Objetivos Específicos:

As it appears, the models examined in the preceding chapters have not been applied or integrated into the GDPR clauses regarding processing based on contract or consent. Additionally, no other model regarding risk management or power imbalances appears to lie at the basis of the provisions regarding contract and consent. In this regard, the GDPR difers from the Seveso III-directive, the Unfair Terms Directive and the Unfair Commercial Practices directive: these directives contain standards that display some degree of coherence with models of risk management and power distribution from the social sciences, even though these models are not expressly applied. This fnding appears to confrm the criticisms from Moerel, Koops and Zarsky.496

The absence of an underlying testable model in legislation could adversely afect the expected efcacy of the GDPR in least the following ways:

• It could reduce the efectiveness of enforcement strategies by Independent Supervisory Authorities if a lack of focus in enforcement eforts could prevent a cycle of permanent improvement in enforcement or processing practice.

• It could make the outcome of court cases less predictable. This could make developing a coherent doctrine in jurisprudence more difcult, which could, in turn, complicate the solving of any problems with the GDPR that may become evident in the coming years.

A possible explanation for why modelling the efects of big data could have escaped the attention of legislators was seen in section 4.5. Datafcation was never the focus of regulation, as it may have often been regarded as a mere by-product of welcomed innovation through automation. Another possible cause was hinted at in the introduction and in section 5.2: in step with Moore’s, Keck’s and Kryder’s laws, the number and the complexity of systems under datafcation has increased exponentially. In this context, “surveillance capitalism” in its current form may be an emergent property of a complex system – a society under datafcation – where personal data has become ubiquitous. Foreseeing the emergence of the current market for personal data may have been impossible, since emergent properties are unpredictable from the properties of the elements in the system.497

Regulating an emergent phenomenon almost at the same time as its emergence could be an impossible task for any legislative efort. Under these circumstances, Coase’s prediction that the efects of any possible form of regulation would not resemble “anything an economist would call optimal” seems almost self-evident.498 _{But no}

matter why a clear assessment of the associated risks and power shifts is absent, it is proposed here that the challenge that big data presents for society needs to be identifed before it can be addressed. This research has shown that models from the social and the exact sciences can be of assistance in better understanding this challenge.

Legislative intervention to address risks and power imbalances seems appropriate. A relatively small number of actors, “Tech’s Frightful Five” prominently among them, have managed to increase their structural power by achieving a dominant position in

497 _{See section 5.2 above.}

the market for platforms through the collection of both capital and personal data. This gives them great institutional power: the mere size of the most successful platforms implies that the platforms themselves can be leveraged to unilaterally dictate terms and thereby increase this structural power even further in almost any market that can be accessed through telecommunications – including the marketplace of ideas. This increases the risk for unfair treatment.

For many consumers, escaping the Frightful Five’s collection of personal data has become almost impossible in the course of their regular economic, social and intellectual activities. And if escaping it were possible, it remains questionable whether consumers would want to do without the benefts that these platforms are ofering. Due to the large amounts of capital needed to build a platform with similar capabilities and market presence, new platforms that aim to compete with the frightful fve for dominance may take considerable time to emerge. Even if they do, it is uncertain whether these platforms would aim to relinquish any power or carry any risk that their competitors have accrued and ofoaded. Competition, at least in the sense that consumers are free to choose whether or not and with whom to share their personal data, is much more than “a click away”.499

The European Commission has cited technological developments as an important trigger for drafting the GDPR in 2012.500 _{But somewhat surprisingly, the evaluation of}

the risks associated with these developments is very similar to the risk evaluations in the French Loi n° 78-17 du 6 janvier 1978 and the Council of Europe’s Convention 108

from 1981. The supporting documents of these three legal instruments, as well as the legal texts themselves, focus on the risks for individual rights and freedoms. These risks are obviously important, but no specifc reasoning is provided as to how the proposed measures are expected to reduce the risks or mitigate the efects once the risks have materialised. At the same time, risks at the level of groups, communities or societies should not be ignored.

6.3

Understanding big data better: