Literature Review


Before sending out our Google Forms to young European residents, we did some research to gather information and key figures. We started by looking at the content of the GDPR and summarized it to understand how it works and how it legally protects European citizens. Then we found many articles with figures on the use of data by big tech companies in the EU. Finally, we read previous studies mainly concerning trust, consent and individual perceptions of the GDPR.

A few more words about GDPR

As mentioned in the introduction, the GDPR is a piece of legislation that aims at protecting EU citizens’ privacy rights. It applies to companies collecting data from individuals within the EU. The penalty for violating the GDPR is steep fines. The regulation follows 7 principles. To cite a few, it follows the principles of lawfulness, fairness and transparency, data minimization, accuracy and accountability.

Concerning the rights of data subjects, under this legislation, they can claim the right to be informed, the right of erasure, the right to object, the right of access, the right to rectification, the right to restrict processing and rights in relation to automated decision making and profiling.

How are companies using our data?

When it comes to numbers, we learned that about 2.5 quintillion bytes of consumers’ data are collected every day, and this number continues to grow according to Rudder Stack.

In his article entitled Big brother brands report, which explains how companies might access our personal data the most, Andriy Slynchuk stresses that every time you use a TikTok or Instagram filter, they track your facial movements to build a picture of your likeness. While it might create some amusing results, it allows these companies to capture and collect your image.

Others go further than just a picture of your face, requesting access to your entire image library. They can use these images to tailor ads specifically to your interests, tracking images of sports, music, nights out and events you have attended to offer you a truly personalized experience.

TikTok, which has launched many viral sensations over the past year, collects 46.15% of available data on you, including your facial recognition, voice data, and image library. And if how you look isn’t enough, some brands even want to know how you sound. Voice recognition can be used to make it quicker for you to log into certain accounts, with 4.17% of the brands we reported storing your voice for later use.

Moreover, the article called The Data Big Tech Companies Have On You, written by Aliza Vigderman and Gabe Turner, explains that, if you’ve used Google to make calls or text, then they’ve also collected the calling and receiving party numbers, forwarding numbers, times and dates of your calls and texts, call durations, routing information, and types of calls.

Finally, according to Facebook Reports Fourth Quarter and Full Year 2018 Results, ads are how Facebook makes most of its money, around $16.6 billion to be precise, so the more it knows about you, the more it can sell on. As well as the usual, such as your name, location, email address and date of birth, it also collects a whole load of things you might not be aware you gave away.

What do other studies say?

Last but not least, we collected three studies about the notions of trust, consent and individuals’ perceptions of the GDPR.

The first study, conducted by Paul C. Bauer, Frederic Gerdon, Florian Keusch, Frauke Kreuter and David Vannette, is about the impact of the GDPR on individuals’ trust. Their hypothesis was that the GDPR has positively affected individuals’ trust. Their observations and experimental evidence contradict their hypothesis.

They first examined data collected on individuals’ trust before and after the GDPR was implemented. Then they ran a survey experiment with random information about the GDPR policy, with trust measured across a number of entities. They found that even though they checked the participants’ knowledge of the GDPR, “many people might not be fully aware of its exact stipulations”, and that while there is trust and comfort when data collectors and data collection procedures are transparent, it is not necessarily driven by the implementation of policies.

The second study focused on consent and cookie banners. Their method was a between-subjects study in which participants had to give consent on different types of cookie banners on a German e-commerce website. They collected passive clickstream data to see how people interact with consent, and they invited the participants to complete a survey for qualitative data. They did 3 experiments:

“Experiment 1: Banner Position”

“Experiment 2: Choices and Nudging”

“Experiment 3: Language and Privacy Policy Link” → how the language used influences users’ decisions to accept cookies or not, e.g. “This website uses cookies” instead of “This website collects your data”

Their result was that, in general, opt-out cookie banners are less likely to produce a meaningful expression of consent, and a more elaborate cookie banner is better than a simple “yes”/“no” one.

The third and last study aimed at examining individuals’ reactions towards the GDPR, their perceptions and how they experience it in real life. They conducted a panel survey in the Netherlands, using the Deloitte report, which focuses on the impact of the GDPR on relationships between organizations and their clients, and the Eurobarometer, which covers general awareness of the GDPR among Europeans.

They found that people from the Netherlands know their rights, thanks to the media, but they still have doubts about the effectiveness of the GDPR. However, there is still some confusion between what they know and the understanding of the actual provisions. Indeed, there are strong misconceptions about the law: “more than two thirds of users incorrectly believed that they had a right to know in which country their data was being stored”. Furthermore, laws that do exist aren’t known by the majority: 60% of people weren’t aware of the right to data portability.


This literature review shed some light on our hypothesis, suggesting that despite efforts by the GDPR and the competent EU institutions to make people aware of their rights and to protect their privacy, people are still quite unfamiliar and confused.

However, instead of drawing any premature conclusion, let’s first proceed to analyze the results of our surveys.