GDPR as an Instance of Neoliberal Governmentality

On 18 November 2022, Schiller International University organized a global online seminar to discuss the General Data Protection Regulation (GDPR) of the European Union that entered into force in 2018 and is widely seen as a ‘gold standard’ for personal data protection. The central provision is the requirement that individual users should consent in a ‘clear affirmative action’ to the processing of their data for it to be considered legal.  

Dr. Ivan Manokha emphasized to what extent GDPR is in fact an instance of neoliberal governmentality – which is 1. the assumption that proper functioning of the market will not arise spontaneously but through an active state policy, which should take the form of indirect intervention; and 2. involves a devolution of responsibility to individuals for their well-being and for managing various risks.  GDPR effectively places the responsibility for managing risks of personal data processing on individuals themselves. 

What are the implications of this? In practice, the way the procedure for giving consent operates hardly enables individual responsibility to be exercised, for individual users are presented with non-negotiable ‘take-it-leave’ contracts – various terms of service (TOS) or privacy policies – that they are requested to accept by ticking a box or clicking on the ‘Agree’ button in order to get access to the service. With limited resources at their disposal, the absolute majority of users mechanically accept these agreements without ever consulting them.  

From the perspective of the GDPR, however, such mechanical acceptance constitutes ‘informed consent’ and renders the processing of personal data legal. For firms that use personal data for business purposes, this arrangement is ideal. Indeed, it constructs their relationship with individual users that is based on constant privacy as a legitimate and fair transaction between equal partners and enables data markets to grow further.  

In other words, the GDPR normalizes the functioning of the data market by reinforcing the distinction between ‘legal’ and ‘illegal’ collection of personal data, with only the latter being constructed as problematic. Indeed, when data leaks happen – and they do occur frequently – they are viewed as ‘data thefts’, and various private and public actors express their outrage. Often, they are also highly mediatized as were, for example, the case with Cambridge Analytica and other big data breaches.  

At the same time, incomparably larger amounts of personal data are collected on a daily basis by various service providers from users who have simply ticked the box or hit the ‘Accept’ button, which does not generate any public outcry for it is seen as legitimate. The GDPR (and similar regulations) effectively make a distinction between ‘legal’ and ‘illegal’ privacy invasion, with only the latter being designated as unacceptable, while the former ends up being further normalized and objectified.  

Obviously, this makes an important contribution to the legitimacy of actors engaged in data monetization and thereby helps them carry on with their business models that are based on privacy invasion. One may distinguish two ways in which firms use personal data: 1. data processing as the main source of profits, as well as 2. data processing as an auxiliary source of earnings.  

As a conclusion, with the arrival of the GDPR as the ‘gold standard’ of data protection, nothing has really changed with respect to the use of private data: the number of subscribers to different platforms and services, not only did not diminish, but continued to grow at the same rate. The same applies to profits generated by firms that use personal data. The only thing that has changed is that now these activities, – once the user clicked on the ‘Accept’ button – acquire a legal status. It might sound too harsh but for firms that use personal data for business purposes this arrangement is ideal. 

* Dr. Ivan Manokha teaches International Relations & Diplomacy at Schiller International University in Paris. In his research, he investigates the relationship between neoliberal governmentality and individual rights, and more recently he has worked on the implications of new technologies of surveillance and data collection and processing for human rights. His most recent publications focus on self-censorship and self-discipline in the context of digital surveillance, as well as on the transformation of personal data into a commodity that is being used to generate profits by different actors operating in the global data economy. 

This event was convened by Dr. Myriam Benraad, Global Academic Chair in International Relations & Diplomacy at Schiller International University.