarded with so-called spam meaning tons of commercials while visiting their social media sites which is also more than annoying, even though not considered being a concern or thread, see “Social spam is taking over the Internet”, IT World (April 3, 2012). In the article, the author describes the phenomenon of social spam and gives a good example. He also points out that the difference of social spam compared to regular spam is that social spam— unlike, for example, email spam—is not illegal and he comes to the conclusion that this has to change. Furthermore, the phenomenon of spam has been discussed for more than a decade already and people keep on asking what one could do, see “Spam 2.0: Fake user accounts and spam profiles”, Google Webmaster Central Bog (June 26, 2009). 121 For example, a possible next employer, co-worker or even one’s insurance company could view one’s information and draw their own conclusions. 122 It has been described how difficult it is to erase a Facebook profile—especially, when it comes to content a user has been posting on a different user’s site and not on his or her own profile’s site. See Sect. 2.4. 123 For an overview on the issue of identity theft, see “Identity Theft and Social Media: How are they related?”, SecurityIntelligence (August 5, 2016). The article refers to the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) which describes identity theft as “when someone appropriates another’s personal information without their knowledge to commit theft or fraud”. 120
46
2 Delimitation of the Problem
easy to just create a new profile on any social network by using whatever name one wants to invent. Especially, celebrities or people of public interest often have to deal with fake profiles that were made by using their real names creating the illusion that the person behind it is the celebrity or the one of public interest him or herself while in reality it is someone else who, in many cases, wants to destroy a person’s reputation.124 Moreover, there are also those who are building certain profiles on social networks in order to get closer to people who they would like to get specific information from. By taking advantage of the more intimate and friendly environment often coming with social networks, these people might be able to achieve retrieving sensitive and even confidential information. This way, a trustful or unmindful user might expose in-house information related to his work and/or colleagues and employers and even corporate secrets, so that, in the worst case, it might come down to a successful business espionage.125 Besides all of the above mentioned and as already described before,126 it is also common that people become victims of mobbing as social networks are great platforms to exclude, belittle and denounce a person. This can lead to young adults even committing suicide as given an example in a previous chapter.127 Furthermore, there is the unpleasant phenomenon of stalking, too. A social network user can easily become a stalking victim if another decides to bombard him or her with countless messages and comments, likes and Emails—especially, as the stalker usually stays anonymous.128
124
Furthermore, it has to be noted that: The Federal Trade Commission (FTC) reported that debt collection, identity theft and impostor scams were the most common categories of consumer complaints received by the agency’s Consumer Sentinel Network in 2015. Identity theft complaints were the second most reported, increasing more than 47% from 2014, in part due to tax identity theft. Per the FTC, impostor scams — in which criminals impersonate someone else to commit fraud — remained the third most common complaint in 2015. Id.
There has also been the case of St. Louis Cardinals manager Tony La Russa that is worth mentioning, see “Celebrity Social Media Identity Theft Hits MLB Coach, but Can Happen to Anyone”, The Huffington Post (July 24, 2009). The article states that “There is no limit to the damage someone can do by using your name and picture in order to impersonate you online.” 125 Sometimes, the internet is even described as a “goldmine” and there has been a report that came out earlier in 2016 assuming a total amount of £144 bn only in business fraud because of the fact that fraudsters are making use of details they are retrieving from individuals online, see “Identity fraud up by 57% as thieves ‘hunt’ on social media”, The BBC (July 5, 2016). 126 See Sect. 2.2. 127 See Sect. 2.3. 128 There has already been a report warning about stalking when it comes to social media sites in 2012, see “Social networking sites fueling stalking, report warns”, The Guardian (February 1, 2012).
2.5 Privacy Concerns Arising from Social Networks and the Concept of Privacy
47
All this shows very clearly that giving away one’s information on social networks even voluntarily, and especially when it comes to very private information, could cause great damage and could even lead to psychological terror.129 And as already described, modern technology makes it so much easier to collect and process huge amounts of data of any an individual who is making use of electronic communication, so that one cannot even compare how information was spread in former times when a person was exposing personal details voluntarily. The major difference between today and back then is that even if whatever information was getting out into the world, it did not stay there forever, but was rather disappearing at a certain point. Anything that is posted online, in contrast, stays basically forever and can be found and repeated way easier than it was ever possible before the internet and social networks became that popular that they transformed into one of the main means of communication amongst human beings. That said, the subject of privacy will now be further explored. It seems as if privacy has always been of concern.130 Going back in history, it must be acknowledged that even in the Bible a number of references to privacy can be found and during the times of Classical Greece and Ancient China as well as Early Hebrew culture, the protection of privacy was important.131 But how would we define privacy today? In order to get started by giving a very brief and simple definition of privacy, one could state that private stands for “confidentiality, data protection and private sphere protection”132 and not for everyone and the Oxford dictionary defines privacy as “a state in which one is not observed or disturbed by other people” or “The state of being free from public attention”133 and as described, there must have always been the particular need for privacy as privacy is supposed to lie in human nature. At least, most people must still feel the need not to share each and every detail of their lives, their feelings and thoughts with one and another, although this concept might have changed and shifted into the direction of keeping less from the outside
129
Accordingly, giving away personal data and information voluntarily must be considered potentially dangerous behavior. The motivation of such behavior can not only be seen in the simple fact that many users of social media just do not care about their right to privacy, but must rather be found in the users’ individual circumstances like peer pressure or needs of the profession or the marketplace. The latter often leads to the question of whether one can still attract clients in a competitive profession if one lacks of presence on social media platforms. For further information on how to brand in the age of social media, see Holt (2016). Furthermore, when it comes to teenagers or young adults, social networks play an important role while developing one’s identity and way of interacting with others, see Spies, Shapiro and Margolin (2014). 130 It has to be noted that although there are, of course, cultural differences that lead to a different understanding of privacy, people must have been always caring about their privacy. 131 Privacy back then must have been understood as the right to solitude, see Hixson (1987), p. 3. See also Moore (1984). 132 Kirch (2008), Vol. 2, p. 1157. 133 Oxford University Press (2020).
48
2 Delimitation of the Problem
world for many people nowadays—especially making use of the new technologies as an easy way of communication and participating in social media sites.134 There have been several different concepts or definitions of privacy over the past and I would like to explain two of them as they were well-developed and explained in the second half of the last century and are pretty useful in order to understand the different approaches to the concept privacy.135 The first one goes back to the legal scholar and expert on privacy, Alan Furman Westin.136 In 1970, Professor Westin described privacy as: . . .the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.137
Besides, according to Professor Westin there are four different states of privacy: • • • •
solitude, anonymity, reserve, and intimacy.138
These states describe how privacy works. For example, solitude means not being watched and observed by others, while anonymity stands for not being free from identification in a public environment.139 Furthermore, Westin’s theory finds an explanation for the reason why privacy is essential by establishing four different functions of privacy:
134
See Sect. 2.3. See Stanton (2004), pp. 571–575. 136 Alan Furman Westin (October 11, 1929–February 18, 2013) was a political scientist and American legal scholar. After graduating from Harvard Law School and earning his Ph.D. in political science from Harvard University, he dedicated lots of his work to the realm of privacy. His book “Privacy and Freedom” was a groundbreaking guide and is now one of the classic textbooks on the subject of privacy. See Westin (1967). On its cover the book itself claims: 135
The first complete and authoritative study of privacy in America, including a report on the new technology of privacy invasion and the responses we have made and must make to this threat. For further information on Professor Westin, see Sparks (2020). There, it is said: Westin advocated not only that a person had a right to be left alone but also that each individual should have the autonomy to decide how much personal information would be disclosed and how and when it would be shared. 137
See Westin (1967), pp. 330–364. Id. 139 Id. 138
2.5 Privacy Concerns Arising from Social Networks and the Concept of Privacy
• • • •
49
personal autonomy, emotional release, self-evaluation, and limited and protected communication.140
So, for instance, personal autonomy signifies making one’s own choices and developing one’s own personality and individuality without being manipulated, exposed or dominated by someone else and emotional release means being able to feel and show one’s very own personal feelings without being forced to take in mind anybody else or other people’s point of views and traditions, but rather release all kinds of emotions and tensions from social demands and let go in order to relax emotionally and, this way, manage one’s every day routine even better.141 This way, Professor Westin’s theory claims that each and every individual is in need of privacy and it describes how human beings deprive others from access to their very own space for a certain period of time in order to self-protect themselves. Soon after Westin’s theory was introduced in 1970, another scholar’s theory came out. In 1975, the social psychologist Professor Irwin Altman142 described his so-called privacy regulation theory. According to this theory, privacy is: . . .the selective control of access to the self or to one’s group.
Altman understands privacy as a process of optimizing the individual him- or herself in order to manage and regulate his or her limits the way his or her aim for being in touch with as well as keeping the right amount of privacy is met. During that process, the actual level of privacy does not always match with the level of privacy one desires and therefore, a regulation is needed no matter if a verbal one or rather a non-verbal one. Altman’s concept leads to the regulation following according to the reactions of a third person regarding our very own openness and this way, privacy is not a one-way-street and the level of privacy is constantly adjusted or, as Altman says, “regulated”.143 After all, it has to be stated once again that the definition of privacy varies a lot depending on the environment and context used. Besides the two given concepts of privacy, there have been numerous other older and younger ideas as well.144 All this said, it can be stated that privacy concerns are already massive when it comes to social media sites and it is very likely that they will become even bigger in the near future, but besides the two mentioned and any other philosophical or social approaches to privacy, there still remains the major issue of whether there is a
140
Id. For more information including Westin’s definition of self-evaluation as well as limited and protected communication, see id. 142 For more detailed information on Irwin Altwin, an American psychologist, see Plous (2020). 143 See Altman (1975). 144 Id. 141
50
2 Delimitation of the Problem
general right to privacy, especially, under International Law. This leads to the following questions: Is there an actual right to privacy? And if so, what are the differences from country to country? And what are the reasons why some countries might be treating privacy differently than other countries? Furthermore, in this context, it has to be questioned what privacy in the context of globalization and new technologies as well as terrorism means—especially when it comes to the world wide web. Overall, what about privacy particularly concerning social networks? It also has to be asked if there are real threats to privacy nowadays. Maybe the privacy only exists on paper and has been banned from people’s real lives already a long time ago? How much privacy is still left? In the following chapters conflicting claims, claimants, identifications and bases of power as well as past trends in decision and conditioning factors will be further discussed in order to explore the subject of social networks in the context of privacy concerns in depth.
References Abbate J (1999) Inventing the Internet. The MIT Press, Cambridge Altman I (1975) The environment and social behavior. Brooks/Cole Publishing Company, Pacific Grove American Civil Liberties Union (2020) David Cole. Available via https://www.aclu.org/bio/davidcole. Accessed 22 Nov 2020 Augustyn A et al (2020a) E-mail. Computer science. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www.britannica.com/technology/email. Accessed 22 Nov 2020 Augustyn A et al (2020b) Joseph Carl Robnett Licklider. American scientist. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www. britannica.com/biography/Joseph-Carl-Robnett-Licklider. Accessed 22 Nov 2020 Augustyn A et al (2020c) World Wide Web. Information Network. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www.britannica.com/ topic/World-Wide-Web. Accessed 22 Nov 2020 Balleste R (2015) Internet governance. Origins, current issues, and future possibilities. Rowman & Littlefield, Lanham Bilgin Z, Wührer G (2014) International marketing compact. Linde Verlag Ges.m.b.H, Wien Cambridge Dictionary (2020) Phishing. Cambridge University Press, Cambridge. https:// dictionary.cambridge.org/us/dictionary/english/phishing. Accessed 22 Nov 2020 Centre for Retail Research (2020) Online: UK, Europe & N. America 2020 estimates. Available via Center for Retail Research http://www.retailresearch.org/onlineretailing.php. Accessed 22 Nov 2020 Chinese Academy of Cyberspace Studies (2020) World Internet Development Report 2018. Blue Book of World Internet Governance. Springer, Heidelberg Chou W, Hunt Y, Beckjord E, Moser R, Hesse B (2009) Social media use in the United States: implications for health communication. J Med Internet 11(4):e48. https://doi.org/10.2196/jmir. 1249. Available https://www.jmir.org/2009/4/e48/. Accessed 22 Nov 2020 Clement J (2020a) Facebook: number of monthly active users worldwide 2008–2020. Statista, Berlin. https://www.statista.com/statistics/264810/number-of-monthly-active-facebook-usersworldwide/. Accessed 22 Nov 2020
References
51
Clement J (2020b) Global social networks ranked by number of users 2020. Statista, Berlin. https:// www.statista.com/statistics/272014/global-social-networks-ranked-by-number-of-users/. Accessed 22 Nov 2020 Clement J (2020c) Instagram – Statistics & Facts. Statista, Berlin. https://www.statista.com/topics/ 1882/instagram/. Accessed 22 Nov 2020 Cole D (2014) We kill people based on metadata. The New York Review of Books. Rea S. Hederman, New York Dennis M (2020a) Defense Advanced Research Projects Agency. United States Government. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www.britannica.com/topic/Defense-Advanced-Research-Projects-Agency. Accessed 22 Nov 2020 Dennis M (2020b) Internet. Computer network. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www.britannica.com/technology/Internet. Accessed 22 Nov 2020 Dennis M (2020c) Tim Berners-Lee. British scientist. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www.britannica.com/biography/ Tim-Berners-Lee. Accessed 22 Nov 2020 Dixon P, Gellman R (2014) The scoring of America: how secret consumer scores threaten your privacy and your future. Available via the Federal Trade Commission https://www.ftc.gov/ system/files/documents/public_comments/2014/08/00014-92369.pdf or the World Privacy Forum http://www.worldprivacyforum.org/wp-content/uploads/2014/04/WPF_Scoring_of_ America_April2014_fs.pdf. Accessed 22 Nov 2020 Dolev-Cohen M, Barak A (2013) Adolescents’ use of instant messaging as a means of emotional relief. In: Amichai-Hamburger A (ed) Computers in human behavior, vol 29, Issue 1. Elsevier, Amsterdam, pp 58–63 ExxonMobil (2018) Our history. Available via ExxonMobil http://corporate.exxonmobil.com/en/ company/about-us/history/overview. Accessed 22 Nov 2020 Facebook (2020a) Data policy. Available via Facebook available at https://www.facebook.com/ full_data_use_policy or https://www.facebook.com/about/privacy. Accessed 22 Nov 2020 Facebook (2020b) Facebook terms and policies. Available via Facebook https://www.facebook. com/policies. Accessed 22 Nov 2020 Facebook (2020c) Information for law enforcement authorities. Available via Facebook https:// www.facebook.com/safety/groups/law/guidelines/. Accessed 22 Nov 2020 Facebook (2020d) Who we are. Available via Facebook https://about.fb.com/company-info/. Accessed 22 Nov 2020 Facebook Help Center (2020a) What categories of my Facebook are available to me? Available via Facebook https://www.facebook.com/help/405183566203254. Accessed 22 Nov 2020 Facebook Help Center (2020b) Deactivating or deleting your account. Available via Facebook https://www.facebook.com/help/www/250563911970368. Accessed 22 Nov 2020 Facebook Press Release (2020) Facebook reports second quarter 2020 results. Available via Facebook https://investor.fb.com/investor-news/press-release-details/2020/Facebook-ReportsSecond-Quarter-2020-Results/default.aspx. Accessed 22 Nov 2020 Faßmann M, Moss C (2016) Instagram als Marketing-Kanal. Die Positionierung ausgewählter Social-Media-Plattformen. Springer VS, Wiesbaden Featherly K (2020a) ARPANET. United States defense program. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www.britannica. com/topic/ARPANET. Accessed 22 Nov 2020 Featherly K (2020b) Robert Taylor. American scientist. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www.britannica.com/biography/ Robert-Taylor-American-scientist. Accessed 22 Nov 2020 Featherly K (2020c) TCP/IP. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www.britannica.com/technology/TCP-IP. Accessed 22 Nov 2020
52
2 Delimitation of the Problem
Fitzpartick T (2017) A brief history of the Internet. Available via Science Node https://sciencenode. org/feature/a-brief-history-of-the-internet-.php. Accessed 22 Nov 2020 González M (2015) Habeas data: comparative constitutional interventions from Latin America against neoliberal states of insecurity and surveillance. Chicago-Kent Law Rev 90(2). St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available via Social Science Research Network https://ssrn.com/abstract¼2694803. Accessed 22 Nov 2020 Granick J (2017) American spies. Modern surveillance, why you should care, and what to do about it. Cambridge University Press, Cambridge Grewal D (2008) Network power. The social dynamics of globalization. Yale University Press, New Haven Hafner K, Lyon M (1998) Where wizards stay up late. The origins of the Internet. Simon & Schuster, New York Hemmendinger D (2020) HTML. Computer science. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www.britannica.com/technology/ HTML. Accessed 22 Nov 2020 Hixson R (1987) Privacy in a public society: human rights in conflict. Oxford University Press, Oxford Holt D (March 2016) Branding in the age of social media. A better alternative to branded content. Harv Bus Rev. Available https://hbr.org/2016/03/branding-in-the-age-of-social-media. Accessed 22 Nov 2020 Ifrah G (2002) The universal history of computing: from the Abacus to the Quantum Computer. Wiley, Hoboken Internet Governance Forum (IGF). About IGF FAQs. Available via IGF https://www.intgovforum. org/multilingual/content/about-igf-faqs. Accessed 22 Nov 2020 Jensen M, George M, Russell M, Odgers C (2019) Young adolescents’ digital technology use and mental health symptoms: little evidence of longitudinal or daily linkages. Clin Psychol Sci 7 (6):1416–1433. Available https://journals.sagepub.com/doi/abs/10.1177/2167702619859336? journalCode¼cpxa. Accessed 22 Nov 2020 Kaiser B (2019) Targeted. The Cambridge Analytica whistleblower’s inside story of how Big Data, Trump, and Facebook broke democracy and how it can happen again. Harper, New York City Kirch W (ed) (2008) Encyclopedia of public health. Springer, Dordrecht Larson G (2020) Instant messaging. Communication. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www.britannica.com/topic/instantmessaging. Accessed 22 Nov 2020 Lasswell H, McDougal M (1992) Jurisprudence for a free society. Studies in law, science, and policy (2 vols). Martinus Nijhoff, Leiden Lasswell H, Miller J, McDougal M (1994) The interpretation of international agreements and world public order. Principles of content and procedure. The New Haven studies in international law and world public order, vol 8. Brill | Nijhoff, Leiden Mandl P (2019) Internet Internals. Vermittlungsschicht, Aufbau und Protokolle. Springer Vieweg, Wiesbaden Marwick A, Murgia-Diaz D, Palfrey J (2010) Youth, privacy, and reputation. Berkman Center for Internet & Society at Harvard University Research Publication No. 2010-5, Harvard Public Law Working Paper No. 10-29. Available via https://ssrn.com/abstract¼1588163 Accessed 22 Nov 2020 McDougal M, Lasswell H, Reisman W (1967) The world constitutive process of authoritative decision. J Legal Educ 19:253 McDougal M, Lasswell H, Chen L (1980) Human rights and world public order: the basic policies of an international law of human dignity. Yale University Press, New Haven Moore B (1984) Privacy: studies in social and cultural history. M.E. Sharpe, Inc., Armonk National Research Council et al (1999) Funding a revolution. Government support for computing research. National Academies Press, Washington
References
53
Organization for Economic Co-Operation and Development (OECD) Directorate for Science, Technology and Industry Committee for Computer and Communications Policy (2008) Malicious Software (Malware): a security threat to the Internet economy. Ministerial Background Report DSTI/ICCP/REG(2007)5/FINAL. Available via OECD http://www.oecd.org/sti/ 40724457.pdf. Accessed 22 Nov 2020 Oxford University Press (2020) Privacy. In: Lexico.com. Oxford University Press, Oxford https:// en.oxforddictionaries.com/definition/privacy. Accessed 22 Nov 2020 Plous S (2020) Irwin Altman. https://altman.socialpsychology.org. Accessed 22 Nov 2020 Press Release (2016) Facebook reports third quarter 2016 results. Available via Facebook https:// investor.fb.com/investor-news/press-release-details/2016/Facebook-Reports-Third-Quarter2016-Results/default.aspx. Accessed 22 Nov 2020 Reisman W, Wiessner S, Willard A (2007) The New Haven School: a brief introduction. Yale J Int Law 32:575–582 Shaw J (March–April 2014) Why “Big Data” is a big deal. Harvard Magazine. Available via Harvard Magazine https://www.harvardmagazine.com/2014/03/why-big-data-is-a-big-deal. Accessed 22 Nov 2020 Sparks K (2020) Alan Furman Westin. American legal scholar and political scientist. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www. britannica.com/biography/Alan-Westin. Accessed 22 Nov 2020 Spies Shapiro L, Margolin G (2014) Growing up wired: social networking sites and adolescent psychosocial development. Clin Child Fam Psychol Rev 17:1–18. Available via Springer https://doi.org/10.1007/s10567-013-0135-1. Accessed 22 Nov 2020 Stallings W (2007) Data and computer communications. Prentice Hall, Upper Saddle River Stanton J (2004) Privacy In: Bainbridge W (ed) Berkshire encyclopedia of human-computer interaction, vol 2. Berkshire Publishing Group, Massachusetts, pp 571–571 Sunyaev A (2020) Internet computing. Principals of distributed systems and emerging Internetbased technologies. Springer, New York Sutton C (2020) CERN, European research laboratory. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www.britannica.com/topic/CERN. Accessed 22 Nov 2020 Taulli T (2012) How to create the next Facebook. Seeing your startup through, from idea to IPO. Apress, New York The Association for Information Science and Technology (2020) Howard Hathaway Aiken. Available via The Association for Information Science and Technology https://www.asist.org/ pioneers/howard-hathaway-aiken/. Accessed 22 Nov 2020 The London School of Economics and Political Science (LSE) (2017) Social media platforms and demographics. Available via LSE https://info.lse.ac.uk/staff/divisions/ communications-division/digital-communications-team/assets/documents/guides/A-Guide-ToSocial-Media-Platforms-and-Demographics.pdf. Accessed 22 Nov 2020 Twitter (2020) Our company. Available via Twitter https://about.twitter.com/en_us/company.html. Accessed 22 Nov 2020 U.S. Chamber of Commerce Foundation (2012) The millennial generation research review. Available via U.S. Chamber of Commerce Foundation https://www.uschamberfoundation.org/ reports/millennial-generation-research-review. Accessed 22 Nov 2020 Westin A (1967) Privacy and freedom. Scribner, New York WhatsApp (2020) About WhatsApp. Available via WhatsApp https://www.whatsapp.com/about/. Accessed 22 Nov 2020 Wiessner S (1999) Professor Myres Smith McDougal: a tender farewell. St Thomas Law Rev 11:203 Wiessner S (2010) The New Haven School of Jurisprudence: a universal tool-kit for understanding and shaping the law. Asia Pacific Law J 18:46
54
2 Delimitation of the Problem
Wiessner S, Willard A (2004) Policy-oriented jurisprudence. In: Reisman W, Arsanjani M, Wiessner S, Westermann G (eds) International law in a contemporary perspective, 2nd edn. Foundation Press, Eagan Wilde E (1999) World Wide Web. Technische Grundlagen. Springer, Heidelberg Wood M, Bukowski W, Lis E (2016) The digital self: social media serves as a setting that shapes youth’s emotional experiences. Adolescent Res Rev 1:163–173. Available via Springer https:// doi.org/10.1007/s40894-015-0014-8. Accessed 22 Nov 2020
Chapter 3
Conflicting Claims, Claimants, Identifications and Bases of Power
After exploring the basic facts of the internet and social networks, the individual user and data that is constantly collected as well as basic facts on the concept of privacy and privacy concerns arising from social networks by following the New Haven methodology,1 the focus of this chapter shifts to the question of who are the different claimants and bases of power when it comes to social networks. What are the claims that are made in favor and against the usage of social networks? Should one vote for an unbounded development of social networks? Or are new rules and regulations necessary? What are the specific arguments made in favor of regulation? In order to get started, the question regarding possible claimants will be answered by listing the obvious claimants in the subject at hand: States There are the states with their governments. The Individual Then, there is the individual who participates in social media or, in contrast, might rather refuse to be part of any social network. Social Networks Of course, the social networks themselves have to be named as potential claimants.
1 In order to give more detailed information on the New Haven School of Jurisprudence, see Reisman et al. (2009), pp. 575–582 as well as Wiessner (1999), p. 203 and Lasswell and McDougal (1992). It has to be noted once again that the New Haven Approach especially pays attention to the eight values of a world order of human dignity that are reflected in different articles of the 1948 Universal Declaration of Human Rights meaning “affection, enlightenment, power, rectitude, respect, skill, wealth and well-being”, see McDougal et al. (1980). See also Wiessner and Willard (2004), p. 30 and Wiessner (2010), p. 46. For further information on the New Haven Approach, its beginnings and vision, see Chap. 1.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 V. Kirch, Social Networks - The Modern-Day Family, https://doi.org/10.1007/978-3-030-68651-2_3
55
56
3 Conflicting Claims, Claimants, Identifications and Bases of Power
Other Businesses Also, other firms like advertisers that might be involved in or benefitting from social networks have to be considered being claimants.2 So, when looking at these claimants, what could be their possible claims? And would the different claims be in conflict with one another?
3.1
The Claim to Freedom of Communication and Access to Information
The claims to freedom of communication and access to information are not only enhanced by social media platforms like Facebook or Twitter, but are also very much claimed by its users as freedom of communication and access to information make social networks attractive in the first place.3 Accordingly, social networks as well as their users would argue that privacy concerns cannot be as important as the right of the individual to have “freedom online” being part of the individual’s self-realization or self-governance.4
2 There are not only those firms that are going into business with social networks by posting their commercials, but also companies that use the data collected through social networks in different ways. One of the most prominent and recent examples is the firm Cambridge Analytica that dealt with millions of Facebook’s users by examining their personal data. For more information on the events in 2018 involving Cambridge Analytica, see Kaiser (2019). 3 For further information on the younger generation in regards to social networks, see Sect. 2.3. See also Watkins (2010). 4 To be “free online” has been promoted for a long time already and there is even the Freedom Online Coalition (FOC) that consists of 32 governments including lots of countries in Europe like France, Germany, or Spain as well as Argentina, Australia, Canada or the United States of America. Nevertheless, it has to be pointed out that the mission of the FOC that was founded in 2011 is to “work together to support Internet freedom and protect fundamental human rights – free expression, association, assembly, and privacy online – worldwide.” Accordingly, all member states acknowledge that human rights have to be same offline and online and they all joined the “Freedom Online: Joint Action for Free Expression on the Internet”, the founding document of their coalition. In addition, the coalition released other statements as for example, the “Freedom Online Coalition Statement on COVID-19 and Internet Freedom”. The statement reads as the following:
The Freedom Online Coalition (FOC) is a group of 31 countries deeply committed to the promotion and protection of human rights and fundamental freedoms proclaimed in the Universal Declaration of Human Rights (UDHR). We believe that the human rights and fundamental freedoms that individuals have offline must also be protected online. We are committed to working together to support Internet freedom for individuals worldwide – including the freedoms of expression, association, peaceful assembly, as well as privacy rights online. The FOC shares the concerns of people everywhere in the face of the COVID-19 global pandemic, [. . .]
3.2 The Claim to Economic Benefit
3.2
57
The Claim to Economic Benefit
Furthermore, there is the claim to economic benefit for the social media companies as well as for advertisers and the individual users who could be described as “internet business people”.5 Accordingly, there are many different economic motivations that are to be considered when it comes to social networks like Facebook. The claim to economic benefit applies to social networks as they are making money with the information retrieved from their users as well as with often personalized ads and news posted on their websites6 and the same applies to many other firms that are engaged in social networks.7 This way, it only seems logical that these
Furthermore, the FOC is concerned by the spread of disinformation online and activity that seeks to leverage the COVID-19 pandemic with malign intent. This includes the manipulation of information and spread of disinformation to undermine the international rules-based order and erode support for the democracy and human rights that underpin it. Access to factual and accurate information, including through a free and independent media online and offline, helps people take the necessary precautions to prevent spreading the COVID-19 virus, save lives, and protect vulnerable population groups. [. . .] For further information on the FOC, see “About us”, FOC (2020). For the complete version of the Freedom Online Coalition Statement on COVID-19 and Internet Freedom, see FOC (2020). 5 There is, overall, the so-called Instagram phenomenon meaning an individual who can easily make US $ 10,000.00 or more by simply posting photographs and sharing certain information and not to forget those individuals who are building their business on social media. See Sect. 2.3. In this context, it has to be pointed at the example of Chiara Ferragni who earns Millions of Dollars posting pictures on the Social Network Instagram, see Sect. 2.2. In order to better understand how individual can succeed in the online world, see “8 Successful Online Entrepreneurs You Should Be Following”, Entrepreneur (April 8, 2015). 6 Not only is Facebook’s business model based on collecting data from its users, but also Facebook’s CEO Mark Zuckerberg just recently stated that his social network even collects data on non-users, see “Zuckerberg Says Facebook Collects Internet Data on Non-Users”, Bloomberg News (April 11, 2018). In addition, Facebook’s business model is, overall, built on providing individualized advertisements to its users as the social network earns money based on revenues coming from those advertisements posted on Facebook’s websites. For further information on Facebook’s business model, see “Why Facebook Will Never change Its Business Model”, Forbes (2018). There Professor Colin writes: “Facebook has compelling reasons to be committed to its current business model. It is therefore disingenuous and gallingly inaccurate for Zuckerberg to justify his company’s business practices by comparing Facebook with “a lot of media, having an advertisingsupported model as the only rational model that can support building this service to reach people.” In reality, Facebook has hollowed out the readership and drained the advertising revenues from media companies, causing many to shift to subscription-based revenue sources for survival.” 7
Supra note 2.
58
3 Conflicting Claims, Claimants, Identifications and Bases of Power
firms would follow Facebook’s line of argument—overall, claiming the right of any individual of self-realization or self-governance and therefore, voting against any type of state-regulation.8 In addition, the claim to economic benefit applies as well when it comes to the individual who often benefits form social media through e-commerce by blogging, influencing or posting on platforms like Instagram.9
3.3
The Claim to Privacy and Data Autonomy
States could refer to the claim to privacy and data autonomy when creating new government regulation in the field. Nevertheless, the claim to privacy and data autonomy would most likely be promoted by the individual who seeks autonomy regarding his or her personal data including the right to be forgotten.10 Accordingly, the individual would claim, overall, to have control over his or her personal data and personal information and fight any policy mandated by a government, often under the banner-cry of security.11 Furthermore, the individual would also claim the right to have “freedom online” as part of the right to self-realization or self-governance,12 which leads to the next claim, the original claim to unlimited freedom of the internet.
8 Nevertheless, it also has to be mentioned that social networks have just recently asked for the help of a government as their own self-regulation practices have proved to be insufficient. This statement goes back to Facebook as Facebook has asked or, at least, allowed governmental regulation when Mark Zuckerberg had to testify in front of the U.S. congress regarding Facebook’s data leak involving the British firm Cambridge Analytica in April of 2018. In this context, see “Mark Zuckerberg Is Literally Asking Congress To Regulate Facebook”, The Huffington Post (March 22, 2018). 9 Supra note 5. 10 The right to be forgotten means that in certain cases, one should be able to have private information removed from the internet. For more information on the right to be forgotten, see Werro (2020). Furthermore, Chap. 4 is discussing the right to be forgotten, its history and scope in detail. 11 In order to decide on whether one is in favor of social networks or not and in order to come to a conclusion regarding to what extend one prefers to join this new form of electronic communication, privacy aspects and concerns should play an important role in making up one’s mind. While some might claim their right of self-determination asking for unlimited access to all information online and the sovereignty of their personal information in order to be granted the use of social networks without any interference of governments, others might rather argue in favor of state-regulation in order to be better protected against possible threats arising from social networks. For further information, see Solove (2013). 12 See supra note 4. It should further be noted that in an ideal world, each state would provide its citizens with the adequate protection of human rights making sure that the individual’s as well as the communities’ rights are guaranteed—especially, as one should understand human rights as a minimum standard of
3.5 The Claim to Protect National and International Security
3.4
59
The Claim to Unlimited Freedom of the Internet
The original claim to unlimited freedom of the internet without any regulation can almost no longer be found. States, as well as the individual, are increasingly aware of the fact that social media needs regulation.13 Even social networks like Facebook themselves sometimes ask for help, when their own self-regulation practices have proved to be insufficient.14 There is basically only the Electronic Frontier Foundation left, a pioneer entity of the Internet,15 that would ask for unlimited freedom of the Internet leaving no space for governmental regulation.
3.5
The Claim to Protect National and International Security
States and its governments would very likely claim that they have plenty of duties and responsibilities towards their citizens. Following John Locke’s mandate for governments to protect the individuals’ liberty and property in a liberal, democratic state,16 governments have to address the threats to privacy coming from social Networks and the fight over the control over personal information as countervailing claims to protect citizens against security threats posed by individuals and groups.17 National and individual security have to be guaranteed, privacy granted, and defamation of the individual prevented. All these claims lead to the state governments
a life in dignity that all states have agreed on granting to each and every of their citizens and their communities. 13 That is why, governments have been passing more and more laws in order to regulate social networks. For a more detailed discussion on this subject matter, see Chap. 4. 14 See supra note 8. 15 To get an idea of what the Electronic Frontier Foundation (EFF) is, this foundation states on its website: The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world. Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. We work to ensure that rights and freedoms are enhanced and protected as our use of technology grows. [. . .] Today, EFF uses the unique expertise of leading technologists, activists, and attorneys in our efforts to defend free speech online, fight illegal surveillance, advocate for users and innovators, and support freedom-enhancing technologies. For further information on EFF, see “About EFF”, EFF (2020). For further information on John Locke and his points of view when it comes to the duties of politicians, see Woolhouse (2009) and Tuckness (2020). 17 To give an example, there is, the threat of terrorist attacks committed by individuals as well as by groups. 16
60
3 Conflicting Claims, Claimants, Identifications and Bases of Power
claim of regulating social networks as well as accessing individual’s data collected through social networks in order to grant the individual security on the national as well as on the international level. The latter could include claims to protect the political processes of one country from interference by the outside.18 After giving a brief idea of the possible conflicting claims that might arise in the context of social networks, a list of some of the bases of power for the different claimants need to be presented: States The states with their governments would have, overall, the right and power as well as the responsibility to pass certain rules and regulations in order to regulate social networks and protect its citizens.19 By doing so, government regulation might be needed in order to protect both privacy and security, so that security measures might be balanced with considerations of privacy. The Individual One might think that the individual is the claimant with the strongest base of power, as he or she has the ability to decide whether to release any personal information or rather keep this information to him or herself. Unfortunately, it is not always as easy as that for different reasons. Often, a person who shares information on social media considers his or her data protected by personal privacy, only to later find out that this was not the case. Furthermore, the motivation of giving away personal data and information voluntarily can not only be seen in the simple fact that many users of social media just do not care about their right to privacy, but must rather be found in the users’ individual circumstances like peer pressure or needs of the profession or the marketplace. The latter often leads to the question of whether one can still attract clients in a competitive profession if one lacks of presence on social media platforms.20 This is why, the base of power of the individual that seems to be a pretty strong one, might not be as powerful as one might think at first. Social Networks In contrast, the social networks themselves, especially those as omnipresent as Facebook in most peoples’ everyday lives, seem to be most powerful, as they possess all the information that has already been gathered and they could make use of it. Looking at recent events—overall, at the scandal surrounding Cambridge Analytica, it becomes clear that Facebook cannot be ignored by any state, and that is
In this context, Russian “troll factories” are what immediately come to one’s mind. For a better understanding on how Russian troll factories operate, see “Russian trolls can be surprisingly subtle, and often fun to read”, The Washington Post (March 8, 2019). 19 For example, a law could be passed that includes penalties such as a fine in case a social network does not comply with the law. 20 For further information on how to brand in the age of social media, see Holt (2016). For a more detailed description of users of social media platforms who are giving away personal data and information voluntarily, see Sect. 2.5. 18
References
61
why Facebook’s CEO, Mark Zuckerberg, as well as other representatives, have been communicating with the political leaders of many countries in the past, as these countries request Facebook to get in touch in order to find suitable solutions to rising problems.21 Other Businesses Also, other firms, like advertisers that are linked to social media platforms, have gained enough personal data and information in the past that this collection of information and data must be seen as a base of power they can make use of. That is why, not only when it comes to social networks being a claimant, but also when it comes to the claimant that consists of other firms like advertisers, government regulation might be needed in order to protect both privacy and security of the individual. In the following chapter, the subject of privacy concerns in the context of electronic Communications including social networks will be further exposed, and past trends in decision, overall, government regulation in the field, will be analyzed.
References Holt D (March 2016) Branding in the age of social media. A better alternative to branded content. Harv Bus Rev. Available https://hbr.org/2016/03/branding-in-the-age-of-social-media. Accessed 22 Nov 2020 Kaiser B (2019) Targeted. The Cambridge analytica whistleblower’s inside story of how big data, trump, and Facebook broke democracy and how it can happen again. Harper, New York Lasswell H, McDougal M (1992) Jurisprudence for a free society. studies in law, science, and policy (2 vols). Martinus Nijhoff, Leiden McDougal M, Lasswell H, Chen L (1980) Human rights and world public order: the basic policies of an international law of human dignity. Yale University Press, New Haven Reisman W, Wiessner S, Willard A (2009) The New Haven school: a brief introduction. Yale J Int Law 32:575–582 Solove D (2013) Nothing to hide. The false tradeoff between privacy and security. Yale University Press, New Haven The Electronic Frontier Foundation (EFF) About EFF. Available via EFF https://www.eff.org. Accessed 22 Nov 2020 The Freedom Online Coalition (FOC) (2020) The Freedom Online Coalition Statement on COVID19 and Internet Freedom. Available via U.S. Department of State https://www.state.gov/ freedom-online-coalition-statement-on-covid-19-and-internet-freedom/. Accessed 22 Nov 2020 The Freedom Online Coalition (FOC) About us. Available via FOC https://freedomonlinecoalition. com/about-us/about/. Accessed 22 Nov 2020
21 To give an example, in April of 2018 Mark Zuckerberg had to testify in front of the U.S. congress regarding Facebook’s latest data leak, see “Mark Zuckerberg faces tough questions in two-day congressional testimony – as it happened”, The Guardian (April 11, 2018). Nevertheless, it also has to be mentioned that social networks have just recently asked for the help of a government as their own self-regulation practices have proved to be insufficient, see supra note 8.
62
3 Conflicting Claims, Claimants, Identifications and Bases of Power
Tuckness A (2020) J. Locke’s political philosophy. In: Zalta E (ed) Stanford Encyclopedia of Philosophy, Stanford. https://plato.stanford.edu/archives/win2020/entries/locke-political/. Accessed 22 Nov 2020 Watkins S (2010) The young and the digital. What the migration to social network sites, games, and anytime, anywhere media means for our future. Beacon Press, Boston Werro F (2020) The right to be forgotten. A comparative study of the emergent right’s evolution and application in Europe, the Americas, and Asia. Springer, Berlin Wiessner S (1999) Professor Myres Smith McDougal: a tender farewell. St Thomas Law Rev 11:203 Wiessner S (2010) The New Haven school of Jurisprudence: a universal tool-kit for understanding and shaping the law. Asia Pacific Law J 18:46 Wiessner S, Willard A (2004) Policy-oriented Jurisprudence. In: Reisman W, Arsanjani M, Wiessner S, Westermann G (eds) International law in a contemporary perspective, 2nd edn. Foundation Press, Eagan Woolhouse R (2009) Locke. A biography. Cambridge University Press, Cambridge
Chapter 4
Past Trends in Decision and Conditioning Factors
In what follows, a broader look at the subject of social networks and privacy concerns will be taken from a legal point of view. After a general overview of the most common problems related to social media platforms and to privacy concerns, as well as of conflicting claims, claimants, identifications and bases of power, has been given,1 past trends in decision and conditioning factors have to be discussed in order to elucidate the legal responses to this problem. All the examples regarding the issues concerning social networks that have been already explained2 show that when it comes down to engaging in on-going discussions on specific concerns related to social media sites, the subject of privacy always comes into play. This leads us to the following questions: What decisions have been made in the past that allow the development of social network platforms? And what laws and regulations have been enacted to respond to the claims made above all, when it comes to privacy concerns?3 Do these controversies lead to certain results? Do people draw their conclusions and come to specific standpoints? And does anybody defend these opinions? And if so, how? Have there been any laws and regulations that have been drafted or even passed and entered into force? Did countries implement laws and court decisions? And what about International Law and Jurisdiction? And if there has been a legislative framework, did it actually matter? Does it fulfill its purpose? Can it keep up with today’s constantly developing technologies? Or are
1
See Chaps. 1–3. See Chap. 2. 3 It is clear that it is always of upmost importance to understand the history of a certain subject in order to comprehend the presence. For more information on how important the historical background is when it comes to an agreement process, see Lasswell et al. (1994), p. 3. See also McDougal et al. (1967). 2
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 V. Kirch, Social Networks - The Modern-Day Family, https://doi.org/10.1007/978-3-030-68651-2_4
63
64
4 Past Trends in Decision and Conditioning Factors
there gaps when it comes to the protection of privacy because of new problems arising from new technical developments basically every day?
4.1
The General Legal Protection of Privacy
As already pointed out, when it comes to the term privacy, it is not easy to find a common definition, and there have been all kinds of discussions over time and over societies and cultures, but privacy is still pretty hard to define. There is not one universal or single definition, but rather a variety of different understandings and concepts of privacy.4 Yet, it may be said that there have not only been concepts of privacy that have been developed, but also a general right to privacy. In 1890, an article was written and published by Samuel Dennis Warren and Louis Dembitz Brandeis claiming exactly this, the recognition of the right to privacy, arguing that “the elasticity of our law, its adaptability to new conditions, the capacity for growth, which has enabled [our law] to meet the wants of an ever-changing society and to apply immediate relief for every recognized wrong, have been its greatest boast.”5 And there are those who are of the opinion that the right to privacy is a necessity for a modern democratic society, not just the individual. For example, the political scientist Priscilla Reagan argues that “[m]ost privacy scholars emphasize that the individual is better off if privacy exists; I argue that society is better off as well when privacy exists. I maintain that privacy serves not just individual interests but common, public and collective purposes.”6 Nevertheless, there are also others who are of the opinion that no special recognition is needed when it comes to privacy, as a concept or as to the right to privacy. Especially the so-called “reductionists” do not recognize the right to privacy, as their theories claim that it is simply not needed because there are already many other rights and interests that cover whatever would possibly fall under a general right to privacy.7 4
See Brierley Newell (1995), p. 87 and Brierley Newell (1998), p. 357. For an overview of current privacy laws, see Solove and Schwartz (2017). 5 See Warren and Brandeis (1890), pp. 193–220. Both authors were attorneys from Boston and Louis Dembitz Brandeis was also sitting on the Supreme Court of the United States in between 1916 and 1939, see Duignan (2020). 6 See Regan (1995). For more general information on whether the right to privacy is a necessity for a modern democratic society, see Westin (1970), pp. 330–364. 7 See, for example, Thomson (1975), pp. 295–314. This philosopher states that: the right to privacy is itself a cluster of right, and that is not a distinct cluster of rights but itself intersects with the cluster of rights which the right over the person consists in and also with the cluster of rights which owning property consists in. Also see McCloskey (1980), p. 37. Furthermore, legal scholar Harry Kalven Jr. states that:
4.1 The General Legal Protection of Privacy
65
Furthermore, there are feminists who criticize the recognition of the right to privacy as they argue that women might be deprived of participating in everyday life—particularly activities in politics and legal matters—as soon as the realm of privacy is reserved to them, especially because of the separation of public from private spheres.8 By reserving the private sphere to women, women could easily become more and more isolated from and less powerful in the public sphere that could be described as public life or life within the society. Moreover, some even argue that because of separating the public from the private sphere and the establishment of freedom of intrusion into that private sphere plus the fact that the private sphere is the one assigned to womanhood, the private sphere turns into one that is not regulated and, therefore, a sphere where women as well as children could easily be dominated and controlled, silenced or even become victims of abuse.9 This way, it becomes obvious that gender violence may even thrive in the protection of the privacy of a home. But there are also those feminists and legal scholars who are in favor of the right to privacy, as they see the benefits for women rather than the possible gender subordination in this context.10 And many of them also promote the separation of the public from the private sphere as this creates a sphere where one is autonomous and free from public intervention—especially, from governmental intrusions.11 After all, it can be said that most theorists still consider privacy a valuable concept and therefore, also recognize a right to privacy. Nevertheless, it still seems pretty hard to come to a universal definition of the right to privacy as the term can be understood in a narrow or a very broad fashion.12 But no matter what one’s opinion on privacy or the necessity for a right to privacy is, it can be stated that the subject of privacy has become one of today’s most important concerns. So, a right to privacy, obviously, would mean that privacy has to be legally protected. And in order to be able to do so, the concept of privacy, once again, comes into play as privacy has to be somehow defined in order to fall under any legal protection. So, while searching for a definition, a clear and meaningful concept of privacy is needed. As the ideas and findings surrounding a general concept of privacy have already been presented,13 in the following, the right to privacy and the general legal
privacy seems a less precise way of approaching more specific values, as for example in the case of freedom of speech, association and religion. See Kalven Jr (1966), pp. 326, 327. See Higgins (2000), pp. 847, 857–858. For further information, see Schneider (2000), pp. 87–88 Ackelsberg and Shanley (1996), p. 216. 9 See McKinnon (1989), pp. 187–194. For more information, see Gordon (1990), p. 191. 10 Albertson Fineman (1999), pp. 1207–1224. 11 For more information, see Allen (1996), pp. 193–203. 12 See Chap. 1. 13 See Chap. 1 and supra note 4. 8
66
4 Past Trends in Decision and Conditioning Factors
protection of privacy should be further delimited, not only in reference to domestic, but also to international law. First of all, and in order to establish any kind of legal protection, the right to privacy should be defined. So, to give a very brief definition of the right to privacy, one could say that the right to privacy is the “right to be left alone.”14 Others state that privacy “might be described as autonomy within society.”15 This way, the right to privacy would involve a number of different things—for instance, personal autonomy, freedom from surveillance, control over one’s personal information or integrity of one’s home.16 Also, a right to privacy must be linked to the right to secrecy as it seems to be impossible to guarantee a right to privacy without at the same time granting the right to secrecy.17 As a result, the right to privacy could be defined as “the right to keep a sphere of our lives away from government intrusion, and away from the intrusion by others with whom we do not want to share certain aspects of our lives.”18 And what about the general legal protection of privacy in reference to domestic law?
4.1.1
Domestic Law
When speaking of domestic law, it has to be noted that in most of the states around the globe, the law distinguishes between a public and a private realm and governments are usually not supposed to interfere with the private realm if their country’s law does not explicitly allow this. And it has to be noted that, as of today, almost every country’s constitution worldwide recognizes a right to privacy.19 Of course, the constitution’s provisions differ from one another, but most of them while referring to privacy involve the right of secrecy of communications as well as the 14
See supra note 5 at 193. Hirshleifer (1980), pp. 649–664. 16 It was stated that privacy is a “generic term encompassing various rights recognized . . . to be inherent in the concept of ordered liberty.” See Katz v. U.S., 389 U.S. 347, 350 (1967) and see also Industrial Foundation of the South v. Texas Industrial Accident Board, 540 S.W.2d 668, 679 (1976). 17 The right to secrecy should be understood as the right to cut or, at least, avoid others to know everything about oneself. One should stay in control of the information about oneself that is out there in the world. For further explanation regarding the right to secrecy, see Cavoukian and Tapscott (1997), p. 9. 18 See Rengel (2013), p. 35. 19 For an overview of the protection around the globe, see id. at 203–255. It has to be noted that there are also those countries where the right to privacy is not explicitly referred to in the constitution— for example, in Ireland, India or the United States. Nevertheless, the judiciary has found the right to privacy either implied in the Constitution with respect to certain factual constellations, as in the United States, or in statutes or other legal prescriptions outside the country’s constitution. 15
4.1 The General Legal Protection of Privacy
67
right of inviolability of the home.20 Besides, those constitutions that were just recently adopted even include rights of access to and control of one’s personal information. To give an example, the Constitution of the Dominican Republic21 states in its Article 44: Right to privacy and to personal honor All people have the right to privacy. The respect and non-interference into private and family life, the home and private correspondence are guaranteed. The right to honor, good name, and one’s own image are recognized. All authorities or individuals who violate them are obligated to compensate or repair them in accordance with the law. Thus: 1) The home and domicile and all private premises of the person are inviolable, except in ordered cases, in accordance with the law, by the appropriate judicial authority or in cases of flagrante delicto; 2) All persons have the right to access to the information and facts about them or their property that reside in official or private registers, as well as to know the destination and the uses of the same, with the limitations fixed by law. Treatment of personal facts or information or that regarding property shall be made respecting the principles of quality, lawfulness, loyalty, security, and finality. One may solicit the updating, oppose the treatment, rectification, or destruction of that information that illegitimately affects his rights from before the appropriate judicial authority; 3) The inviolability of private correspondence, documents, or messages in physical, digital, electronic, or all other formats is recognized. They may only be taken, intercepted, or searched by order of a appropriate judicial authority through legal proceeding in the substantiation of matters that are made public in the case and preserving the secrecy of private matters that are not related to the corresponding process. The secrecy of telegraphic, telephonic, cable, electronic, teleprocessing communication or that established by another mode is inviolable, unless by authorities authorized by a judge or appropriate authority, in accordance with the law; 4) The management, use, or processing of data and information of official character gathered by authorities tasked with the prevention, prosecution, and punishment of criminal may only be processed or communicated to public registers, after the opening of a trial has intervened, in accordance with the law.22
20
Id. See Constitution of the Dominican Republic (2015). Also, the previous constitution of the Dominican Republic from 2010 established rights of access to and control of one’s personal information. It has to be noted that the Dominican Republic has had almost 40 different constitutions in less than 180 years since the country became independent in 1844 and this way, is holding the world record when it comes to the number of constitutions. For further information, see Marsteintredet (2020). 22 In addition, the Constitution of the Republic of Ecuador, National Assembly, Legislative and Oversight Committee, published in the Official register, October 20, 2008, also grants rights of access to and control of one’s personal information in several provisions: 21
Tit. III, Ch. II, Art. 18, All persons, whether individually or collectively, have the right to: [. . .]
68
4 Past Trends in Decision and Conditioning Factors
In addition, it must be pointed out that in most countries, the starting point of a right to privacy were other rights addressing specific privacy issues until the actual right to privacy was particularly recognized and subject of legal disputes to be finally incorporated into legal codes, laws and countries’ constitutions. And it has to be noted that no matter if nowadays most countries’ constitutions refer to a right to privacy or address the issue somehow in their provisions, the right to privacy did not necessarily develop the same way, but was rather shaped by each and every national legal system as well as the countries’ specific rules and process of developing new laws and, of course, different people’s different needs. And, as of today, the right to privacy is not only incorporated into most constitutions, but also into the countries’ jurisprudence and their general law—especially, if it comes to a country without a written constitution.23 It must be further mentioned that, in many countries, there have numerous laws that have been passed that focus on the protection of a person’s individual privacy, so that some scholars even speak about a “movement towards comprehensive privacy and data protection laws.”24
2. Gain access freely to information generated in public institutions or in private institutions that handle State funds or perform public duties. There shall be no confidentiality of information except in those cases expressly provided for by the law. In the event of a violation of human rights, no public institution shall refuse to provide the information. [. . .] Ch. VI, Art. 66, The following rights of persons are recognized and guaranteed:[. . .] 11. The right to confidentiality about one’s convictions. No one can be obliged to make statements about these convictions. In no case shall it be possible to require or use, without the authorization of the holder or his/her legitimate representatives, personal or third-party information about one’s religious beliefs, political affiliation or thinking, or data about one’s health or sexual life, unless required for medical care. [. . .] 19. The right to protection of personal information, including access to and decision about information and data of this nature, as well as its corresponding protection. The gathering, filing, processing, distribution or dissemination of these data or information shall require authorization from the holder or a court order. 20. The right to personal and family intimacy. 21. The right to inviolability and secrecy of hard-copy and on-line correspondence, which cannot be retained, opened or examined, except in those cases provided by law, after court order and under the obligation to uphold the confidentiality of matters other than those motivating their examination. This right protects any type or form of communication. 22. The right to the inviolability of one’s domicile. It shall not be possible to enter the house of a person or conduct inspections or searches without their authorization or a court warrant, except in matters of felonies, in those cases and forms provided for by law. See Constitution of the Republic of Ecuador (2008). A country that lacks of a written constitution usually includes the protection of privacy by all kind of legal norms—for example, through statuary protections, evidentiary codes or procedural rules. One of the countries that does not have a written constitution is the United Kingdom. See Krotoszynski (1990), pp. 1398, 1401. 24 See Marcella Jr and Stucki (2003), p. 72. 23
4.1 The General Legal Protection of Privacy
69
It can be said that countries from around the world started to create laws based on the protection of individual privacy since the early 1970s.25 Thus, the protection of privacy can be seen as a very common part of most of today’s countries’ legal framework. In order to further explore the protection of privacy when it comes to domestic law, in the following, I will take a look at different countries—such as the United States of America, the Federal Republic of Germany and the United Kingdom as well as some other examples from within the European Union and Latin America.
4.1.1.1
The United States of America
When it comes to the United States of America, it must be mentioned that, as of today, people—no matter if celebrities, public figures or just a person being part of any public debate—seem to simply have to deal with paparazzi being allowed to discover and expose any private facts even without the people’s consent as the right of the press as well as the right to freedom of speech are usually overtaking any attempt to enforce the right to privacy.26 So, how much is the right to privacy worth in the United States and where can it be found in U.S. laws and jurisprudence? First of all, it has to be noted that The Constitution of the United States of America27 does not employ the term “privacy” anywhere. Yet, the founding 25
Id. When it comes to the First Amendment of The Constitution of the United States of America, the Constitutional protection, overall the right of free speech, is a pretty strong one. Although, of course, the right of free speech is not without a limit—U.S. courts have established certain rules that guarantee the right to privacy in specific contexts—in many cases, the courts do not rule in favor of the right to privacy if a case involves the First Amendment. 27 The Constitution of the United States of America is being considered the fundamental law of the United States government meaning the federal system of government. This constitution was, overall, designed to provide and grant liberty to all citizens and limit the government’s power. Not only does the Constitution of the United States of America lists the basic rights of U.S. citizens, but also does it establish the principal organs of the U.S. government as well as their jurisdictions. In this context, the system of separation of powers has to be pointed out. This political doctrine leads to keeping the three branches of government, meaning the executive, judicial and legislative branch, separate in order to avoid any kind of abuse of power. It is also often called the system of checks and balances as each of the branches has certain powers in order to check and balance each branch against the other branches. Together with the guarantees of liberty for the U.S. citizens, balance between liberty and authority was supposed to be created. This balance can be seen as the upmost goal of American Constitutional Law. The Constitution of the United States of America was drafted in Philadelphia, Pennsylvania, by delegates of a Constitutional Convention in the summer of 1787 and entered into force on March 4, 1789. It is the oldest written national constitution that is still in use and can be seen as a landmark document of the Western world. As of today, since the constitution entered into force, the U.S. Congress has proposed thirty-three amendments and the states have ratified twenty-seven of them, so that the constitution consists of twenty-seven amendments. It has to be noted that the first ten amendments, also known as the Bill of 26
70
4 Past Trends in Decision and Conditioning Factors
documents, meaning the Declaration of Independence28 and the Constitution of the United States, refer to inalienable rights such as the right to liberty29 and the pursuit of happiness.30 Furthermore, as the constitution should be understood as a living document being made in order to adapt to any type of changes—especially, when it comes to new technologies that are developing faster and faster each day31—it should not matter if the right to privacy is explicitly or directly mentioned either in these founding documents or in any other statutes, laws and regulations, as the right to privacy must rather enjoy a certain recognition either way. In this context, it must be noted that the assertion that the Constitution of the United States should be understood as a living document is highly contested in today’s constitutional jurisprudence as, especially in light of today’s composition of the Supreme Court, one cannot overlook the jurisprudence of textualism and original intent.32 Nevertheless, there are also other tendencies in constitutional theory that need to be mentioned too. For example, there has been Chief Justice John Marshall, who stated in the early nineteenth century in the case McCulloch v. Maryland already the following: We must never forget that it is a constitution we are expounding. . . intended to endure for ages to come, and consequently, to be adapted to the various crises of human affairs.33
It can be said that, although there are new tendencies that do not recognize the Constitution of the Unites States as a living document, but rather promote that any Rights, were adopted and ratified at the same time. And four of the six amendments that were not ratified could still be ratified in the future. For further information, see Augustyn et al. (2020a). For the complete document, see The Constitution of the United States of America. 28 The Declaration of Independence stated the separation of 13 British colonies located in North America from Great Britain on July 4, 1776. For further information, see Augustyn et al. (2020b). For the complete document, see Declaration of Independence. 29 See, for example, The Fourteenth Amendment Section 1 of The Constitution of the United States of America where it clearly states, U.S. Const. amend. IV sec. 1: All persons born or naturalized in the United States, and subject to the jurisdiction thereof, are citizens of the United States and of the state wherein they reside. No state shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any state deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws. 30
The pursuit of happiness can be found in the Declaration of Independence, see supra note 28. After the Constitution of the United States was drafted during the pre-industrial eighteenth century, a lot of technologies have been invented and introduced to the public and became part of people’s every-day-life, for instance, telephony, photography and other audio and/or visual recording devices and transmitters, but one could state that the biggest changes occurred just recently during our so-called information age or digital age when, overall, the internet came to life. 32 This can be mostly identified with Justice Antonin Scalia, see Scalia (2018). See also the videos where Scalia explains textualism available on youtube.com. 33 See 17 U.S. 316, 407 (1819). Furthermore, Chief Justice Charles Evans Hughes amplified that: 31
4.1 The General Legal Protection of Privacy
71
right not explicitly mentioned in the founding documents cannot be recognized, the author reaffirms her contention that the law needs to adapt to new modern technologies.34 One could even say that the right to privacy should be seen as one of the oldest constitutional rights, as the right to privacy could be understood as a common foundation of the following rights that are outlined in the Constitution of the United States: the freedom of thought,35 the right of the people to be secure in their persons36 and the right of a person to refuse to answer questions or otherwise give testimony against himself or herself which will subject him or her to an incrimination (the right to refuse self-incrimination).37 After all, common law in the United States must also include a right to privacy.38 Furthermore, as already pointed out, in 1890, an article was written and published by Samuel Dennis Warren and Louis Dembitz Brandeis claiming exactly this, the recognition of the “right to privacy.”39
power of ‘judicial review’ has given the Court a crucial responsibility in assuring individual rights, as well as in maintaining a ‘living Constitution’ whose broad provisions are continually applied to complicated new situations. See Supreme Court of the United States (2020). Furthermore, the author is the opinion that even if we followed the tendencies of today’s constitutional jurisprudence represented by Justice Antonin Scalia and others, we must face reality and this way, would have to, at least, accept the existence of a certain kind of common law that guarantees a right to privacy. In this context, it is important to understand that common law can be described as a legal system that derives from judicial decisions. This body of customary law has been governed by the courts of common law in England since the Middle Ages and it was the starting point of the legal systems of the United States of today as well as of almost every member state of the Commonwealth. Common law is totally different to those legal systems that are, overall, prevalent in Europe originating from civil law. Therefore, common law is also referred to as Anglo-American law. For further information on common law, see Glendon (2020). 35 See The First Amendment of The Constitution of the United States of America, U.S. Const. amend. I. 36 See The Fourth Amendment of The Constitution of the United States of America, U.S. Const. amend. IV. 37 See The Fifth Amendment of The Constitution of the United States of America, U.S. Const. amend. V. 38 The decision in Griswold v. Connecticut allows for such an interpretation, although it may also be limited to its facts. Griswold v. Connecticut, 381 U.S. 479 (1965) will be further discussed later on. In this context, The Third Amendment of The Constitution of the United States of America can already be mentioned as it comes to play in the case. It has to be pointed out that common law won’t be needed in order to grant a right to privacy as according to the author’s interpretation, there is a Constitutional right to privacy that derives from express rights such as The First, Fourth and Fifth as well as the Third Amendment of The Constitution of the United States of America. 39 See supra note 5. 34
72
4 Past Trends in Decision and Conditioning Factors
The two authors of that article saw the need to respond to technological developments that occurred in the late nineteenth century—overall, instant photography and audio recordings. These developments had caused that a tabloid industry was created that was making profit without caring about morals like respecting a person’s personal information. Warren and Brandeis did not only outline the potential harms that were coming from the tabloid industry, but also established the need for a right to privacy. Therefore, their article was the basis for discussing whether one should read into the common law a right of privacy and whether such a right would be worth of protection. Furthermore, Warren and Brandeis did not only name the possible harms that could occur by violating an individual’s right to privacy, but they also referred to possible remedies for the individual. This way, their article can be seen as the starting point of the establishment of a general right to privacy that is supposed to protect a person from exposure of private matters.40 In addition to Samuel Dennis Warren and Louis Dembitz Brandeis claiming the recognition of the right to privacy, there have been several rulings regarding the right to privacy that are worth mentioning:41 Union Pacific Railway Co. v. Botsford First of all, in 1891, the Supreme Court of the United States ruled in the case of Union Pacific Railway Co. v. Botsford42: “[n]o right is held more sacred, or is more carefully guarded by the common law, than the right of every individual to the possession and control of his own person, free from all restraint or interference of others, unless by clear and unquestionable authority of law.”43 This can be seen as one of the origins of the right to privacy in U.S. legislation. Pavesich v. New England Life Ins. In 1905, in the case of Pavesich v. New England Life Ins. the right to privacy is not only further developed, but also explicitly mentioned for the first time.44 The court recognizes the right to privacy stating that the right to privacy “is recognized
40
There were only a few exceptions the authors made. They, for example, concluded that gossiping and oral communication was not included in any privacy right. Also, consent to publication is an outright defense. 41 Again, for more information on how important the historical background is when it comes to an agreement process, supra note 3. 42 In this case, the plaintiff had suffered severe injuries because of an accident. As the majority of the judges voted in favor of the plaintiff, the Supreme Court denied the defendant the right to compel the plaintiff to undergo a physical examination. For further information, see Union Pacific Railway Co. v. Botsford, 145 U.S. 250 (1891). 43 Id. at 252. 44 The case of Pavesich v. New England Life Ins is about the question whether there is a right to privacy when it comes to the publication of photographs, see Pavesich v. New England Life Ins. Co. et al. 50 S.E. 68 (1905).
4.1 The General Legal Protection of Privacy
73
intuitively, consciousness being the witness that can be called to establish its existence.”45 Olmstead v. United States Twenty-three years later, in 1928, in the case of Olmstead v. United States,46 a case concerning wiretapping, Louis Dembitz Brandeis refers to the right to be let alone.47 Poe v. Ullman In 1961, the Supreme Court of the United States rules in Poe v. Ullman against the plaintiffs who were challenging a law from Connecticut that was banning birth control.48 Dissenting Justice Harlan49 outlines the right to privacy by stating: . . .Adultery, homosexuality and the like are sexual intimacies which the State forbids altogether, but the intimacy of husband and wife is necessarily an essential and accepted feature of the institution of marriage, an institution which the State not only must allow, but which always and in every age it has fostered and protected. It is one thing when the State exerts its power either to forbid extramarital sexuality altogether, or to say who may marry, but it is quite another when, having acknowledged a marriage and the intimacies inherent in it, it undertakes to regulate by means of the criminal law the details of that intimacy.50
Therefore, one could say that this was a ruling of a single judge at that time, but it actually became the law of the land 4 years later. Griswold v. Connecticut In 1965, in the case of Griswold v. Connecticut51 the Supreme Court establishes that the right to privacy should be treated as a constitutional doctrine.52 While answering
45 Id. at 69. Furthermore, the court also stated that the right to privacy has “its foundation in the instincts of nature” and this way, recognized the right to privacy. 46 See Olmstead v. United States 277 U.S. 438 (1928). 47 Brandeis states:
The makers of our Constitution undertook to secure conditions favorable to the pursuit of happiness. [. . .] They conferred, as against the government, the right to be let alone—the most comprehensive of rights and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment. See id. at 478. 48
Poe v. Ullman 367 U.S. 497 (1961). For more details on Justice John Marshall Harlan, see Augustyn et al. (2020c). 50 Id. at 552, J. Harlan, dissenting. 51 Griswold v. Connecticut, 381 U.S. 479 (1965). 52 In that case, Estelle Naomi Trebert Griswold was the Executive Director of the Planned Parenthood League of Connecticut at that time. The Planned Parenthood League of Connecticut wanted, overall, to serve married couples as a birth control clinic in New Haven, Connecticut in order to provide them with information on birth control and give them medical advice. According to a law in the State of Connecticut (the same law that was already challenged in Poe v. Ullman), there were birth control restrictions and counseling as well as providing other medical treatment to couples in order to avoid conception was criminalized. Therefore, Mrs. Griswold and one of her colleagues were convicted and their conviction was upheld not only by the Appellate Division of the Circuit Court, but also by the Connecticut Supreme Court. Id. at 480 and 481. 49
74
4 Past Trends in Decision and Conditioning Factors
to the question whether The Constitution of the United States of America grants protection against state restrictions concerning a married couple’s capacity of being able to receive counseling on the use of contraceptives,53 according to the Supreme Court, the numerous guarantees that can be found in the Bill of Rights create certain zones which lead to the establishment of a right to privacy in that case. The court finds that although The Constitution of the United States of America does not grant the protection of a general right to privacy, The First and The Third Amendment as well as The Fourth and The Ninth Amendment of the U.S. constitution combined lead to a new constitutional right—the right to marital privacy or the right to privacy in marital relations.54 One may conclude that the case of Griswold v. Connecticut was the real milestone when it comes to the right to privacy as it establishes a legal recognition of protection against the unjustified intrusion of the government in relationship to specific personal matters that are considered being private. Loving v. Virginia and Other Cases Since then, the Supreme Court of the United States has applied the doctrine of a constitutional right to privacy several times. For example, in the case of Loving v. Virginia the court states that: The freedom to marry has long been recognized as one of the vital personal rights essential to the orderly pursuit of happiness by free men.55
Katz v. United States Moreover, in the case of Katz v. United States,56 the Supreme Court further discusses the right to privacy, overall, questioning whether this right might be applicable to telephone booths and other public places. Because of this case the protection under the Fourth Amendment was expanded to every area with a “reasonable expectation of privacy” for any individual.57 53
Id. at 482. The court states that “specific guarantees in the Bill of Rights have penumbras, formed by emanations from those guarantees that help give them life and substance.” See Poe v. Ullman, 367 U.S. 497, 516–522 (dissenting opinion), supra note 48. Various guarantees create zones of privacy. The right of association contained in the penumbra of the First Amendment is one, as we have seen. The Third Amendment in its prohibition against the quartering of soldiers “in any house” in time of peace without the consent of the owner is another facet of that privacy. The Fourth Amendment explicitly affirms the “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” The Fifth Amendment in its SelfIncrimination Clause enables the citizen to create a zone of privacy which government may not force him to surrender to his detriment. The Ninth Amendment provides: “The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people”. Id. at 479. 55 See Loving v. Virginia, 388 U.S. 1, 12 (1967). 56 See Katz v. United States, 389 U.S. 347 (1967). 57 Id. at 360. It has to be noted that this constitutionally granted protection has to be determined by the so-called reasonable expectation of privacy test or Katz test that established in Katz v. United States and also applied to other cases later on. This test consists of two elements—the plaintiff has to express the expectation of privacy and this expectation has to be reasonable. Id. at 361. For further information, see Tokson (2016), p. 146. 54
4.1 The General Legal Protection of Privacy
75
Eisenstadt v. Baird In 1972, in the case of Eisenstadt v. Baird, the Supreme Court stated: “If the right of privacy means anything, it is the right of the individual, married or single, to be free from unwarranted governmental intrusion into matters so fundamentally affecting a person as the decision whether to bear or beget a child.”58 Roe v. Wade and Other Cases Concerning Abortion Rights and Sodomy Laws Furthermore, the right to privacy was applied to a number of cases concerning abortion rights and sodomy laws. In this context, overall, the case of Roe v. Wade59 has to be mentioned as it can be seen as further extending former Supreme Court decisions when it comes to the right to privacy. After the Supreme Court decided already a couple of times that governmental interference in those decisions of an individual that are of most personal nature is subject to rejection as that kind of interference violates the constitution, in the case of Roe v. Wade, the Supreme Court comes to the conclusion that a constitutional right to privacy also involves the aspect of any woman to choose if she desires to terminate a pregnancy or not.60 Carpenter v. United States In the following years, the Supreme Court’s view on the right to privacy further evolved while the court decided on several cases.61 One of the most recent examples must be the case Carpenter v. United States as this Supreme Court case Carpenter v. United States was argued on November 29th, 2017 and decided on June 22nd, 2018.62
58 See Eisenstadt v. Baird 405 U.S. 438 (1972). In this case, the Supreme court decided in favor of unmarried couples giving them the right to use contraception the same way as married couples and ruling against a Massachusetts law. This law established that any distribution of contraceptives to unmarried peoples in order to prevent pregnancy was prohibited, but the Supreme Court rather came to the conclusion that the Massachusetts law was violating the Constitution, in particular, the Equal Protection Clause. 59 See Roe v. Wade, 410 U.S. 113 (1973). 60 Accordingly, the court states:
This right of privacy, whether it be founded in the Fourteenth Amendment’s concept of personal liberty and restrictions upon state action, as we feel it is, or, as the District Court determined, in the Ninth Amendment’s reservation of rights to the people, is broad enough to encompass a woman’s decision whether or not to terminate her pregnancy. Id. at 153. And the same year, there was also the Supreme Court ruling in the case of Doe v. Bolton coming to the same conclusion as in Roe v. Wade and arguing the same way when it comes to the right to privacy. See Doe v. Bolton 410 U.S. 179 (1973). 61 To give a number of examples, see the cases of Singleton v. Wulff, 428 U.S. 106 (1976), Bellotti v. Baird, 443 U.S. 622 (1979), Harris v. McRae, 448 U.S. 297 (1980), Bowers v. Hardwick, 478 U.S. 186 (1986), Webster v. Reproductive Health Services, 492 U.S. 490 (1989), Stenberg v. Carhart, 530 U.S. 914 (2000) or Lawrence v. Texas, 539 U.S. 558 (2003). 62 In order to get a more detailed overview of the case, both to its facts and to its law, see Rozenshtein (2019). See also Freiwald and Smith (2018). For the complete verdict, see Carpenter v. United States.
76
4 Past Trends in Decision and Conditioning Factors
In this newest case on cell phone location tracking, the question at hand was if the police should be allowed to track anybody’s cellphone location at any given time and without any warrant.63 The court decided that nobody should become the subject of surveillance of his or her movements without a proper warrant.64 The decision was highly anticipated by some people as they saw this case as being of upmost importance for privacy in the context of modern technologies.65 As already stated above, although the right to privacy can neither be found in The Constitution of the United States of America—especially, it is not explicitly named in the Bills of Rights—nor does United States jurisprudence provide a certain definition of the right to privacy, the doctrine of a constitutional right to privacy has been established. Undoubtedly, there are certain personal matters that are considered being private and, therefore, granted protection against unjustified governmental interference. Hence, the right to privacy can be considered common law in the United States, although there is no general right to privacy,66 but rather individual cases that enunciate rights to specific privacy protections67 and yet, one could question how many laws might not have been passed or enforced because of this doctrine of a constitutional right to privacy that has become of outmost importance when speaking of jurisprudence concerning civil liberties in the United States.68 And what about other countries?
63 For further details on the case, see “In Carpenter, The Supreme Court Rules, Narrowly, For Privacy”, The New Yorker (June 22, 2018). 64 The Supreme Court decided in a 5-4 decision and Amy Davidson Sorkin’s opinion on the ruling is the following:
The Supreme Court’s decision in Carpenter v. United States is not quite a full manifesto for digital privacy, but it insists that there is a new discussion to be had, and it tries to set the terms. Id. See, for example, “The Supreme Court Phone Location Case Will Decide the Future of Privacy”, Vice (June 16, 2017). The author starts the article by stating the following: 65
Later this year the Supreme Court will decided if police can track a person’s cell phone location without a warrant. It’s the most important privacy case in a generation. 66 One example for the proposition that there is no such general right is the decision in Whalen v. Roe, 429 U.S. 89 (1977), which did not recognize a right of protection of personal medical information, so that a Congressional statute, The Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. §1301 et seq.), had to be developed in order to effectuate such protection. 67 See the examples given above and it can be stated that, overall, the right to privacy of medical information has been developed. Accordingly, case law as well as statutes do exist that grant rights to specific privacy protections in certain contexts. 68 It has to be noted that there is a number of privacy protection laws in the Unites States not only at the state, but also at the federal level. This will be further discussed when speaking of the right to privacy in the context of electronic communications. In order to have an idea about some of the most important laws concerning privacy protection not only in the State of California, but also at the federal level, see Privacy Laws (2020).
4.1 The General Legal Protection of Privacy
4.1.1.2
77
Countries Within Europe
In contrast to the United States, in many European countries there are plenty of laws protecting one’s personal privacy, especially since the late 1970s. Furthermore, in most constitutions of the countries in Europe one can find the right to privacy, and the majority of the constitutions even explicitly refer to it.69 Furthermore, and as already mentioned, there is much jurisprudence and legal protection recognized connected to civil as well as criminal codes when it comes to the right to privacy—especially in those countries that do not have a specific reference to the right to privacy in their constitutions.70 In addition, the European Union or the Council of Europe itself has established provisions in order to protect the right to privacy. For example, the European Convention for the Protection of Human Rights and Fundamental Freedoms.71 In the following, two examples—The Federal Republic of Germany and The United Kingdom—will be given to further explore the history and present situation of privacy laws in these European countries.
The Federal Republic of Germany First, the author will take a closer look at the Federal Republic of Germany.72 Germany has transformed many international legal rights and guidelines into national law in order to guarantee the right to privacy in the past,73 but foremost, there is its constitution, the Basic Law of 1949.74
69 To give only a few examples, the Greek constitution (Articles 9, 9 A, 19) as well as the Spanish (Article 18) and Italian constitutions (Article 14) recognize the right to privacy as an individual right that is not related to other rights, but rather standing on its own. For an even broader overview of the protection of the right to privacy in European countries, see supra note 18 at 203–255. 70 France could serve as an example as its judicial system little by little developed the right to privacy not only by court decisions, but also be adopting laws that recognize the right to privacy (as for example, the 1868 press law). For further information, see Hauch (1994), pp. 1219, 1228. 71 To give an example, there is Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, see Convention for the Protection of Human Rights and Fundamental Freedoms (Treaty No. 005). Besides, later on, the European Union will be further discussed in regards to its privacy laws and regulations. 72 It will be only be taken in mind the Federal Republic of Germany excluding the former German Democratic Republic or so-called “East Germany” that was established after World War II and existed until the German reunification on October 3rd in 1990. To give a first overview of the protection of privacy in Germany including its social and cultural dimension by speaking of “Die voyeuristische Kultur”, see Nettesheim (2011). 73 Of course, overall, there are those guidelines that were coming from the European Union and that establish their implementation into all the different legal systems of the member states of the European Union. 74 The German Constitution, the basic law of Germany, consists of 146 articles that were entered into force on May 23rd, 1949 after being approved by the Allies of World War II. Articles 1 and 20 of the German Constitution cannot be changed as their content is irrevocable. While Article 1 grants human dignity, Article 20 establishes Germany’s principles like being a constitutional democracy or a welfare state.
78
4 Past Trends in Decision and Conditioning Factors
The German Constitution establishes in its Article 1 the guarantee to live a life in human dignity. Article 1 of the German Constitution states: [Human dignity – Human rights – Legally binding force of basic rights] (1) Human dignity shall be inviolable. To respect and protect it shall be the duty of all state authority. (2) The German people therefore acknowledge inviolable and inalienable human rights as the basis of every community, of peace and of justice in the world. (3) The following basic rights shall bind the legislature, the executive and the judiciary as directly applicable law.75
Besides, it has to be noted that the protection of privacy is considered a fundamental right in Germany, as its basis comes from the general right to privacy that can be found in the German Constitution.76 The right to privacy derives from Article 2 paragraph 1, in combination with Article 1 paragraph 1, of the German Constitution.77 This way, the individual is granted a certain For further information on the German Constitution, see Grundgesetz für die Bundesrepublik Deutschland vom 23. Mai 1949 (BGBl. S. 1), zuletzt geändert durch Artikel 1 und 2 Satz 2 des Gesetzes vom 29. September 2020 (BGBl. I S. 2048). There, it reads: Das Grundgesetz (GG) ist die Verfassung für die Bundesrepublik Deutschland. Es wurde vom Parlamentarischen Rat, dessen Mitglieder von den Landesparlamenten gewählt worden waren, am 8. Mai 1949 beschlossen und von den Alliierten genehmigt. Es setzt sich aus einer Präambel, den Grundrechten und einem organisatorischen Teil zusammen. Im Grundgesetz sind die wesentlichen staatlichen System- und Werteentscheidungen festgelegt. Es steht im Rang über allen anderen deutschen Rechtsnormen. Für eine Änderung des Grundgesetzes ist die Zustimmung von zwei Dritteln der Mitglieder des Bundestages sowie zwei Dritteln der Stimmen des Bundesrates erforderlich. Es ist jedoch nach Artikel 79 Absatz 3 GG unzulässig, die grundsätzliche Mitwirkung der Länder bei der Gesetzgebung zu ändern. Die in den Artikeln 1 und 20 des Grundgesetzes niedergelegten Grundsätze sind unabänderlich. Artikel 1 garantiert die Menschenwürde und unterstreicht die Rechtsverbindlichkeit der Grundrechte. Artikel 20 beschreibt Staatsprinzipien wie Demokratie, Rechtsstaat und Sozialstaat.[. . .] For the complete English version of the German Constitution, see Basic Law for the Federal Republic of Germany (1949). 75 Id. According to the New Haven School of Jurisprudence, the term human rights could be defined as an authoritative and controlling response of an international decision-making process relating to claims of human beings in order to protect and strengthen specific values. For a detailed description of the New Haven School of Jurisprudence, see Chap. 1. For another definition of the term human rights, see Kirch (2008), p. 703. Furthermore, Professor Wiessner describes human rights as “at their innermost core, collectively enforced stop signs against the violations of the weak, the vulnerable, the few, the hated, the powerless, the oppressed.”, see Wiessner (2006), p. 1. 76 Article 2 paragraph 1 in combination of Article 1 paragraph 1 of the German Constitution creates this fundamental right—the protection of privacy. 77 Article 2 of the German Constitution states: [Personal freedoms]
4.1 The General Legal Protection of Privacy
79
space that protects against any kind of intrusion—neither visual nor audio monitoring— by creating an area where a person can be free and act the way one desires.78 In order to understand this general right to privacy under German law that is seen in Article 2 paragraph 1 in combination with Article 1 paragraph 1 of the German Constitution, the so-called “Allgemeines Persönlichkeitsrecht”, or general right to privacy, it has to be noted that although a general right to privacy is not mentioned in the German Constitution, it is considered being customary law in Germany. This is because it is acknowledged that there are three different spheres within the framework of the general right to privacy deviating from Article 2 paragraph 1 in combination with Article 1 paragraph 1 of the German Constitution. These spheres are the following: The So-Called “Intimsphäre” (The Closest Private Sphere) It protects the individual’s very inner world concerning, overall, a person’s thoughts and feelings and cannot be intruded by the state under any circumstances. The So-Called “Privatsspäre” (Privacy) It refers to the individual’s private life as well as the life at home and within one’s family and the state can only intervene under certain circumstances and only when complying with specific rules, overall, with the so-called “Verhältnismäßigkeitsgrundsatz” (the principle of proportionality). The So-Called “Individualspäre” (The Individual Sphere) It grants the individual the right of self-determination including, for example, the right to informational self-determination. Besides this general right to privacy, the German Constitution grants more particular individual fundamental rights that at the same time also protect the
(1) Every person shall have the right to free development of his personality insofar as he does not violate the rights of others or offend against the constitutional order or the moral law. (2) Every person shall have the right to life and physical integrity. Freedom of the person shall be inviolable. These rights may be interfered with only pursuant to a law. Furthermore, Article 13 of the German Constitution establishes: [Inviolability of the home] (1)The home is inviolable. (2) Searches may be authorised only by a judge or, when time is of the essence, by other authorities designated by the laws, and may be carried out only in the manner therein prescribed. 78
It has to be further noted that there have been a number of decisions—especially, of the Bundesverfassungsgericht (the Federal Constitutional Court) since 1954 when the Bundesverfassungsgericht established this general right for the first time already—that grant the individual its freedom to be left alone. Other decisions followed this path—for example, Beschluss des Zweiten Senats vom 19. Juli 1972—2 BvL 7/71—where the court states the following: . . .Das Grundgesetz gewährt zwar - wie das Bundesverfassungsgericht in ständiger Rechtsprechung anerkannt hat - dem einzelnen Bürger einen unantastbaren Bereich privater Lebensgestaltung, der jeder Einwirkung der öffentlichen Gewalt entzogen ist (BVerfGE 6, 32 [41]; 27, 1 [6]; 27, 344 [350 f.]; 32, 373 [378 f.]). . . . See Beschluss des Zweiten Senats vom 19. Juli 1972.
80
4 Past Trends in Decision and Conditioning Factors
individual’s general right to privacy—there, is, for example, Article 1379 protecting the inviolability of the home or Article 10 granting privacy of correspondence, posts and telecommunications while stating: [Privacy of correspondence, posts and telecommunications] (1) The privacy of correspondence, posts and telecommunications shall be inviolable. (2) Restrictions may be ordered only pursuant to a law. If the restriction serves to protect the free democratic basic order or the existence or security of the Federation or of a Land, the law may provide that the person affected shall not be informed of the restriction and that recourse to the courts shall be replaced by a review of the case by agencies and auxiliary agencies appointed by the legislature.
79
Article 13 of The German Constitution states: [Inviolability of the home] (1) The home is inviolable. (2) Searches may be authorised only by a judge or, when time is of the essence, by other authorities designated by the laws, and may be carried out only in the manner therein prescribed. (3) If particular facts justify the suspicion that any person has committed an especially serious crime specifically defined by a law, technical means of acoustical surveillance of any home in which the suspect is supposedly staying may be employed pursuant to judicial order for the purpose of prosecuting the offence, provided that alternative methods of investigating the matter would be disproportionately difficult or unproductive. The authorisation shall be for a limited time. The order shall be issued by a panel composed of three judges. When time is of the essence, it may also be issued by a single judge. (4) To avert acute dangers to public safety, especially dangers to life or to the public, technical means of surveillance of the home may be employed only pursuant to judicial order. When time is of the essence, such measures may also be ordered by other authorities designated by a law; a judicial decision shall subsequently be obtained without delay. (5) If technical means are contemplated solely for the protection of persons officially deployed in a home, the measure may be ordered by an authority designated by a law. The information thereby obtained may be otherwise used only for purposes of criminal prosecution or to avert danger and only if the legality of the measure has been previously determined by a judge; when time is of the essence, a judicial decision shall subsequently be obtained without delay. (6) The Federal Government shall report to the Bundestag annually as to the employment of technical means pursuant to paragraph (3) and, within the jurisdiction of the Federation, pursuant to paragraph (4) and, insofar as judicial approval is required, pursuant to paragraph (5) of this Article. A panel elected by the Bundestag shall exercise parliamentary oversight on the basis of this report. A comparable parliamentary oversight shall be afforded by the Länder. (7) Interferences and restrictions shall otherwise only be permissible to avert a danger to the public or to the life of an individual, or, pursuant to a law, to confront an acute danger to public safety and order, in particular to relieve a housing shortage, to combat the danger of an epidemic, or to protect young persons at risk.
4.1 The General Legal Protection of Privacy
81
Also, the German Constitution grants freedom of expression.80 In this context, it has to be noted that there are a couple of laws that are setting up certain limitations on the right to one’s freedom of expression and the most important restrictions can be found in the German Criminal Code (Strafgesetzbuch).81 Besides being a right that can be found in Germany’s constitution, the right to privacy is also existing in many other national rules on the federal level as well as on the state level.82 On the federal level, there is, overall, the Federal Data Protection Act (Bundesdatenschutz- gesetz).83 Moreover, the Art Copyright Act (Kunsturheberrechtsgesetz) must be mentioned.84 Furthermore, there is a quite new Act, the Network Enforcement Act (Netzwerkdurchsetzungs- gesetz).85 This law has already received quite a bit of
80
See Article 5 of the German Constitution that states: [Freedom of expression, arts and sciences] (1) Every person shall have the right freely to express and disseminate his opinions in speech, writing and pictures, and to inform himself without hindrance from generally accessible sources. Freedom of the press and freedom of reporting by means of broadcasts and films shall be guaranteed. There shall be no censorship. (2) These rights shall find their limits in the provisions of general laws, in provisions for the protection of young persons, and in the right to personal honour. (3) Arts and sciences, research and teaching shall be free. The freedom of teaching shall not release any person from allegiance to the constitution.
81 The German Criminal Code penalizes, besides others, libel and slander, see Paragraph 185 of the German Criminal Code, see Criminal Code (Strafgesetzbuch, StGB). 82 As the Federal Republic of Germany consists of 16 federal states (Bundesländer or Länder), there are many state laws besides the federal laws as Germany’s constitution refers many subjects to the federal states in order for them to create legal rules and regulations. 83 The Federal Data Protection Act was implementing the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. For the complete act, see Federal Data Protection Act (BDSG) and for the complete text of the directive, see Directive 95/46/EC (1995). 84 Paragraph 22 of the Art Copyright Act is dealing with the right to disseminate or publicly display a person’s image. It states the following:
Bildnisse dürfen nur mit Einwilligung des Abgebildeten verbreitet oder öffentlich zur Schau gestellt werden. Die Einwilligung gilt im Zweifel als erteilt, wenn der Abgebildete dafür, daß er sich abbilden ließ, eine Entlohnung erhielt. Nach dem Tode des Abgebildeten bedarf es bis zum Ablaufe von 10 Jahren der Einwilligung der Angehörigen des Abgebildeten. Angehörige im Sinne dieses Gesetzes sind der überlebende Ehegatte oder Lebenspartner und die Kinder des Abgebildeten und, wenn weder ein Ehegatte oder Lebenspartner noch Kinder vorhanden sind, die Eltern des Abgebildeten. For the complete text of the Art Copyright Act, see Art Copyright Act (KunstUrhG). The Network Enforcement Act establishes a set of rules for providers of social networks—for example, an obligation of providing reports if there has been a certain amount of complaints, see Section 2 of the Network Enforcement Act. In order to read the complete Network Enforcement Act—Gesetz zur Verbesserung der Rechtsdurchsetzung in sozialen Netzwerken (Netzwerkdurchsetzungsgesetz, NetzDG), in the 85
82
4 Past Trends in Decision and Conditioning Factors
criticism, as it is said that the Network Enforcement Act has a negative impact on the right to freedom of expression by forcing social media websites to take an active role in not only monitoring, but also taking down certain content.86 The Network Enforcement Act will be further mentioned when speaking of the right to privacy and electronic communications. It must also be noted that, besides the rules and regulations concerning the protection of the individual’s privacy that can be found in federal laws, the right to privacy is also existing in many other national rules on the state level,87 and it has to be pointed out that, until May 25, 2018, the Federal Data Protection Act, as well as the state laws, will have to be revised in order to comply with the Regulation (EU) 2016/ 679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).88 In order to complete this part on the right to privacy in the Federal Republic of Germany, it, once again, must be stressed that, over the years, the general right to privacy has been often and variously discussed before the German Federal Consti-
version of 1 September 2017 (Federal Law Gazette I, p. 3352 ff. Valid as from 1 October 2017)—in English, see Network Enforcement Act (Netzwerkdurchsuchungsgesetz). 86 For further information on the criticism regarding the Network Enforcement Act, see the article “Maas verteidigt Gesetz gegen Hass im Internet”, Der Spiegel (January 4, 2018). 87 There are, for example, the so-called “Landesdatenschutzgesetze” (State Data Protection Acts) and as the Ferderal Republic of Germany consists of 16 different federal states, there are 16 different State Data Protection Acts. It has to be noted that the Data Protection Act of 1970 of the state “Hessen” (the German Federal State of Hesse) is considered being the very first State data Protection Act and this way, the oldest law dealing with data protection. As of today, the German Federal State of Hesse has a Data Protection Act like all other 16 federal states and the German Federal State of Hesse just remodeled its law to the “Hessisches Gesetz zur Anpassung des Hessischen Datenschutzrechts an die Verordnung (EU) Nr. 2016/679 und zur Umsetzung der Richtlinie (EU) Nr. 2016/680 und zur Informationsfreiheit vom 3. Mai 2018”, so that it complies with the new European guidelines. This new law consists of 91 paragraphs. See Hessisches Gesetz zur Anpassung des Hessischen Datenschutzrechts an die Verordnung (EU) Nr. 2016/679 und zur Umsetzung der Richtlinie (EU) Nr. 2016/680 und zur Informationsfreiheit vom 3.Mai 2018 (HDSIG). 88 On May 25, 2018 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), entered into force. The General Data Protection Regulation (GDPR) was created with the intention to better protect the individual’s personal data and will be discussed in more detail as soon as speaking of the protection of the right to privacy in the context of electronic communication. For now, it is important to know that the Federal Data Protection Act will be completely revised in order to comply with the GDPR, so that any public body would need to act accordingly in the future meaning complying with the different laws coming to play, the Federal Data Protection Act as well as the various data protection laws of the German federal states. For the complete version of this new European regulation, see General Data Protection Regulation (GDPR).
4.1 The General Legal Protection of Privacy
83
tutional Court, and was further shaped that way. For instance, in 1983 the German Federal Constitutional Court developed the so-called right to informational selfdetermination with its famous “Volkszählungsurteil”.89 The right to informational self-determination finds its basis in the general right to privacy that comes from Article 2 paragraph 1 in combination with Article 1 paragraph 1 of the German Constitution and should only be limited if there is a predominant common interest.90 The German Federal Constitutional Court basically adjusted the general right to 89 In order to better understand the Volkszählungsurteil (judgment regarding the census of population), here is the background of this case:
Nach dem sogenannten Volkszählungsgesetz (VZG) aus dem Jahr 1983 sollten sämtliche Einwohner der Bundesrepublik Deutschland statistisch erfasst werden. Es enthielt Vorschriften darüber, wie und mit welchem Inhalt die Befragungen durchgeführt werden sollten, was nach den Befragungen mit den gewonnenen Informationen geschehen sollte und wie und wofür sie verwendet werden sollten. Dagegen wehrten sich zahlreiche Betroffene vor dem Bundesverfassungsgericht (BVerfG). See Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI). For further information, see Schwartz and Pfeifer (2019), pp. 6, 7. 90 The head notes of the Volkzählungsurteil’s verdict read as the following: Leitsätze: 1. Unter den Bedingungen der modernen Datenverarbeitung wird der Schutz des Einzelnen gegen unbegrenzte Erhebung, Speicherung, Verwendung und Weitergabe seiner persönlichen Daten von dem allgemeinen Persönlichkeitsrecht des GG Art. 2 Abs. 1 in Verbindung mit GG Art. 1 Abs. 1 umfasst. Das Grundrecht gewährleistet insoweit die Befugnis des Einzelnen, grundsätzlich selbst über die Preisgabe und Verwendung seiner persönlichen Daten zu bestimmen. 2. Einschränkungen dieses Rechts auf “informationelle Selbstbestimmung” sind nur im überwiegenden Allgemeininteresse zulässig. Sie bedürfen einer verfassungsgemäßen gesetzlichen Grundlage, die dem rechtsstaatlichen Gebot der Normenklarheit entsprechen muss. Bei seinen Regelungen hat der Gesetzgeber ferner den Grundsatz der Verhältnismäßigkeit zu beachten. Auch hat er organisatorische und verfahrensrechtliche Vorkehrungen zu treffen, welche der Gefahr einer Verletzung des Persönlichkeitsrechts entgegenwirken. 3. Bei den verfassungsrechtlichen Anforderungen an derartige Einschränkungen ist zu unterscheiden zwischen personenbezogenen Daten, die in individualisierter, nicht anonymer Form erhoben und verarbeitet werden, und solchen, die für statistische Zwecke bestimmt sind. Bei der Datenerhebung für statistische Zwecke kann eine enge und konkrete Zweckbindung der Daten nicht verlangt werden. Der Informationserhebung und Informationsverarbeitung müssen aber innerhalb des Informationssystems zum Ausgleich entsprechende Schranken gegenüberstehen. 4. Das Erhebungsprogramm des Volkszählungsgesetzes 1983 (§ 2 Nr. 1 bis 7, §§ 3 bis 5) führt nicht zu einer mit der Würde des Menschen unvereinbaren Registrierung und Katalogisierung der Persönlichkeit; es entspricht auch den Geboten der Normenklarheit und der Verhältnismäßigkeit. Indessen bedarf es zur Sicherung des Rechts auf informationelle Selbstbestimmung ergänzender verfahrensrechtlicher Vorkehrungen für Durchführung und Organisation der Datenerhebung.
84
4 Past Trends in Decision and Conditioning Factors
privacy to what modern technologies required91 and established the right to informational self-determination within the German Constitution basing it, overall, on the dignity of humans.92 Every German citizen should be protected against collecting, saving, usage and transferring one’s personal data and be granted the free development of his or her own person93 Thus, the individual should be the one in charge of deciding whether to give away and utilize one’s own personal data.94 After all, it can be assumed that the right to informational self-determination is a basic right and a major part of the base for the data protection in Germany.95 That is why, the Volkszählungsurteil with the rise of the right to informational self-determination was very important for the development of Germany’s privacy laws and data protection.
5. Die in Volkszählungsgesetz 1983 § 9 Abs. 1 bis 3 vorgesehenen Übermittlungsregelungen (unter anderem Melderegisterabgleich) verstoßen gegen das allgemeine Persönlichkeitsrecht. Die Weitergabe zu wissenschaftlichen Zwecken (Volkszählungsgesetz 1983 § 9 Abs. 4) ist mit dem Grundgesetz vereinbar. For an English translation, see Judgment of 15 December 1983 (1 BvR 209/83). To read to verdict of the “Volkszählungsurteil”, see Urteil des Ersten Senats vom 15. Dezember 1983 (Volkszählungsurteil). 91 The court was thinking, overall, of current and future automated data gathering and processing. BVerfGE 65, 1 (42). Id. For further information, see “Datenschutz – Antrittsvorlesung von Prof. Dr. Michael Schmidl: Informationalle Selbstbestimmung in der Theorie und Praxis”, IITR Das Datenschutz-Blog (April 2, 2012). 92 Article 1 of the German Constitution states: [Human dignity – Human rights – Legally binding force of basic rights] (1) Human dignity shall be inviolable. To respect and protect it shall be the duty of all state authority. (2) The German people therefore acknowledge inviolable and inalienable human rights as the basis of every community, of peace and of justice in the world. (3) The following basic rights shall bind the legislature, the executive and the judiciary as directly applicable law. 93
Supra note 74. See BVerfGE 65, 1 (43) that reads as the following: Freie Entfaltung der Persönlichkeit setzt unter den modernen Bedingungen der Datenverarbeitung den Schutz des Einzelnen gegen unbegrenzte Erhebung, Speicherung, Verwendung und Weitergabe seiner persönlichen Daten voraus. Dieser Schutz ist daher von dem Grundrecht des Art. 2 Abs. 1 in Verbindung mit Art. 1 Abs. 1 GG umfasst. Das Grundrecht gewährleistet insoweit die Befugnis des Einzelnen, grundsätzlich selbst über die Preisgabe und Verwendung seiner persönlichen Daten zu bestimmen.
Supra note 90. Id. Yet, it has to be noted that the right to informational self-determination does not lead to the individual being in possession of its own data legally speaking. 95 See generally Franzius (2015), pp. 259–270. One might even call the Volkszählungsurteil the “Magna Charta” of the German data protection law—at least, Wolfgang Hoffmann-Riem did so, see Hoffmann-Riem (1998), p. 517. 94
4.1 The General Legal Protection of Privacy
85
Accordingly, Hans-Jürgen Papier, former president of the Federal Constitutional Court of Germany,96 stated in 2010 that, although circumstances might have changed since the Volkszählungsurteil in 1983, the conclusions the court was drawing at that time are still as important today as they were back then, and that there are threats against the right of informational self-determination posed by the development in modern technologies.97 So, one could say that it becomes clear that the Federal Republic of Germany is well-equipped with laws and legislation when it comes to the right to privacy, especially in regards to modern technologies.98 In addition, it has to be noted that the German citizens won the first place when it comes to data protection online according to a global internet privacy study that was performed in 2014 by EMC Corporation (NYSE: EMC),99 the so-called EMC Privacy Index.100
96 Hans-Jürgen Papier is a German lawyer and used to work at the German Federal Constitutional Court for 12 years being the president of the German Federal Constitutional Court from 2002 till 2010. For further information on Hans-Jürgen Papier, see “Prof. em. Dr. Dres. h.c. Hans-Jürgen Papier. Entpflichteter Professor”, Ludwig-Maximilians-Universität München (2020). 97 For further information on the development of the right to informational self-determination since its birth with the Volkszählungsurteil and data protection in Germany, see Papier (2010). The author, Hans-Jürgen Papier, states:
Die modernen Mittel der Datenverarbeitung geben zudem die Möglichkeit, einmal erlangte Informationen beliebig zusammenzufügen, ohne dass der Einzelne die Richtigkeit und Verwendung kontrollieren könnte. Wer jedoch nicht mehr überschauen kann, wer in einer Gesellschaft was wann und bei welcher Gelegenheit über einen weiß, wird in seiner Persönlichkeit und in der Ausübung von Freiheitsrechten, die auch für die Mitwirkung in einem demokratischen Gemeinwesen von Bedeutung sind, gefährdet. Vgl. BVerfGE 65, 1 (42 f.); zuletzt erneut bestätigt durch: BVerfGE 120, 274 (311 f.). In the end he concludes the following: Wir haben gesehen, dass der Ausgangspunkt des “Volkszählungsurteils” erhebliche Veränderungen und Entwicklungen erfahren hat. Gleichwohl haben die Aussagen des “Volkszählungsurteils” nichts von ihrer Aktualität verloren. Ich habe hervorgehoben, dass die technologische Entwicklung erhebliche Gefahren für das Recht der informationellen Selbstbestimmung gerade auch für das Verhältnis zwischen Privaten birgt. 98 The subject of the right to privacy in regards to modern technologies will be further explored later on. 99 According to its own website:
EMC Corporation is a global leader in enabling businesses and service providers to transform their operations and deliver IT as a service. Fundamental to this transformation is cloud computing. Through innovative products and services, EMC accelerates the journey to cloud computing, helping IT departments to store, manage, protect and analyze their most valuable asset – information – in a more agile, trusted and cost-efficient way. Additional information on EMC can be found at www.EMC.com. See Press Release (2014). Id. The EMC Privacy Index is a global study that was performed in order to find out about consumer’s points of view regarding online privacy. Therefore, it will be discussed in detail later on. As far as the Federal Republic of Germany’s consumers are concerned, 71% of the, are not
100
86
4 Past Trends in Decision and Conditioning Factors
The United Kingdom In order to provide another example of a country from the European continent, in what follows, the focus will be on the Anglo-Saxon system of the United Kingdom. First of all, it has to be mentioned that the starting point for the establishment of a right to privacy was the protection of private property. Yet, there was never a clear definition of the term privacy and no recognition of any right to privacy. Therefore, its protection seemed to be impossible. This way, although the Younger Committee on Privacy in the United Kingdom that was established in 1970 might be seen as the entity that have been initiated data protection in the United Kingdom101 and although the committee is the opinion that a right to privacy must be universal,102 the committee could still not yet agree on a right to privacy.103 Also, looking at the Report of the Committee on Privacy and Related Matters, this committee found that
willing to give up their data protection and privacy just because this way, it might be more convenient surfing the internet which makes the German consumers the world’s leaders when it comes to the protection of privacy online. Nevertheless, here is the statement of Sabine Bendiek, CEO of EMC Deutschland: Der EMC-Datenschutzindex belegt eindrucksvoll die verschiedenen Auffassungen, die weltweit zu den Themen Datenschutz und Privatsphäre existieren. Auch wenn Deutschland als ‚Datenschutzweltmeister‘ im EMC-Datenschutzindex gut abschneidet – die Studie zeigt, dass hierzulande Nachholbedarf besteht: Fast drei Viertel der Verbraucher ändern nicht regelmäßig ihre Passwörter, ein Drittel passt die Datenschutzoptionen in den sozialen Netzwerken nicht an und gibt so unnötige Daten preis. Zu denken gibt mir auch die pessimistische Einschätzung der überwiegenden Mehrheit der Deutschen, dass der Datenschutz weiter abnehmen wird. Hier sind Gesellschaft und Wirtschaft gefragt, Verbraucher besser aufzuklären und Lösungen aufzuzeigen. Sonst wird das Vertrauen in die digitale Wirtschaft langfristig erodieren., see “EMC Datenschutzindex zeigt Deutsche sind Weltmeister im Datenschutz”, Dell Technologies (June 12, 2014). 101
See Feather and Sturges (2013), p. 124. The Younger Committee on Privacy in the United Kingdom stated in its 1972 report the following:
102
the quest and need for privacy is a natural one, not restricted to man alone, but arising in the biological and social processes of all the higher forms of life. All animals have a need for temporary individual seclusion of the intimacy of a small unit, quite as much as for the stimulus of social encounters among their own species. Indeed, the struggle of all animals, whether naturally gregarious or not, to achieve a balance between privacy and participation is one of the basic features of animal life. See Younger Committee on Privacy in the United Kingdom (1972). The 1972 report of the Younger Committee on Privacy in the United Kingdom finds that due to the fact that a right to privacy is not worth anything as long as it cannot be defined properly and, therefore, the committee’s recommendation, although agreeing on the need for privacy, comes down to not establishing any right to privacy. Id.
103
4.1 The General Legal Protection of Privacy
87
there had not been any satisfying definition for the term privacy so far,104 but it came to the conclusion that defying privacy should not be considered an impossible task. This way, the committee comes to a legal definition for the right to privacy stating: “[t]he right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information.”105 Nevertheless, when going back in the history of the United Kingdom,106 it has to be noted that the English law did not recognize a right to privacy until 1998.107 That year, the right to privacy finally became national law as the Parliament approved two acts—the Human Rights Act of 1998108 and the Data Protection Act of 1998109—after years of only indirect protections for privacy.110 When referring to indirect protections for privacy, the tort related to the breach of confidence was mostly chosen by English courts and Article 8 of the Human Rights Act establishes that domestic courts are “bound to uphold a citizen’s right to respect for his private and family life, his home and his correspondence”.111 The Human Rights Act was the incorporation of the European Convention on Human Rights into the English national law and this way, forcing English courts to comply with the protections of the right to privacy according the European Convention. By doing so, an enforceable right to privacy was established in Great Britain for the very first time.112 That is one of the reasons, the Human Rights Act can be seen as the upmost achievement when it comes to the right to privacy and its protection on the national
The committee stated that “nowhere have we found a wholly satisfactory statutory definition of privacy.” 105 Calcutt (1997), p. 7. 106 Once again, for more information on how important the historical background is when it comes to an agreement process, see supra note 3. 107 See Samuels (1996), p. 115. 108 See Human Rights Act of 1998 (HRA). 109 See Data Protection Act of 1998 (DPA). 110 It hast to be noted that English courts were only granting recovery for invasions of personal privacy if the claimant was referring not only to the invasion of his or her privacy, but also to a more established right that had to contain the equitable breach of confidence as well as torts based on the intentional infliction of harming a person and those principles that govern the appropriate use of police powers. See Weeks (1963), pp. 484–485. 111 See Cardonsky (2002), pp. 393, 399. Besides, it also has to be pointed at the case of Prince Albert v. Strange from 1849 as it established the English breach of confidence tort for the first time, see Prince v. Strange, 1 Mac. & G. 25 (1849). 112 See Haenggi (1999), p. 533. 104
88
4 Past Trends in Decision and Conditioning Factors
legal level in Great Britain.113 And the English courts have recognized the right to privacy since the Human Rights Act was introduced.114
4.1.1.3
Latin American Countries
First of all, out of the 33 countries in Latin America,115 more than 10 have already enacted comprehensive privacy laws.116 While Argentina’s and Uruguay’s privacy laws are pretty similar to those that are applicable within the European Union,117 in other Latin American countries privacy legislation is still in the making.118 And although there are several laws already existing that Latin American countries are working with, it has to be mentioned that law enforcement has not been strong so far in Latin America as some of the law enforcement authorities had yet to be established.119 Yet, it can be said that in Latin America, privacy as well as data protection is an issue that countries care about—maybe as much as they do in Europe. In order to give an example, the Republic of Colombia provides fundamental protection for the right to privacy under its constitution treating the right to
113
See Morris (2008), p. 443. See, for example, the prominent case of Mosley v. News Group Newspapers Ltd., EWHC (QB) 1777,2, (Eng.) (2008). I this case, the English court fully grated the claimant his right to privacy. The court by balancing the right to privacy and other social interests ruled in favor of the protection of the claimant’s right to privacy, especially, as there was no public interest seen by the court as some of the allegations in the newspaper article in question were false. This way, the court recognized the right to privacy as an independent right as established by the European Convention and the Human Rights Act. The case of Mosley v. News Group Newspapers Ltd. Can be seen as a milestone for the right to privacy in the United Kingdom. See also Stanley (2011) wherethe author states that “Mosley marked a landmark moment for the English right to privacy”. 115 For a list of all the countries in Latin America and for further information on these countries, see United Nations Educational, Scientific and Cultural Organization (UNESCO). 116 As of 2015, Latin American countries with comprehensive privacy laws are the following: the Argentine Republic, Commonwealth of The Bahamas, Republic of Chile, Republic of Colombia, Republic of Costa Rica, Dominican Republic, United Mexican States, Republic of Nicaragua, Republic of Peru, Republic of Trinidad and Tobago, Oriental Republic of Uruguay. For further information, see Rich (2015). 117 Id. In addition, it has to be noted that the impact of the European Union on the privacy laws in European countries will be further exposed when it comes to the right to privacy in the context of modern technologies. 118 Id. Besides, in a number of countries, there is, at least, a draft of a new privacy law already existing. The situation concerning comprehensive privacy laws within Latin America will be discussed in more detail as soon as speaking of the right to privacy in the context of modern technologies. 119 Id. 114
4.1 The General Legal Protection of Privacy
89
privacy as a fundamental right,120 and as a groundbreaking statutory remedy called “habeas data”.121 After all, some Latin American countries have been enacting comprehensive privacy laws, so that a certain protection of the individual is granted under specific laws in some of the Latin American countries. Furthermore, in most Latin American countries the constitutions recognize the right to privacy—while the newer constitutions explicitly establish a right to privacy, the recognition, at least, of a certain concept of privacy can also be found in the older constitutions.122
120
See Article 15 of the Colombian Constitution: All individuals have the right to personal and family privacy and to their good reputation, and the State has to respect them and to make others respect them. Similarly, individuals have the right to know, update, and rectify information collected about them in data banks and in the records of public and private entities. Freedom and the other guarantees approved in the Constitution will be respected in the collection, processing, and circulation of data. Correspondence and other forms of private communication may not be violated. They may only be intercepted or recorded on the basis of a court order in cases and following the formalities established by law. For tax or legal purposes and for cases of inspection, the oversight and intervention of the State may demand making available accounting records and other private documents within the limits provided by law.
For the complete document, see Constitution of the Republic of Colombia (1991). As already mentioned in Chap. 2, habeas data is a constitutional remedy that provides the individual with the option to find out what exact data was collected about him- or herself. It can be found mostly in Latin American countries. For more information on habeas data, see González (2015). The abstract of González—article states:
121
Habeas data enables individuals to petition their government, and certain private entities, to learn what information has been kept on them and for what purposes, as well as to challenge, rectify, and even delete such information. With the recent revelations of the National Security Agency’s massive electronic surveillance of people throughout and beyond the United States, learning about habeas data could constitute a vital intervention for the discourse of U.S.-based legal scholars writing in English, as well as for the community of critical socio-legal scholars who affiliate with LatCrit. To both constituencies, the afterword urges attending carefully to the terrible histories that birthed habeas data, while being cognizant of their continuities with today’s “neoliberal states of insecurity and surveillance,” in order to fashion a strategic alliance capable of grounding habeas data rights within the United States Constitution. See also Farivar (2018). Also, in other countries such as, for example, the Argentine Republic or the Federative Republic of Brazil the statutory remedy of habeas data was implemented. This will be further explained when it comes to the right to privacy in the context of modern technologies. 122 For an overview of the protection of privacy in the constitutions of all the countries around the world, see supra note 18 at 205–255.
90
4.1.2
4 Past Trends in Decision and Conditioning Factors
International Law
After taking a look at some state practice—especially examining constitutions and specific laws that were created in order to protect individuals’ privacy in different legal systems, in what follows, the focus should be on the right to privacy in the international context. Overall, if one comes to the conclusion that the right to privacy should be recognized and granted to individuals, the question becomes whether such legal protection or recognition is to be protected internationally, beyond the sovereignty of individual states. If one argues that privacy should be granted to each and every individual due to the simple fact of him or her being human, what about the right to privacy on the international level? Are there treaties and customary international law as well as jurisprudence guaranteeing the right to privacy? And if so, could one say that there is a right to privacy as a norm of international law? And what about human rights? Maybe the right to privacy could have already reached the status of a recognized human right under customary international law? Has there been enough of the necessary consensus in order to reach that status? What is the exact legal status the right to privacy has achieved so far in the international context? When it comes to the international level, there usually has been a human need first that then might be responded to by the legal system as an internationally recognized right. The process of transforming such a need—as, for example, privacy that is being considered a fundamental human need123—into law is usually a pretty complex one. Especially, when speaking of the recognition of a human need as a human right, it is important to know that this would be considered a step taken as “last resort” only if other ways of protecting essential needs of individuals are not available.124 It has to be made clear that not every claim to a right that might be seen as important is also considered a right that falls under international legal protection. There are some rights that are recognized as fundamental rights by the international community while others are not. The two main sources of international law are international treaties and customary international law.125 123
See Sect. 2.5. See Helfer and Slaughter (1997), pp. 273, 345. See also Donnelly (2003), p. 12. 125 The definition of the two main sources of international law, international treaties and customary international law, can be found in Article 38 (1) (a) and (b) of the Statute of the International Court of Justice. A third source, general principles of law recognized by civilized nations is listed in Article 38 (1) (c) ICJ Statute, but it is of lesser significance in our context. The Statute of the International Court of Justice (ICJ) consists of 70 articles. This statute was created in 1945 under the Charter of the United Nations in order to form be the principal judicial organ of the United Nations. The statute’s main instrument meaning the Statute of the Court is an essential part of the Charter of the United Nations. The Statute of the International Court of Justice was published on April 18th, 1946. See Rome Statute of the International Criminal Court (ICJ). It also should be pointed at the most recent statement by the International Law Commission (ILC) on the identification of such rules for customary international law, see International Law Commission (2018). 124
4.1 The General Legal Protection of Privacy
4.1.2.1
91
Treaty Law
The examples already given regarding state law and practice show that the general right to privacy must have become somehow customary international law.126 Overall, when speaking of criminal law and the context of search and seizure, it has to be noted that the right to privacy has been recognized by so many countries’ laws that the right to privacy has been considered customary international law as state practice as well as opinio juris were matched.127 Nevertheless, the Rome Statute for the International Criminal Court does not contain a right specifically referring to search and seizure and therefore, has received lots of criticism.128 But it has to be pointed out that the most important international instruments that have been developed by the United Nations refer to certain freedoms and rights for the individual which could be falling under the term of the right to privacy. And when it comes to international human rights law, there is a pretty clear universal understanding not only for the promotion, but also the protection of the right to privacy. First and foremost, the 1948 Universal Declaration of Human Rights has to be mentioned.129 It specifically protects privacy of one’s home as well as privacy of communications as its Article 12 states: No-one should be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks on his honor or reputation. Everyone has the right to the protection of the law against such interferences or attacks.130
Although the Universal Declaration of Human Rights is the very first document listing a number of rights that are not necessary in order to live or survive, but rather in order for individuals to be able to live a life in dignity, it was not adopted by the United Nations General Assembly131 in 1948 to force states to comply with legal obligations enumerated in the document, and there are the two principal documents
In order to get an overview of different theories of international law, see Wiessner (2017), pp. 1–78. 126 Customary international law as the second most important source of international law requires two elements (state practice to prove custom and so-called opinio juris) in order to establish a principle or rule that falls under customary international law. See Edwards (2001), p. 327. 127 Id. 128 See Walker (2004), p. 277. 129 Universal Declaration of Human Rights, G.A. Res. 217 (III) A U.N. Doc. A/RES/217(III) (Dec 10, 1948) [hereinafter UDHR]. 130 Id. It has to be also noted that Article 3 of the Universal Declaration of Human Rights states: Everyone has the right to life, liberty and the security of one’s person. 131
For further information on the United Nations General Assembly, see General Assembly of the United Nations (2020). There, the General Assembly’s powers and functions are described as the following: General Assembly (GA) is the main deliberative, policymaking and representative organ of the UN.
92
4 Past Trends in Decision and Conditioning Factors
that followed this declaration. These are the International Covenant on Civil and Political Rights132 and the International Covenant on Economic, Social and Cultural Rights.133 They were adopted being legally binding documents for those states that chose to ratify them. In this context, it is interesting to cite Eleanor Roosevelt who was a U.S. representative to the U.N.’s General Assembly during the time when the Universal Declaration of Human Rights was adopted and who also was chairwoman of the U.N. Commission on Human Rights when this declaration was drafted: In giving our approval to the declaration today, it is of primary importance that we keep clearly in mind the basic character of the document. It is not a treaty; it is not an international agreement. It is not and does not purport to be a statement of law or of legal obligation. It is a declaration of basic principles of human rights and freedoms, to be stamped with the approval of the General Assembly by formal vote of its members, and to serve as a common standard of achievement for all peoples of all nations.134
The International Covenant on Civil and Political Rights refers to privacy in its Article 17: 1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation. 2. Everyone has the right to the protection of the law against such interference or attacks.135
Decisions on important questions, such as those on peace and security, admission of new members and budgetary matters, require a two-thirds majority. Decisions on other questions are by simple majority. Each country has one vote. Some Member States in arrear of payment may be granted the right to vote. 132
The International Covenant on Civil and Political Rights consists of 53 articles. This covenant was adopted by the United Nations General Assembly on December 16th, 1966 and entered into force on March 23th, 1976. For further information on the, see International Covenant on Civil and Political Rights (ICCPR). 133 The International Covenant on Economic, Social and Cultural Rights consists of 31 articles. This covenant was adopted by the United Nations General Assembly on December 16th, 1966 and entered into force on January 3rd, 1976. For further information, see on International Covenant on Economic, Social and Cultural Rights (ICESCR). 134 It also has to be noted that the Universal Declaration of Human Rights has gained more and more legal relevance over time, so that there has been even the argument of all the rights of this declaration being customary international by now. See Kaladharan Nayar (1978), pp. 813, 815–817. See also Myres S. McDougal et al. (1980). Besides, see Blum and Steinhardt (1981), pp. 53, 69–70. As it will be further explained below, most, but not all of the rights under the Universal Declaration of Human Rights reflect customary international law. 135 Supra note 132.
4.1 The General Legal Protection of Privacy
93
Furthermore, the General Comment136 on Article 17 has to be mentioned, the CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to respect Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation.137 The Human Rights Committee starts its interpretation of Article 17 by stating: Article 17 provides for the right of every person to be protected against arbitrary or unlawful interference with his privacy, family, home or correspondence as well as against unlawful attacks on his honour and reputation. In the view of the Committee this right is required to be guaranteed against all such interferences and attacks whether they emanate from State authorities or from natural or legal persons. The obligations imposed by this article require the State to adopt legislative and other measures to give effect to the prohibition against such interferences and attacks as well as to the protection of this right.138
Besides, the Human Rights Committee asks the states to only retrieve the private information of an individual if this information is of essence for the society as a whole.139 And states should not interfere with the right to privacy as described by The International Covenant on Civil and Political Rights, but rather offer sufficient rules and regulations that make sure that an individual is protected against violations
136
General comments are published by the different Human Rights treaty bodies such as, for example, the United Nations Human Right Committee (HRC). The treaty bodies give their interpretation on the human rights treaty they are in charge of. Interpreting the treaty’s provisions leads to general comments, also sometimes called general recommendations. The comments refer to lots of different subjects. For further information, see United Nations Human Rights Office of the High Commissioner (2020) There, it says: These comments cover a wide range of subjects, from the comprehensive interpretation of substantive provisions, such as the right to life or the right to adequate food, to general guidance on the information that should be submitted in State reports relating to specific articles of the treaties. General comments have also dealt with wider, cross-cutting issues, such as the role of national human rights institutions, the rights of persons with disabilities, violence against women and the rights of minorities.
137
See UN Human Rights Committee (HRC). This comment was adopted at the Thirty-second Session of the Human Rights Committee on April 8th, 1988 and also published by the Human Rights Committee. It will be referred to as “General Comment No. 16” when being further discussed. 138 Id. Paragraph 1 of General Comment No. 16. 139 Paragraph 7 of General Comment No. 16 states: As all persons live in society, the protection of privacy is necessarily relative. However, the competent public authorities should only be able to call for such information relating to an individual’s private life the knowledge of which is essential in the interests of society as understood under the Covenant. Accordingly, the Committee recommends that States should indicate in their reports the laws and regulations that govern authorized interferences with private life.
94
4 Past Trends in Decision and Conditioning Factors
against the right to privacy.140 This General Comment is also referring to the right to privacy in the context of new technologies which is going to be further explained later on.141 Furthermore, a large number of human rights treaties also refer to privacy as a right142—for example, the International Convention on the Protection of All Migrant Workers and Members of Their Families.143 Its Article 14 states: No migrant worker or member of his or her family shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home, correspondence or other communications, or to unlawful attacks on his or her honour and reputation. Each migrant worker and member of his or her family shall have the right to the protection of the law against such interference or attacks.
Moreover, there is also the UN Convention on the Rights of the Child stating in its Article 16: No child should be subjected to arbitrary or unlawful interference with his or her privacy, family home or correspondence.144
To give another example on the regional level, there is also the 1950 Convention for the Protection of Human Rights and Fundamental Freedoms being the oldest and arguably most effective human rights treaty that, as already cited before, states in its Article 8:
140
Paragraph 9 of General Comment No. 16 states: States parties are under a duty themselves not to engage in interferences inconsistent with article 17 of the Covenant and to provide the legislative framework prohibiting such acts by natural or legal persons. Also, Paragraph 8 of General Comment No. 16 states: Even with regard to interferences that conform to the Covenant, relevant legislation must specify in detail the precise circumstances in which such interferences may be permitted. A decision to make use of such authorized interference must be made only by the authority designated under the law, and on a case-by-case basis. Compliance with article 17 requires that the integrity and confidentiality of correspondence should be guaranteed de jure and de facto. Correspondence should be delivered to the addressee without interception and without being opened or otherwise read. Surveillance, whether electronic or otherwise, interceptions of telephonic, telegraphic and other forms of communication, wire-tapping and recording of conversations should be prohibited. Searches of a person’s home should be restricted to a search for necessary evidence and should not be allowed to amount to harassment. So far as personal and body search is concerned, effective measures should ensure that such searches are carried out in a manner consistent with the dignity of the person who is being searched. [. . .]
141
See paragraph 10 of General Comment No. 16. Besides and as said, there are usually also interpretive documents such as the so-called General Comments and the concluding observations of the monitoring bodies such as, for example, the Human Rights Committee that monitors the International Covenant on Civil and Political Rights. 143 See Article 14 of the International Convention on the Protection of All Migrant Workers and Members of Their Families (A/RES/45/158). 144 See Convention on the Rights of the Child (A/RES/44/25). 142
4.1 The General Legal Protection of Privacy
95
(1) Everyone has the right to respect for his private and family life, his home and his correspondence. (2) There shall be no interference by a public authority with the exercise of this right except as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health of morals, or for the protection of the rights and freedoms of others.145
Besides, speaking of the regional level and human rights law, there are the American Convention on Human Rights as well as the European Convention for the Protection of Human Rights and Fundamental Freedoms protecting the right to privacy. The 1969 American Convention on Human Rights also guarantees the right to privacy.146 This convention is very similar to the foundation offered by the Universal Declaration of Human Rights. The American Convention on Human Rights states in its Article 11: 1. Everyone has the right to have his honor respected and his dignity recognized. 2. No one may be the object of arbitrary or abusive interference with his private life, his family, his home, or his correspondence, or of unlawful attacks on his honor or reputation. 3. Everyone has the right of the protection of the law against such interference or attacks. No one may be the object of arbitrary or abusive interference with his private life, his family, [or] his home.
Furthermore, Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms states: 1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.147
In addition, not only must I mention the European Convention for the Protection of Human Rights and Fundamental Freedoms, but also the Charter of Fundamental Rights of
145
Supra note 71. See Article 11 of the American Convention on Human Rights “Pact of San José, Costa Rica” (O.A.S. Treaty Series No. 36, at 1, O.A.S. Off. Rec. OEA/Ser. L/V/II.23 dec rev. 2). Besides, the Organization for American States proclaimed the American Declaration of the Rights and Duties of Man in 1965. This declaration includes the protection of numerous human rights—for example, the right to privacy—and the Inter-American Court of Human Rights started to address the right to privacy in some of its more recent cases. 147 See supra note 71. 146
96
4 Past Trends in Decision and Conditioning Factors
the European Union148 as referring to privacy. Moreover, the Charter of Fundamental Rights of the European Union refers to privacy in two of its Articles: Article 7 Respect for private and family life Everyone has the right to respect for his or her private and family life, home and communications.149
Moreover, Article 8 of the Charter of Fundamental Rights of the European Union states: Article 8 Protection of personal data: 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purpose and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data, which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.150
Furthermore, much case law has been developed under the jurisprudence of the European Court of Human Rights, as well as the European Court of Justice.151 Also, the American Declaration of the Rights and Duties of Man refers to the right to privacy as well.152 For example, Article 5 of the American Declaration of the Rights and Duties of Man states: 148
See Charter of Fundamental Rights of the European Union (2012/C 326/02). It has to be noted that the Charter of Fundamental Rights of the European Union was already ratified on December 7 of 2000, but it only was fully legally binding when the Treaty of Lisbon entered into force on December 1 of 2009. 149 Id. 150 Id. 151 To give an example, the case of Von Hannover v. Germany was decided by the European Court of Human Rights in 2004. The court found that there has been a breach of Article 8 of European Convention on Human Rights because of a specific German law. For further information, see Von Hannover v. Germany, ECHR 294 (2004). The European Convention on Human Rights is available at https://www.echr.coe.int/ Documents/Convention_ENG.pdf. 152 Here are all the different articles that address the right to privacy: ● Article V. Right to protection of honor, personal reputation, and private and family life. Every person has the right to the protection of the law against abusive attacks upon his honor, his reputation, and his private and family life. ● Article IX. Right to inviolability of the home. Every person has the right to the inviolability of his home. ● Article X. Right to the inviolability and transmission of his correspondence. Every person has the right to the Inviolability and transmission of his correspondence.
4.1 The General Legal Protection of Privacy
97
Article V. Right to protection of honor, personal reputation, and private and family life. Every person has the right to the protection of the law against abusive attacks upon his honor, his reputation, and his private and family life.
Also, looking at the African Charter on Human and People’s Rights, although this document does not include a specific section on privacy, it states in its Article 5: Every individual shall have the right to the respect of the dignity inherent in a human being and to the recognition of its legal status. All forms of exploitation and degradation of man particularly slavery, slave trade, torture, cruel, inhuman or degrading punishment and treatment shall be prohibited.153
After all, there are many other human rights instruments that are referring to the right to privacy and that will be further discussed when coming to the right to privacy and social media—for example, the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data,154 the Council of Europe Recommendation No. R(99) 5 for the protection of privacy on the Internet,155 the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,156 the Declaration of Principles on Freedom of Expression in Africa157 to only mention some of them.158
153
See African Charter on Human and People’s Rights (No. 26363). See Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Treaty No. 108). 155 See Recommendation No. R(99) 5 for the protection of privacy on the Internet (1999). 156 For further information on this directive, see Directive 95/46/EC (1995). 157 See Declaration of Principles on Freedom of Expression in Africa (2002). 158 To provide some more examples: 154
• • •
Article 21 of the Human Rights Declaration of the Association of the Southeast Asian Nations, see Association of Southeast Asian Nations (ASEAN) (2012), Articles 15 and 21 of the Arab Charter on Human Rights, see Arab Charter on Human Rights (1994) and Article 18 of the Cairo Declaration on Human Rights in Islam, see Cairo Declaration on Human Rights in Islam (1990).
98
4 Past Trends in Decision and Conditioning Factors
It has to be further pointed at the fact that since 2015, there is a UN special rapporteur159 on the right to privacy.160 This Special Rapporteur’s duty is to visit countries in order to examine and report on privacy there and one of the main tasks is also releasing annual reports.161 Moreover, it has to be mentioned that the 34th Session of the UN Human Rights Council that was held from February 27 till March 24, of 2017 has been focused on the right to privacy. A center piece of discussion was the report of the Special Rapporteur on the right to privacy, but this was not the only report dealing with the
159
To give a brief explanation of what a Special Rapporteur is, the position of a Special Rapporteur can be described as an honorary one or of an independent expert. While being part of the Special Procedures of the Human Rights Council, the work of this expert consists of examining and reporting back on a specific human rights theme or a particular situation in a certain country. Although a Special Rapporteur is appointed by the Human Rights Council, he or she is not considered being a member of the staff of the United Nations and therefore, he or she does not get paid for his or her work. The Special Rapporteur on the right to privacy get appointed for 3 years and the first person who came to fill this position was Prof. Joseph Cannataci of Malta who was appointed by the Human Rights Council in July of 2015. 160 The mandate of this Special Rapporteur comes from the Human Rights Council’s Resolution 28/16 and is the following: (a) To gather relevant information, including on international and national frameworks, national practices and experience, to study trends, developments and challenges in relation to the right to privacy and to make recommendations to ensure its promotion and protection, including in connection with the challenges arising from new technologies; (b) To seek, receive and respond to information, while avoiding duplication, from States, the United Nations and its agencies, programmes and funds, regional human rights mechanisms, national human rights institutions, civil society organizations, the private sector, including business enterprises, and any other relevant stakeholders or parties; (c) To identify possible obstacles to the promotion and protection of the right to privacy, to identify, exchange and promote principles and best practices at the national, regional and international levels, and to submit proposals and recommendations to the Human Rights Council in that regard, including with a view to particular challenges arising in the digital age; (d ) To participate in and contribute to relevant international conferences and events with the aim of promoting a systematic and coherent approach on issues pertaining to the mandate; (e) To raise awareness concerning the importance of promoting and protecting the right to privacy, including with a view to particular challenges arising in the digital age, as well as concerning the importance of providing individuals whose right to privacy has been violated with access to effective remedy, consistent with international human rights obligations; ( f ) To integrate a gender perspective throughout the work of the mandate; (g) To report on alleged violations, wherever they may occur, of the right to privacy, as set out in article 12 of the Universal Declaration of Human Rights and article 17 of the International Covenant on Civil and Political Rights, including in connection with the challenges arising from new technologies, and to draw the attention of the Council and the United Nations High Commissioner for Human Rights to situations of particularly serious concern; (h) To submit an annual report to the Human Rights Council and to the General Assembly, starting at the thirty-first session and the seventy-first session respectively. 161
The annual reports are published by the United Nations Human Rights Office of the High Commissioner. For a list of the Annual reports of the Special Rapporteur on the right to privacy, see United Nations Human Rights Office of the High Commissioner (OHCHR).
4.1 The General Legal Protection of Privacy
99
right to privacy.162 Last but not least, there are two UN General Assembly resolutions that also have to be mentioned: the ever first resolution on the right to privacy 2013163 and November 21, 2016 UN resolution on the right to privacy in the digital age.164 Summing up, it can be said that not only taking into account the historical and philosophical developments regarding the concept of privacy, but also the legal decisions that have been made by states as well as international legal institutions over time, privacy as a general right has been recognized by most of today’s national legal systems as well as by the international community.
4.1.2.2
Customary International Law
There is also Customary International Law as the second most important source of international law.165 In order to establish a principle or rule that falls under customary international law, there are two elements needed: state practice to prove custom and so-called opinio juris.166 After all, it can be assumed that it has yet to be determined whether the right to privacy can be considered customary international law. Nevertheless, and especially looking at the most recent events, it is even more interesting to see if the protection of privacy in the context of electronic communications is granted. In the following, this matter will be further explored. To conclude the remarks on a general right to privacy, I would like to refer to Alexandra Rengel who describes the right to privacy as the following: In the international law arena the right to privacy is widely accepted and specifically enumerated in the most important international instruments, and although it is not an absolute right, it
162
Id. For further information, see United Nations Human Rights Office of the High Commissioner (OHCHR) (2020). 164 Id. 165 As said, the definition of the two main sources of international law, international treaties and customary international law, can be found in Article 38 (1) (a) and (b) of the Statute of the International Court of Justice. See Rome Statute of the International Criminal Court (ICJ). 166 While state practice requires four elements—duration of practice, uniformity and consistency of the practice, generality and empirical extent of the practice and conformity of state practice—opinio juris demands that states are applying a certain practice because of legal obligation meaning that three elements—legality of the rules that are protecting the right, relationship of the right to international law and awareness of the states regarding the right—have to be met, or, as the Statue of the International Court of Justice states, “a general practice accepted as law”. Yet, it has to be noted that it is not necessary that all countries comply with state practice and opinion juris, but customary international law rather pretty widespread. Furthermore, it is also possible that customary international law is established instantly, see North Sea Continental Shelf Cases of the International Court of Justice, available at http://www.icj-cij.org/files/case-related/52/052-19690220-JUD-0100-EN.pdf. See also D’Amato (1971), pp. 95–99. 163
100
4 Past Trends in Decision and Conditioning Factors
is considered to be a legally recognizable right. In the context of individual countries, the right to privacy is specifically enumerated in the majority of the constitutions in the world. In countries whose constitutions do not contain a right to privacy, privacy protections have developed in the jurisprudence, and in some cases the right to privacy has been read as an implicit right. However, the definitional parameters of the right to privacy continue to expand as the right to privacy becomes more easily infringed. At the same time, as more national, regional, and international tribunals consider the protections granted to individuals by their right to privacy, the law will continue to evolve to meet society’s needs. Given the extensive amount of recognition, in international instruments of the right to privacy, the prominent place that the topic of privacy continues to occupy in writings and commentary, and the treatment as binding norm that the right to privacy has received in both national and international legal systems, it can be concluded that there is a general fundamental right to privacy under customary international law. Although the need for protection of the right to privacy continues to expand, it appears that in certain contexts there is widespread recognition that the right to privacy protects individuals from the actions of the state and third parties infringing on that right. Even though the right to privacy is not an absolute right and must be balanced against other societal interests, as with any other legally recognized fundamental right, the states’ actions must be reviewed with the presumption that the state’s interference is only permitted in situations where there are compelling governmental interests at stake.167
Accordingly, the conclusion on a right to privacy under customary international law has to be that a “general fundamental right to privacy”, as Rengel calls it, must be recognized under customary international law, and this right should only be limited by governmental interference if “compelling governmental interests” are in real danger.
4.2
The Protection of Privacy in the Context of Electronic Communications
Although it can be stated that, when the internet was born, it was long considered a place of freedom without any kind of borders and also a space where borders were not even possible to be established, over time, many came to the conclusion that the internet was a sphere where people could easily be controlled, influenced, manipulated and deprived from freedom and liberties.168 So, the internet became more of an instrument that was seen as a tool to control and deprive people from freedom, but there were no adequate instruments at hand in order to control the internet anyway.
167
See supra note 18 at 108. It is the author’s opinion that, at least, when Edward Snowden exposed his revelation to the whole world, basically nobody—meaning neither experts in the field of digital technologies nor the public and politicians—could deny the possible threats the internet imposes on people. 168
4.2 The Protection of Privacy in the Context of Electronic Communications
101
Especially, the law did not establish sufficient rules and regulations to address these issues. Although there is some substantive law169 and also jurisdiction,170 the lack of a true and consistent legal framework that also addresses human rights concerns as there is in the analog world cannot be denied. In this context, it should be mentioned that when it comes to anything that is not linked to the internet, there is a usually a number of different laws protecting the individual and his or her human rights—including international law and European Community law as well as national law on the state level. Furthermore, there is usually case law. That is why, one could speak of the analog protection of human rights in contrast to the digital protection of human rights because when it comes to the digital world, the protection of the individual is sometimes barely existing, overall, speaking of a legal protection on the international level.171 In what follows, the chapter will focus on the right to privacy and new technologies as these are closely connected to each other. It is clear that threats caused by modern technologies have always been requiring new privacy laws meeting the new needs imposed by those threats.172 The work of the U.N., especially, looking at the special rapporteur on the right to privacy, shows that the right and also the threat to privacy is often linked to the internet and also to social networks.173 Therefore, a closer look at the right to privacy in the context of electronic communications, over all, social networks is necessary. After all, it all comes down to information privacy law or data protection laws. But what is the definition of data protection? What is personal data? Is there some data that is more sensitive than other? And are there any national and/or international laws and guidelines that are dealing with the collection as well as processing and use of such data? And if so, what exactly is regulated and to whom do these rules apply? Are there any major requirements one always has to take into account when handling personal data? Are there any obligations for those who are collecting, using or processing personal data? And what are the individual’s duties and responsibilities if any? Could an individual claim any rights regarding his or her personal data? And what about the state? Does a government have certain responsibilities? What when it comes to security breaches or threats to national security? What does the company dealing with the data have to do? And what must be done by a state? Furthermore, thinking of processing personal data, what about third parties that might handle the processed data? Also, what about international data transfer? What happens if personal data is being transferred to another country’s territory? What are national
169
For example, in the Federal Republic of Germany, there can be some paragraphs found, overall, regarding private law, copy right, data privacy laws or consumer rights. Later on, different legislations of several countries will be further exposed. 170 Case law is also going to be discussed later on in more detail. 171 In the following, data protection is going to be further addressed and this way, the issue is going to be exposed in more detail. 172 See DeVries (2003), pp. 291–305. 173 See supra note 160.
102
4 Past Trends in Decision and Conditioning Factors
authorities’ obligations when dealing with data that has been transferred outside their own national jurisdiction? Are there any agreements on data transfer? And if there are such agreements and also laws and guidelines, what happens if these are not met? Can they be somehow enforced? And are there any sanctions or remedies in the case of non-compliance? To give a brief overview, it can be said that as of today data protection is being considered a fundamental digital human right.174 After the first data protection laws that were established in Germany in the 1970s, other European countries followed by also establishing such laws and European jurisdiction was picking up first cases concerning data protection. Besides, in 2009, data protection was recognized and incorporated into the Charter of Fundamental Rights of the European Union.175 Article 8 of the Charter of Fundamental Rights of the European Union states: Protection of personal data 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.
In addition, at the international level, data protection was recognized already since the 1980s—to give an example, the European guidelines of the Organization for Economic Cooperation and Development were established for data protection since the 1980s and there is also, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.176 The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
174
This applies, at least, to the Federal Republic of Germany where data protection has been addressed as a legal issue since the 1970s already and a famous Supreme Court judgment of 1983 led to granting data protection the status of being a fundamental digital human right on the German state level. The protection of privacy in the context of electronic communications on the national level in Germany as well as in other countries will be further discussed later on. 175 See supra note 148. 176 For more information, see supra note 154. There, it says: This Convention is the first binding international instrument which protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the transfrontier flow of personal data. In addition to providing guarantees in relation to the collection and processing of personal data, it outlaws the processing of “sensitive” data on a person’s race, politics, health, religion, sexual life, criminal record, etc., in the absence of proper legal safeguards. The Convention also enshrines the individual’s right to know that information is stored on him or her and, if necessary, to have it corrected. Restriction on the rights laid down in the Convention are only possible when overriding interests (e.g. State security, defence, etc.) are at stake. The Convention also imposes some restrictions on transborder flows of personal data to States where legal regulation does not provide equivalent protection.
4.2 The Protection of Privacy in the Context of Electronic Communications
103
could actually be seen as a starting point for the protection of the right to privacy in the context of electronic communications. Yet, it took until 1995 and the establishment of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data177 to actually have an impact on countries—especially, those that have a certain economic interest in the data gathered throughout the internet. In this context, the predominant states, like the United States or Russia and China, are still not participating in the protection of the individual and his or her personal data.178 In the following, the subject of whether the individual’s right to privacy is also protected in the context of social networks will be further explored. By doing so, it will be taken a closer look at the legal protection on the domestic level as well as on the international level. So, this chapter will focus on the right to privacy in the context of social networks. Not only should be given a survey of some of the most significant recent legal decisions by states, but also by international institutions. Following the previous order, a closer look at state practices within the United States as well as in Germany and Great Britain are going to be presented first.
4.2.1
Domestic Law
This leads to the part which will explore the protection of privacy in the context of electronic communications on the national level. So, starting with the protection of the individual’s right to privacy in the context of social networks on the domestic level, when it comes down to domestic law in the context of electronic communications and the right to privacy, it, once again, has to be noted that in most of the states around the globe, the law distinguishes between a public and a private realm and governments are usually not supposed to interfere with the private realm if their country’s law does not explicitly allow this. In addition, as already discussed, almost every country’s constitution worldwide recognizes a right to privacy and although the constitution’s provisions may differ from one another, most of them while referring to privacy involve the right of secrecy of communications as well as the
177
Directive 95/46/EC is the reference text, at European level, on the protection of personal data. It sets up a regulatory framework which seeks to strike a balance between a high level of protection for the privacy of individuals and the free movement of personal data within the European Union (EU). To do so, the Directive sets strict limits on the collection and use of personal data and demands that each Member State set up an independent national body responsible for the supervision of any activity linked to the processing of personal data. See Directive 95/46/EC (1995).
178
Until today, Russia as well as China just refuse to take any action, at all and the United States created a number of so-called “safe harbor privileges” in order to avoid falling under binding law. It will be taken a closer look at the different state practices when discussing the right to privacy in the context of electronic communications on the domestic level in the United States and other countries.
104
4 Past Trends in Decision and Conditioning Factors
right of inviolability of the home. Furthermore, those constitutions that were just recently adopted even include rights of access to and control of one’s personal information. So, how do the different countries protect their citizens from threats that are imposed by social networks? When it comes to state practice, the right to privacy was addressed in the specific context of social media in many countries already and, as of today, at least forty countries worldwide have enacted laws of information privacy and data protection.179
4.2.1.1
The United States
It must be noted that, in the United States of America, there is not one single or general law dealing with the subject of privacy when it comes to electronic communications. Instead of a single, comprehensive federal law on the national level that regulates the gathering of the individual’s personal data, unfortunately, as of today, the United States consists of a pretty confusing system of federal as well as state rules and regulations as well as laws that has lots of overlapping clauses.180 Although there are proposals each and every Congressional term in order to facilitate and to agree on certain standards on the federal and not just on the state level, there are only some federal laws that are touching the subject of privacy by regulating certain fields where personal data is collected and used.181 Furthermore, the United States does have consumer protection laws on the federal level that are protecting the individual in a pretty broad sense, but they do not particularly focus on the right to privacy. therefore, they cannot be considered being privacy laws. Nevertheless, they can serve to protect the individual’s personal data also in the context of electronic communications. In order to get a better idea of what laws are protecting the consumer on the federal level, one should take a look at the overview that is given by an expert in the field of privacy and data protection: Some of the most prominent federal privacy laws include, without limitation, the following: ● The Federal Trade Commission Act (15 U.S.C. §§41–58) (FTC Act) is a federal consumer protection law that prohibits unfair or deceptive practices and has been applied to offline and online privacy and data security policies. The FTC has brought many enforcement actions against companies failing to comply with posted privacy policies and for the unauthorised disclosure of personal data. The FTC is also the primary enforcer of the Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. §§6501–6506), which applies to the online collection of information from children, and the Self-Regulatory Principles for Behavioural Advertising.
179
Supra note 24 and supra note 69. Besides, it has to be noted that sometimes these rules even contradict one another. 181 To give some examples, these laws come into play in the field of finances or banking, when health information is involved, or in the case of electronic communications, but this includes things like telemarketing or commercial e-mails, not social networks. 180
4.2 The Protection of Privacy in the Context of Electronic Communications
105
● The Financial Services Modernization Act (Gramm-Leach-Bliley Act (GLB)) (15 U.S.C. §§6801–6827) regulates the collection, use and disclosure of financial information. It can apply broadly to financial institutions such as banks, securities firms and insurance companies, and to other businesses that provide financial services and products. GLB limits the disclosure of non-public personal information, and in some cases requires financial institutions to provide notice of their privacy practices and an opportunity for data subjects to opt out of having their information shared. In addition, there are several Privacy Rules promulgated by national banking agencies and the Safeguards Rule, Disposal Rule, and Red Flags Rule issued by the FTC that relate to the protection and disposal of financial data. ● The Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. §1301 et seq.) regulates medical information. It can apply broadly to health care providers, data processors, pharmacies and other entities that come into contact with medical information. The Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule) (45 C.F.R. Parts 160 and 164) apply to the collection and use of protected health information (PHI). The Security Standards for the Protection of Electronic Protected Health Information (HIPAA Security Rule) (45 C.F.R. 160 and 164) provides standards for protecting medical data. The Standards for Electronic Transactions (HIPAA Transactions Rule) (45 C.F.R. 160 and 162) applies to the electronic transmission of medical data. These HIPAA rules were revised in early 2013 under the HIPAA “Omnibus Rule”. ● The HIPAA Omnibus Rule also revised the Security Breach Notification Rule (45 C.F.R. Part 164) which requires covered entities to provide notice of a breach of protected health information. Under the revised rule, a covered entity must provide notice of acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule, unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised. ● The Fair Credit Reporting Act (15 U.S.C. §1681) (and the Fair and Accurate Credit Transactions Act (Pub. L. No. 108–159) which amended the Fair Credit Reporting Act) applies to consumer reporting agencies, those who use consumer reports (such as a lender) and those who provide consumer-reporting information (such as a credit card company). Consumer reports are any communication issued by a consumer reporting agency that relates to a consumer’s creditworthiness, credit history, credit capacity, character, and general reputation that is used to evaluate a consumer’s eligibility for credit or insurance. ● The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) (15 U.S.C. §§7701–7713 and 18 U.S.C. §1037) and the Telephone Consumer Protection Act (47 U.S.C. §227 et seq.) regulate the collection and use of e-mail addresses and telephone numbers, respectively. ● The Electronic Communications Privacy Act (18 U.S.C. §2510) and the Computer Fraud and Abuse Act (18 U.S.C. §1030) regulate the interception of electronic communications and computer tampering, respectively. A class action complaint filed in late 2008 alleged that internet service providers (ISPs) and a targeted advertising company violated these statutes by intercepting data sent between individuals’ computers and ISP servers (known as deep packet inspection). This is the same practice engaged in by Phorm in the UK and several UK telecommunications companies that resulted in an investigation by the European Commission. ● In 2016, Congress enacted the Judicial Redress Act, giving citizens of certain ally nations (notably, EU member states) the right to seek redress in US courts for privacy violations when their personal information is shared with law enforcement agencies. ● On 3 April 2017, President Donald Trump signed into law a bill that repealed a set of privacy and data security regulations for broadband internet service providers adopted by the
106
4 Past Trends in Decision and Conditioning Factors
Federal Communications Commission (FCC) in the last months of the Obama administration. The FCC adopted the Privacy Rule for broadband ISPs at the end of October 2016, after acknowledging that “the current federal privacy regime, including the important leadership of the Federal Trade Commission (FTC) and the Administration efforts to protect consumer privacy, does not now comprehensively apply the traditional principles of privacy protection to these 21st Century telecommunications services provided by broadband networks.” The FCC Privacy Rule (which would have taken effect later in 2017) established a framework of customer consent required for ISPs to use and share their customers’ personal information that was calibrated to the sensitivity of the information. The rules would have incorporated the controversial inclusion of browsing history and apps usage as sensitive information, requiring opt-in consent. They also would have included data security and breach notification requirements. The Federal Trade Commission (FTC), which oversees consumer privacy compliance for other companies, does not currently treat consumer browsing history or apps usage as sensitive data.182
Furthermore, governmental agencies and/or initiates coming from the US industry have been establishing guidelines that are not binding law, but considered best practices. Summing up, it must be recognized that the United States does not have as much legislation when it comes to data privacy as most other countries that regulate the protection of privacy in the context of electronic communication, at least, when speaking of federal laws. This could be because of the fact that a lot of the issues at hand are left to the different states in order for them to establish state laws.183 Yet, there are several federal laws that address data privacy—for example, the Children’s Online Privacy Protection Rule184 or the Health Insurance Portability and Accountability Act of 1996.185 And the Federal Trade Commission186 is in charge of protecting consumers including their personal data. So, as there are only a few rules and regulations at the federal level and as, obviously, the laws of the different states are not always the same—not only because of a different state practice, but also according to the various industries located in each and every state—and there are many different laws, it can be stated that United States law is pretty confusing when it comes to data protection and privacy policies.
182
For further information, see Jolly (2020). Besides, data protection would not be the only subject mostly taken care of by each state itself as there are also many different laws regarding the general protection of privacy as seen above when presenting different Supreme Court cases over the years. 184 The Children’s Online Privacy Protection Rule dates back to 1998 and has to be applied as soon data is collected of any individual under the age of 13, see Children’s Online Privacy Protection Rule (COPPA). 185 The Health Insurance Portability and Accountability Act of 1996 establishes rules for information with regard to a person’s health. For further information, see Health Insurance Portability and Accountability Act of 1996 (HIPAA). 186 The Federal Trade Commission is an independent governmental agency founded in the early 1900s in order to protect consumers and although this agency does not mandate any privacy policies, it does forbid practices that might be misleading ones. For further information, see Federal Trade Commission (FTC). 183
4.2 The Protection of Privacy in the Context of Electronic Communications
107
Going back to the example of California, the state of California has the California Online Privacy Protection Act (CalOPPA)187 that is pretty strict compared to other laws as this act establishes that any website dealing with personal data of its users has to provide the user with a privacy policy.188 Furthermore, not only does the law apply to websites that are based in the State of California, but also to those websites that are handling personal data from an individual who is a resident of the State of California.189 This way, it can be tricky for an owner of a website not only to apply the right law of all the many laws existing in the United States in general, but also to comply with California law in particular.190
4.2.1.2
Countries Within Europe
When it comes to the European Union, it has to be noted that the laws of the European Union were mostly adopting those ideas and models the Council of Europe as well as the Organization for Economic Cooperation and Development have been presenting.191 In the following, it will be further explained what instruments are important while discussing the protection of privacy in the context of electronic communications on the international level, but first of all, it will be taken a closer look at different countries within the European Union.
The California Online Privacy Protection Act is the United States’ very first law that forces a website to include a privacy policy. For further information, see Education Foundation Consumer Federation of California (CFC). 188 This privacy policy must contain the privacy policy’s effective date, the type of personal data that is being collected, third parties the website shares the data with as well as how an individual user of the website is able to review and/or change his or her personal data and how the website is going to update its users in case of changes to its privacy policy. Id. It can be said that the CalOPPA is similar to the GDPR. 189 This becomes clear when the law defines the term operator in Section 22577 by stating: 187
The term “operator” means any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes. Id. 190
It becomes clear that it is crucial to anybody who runs a website to comply with the California Online Privacy Protection Act as soon as one deals with personal data from any individual residing in the State of California. For further information on some of the most important laws concerning privacy protection not only in the State of California, but also at the federal level, see Office of the Attorney General (OAG) State of California Department of Justice (2020). For state social media privacy laws, see also National Conference of State Legislatures (NCSL). 191 See Global Internet Liberty Campaign (GILC).
108
4 Past Trends in Decision and Conditioning Factors
The Federal Republic of Germany As already pointed out before, one could say that the Federal Republic of Germany is well-equipped with laws and legislation when it comes to the right to privacy, especially, in regards to modern technologies.192 Moreover, it has to be noted that the German citizens won the first place when it comes to data protection according to a global internet privacy study that was performed in 2014 by EMC Corporation (NYSE: EMC), the so-called EMC Privacy Index.193 The EMC Privacy Index is a global study that was performed in order to find out about consumer’s points of view regarding online privacy. It was performed amongst 15 countries around the world including a total amount of 15,000 people that were questioned. In the end, the EMC Privacy Index comes to the conclusion that different consumers assess privacy in very different ways. The study shows a wide variety of points of view. The differences are mostly based on the different geographical locations of the people involved and the type of activity these people were engaged in while surfing the internet. The EMC Privacy Index came to the conclusion that most individuals are longing for the benefits technology can offer them, but without giving up their privacy.194 This way, tree paradoxes could be detected: “We Want It All” Paradox This paradox stands for those consumers who wish for all the conveniences new modern digital technology offers them, but at the same time these very same consumers are not willing to sacrifice their privacy.
See the section “The Federal Republic of Germany”. In order to find out about consumer’s points of view regarding online privacy, the EMC Privacy Index was performed in 2014. For further information on this global internet privacy study, see “Studie zu Datenschutz in den USA. Amerikaner sind misstrauischer”, die tageszeitung (November 20, 2014). 194 For more information on the EMC Privacy Index, see supra note 99 and 100. There, one can find the following interesting facts: 192 193
STORY HIGHLIGHTS – Taps into privacy attitudes of 15,000 consumers from 15 countries – 91% of respondents value the benefit of “easier access to information and knowledge” that digital technology affords – Only 27% say they are willing to trade some privacy for greater convenience and ease online – Only 41% believe government is committed to protecting their privacy – 81% expect privacy to erode over the next five years; 59% say they have less privacy than a year ago.
4.2 The Protection of Privacy in the Context of Electronic Communications
109
“Take No Action” Paradox This paradox reflects the fact that even if a consumer’s privacy is at risk and this circumstance might have a direct impact on a consumer, nevertheless, in most cases, the consumer at risk would not take any measurements in order to protect his or her privacy online, but rather relies on those who are actually gathering and processing his or her very own data. “Social Sharing” Paradox This paradox means that while the consumers who are making use of social media sites are the opinion of not trusting social networks, but who are rather valuing privacy big time, these very same cosumers still freely and willingly spread huge amounts of their very own and personal data amongst all kind of social network platforms.195
195
In order to better understand these three paradoxes, read the key findings: - “We Want It All” Paradox – Irrespective of persona and type of benefit, people have very little willingness to trade privacy for the benefits of digital technology: – 91% of respondents value the benefit of “easier access to information and knowledge” that digital technology affords – Only 27% say they are willing to trade some privacy for greater convenience and ease online – 85% of respondents value “the use of digital technology for protection from terrorist and/or criminal activity; however, only 54% say they are willing to trade some of their privacy for this protection” – Respondents over the age of 55 across a sampling of countries say they are less willing to trade privacy for convenience and desire more control over their personal data - “Take No Action” Paradox – More than half of all respondents reported that they have experienced a data breach (email account hacked; mobile device lost or stolen; social media account hacked; and more.) Many are not taking measures to protect themselves: – 62% don’t change passwords regularly – 4 out of 10 don’t customize privacy settings on social networks – 39% don’t use password-protection on mobile device – Respondents listed businesses using, selling or trading personal data for financial gain (51%) and the lack of government attention (31%) among the top risks to the future of privacy. Similarly, “a lack of personal oversight and attention from regular people like me” was ranked very low (11%) – A sampling of people over the age of 55 report they are much less likely to password protect their mobile devices or change the privacy settings on their social networks - “Social Sharing” Paradox – Use of social media sites continues to explode despite: – Respondents expecting that their privacy on social media will be most difficult to maintain in the next five years
110
4 Past Trends in Decision and Conditioning Factors
When speaking of the Federal Republic of Germany and the right to privacy in the context of electronic communications, there is, foremost, the Federal Data Protection Act (Bundesdatenschutzgesetz) being an ordinary federal statute.196 Furthermore, and as already explained, there are also the so-called “Landesdatenschutzgesetze” as every one of the sixteen German federal states has its own law concerning data protection, accordingly there are 16 “Landesdatenschutzgesetze”.197 In this context, it, once again, has to be noted that the German Federal State of Hesse established the very first law concerning the protection of data privacy worldwide.198 Moreover, Germany’s newly adopted Network Enforcement Act (Netzwerkdurchsetzungsgesetz) has entered into force that also addresses the issues concerning the right to privacy and social networks.199 The Network Enforcement Act, consists of six sections and entered into force at the beginning of 2018 and it was intended to eliminate a gap that the German Telemedia Act (Telemediengesetz) left as the Telemediengesetz does not force anybody to remove certain content that is unlawful, but rather relies on its approach to a voluntary cooperation of the different
– A belief among consumers that the skills and ethics of institutions to protect the privacy of personal data on social media sites are low; – Just 51% claim to have confidence in the skills of these providers to protect personal data, and just 39% claim to have confidence in those organizations’ ethics – The vast majority of consumers (84%) claim they don’t like anyone knowing anything about them or their habits unless they make a decision themselves to share that information – A sampling of respondents over the age of 65 are substantially more concerned about their privacy, citing the least willingness to let other people know about their online habits A Stark Global Privacy Outlook – The confidence people have in their levels of privacy is degrading over time – Compared to a year ago, 59% of global respondents feel they have less privacy now – Brazil and the United States reported the highest percentage of respondents who feel they have less privacy now, with 71% and 70% respectively – France is the only country with a majority (56%) that disagrees with the statement that they have less privacy now than they did a year ago – A large majority of respondents (81%) expect privacy will decrease in the next five years These findings suggest consumers are likely to engage in more online activities with institutions that demonstrate greater privacy protection. This presents real opportunities that business and governments must not ignore. Id. 196
See Federal Data Protection Act (BDSG). See also supra note 83. The term Landesdatenschutzgesetz means laws to protect data on the state level rather than the national level as Landesdatenschutzgesetze are ordinary statutes as well, but not on the national level, but rather on the state level, so that each of the 16 different states of the Federal Republic of Germany may have their own data protection law. For further information, see Hotter (2011), pp. 193, 196–197. 198 Supra note 87. 199 See supra note 85. 197
4.2 The Protection of Privacy in the Context of Electronic Communications
111
parties involved.200 Besides, it has to be pointed out that this law consists of sections that refer to social networks in particular establishing a set of rules for providers of social networks, for example, an obligation of providing reports if there has been a certain amount of complaints.201
200
For further information on the Network Enforcement Act, see Deutscher Bundestag (Netzwerkdurchsuchungsgesetz). There, it says, for example: Das Netzwerkdurchsetzungsgesetz verpflichtet Plattformbetreiber, ein wirksames und transparentes Verfahren für den Umgang mit Beschwerden vorzuhalten, das für Nutzer leicht erkennbar, unmittelbar erreichbar und ständig verfügbar ist. Offensichtlich rechtswidrige Inhalte müssen in der Regel innerhalb von 24 Stunden nach Eingang der Beschwerde entfernt werden. Für Inhalte, deren Rechtswidrigkeit nicht offensichtlich ist, gilt im Grundsatz eine Sieben-Tages-Frist. Eine Überschreitung soll möglich sein, wenn begründet mehr Zeit für die rechtliche Prüfung benötigt wird. 201
Section 2 of the Network Enforcement Act reads as the following: Reporting obligation (1) Providers of social networks which receive more than 100 complaints per calendar year about unlawful content shall be obliged to produce half-yearly German-language reports on the handling of complaints about unlawful content on their platforms, covering the points enumerated in subsection (2), and shall be obliged to publish these reports in the Federal Gazette and on their own website no later than one month after the half-year concerned has ended. The reports published on their own website shall be easily recognisable, directly accessible and permanently available. (2) The reports shall cover at least the following points: 1. general observations outlining the efforts undertaken by the provider of the social network to eliminate criminally punishable activity on the platform, 2. description of the mechanisms for submitting complaints about unlawful content and the criteria applied in deciding whether to delete or block unlawful content, 3. number of incoming complaints about unlawful content in the reporting period, broken down according to whether the complaints were submitted by complaints bodies or by users, and according to the reason for the complaint, 4. organisation, personnel resources, specialist and linguistic expertise in the units responsible for processing complaints, as well as training and support of the persons responsible for processing complaints, 5. membership of industry associations with an indication as to whether these industry associations have a complaints service, 6. number of complaints for which an external body was consulted in preparation for making the decision, 7. number of complaints in the reporting period that resulted in the deletion or blocking of the content at issue, broken down according to whether the complaints were submitted by complaints bodies or by users, according to the reason for the complaint, according to whether the case fell under section 3 subsection (2) number (3) letter (a), and if so, whether the complaint was forwarded to the user, and whether the matter was referred to a recognised self-regulation institution pursuant to section 3 subsection (2) number (3) letter (b),
112
4 Past Trends in Decision and Conditioning Factors
The Network Enforcement Act also forces platforms like Facebook, Twitter or Youtube to remove unlawful content within 24 h once a complaint is received. If it is not clear if the content that is the subject of a complaint is unlawful or not, the Network Enforcement Act sets a deadline of 7 days in order to decide whether the content has to be deleted or not.202 And the law establishes that certain fines have to be paid if a regulatory offense was committed.203 Nevertheless, the Network Enforcement Act has already received some criticism as there are certain legal requirements that have to be matched in order for the law to come to play—for instance, the social network must have more than 2 million registered users within 8. time between complaints being received by the social network and the unlawful content being deleted or blocked, broken down according to whether the complaints were submitted by complaints bodies or by users, according to the reason for the complaint, and into the periods “within 24 hours”/“within 48 hours”/“within a week”/“at some later point”, 9. measures to inform the person who submitted the complaint, and the user for whom the content at issue was saved, about the decision on the complaint. 202
Section 3 of the Network Enforcement Act establishes: Handling of complaints about unlawful content (1) The provider of a social network shall maintain an effective and transparent procedure for handling complaints about unlawful content in accordance with subsections (2) and (3). The provider shall supply users with an easily recognisable, directly accessible and permanently available procedure for submitting complaints about unlawful content. (2) The procedure shall ensure that the provider of the social network: 1. takes immediate note of the complaint and checks whether the content reported in the complaint is unlawful and subject to removal or whether access to the content must be blocked, 2. removes or blocks access to content that is manifestly unlawful within 24 hours of receiving the complaint; this shall not apply if the social network has reached agreement with the competent law enforcement authority on a longer period for deleting or blocking any manifestly unlawful content, 3. removes or blocks access to all unlawful content immediately, this generally being within 7 days of receiving the complaint; the 7-day time limit may be exceeded if a) the decision regarding the unlawfulness of the content is dependent on the falsity of a factual allegation or is clearly dependent on other factual circumstances; in such cases, the social network can give the user an opportunity to respond to the complaint before the decision is rendered; b) the social network refers the decision regarding unlawfulness to a recognised selfregulation institution pursuant to subsections (6) to (8) within 7 days of receiving the complaint and agrees to accept the decision of that institution, 4. in the case of removal, retains the content as evidence and stores it for this purpose within the scope of Directives 2000/31/EC and 2010/13/EU for a period of ten weeks, 5. immediately notifies the person submitting the complaint and the user about any decision, while also providing them with reasons for its decision. [. . .]
