specific efforts by operators to render this right more effective and“ easy to exercise” 50.
In sum, increased transparency, more powerful rights of access, and effective opt-out mechanisms, together with strengthened powers of supervisory authorities 51 feature preconditions to allow users’ control over their data in the big data context. Yet, so far, these views seem to have hardly been incorporated into the new data protection regime.
Against this background, it is legitimate to infer that the policy options embedded in the GDPR offer better explanations for the prominence of selfregulatory approaches than technological change alone. As happened with other ICT as they emerged, the EU legislator has not really explored all possible means to protect the fundamental rights and values threatened by big data technologies( Gonçalves, Gameiro, 2012, p. 320 ff).
5. Conclusion
The current data protection reform seemingly fails to cope with the dynamics of big data technologies, and to provide the appropriate caution that should be expected from a law designed to protect a fundamental human right. Notwithstanding the ambition of the novel regulation, the decision-making power on what and how to collect, store, process and apply personal information is turning to the operators and data controllers to the disadvantage of data subjects and supervisory authorities. Technological conditions, namely the automatisation inherent to data mining and data analytics, render the effectiveness of key data protection principles harder to pursue. But it is also true that the suppleness of the regime is being boosted by the Regulation’ s own emphasis on self-regulatory modes.
To a certain extent, this trend follows up from the legitimate interest exception and the compatibility assessment requirement upon which the EU data protection regime has relied since its inception. Today, however, the big data context paves the way for an ampler margin for the operators to summon their legitimate interest and avoid the consent of the data subjects. The GDPR’ s leaning towards self-regulatory approaches relying on risk assessment and management and notification of breaches, as well as on self-defense by Internet users, seemingly guided by the intent not to impair technological innovation and competitiveness in the Digital Single Market, ends up favouring the movement of personal data to the detriment of the rights of the data subjects. So, rather than a specific difficulty of EU law to cope with technological progresses in the ICT domain, the preference for self-regulatory approaches to personal data protection may be better accounted for by the inherent policy choices. Though somehow paradoxically, the novel EU data protection regime thus seems to being used as an indirect means of driving technological innovation.
50 European Data Protection Supervisor, Opinion 7 / 2015, p. 11.
51 European Data Protection Supervisor, Opinion 7 / 2015, p. 17.
59