أعمالنا

Data Privacy at a Crossroads

By Adv. Zaid Edaili

Data Privacy at a Crossroads: Evaluating Zuboff’s Surveillance Capitalism in Light of GDPR’s Consent and Legitimate Interest Debate

Introduction
Privacy is a fundamentally important subject, particularly in our current era where technology permeates our lives and information about individuals can spread rapidly via the internet. Privacy is a multi-faceted term that can be viewed differently depending on the ideology being followed. Generally, it can be defined as “the right of a person to make their own decisions regarding private or personal matters,” “the right to be free from interference and intrusion,” or “the right to be let alone.” Thus, in broad terms, privacy essentially denotes an individual’s right to lead a concealed life away from others and maintain a personal space where they feel safe.
In the context of our modern world, the ability to access and transfer information, regardless of location, has become crucial for social and economic development as well as technological progress. However, there is a growing concern that the global transfer and processing of personal data could adversely impact individuals’ privacy rights. Consequently, it became necessary to establish a regulatory framework to protect data transfer and privacy on an international scale, particularly in Europe. This need gave rise to the ‘European Union Data Protection Directive 95/46’, which was later replaced by the ‘European Union General Data Protection Regulation’ (GDPR) on 25th May 2018.
Shoshana Zuboff, in her book ‘The Age of Surveillance Capitalism,’ discusses how the new era of technology is gradually taking over the world, ushering in the age of techno-capitalism. This essay will examine this concept from a legal perspective, focusing on the GDPR in relation to consent and legitimate interest in the sharing of health data obtained from Fitbit by Meta. Additionally, we will analyze health data platforms, leading to a discussion on Fitbit and the sharing of health records through the device.

The Era of Change: The EU Data Protection Directive ‘the Directive’ and the EU General Data Protection Regulation ‘the GDPR’

Before 2018, prior to the advent of the GDPR, the EU and the UK operated under the EU Data Protection Directive, which was established in 1995 to address data privacy and security issues. The Directive also limited the international transfer of private data outside the EU. While the Directive was effective during its time, it eventually became outdated. Consequently, the EU initiated the implementation of the General Data Protection Regulation (GDPR) to provide a more current and comprehensive legal framework.
On 6th October 2015, in the landmark case of ‘Schrems v. Data Protection Commissioner’, the Court of Justice of the European Union overturned the High Court of Ireland’s decision, which had upheld the agreement between the USA and the EU as providing sufficient protection for data transferred from Europe to the US. The facts of the case revealed that Maximilian Schrems, a Facebook user since 2008, was concerned that US laws did not offer adequate protection for data transferred from Facebook’s European subsidiary in Ireland to its servers in the United States. These concerns led Mr Schrems to file a complaint with the Irish Data Protection Commissioner stating that,
“In light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services such as the National Security Agency (‘NSA’), the law and practice of the United States did not offer adequate protection against surveillance by public authorities of the data transferred to that country.”
The ruling in this case was pivotal, leading to significant changes and the establishment of the GDPR. This shift was necessary because the Directive was insufficient to protect international data transfers outside the EU, as evidenced by the loophole identified in the Schrems case. The GDPR was introduced to address this inadequacy and ensure stronger data protection measures.
The Directive contained ‘bugs’ that required fixing, and rather than amending it again, a new regulation was proposed. One of these issues was in Article 25(1), which stated:
“The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection”
This subsection needed revision because any national law adopted after the EU Directive should comply with its provisions. However, this meant that sufficient protection was not guaranteed by international entities or third-party countries. As a result, this article became ineffective due to its flawed wording.
Furthermore, subsection (2) of the same article stated:
“The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country”
This created problems with the concept of ‘adequacy,’ as this definition effectively meant that not all data was protected in all situations. This inconsistency could lead to chaos in data transfer, as the EU Directive would determine the importance of personal data transfers based on third-party laws. This led to widespread concern within the EU, exemplified by the Schrems v. Data Protection Commissioner case, which became the cornerstone of the new era in data and privacy protection.
The GDPR addressed and resolved the ‘bugs’ identified in the Directive. Article 101 of the GDPR states that:
“However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organizations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organization to controllers, processors in the same or another third country or an international organization”
While this part of the article starts vaguely, it generally defines the privacy and safety aspects of international data transfers, specifically to international organizations and third parties outside the European Union. Nevertheless, it has yet to determine the tools required for protecting individuals’ privacy. This is why the regulation further explains in the next part of the article that any data transferred to international organizations is strictly protected under the provisions of this regulation, provided that data transfers comply with the international organization’s processor, as stated:
“A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organizations are complied with by the controller or processor.”
Despite some criticisms, the GDPR’s influence on modern data protection and its alignment with the rapid evolution of technology cannot be denied. As outlined in its provisions, the GDPR effectively protects the privacy of individuals internationally. A key point in the regulation is that any international agreement between EU states and third countries must adhere to the regulation’s provisions. Any contradiction within such agreements would be overridden in favor of the GDPR, as stated in Article 102 of the regulation.
Additionally, Article 103 of the GDPR further details the appropriate tools for data protection, stating that the European Commission must always approve data transfers to third countries or international entities and has the ultimate authority to determine if the international entity in question provides sufficient protection for data transferred from the EU.
Moreover, in Schrems v. Data Protection Commissioner, the Court of Justice of the European Union, after considering all the evidence presented, concluded that decision 2000/520 was unenforceable. Due to this judgment, the EU Commission and the Court of Justice determined that the EU Data Protection Directive was inadequate for protecting international data transfers, leading to the development of the General Data Protection Regulation.

The Bystander of the Age of Surveillance Capitalism ‘Shoshana Zuboff’s Intake’
Shoshana Zuboff, in her book ‘The Age of Surveillance Capitalism,’ introduced the concept of the new era of data surveillance. This work provided a fresh perspective on the potential scope of surveillance in the modern age. Surveillance capitalism can be defined as the “monetization of data captured through monitoring people’s movements and behaviors online and in the physical world” This means that a surveillance capitalist company operates with the aim of eventually controlling individuals’ personal data, even in the most basic ways, such as Facebook does.
Zuboff’s idea of the beginning of surveillance capitalism is what she called ‘The Apple Hack,’ where she concluded that the emancipatory promise of “giving people social or political freedom and rights” began with Apple’s invention of the iPod. She argued that the birth of the iPod allowed people to explore their social capabilities as they pleased. In her view, this path taken by Apple would be the breakthrough for surveillance capitalism in the near future.
Furthermore, Zuboff believed that the emancipatory promise of the internet emerged from the same historical circumstances that propelled the iPod’s success, as she explains in the following chapters. Crucially, these identical circumstances provided the foundation for surveillance capitalism to establish and thrive. The success of surveillance capitalism and the Apple phenomenon can be attributed to the clash of two opposing historical forces.
However, it can also be argued that Zuboff might have been slightly off the mark. Although she began her book with one of the most successful technological stories known to man, she overlooked the fact that Apple was not founded on the principles of surveillance capitalism, as she suggested. Apple’s intentions were more ‘selfish,’ focusing on their own success rather than the broader good of society. They were not the benevolent forces that Zuboff portrayed them to be in this context.
On the same note, it might have been more appropriate for Zuboff to introduce the birth of surveillance capitalism with a closer examination of data transfer-centric corporations such as Facebook, rather than Apple. Although she did mention that Google and Facebook were also prime examples of surveillance capitalist corporations, focusing initially on these would have provided a more direct link to her thesis. With Facebook and Instagram being prominent examples of surveillance capitalist entities, and as the faces of the parent company Meta, concerns arose about the merger between Meta and Fitbit. This merger raised issues about the potential misuse of health data by Meta.
Although Meta’s actions are profit-driven, the high demand for Fitbit devices, driven by the “Quantified Self Movement,” makes this advantageous in marketing. With the merger, Meta now has access to personal health data of Fitbit users, which number approximately 28 million. During the initial negotiations between Google and Fitbit, a third company, Meta, was waiting to seize the opportunity, which ultimately led to Meta’s control over this vast amount of health data.
Surveillance capitalist corporations, in their pursuit of enhancing goods, services, and customer engagement, must go beyond merely gathering and analysing consumer data. This is where the concept of ‘behavioural surpluses’ come into play.
Thanks to Shoshana Zuboff and her book, this term has gained considerable attention from various media sources. A ‘new’ definitive term that marks a significant step forward in the technological advancement of economics is now widely recognized, thanks to Zuboff. For newcomers to the technological economy, behavioural surplus is defined as:
“Data that goes beyond online product and service use. It can include information related to a person’s location, age, profession, lifestyle, habits, and a range of personal and professional preferences”
Arguably, this so-called behavioural surplus is the turning point of surveillance capitalism, as observed by Zuboff. Facebook has been utilising this terminology and system for years. The primary purpose is to market advertisements tailored to the user’s interests while profiting from it. A significant concern is that Facebook, due to behavioural surplus, has been collecting users’ personal data for years and will continue to do so now that it has merged with Fitbit.
Furthermore, a similar situation is occurring with Apple. Users can view all their health and fitness information using Apple’s Health app. Various devices and software, such as a Nike FuelBand, a Withings blood pressure monitor, and an iHealth Wireless Smart Gluco-Monitoring System, can have their data compiled in the Apple Health app, which acts as a dashboard for health and fitness data. This system allows Apple to access users’ health data without facing consequences. However, Apple, being a surveillance capitalist corporation, has developed privacy settings for its health app that could be useful for users concerned about involuntary data transfers to unwanted entities.
Similarly, it cannot be said that Fitbit offers adequate protection for its users’ health data. On the other hand, under the GDPR, international data transfers can be legitimate and based on the user’s consent.

Consent and Legitimate Interest: A Legal Tension in the GDPR
Consent in the GDPR is first introduced at the beginning of Article 32, which states that:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement”
This article effectively asserts that consent can be given in various ways, including electronic means, such as the agreements to terms and conditions commonly used by social media platforms when a user first signs up. Furthermore, the article continues to state that hidden, pre-agreed boxes for electronic consent are invalid. These cannot be used as a means of consent by surveillance capitalist corporations because the user is unaware that they have consented to any data transfers while using the program.

The last part of Article (32) adds that:
“If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise, and not unnecessarily disruptive to the use of the service for which it is provided”
With this statement, the GDPR strictly dictates that for a user’s consent given through media platforms to be valid, the request for consent must be comprehensible and must not disrupt the user’s ability to use the services provided by the platform.
Validation of this point requires an understanding of what constitutes consent in public law, particularly in terms of its application in data protection. In public law, consent is the full agreement of a person to a service or request made by another, without duress and with full capacity to make the choice. In data protection, consent means that a person must be well informed about how their data will be shared or transferred and have complete freedom of choice. If a data platform urges a person to give consent and, if not given, denies them the use of the platform’s services, then the consent is invalid because it lacks the element of free choice.
Applying this to Zuboff’s analysis of surveillance capitalist corporations, such as Meta, which depend on data sharing and transfer, a person using Meta’s services should be well informed about their terms and services. The person should also have the freedom to agree or disagree with the terms of data sharing and still be able to use the services. This is especially relevant in the case of Fitbit, as health data is a sensitive topic, and users are highly conscious of privacy in this matter.
When Google sought to acquire and merge with Fitbit, there were significant concerns and opposition. The primary reason for this opposition was the fear that the health data acquired by Fitbit would fall into the hands of a surveillance capitalist company like Google, potentially leading to the unnecessary use of this data. Professor Chongwoo Choe expressed concerns on this matter, stating, “While Google says it would not use Fitbit data for advertising purposes, this doesn’t rule out Google’s use of this data in other markets, such as health care” This is not an unreasonable assessment, as Google acquiring Fitbit can reasonably be assumed to have led to expansion into the healthcare market, which would not be acceptable to a significant portion of the community. For example, people with sensitive health issues may have opposed Google transferring and sharing their health records under the guise of expanding its business. Similarly, if Meta does not find an appropriate way to obtain consumers’ consent regarding the use of their health data, they are not permitted to transfer or share this data according to the GDPR.

Article 44 of the GDPR states that:
“In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
The above article is crucial as it not only addresses the consent of the data subject but also outlines the conditions under which Meta can perform data transfers without the subject’s consent. If obtaining consent compromises Meta’s work and profitability, they can rely on the legitimate interest approach.
Legitimate interest, as defined in law, is:
“When you or a third-party have a genuine reason that makes processing the data necessary, and there are no other interests that outranks your business interest”
Legitimate interest serves as the foundation for data sharing when necessary. Under this principle, Meta is not required to obtain consumer consent, provided there is a reasonable belief that consumers are aware that the provider’s environment is based on data processing and transfers. However, Meta must still provide clear terms and services and list the entities to which data is being transferred. Consumers must agree to these terms, but their use of the service is not dependent on their consent to data sharing, as long as the ‘pre-agreed box’ is ticked. It is important to note that data collected on the basis of legitimate interest cannot later be used for consent-based marketing.
The introduction of Article 47 of the GDPR states that:
“The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller…”
With this part of the Article, one can see that the GDPR also permits legitimate interest in data processing between consumers and providers, which provides further incentive for Meta to consider legitimate interest as its primary marketing strategy. However, this can vary depending on the type of data being processed and transferred; in this case, it involves health data, which is inherently sensitive.

In contrast, Article 69 of the aforementioned regulation states that:
“Where personal data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of a controller or a third party, a data subject should, nevertheless, be entitled to object to the processing of any personal data relating to his or her particular situation”
According to this article, surveillance capitalist corporations have the right to process data in the name of legitimate interest. However, if the data processing overrides or distorts the consumer’s freedom, the controller has the right to determine whether the data processing is lawful, and the data subject has the right to object to the processing of their data.
Moreover, Chapter 2, Article 6, subsection (f) of the GDPR states that legitimate interest in data processing, provided it does not infringe on the freedom and rights of consumers, is a lawful means of processing data. Additionally, subsection (a) of the same article deems consent a lawful basis for data processing. I would argue that the mention of consent in this article was unnecessary, as it was already covered in Article 32. Subsection (f) of Article 6 in the general provisions inherently includes consent, since legitimate interest is not more significant than consent. Therefore, if legitimate interest is lawful, so is consent. The redundancy in the GDPR’s wording could have been avoided by the legislator.

Consent and Legitimate Interest in the Eyes of Zuboff on Surveillance Capitalist Corporations
Zuboff highlights the role of Facebook as a surveillance capitalist. She explains how terms of service are often misleading, as most people do not read them and simply agree to use the provider’s services. Additionally, she points out that surveillance capitalist companies typically make the terms of service and fine print excessively long, discouraging users from fully reading and understanding them, resulting in users consenting without truly ‘consenting’.
Within the fine print of the terms of service, there is usually a clause allowing the provider to change the terms at any time without the user’s legal consent or knowledge. This brings us to the main concern with Meta’s acquisition of Fitbit: if Facebook publicly shares and transfers data, there is no guarantee that Fitbit will not do the same, considering both companies are under Meta’s umbrella.
Margaret Radin, in her book ‘Boilerplate: The Fine Print, Vanishing Rights, and the Rule of Law,’ addresses how the terms of service in surveillance capitalist corporations are degrading contracts that do not genuinely seek the user’s full consent. Radin views such contract terms as a moral and democratic degradation of the rule of law and the institution of contracts. She argues that these terms pervert the system to favour the firm’s interests, forcing recipients into a legal framework conceptualised by the firm in order to participate in transactions with it.
It can be argued that legitimate interest can be devised and used by corporations such as Meta, especially given their tendency to change terms of service without the user’s knowledge or consent. Zuboff also discusses how the GDPR addresses the issue of legitimate interest, as highlighted by the New York Times through the words of Data Protection Supervisor Giovanni Buttarelli. One example she cites is an international law firm’s paper stating that legitimate interest can be a lawful and profitable way of data processing, without the degrading aspects, and with full user consent. The law firm states:
“Legitimate interest may be the most accountable ground for processing in many contexts, as it requires an assessment and balancing of the risks and benefits of processing for organisations, individuals and society. The legitimate interests of the controller or a third party may also include other rights and freedoms. The balancing test will sometimes also include; freedom of expression, right to engage in economic activity, the right to ensure the protection of IP rights, etc. These rights must also be taken into account when balancing them against the individuals’ right to privacy”
Essentially, Zuboff expresses strong opposition to the existence of surveillance capitalist companies. She advocates for these companies to be supervised by larger organizations, such as the EU Data Protection Commission, and through international agreements aimed at restricting the operations of surveillance capitalist entities.