203
See Section 4 “Provisions on regulatory fines” of the Network Enforcement Act.
4.2 The Protection of Privacy in the Context of Electronic Communications
113
Germany, otherwise the Network Enforcement Act cannot be applied.204 Also, there are claims saying that the Network Enforcement Act has an impact on the right to freedom of expression in a negative way by forcing social media websites to take an active role in not only monitoring, but also taking down certain content.205 Some even say that the Network Enforcement Act is unconstitutional.206 Besides the questions that are arising within Germany, there is also EU law that might be violated if the Network Enforcement Act enters into force207 and although the European Commission had to review the Network Enforcement Act and should
204
See Section 1 of the Network Enforcement Act stating: Scope (1) This Act shall apply to telemedia service providers which, for profit-making purposes, operate internet platforms which are designed to enable users to share any content with other users or to make such content available to the public (social networks). Platforms offering journalistic or editorial content, the responsibility for which lies with the service provider itself, shall not constitute social networks within the meaning of this Act. The same shall apply to platforms which are designed to enable individual communication or the dissemination of specific content. (2) The provider of a social network shall be exempt from the obligations stipulated in sections 2 and 3 if the social network has fewer than two million registered users in the Federal Republic of Germany. [. . .]
205
It has to be noted that in mid-June of 2017, eight out of ten experts that were appointed by the German Bundesregierung in order to be questioned at a hearing in front of the Bundestag, were considering the Network Enforcement Act being unconstitutional. For further information on the criticism regarding the Network Enforcement Act being unconstitutional, see “Bundestag verabschiedet umstrittenes Facebook- Gesetz”, Der Spiegel (June 30, 2017). Besides, the article also names others like the big tech-firms from Silicon Valley criticizing the network Enforcement Act by stating: Bürgerrechtler, Netzaktivisten und die großen Tech-Firmen des Silicon Valley hatten sich ebenso gegen die von Maas präsentierte Fassung ausgesprochen.
206
Id. See “EU-Kommission legt Maas keine Steine in den Weg”, Frankfurter Allgemeine Zeitung (June 6, 2017). The author writes:
207
EU-Juristen haben Bedenken gegen Vorhaben Aber auch jenseits grundsätzlicher Fragen verstößt das Gesetz nach Ansicht der Kommission gegen das EU-Recht, heißt es im Umfeld des für digitale Themen zuständigen Vizepräsidenten Andrus Ansip. Das gilt allen voran für die europäische E-CommerceRichtlinie. Die erlaubt den Mitgliedstaaten nicht, derart weitgehende Regeln für in anderen Ländern sitzende Internetplattformen zu erlassen, wie es Maas vorhat. Auch die kurzen Löschfristen bereiten den EU-Juristen Bauchschmerzen. Eigentlich gäbe es für die Kommission also allen Grund dafür, Bedenken gegen das Gesetz anzumelden.
114
4 Past Trends in Decision and Conditioning Factors
have come to the conclusion that it is not according to European Law, the Commission did not interfere.208 Besides, there have been court decisions shaping Germany’s data protection— overall, the Volkszählungsurteil that established the basic right to informational selfdetermination.209 Summing up, when it comes to the Federal Republic of Germany and the right to privacy in the context of electronic communications, one should be able to conclude that although there are plenty of different German rules and regulations that one has to take into account, they cannot be that confusing compared to what one is facing dealing with all the different laws within the United States, especially, as they all had to comply with the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data210 and starting May 25, 2018 with the GDPR.211 And what about other European countries?
The United Kingdom When looking at the United Kingdom, first and foremost, there is a data protection act that needs to be focused on as this act, the Data Protection Act 2018, is “the third generation of data protection law” in the United Kingdom and it “aims to modernize data protection laws to ensure they are effective in the years to come”.212 Furthermore,
208
This must have been because the European Commission did not want to interfere in the ongoing German elections and it also must have had more important tasks to take care of as the recent terrorist attacks in Europe. 209 The famous Volkszählungsurteil has been discussed already, so that it should only be noted, once again, that it plays an important part in the development of the German data protection and this way, the Volkszählungsurteil was also crucial when it comes to the subject of the right to privacy in the context of electronic communications. For more detailed information on the Volkszählungsurteil, see supra note 89 and 90. 210 See Directive 95/46/EC (1995). 211 As mentioned before, since May 25, 2018 the Regulation (EU) 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the General Data Protection Regulation (GDPR), is reshaping Germany’s current Data Protection Act. The GDPR will be further discussed and presented in detail later on. 212 It has to be noted that this only recently established law implements the GDPR in national law in the United Kingdom. See Data Protection Act of 1998 (DPA). Nevertheless, this new law is not fully following the GDPR, but rather goes beyond the GDPR. The Information Commissioner’s Office (ICO), the organization within the United Kingdom that is independent and designed in order to be charge of the matter of data protection and information rights, describes the situation as the following: •
The DPA 2018 has a part dealing with processing that does not fall within EU law, for example, where it is related to immigration. It applies GDPR standards but it has been amended to adjust those that would not work in the national context.
4.2 The Protection of Privacy in the Context of Electronic Communications
115
the United Kingdom demands the fair processing of one’s personal data.213 Accordingly, whoever is collecting data of an individual has to be clear about how this personal data is going to be used and why it is collected in the first place.214 While the previous data protection law established that if browser cookies were involved in collecting personal data, the informed consent of the one using such a cookie was needed in order to collect his or her data and the collector had to be transparent about why these cookies were utilized and what exactly they were doing, the new and current law does not explicitly refer to cookies, but the institution that is supposed to control the collection of personal data and oversee that the law is being met remains to be same as the Information Commissioner’s Office in the United Kingdom remains to be in charge.215 Besides, it is without doubt that the United Kingdom is actively working on the subject of privacy and data protection in the context of modern technologies. Just recently, the United Kingdom’s House of Commons published a committee study called “Disinformation and ‘fake news’”.216 This report recommends the regulation of social media, so that social networks would have to be liable for the use of inaccurate—or, as the website states, “harmful and misleading material”—on their sites.217 •
It also has a part that transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law. The Directive complements the General Data Protection Regulation (GDPR) and Part 3 of the DPA 2018sets out the requirements for the processing of personal data for criminal ‘law enforcement purposes’. The ICO has produced a detailed Guide to Law Enforcement Processing in addition to a helpful 12 step guide for quick reference. • National security is also outside the scope of EU law. The Government has decided that it is important the intelligence services are required to comply with internationally recognised data protection standards, so there are provisions based on Council of Europe Data Protection Convention 108 that apply to them. • There are also separate parts to cover the ICO and our duties, functions and powers plus the enforcement provisions. The Data Protection Act 1998 is being repealed so it makes the changes necessary to deal with the interaction between FOIA/EIR and the DPA. For further information, see the Information Commissioner’s Office (ICO). 213
See, for example, Data Protection Act of 2018, Part 1, 2 Protection of personal data: (1) The GDPR, the applied GDPR and this Act protect individuals with regard to the processing of personal data, in particular by—(a) requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis, [. . .]
See also Chapter 2 of the Data Protection Act 2018 where the principles for data protection are described. 214 Id. 215 Part 5 of the Data Protection Act 2018 establishes, overall, the functions and roles the Information Commissioner has by starting stating: The Information Commissioner (1) There is to continue to be an Information Commissioner. [. . .] For further information on this subject of the “Disinformation and ‘fake news’: Final Report” (2019). There, one can download the entire report as well for further study. 217 Id. 216
116
4 Past Trends in Decision and Conditioning Factors
Other European Countries Obviously, there are many other European countries that are concerned about the right to privacy in general and about this right in the context of electronic communications in particular as well and therefore, have established laws in order to protect the individual’s data privacy, especially, as the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data requires exactly that.218
4.2.1.3
Latin American Countries
As already explained, out of the 33 countries in Latin America, more than 10 have already enacted comprehensive privacy laws and while Argentina’s and Uruguay’s privacy laws are pretty similar to those that can be found within the European Union,219 in other Latin American countries privacy legislation is still in the making. Besides, although there are several laws already existing, the law enforcement rate has not been high so far in Latin America as some of the law enforcement authorities had yet to be established. Nevertheless, Latin American countries are taking privacy as well as data protection seriously—maybe as much as European countries do. Thus, some of the Latin American countries have been enacting comprehensive privacy laws, so that a certain protection of the individual is granted under specific laws. Furthermore, in most Latin American countries, the constitution recognizes the right to privacy—while the newer constitutions explicitly establish a right to privacy, the recognition, at least, of a certain concept of privacy can also be found in the older constitutions.220 This leads to, coming back to the subject of habeas data, a groundbreaking concept that exists in Latin America. As already explained, habeas data is a constitutional remedy that provides the individual with the option to find out what exact
218
To give some examples of other European countries that have established laws in order to protect the individual’s data privacy: the Kingdom of Spain, the Netherlands, the Italian Republic, the Kingdom of Sweden, the Republic of Poland or the Hellenic Republic. 219 That is why, the European Union sees Argentina’s and Uruguay’s privacy laws as the laws that provide adequate protection when it comes to personal data that had been transferred from the European Union. See supra note 116. 220 Once again, Latin American countries with comprehensive privacy laws are the following: the Argentine Republic, Aruba, Commonwealth of The Bahamas, Republic of Chile, Republic of Colombia, Republic of Costa Rica, Country of Curacao, Dominican Republic, United Mexican States, Republic of Nicaragua, Republic of Peru, Republic of Trinidad and Tobago, Oriental Republic of Uruguay. Besides, for an overview of the protection of privacy in the constitutions of all the countries around the world, see supra note 18 at 205–255.
4.2 The Protection of Privacy in the Context of Electronic Communications
117
data was collected about him- or herself.221 Furthermore, the individual is given the possibility to be the one who makes the decision on what exactly could and should be done with his or her personal information that was gathered. And although the concept of habeas data might have been existing and acknowledged since quite a long time, it is quite unknown in many parts of the world.222 Overall in Latin America habeas data has been gaining importance throughout the last couple of years and countries such as, for example, the Dominican Republic have been implementing laws that establish the protection according to the concept of habeas data. In the following, this subject of habeas data will be further examined together with the issue of the protection of privacy in the context of electronic communications by giving a few examples of Latin American countries in order to demonstrate that the privacy and data protection are not only addressed, but also taken seriously in Latin America.
The Argentine Republic In Argentina, there is the Argentine Personal Data Protection Act of 2000223 which is applicable to each and every individual as well as legal entities handling personal data inside the Argentine Republic.224 It has to be mentioned that the European 221
See supra note 121. For further information on habeas data, see Parraguez Kobek and Caldera (2016). The abstract of this article states: Habeas Data is not a commonly known concept, yet it is widely acknowledged in certain circles that deal with information security and data protection. Though it has been around for decades, it has recently gained momentum in Latin America. It is the legal notion that protects any and all information pertaining to the individual, from personal to financial, giving them the power to decide how and where such data can be used. At the same time, most Latin American countries have created laws that protect individuals if their information is misused. [. . .]
222
Id. This law, the Personal Data Protection Act (Ley de Protección de los Datos Personales), consists of 46 sections. For its complete version in English, see Personal Data Protection Act (PDPA). 224 See Section 1 of the Argentina Personal Data Protection Act of 2000 that states: 223
Purpose The purpose of this Act is the full protection of personal information recorded in data files, registers, banks or other technical means of data-treatment, either public or private for purposes of providing reports, in order to guarantee the honor and intimacy of persons, as well as the access to the information that may be recorded about such persons, in accordance with the provisions of Section 43, Third Paragraph of the National Constitution. The provisions contained in this Act shall also apply, to the relevant extent, to data relating to legal entities. In no case shall journalistic information sources or data bases be affected. Id.
118
4 Past Trends in Decision and Conditioning Factors
Union recognized Argentina as being the very first country as well as currently only one out of two countries in Latin America that is protecting personal information which had been transferred from the European Union adequately.225 Personal data should be understood as all the information related to an individual that is not just considered being basic information as, for example, one’s name, address, date of birth or occupation.226 Furthermore, the Argentine law states that only if an individual has been given prior informed consent to collecting or processing one’s personal data, it is legal to deal with this data in any way.227 Thus, the individual must be told why personal data is collected as well as what would be the consequences if one refused to give one’s personal information or provided inaccurate data. Furthermore, the individual must know about the right not only to access, but also to correct and/or delete one’s personal data, especially, as the individual is entitled to ask for deleting one’s personal data at any time.228 For further information, see “Personal Data Protection Act (PDPA) Argentina”, Microsoft (November 30, 2020). 225 See supra note 116 at 1, 3–4. 226 It has to be noted that it is not quite clear if an individual IP address should be considered being personal data or not. Experts are arguing both ways, so that there is legal disagreement, but as long as there has been consent prior to dealing with this kind of data, it should be legal to obtain, process or work in any way with individual IP addresses. See also the definitions given in Chapter I Section 2 of the Argentina Personal Data Protection Act of 2000. 227 See Section 5 of the Personal Data Protection Act of 2000 that states: Consent 1. The treatment of personal data is unlawful when the data owner has not given his or her express consent, which must be given in writing, or through any other similar means, depending on the circumstances. The consent above, given with other statements, must appear in a prominent and express manner, together with the warnings set forth in Section 6 hereof. 2. The consent above shall not be deemed necessary when: a. the data are secured from source of unrestricted public-access; b. are collected for the performance of the duties inherent in the powers of the State; c. consist of lists limited to name, national identity card number, taxing or social security identification, occupation, date of birth, domicile and telephone number, d. arise from a contractual relationship, either scientific or professional of data owner, and are necessary for its development or fulfillment; e. refer to the transactions performed by financial entities, and arise from the information received from their customers in accordance with the provisions of Section 39 of Act Number 21.526. 228
See Section 6 of the Personal Data Protection Act of 2000 that states: Information Whenever personal data are requested, data owners shall be previously notified in an express and clear manner:
4.2 The Protection of Privacy in the Context of Electronic Communications
119
In addition, Argentina has the statutory remedy of habeas data as the Constitution of the Argentine Nation229 states: Section 43. Any person shall file a prompt and summary proceeding regarding constitutional guarantees, provided there is no other legal remedy, against any act or omission of the public authorities or individuals which currently or imminently may damage, limit, modify or threaten rights and guarantees recognized by this Constitution, treaties or laws, with open arbitrariness or illegality. In such case, the judge may declare that the act or omission is based on an unconstitutional rule. This summary proceeding against any form of discrimination and about rights protecting the environment, competition, users and consumers, as well as about rights of general public interest, shall be filed by the damaged party, the ombudsman and the associations which foster such ends registered according to a law determining their requirements and organization forms. Any person shall file this action to obtain information on the data about himself and their purpose, registered in public records or data bases, or in private ones intended to supply information; and in case of false data or discrimination, this action may be filed to request the suppression, rectification, confidentiality or updating of said data. The secret nature of the sources of journalistic information shall not be impaired. When the right damaged, limited, modified, or threatened affects physical liberty, or in case of an illegitimate worsening of procedures or conditions of detention, or of forced missing of persons, the action of habeas corpus shall be filed by the party concerned or by any other person on his behalf, and the judge shall immediately make a decision even under state of siege.230
a) The purpose for which the data shall be treated, and who their addressees or type of addressees may be; b) The existence of the relevant data file, register or bank, whether electronic or otherwise, and the identity and domicile of the person responsible therefor; c) The compulsory or discretionary character of the answers to the questionnaire the person is presented with, particularly, in relation to the data connected with in the following Section; d) The consequences of providing the data, of refusing to provide such data or of their inaccuracy; e) The possibility the party concerned has to exercise the right of data access, rectification and suppression. 229
For the complete constitution, see Constitution of the Argentine Nation (1994). This long, detailed and comprehensive article might be the most exhaustive form of habeas data as of today.
230
120
4 Past Trends in Decision and Conditioning Factors
The Federative Republic of Brazil When it comes to the right to privacy in the context of electronic communications, Brazil, has its own law since 2014, Marco Civil da Internet, the Brazilian Internet Act, Law No. 12.965.231 This law treats, overall, the collection, treatment, usage and maintenance of personal data that was gathered from individuals coming from the internet.232 Furthermore, and as already said, Brazil’s constitution also consists of the remedy of habeas data.233 It can be concluded that Brazil is an active player when it comes to the protection of privacy, especially, in the context of electronic communication.234
The Republic of Colombia To give another example, in Colombia, there are different laws that deal with privacy and data protection—for instance, Law No. 1581 that establishes the protection of a natural individual’s personal information coming from the public and/or the private sector.235 Furthermore and maybe more importantly, there is the Regulatory Decree 1377.236 This decree’s purpose is to substitute parts of Law No. 1581.237 Decree 1377 regulates the protection of privacy in the context of electronic communications by setting clear rules on how to deal with personal data
231
The Marco Civil Law of the Internet in Brazil consists of 32 articles and entered into force on April 23, 2014. For the complete version of this Law No. 12.965 in English, see Marco Civil Law of the Internet (2014). 232 Not only is it mandatory for those dealing with personal data in this context to provide accurate terms and conditions clearly, so that any individual would easily be able to find out about the way his or her personal data is being, overall, gathered and processed, but also is it legally binding to obtain prior consent of the individual who’s personal data is at hand. 233 See Title II Fundamental Rights and Guarantees, Chapter I Individual and Collective Rights and Duties, Article 5 of the Constitution of the Federative Republic of Brazil. For the complete version of the constitution in English, see Constitution of the Federative Republic of Brazil (2010). 234 See also supra note 116 at 3. 235 Law No. 1581 (Ley Estatuaria No. 1581) consists of 30 articles and entered into force on October 17, 2012. The law was created in order to complement another law from the year 2008 that only addressed personal credit information. It establishes certain protections for children in particular. See supra note 116 at 5. For the complete version of this law in Spanish, Ley Estatuaria No. 1581 (2012). 236 The Decree Number 1377/2013 consists of 28 articles and entered into force on June 27, 2013, for its complete version in English, see Decree Number 1377/2013 (2013). 237 See Article 1 of Decree Number 1377/2013 that states: Purpose. The present Decree has as purpose partially regulating Law 1581/2012, whereby the general provisions for personal data protection are stipulated.
4.2 The Protection of Privacy in the Context of Electronic Communications
121
of individuals within the Colombian territory and it also mandates the consent of an individual when using his or her personal data.238 Besides, and as already pointed out, Colombia provides fundamental protection for the right to privacy under its constitution treating the right to privacy as a fundamental right and as a groundbreaking statutory remedy called “habeas data”239 as Article 15 of the Colombian Constitution states: All individuals have the right to personal and family privacy and to their good reputation, and the State has to respect them and to make others respect them. Similarly, individuals have the right to know, update, and rectify information collected about them in data banks and in the records of public and private entities. Freedom and the other guarantees approved in the Constitution will be respected in the collection, processing, and circulation of data. Correspondence and other forms of private communication may not be violated. They may only be intercepted or recorded on the basis of a court order in cases and following the formalities established by law. For tax or legal purposes and for cases of inspection, the oversight and intervention of the State may demand making available accounting records and other private documents within the limits provided by law.240
This way, it can be said that Colombia does not only have a comprehensive privacy law with its Regulatory Decree 1377, but also so that Colombia is another country within Latin America that actively protects the individual’s right to privacy in the context of electronic communications.241
The Dominican Republic With its the Organic Law 172-13 on the Protection of Personal Data (“Ley 172-13 (ley orgánica sobre protección de datos de carácter personal)”),242 the Dominican Republic is one of the 13 countries in Latin America that has a comprehensive privacy law.243 238
Not only is it necessary to expose the purpose of working with the retrieved data in a privacy policy, but also is it prohibited to use this personal data in any other way than the one the purpose stated. Furthermore, the methods of how data is handled and the one in charge of dealing with that data as well as an individual’s right regarding his or her personal data at hand and the instruments of executing those rights, must be part of any privacy policy when it comes to personal data in regard to online activities in Colombia. Supra note 236. 239 See supra note 121. 240 See supra note 120. 241 See supra note 116 at 1, 3. 242 This Law consists of 92 articles and entered into force on December 13, 2013, so that it is one of the most recent data protection laws in Latin America. For the complete text of the law in Spanish, see Organic Law 172-13 on the Protection of Personal Data in Spanish (2013). 243 Supra note 116 at 7.
122
4 Past Trends in Decision and Conditioning Factors
The law was designed in order to protect personal information—overall, personal information that was coming from public or private archives and data banks.244 Moreover, it has to be mentioned that Article 70 of the Constitution of the Dominican Republic245 as well as Article 17 of the Organic Law 172-13 on the Protection of Personal Data establish the remedy of habeas data.246
The United Mexican States The example of Mexico, once again, shows that the issue of privacy of personal data has been legally addressed in Latin America as Mexico has Federal Law on Protection of Personal Data Held by Private Parties.247 This law also sets the general rule that only if consent has been given, personal data can be collected and processed.248 Although Mexico might be somehow different from other data 244
Id. For further information on the Organic Law 172-13 on the Protection of Personal Data, see “Ley sobre protección de datos”, Listin Diario (Jan 15, 2014). 245 See supra note 21. 246 Article 17 of the Organic Law 172-13 on the Protection of Personal Data reads as the following: Acción de hábeas data Sin perjuicio de los mecanismos establecidos para el ejercio de los derechos de los interesados, estos podrán ejercer la acción judicial de hábeas data de conformidad con la Constitución y las leyes que rigen la materia. La acción judicial de hábeas data procederá para tomar conocimiento de la existencia de los datos personales almacenados en archivos, registros o bancos de datos públicos o privados que se derivan de una relación comercial, laboral o contractual con una entidad pública o privada; o simplemente para tomar conocimiento de los datos personales que se presuma que existen almacenados en archivos, registros o bancos de datos públicos o privados. En los casos en que se presuma inexactitud, la desactualización de la información de que se trata, o el tratamiento de datos cuyo registro se encuentre prohibido en la presente ley, para exigir su rectificación, supresión actualización. Supra note 242. Federal Law on Protection of Personal Data Held by Private Parties entered into force on April 27, 2010 and consists of 33 articles. For the complete text of this law in English, see Federal Law on Protection of Personal Data Held by Private Parties (2010). 248 See, overall, “Chapter II Principles of Personal Data Protection” of the Federal Law on Protection of Personal Data Held by Private Parties. There, for example, Article 8 reads as the following: 247
All processing of personal data will be subject to the consent of the data owner except as otherwise provided by this Law. Consent will be express when such is communicated verbally, in writing, by electronic or optical means or via any other technology, or by unmistakable indications. It will be understood that the data owner tacitly consents to the processing of his data when, once the privacy notice has been made available to him, he does not express objection.
4.2 The Protection of Privacy in the Context of Electronic Communications
123
protection laws within Latin America,249 it can be assumed that Mexico is still one of the countries that is actively protects the right to privacy in the context of electronic communications.
The Oriental Republic of Uruguay The last example given of a country within Latin America, the Oriental Republic of Uruguay, once again, confirms that the issue of privacy of personal data has been legally addressed in this part of the world. This said, Uruguay’s Law No. 18.331 on the Protection of Personal Data and Habeas Data Action.250 As Uruguay’s law does not only establish rules for the public, but also for the private sector when dealing with personal information of natural, as well as legal persons and, in this sense, Law No. 18.331 is pretty similar to the privacy laws that can be found within the European Union. That is why Uruguay became one of the two Latin American countries that the European Union recognized as being properly protecting personal information which is transferred from the European Union.251 Summing up, all these examples of some of the 33 countries in Latin America show that privacy as well as data protection has been taken seriously in Latin America—maybe as much as in Europe.
4.2.2
General Data Protection Regulation (GDPR)
This leads to the next subject, the right to privacy in the context of electronic communications on the international level. After discussing the issue of the right to privacy in the context of electronic communications and examining domestic laws of several countries on different continents, it can be concluded that there are plenty of laws and regulations on the national level.
Financial or asset data will require the express consent of the data owner, except as provided in Articles 10 and 37 of this Law. Consent may be revoked at any time without retroactive effects being attributed thereto. For revocation of consent, the data controller must, in the privacy notice, establish the mechanisms and procedures for such action. Cynthia Rich even says that “data protection rules in the Mexican Law have a number of important differences from those found elsewhere in the region.” Supra note 116 at 7. 250 Law No. 18.331 consists of 49 articles and entered into force in August of 2008. For the complete text of this law in Spanish, see Law No. 18.331 (2008). 251 Supra note 116 at 1, 9. 249
124
4 Past Trends in Decision and Conditioning Factors
But what about the international level? What if it comes to International Law and Jurisdiction? First of all, one has to come back to Article 17 of The International Covenant on Civil and Political Rights and General Comment No. 16.252 General Comment No. 16 refers to the right to privacy in the context of electronic communications, although being adopted in 1988 already: The gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law. Effective measures have to be taken by States to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the Covenant. In order to have the most effective protection of his private life, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes. Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files. If such files contain incorrect personal data or have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination.253
Furthermore, a closer look must be taken at the European Union.254 Once again, when it comes to the European Union, its laws mostly adopted those ideas and models that the Council of Europe, as well as the Organization for Economic Cooperation and Development, have been presenting.255 And as already mentioned, there are a number of human rights instruments referring to the right to privacy in the context of social media.256
252
As already described, the UN Human Rights Committee (HRC) adopted CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation on April 8th, 1988, see supra note 137. 253 Id. Paragraph 10 of General Comment No. 16. An analysis of this comment might lead to some critique, especially as General Comment No. 16 dates back to 1988, but it can be also applied to today’s modern technologies and the right to privacy, although, of course, technology has changed and advanced throughout the last three decades. 254 This, of course, would rather have to be considered legal framework on the regional level than actual international law. Nevertheless, we will further explore how, especially, the latest novelties, the GDPR, might have an impact that goes even beyond the European Union, and this way, could be considered a law on the international level. 255 See supra note 191. 256 Besides instruments in the European Union such as, for example, the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the Council of Europe Recommendation No. R(99) 5 for the protection of privacy on the Internet, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, there are also other instruments like the Declaration of Principles on Freedom of Expression in Africa, the Human Rights Declaration of the Association of the South-East Asian Nations, the Arab Charter on Human Rights or the Cairo Declaration on Human Rights in Islam.
4.2 The Protection of Privacy in the Context of Electronic Communications
125
One of the legal instruments that deserves special recognition when it comes to privacy protection while dealing with electronic communication within the European Union is the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive).257 The Data Protection Directive was adopted in 1995 in order to face the problem of the lack of protection of individual privacy within the European Union as there were not sufficient laws in the different countries and the protection of privacy was varying from state to state and as every country of the European Union had to implement the directive into its legal framework until October 24, 1998,258 the directive became a significant part of today’s privacy and Human Rights Law in Europe.259 Furthermore, the Data Protection Directive was supposed to protect the citizens of all the states that are part of the European Union against abuses concerning their personal information by forcing the states to make sure that their citizens’ personal information is protected by law even when being exported to a
257
As a reminder, this European Union directive has been replaced since May 25, 2018 by the Regulation (EU) 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the General Data Protection Regulation (GDPR). 258 See Article 32 of the Data Protection Directive that states: 1. Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive at the latest at the end of a period of three years from the date of its adoption. When Member States adopt these measures, they shall contain a reference to this Directive or be accompanied by such reference on the occasion of their official publication. The methods of making such reference shall be laid down by the Member States. 2. Member States shall ensure that processing already under way on the date the national provisions adopted pursuant to this Directive enter into force, is brought into conformity with these provisions within three years of this date. By way of derogation from the preceding subparagraph, Member States may provide that the processing of data already held in manual filing systems on the date of entry into force of the national provisions adopted in implementation of this Directive shall be brought into conformity with Articles 6, 7 and 8 of this Directive within 12 years of the date on which it is adopted. Member States shall, however, grant the data subject the right to obtain, at his request and in particular at the time of exercising his right of access, the rectification, erasure or blocking of data which are incomplete, inaccurate or stored in a way incompatible with the legitimate purposes pursued by the controller. 3. By way of derogation from paragraph 2, Member States may provide, subject to suitable safeguards, that data kept for the sole purpose of historical research need not be brought into conformity with Articles 6, 7 and 8 of this Directive. 4. Member States shall communicate to the Commission the text of the provisions of domestic law which they adopt in the field covered by this Directive. For more detailed information on the Data Protection Directive, see “What is the Data Protection Directive? The Predecessor to the GDPR”, The Guardian (April 24, 2017).
259
126
4 Past Trends in Decision and Conditioning Factors
state that does not belong to the European Union or when being processed in countries outside the European Union.260 That’s why, the European Data Protection Directive states that anyone processing personal data needs to do so in a fair and lawful manner.261 In order for the data collection to be considered lawful, data can only be collected for specified, explicit and legitimate purposes262 and individuals must give unambiguous and explicit consent after being informed that data collection and processing is taking place.263 260 261
Id. See Article 6 of the Data Protection Directive that states: 1. Member States shall provide that personal data must be: (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards; (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. 2. It shall be for the controller to ensure that paragraph 1 is complied with.
262
Id. 263 See Article 7 of the Data Protection Directive that states: Member States shall provide that personal data may be processed only if: (a) the data subject has unambiguously given his consent; or (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or (d) processing is necessary in order to protect the vital interests of the data subject; or (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).
4.2 The Protection of Privacy in the Context of Electronic Communications
127
In this context, it needs to be drawn attention to a decision of the European Court of Justice from the year 2014 when the court established a new right, the so-called “right to be forgotten”. The case at hand was “Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González”. The case was brought by the Spanish citizen Mario Costeja González together with the Agencia Española de Protección de Datos, the Spanish Data Protection Agency, in 2010. Mario Costeja González claimed to remove a link to a 1998 article in La Vanguardia newspaper about an auction for his foreclosed home, for a debt that he had subsequently paid. He did not only go against La Vanguardia Ediciones SL, a renowned Spanish newspaper publisher that had been publishing the article the link at stake was leading to, but also against Google Spain and Google Inc.264 The court ruled that any search engine must grant the individual the right to be forgotten as only this way, a search engine like Google would comply with the data privacy laws of the European Union. To be more specific, the European Court of Justice ruled that search engines are responsible for the content they point to and thus, Google was required to comply with the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.265 Moreover, already on its first day of compliance meaning May 30, 2014, Google received 12,000 requests to have personal details removed from its search engine.266 Nevertheless, search engines like Google started to only remove links from the European sites, not from the American ones, so that the data that was supposed to disappear was still accessible on, for example, google.com.267 That is why, although the right to be forgotten was a novelty, it remains questionable if this
The Data Protection Directive further requires that an individual must be informed regarding the fact that a website might share its data with any third party. 264 For further information on this case, see Press Release No. 70/14 of the Court of Justice of the European Union (May 13, 2014). For more information on the right to be forgotten, see Werro (2020). 265 Id. 266 See “Removal of Google personal information could become work intensive” Europe News (June 1, 2014). 267 See “‘Right to Be Forgotten’ Online Could Spread”, The New York Times (August 5, 2015). There, while referring to the number of requests, the author writes: Proponents of the right to be forgotten argue such claims are overblown. They point out that the number of removals so far has been relatively small. Since May 2014, Google, by far Europe’s most popular search engine, has received requests to forget about a million web links, and has removed about 41 percent of those from certain search results. That’s hardly alarming — considering the billions of pages online, it’s difficult to shed many tears for the mere 400,000 or so that will no longer show up. In response to the original European ruling, search engines began removing links only from European versions of their sites.
128
4 Past Trends in Decision and Conditioning Factors
right really makes a difference when it comes to the protection of the individual’s data and privacy. Besides, anybody would agree if he or she was told that there must have always been way more personal data that was gathered and processed while using the internet and social networks than the individual would have actually wanted or agreed on. This particular fact might have been one of the reasons why the European Union decided to revise its Data Protection Directive and announced the establishment of a new law, the General Data Protection Regulation (GDPR).268 Accordingly, as the Data Protection Directive was no longer sufficient in order to protect the individual, a comprehensive data protection reform was desired? And if so, does the GDPR fill those gaps now? Although only time will show whether and if so, how the GDPR will influence the current situation concerning the protection of the individual’s right to privacy when it comes down to a person’s personal data that is spread through social networks, it can be already stated that the European Union with its GDPR has had quite an impact not only within the European Union, but also on the global scale.269 Since the GDPR was passed in May 2016 and before even entering into force, the GDPR has already been discussed big time—overall, of course, in Europe, but not only in Europe, but rather also in the United States.270 And not only discussions occurred, but states, companies and basically anybody who is dealing with data that is gathered and/or processed online and that might somehow be connected to or under the umbrella of 268
The discussion whether a comprehensive reform was needed when it comes to European data protection laws goes years back and in 2012, the European Commission proposed the reform of the Data Protection Directive. For more information on the history of the European data protection laws, see European Data Protection Supervisor (EDPS). See also Franzius supra note 95 at 268 where the author refers to “der seit Jahren diskutierten, aber namentlich von Deutschland blockierten Datenschutzgrundverordnung”. 269 See “New European Union Data Law GDPR Impacts Are Felt By Largest Companies: Google, Facebook”, Forbes Magazine (May 25, 2018). The author writes: These regulations are impacting companies globally, not just European firms. Forbes reported in December 2017, GDPR will affect US-based businesses as well – even those without clients or operations in the European Union. [. . .] This regulation will greatly impact data-driven businesses in Europe and across the Globe. [. . .] The GDPR has broad sweeping requirements that impact companies across the world. US Fortune 500 companies have put billions toward compliance – and in some cases that has not been enough to avoid lawsuit filings – while some smaller firms have closed operations or shut down entirely until they better understand the implications of these new regulations. To give an example, “Advertising in a Post GDPR World”, IBM (October 18, 2018). There the author states that “The enactment of the European Union’s General Data Protection Rules (GDPR) on May 25, 2018 has had an impact on businesses, not just in the EU but worldwide.” For more opinions of different people on the GDPR, see “Data protection in Europe is about to transform: Here’s how”, CNBC (March 8, 2018).
270
4.2 The Protection of Privacy in the Context of Electronic Communications
129
the European Union had to take actions in order to make sure to comply with the GDPR until it entered into force on May 25, 2018, especially, as failure to comply could have severe consequences.271 So, what exactly is the subject-matter of the GDPR? Or what are the key data protection elements of the General Data Protection Regulation to enable personal data protection? And what is new compared to the Data Protection Directive being the predecessor to the GDPR? Why might one want to consider the GDPR as pathbreaking? What are the pros and cons of the GDPR? And what is predominant—the pros or the cons? But, first of all, what exactly were the reasons for establishing a new law in Europe? What purpose does the GDPR pursue? In order to understand why a comprehensive reform of the Data Protection Directive was desired or even necessary, it, once again, has to be pointed out that the rules of the Data Protection Directive were no longer sufficient in order to properly protect the individual’s rights as more and more data of the individual was gathered and processed uncontrollably, especially, due to globalization and the rapid developments in modern technologies such as, for example, in electronic communications.272 That is why the GDPR was created and its purpose is to help establish a free as well as safe and just European Union with a flourishing economy and well-situated individuals.273 But what is the exact subject-matter of the GDPR? What are the key data protection elements that the Data Protection Directive, the predecessor to the GDPR, did not have?
See Article 83 “General conditions for imposing administrative fines” of the GDPR. This article will be further discussed later on. 272 See the Appendix for the Preamble of the GDPR, No. 6 of the Preamble of the GDPR states: 271
Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection. Also, other factors, for example, legal uncertainty or the fragmentation of data protection laws within the European Union, were taken in mind when deciding on reforming the Data Protection Directive, see, overall, No. 7-10 of the Preamble of the GDPR. 273 See No. 2 of the Preamble of the GDPR: This Regulation is intended to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.
130
4 Past Trends in Decision and Conditioning Factors
Obviously, the subject-matter of the GDPR are certain key data protection elements to enable personal data protection, especially, Article 1 Paragraph 2 and 3 of the GDPR are describing the fundamental rights and freedoms of the individual as well as the freedom of movement of personal data.274 In order to explore what exactly is new when it comes to the GDPR, the key provisions of the GDPR have to be presented first. One can assume that an individual might be most interested in the question about what rights he or she is entitled of thanks to the GDPR. That is why, the starting point of exploring the key provisions of the GDPR will highlight the rights of the so-called data subject.275 The term “data subject“ refers to a natural person whose personal data is affected. This term becomes more clear when reading the GDPR where it says the following: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
The rights of the data subject are: The Right To Be Informed as Described in Articles 12–14 GDPR This right requires that a data subject is informed immediately in a way that he or she can easily understand it, overall, not only about the legal foundation for gathering and processing his or her personal data, but also the period of time the data will be stored as well as whether the data might be transferred to a third party for external use. The Right of Access as Described in Article 15 GDPR A data subject can ask for a confirmation whether his or her personal data was processed and if so, the data subject has to be provided with a copy of all the
274
See Article 1 of the GDPR:
Subject-matter and objectives 1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. 2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. 3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. For an overview of the subject-matter of the GDPR, there is the website of the Information Commissioner’s Office, the United Kingdom’s organization that is independent and designed in order to uphold information rights, see Information Commissioner’s Office (ICO) supra note 212. 275
See Article 2 paragraph 1 of the GDPR.
4.2 The Protection of Privacy in the Context of Electronic Communications
131
information listed in Article 15 including, for example, why personal data was processed and what kind of data is concerned.276 The Right to Rectification as Described in Article 16 GDPR A data subject can request the immediate correction of wrongful or incomplete personal data.277 276
See Article 15 of the GDPR: Right of access by the data subject 1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purpose of processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. 3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. 4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
277
See Article 16 of the GDPR: Right to rectification The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
132
4 Past Trends in Decision and Conditioning Factors
The Right to Erasure as Described in Article 17 GDPR Under certain circumstances, a data subject can have his or her personal data erased.278 This right is based on the decision of the European Court of Justice that led to the right to be forgotten. The right to be forgotten is part of the GDPR and it, this way, became a statutory law. The Right to Restrict Processing as Described in Article 18 GDPR When specific requirements are met, a data subject might request the limitation of the processing of his or her data—for example, if the data subject doubts that the personal data is correct or not.279 The Right to Data Portability as Described in Article 20 GDPR A data subject is entitled to transfer his or data from one platform to another and while doing so, he or she can request all the personal data of, for example, one social network in order to be able to easily submit it to another social network.280 The data
278
See Article 17 of the GDPR: Right to erasure (‘right to be forgotten’) 1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: [. . .]
279
See Article 18 of the GDPR: Right to restriction of processing 1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: [. . .]
