One of the primary aims of the GDPR is to increase the participation of data subjects and to grant them more control over their data. Since Google and Facebook are global companies collecting and processing vast amounts of personal data, their compliance with the GDPR is essential to ensure better protection of the data subjects. The key challenge now is whether the GDPR impacts the business model of Facebook and Google, since the scandal of Cambridge Analytica revealed that transparency” has no meaning in today’s online market, where individuals’ data is the currency. Even though GDPR provides some fundamental rights for the data subjects, it could be argued that the data subjects have no effective control over their data in the online market in practice. Therefore, it is necessary to analyse, whether GDPR sets adequate safeguards regarding the data subjects’ rights, regarding data owners’ consent, purpose limitation principle and the right to be informed as well as whether these companies meet the requirements of the GDPR in practice. Thus, the aim of this book is to illuminate the interaction of legislative decree and business practices of Facebook and Google.

Text sample: Chapter 3, Basics of the GDPR to Collect and Process Personal Data: 3.1, Some of the General Principles of the GDPR: Principles in general are abstractions determinate the essence and the basis of a set of legal rules. General principles of data processing in the EU are mostly regulated under Art. 5 of the GDPR. These principles set out not only obligations for businesses and organizations which collect, process and store personal data, but also rights for the data subjects. The principles are also functioning as guiding standards when interpreting the legislation. 3.1.1, Fair and Lawful Processing: One of the primary principles of the data protection law are fair and lawful processing regulated under Art. 5(1)(a) of the GDPR. The term fairness” is quite abstract in the GDPR. Thus, it is difficult to define. It could however be said that it embraces some of the fundamental principles such as transparency, purpose limitation and proportionality. For data processing to be lawful, it must be based on consent or one of the other legitimate grounds provided in the Article 6 (1) of the GDPR. Principle of fairness requires the data processing to be done in a fair manner. In that sense, the controller needs to ensure the data subjects that there are no unforeseeable negative effects caused by data processing and inform them about the potential risks. Moreover, the interest and the reasonable expectations of the data subjects need to be considered by the controller. Therefore, balance and proportionality are integral part of fairness. This also includes for the controller to be acting within the frame of the wishes of the data subject as much as possible. Especially when the data subject’s consent forms the legal basis of the data processing. In British Gas Trading Case, the Tribunal ruled that individuals should be informed of any non-specific purpose for processing at the time they enter into the relationship with the controller. Also, wider uses of the data without the consent of the data subject has been found to be unfair. The principle could also be interpreted as a protection from abuse of the controllers of their monopoly position, as well as direct data collection from the data subjects, and not from third parties. 3.1.2, Transparency: Transparency principle is regulated under Art. 5(1)(a) of the GDPR and it requires the personal data relating to natural persons to be transparent about how the data are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.” In that sense, the identity of the controller, purposes of the processing, information necessary for the natural persons to use their right to obtain confirmation and communication of personal data concerning them, the risks, rules, safeguards and rights regarding the processing of personal data and how to exercise their rights in relation to such processing must be provided by the controller. Moreover, the principle of transparency requires that the information addressed to the public or data subject to be concise, easily accessible and easy to understand, and that clear and plain language”. It is particularly important for data subjects to know ”by whom and for what purpose personal data relating to him or her are being collected”. Transparency principle is also crucial for the usage of artificial intelligence (AI) and automated decision-making processes, since the GDPR requires the controllers to provide the grounds for the decision made by the AI. For instance, in the case of online behavioural advertising, the controller is responsible for providing information to the users, on what grounds a specific advertisement is shown to the specific user. However, there are technical challenges to provide such information because of the vast amount of data collection such as the black-box issue. It can be said that the black-box issue is one of the technically weak points regarding to comply with the principle of transparency in the GDPR so far. In case of the companies such as Facebook and Google, providing the necessities of the principle of transparency might help to increase the productivity for the advertisers using their Ads services. Since an explanation will be given by the AI, the reason why it shows a specific advertisement to a specific person on what bases, will be clear.

• Data Subject Rights

• Datenschutz

• Privacy Policy

• Datenschutz-Grundverordnung

• DSGVO

Bilge Huschebeck was born in 1995 in Istanbul. After obtaining her bachelor’s degree in law she completed several internships in international law firms and has been admitted to the bar in Istanbul. The author decided to further develop his professional qualifications in the field of IT and IP law including data protection law. She completed her double masters’ degree at Leibniz University Hannover and University of Oslo in 2019 with the academic degree of Magna Cum Laude. Currently, she is working as an international data protection consultant in Germany.