Conclusion
Given the widespread adoption of technology for all aspects of our lives, from business to entertainment to consumerism, surveillance capitalism is an issue of increasing prominence. This essay has shown that the issue of privacy invasion is a matter of perspective. However, the GDPR clearly emphasizes the importance of consent for the transfer and processing of data, as well as a legitimate interest. For Meta to successfully integrate Fitbit without encountering privacy invasion issues, they must ensure that Fitbit’s terms of service differ from those of Instagram or any other Meta subsidiary.
Despite the initial critique of Zuboff’s book, her insights on surveillance capitalism and its future implications highlight the crucial role of data processing in our daily lives. There are strong arguments to suggest that surveillance capitalist companies should self-regulate; otherwise, laws and regulations such as the GDPR will inevitably intervene.
Finally, although consent is more lawful than legitimate interest, it would be challenging, if not impossible, for surveillance capitalist companies to operate solely on consent. For a company like Meta, which is deeply embedded in social media and data sharing, their terms of service must be agreed upon for users to access their services. In the case of Fitbit, adopting a consent-based approach would not ensure informed consent, as users are unlikely to read the terms of service and fine print, potentially leading to privacy invasion by Meta.

 

References:

1- ‘What Is Privacy?’ (OAIC) <https://www.oaic.gov.au/privacy/your-privacy-rights/what-is-privacy>.
2- ibid.
3- ‘The Main Differences between the DPD and the GDPR and How to Address Those Moving Forward’ <https://britishlegalitforum.com/wp-content/uploads/2017/02/GDPR-Whitepaper-British-Legal-Technology-Forum-2017-Sponsor.pdf>.
4- Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for the Future at the New Frontier of Power (Profile Books 2019).
5- SeeUnity (n 3).
6- Global Freedom of Expression/University of Columbia, ‘Reviewing Schrems v. Data Protection Commissioner’ (2016) <https://globalfreedomofexpression.columbia.edu/cases/schrems-v-data-protection-commissioner/>.
7- Global Freedom of Expression/University of Columbia (n 6).
8- Schrems v Data Protection Commissioner [2015] Court of Justice of the European Union C 362/14.
9- Schrems v Data Protection Commissioner (High Court of Ireland) [2014] High court of Ireland C 362/14.
10- European Union Data Protection Directive 1995.
11- DPD (n 10).
12- The General Data Protection Regulation 2016.
13- GDPR (n 12).
14- SeeUnity (n 3).
15- GDPR (n 12).
16- GDPR (n 12).
17- Nick Barney, ‘Surveillance Capitalism’ (December 2022) <https://www.techtarget.com/whatis/definition/surveillance-capitalism>.
18- Zuboff (n 4).
19- Zuboff (n 4).
20- Ella Hafermalz, ‘Book Review – The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power’ (2021) <https://www.cairn.info/revue-management-2021-4-page-70.htm>.
21- Zuboff (n 4).
22- Victor R. Lee, ‘What’s Happening in the “Quantified Self” Movement?’ 1032-1038.
23- Chongwoo Choe and Zhijun Chen, ‘Google’s Merger with Fitbit Puts Our Health Data at Risk. It Should Be Opposed.’ [2020] Monash Business School/Economics.
24- Zuboff (n 4).
25- Hafermalz (n 20).
26- Mark Yates, ‘“Behavioral Surplus” Is Not Evil – It’s Essential to Customer Experience’ (20 May 2019) <https://blog-idceurope.com/behavioral-surplus-for-cx/>.
27- Hafermalz (n 20).
28- Choe and Chen (n 23).
29- GDPR (n 12).
30- GDPR (n 12).
31- ‘Rape and Sexual Offences – Chapter 6: Consent’ (21 May 2021) <https://www.cps.gov.uk/legal-guidance/rape-and-sexual-offences-chapter-6-consent>.
32- Zuboff (n 4).
33- Choe and Chen (n 23).
34- GDPR (n 12).
35- Sagacity, ‘Consent vs Legitimate Interest – What You Need to Know’ (sagacitysolutions) <https://www.sagacitysolutions.co.uk/about/news-and-blog/what-is-the-difference-between-legitimate-interest-and-consent/>.
36- Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ German law journal.
37- GDPR (n 12).
38- GDPR (n 12).
39- GDPR (n 12).
40- Zuboff (n 4).
41- Zuboff (n 4).
42- Margaret Jane Radin, Boilerplate: The Fineprint, Vanishing Rights, and The Rule of Law (Princeton University Press 2011).
43- Zuboff (n 4).
44- Zuboff (n 4).
45- Zuboff (n 4).
46- “Recommendations for Implementing Transparency, Consent and Legitimate Interest Under the GDPR,” Centre for Information Policy Leadership, Hunton and Williams LLP, GDPR Implementation Project, May 19, 2017.

 

Bibliography – Articles:
1. Andrew D. Murray, ‘Data Transfers between the EU and UK Post Brexit?’ Oxford University Press (2017).
2. Chongwoo Choe and Zhijun Chen, ‘Google’s Merger with Fitbit Puts Our Health ‎Data at Risk. It Should Be Opposed.’ [2020] Monash Business ‎School/Economics
3. Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ German law journal
4. Ella Hafermalz, ‘Book Review – The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power’ (2021) <https://www.cairn.info/revue-management-2021-4-page-70.htm>
5. Mark Yates, ‘“Behavioral Surplus” Is Not Evil – It’s Essential to Customer Experience’ (20 May 2019) <https://blog-idceurope.com/behavioral-surplus-for-cx/>
6. Margaret Jane Radin, Boilerplate: The Fineprint, Vanishing Rights, and The Rule of Law (Princeton University Press 2011)
7. Neil M. Richards and Daniel J. Solove, Privacy’s Other Path: Recovering the Law of Confidentiality
8. Nick Barney, ‘Surveillance Capitalism’ (December 2022) <https://www.techtarget.com/whatis/definition/surveillance-capitalism>
9. Shoshana Zuboff Z, The Age of Surveillance Capitalism: The Fight for the Future at the New Frontier of Power (Profile Books 2019)
10. Victor R. Lee, ‘What’s Happening in the “Quantified Self” Movement?’ 1032
11. ‘Rape and Sexual Offences – Chapter 6: Consent’ (21 May 2021) <https://www.cps.gov.uk/legal-guidance/rape-and-sexual-offences-chapter-6-consent>
12. ‘The Main Differences between the DPD and the GDPR and How to Address Those Moving Forward’ <https://britishlegalitforum.com/wp-content/uploads/2017/02/GDPR-Whitepaper-British-Legal-Technology-Forum-2017-Sponsor.pdf>
13. ‘What Is Privacy?’ (OAIC) <https://www.oaic.gov.au/privacy/your-privacy-rights/what-is-privacy>

Bibliography – Cases:
1. Court of Justice of the European Union, ‘JUDGMENT OF THE COURT (Grand Chamber) Schrems v Data Protection Commissioner’ <https://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d2dc30dd5b610279af57461688cfc1d680446584.e34KaxiLc3qMb40Rch0SaxuRbN90?text=&docid=169195&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=356030>
2. Global Freedom of Expression/University of Columbia, ‘Reviewing Schrems v. Data Protection Commissioner’ (2016) <https://globalfreedomofexpression.columbia.edu/cases/schrems-v-data-protection-commissioner/>
3. Sagacity, ‘Consent vs Legitimate Interest – What You Need to Know’ (sagacity solutions) <https://www.sagacitysolutions.co.uk/about/news-and-blog/what-is-the-difference-between-legitimate-interest-and-consent/>
4. Schrems v Data Protection Commissioner (High Court of Ireland) [2014] High Court of Ireland C 362/14

Bibliography – Legislation:
1. European Union Data Protection Directive 1995
2. The General Data Protection Regulation 2016

Back To Top