280
See Article 20 of the GDPR: Right to data portability 1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machinereadable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: (a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and (b) the processing is carried out by automated means. 2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. 3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
4.2 The Protection of Privacy in the Context of Electronic Communications
133
has not only to be accurate, but also meet certain requirements as described in Article 20 paragraph 1.281 The Right Object as Described in Article 21 GDPR A data subject can object to the processing of his or her data at any time and if certain requirements are met, the objection will be successful.282 Specific Rights Concerning Automated Decision Making Including Profiling as Described in Article 22 GDPR283 A data subject might also be entitled to the rights described in Article 22 of the GDPR.284 After pointing at what rights the GDPR establishes for the data subject, in the following, Article 5 of the GDPR will be examined in more detail as Article 5 outlines the principles that apply to the processing of personal data and therefore, can be seen as the outstanding key provision of the GDPR. Article 5 of the GDPR reads as the following:
281
It is quite unclear how the technical requirements in order to comply with the right to data portability should be fulfilled. 282 See Article 21 of the GDPR: Right to object 1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. 2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. 3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. 4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information. 5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications. 6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest. 283
See Article 22 of the GDPR. Solely automated decisions, including decisions that were made in order to perform profiling, that have a certain impact on a data subject are prohibited.
284
134
4 Past Trends in Decision and Conditioning Factors
Principles relating to processing of personal data 1. Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’); (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’); (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). 2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
In total, there are seven principles that are connected to the processing of personal data that can be found in Article 5 of the GDPR.285 In what follows, these seven principles will be further explained: Lawfulness, Fairness and Transparency Article 5 Paragraph 1 (a) of the GDPR describes the principle of lawfulness, fairness and transparency. When it comes to the GDPR and processing personal data, first and foremost, a valid legal foundation is necessary and the three elements of this
285
It has to be mentioned that some of the seven principles that are connected to the processing of personal data that can be found in Article 5 of the GDPR are coming from Germany’s Federal Data Protection Act (Bundesdatenschutzgesetz), see Federal Data Protection Act (BDSG). See also supra note 83 and 196. That is why, the structure of the GDPR is similar to the one of German data protection laws. Nevertheless, the GDPR is stricter in some ways than the Bundesdatenschutzgesetz, but its unique novelties will be explained later on.
4.2 The Protection of Privacy in the Context of Electronic Communications
135
principle—lawfulness, fairness and transparency286—have to be met that are often overlapping, but that all need to be always satisfied.287 Purpose Limitation Article 5 Paragraph 1 (b) refers to the principle of purpose limitation which means that the purpose of collecting personal data has to be clearly established from the beginning and not only does the data subject need to know why and what of his or her personal data was collected and for which purpose, but also has all this to be specifically documented and presented in a transparent way.288
286
In the context of lawfulness, it has to be mentioned that the Articles 6–10 of the GDPR have to be considered as they provide more detailed information on the element of lawfulness. For example, Article 6 clarifies that only one of the different options that are enumerated in its Paragraph 1 have to be fulfilled in order to be applicable for lawfulness. Accordingly, Article 6 GDPR states: Lawfulness of processing 1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) he data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. [. . .]
And Article 7 sets out rules for the legal processing of personal data based on consent. Article 7 of the GDPR will be discussed in more detail later on. Furthermore, Articles 13 and 14 of the GDPR that provide further obligations regarding transparency. 287 See Information Commissioner’s Office (ICO) supra note 212. 288 Article 5 Paragraph 1 (b) formulates some exceptions when it comes to further processing of the above described data. In this context, it has to be pointed out that the GDPR is a so-called Prohibition statute with reservation of authorization. This means that the general rule of the law is the prohibition of the processing of personal data and only when certain requirements are met, so that the processing is allowed. Article 5 Paragraph 1 (b) serves as an example.
136
4 Past Trends in Decision and Conditioning Factors
Data Minimization In Article 5 Paragraph 1 (c) we learn about the principle of data minimization. Accordingly, the personal data that is being processed must be only the very necessary data.289 Accuracy When speaking of the principle of accuracy, Article 5 Paragraph 1 (d) with an obligation comes into play as this principle requires reasonable steps that have to be taken in order to make sure that any kind of inaccurate data is kept away. Storage Limitation The principle of storage limitation can be found in Article 5 Paragraph 1 (e). In general, personal data should not be processed under the GDPR290 and according to Article 5 Paragraph 1 (e), personal data should also not be kept much longer than needed. The length of how long personal data is stored depends on the purpose of keeping the data and whether there is a justification for keeping it other than set in the law itself (public interest archiving, scientific or historical research, or statistical purposes). Usually, there has to be a policy at hand that explains and this way, justifies the storage of personal data.291 Integrity and Confidentiality Article 5 Paragraph 1 (f) establishes the principle of integrity and confidentiality that is also known as the security principle being one of the most significant principles of the GDPR as it concerns the concept of information security meaning that personal data has to be processed securely including both technical and organizational measures that need to be appropriate.292 Accountability The last principle of Article 5 can be found in its Paragraph 2. This principle refers to the controller’s accountability meaning that the controller does not only have to make sure that he or she complies with Paragraph 1, but also
289
The data has to be adequate, relevant and limited to what is necessary meaning the data has to enough to fulfil its purpose while being rationally connected to that purpose and only consists of what is really necessary for that purpose. 290 As explained, the GDPR is a so-called Prohibition statute with reservation of authorization. 291 See Information Commissioner’s Office (ICO) supra note 212. 292 It has to be noted that Article 32 of the GDPR comes to play in the context of the security principle as it establishes more detailed requirements regarding security. Id.
4.2 The Protection of Privacy in the Context of Electronic Communications
137
has to be able to demonstrate this compliance.293 Thus, the principle of accountability consists of two elements—responsibility and ability to demonstrate. After concluding the discussion of Article 5 of the GDPR Paragraph 2 of Article 5 referring to the controller’s accountability, the provisions concerning the rights of the data subject as well as the general principles that are established in Article 5 of the GDPR were explained, so that now, other key provisions of the GDPR are the subject of interest. These are the following: Obligations of Processors and Controllers Processors and controllers, as already defined, obviously have to fulfill certain obligations under the GDPR. Key provisions are Article 24294 for processors and
293
It is important to clarify what controller actually means. Article 2 Paragraph 7 defines the controller as the following: ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
In this context, it is also interesting to learn what the term processor stands for. Article 2 Paragraph 8 defines Processor as the following: ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 294
See Article 24 of the GDPR: Responsibility of the controller 1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary. 2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller. 3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.
138
4 Past Trends in Decision and Conditioning Factors
Article 28295 for controllers establishing responsibilities that have to be taken into account when processing personal data.
295
See Article 28 of the GDPR: Processor 1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. 2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. 3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor: (a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; (b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) takes all measures required pursuant to Article 32; (d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor; (e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III; (f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor; (g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data; (h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
4.2 The Protection of Privacy in the Context of Electronic Communications
139
Consent As already explained, the key reason for processing of personal data and profiling of individuals is the economic purpose of targeted advertising.296 That is why, seeking consent is of upmost importance and as already discussed, data processing has to be lawful297 and there are different ways to meet this requirement, one of them is when consent is given by the data subject.298
With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions. 4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations. 5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article. 6. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43. 7. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2). 8. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63. 9. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form. 10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing. 296
For more detailed information on the processing of personal data, see Sect. 2.4. See Article 5 Paragraph 1 (a) of the GDPR. 298 See Article 6 Paragraph 1 (a) of the GDPR. 297
140
4 Past Trends in Decision and Conditioning Factors
That is why, consent is an important matter here and the GDPR consists of an Article that solely deals with consent.299 This provision should be seen as another key provision as it sets the requirements for giving consent.300 In this context, limitations to rights are as important as the rights themselves.301 That is why balancing with legitimate public interests when it comes to seeking consent is allowed. Transfers of Personal Data While the GDPR primarily establishes rules for processing personal data within in the European Union, Chapter V deals with transfers of personal data to third countries or international organizations.302 The fact that transfers of personal data
299
See Article 7 of the GDPR: Conditions for consent 1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. 2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. 4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
300
To give an example, consent has always to be given freely. Id. See also Preamble No. 32 of the GDPR that states: Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
301 302
Pati (2005), pp. 228–231. See Articles 44–50 of the GDPR.
4.2 The Protection of Privacy in the Context of Electronic Communications
141
to third countries which provide the data subject with an adequate level of data protection are allowed, becomes also clear when studying the Preamble.303 In order for a data subject not to lose his or her rights granted by the GDPR, the law prohibits any kind of transfer of personal data of a data subject to countries outside of the European Union or to international organizations unless there is an exception under the GDPR coming to play.304 Key provision is here Article 44 that sets the general principle for transfers.305
303
See, for example, Preamble No. 104 of the GDPR: In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, or of a territory or specified sector within a third country, take into account how a particular third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law. [. . .]
304
Exemptions could be those for reasons of national security and public safety. See Article 44 of the GDPR:
305
General principle for transfers Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.
142
4 Past Trends in Decision and Conditioning Factors
Independent Supervisory Authorities Ensuring Compliance in Member States Furthermore, Article 51 of the GDPR has to be considered a key provision as it sets the rules for all the European member states to establish, at least, one so-called supervisory authority.306 A supervisory authority should, overall, oversee the compliance with the GDPR within its country’s territory and cooperate with other member states in order to best protect their citizens’ rights to privacy and also to secure the freedom of personal data being processed throughout the European Union.307 The European Data Protection Board And there is also an independent308 European Data Protection Board consisting of, foremost, the different supervisory authorities of all the member states of the European Union.309 This board is important when it comes to the consistency mechanisms that are described in Chapter VII Section 2 Articles 63–67 of the
306
See Article 51 of the GDPR: Supervisory authority 1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’). 2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and the Commission in accordance with Chapter VII. 3. Where more than one supervisory authority is established in a Member State, that Member State shall designate the supervisory authority which is to represent those authorities in the Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63. 4. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to this Chapter, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
307
For more detailed information, for example, on the supervisory authority’s competence, tasks, powers, reports, on its cooperation (like, for instance, mutual assistance or joint operations) or on its consistency mechanisms such as the exchange of information, see Articles 52–67 of the GDPR. 308 See Article 69 of the GDPR. 309 Article 68 describes that the European Data Protection Board as the following: shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.
4.2 The Protection of Privacy in the Context of Electronic Communications
143
GDPR. Key provision is Article 70 of the GDPR that establishes all the tasks of the European Data Protection Board.310
310
See Article 70 of the GDPR: Tasks 1. The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular: (a) monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities; (b) advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation; (c) advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules; (d) issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services as referred to in Article 17(2); (e) examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation; (f) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2); (g) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal data breach; (h) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1). (i) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers based on binding corporate rules adhered to by controllers and binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned referred to in Article 47; (j) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal data transfers on the basis of Article 49(1); (k) draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83; (l) review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f); (m) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Article 54(2);
144
4 Past Trends in Decision and Conditioning Factors
Exemption And there is one more Article that should be considered a key provision as it allows member states to introduce an exemption under certain circumstances such as, for
(n) encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42; (o) carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited controllers or processors established in third countries pursuant to Article 42(7); (p) specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42; (q) provide the Commission with an opinion on the certification requirements referred to in Article 43(8); (r) provide the Commission with an opinion on the icons referred to in Article 12(7); (s) provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international organisation. (t) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and to issue binding decisions pursuant to Article 65, including in cases referred to in Article 66; (u) promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities; (v) promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organisations; (w) promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide. (x) issue opinions on codes of conduct drawn up at Union level pursuant to Article 40 (9); and (y) maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism. 2. Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter. 3. The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public. 4. The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.
4.2 The Protection of Privacy in the Context of Electronic Communications
145
example when national security or public safety would be in danger otherwise.311 So, only in very limited situations, a state would be able to introduce such a derogation to the GDPR. So, after explaining not only the subject-matter of the GDPR, but also its key provisions, the question remains: What exactly is new compared to the Data Protection Directive, the predecessor to the GDPR? In this context and as domestic law won’t automatically disappear in the different European countries that are affected by the GDPR, it has to be noted that depending on what the national data protection law of a country establishes, some European countries might feel that with the GDPR a lot changes are on their way, while others might only be able to notice a few novelties.312 That is why, in what follows, some of the most important novelties in comparison to the former Data Protection Directive will be given: New Definition of the Term “Personal Data” First and foremost, the definition of “personal data” became much broader. Instead of only considering an individual’s basic information such as, for example, name address or phone number, as personal data, the GDPR includes all the information that directly or indirectly leads to the identification of a particular person. This way, data like an IP-address or a user ID can be considered being personal data under the GDPR unlike under the Data Protection Directive.313
311
See Article 23 of the GDPR: Restrictions 1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard: (a) national security; (b) defence; (c) public security; [. . .]
312
As explained, Germany’s Federal Data Protection Act (Bundesdatenschutzgesetz) has a similar structure as the GDPR because the Bundesdatenschutzgesetz served as an example or guidance for the new European law. That is why, in Germany, one might not experience as many differences when the GDPR enters into force like in other counties that did not have a similar law to the Bundesdatenschutzgesetz. 313 See Article 4 of the GDPR: Definitions For the purposes of this Regulation:
146
4 Past Trends in Decision and Conditioning Factors
Codification of New Rights, For Example, the Right To Be Forgotten Furthermore, and as already explained, the individual whose personal data comes to play, the data subject, is granted a number of rights, overall the right to be forgotten that was established by the European Court of Justice, and that now became part of the GDPR being a statutory law for the first time.314
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; [. . .] (13) ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question; (14) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data; (15) ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status; [. . .] 314
Article 17 of the GDPR codifies the right to be forgotten and reads as the following: Right to erasure (‘right to be forgotten’) 1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1). 2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to
4.2 The Protection of Privacy in the Context of Electronic Communications
147
Higher Administrative Fines Administrative fines are way higher than before, in general they can easily reach 20 million euros or up to 4% of the yearly transaction volume of a company.315 New Transparency and Information Requirements New rules regarding transparency and information requirements come to play as the GDPR establishes that companies have to provide the individual, overall, not only the legal foundation for gathering and processing personal data, but also the period of time the data will be stored as well as whether the data might be transferred to
inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. [. . .] 315
See Article 83 of the GDPR that states: General conditions for imposing administrative fines [. . .] 4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43; (b) the obligations of the certification body pursuant to Articles 42 and 43; (c) the obligations of the monitoring body pursuant to Article 41(4). 5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; (b) the data subjects’ rights pursuant to Articles 12 to 22; (c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49; (d) any obligations pursuant to Member State law adopted under Chapter IX; (e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1). 6. Non-compliance with an order by the supervisory authority as referred to in Article 58 (2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. [. . .]
148
4 Past Trends in Decision and Conditioning Factors
another company for external use.316 Furthermore, the information has to be presented to the individual in a way that he or she can easily understand it.317 Privacy by Design and Privacy by Default Another novelty worth mentioning is that the GDPR requires companies to take appropriate technical and organizational measures in order to ensure that personal data remains anonymous the best way possible (so-called “privacy by design”)318
316
See Article 12 of the GDPR: Transparent information, communication and modalities for the exercise of the right of the data subject 1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means. 2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject. 3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject. 4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. 5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. [. . .]
317
See Article 12 Paragraph 7 of the GDPR: 7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.
318
See Article 25 of the GDPR: Data protection by design and by default 1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at
4.2 The Protection of Privacy in the Context of Electronic Communications
149
and devices as well as application have to be pre-set the way that they only gather this information that are actually necessary to be collected (so-called “privacy by default”).319 New Territorial Scope And last, but definitely not least, it has to be pointed at the new territorial scope of the GDPR. As the GDPR applies to each and every company that processes information of an individual who resides within the European Union and as in case of a law suit, from now on, the laws of the country of residency of the individual will be applied, foreign companies can no longer make to use of their headquarters in order to determine what kind of law would be applicable.320
the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons. 3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article. 319
Id. It has to be noted that it remains unclear what “necessary” means in this context, so that it is open for interpretation for the companies to decide, at least, until this matter might be brought to court for further clarification. 320 See Article 3 of the GDPR: Territorial scope 1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) he offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
150
4 Past Trends in Decision and Conditioning Factors
It becomes clear that the GDPR has quite some novelties which leads to the question: What are the pros and cons of the GDPR and what is predominant? The GDPR has not been in force for a long time yet and the law might seem too complicated.321 Nevertheless, the GDPR has already had an impact not only within the European Union, but also on the international level.322 Furthermore, not only was the GDPR created with the intention to better protect the individual’s personal data, but also does the GDPR consist of new elements trying to fill those gaps the former Data Protection Directive had left wide open.323 The pros are predominant.324 Therefore, one should consider the GDPR as being a path-breaking new law as the GDPR definitely is the latest and most comprehensive example for the protection of the individual’s personal data so far. Yet, it has to be seen what the future impact of the GDPR will be. Accordingly, after exploring the subject of social networks and privacy concerns from a legal point of view—discussing not only the general legal right to privacy, but rather also the protection of privacy in the context of electronic communications— the next chapter will examine what future decisions might be like.
References Ackelsberg M, Shanley M (1996) Privacy, publicity, and power. A feminist rethinking of the public-private distinction. In: Held V, Jaggar A (eds) Feminist theory and politics. Westview Press, Boulder African Charter on Human and People’s Rights (No. 26363), see the website of the African Commission on Human and Peoples’ Rights, available via African Commission on Human and Peoples’ Rights. https://www.achpr.org/legalinstruments/detail?id¼49. Accessed 22 Nov 2020
321
The GDPR is considered not only too complicated, but also too complex, chaotic and open to different interpretations and thus, likely leading to law suits. For a more detailed description of the cons of the GDPR, see Sect. 6.3. 322 The GDPR was not only discussed worldwide, but also states as well as companies and basically everybody who is confronted with data retrieved online and that might somehow be connected to or under the umbrella of the European Union had to take actions in order to make sure to comply with the GDPR, especially, in order to avoid failure to comply and its severe consequences. 323 Besides, the GDPR is binding for all member states of the European Union, so that a uniform law is created that is applicable to an entire region of the world. 324 In order to name a few of the advantages of the GDPR, for example, the GDPR gives a better definition for personal data, way higher fines come to play as soon as the law is violated and the GDPR leads to harmonization of the legal situations concerning data protection within an important and big part of the world, the European Union. For a more detailed overview of the pros and cons of the GDPR, see Sect. 6.3. See also Communication from the Commission to the European Parliament and the Council (2020).
References
151
Albertson Fineman M (1999) What place for family privacy? Geo Wash Law Rev 67:1207–1224. https://papers.ssrn.com/sol3/papers.cfm?abstract_id¼2103306. Accessed 22 nov 2020 Allen A (1996) Privacy at home. The twofold problem. In: Hirschmann N, Di Stefano C (eds) Revisioning the political. Feminist reconstructions of traditional concepts in western political theory. Routledge, New York American Convention on Human Rights “Pact of San José, Costa Rica” (O.A.S. Treaty Series No. 36, at 1, O.A.S. Off. Rec. OEA/Ser. L/V/II.23 dec rev. 2) Available via Organization of American States http://www.oas.org/dil/treaties_B-32_American_Convention_on_Human_ Rights.pdf. Accessed 22 Nov 2020 Arab Charter on Human Right (1994). Available https://policehumanrightsresources.org/content/ uploads/2016/06/Arab-Charter-on-Human-Rights.pdf?x96812. Accessed 22 Nov 2020 Art Copyright Act (KunstUrhG) Gesetz betreffend das Urheberrecht an Werken der Bildenden Künste und der Fotographie, Gesetz vom 09.01.1907 (RGBl. I S.7), zuletzt geändert durch Gesetz vom 16.01.2001 (BGBl. I S. 266) mit Wirkung vom 01.08.2001. Available via Bundesmininsterium für Justiz und Verbraucherschuatz https://www.gesetze-im-internet.de/ kunsturhg/BJNR000070907.html. Accessed 22 Nov 2020 Association of Southeast Asian Nations (ASEAN) (2012) ASEAN human rights declaration. Available via ASEAN https://www.asean.org/storage/images/ASEAN_RTK_2014/6_AHRD_ Booklet.pdf. Accessed 22 Nov 2020 Augustyn A et al (2020a) Constitution of the United States of America. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www.britannica.com/ topic/Constitution-of-the-United-States-of-America. Accessed 22 Nov 2020 Augustyn A et al (2020b) Declaration of independence. United States history. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www. britannica.com/topic/Declaration-of-Independence. Accessed 22 Nov 2020 Augustyn A et al (2020c) John Marshall Harlan, United States Jurist [1899–1971]. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www. britannica.com/biography/John-Marshall-Harlan-United-States-jurist-1899-1971. Accessed 22 Nov 2020 Basic Law for the Federal Republic of Germany (1949) Available via Deutscher Bundestag https:// www.btg-bestellservice.de/pdf/80201000.pdf. Accessed 22 Nov 2020 Beschluss des Zweiten Senats vom 19. Juli 1972. Available via https://www.servat.unibe.ch/dfr/ bv033367.html. Accessed 22 Nov 2020 Blum J, Steinhardt R (1981) Federal jurisdiction over international human rights claims: the Alien Tort claims act after Filartiga v. Pena-Irala. Harv Int Law J 22(75):53–70 Brierley Newell P (1995) Perspectives on privacy. J Environ Psychol 15:87–104 Brierley Newell P (1998) A cross-cultural comparison of privacy definitions and functions: a systems approach. J Environ Psychol 18(18):357–371 Cairo Declaration on Human Rights in Islam (1990) Cairo Declaration on Human Rights in Islam, Aug. 5, 1990, U.N. GAOR, World Conf. on Hum. Rts., 4th Sess., Agenda Item 5, U.N. Doc. A/CONF.157/PC/62/Add.18 (1993) [English translation]. Available via University of Minnesota Human Rights Library http://hrlibrary.umn.edu/instree/cairodeclaration.html. Accessed 22 Nov 2020 Calcutt D (1997) Report of the committee on privacy and related matters. The Stationary Office, London Cardonsky L (2002) Towards a meaningful right to privacy in the United Kingdom. Br Univ Int Law J 20:393–413 Carpenter v. United States. Available via Supreme Court https://www.supremecourt.gov/opinions/ 17pdf/16-402_h315.pdf. Accessed 22 Nov 2020 Cavoukian A, Tapscott D (1997) Who knows. Safeguarding your privacy in a networked world. McGraw-Hill, New York
152
4 Past Trends in Decision and Conditioning Factors
Charter of Fundamental Rights of the European Union (2012/C 326/02) Available via Official Journal of the European Union https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/? uri¼OJ:C:2007:303:FULL&from¼EN. Accessed 22 Nov 2020 Children’s Online Privacy Protection Rule (COPPA) Children’s Online Privacy Protection Act of 1998, 15 U.S.C. 6501–6505. Available via Federal Trade Commission https://www.ftc.gov/ enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protec tion-rule. Accessed 22 Nov 2020 Communication from the Commission to the European Parliament and the Council (2020) Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation. Available via European Commission https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/? uri¼CELEX:52020DC0264&from¼EN. Accessed 22 Nov 2020 Constitution of the Argentine Nation (1994). Available http://www.biblioteca.jus.gov.ar/argentinaconstitution.pdf. Accessed 22 Nov 2020 Constitution of the Dominican Republic (2015) Dominican Republic’s Constitution of 2015. Available https://www.constituteproject.org/constitution/Dominican_Republic_2015.pdf. Accessed 22 Nov 2020 Constitution of the Federative Republic of Brazil (2010.) Available via Biblioteca Digital da Camera dos Diputados https://www.oas.org/es/sla/ddi/docs/acceso_informacion_base_dc_ leyes_pais_b_1_en.pdf. Accessed 22 Nov 2020 Constitution of the Republic of Colombia (1991) Colombia’s constitution of 1991 with amendments through 2005. Available https://www.constituteproject.org/constitution/Colombia_2005. pdf. Accessed 22 Nov 2020 Constitution of the Republic of Ecuador (2008) Available via Georgetown University http://pdba. georgetown.edu/Constitutions/Ecuador/english08.html. Accessed 22 Nov 2020 Convention for the Protection of Human Rights and Fundamental Freedoms (Treaty No. 005) Details of Treaty No. 005. Available via Counsel of Europe https://www.coe.int/en/web/ conventions/full-list/-/conventions/treaty/005. Accessed 22 Nov 2020 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Treaty No. 108) Available via Council of Europe https://www.coe.int/en/web/conventions/fulllist/-/conventions/treaty/108. Accessed 22 Nov 2020 Convention on the Rights of the Child (A/RES/44/25). Available http://www.cirp.org/library/ ethics/UN-convention/. Accessed 22 Nov 2020 Criminal Code (Strafgesetzbuch, StGB) As promulgated on 13 November 1998 (Federal Law Gazette I, p. 945, p. 3322). Available via German Law Archive https://germanlawarchive. iuscomp.org/?p¼752. Accessed 22 Nov 2020 D’Amato A (1971) The concept of custom international law. Cornell University Press, New York Data Protection Act of 1998 (DPA). Available https://www.legislation.gov.uk/ukpga/1998/29/ contents. Accessed 22 Nov 2020 Declaration of Independence. Available via National Archives https://www.archives.gov/foundingdocs/declaration-transcript. Accessed 22 Nov 2020 Declaration of Principles on Freedom of Expression in Africa (2002) Declaration of Principles on Freedom of Expression in Africa, African Commission on Human and Peoples’ Rights, 32nd Session, 17–23 October, 2002: Banjul, The Gambia, available via University of Minnesota Human Rights Library http://hrlibrary.umn.edu/achpr/expressionfreedomdec.html. Accessed 22 Nov 2020 Decree Number 1377/2013 (2013). Available https://iapp.org/media/pdf/knowledge_center/ DECRETO_1377_DEL_27_DE_JUNIO_DE_2013_ENG.pdf. Accessed 22 Nov 2020 Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) Eingriffe in das Recht auf informationelle Selbstbestimmung nur auf der Grundlage eines Gesetzes, das auch dem Datenschutz Rechnung trägt (Volkszählungsurteil). Available via BfDI https://www.bfdi. bund.de/DE/Datenschutz/Themen/Melderecht_Statistiken/VolkszaehlungArtikel/151283_ VolkszaehlungsUrteil.html. Accessed 22 Nov 2020
References
153
Deutscher Bundestag (Netzwerkdurchsuchungsgesetz) Available via Deutscher Bundestag https:// www.bundestag.de/dokumente/textarchiv/2017/kw26-de-netzwerkdurchsetzungsgesetz/ 513398. Accessed 22 Nov 2020 DeVries W (2003) Protecting privacy in the digital age. Berkeley Tech Law J 18(1):283–311. Available via Berkeley Law https://lawcat.berkeley.edu/search?p¼035:[(bepress-path)btlj/ vol18/iss1/19]. Accessed 22 Nov 2020 Directive 95/46/EC (1995) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281:1–50. Available https://eur-lex.europa.eu/ LexUriServ/LexUriServ.do?uri¼CELEX:31995L0046:en:HTML. Accessed 22 Nov 2020 Disinformation and ‘fake news’: Final Report (2019) Eight report of session 2017–19. Available via House of Commens Digital, Culture, Media and Sport Committee https://publications. parliament.uk/pa/cm201719/cmselect/cmcumeds/1791/1791.pdf. Accessed 22 Nov 2020 Donnelly J (2003) Universal human rights in theory and practice. Cornell University Press, New York Duignan B (2020) Louis Brandeis. United States jurist. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www.britannica.com/biography/ Louis-Brandeis. Accessed 22 Nov 2020 Education Foundation Consumer Federation of California (CFC) California Online Privacy Protection Act (CalOPPA). Available via CFC https://consumercal.org/about-cfc/cfc-educationfoundation/california-online-privacy-protection-act-caloppa-3/. Accessed 22 Nov 2020 Edwards G (2001) International human rights law challenges to the new International Criminal Court: the search and seizure right to privacy. Yale J Int Law 26:323–412. Available https:// digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article¼1148&context¼yjil. Accessed 22 Nov 2020 European Data Protection Supervisor (EDPS) The History of the General Data Protection Regulation. Available via EDPS https://edps.europa.eu/data-protection/data-protection/legislation/ history-general-data-protection-regulation_en. Accessed 22 Nov 2020 Farivar C (2018) Habeas Data. Privacy vs. the rise of surveillance tech. Melville House, New York Feather J, Sturges P (2013) International Encyclopedia of Information and Library Science. Available https://books.google.com/books?id¼gvzfCgAAQBAJ&pg¼PA124&lpg¼PA124& dq¼Younger+Committee+on+Privacy+in+the+United+Kingdom+encyclopaedia& source¼bl&ots¼T-B-Ory14S&sig¼PF_Rj04cIvALSq0CxL8Etfq_3zM&hl¼en&sa¼X& ved¼0ahUKEwjMxbL-z9rZAhUI7lMKHaXCCJ8Q6AEIQTAD#v¼onepage&q¼Younger% 20Committee%20on%20Privacy%20in%20the%20United%20Kingdom%20encyclopaedia& f¼fals. Accessed 22 Nov 2020 Federal Data Protection Act (BDSG). Federal Data Protection Act of 30 June 2017 (Federal Law Gazette I p. 2097), as last amended by Article 12 of the Act of 20 November 2019 (Federal Law Gazette I, p. 1626). Available via Bundesamt für Justiz und Verbraucherschutz https://www. gesetze-im-internet.de/englisch_bdsg/index.html. Accessed 22 Nov 2020 Federal Law on Protection of Personal Data Held by Private Parties (2010). Available http://media. mofo.com/files/uploads/Documents/FederalDataProtectionLaw2010.pdf. Accessed 22 Nov 2020 Federal Trade Commission (FTC). Available via FTC https://www.ftc.gov. Accessed 22 Nov 2020 Franzius C (2015) Das Recht auf informationelle Selbstbestimmung. ZJS, pp 259–270 Freiwald S, Smith S (2018) The Carpenter Chronicle: a near-perfect surveillance. Harv Law Rev 132:205–235. Available via Harvard Law Review https://harvardlawreview.org/wp-content/ uploads/2018/11/205-235_Online.pdf. Accessed 22 Nov 2020 General Data Protection Regulation (GDPR) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official J of the European Union 59:1-88.
154
4 Past Trends in Decision and Conditioning Factors
Available via Europen Commission https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/? uri¼CELEX:32016R0679&from¼EN. Accessed 22 Nov 2020 Glendon M (2020) Common law. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www.britannica.com/topic/common-law. Accessed 22 Nov 2020 Global Internet Liberty Campaign (GILC) Privacy and Human Rights. An International Survey of Privacy Laws and Practice. Available via GILC http://gilc.org/privacy/survey/intro.html. Accessed 22 Nov 2020 González M (2015) Habeas data: comparative constitutional interventions from Latin America against neoliberal states of insecurity and surveillance. Chicago-Kent Law Rev 90(2). St. Thomas University School of Law (Florida) Research Paper No. 2015-06. Available via Social Science Research Network https://ssrn.com/abstract¼2694803. Accessed 22 Nov 2020 Gordon L (1990) Family violence, feminism, and social control. In: Gordon L (ed) Women, the state, and welfare. University of Wisconsin Press, Madison Grundgesetz für die Bundesrepublik Deutschland vom 23. Mai 1949 (BGBl. S. 1), zuletzt geändert durch Artikel 1 und 2 Satz 2 des Gesetzes vom 29. September 2020 (BGBl. I S. 2048). Available via Deutscher Bundestag https://www.bundestag.de/parlament/aufgaben/rechtsgrundlagen/ grundgesetz. Accessed 22 Nov 2020 Haenggi S (1999) The right to privacy is coming to the United Kingdom: balancing the individual’s right to privacy from the press and the media’s right to freedom of expression. Hous J Int Law 21 (3):531 Hauch J (1994) Protecting private facts in France. The Warren & Brandeis tort is alive and well and flourishing in Paris. Tul Law Rev 68:1219–1228 Health Insurance Portability and Accountability Act of 1996 (HIPAA) Available via Center for Disease Control and Prevention https://www.cdc.gov/phlp/publications/topic/hipaa.html. Accessed 22 Nov 2020 Helfer L, Slaughter A (1997) Toward a theory of effective supranational adjudication. Yale Law J 107:273–391. Available https://digitalcommons.law.yale.edu/ylj/vol107/iss2/1. Accessed 22 Nov 2020 Hessisches Gesetz zur Anpassung des Hessischen Datenschutzrechts an die Verordnung (EU) Nr. 2016/679 und zur Umsetzung der Richtlinie (EU) Nr. 2016/680 und zur Informationsfreiheit vom 3.Mai 2018 (HDSIG). Available https://beck-online.beck.de/Dokument?vpath¼bibdata% 5Cges%5Ches_1106_2018_0082%5Ccont%5Ches_1106_2018_0082.htm. Accessed 22 Nov 2020 Higgins T (2000) Reviving the public/private distinction in feminist theorizing. Chi-Kent Law Rev 75:8 75, Chi.-Kent L. Rev. 847–868 Hirshleifer J (1980) Privacy. Its origin, function and future. J Leg Stud 9:649–664 Hoffmann-Riem W (1998) Informationalle Selbstbestimmung in der Informationsgesellschaft. AöR, pp 513–540 Hotter M (2011) Privatsphäre. Der Wandel eines liberalen Rechts im Zeitalter des Internets. Campus Verlag, Frankfurt Human Rights Act of 1998 (HRA) C. 42 (Eng.). Available https://www.legislation.gov.uk/ukpga/ 1998/42/contents. Accessed 22 Nov 2020 Information Commissioner’s Office (ICO) Guide to the General Data Protection Regulation (GDPR). Available via ICO https://ico.org.uk/for-organisations/guide-to-the-general-dataprotection-regulation-gdpr/. Accessed 22 Nov 2020 International Convention on the Protection of All Migrant Workers and Members of Their Families (A/RES/45/158). Available via OHCHR http://www.ohchr.org/Documents/ ProfessionalInterest/cmw.pdf. Accessed 22 Nov 2020 International Covenant on Civil and Political Rights (ICCPR) Available via United Nations Human Rights Office of the High Commissioner https://www.ohchr.org/en/professionalinterest/pages/ ccpr.aspx. Accessed 22 Nov 2020
References
155
International Covenant on Economic, Social and Cultural Rights (ICESCR) Available via United Nations Human Rights Office of the High Commissioner https://www.ohchr.org/en/ professionalinterest/pages/cescr.aspx. Accessed 22 Nov 2020 International Law Commission (2018). Draft conclusions on identification of customary international law, with commentaries 2018. Yearbook of the International Law Commission, 2018, vol II, Part Two. Available via United Nations https://legal.un.org/ilc/texts/instruments/english/ draft_articles/1_13_2018.pdf. Accessed 22 Nov 2020 Jolly I (2020) Data protection in the United States: overview. Available https://content.next. westlaw.com/6-502-0467?transitionType¼Default&firstPage¼true&bhcp¼1&contextData¼ (sc.Default). Accessed 22 Nov 2020 Judgment of 15 December 1983 (1 BvR 209/83). Available via Bundesverfassungsgericht https:// www.bundesverfassungsgericht.de/SharedDocs/Entscheidungen/EN/1983/12/rs19831215_ 1bvr020983en.html. Accessed 22 Nov 2020 Kaladharan Nayar M (1978) Introduction: human rights. The United Nations and United States Foreign Policy. Harv Int Law J 19:813–817 Kalven H Jr (1966) Privacy in tort law - were Warren and Brandeis wrong? Law Contemp Probs 31:326–341. Available via Duke Law https://scholarship.law.duke.edu/cgi/viewcontent.cgi? article¼3112&context¼lcp. Accessed 22 Nov 2020 Kirch W (ed) (2008) Encyclopedia of public health, vol 1. Springer, Dordrecht Krotoszynski R (1990) Autonomy, community and traditions of liberty. The contrast of British and American Privacy Law. Duke Law J 1990:1398–1454. https://scholarship.law.duke.edu/cgi/ viewcontent.cgi?article¼3136&context¼dlj Lasswell H, Miller J, McDougal M (1994) The interpretation of international agreements and world public order. Principles of content and procedure. The New Haven studies in international law and world public order, vol 8. Brill | Nijhoff, Leiden Law No. 18.331 (2008). Available http://archivo.presidencia.gub.uy/_web/leyes/2008/08/CM524_ 26%2006%202008_00001.PDF. Accessed 22 Nov 2020 Ley Estatuaria No. 1581 (2012). Available https://habeasdatacolombia.uniandes.edu.co/wpcontent/uploads/LEY-1581-DEL-17-DE-OCTUBRE-DE-2012.pdf. Accessed 22 Nov 2020 Ludwig-Maximilians-Universität München (LMU), Juristische Fakultät (2020) Prof. em. Dr. Dres. h.c. Hans-Jürgen Papier. Entpflichteter Professor. Available via LMU https://www.jura.unimuenchen.de/personen/p/papier_hans-juergen/index.html. Accessed 22 Nov 2020 Marcella A Jr, Stucki C (2003) Privacy handbook. Guidelines, exposures, policy implementation, and international issues. Wiley, Hoboken Marco Civil Law of the Internet (2014) Available via Government agency Comitê Gestor da Internet no Brasil. https://www.cgi.br/pagina/marco-civil-law-of-the-internet-in-brazil/180. Accessed 22 Nov 2020 Marsteintredet L (2020) The Constitutions of the Dominican Republic. Between aspirations and realities. In: Albert R, O’Brien D, Wheatle S (eds) The Oxford handbook of Caribbean Constitutions. Oxford University Press, Oxford McCloskey H (1980) Privacy and the right to privacy. R Inst Philos 55(211):17–38 McDougal M, Lasswell H, Reisman W (1967) The world constitutive process of authoritative decision. J Leg Educ 19:253 McDougal M, Lasswell H, Chen L (1980) Human rights and world public order: the basic policies of an international law of human dignity. Yale University Press, New Haven McKinnon C (1989) Toward a feminist theory of state. Harvard University Press, Cambridge Morris J (2008) Big Success or “Big Brother”?: Great Britain’s national identification scheme before the European Court of Human Rights. Ga J Int Comp Law 36:443–473. Available https:// digitalcommons.law.uga.edu/cgi/viewcontent.cgi?article¼1179&context¼gjicl. Accessed 22 Nov 2020 National Conference of State Legislatures (NCSL) State Social Media Privacy Laws. Available via NCSL https://www.ncsl.org/research/telecommunications-and-information-technology/state-
156
4 Past Trends in Decision and Conditioning Factors
laws-prohibiting-access-to-social-media-usernames-and-passwords.aspx. Accessed 22 Nov 2020. Nettesheim M (2011) Grundrechtsschutz der Privatheit. VVDStRL 70 Network Enforcement Act (Netzwerkdurchsetzungsgesetz). Available via the German Law Archive https://germanlawarchive.iuscomp.org/?p¼1245. Accessed 22 Nov 2020 Office of the Attorney General (OAG) State of California Department of Justice (2020) Privacy Laws. Available https://oag.ca.gov/privacy/privacy-laws. Accessed via OAG 22 Nov 2020 Organic Law 172-13 on the Protection of Personal Data in Spanish (2013). Available http://media. mofo.com/files/PrivacyLibrary/3983/Ley_172_13_Proteccion_Datos_Caracter_Personal.pdf. Accessed 22 Nov 2020 Papier H (2010) Entwicklungen des Rechts auf informationelle Selbstbestimmung seit dem Volkzählungsurteil des Bundesverfassungsgerichts. Vortrag im Rahmen der 1. Bitburger Gespräche. Available at https://www.uni-trier.de/fileadmin/fb5/inst/IRP/BG_ Einzeldokumente_ab_2010/BGiM_1/Vorabversion_BG01München_04_Papier.pdf. Accessed 22 Nov 2020 Parraguez Kobek L, Caldera E (2016) Cyber security and Habeas Data. The Latin American Response to Information Security and Data Protection. OASIS 24:109–128. Available https:// papers.ssrn.com/sol3/papers.cfm?abstract_id¼2868039. Accessed 22 Nov 2020 Pati R (2005) Rights and their limits: the constitution for Europe in international and comparative legal perspective. Berkeley J Int Law 23:223–280. Available via Berkeley Law https://lawcat. berkeley.edu/record/1119791. Accessed 22 Nov 2020 Personal Data Protection Act (PDPA). Available http://www.jus.gob.ar/media/3201023/personal_ data_protection_act25326.pdf. Accessed 22 Nov 2020 Press Release (2014) Global Internet privacy study reveals consumers conflicting views. Beliefs of Eroding Privacy, Lack of Confidence in Ethics. Available via Dell Technologies https://www. emc.com/about/news/press/2014/20140612-01.htm. Accessed 22 Nov 2020 Press Release No. 70/14 of the Court of Justice of the European Union (May 13, 2014). Available via the Court of Justice of the European Union https://curia.europa.eu/jcms/upload/docs/ application/pdf/2014-05/cp140070en.pdf. Accessed 22 Nov 2020 Privacy Laws (2020) Available via State of California, Department of Justice https://oag.ca.gov/ privacy/privacy-laws. Accessed 22 Nov 2020 Recommendation No. R(99) 5 for the protection of privacy on the Internet (1999) Available via Council ofhttps://dispatch.coe.int/?home¼wcd.coe.int&command¼com.instranet. CmdBlobGet&InstranetImage¼2732155&SecMode¼1&DocId¼396826&Usage¼2. Accessed 22 Nov 2020 Regan P (1995) Legislating privacy. University of North Carolina Press, Chapel Hill Rengel A (2013) Privacy in the 21st century. Martinus Nijhoff, Leiden Rich C (2015) Privacy in Latin America and the Caribbean (reproduced with permission from Privacy & Security Law Report, 14 PVLR 730, 04/27/2015). Bureau of National Affairs, Inc. (Bloomberg BNA), Arlington. Available via Bloomberg BNA https://www.bna.com/ uploadedFiles/BNA_V2/Legal/Pages/Custom_Trials/PVRC/Privacy_Laws_Latin_America. pdf. Accessed 22 Nov 2020 Rome Statute of the International Criminal Court (ICJ). Available http://legal.un.org/icc/statute/ romefra.htm.Accessed 22 Nov 2020 Rozenshtein A (2019) Fourth amendment reasonableness after Carpenter. Yale Law J 128:943–960. Available via The Yale Law Journal https://www.yalelawjournal.org/pdf/Rozenshtein_ 5gbt6641.pdf. Accessed 22 Nov 2020 Samuels A (1996) Privacy. Statutorily definable? Stat Law Rev 17:115–127 Scalia A (2018) A matter of interpretation. Federal courts and the law. Princeton University Press, New Jersey Schneider E (2000) Battered women & feminist lawmaking. Yale University Press, New Haven
References
157
Schwartz P, Pfeifer K (2019) Structuring international data protection law. Int Data Privacy Law 2019:1–49. Available https://www.law.berkeley.edu/wp-content/uploads/2019/10/SchwartzIntl-Data-Privacy-Law-21.pdf. Accessed 22 Nov 2020 Solove D, Schwartz P (2017) Privacy law fundamentals. International Association of Privacy Professionals (IAPP), Portsmouth Stanley J (2011) Max Mosley and the English right to privacy. Wash Univ Glob Stud Law Rev 10:641–667. Available https://openscholarship.wustl.edu/cgi/viewcontent.cgi?article¼1028& context¼law_globalstudies. Accessed 22 Nov 2020 Supreme Court of the United States (2020) The Court and Constitutional interpretation. Chief Justice Charles Even Hughes Cornerstone Address. Available via Supreme Court of the United States https://www.supremecourt.gov/about/constitutional.aspx. Accessed 22 Nov 2020 The Constitution of the United States of America. Available via Government Publishing Office https://www.gpo.gov/fdsys/pkg/CDOC-110hdoc50/pdf/CDOC-110hdoc50.pdf Thomson J (1975) The right to privacy. Philos Public Aff 4:295–314 Tokson M (2016) Knowledge and fourth amendment privacy. Northwest Univ Law Rev 111:139–204 UN Human Rights Committee (HRC) CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation, 8 April 1988. Available http://www.refworld.org/docid/453883f922. html. Accessed 22 Nov 2020 United Nations Educational, Scientific and Cultural Organization (UNESCO). Latin America and The Caribbean. Available via UNESCO http://www.unesco.org/new/en/unesco/worldwide/ latin-america-and-the-caribbean/. Accessed 22 Nov 2020 United Nations General Assembly (2020) About the general assembly. Available via United Nations http://www.un.org/en/ga/about/. Accessed 22 Nov 2020 United Nations Human Rights Office of the High Commissioner (2020) Human rights and treaty bodies – general comments. Available via United Nations Human Rights Office of the High Commissioner https://www.ohchr.org/en/hrbodies/pages/tbgeneralcomments.aspx. Accessed 22 Nov 2020 United Nations Human Rights Office of the High Commissioner (OHCHR) (2020a) OHCHR and privacy in the digital age. Available via United Nations Human Rights Office of the High Commissioner https://www.ohchr.org/EN/Issues/DigitalAge/Pages/DigitalAgeIndex.aspx. Accessed 22 Nov 2020 United Nations Human Rights Office of the High Commissioner (OHCHR) Annual thematic reports of the Special Rapporteur on the right to privacy. Available via United Nations Human Rights Office of the High Commissioner http://www.ohchr.org/EN/Issues/Privacy/SR/ Pages/AnnualReports.aspx. Accessed 22 Nov 2020b Universal Declaration of Human Rights, G.A. Res. 217 (III) A U.N. Doc. A/RES/217(III) (Dec 10, 1948) [hereinafter UDHR]. https://www.ohchr.org/EN/Library/Pages/UDHR.aspx. Accessed 22 Nov 2020 Urteil des Ersten Senats vom 15. Dezember 1983 (Volkszählungsurteil). Available via Bundesverfassungsgericht https://www.bundesverfassungsgericht.de/SharedDocs/ Entscheidungen/DE/1983/12/rs19831215_1bvr020983.html. Accessed 22 Nov 2020 Walker A (2004) When a good idea is poorly implemented. How the International Criminal Court fails to be insulted from international politics and to protect basic due process guarantees. W Va Law Rev 106:246–306 Warren S, Brandeis L (1890) The right to privacy. Harv Law Rev 4:193–220 Weeks J (1963) Comparative law of privacy. Clev-Marshall Law Rev 12:484 Werro F (2020) The right to be forgotten. A comparative study of the emergent right’s evolution and application in Europe, the Americas, and Asia. Springer, Heidelberg Westin A (1970) Privacy and freedom. The Bodley Head, London Wiessner S (2006) Dedication. Intercult Hum Rights Law Rev 1:1–4
158
4 Past Trends in Decision and Conditioning Factors
Wiessner S (2017) Introduction. In: Wiessner S (ed) General theory of international law. Brill I Nijhoff, Leiden Younger Committee on Privacy in the United Kingdom (1972) Report of the Committee on Privacy (Cmnd. 5012). Available http://hansard.millbanksystems.com/lords/1973/jun/06/privacy-youn ger-committees-report. Accessed 22 Nov 2020
Chapter 5
Predictions
After illustrating the subject of social networks and privacy concerns from a legal point of view, by explaining the general legal right to privacy, as well as the protection of privacy in the context of electronic communications, this chapter aims to explore what future decisions might be like in the range oscillating from a most pessimist to the most optimistic developmental construct of the future.1 First of all, it would be hard to deny that social networks will gain more and more power in today’s reality because they consume a lot of the time of their many users.2 Therefore, it becomes clear that any government would have to, at least, try to cooperate and negotiate with global players like Facebook that have become such a big part of so many individuals’ every-day lives.3 The question is whether states should even have to draw and enforce strict rules in order to regulate some or all of the behavior that can be witnessed on almost every social network.4 Overall, and when it comes to a state’s responsibility to prevent harm from its citizens, but rather protect them—not only in order to protect its citizens’ privacy, but also in order to fight crimes as well as terrorism in order to protect its citizens’ safety, well-being and lives—governments have to decide what their very own role is when it comes down to people’s involvement in social networks.5 To, once again, emphasize the fact that social networks gain more and more power and influence on the lives of many people, in what follows, the focus will be on Facebook.
1
For more information on how to best predict future developments, see Ascher (1979). There has been the prediction that Facebook would disappear till the year 2020, see “Facebook Will Disappear by 2020, Says Analyst”, Mashable (June 4, 2012). This prediction did not come true. 3 See, in particular, Sect. 2.3. 4 To remember how social networks usually operate, what their aims and purposes are, see Sect. 2.2. 5 For further information on how stakeholders should respond to the new situation social media imposes, see Fieseler and Fleck (2013), pp. 759–775. 2
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 V. Kirch, Social Networks - The Modern-Day Family, https://doi.org/10.1007/978-3-030-68651-2_5
159
160
5
Predictions
Approximately 2.2 billion people log on to Facebook alone every month,6 so that it can be assumed that Facebook has officially become the number one means of communication worldwide.7 And as already discussed, this giant player also owns other platforms like WhatsApp or Instagram used by hundreds of millions of people from all around the world. Furthermore, and more importantly, Facebook constantly develops new things in order to be able to reach out to even more individuals. Here are some of its latest developments that are worth mentioning: Facebook Live There is, for instance, so-called “Facebook Live” meaning a service that allows people to share videos being streamed live. Of course, and as already pointed out, every user of Facebook grants Facebook “a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use” all of the content posted on Facebook.8 Hence, this includes every picture as well as every video—and this license won’t even end neither upon deletion of content nor upon closing a Facebook account.9 Therefore, by offering its new service Facebook live, even more data could be obtained from Facebook’s users in the future and this way, people could also become more and more exposed, easier influenced and manipulated as well as better controlled.10
The website of “statista”, an online statistics portal that was founded in Hamburg/Germany in 2007, states:
6
With over 2.7 billion monthly active users as of the second quarter of 2020, Facebook is the biggest social network worldwide. In the third quarter of 2012, the number of active Facebook users surpassed one billion, making it the first social network ever to do so. Active users are those which have logged in to Facebook during the last 30 days. During the last reported quarter, the company stated that 3.14 billion people were using at least one of the company’s core products (Facebook, WhatsApp, Instagram, or Messenger) each month. See “Facebook: number of monthly active users worldwide 2008–2020”, statista (August 10, 2020). For further information on how the number of active Facebook per month developed worldwide from 2008 till 2020, see “Number of monthly active Facebook users worldwide as of 2nd quarter 2020”, statista (July 2020). 7 According to statista, Facebook remains the world’s most popular social network, see Clement (2020a). See also Clement (2020b). So, at least for now, Facebook is the most frequented social network, in the future, obviously, other social networks might overtake Facebook—especially, as the younger generation, the so-called Generation Facebook, might not be as attached to Facebook as people were in the past. Generation Facebook might rather turn more and more to other social networks like, for example, Instagram, SnapChat or TikTok. See Sect. 2.2 as well as Sect. 2.3. 8 In order to read Facebook’s current terms, see Facebook (2019). 9 Id. 10 For further information on Facebook Live and how to involve others in one’s live broadcast, see Facebook for Media (2020a).“Facebook Live”, Facebook for Media (2020).
5 Predictions
161
Instant Articles And there is another development by Facebook that is worth mentioning. It is the possibility for any media corporation to post their articles directly to Facebook and only link them to their own Websites from there. Facebook states that by doing so, way more people could be reached by any media company using this service. That, of course, would be an advantage for a media venture. But obviously it, once again, creates a pretty intense dependency of these media companies on Facebook as it has to be noted again that Facebook is going to be the one in control of all this media content and also the one who decides whether when and how an article would be spread over the network. As people would get used to the simple way of retrieving their information including the news so easily from a platform they are using constantly already, they could totally stop looking at other websites, but rather only rely on what Facebook offers them regarding up to date information. This way, people could, once again, easily be manipulated by only getting specific news, points of views, just one-sided information.11 And as already discussed, the studies on how incorrect information can be spread throughout the internet—especially, making use of social networks—are pretty scary in this context. Overall, extreme points of view or radical political opinions find their platform, a platform they would not find outside the world wide web as not many people would speak them out loud in public being in the real world. It is obvious that defending extremist points of view is way harder and requires courage and strength if standing in front of a real person compared to post such thing online sitting in front of, or let us better say, hiding or feeling safe behind a computer, tablet or smartphone. Hence, one can easily imagine how this kind of diffusion of media could, for example, have an impact on a presidential election, a referendum or any other kind of decision-making. Facebook as an Ambassador of the World Wide Web Moreover, Facebook intends to bring the world wide web to every corner of the world. The goal is that any person should be able to use the internet at any time no matter where they are. That is why, Facebook has teamed up with other companies in order to establish internet.org by Facebook. Internet.org by Facebook is supposed to provide affordable access to the world wide web to those people who are living in less developed countries.12 Moreover, Facebook has been working on a specific drone that is supposed to be operated by solar energy.13
11 For further information on Instant Articles and how to publish overall quick articles, see Facebook for Media (2020b). 12 For further information on internet.org by Facebook, see internet.org by Facebook’s website, available at https://info.internet.org/en/. see “internet.org by Facebook”, Facebook (2020). For a more critical point of view on internet.org by Facebook, see “The surprising Truth about Facebook internet.org. No, Internet.org is not a nonprofit organization that subsidizes Internet access for new users”, computerworld (February 15, 2016). 13 For more information on this flying object called Aquila, Facebook’s “solar-powered plane that will beam internet to remote parts of the world” as Facebook states on their website, see Zuckerberg (2016).
162
5
Predictions
But who knows what such drone might be doing besides providing people with access to the internet. It is not very hard to imagine that sooner or later such type of flying object could be stocked with further equipment such as a camera and microphone, so that it could easily also tape and film pretty much everything while being out there. All these examples of recent developments initiated by Facebook illustrate that constant surveillance of anybody anywhere is no longer fiction, but rather already an easy task that could soon actually become reality. Moreover, it is pretty clear that a network like Facebook has its own global political ambitions.14 That is why, Facebook’s founder and CEO Mark Zuckerberg has long become an important figure many leaders of all kind of different countries all around the world are willing to meet frequently. Zuckerberg also already spoke at the United Nations.15 And although Facebook constantly points out how important it is for any person to be connected and have access to the internet—in order to connect the world and also in order to achieve the Sustainable Development Goals of the United Nations as Zuckerberg stated during his visit there in 201516—the question remains if these things really are what those social networks are driven by.
14 Therefore, the threat of fake news spread through social networks becomes an even bigger dimension—especially, as more than 50 % of all U.S. adult users of Facebook make use of Facebook to obtain their daily news. See “Facebook Revenue and Usage Statistics (2020)”, Business of Apps (July 30, 2020). Furthermore, it becomes clear that after collecting and carefully analyzing the data of the users of social networks, it is pretty easy to place only certain information or rather spread fake news as well as very one-sided facts on certain events or future decisions on social network sites in order to manipulate the users of those social networks. Moreover, there are so-called “troll factories” that are supposed to only focus on driving people’s opinions into a certain direction. For further information on troll factories, see “Inside the Russian Troll Factory: Zombies and a Breakneck Pace”, The New York Times (February 18, 2018). For more information on how the Chinese government gets involved in social media, see King et al. (2017). In order to learn more about the impact of Facebook and possible responses of its users, see “The power of social networks and Generation Facebook strategies”, SearchCIO.com (September 13, 2012). In addition, the European Union tries to fight fake news itself with its project “Pheme” as Facebook does not respond the way it is expected to do so, see “Wie sich Lüge vor die Wahrheit legt”, FAZ (February 10, 2017). For further information on the project Pheme that was started in 2014 and is funded by the European Commission, see Pheme (2020). 15 On September 26, 2015, Mark Zuckerberg participated in the Sustainable Development Summit’s interactive dialogue on Fostering Sustainable Economic Growth, Transformation and Promoting Sustainable Consumption and Production. That day, he also met with the President of the UN General Assembly and gave a keynote address at the United Nations Private Sector Forum, see General Assembly of the United Nations (2015). 16 Id.
5 Predictions
163
Furthermore, and as already presented, the internet and especially social media have become a source for making money big time.17 Not only the individual—for instance, the blogger or the so-called youtuber—is aiming to earn a living by using the internet. The largest corporations of our times like Apple or Facebook are themselves the ones that want to benefit from the data retrieved from the world wide web the most. And coming back to the issue of privacy concerns, it has to be noted that there are tendencies that go way beyond of what a social network is considered today. As already pointed out, there are firms that are creating so-called profiles of one’s personality including all kind of behavior that could be obtained from the internet.18 And there exists also already the tool that is able to recognize someone’s face. Moreover, several companies are working on creating glasses that can be worn in order to detect a person on the street by screening people’s faces.19 So, what could possibly be the worst-case-scenario in the future looking at the individual’s behavior when making use of electronic communication and people’s involvement in social networks? As already said, it can be stated that social networks like Facebook are trying to create exclusive platforms for their users as they aim their users to only make use of this one particular medium online and build their whole lives around it.20 Looking at the worst-case-scenario, this would easily lead to the user not only being very dependent on a specific social network, but also becoming pretty vulnerable while relying on that platform as he or she could, over all, be easily influenced, manipulated and even controlled. Privacy would no longer exist.21 And coming back to the firms that are working with personal information retrieved from the world wide web, an all-seeing eye would soon become reality. Combining the three things—an individual profile of each and every person based on the information obtained from the world wide web as well as the tool of facial recognition and special glasses that are designed to make use of the tool of facial
17
See Sect. 2.2. It once again has to be pointed at the discovery in 2018 involving Cambridge Analytica—a British firm that claimed on its website: 18
We measurably improve your brand’s marketing effectiveness by influencing consumer behavior through a unique approach that blends predictive analytics, behavioral sciences, and data-driven ad tech. This is only one, but at least for now, the most prominent example of Facebook leaking personal data of millions of its users. For further information, see Kaiser (2019). 19 For further information on how social media platforms as well as governments gather data from individuals, see Kurz and Rieger (2011). 20 See Sect. 2.2. 21 For further information, see Garfinkel (2001).
164
5
Predictions
recognition—would form the perfect combination in order to easily create such an all-seeing eye.22 So, in a worst-case-scenario, the individual would not only be under constant surveillance by everybody surrounding him or her, but more importantly, each and everybody would be totally manipulated and controlled. Furthermore, any kind of regulation would not make a difference or governmental regulation would simply just not occur. Besides, I am sure that, in this scenario, people would get used to being constantly watched, they would grow into it and would not even care much about it—especially as long as they could themselves spy on others and somehow benefit from it, even if it is just to satisfy their curiosity. And people are usually very curious to see what and how others are doing no matter if it makes them feel good about themselves or rather depresses them. Furthermore, the human is supposed to be able to getting used to anything and is usually happy about everything that makes his or her life easier. That is why, making use of technical innovations—especially those that allow an easier way of interact with others—is always very appealing to people. Moreover, the younger generation would not even notice any difference as these individuals would grow into such an “open, transparent” society. For them, it would be just normal to be watched and exposed nonstop.23 An all-seeing eye is a pretty scary thought and I hope that it is not going to become reality as one can easily imagine what huge impact that would have on the world as we know it as of today. It would be a total game-changer as privacy would no longer be existing. So, what would be the best-case-scenario? Looking at the different claimants as they were introduced before,24 future decisions of states could go into the direction of trying to limit the power of networks like Facebook. This way, the individual and the right to privacy would be protected as the states would neither care about nor interfere in what a person would do using the world wide web. Only in the case of preventing danger or threats from its citizens, the state would act and make use of all the personal data the internet provides.25
22
This combination is—at least, for now—just the imagination of the author and did not transform into reality yet, but it becomes clear that as those glasses would be able to recognize a certain person by using the tool of facial recognition and would also be connecting a particular face to an individual personality profile, anybody wearing these special glasses could be walking across the street and retrieve all kind of data of the people passing by just by basically scanning their faces with the help of those special glasses. 23 The phenomenon of the so-called Generation Facebook has been discussed in Sect. 2.3. 24 See Chap. 3. 25 State officials have been discussing ways to limit social media for years already. For example, the British government was discussing with firms like Facebook and Twitter almost 10 years ago to voluntarily restrict the use of social media, see “In Britain, a Meeting on Limiting Social Media”, The New York Times (August 26, 2011).
5 Predictions
165
This leads to another claimant besides the states that are trying to get involved in the context of electronic communications,26 the social networks themselves.27 Although it can be assumed that even in a best-case-scenario, each and every social network would continue to go after as much data of their users as possible28 promoting a “safer, better, transparent world” where people are truly “just real”,29 social networks that want to stay in business would no longer collect, process and sell their users data, but rather only go as far as their users would let them in order not to lose them and, this way, their power.30 Social networks would, moreover, be trying to find out what their users actually want in order to serve and protect them. They as well as all other firms that are currently dealing with personal data collected online would work hand in hand with law and policy makers. They would not only want to collaborate with the users of social networks, but also with governments to create a better and safer world respecting the individual’s rights as well as helping to prevent any kind of threats or attacks to the individual or society. And in order to complete the list of claimants, there is also the individual who is the one who takes the decision to share information on platforms like Facebook. In a best-case-scenario, the individual would actually be the one who would come to the conclusion that releasing basically all his or her private information and trading it in just for having an easier way of communicating with other people from all around the globe or for achieving a more transparent world, is not what one should do. And this way, the implication would be for the users of social networks to step back from building their lives around social networks that might retrieve all kind of their very own and private information. The users of social networks would rather start sharing less information or even better switch to another less “spying” platform or quit using social networks at all unless their rights would be respected, protected and granted. Comparing the worst and the best scenario, it is hard to say what future decisions will be like. First of all, are we going to continue considering social networks being today’s number one means of communication around the globe in the near future? And if so, will the behavior of social networks and other firms that are making use of the data collected in social networks change their behavior? Will users of social networks make a change when using these networks? And what about governmental
26
Furthermore, the companies that are trying to make as much money as possible using the data that people leave using the world wide web and in particular social networks are also to be considered as a claimant as already explained before. 27 See Chap. 3. 28 Whatever the motives are, it can be assumed that a social network’s motto would always be: The more data, the better. 29 The scenario of social networks actually literally running and basically controlling the world is best described in Dave Eggers’ novel “The Circle”, see Eggers (2013). 30 Referring to those events involving Cambridge Analytica, it will be interesting to observe not only what Facebook itself is willing to do in order to convince its users that they care about their privacy concerns, but also what exact steps Facebook’s users will be undergoing. Are they going to claim their right to privacy? Are they going to fight for changes in the current policy? Or do they even care at all?
166
5
Predictions
regulations? Maybe Europe’s new law on privacy and personal data will make a difference? It might seem to be pretty hopeless to fight an instrument that has become as powerful as a social network like Facebook already. Therefore, many people must be pretty much interested in watching how this issue is going to develop and, hopefully, to be solved. Nevertheless, not long ago, there was a case of Germany going against Facebook and at least for now, Facebook seems to be willing to collaborate, so that Facebook was taking this matter into its own hands by cooperating and be willing to come to Germany immediately and talk about the problem.31 Besides, on May 25, 2018, Europe’s new law on privacy and personal data, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ EC (General Data Protection Regulation), entered into force32 and might serve as a role model on the international level in order to address the issue of privacy in the context of social networks.33 Only time will tell what the future decisions of all the different claimants involved—governments, social networks as well as other firms that are handling personal data and individuals—will be.
References Ascher W (1979) Forecasting. An appraisal for policy-makers and planners. Johns Hopkins University Press, Baltimore Clement J (2020a) Global social networks ranked by number of users 2020. Statista, Berlin https:// www.statista.com/statistics/272014/global-social-networks-ranked-by-number-of-users/. Accessed 22 Nov 2020 Clement J (2020b) Facebook: number of monthly active users worldwide 2008–2020. Statista, Berlin. https://www.statista.com/statistics/264810/number-of-monthly-active-facebook-usersworldwide/. Accessed 22 Nov 2020 Communication from the Commission to the European Parliament and the Council (2020) Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation. Available via European
31
Id. See also Chap. 4. The General Data Protection Regulation was created with the intention to better protect the individual’s personal data and will be discussed in detail in Chap. 4 when speaking of the protection of the right to privacy in the context of electronic communications. For the complete version of this new European regulation, see General Data Protection Regulation (GDPR). 33 For further information on how the GDPR might shape future decisions, see Utz et al. (2019). See also European Commission (2020) as well as Communication from the Commission to the European Parliament and the Council (2020). 32
References
167
Commission https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/? uri¼CELEX:52020DC0264&from¼EN. Accessed 22 Nov 2020 Eggers D (2013) The circle. Knopf Publishing Group, New York European Commission (2020) GDPR – the fabric of a success story. Available via European Commission https://ec.europa.eu/info/law/law-topic/data-protection/eu-data-protection-rules/ gdpr-fabric-success-story_en. Accessed 22 Nov 2020 Facebook (2019) Terms of service. Available via Facebook https://www.facebook.com/terms.php. Accessed 22 Nov 2020 Facebook for Media (2020a) Facebook Live. Available via Facebook https://live.fb.com/about/. Accessed 22 Nov 2020 Facebook for Media (2020b) Instant articles. Available via Facebook https://instantarticles.fb.com/. Accessed 22 Nov 2020 Fieseler C, Fleck M (2013) The pursuit of empowerment through special media: structural social capital dynamics in CSR-Böogging. J Bus Ethics 118:759–775. Available via Springer https:// www.jstor.org/stable/42921264?seq¼1. Accessed 22 Nov 2020 Garfinkel S (2001) Database nation. The death of privacy in the 21st century. O’Reilley Media, Newton General Assembly of the United Nations (2015) Facebook CEO Mark Zuckerberg at the UN. Available via UN http://www.un.org/pga/70/2015/09/26/facebook-ceo-mark-zuckerbergat-the-un/. Accessed 22 Nov 2020 General Data Protection Regulation (GDPR) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official J of the European Union 59:1-88. Available via European Commission https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/? uri¼CELEX:32016R0679&from¼EN. Accessed 22 Nov 2020 Internet.org by Facebook (2020) Join us in Connecting the world. Available via https://info.internet. org/en/. Accessed 22 Nov 2020 Kaiser B (2019) Targeted. The Cambridge Analytica whistleblower’s inside story of how Big Data, Trump, and Facebook broke democracy and how it can happen again. Harper, New York City King G, Pan J, Roberts M (2017) How the Chinese Government fabricates social media posts for strategic distraction, not engaged argument. Am Polit Sci Rev 111:484–501 Kurz C, Rieger F (2011) Die Datenfresser. Wie Internetfirmen und Staat sich unsere persönlichen Daten einverleiben und wie wir die Kontrolle darüber zurückerlangen. Fischer Verlag, Berlin Pheme (2020) About PHEME. Available https://www.pheme.eu. Accessed 22 Nov 2020 Utz C, Koloßa S, Holz T, Thielbörger P (2019) Die DSGVO als internationales Vorbild? Erste Forschungsergebnisse zu Grundprinzipien der DSGVO und Gedanken zu ihrer Umsetzbarkeit. Datenschutz Datensich 43:700-705. Available via Springer https://doi.org/10.1007/s11623019-1192-5. Accessed 22 Nov 2020 Zuckerberg M (2016) The technology behind Aquila. Available via Facebook. https://www. facebook.com/notes/mark-zuckerberg/the-technology-behind-aquila/10153916136506634/. Accessed 22 Nov 2020
Chapter 6
Appraisal, Invention of Alternatives and Recommendations
After focusing on past trends in decisions and predicting a possible worst-case scenario, as well as the best possible future scenario, the author will first appraise past and predicted future decisions in light of a world public order of human dignity meaning a legal order in which all individuals have maximum access to the process of shaping and sharing all things humans want out of life: affection, enlightenment, power, rectitude, respect, skill, wealth and well-being.1 These are the eight values of a world order of human dignity that are reflected in different articles of the 1948 Universal Declaration of Human Rights and that are covered by the New Haven School of Jurisprudence.2 So, in order to come to a satisfying appraisal in regards to the topic at hand—the usage of modern technologies in general and social networks in particular in regard to the individual’s right to privacy—first of all, I must examine whether the present situation adversely affects the eight values or whether there is rather a positive impact on those values. Afterwards, it has to be determined whether there might be alternatives that should be taken into consideration. Once the issue of new technologies, including social networks and the right to privacy, has been appraised, the final step for this chapter would be to explore what possible recommendations one might want to suggest. In order to come to suitable recommendations, there are certain questions one should address as for example: Upon evaluation of past decisions, what are possible solutions to the problems identified? And which ones would be the best promoting a public order of human dignity in order to address the maximum number of human beings? Should rules and
1
See Wiessner and Willard (2004), p. 30. Universal Declaration of Human Rights, G.A. Res. 217 (III) A U.N. Doc. A/RES/217(III) (Dec 10, 1948) [hereinafter UDHR]. Article 1 of the UDHR provides that: 2
All human beings are born free and equal in dignity and rights. They are endowed with reason and conscience and should act towards one another in a spirit of brotherhood. © The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 V. Kirch, Social Networks - The Modern-Day Family, https://doi.org/10.1007/978-3-030-68651-2_6
169
170
6 Appraisal, Invention of Alternatives and Recommendations
regulations be created and laws enforced? What about, for example, creating a binding “code of conduct” for social networks? And if agreeing on a certain code of conduct, should this code be binding by law or rather by self-regulation? And what about the idea of a “social network constitution”? Or should the subject of social networks rather be left alone for the networks and its users to decide how this subject will further develop in the future?
6.1
Appraisal
First of all, and in order to appraise the topic, one might ask the following when following the New Haven School of Jurisprudence3: Does the current situation adversely affect the eight values of a world order of human dignity or does it rather positively contribute to those values? In the following, each of the values will be addressed separately:
6.1.1
Affection
On the one hand, when it comes to affection, social networks can contribute in a positive way big time as they offer an easy and fast way for people to get in touch with each other.4 On the other hand, they can also be a platform for mobbing and resulting in people feeling even lonelier than they actually did before joining that kind of social network. Additionally, the internet and those sites do not easily give up on information once it is received and this way, not only a person’s private information, but also his or her possible or alleged mistakes or lapses might stay there being visible for others forever.5
3 In order to give more detailed information on the New Haven School of Jurisprudence, see Reisman et al. (2009), pp. 575–582 as well as Wiessner (1999), p. 203 and Lasswell and McDougal (1992). It has to be noted once again that the New Haven Approach especially pays attention to the eight values of a world order of human dignity that are reflected in different articles of the 1948 Universal Declaration of Human Rights meaning “affection, enlightenment, power, rectitude, respect, skill, wealth and well-being”, see McDougal et al. (1980). See also Wiessner (2010), p. 46. For further information on the New Haven Approach, its beginnings and vision, see Chap. 1. 4 Especially, when speaking of so-called dating apps, it is with no doubt that these social networks provide the individual with tons of opportunities to find a suitable partner and escape the many people’s loneliness. It can be assumed that Tinder must be the most popular and frequented dating app, but it is by far not the only one. In order to get a better overview of what is on demand as of today, see “The best dating apps for 2020”, digitaltrends (July 24, 2020). 5 The pretty easy way of bullying a person with the help of social media platforms is one of the new phenomenon of nowadays teenager’s every-day lives. To give an example, see “Generation FB”, The New York Times (June 23, 2011). The article describes the following:
6.1 Appraisal
6.1.2
171
Enlightenment
When speaking of enlightenment, the internet including social networks offer the individual the gain lots of knowledge and retrieving this knowledge is done very quick and easy, most of the time, it requires basically just one mouse-click. This sounds awesome—especially, if one compares the current situation with former times when people had to go to libraries to do their research, to search the actual hardcopy of the newspaper for specific information, look somebody up in the telephone book or pay a visit to the register office in order to find a person to just give some examples. Nevertheless, in the context of easily obtained information, it has to be taken in mind that not only can this way of constant and very broad access to all kind of data lead to an overload of information, so that an individual might be rather totally stressed out than thankful for the knowledge obtained. 6 But also and even worse, one always has to take in mind that not everything written, posted or stated online is accurate. And particularly, when it comes to social networks, information there on a certain person as well as on a specific might be wrong and
The school counselor, she is the first point of contact for bullying complaints and 80 percent of those now involve social networking sites, she says. In one recent case a girl became the target of an elaborate plot by a group of classmates. They created a fictional boy character online and started courting her. When the girl eventually agreed to come on a date, she found a crowd of mean girls laughing in her face. Facebook has empowered the bullies who in my days were largely confined to nasty little notes handed around in class. 6 To give another example, here is what Katrin Bennhold who is managing the bureau of The New York Times in Berlin found out regarding the Generation Facebook after performing her very own research at a school by speaking to teenagers as well as to teachers and school counselors:
The subtext is clear: when teenagers are ‘on,’ their brains are off. She further explains: Two decades ago Attention Deficit Disorder was barely on the radar in Europe. But in recent years the number of cases has gone up, and not just in my old school. Studies by psychologists and educators have linked excessive screen time to a loss of concentration and deep thinking. In one of them, published in the journal Pediatrics last year, Douglas A. Gentile of the Media Research Lab at Iowa State University studied 1,300 school-age children and found that more than two hours a day in front of a screen raised the odds of exceeding the average level of attention problems by 67 percent. Nevertheless, Bennhold finds: Many teenagers I met say they spend at least two hours every day in front of some electronic device. But not all that time is wasted. I witnessed an impressive capacity for self-directed learning. Arne Thate, 18, got bored with his classical piano lessons so he started teaching himself pop songs with YouTube tutorials (Praise You by Fat Boy Slim is a favorite.) Marcel Sievers, a 14-year-old fan of computer games, taught himself Camtasia, a screencasting software. Many more are members of interest-driven groups on Facebook with peers in far-flung places whom they have never met. Id. For further information on Katrin Bennhold and her newspaper article, see Sect. 2.3.
172
6 Appraisal, Invention of Alternatives and Recommendations
sometimes—unfortunately, it seems to actually happen more and more often lately—even deliberately incorrect.7
6.1.3
Power
The next value that has to be further illuminated is power. While power can stand for the individual to be in charge of his or her own image he or she wants to draw online in order for the world to know who he or she wants to represent, nevertheless, and as already explained before, in many cases, it is not the individual who ends up being in power, but rather others, overall, the social networks themselves and their special tools that are in control of their users as they can be easily influenced, manipulated and even controlled. And other firms—like, for example, Cambridge Analytica— even claim to be able to manipulate elections via social media.8
6.1.4
Rectitude
In the context of the value of rectitude, the subject of religion comes to one’s mind as faith could be spread more easily through a faster and global way of communication like the one social network platforms offer and as this way, faith could be promoted better and to more people. This new, broader and faster mode of reaching out to people, also bears the thread of extremists being able to spread their religious ideas easier than ever before. It is not a secret that terrorist groups have not only been trying to recruit new members through the internet and especially by making use of social media platforms, but they
7
Katrin Bennhold’s article also refers to the case where a school counselor caught a student while he was uploading a photograph of one of his friends to a social network site exclusively for gays “as a joke.” Id. 8 As described in Chap. 5, after collecting and carefully analyzing the data of the users of social networks, the threat of fake news spread through social networks and of manipulating people is inherent as it is pretty easy to place only certain information or even spread fake news or very one-sided facts on certain events or future decisions on social media sites in order to manipulate people. Besides, there have been so-called “troll factories” that are built in order to driving people’s focus and opinion into a certain direction. For further information on troll factories, see “Inside the Russian Troll Factory: Zombies and a Breakneck Pace”, The New York Times (February 18, 2018). For more information on how the Chinese government gets involved in social media, see King et al. (2017). In order to learn more about the impact of Facebook and possible responses of its users, see “The power of social networks and Generation Facebook strategies”, SearchCIO.com (September 13, 2012).
6.1 Appraisal
173
also actually did achieve their goals.9 And it becomes clear that as it is that easy for anyone to find out who might be a possible target simply due to all the personal information one can find on social networks, not only are these extremist or terrorist groups capable of convincing new members to join their organizations, but also are they able to easily manage to stay in touch with recruits from all around the globe thanks to this new technology, this easy and fast way of electronic communication. In this context, social media could even impose a threat to society when dealing with possible terrorist attacks. Furthermore, when speaking of rectitude, not only extremists and their ideas and religious beliefs are to be taken in mind, but also social media platforms themselves might be the subject of interest here. If a social network claims to take its user’s personal information and privacy seriously, how can it be that the very same social networks is trying to trade its user’s data in at the same time?10
6.1.5
Respect
This is often the value that is disrespected the most. As people feel more selfconscious and being more anonymous online, it is more likely that they disrespect others. Most of the time, they do not have to fear any consequences no matter how bad their behavior towards others actually was, or, at least, there is no need to fear an actual fight. While in the real world where one stands in front of the other things could become ugly, being online and insulting someone would, in the worst case, 9
For a general overview of today’s situation when it comes to terrorism, see Pati (2009). For further details on terrorism and social media, see Watts (2018). In this statement that was prepared for the U.S. Senate Committee on Commerce, Science and Transportation, the risks of social media in the context of terrorism are described as the following: Lesser-educated populations around the world predominately arriving in cyberspace via mobile phones will be particularly vulnerable to the social media manipulation of terrorists and authoritarians. See also Klausen (2016). For further information on extremist use of social media, see Close (2014) who states: Like the rest of the world, extremist organizations have discovered social media and are not going to stop using it anytime soon. Terror organizations often utilize new technology in the same manner as an everyday user. For more detailed information on terrorists and social media, see Berger (2015). Berger concludes his testimony before the U.S. House of Representatives Committee on Foreign Affairs by stating: Any approach to social media policing needs to include some consideration of our multipolar world. In our fight against terrorism, we do not wish to create precedents and authorities that would empower tyrants and repressive movements with tools to silence legitimate dissent. 10 See “Facebook to Banks: Give Us Your Data, We’ll Give You Our Users”, The Wall Street Journal (August 6, 2018).
174
6 Appraisal, Invention of Alternatives and Recommendations
only lead to legal prosecution, but no actual real danger to the offender’s body and or life because the offender is still sitting hiding behind his or her digital screen.11 Also, the right to privacy as well as other human rights are often not respected when dealing with social networks where people just post whatever they feel is right to let the world know according to how they feel that particular moment.
6.1.6
Skills
Maybe one could develop or emphasize on certain skills with the help of social networks, but it has to be taken in mind in the end, a real interaction with people face to face cannot be replaced, so that one would come to the conclusion that the really valuable skills are usually obtained by learning from one another while interacting with each other instead of being isolated only connected to the digital world through one’s computer screen. Although a person might think that he or she is connected to the world, as already discussed, spending too much time online instead of participating in the real world that is happening outside one’s home can easily lead to isolation, depression and maybe even autistic behavior.12
6.1.7
Wealth
When it comes down to wealth, it once again has to be pointed at the possibilities social networks offer individuals in order to build their own businesses.13 Without a doubt social networks offer the individual an easy way to become an entrepreneur. Nevertheless, it has to be noted that the majority of those who are trying to build their living solely on the opportunities social networks are offering them, unfortunately do not succeed. It seems as if the success of the rather few so-called Social mediaphenomenon—at least, compared to the large number of people who are also trying
11 As already mentioned, there have even been cases that led to suicide due to social media and disrespectful treatment one another, see “Cyber-Mobbing Tod eines Teenagers”, Der Spiegel (November 18, 2017). In this article, the author refers to a sad story of a 13-year-old teenage girl who commits suicide after being ignored by her alleged boyfriend who she had fallen in love with after getting to know him online. In the end, it turns out that this boyfriend was a former girlfriend of hers who wanted revenge. See also Sect. 2.3. 12 Not only has the author pointed at these possible negative outcomes of the usage of social networks, but also will this paper quote a statement of Chris Dercon in its conclusion that represents this exact point of view. 13 It has been pointed at the example of Chiara Ferragni, see Sect. 2.2.
