Is GDPR really about data privacy?
This question may sound strange given the fact that article 1, number 1 of the GDPR states that the regulation „lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.“ According to article 1, number 2 of the GDPR, the regulation „protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.“
There can be no doubt that GDPR deals with „personal data“. However, was the GDPR really made to empower us by protecting our privacy in this way? If you take a closer look at article 6 of the GDPR, you may notice that there are numerous reasons to justify the processing of personal data. There is a justification, for example, called “legitimate interests.” As a legal term, this is very vague. In addition, article 1, number 3 of the GDPR states that „the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.” This suggests that personal data should move around freely, albeit in accordance with GDPR. So you can process personal data on a massive scale in a way that is legal, but it does not necessarily protect the privacy of the data subject.
Another problematic aspect is recital (15) of the GDPR which states: „In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used . . .” This means that the privacy law is the same, whatever technology is used. The GDPR is therefore the same for the baker as it is for the blockchain developer. The problem here is that the GDPR was being developed over such a long period that new technologies, such as blockchain and decentralized apps (Dapps), emerged without being considered by the makers of the GDPR. For example, the assumption in the regulation of a “controller” behind any processing of personal data does not fit well with decentralized technologies such as blockchain. There simply is no “controller” in a public blockchain.
The notion that data subjects will now have more „control“ over their personal data is misleading. How many people have the time to read privacy declarations exceeding ten pages? This resonates with consumer protection law, which is premised on the idea that the consumer is best protected by the provision of information regarding his or her rights. In reality, this means that consumers, like data subjects, end up being bombarded by information they do not necessarily read. Is this protection? According to the GDPR, it is.