6.1 Appraisal
175
to succeed—is not only based on certain skills14 One could compare the breakthrough of such a phenomenon to the breakthrough of an artist no matter if a musician or a painter—there are also always many different factor that come to play and not the best or most talented one has to be the one who raises to the top, but rather the one who is lucky enough to be at the right place at the right time with the right piece of art and the right team of supporters by his or her side. So, wealth, on the one hand, under certain circumstances, the value wealth can be seen as being positively influenced by social networks, but, on the other hand, one should also look at the possible downside of social networks in this case. As the individual’s personal information is easily collected and analyzed, it is not hard to imagine that someone could easily become a target of advertisers. They would bombard the user with personalized commercials in order to manipulate the user to buy specific goods. And it is also a possible scenario that wrongful information being spread through social networks could cause a person a real financial damage.15 And there is also the real threat of becoming a victim of fraud as it is not unusual that a person with criminal intentions16 would try to get the necessary information through a social network.17
6.1.8
Well-Being
This leads to the last of the eight values, well-being. In this context, the question remains if social networks rather contribute the someone’s well-being as people might have lots of fun while communicating amongst each other and this way, sharing their lives with one another, or if spending time on social networks scrolling the other person’s profiles, reading his or her comments and looking at their pictures rather leads to depression. Not only could a person come to the conclusion that looking at the other users’ posts is so extremely boring because people often just share their every-day activities, but also could it be very frustrating to see what another person is trying to
14 To give an example, it is essential not only to choose the right pictures and words, but also to poste them at the right time and to place them at the right media platform while having the right followers and the right amount of likes etc. That is why, it is not unusual that a person even pays for his or her own followers and likes, although, for instance, Instagram prohibits to buy followers and / or likes. 15 For example, due to incorrect information on social media, a person does not get the job he or she applies for or a promotion he or she actually deserves. 16 Some possible scenarios would be someone who wants to commit identity theft or retrieve a person’s banking information to only name a few. 17 And as already explained before, in contrast to communication amongst people who are face to face with each other, people usually feel more protected and being in a more amicable and trustworthy space while communicating with others via social media and this fact might even lead to someone exposing corporate secrets. See Sect. 2.5.
176
6 Appraisal, Invention of Alternatives and Recommendations
represent while in reality his or her real life is pretty dull. And then there are also those who are getting the impression that everybody else but them is out there having fun and being connected to the whole world. This could even leave to serious depression.18 So, after taking a look at the eight values of a world order of human dignity and how today’s situation of social networks and the on-going threat to privacy affects them, one can conclude that in each case, there are positive as well as negative impacts on the values. Yet, the negative sides seem to be predominant. Nevertheless, there are always also those voices that are believing in the individual still holding on to his or her privacy like, for example, Pam Dixon19 who is the founder of the World Privacy Forum.20 She stated in 2014: People are interested in having human autonomy, and that won’t die anytime soon, because there’s something in our human spirit that wants that. What we call privacy facilitates that.
18 19
See Sect. 2.3. For further information on Pam Dixon, see World Privacy Forum (2020). There Dixon is described as the following: Pam Dixon is the founder and executive director of the World Privacy Forum, a public interest research group known and respected for its consumer and data privacy research. An author and a researcher, Dixon has written groundbreaking studies in the area of privacy, including The Scoring of America, a report on predictive analytics and privacy written with Bob Gellman. [. . .] In 2017, A Failure to Do No Harm was published in a special issue of Springer-Nature and co-published in the Harvard-based Journal of Technology Science. Dixon has written 9 books, including titles for Random House / Times Books, among other major publishers. Her most recent book, Surveillance in America, was published in 2016 by ABC-CLIO books. Her next book on privacy is underway and will be published by ABC CLIO in 2019. Dixon has written numerous other influential studies, including studies in the area of health, financial, online, biometric, digital signage, and workplace privacy. Dixon is an expert advisor to the OECD regarding health data uses. In 2015 she was appointed to the editorial board of Harvard’s Technology Science journal. Dixon served as co-chair of the California Privacy and Security Advisory Board, a board that reported to California’s Secretary of Health. She is also a past board member of HITSP, a national-level board for determining health information technology standards. In 2008, Dixon won the Consumer Excellence Award. Dixon was formerly a research fellow with the Privacy Foundation at Denver University’s Sturm School of Law. There, she researched and wrote about technology-related privacy issues. Dixon has written extensively about technology both as a researcher and as a book author. [. . .] Dixon has testified before Congress and Federal agencies, speaks internationally as a leading privacy expert, and is frequently quoted in the media regarding privacy and security issues. [. . .]
In order to get an insight into the work of Pam Dixon, see Dixon (2017). See also http://www. pamdixon.com. 20 The World Privacy Forum is a “nonprofit, non-partisan 501(C)(3) public interest research group” with the mission to “reimagining privacy in a digital era through groundbreaking, in-depth privacy research, analysis, and consumer education of the highest quality.” The World Privacy Forum aims to “empower people with the knowledge, rights, and tools they need to protect their privacy and shape their digital lives.” For further information on the World Privacy Forum and its activities, see World Privacy Forum (2020).
6.2 Invention of Alternatives
177
It’s the ability to make the choices in our lives, and not be bounded unfairly or by other information.21
In addition, there is also the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)22 that entered into force just recently and that seem to have more pros than cons23 as well as other possible measures—both international and domestic—that can be taken in order to contribute to ensure the compatibility of social networks and their impact with a public order of human dignity. 24
6.2
Invention of Alternatives
That is why the question is whether there might be possible alternatives and if so, what kind of alternatives? How could the topic as it presents itself at the moment be handled differently? And if there is another way, what possible changes would be necessary? Would those be easily to be realized? Or do they rather seem to be unrealistic? As everything that has to do with the creation and further development as well as the usage of technologies is automatically linked to the people’s behavior and what exactly people decide to make out of new inventions and new ways of communication, when talking about alternatives, it must come down to what humans could or should do instead of continuing to live the status quo. So, one alternative would be to just return to the times before the internet came to life. That would require that everybody would agree on that and computers as well as smart phones and tablets would have to be destroyed.25
See “2.7 - Privacy: Privacy Please”, DELLTechnologies (April 11, 2018). For the complete version of this new European regulation, see General Data Protection Regulation (GDPR). On May 25, 2018 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) entered into force. The GDPR was created with the intention to better protect the individual’s personal data. For a detailed discussion on the GDPR, see Sect. 4.2.2. 23 See the pros and cons of the GDPR later in this chapter—Sect. 6.3. 24 The subject of possible measures that could be taken will be further exposed when speaking of recommendations in order to promote and establish a world order of human dignity defined as maximum access by all. 25 This way, everybody would have to become a so-called luddite meaning “a person who is opposed to the introduction of new working methods, especially new machines”, see Cambridge Dictionary (2020). 21 22
178
6 Appraisal, Invention of Alternatives and Recommendations
Another even more drastic alternative would be to totally withdraw from all kind of modern living.26 The third alternative that will be presented is the one where the individual refuses to use the internet in general or only social networks in particular any longer in order to avoid spreading personal information online.27 It is pretty obvious that none of the above is realistic as everything is digitalized today and on top, only very few individuals would be willing to give up the comfort new technologies including the electronic way of communication, also through social networks, offer. More likely and manageable would be if states created certain rules and regulations and Enforced privacy laws that protect the individual.28 In her work, Molly Land describes what has to be taken in mind when creating a legal framework, she writes the following: The Internet has an international law problem. International institutions ranging from the International Telecommunication Union to the U.N. General Assembly are becoming increasingly involved in regulating the Internet. Apart from the question of the desirability of international regulation which at this point may be an inevitability this activity suffers from an even more fundamental defect. International regulation is proceeding without any attention to existing international law on freedom of expression or the consequences of these regulatory decisions for human rights. Without consideration of international human rights law and values, decisions about regulation will be driven by government and industry
26 Theodore John Kaczynski or the so-called Unabomber, is a prominent example of a person who wants to give up on all kind of modern technology and amenities. With the purpose to gain back his own freedom, the Unabomber decided to live alone in a cabin in the woods leading the simplest lifestyle one could imagine meaning, for example, no electricity and no running water. When the environment, that particular piece of forest he chose, was no longer an isolated place for him to live due to humans intruding this wilderness, he became a terrorist who threatened the United States. The Unabomber was attacking more than a dozen of times leaving civilians injured and three people dead. Today, he is imprisoned after getting sentenced to life without the possibility of parole. The Unabomber wrote a manifest. For the complete manifest, see Kaczynski (1995). 27 One example of a person who recommends to withdraw from social media, is the artist Jeremy Deller. Deller started an anti-Facebook-campaign after the data scandal involving Cambridge Analytica became exposed. For more information, see “Nach Datenskandal des sozialen Netzwerks. Jeremy Deller startet Anti-Facebook-Kampagne”, monopol (March 23, 2018). “Monopol” is an award-winning magazine that is based in Berlin since being established in 2004 and it focuses on contemporary art and its relationship and impact on society. For further information on monopol, see “Monopol - Magazin für Kunst und Leben”, Facebook (2020). To take a look at monopol’s current articles and authors, see “Monopol. Magazin für Kunst und Leben”, monopol (2020). 28 Land (2013), pp. 393–458. Besides Molly Land, there are many others who promote the creation of new laws, so that governments across the globe feel the need to react. For a brief overview what different countries have been doing lately in order to respond to the request of new privacy rules and laws for social networks, see “Social media: How do other governments regulate it?”, BBC News (February 12, 2020).
6.2 Invention of Alternatives
179
interests. The result is likely to be standards on issues such as data privacy and censorship that are inconsistent with and even undermine international human rights.29
Also, the idea of a social network constitution is worth a thought, and we would not be the first ones to consider drawing such a constitution, as there is also, for example, the American Professor of Law, Lori B. Andrews, who has been promoting this vision for a couple of years already.30 In addition, just recently Tim Berners-Lee who initiated the world wide web31 announced his “Contract for the Web” that promotes a fair internet as he sees the danger of the internet and feels the need of creating an internet without hatred and misinformation.32 Another way to gain back one’s right to privacy could be by creating some kind of legal framework that applies to social networks transforming them into so-called “information fiduciaries” as American Professor Jack Balkin suggests.33
29
Id. at 394. For more information on Professor Andrews and her idea of a social network constitution, see “Lori Andrews, author of I Know Who You Are and I Saw What You Did: Social Networks and the Death of Privacy”, Social Network Constitution (2020). See also Andrews (2012). 31 Timothy John Berners-Lee is one of the experts in the field of the world wide web. Berners-Lee was born in one of London’s suburbs in 1955 as the son of two mathematics. Both his parents were working on building a computer for a British firm. The question that Berners-Lee’s father was already addressing at that time was whether a computer would, like the human brain, be able to link certain information to each other. Berners-Lee was driven by the question if a computer could be programmed the way that it could link different information together the same way as the human brain does. During college and also university when Berners-Lee was studying Physics, this question led to building his own very first computer. After graduating from university and working as a consultant for a British telecommunication firm, in 1981, Berners-Lee spend a couple of months at the European Centre of Nuclear Research (CERN). During that time, he wrote the computer program “Enquire”. It has to be noted that Enquire was the basis of what became the world wide web. In 1989, Berners-Lee requested CERN to start a project called “world wide web”. It has to be noted that this way, in quite a short period of time, the world wide web’s first web browser and sever were created, so that in 1990 the world wide web was officially born. Since then, Berners-Lee has been constantly working on improving the world wide web as his vision was to create a totally free world wide web. For more detailed information on Timothy John Berners-Lee, see Dennis (2020). See also Abbate (1999), p. 214. For a detailed overview of how the world wide web started, see Sect. 2.1. 32 See “Tim Berners-Lee stellt Verfassung für faires Internet vor”, Frankfurter Allgemeine Zeitung (November 23, 2019). For more detailed information on the “Contract for the Web” and its complete wording, see Contract for the Web (November 2019). 33 See “Three Questions: Prof. Jack Balkin on Facebook and the Risks of ‘Data Capitalism’”, Yale Insights (May 8, 2018). Professor Balkin explains the idea of establishing a legal framework for online companies being information fiduciaries, so that these companies have to protect its users’ data by law, as the following: 30
We rely on digital companies to perform many different tasks for us. They know a lot about us; we don’t know very much about them. As a result, we are especially vulnerable to them, and we have to trust that they won’t betray us or manipulate us for their own ends.
180
6 Appraisal, Invention of Alternatives and Recommendations
Last, but definitely not least, the users of social networks themselves could actually make a real change. If they started to react in some way—for example, by protesting and standing up for their own rights and the protection of their private information loud and clear, even if shared on a social network—the users of social networks would actually have the power to make a difference.
6.3
Recommendations
After all, the question remains what one would actually recommend when it comes to the dilemma of social networks and threats to the individual’s privacy and it is without doubt that there is reason for concern when thinking of the current situation. As far as to the author’s research as well as to recent events—for example, involving Facebook and the British firm Cambridge Analytica—there seems to be only very little of a person’s right to privacy left. That is why, regaining more autonomy over oneself, one’s data and life, basically getting one’s life back is definitely recommendable. Not doing anything, at all, on the contrary, as a recommendation would not be an option. So, it rather has to be asked: What exactly should be done? Who should act? And in what way? And what way would be the best in order to promote a public order of human dignity, so that the maximum number of human beings could be addressed? First of all, people—citizens as well as politicians and also representatives of social networks and other internet businesses—should raise awareness of the digital vulnerability of the individual, so that everybody would be informed about the threats to the right to privacy due to the internet in general and social networks in particular. Furthermore, states should create certain rules and regulations and enforce laws that are protecting the individual.34 Drawing a so-called Social Network Constitution could be a first step into the right direction in order to establish effective measures to fight for the right to privacy around the globe.35
[. . .] Fiduciaries have special duties of care and loyalty toward their clients and beneficiaries. The kinds of duties they have depend on the nature of their business, so that digital companies won’t have all of the same obligations as doctors and lawyers currently do. Even so, digital companies will owe a duty of trustworthiness and confidentiality with respect their customers. For further information on Professor Balkin, see Yale Law School (2020). See supra note 28. 35 As presented, the idea of a constitution for social networks has been promoted since years by Professor Lori B. Andrews, see supra note 30. In order to gain back one’s right to privacy, there is also the idea of creating some kind of legal framework that applies to social networks transforming them into so-called “information fiduciaries”, see supra note 33. 34
6.3 Recommendations
181
Nevertheless, if the decision was made to establish some kind of a binding code of conduct for social networks, it would be very likely that this code would enter into force as a binding law only within a certain country. Anything that would go beyond a nation’s territory would more likely be established on a self-regulating basis, but either way, a binding code of conduct for social networks would be a good start and highly appreciated. That is why, the author is recommending to take the General Data Protection Regulation (GDPR) that was created with the intention to better protect the individual’s personal data as guidance for any of such binding law.36 The GDPR might not have been in force for a long time yet, but it is definitely the latest and most comprehensive example for the protection of the individual’s personal data so far. The GDPR might also seem to be a little bit too big and maybe even mind-boggling, but there are still many advantages that need to be taken into account when thinking of the individual’s right to privacy in the context of electronic communications. In order to give a better understanding of the innovations and advantages of the GDPR, in the following, pros and cons of the GDPR will be presented. These are the most important pros of the GDPR: Harmonization of the European Data Protection Laws It has to be noted that because of the Data Protection Directive, all 28 member states of the European Union have certain data protection laws based on the said Data Protection Directive. Yet, the level of protection when it comes to data laws varies a lot within the European Union as every country was forced to implement the Data Protection Directive, but there was a lot of freedom left to the states, so that they could basically implement this directive pretty much the way they wanted and a lot of differences were created not only between the different member states, but also within a states when it came to the private sector compared to the public sector. In contrast to the Data Protection Directive, the GDPR standardizes the private and the public sector and thus, creates a harmonization within the European Union that has never been there before. In addition, the GDPR does not have to be transformed into domestic law as it is applicable as it is. This way, the same level of data protection applies to each and every of the 500 million citizens within the European Union. Better Understanding of the Term “Personal Data” As already pointed out, the term personal data within the GDPR is broader and also better defined, for example, genetic and biometric data was added.37 This way, 36 37
See Sect. 4.2. See Article 4 of the GDPR: Definitions For the purposes of this Regulation: (1)‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical,
182
6 Appraisal, Invention of Alternatives and Recommendations
personal data can be better understood and also better and easier applied to modern technologies and ways of communications. Codification of the Right To Be Forgotten Although the European Court of Justice had established the right to be forgotten, it was quite difficult to base a case on it as there was no codification yet.38 By incorporating the right to be forgotten into the GDPR,39 it becomes clear to everybody, both the individual as well as the companies, how to handle this right, what requirements are necessary for the right to be fulfilled.
physiological, genetic, mental, economic, cultural or social identity of that natural person; [. . .] (13) ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question; (14) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data; (15) ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status; [. . .] Besides a person’s basic information, the GDPR also considers information even only indirectly linked to a certain person being personal data, see Sect. 4.2.2. 38 See the decision of the European Court of Justice from the year 2014 when the court established a new right, the so-called “right to be forgotten - Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González”. For further information on this case, see Press Release No. 70/14 of the Court of Justice of the European Union (May 13, 2014). For more information on the right to be forgotten, see Werro (2020) and see also Sect. 4.2.2. 39 See Article 17 of the GDPR codifies the right to be forgotten and reads as the following: Right to erasure (‘right to be forgotten’) 1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1). 2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. [. . .]
6.3 Recommendations
183
Higher Administrative Fines Higher administrative fines might not be a pro for the companies that are fined, but they sure are designed to better protect the rights of the data subject. And by rising the fines to up to 20 million euros or 4% of a company’s yearly transaction value, one can be sure that most companies that might not have taken their processing of personal data too seriously in the past, will definitely pay attention to how they will be processing personal data in the future.40 Better Definition of the Term “Consent” Although the term consent is usually highly controversial, the GDPR establishes some clear elements that have to be fulfilled when it comes down to consent, so that the term is no longer that controversial in the context of the processing of personal data within the European Union.41 Protection of Minors With the GDPR, personal data of a person being younger than 13 years of age, can only be processed with the consent of the parents of the minor.42 40
See Article 83 of the GDPR that states: General conditions for imposing administrative fines [. . .] 4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43; (b) the obligations of the certification body pursuant to Articles 42 and 43; (c) the obligations of the monitoring body pursuant to Article 41(4). 5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; (b) the data subjects’ rights pursuant to Articles 12 to 22; (c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49; (d) any obligations pursuant to Member State law adopted under Chapter IX; (e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1). 6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. [. . .]
41
Article 4 Paragraph 11 of the GDPR defines consent as the following: ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
42
See Article 8 of the GDPR: Conditions applicable to child’s consent in relation to information society services 1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful
184
6 Appraisal, Invention of Alternatives and Recommendations
One Stop Shop Mechanism This new mechanism allows data subjects to always exclusively refer to the authority within his or her own country instead of having to claim where the data breach occurred as he or she would have had to do before the GDPR.43 Prohibition Statute with Reservation of Authorization Last but not least, the GDPR is a so-called prohibition statute with the reservation of authorization. This means that the general rule of the law is the prohibition of the processing of personal data and only when certain requirements are met, the processing of personal data is allowed.44 After pointing at the most important pros of the GDPR, it should be taken a look at the cons as there might be two cons that should be explored: GDPR Too Chaotic and Ambiguous The law might be too complex and not structured enough in order for people to easily understand and maneuver through the new rules and regulations. Besides, the law could be too ambiguous and sometimes also referring to already outdated technologies. Thus, neither the private individual who should be the one making use of the GDPR nor the data expert in the filed would be capable to apply the law and timeconsuming law suits would follow in which in the end, once again, the court would have to solve the cases. 45
where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years. 2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology. 3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child. 43
For more information on the One Stop Shop Mechanism, see Giurgiu et al. (2015). For further information on how the One Stop Shop Mechanism developed after the adoption of the GDPR, see “What happened to the one-stop shop?”, International Association of Privacy Professionals (Feb 21, 2019). 44 For further information on the possible impact of the GDPR, see Utz et al. (2019), pp. 700–705. Furthermore, as already explained, the prohibition statute with reservation of authorization is exactly the way the German Federal Data Protection Act (Bundesdatenschutzgesetz) operates. Germany’s Bundesdatenschutzgesetz has a similar structure as the GDPR because the Bundesdatenschutzgesetz served as an example or guidance for the new European law. That is why, in Germany, one might not experience as many differences when the GDPR enters into force like in other countries that did not have a similar law to the Bundesdatenschutzgesetz. For more detailed information, see the section “The Federal Republic of Germany”. 45 To give one example, see “Europe’s Data Protection Law Is a Big, Confusing Mess”, The New York Times (March 15, 2018) as the author writes that the GDPR “will give citizens greater control over their data while requiring those who process personal data in the European Union or about its citizens to take responsibility for its protection. The G.D.P.R. will give Europeans the right
6.3 Recommendations
185
Administrative Fines Too High And another con could be seen in the fact that infringements could lead to administrative fines that could be extremely high.46 This way, companies that are doing business with data might be totally excluded from or, at least, limited to doing certain business from now on as their costs would be higher due to the GDPR and its fines.47 to data portability (allowing people, for example, to take their data from one social network to another) and the right not to be subject to decisions based on automated data processing (prohibiting, for example, the use of an algorithm to reject applicants for jobs or loans). Advocates seem to believe that the new law could replace a corporate-controlled internet with a digital democracy. There’s just one problem: No one understands the G.D.P.R.” 46 See Article 83 of the GDPR that states: General conditions for imposing administrative fines [. . .] 4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43; (b) the obligations of the certification body pursuant to Articles 42 and 43; (c) the obligations of the monitoring body pursuant to Article 41(4). 5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; (b) the data subjects’ rights pursuant to Articles 12 to 22; (c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49; (d) any obligations pursuant to Member State law adopted under Chapter IX; (e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1). 6. Non-compliance with an order by the supervisory authority as referred to in Article 58 (2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. [. . .] See “New European Union Data Law GDPR Impacts Are Felt By Largest Companies: Google, Facebook”, Forbes (May 25, 2018). The article states accordingly:
47
GDPR (General Data Protection Resolution) went into effect in the EU at midnight this morning (May 25) but has already impacted European and US-based Fortune 500 firms on
186
6 Appraisal, Invention of Alternatives and Recommendations
Yet, the fines are only effecting companies, not so much individuals and most of the companies are huge corporations that might even be able to easily effort to make changes in compliance with the GDPR or that might even be able to easily effort the fines they could be facing. In contrast, the individual who is the subject that is supposed to be protected by the GDPR could rather benefit from those administrative fines as only the possibility to face those fines might already lead to a better and more effective protection to the individual’s personal data because it can be assumed that companies—no matter of what size and funds—would try to comply with the GDPR rather than risk to pay huge amounts of money. Thus, the fact that the GDPR establishes its administrative fines should not be seen as a con, but rather as a pro.48 After all, it cannot be denied that the pros are predominant. The GDPR has new elements trying to fill those gaps the former Data Protection Directive had left wide open. Besides, the GDPR is binding for all member states of the European Union, so that a uniform law is created that is applicable to an entire region of the world. There is no need to name all the pros at hand, once again. Already the fact that as a con there is basically only the criticism of the GDPR being too complex, complicated, chaotic and open to different interpretations and thus, likely leading to law suits, can absolutely not beat the pros. So, as already said, only time will show whether and if so, how the GDPR will influence today’s situation regarding the protection of the right to privacy in the context of personal data that the individual spreads through social networks. Yet, the GDPR has had already quite an impact not only on the European Union, but also on the international level as the GDPR was not only discussed worldwide, but also states as well as companies and basically everybody who is confronted with data retrieved online and that might somehow be connected to or under the umbrella of the European Union had to take actions in order to make sure to comply with the GDPR, especially, in order to avoid failure to comply and its severe consequences.49
the scale of over $9 billion, and has led many smaller firms and companies to shut down operations or fold entirely. Additionally, as of publishing this article, Google, Instagram, WhatsApp, and Facebook have already had lawsuits filed against them and face up to $8.15 billion (EUR 7 billion) in fines. [. . .] The rising cost of doing business, stifling data-driven enterprises, and increasing the barriers to entry for entrepreneurship is the other side of the coin for these data-protection regulations. As explained in Chap. 4, the new and higher administrative fines might not be a pro for the companies that are fined, but they sure are helping to better protect the rights of the data subject. As the GDPR is rising its fines to up to 20 million euros or 4% of a company’s yearly transaction value, one should rest assured that most companies that might not have taken their processing of personal data too seriously in the past, will definitely start to pay attention to how they are processing personal data in the future. 49 For further information, see European Commission (2020). See also Communication from the Commission to the European Parliament and the Council (2020). Some even say that “The GDPR is not only a law for the EU; it has a global reach.”, see “How the GDPR changed the Argentina Personal Data Protection Act” michalsons (February 21, 2017). 48
References
187
Therefore, one might want to consider the GDPR as being a path-breaking new law, and hopefully the GDPR will shape and change today’s situation of the protection of privacy in the context of electronic communications for the better in order to build a world public order of human dignity meaning a legal order in which all individuals have maximum access to the process of shaping and sharing all things humans want out of life: affection, enlightenment, power, rectitude, respect, skill, wealth and well-being. Of course, it has to be seen in the future if the GDPR will fulfill the expectations people are having now or rather need modifications, but as of today, the GDPR seems like a pretty promising step into the right direction when it comes to the protection of the right to privacy. In addition, and as already pointed out earlier, besides the GDPR and the states with their ability to create and enforce rules and regulations, there are also the users of social networks themselves and they are the ones who could actually really make a difference. If the users of social networks started to stand up for their right to privacy, they would have the biggest impact on shaping the future of the right to privacy in regards to social networks. Hence, not only mandated compliance with certain rules, but also self-regulation of the individual as well as the social networks and all other companies involved could be effective measures in order to fight for the right to privacy. That is why, the author highly recommends, that the individual should think about what he or she wants, what kind of world he or she would like to live in and how much of one’s very own privacy one might be willing to further give up. As already pointed out, it is pretty obvious that the world is digitalized nowadays and if any, only very few individuals would be willing to give up the comfort of new technologies including the electronic way of communication, also through social networks.50 This said, if one comes to the conclusion that there is a need to make certain adjustments in order to better achieve a public order of human dignity, so that the maximum number of human beings is addressed, one should start to raise awareness about the increasing loss of one’s private sphere, gather together with others and begin to fight for the right to privacy. Creating a binding code of conduct by the users of social networks that might be similar to the GDPR, Europe’s new and promising data protection law, could be an effective measure of fighting for the right to privacy.
References Abbate J (1999) Inventing the Internet. The MIT Press, Cambridge Andrews L (2012) I know who you are and I saw what you did. Social networks and the death of privacy. Free Press, New York
50 For further information on how social media platforms as well as governments gather data from individuals and also how one could gain back control over one’s data, see Kurz and Rieger (2011).
188
6 Appraisal, Invention of Alternatives and Recommendations
Berger J (2015) The evolution of terrorist propaganda: the Paris attack and social media. Available via Brookings Institution https://www.brookings.edu/testimonies/the-evolution-of-terroristpropaganda-the-paris-attack-and-social-media/. Accessed 22 Nov 2020 Cambridge Dictionary (2020) Luddite. Cambridge University Press, Cambridge. https://dictionary. cambridge.org/us/dictionary/english/luddite. Accessed 22 Nov 2020 Close J (2014) Terror. Social media and extremism. Available via http://www.dtic.mil/dtic/tr/ fulltext/u2/1023582.pdf. Accessed 22 Nov 2020 Communication from the Commission to the European Parliament and the Council (2020) Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation. Available via European Commission https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/? uri¼CELEX:52020DC0264&from¼EN. Accessed 22 Nov 2020 Contract for the Web (November 2019) Contract for the web. Available via Contract for the Web https://9nrane41lq4966uwmljcfggv-wpengine.netdna-ssl.com/wp-content/uploads/Contractfor-the-Web-3.pdf. Accessed 22 Nov 2020 Dennis M (2020) Tim Berners-Lee. British scientist. In: Augustyn A et al (eds) Encyclopedia Britannica. Encyclopædia Britannica, Inc., Chicago. https://www.britannica.com/biography/ Tim-Berners-Lee. Accessed 22 Nov 2020 Dixon P (2017) A failure to “Do No Harm”. India’s Aadhaar biometric ID program and its inability to protect privacy in relation to measures in Europe and the U.S. Health Technol 7:539–567. Available via Springer https://doi.org/10.1007/s12553-017-0202-6. Accessed 22 Nov 2020 Dixon P (2018) 2.7 - privacy: privacy please. Available via DELLTechnologies https://www. delltechnologies.com/en-us/perspectives/podcasts-trailblazers-s02-e07-privacy/. Accessed 22 Nov 2020 European Commission (2020) EU data protection rules. Available via European Commission https://ec.europa.eu/info/law/law-topic/data-protection/eu-data-protection-rules_en. Accessed 22 Nov 2020 Facebook (2020) Monopol – Magazin für Kunst und Leben. Available via Facebook https://www. facebook.com/pg/MonopolMagazin/about/?ref¼page_internal. Accessed 22 Nov 2020 General Data Protection Regulation (GDPR) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official J of the European Union 59:1–88. Available via European Commission https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/? uri¼CELEX:32016R0679&from¼EN. Accessed 22 Nov 2020 Giurgiu A, Boulet A, De Hert P (2015) EU’s one-stop-shop mechanism: thinking transnational. privacy laws & business international report, 13 October 2015. Available via reserachgate https://www.researchgate.net/publication/283325994_EU’s_One-Stop-Shop_Mechanism_ Thinking_Transnational. Accessed 22 Nov 2020 Kaczynski T (1995) The Unabomber manifesto. Industrial society & its future. Jolly Roger Press, Berkeley King G, Pan J, Roberts M (2017) How the Chinese government fabricates social media posts for strategic distraction, not engaged argument. Am Polit Sci Rev 111:484–501 Klausen J (2016) The role of social networks in the evolution of Al Qaeda-inspired violent extremism in the United States, 1990–2015. Available via the Office of Justice Programs’ National Criminal Justice Reference Service https://www.ncjrs.gov/pdffiles1/nij/grants/ 250416.pdf. Accessed 22 Nov 2020 Kurz C, Rieger F (2011) Die Datenfresser. Wie Internetfirmen und Staat sich unsere persönlichen Daten einverleiben und wie wir die Kontrolle darüber zurückerlangen. Fischer Verlag, Berlin Land M (2013) Toward an international law of the Internet. Harv Int Law Rev 54:393–458. Available via The Office of the United Nations High Commissioner for Human Rights (OHCHR) http://www.ohchr.org/Documents/Issues/Opinion/Communications/MollyLand.pdf. Accessed 22 Nov 2020
References
189
Lasswell H, McDougal M (1992) Jurisprudence for a free society. Studies in law, science, and policy (2 vols). Martinus Nijhoff, Leiden McDougal M, Lasswell H, Chen L (1980) Human rights and world public order: the basic policies of an international law of human dignity. Yale University Press, New Haven Moerel L (2019) What happened to the one-stop shop? International Association of Privacy Professionals (IAPP). Available via IAPP https://iapp.org/news/a/what-happened-to-the-one-stopshop/. Accessed 22 Nov 2020 Monopol (2020) Monopol. Magazin für Kunst und Leben. Available via Monopol https://www. monopol-magazin.de. Accessed 22 Nov 2020 Pati R (2009) Due process and international terrorism. Martinus Nijhoff, Leiden Press Release No. 70/14 of the Court of Justice of the European Union (May 13, 2014). Available via the Court of Justice of the European Union https://curia.europa.eu/jcms/upload/docs/ application/pdf/2014-05/cp140070en.pdf. Accessed 22 Nov 2020 Reisman W, Wiessner S, Willard A (2009) The New Haven School: a brief introduction. Yale J Int L32:575–582 Social Network Constitution (2020) Lori Andrews. Available via http://www. socialnetworkconstitution.com/about.html. Accessed 22 Nov 2020 Universal Declaration of Human Rights, G.A. Res. 217 (III) A U.N. Doc. A/RES/217(III) (Dec 10, 1948) [hereinafter UDHR]. Available via The Office of the United Nations High Commissioner for Human Rights (OHCHR). https://www.ohchr.org/EN/Library/Pages/UDHR.aspx. Accessed 22 Nov 2020 Utz C, Koloßa S, Holz T, Thielbörger P (2019) Die DSGVO als internationales Vorbild? Datenschutz Datensich 43:700–705. Available via Springer https://doi.org/10.1007/s11623019-1192-5. Accessed 22 Nov 2020 Watts C (2018) Terrorism and social media: is big tech doing enough? Available via Foreign Policy Research Institute https://www.fpri.org/wp-content/uploads/2018/01/Testimony-Clint-WattsSenate-Commerce-17-Jan-2018.pdf. Accessed 22 Nov 2020 Werro F (2020) The right to be forgotten. A comparative study of the emergent right’s evolution and application in Europe, the Americas, and Asia. Springer, Heidelberg Wiessner S (1999) Professor Myres Smith McDougal: a tender farewell. St Thomas Law Rev 11:203 Wiessner S (2010) The New Haven School of Jurisprudence: a universal tool-kit for understanding and shaping the law. Asia Pacific Law J 18:46 Wiessner S, Willard A (2004) Policy-oriented jurisprudence. In: Reisman W, Arsanjani M, Wiessner S, Westermann G (eds) International law in a contemporary perspective, 2nd edn. Foundation Press, Eagan World Privacy Forum (2020) About us. Available via World Privacy Forum https://www. worldprivacyforum.org/about-us/. Accessed 22 Nov 2020 Yale Insights (2018) Three questions: Prof. Balkin on Facebook and the Risks of ‘Data Capitalism’. Available via Yale Insights https://insights.som.yale.edu/insights/three-questions-prof-jackbalkin-on-facebook-and-the-risks-of-data-capitalism. Accessed 22 Nov 2020 Yale Law School (2020) Jack M. Balkin. Knight Professor of Constitutional Law and the First Amendment. Available via Yale Law School https://law.yale.edu/jack-m-balkin. Accessed 22 Nov 2020
Chapter 7
Conclusion
After exploring the subject of social networks and the right to privacy and discovering the different claimants and their differing claims, or pinpointing past trends in decisions at the domestic (as well international) level, and after predicting future trends by presenting a possible worst-case and a preferable best-case scenario in order to finally come to an appraisal of the current situation and develop suitable recommendations, one can easily conclude that modern technology in general and social networks in particular mean a serious threat to the individual’s right to privacy. Yet, one question still remains: How much privacy do we still have left? As the author’s research has shown and also recent events1 have proven, there seems to be only a very small piece of a person’s private sphere remaining. And unfortunately, one gets the impression that people do not really care about this fact. Maybe this is due to the fact that the internet and people’s behavior online, as well as the influence of social networks on the individual, have already changed people, and perhaps even without them actually realizing. Chris Dercon2 might be right when he states that:3
1 These recent events refer to the most prominent example of a scandal involving Facebook and the British firm Cambridge Analytica as Cambridge Analytica did not only receive the data of millions of Facebook’s users, but also used by examining all the users’ personal information. 2 Chris Dercon was born in Belgium and became an art curator and art historian who has been working as the director of various contemporary art museums including London’s museum “Tate Modern”. He also led the Berlin’s theatre “Volksbühne” until just recently. For more information on Chris Dercon, see “Protest-Hit Director Quits Berlin Theater”, The New York Times (April 13, 2018). 3 This quote was found in “monopol” which is an award-winning magazine that is based in Berlin since being established in 2004 and it focuses on contemporary art and its relationship and impact on society. For further information on monopol, see “Monopol - Magazin für Kunst und Leben”, Facebook (2020).
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 V. Kirch, Social Networks - The Modern-Day Family, https://doi.org/10.1007/978-3-030-68651-2_7
191
192
7 Conclusion
Because of the internet our behavior becomes, roughly said, more autistic. It is a solitary medium, a cocky occupation for overachievers. The dotcoms are by nature anti-social, although paradoxically, living on groups and on oversharing. [. . .]4
By chance, in the near future, when the world has been already dramatically changed due to technological developments in general and the use of social media in particular, the implication for the users of social networks would be to step back from building their lives around social networks that retrieve all kind of their very own and private information and start sharing less information, or better switch to another less “spying” platform, or even quit using social networks altogether, as they are doing today. Nevertheless, hopefully and against all odds, it actually may be the individual users of social networks themselves who, at a certain point, will come to the conclusion that throwing away basically all his or her privacy and trading it in just for having an easier way of communicating with each other across the globe or for achieving a more transparent world, is not what one should do. Perhaps one should rather have trust in the so-called Generation Facebook that differs from its precursor generation in many ways due to the simple fact that its every-day life is a different one with the internet and social media playing an important role and interfering in its realities. The individuals of Generation Facebook might have more potential than some might think. At least, Michel Serres5 was a strong believer when it comes to the Generation Facebook. Accordingly, he stated in one of his latest books “Thumbelina: The Culture and Technology of Millennials”:6
To take a look at monopol’s current articles and authors, see “Monopol. Magazin für Kunst und Leben”, monopol (2020). 4 Chris Dercon’s statement was published in monopol’s issue in December of 2015. The German translation reads as the following: Durch das Netz wird unser Verhalten, grob gesagt, autistischer. Es ist ein einzelgängerisches Medium, eine anmaßende Beschäftigung für Overachievers. Die Internetfirmen sind von Natur aus unsozial, leben aber paradoxerweise von Gruppen, und dem Oversharing. Computerfreaks sind an Informationen und Systemen interessiert, die von der zeitgenössischen Kunst nicht länger bedient werden. The author herself translated from German to English. Michel Serres was a French philosopher and is considered being one of the most important thinkers in France as of today. He was born on September 1, 1930 and died on June 1, 2019 in France. Serres was a professor at the world-renowned Sorbonne University in Paris, France as well as the Stanford University in California. Over the years, Serres had published various books such as Le Parasite, Le contrat naturel, La légende des anges, or C’était mieux avant. For further information on Michel Serres, see “Michel Serres”, Stanford University (2020). 6 See Serres (2015). The original French book—simply “Petite Poucette”—was published in 2012, the German edition followed in 2013 with the title “Erfindet euch neu! Eine Liebeserklärung an die vernetzte Generation”. 5
References
193
Without us even realizing it, a new kind of human being was born in the brief period of time that separates us from the 1970s. He or she no longer has the same body or the same life expectancy. They no longer communicate in the same way; they no longer perceive the same world; they no longer live in the same Nature or inhabit the same space. [. . .] He or she writes differently. After watching them, with admiration, send an SMS more quickly than I could ever do with my clumsy fingers, I have named them, with as much tenderness as a grandfather can express, Thumbelina (Petite Poucette) and Tom Thumb (Petit Poucet).7
Furthermore, Serres finished the first chapter of this book describing Generation Facebook by expressing his love for this generation and stating the following: I would like to be eighteen years old, the age of Thumbelina and Tom Thumb, since everything has to be redone, everything still needs to be invented. I hope that life leaves me enough time to work on this, side by side with Thumbelina and Tom Thumb, to whom I have dedicated my life because I have always respectfully loved them.8
References Facebook (2020) Monopol – Magazin für Kunst und Leben. Available via Facebook https://www. facebook.com/pg/MonopolMagazin/about/?ref¼page_internal. Accessed 22 Nov 2020 Monopol (2020) Monopol. Magazin für Kunst und Leben. Available via Monopol https://www. monopol-magazin.de. Accessed 22 Nov 2020 Serres M (2015) Thumbelina. The culture and technology of millennials. Rowman & Littlefield, London & New York Stanford University (2020) People. Michel Serres. Available via Stanford University https://dlcl. stanford.edu/people/michel-serres. Accessed 22 Nov 2020
The book in English was released later and its title “Thumbelina: The Culture and Technology of Millennials” was chosen well, although not reflecting Serres’ love and admiration for the Generation Facebook as much as the German title does. 7 Id. at 7. 8 Id. at 15.