PROTECTING CONSUMER DATA IN A PARTICIPATORY ECONOMY

Student's Name
PhD Proposal - Page 1 of 19

Abstract

This proposal describes the best model for consumer data protection in a participatory

economy. It also elaborates on the effects expected for UK consumers after the occurrence of

Brexit regarding data protection laws. It examines the changes in the law that could affect

consumers in the UK market when they are no longer part of the EU participatory economy. This

is explained using the example of Uber business, which has attained a high number of customers,

thus disrupting traditional taxis. The proposal also explains why the “General Data Protection

Regulation (GDPR) from the EU” legislation is the best regulation for consumer data protection

in a participatory economy.
PhD Proposal - Page 2 of 19

Protecting Consumer Data for Consumers in a Participatory Economy

1. Introduction

A participatory economy is one where major decision are made as a group. The European

Union is a participatory economy because overall market decisions are made jointly by member

nations. The EU economy has regulations that prescribe how member nations operate. Included

in those regulations is the General Data Protection Regulation, which purports to protect and

enforce customer privacy rights.1 If a member nation leaves the EU but continues to do business

with it, the remaining member nations lose their ability to have a direct impact on how the

former member nation operates in light of EU laws and regulations. Nations that were part of the

EU may leave certain regulations to the EU instead of promulgating them internally and must

figure out how to handle them when it leaves. The United Kingdom will have to either adopt the

GDPR or otherwise adopt a new law that protects the privacy of consumer data. In analysing

what the UK should do to protect consumer data, it is important to analyse the purposes of

consumer data protection regulations. The best consumer data protection regulations create a

balance between the need to protect the self-interest of customers and that of businesses. 2

Protection also promotes fair competition in the market, where no single player can utilize

private information at the expense of competitors.

States are allowed to have their interpretation of the GDPR and make certain adjustments

to the law. The law provides an opportunity for the state's legislature to amend the law to match

the needs of the states. They are allowed quite a bit leeway in GDPR just like any laws. States

are permitted to act like independent countries within the federal government. The EU also

1
S Al-Mamari and J Devenney, ‘General Principles of Consumer Protection in e-Commerce Trade: A Comparative
Study between Islamic Law and EU Laws’ (dissertation)
2
‘General Data Protection Regulation’ (InTouch Systems) <https://www.intouchsystems.co.uk/gdpr> accessed 9
March 2020
PhD Proposal - Page 3 of 19

allows the member countries to slightly leeway from GDPR to match the needs of the country.

They do not have to adhere to the regulations strictly.

1.1 Aims and Objectives

The paper’s main objectives are to identify the qualities of the best consumer data

protection model and the effect of Brexit on data protection in the UK.
PhD Proposal - Page 4 of 19

2. Literature Review

When the UK leaves the EU, it should adopt the GDPR instead of creating its own

consumer data privacy regulation because the GDPR is an adequate regulation for managing

consumer data privacy. There is no need for the UK to reinvent the wheel. The GDPR meets the

necessity for good consumer data privacy regulation. The best consumer data protection

regulation is one that enables the lawful processing of data while ensuring fairness and

transparency when processing consumer data. The first element ensures that data belonging to a

customer cannot be processed without legal approval. The second element ensures that the

processing enhances fairness and transparency concerning consumer data. 3 One of the principles

the GDPR is created upon is ensuring that all processing is legal. It also meets the need to

enhance fairness and transparency with customer data.4

The advantages of the GDPR are that it is a regulatory framework that ensures that data

exchange is appropriately governed. In the participatory economy of the EU, all member nations

must understand and agree on how to treat consumer data. Otherwise, the necessary transparency

that drives a participatory economy is lost. The GDPR encourages companies to have a plan that

protects the processes of collection of data, its use, and its storage, and eventually its

destruction5. The GDPR legislation ensures that customer data is appropriately used and that

companies find ways to prevent the exploitation of the customers through access by third parties.

If the UK continues with the GDPR, it can implement plans to cater to the needs of the

consumer and their privacy6. The GDPR legislation allows the country’s legal systems and

3
I Graef, T Tombal, and AD Streel, ‘Limits and Enablers of Data Sharing. An Analytical Framework for EU
Competition, Data Protection and Consumer Law’ (2019) SSRN Electronic Journal
4
‘General Data Protection Regulation’ (InTouch Systems) <https://www.intouchsystems.co.uk/gdpr> accessed
March 9, 2020
5
Pavlovic, Dusan. "Self-exclusion mechanism and GDPR principles." (2019).
6
. Duncan, Bob, Andreas Happe, and Alfred Bratterud. "Achieving GDPR Compliance with
Unikernels." International Journal on Advances in Security Volume 11, Number 3 & 4, 2018 (2018).
PhD Proposal - Page 5 of 19

companies to recognize and protect the privacy of the customer. In the past, customer data could

be collected without the customer’s consent, and the companies then used the data for activities

that the customer was not aware of 7. Large data firms could obtain data from companies and

would have few if any consequences as a result of the data misuse. The GDPR provides a

mechanism when companies mishandle customer data. Firms have re-evaluated their data

security measures and have put emphasis on how consumer data should be handled and protected

from unauthorized access. Companies now use the GDPR to protect themselves from legal action

that comes from the breaches8. Companies that follow the GDPR guidelines with respect to

protecting consumer data are protected from liability 9. There are specific elements to the

protection, including the need for a data protection controller and processor. Furthermore, the

law requires companies to notify customers of the data breach promptly. Further, when

companies use new technologies, they are required to create a plan to manage the technology

against violations.

Companies have realized that consumers are vital, and the violation of privacy can have

negative effects on their business10. The GDPR does not favour third party relationships in the

sharing of the data. They are seen as more likely to bring a breach of privacy of the data because

they do not have direct contractual agreements with customers. The GDPR legislation of

protecting consumer data recognizes breaches are common when there is a long chain of

responsibility in the data.

7
Lachaud, Eric. "Adhering to GDPR codes of conduct: A possible option for SMEs to GDPR certification." Journal
of Data Protection & Privacy 3, no. 1 (2019): 48-68.
8
Sarkar, Subhadeep, Jean-Pierre Banatre, Louis Rilling, and Christine Morin. ".
9
S. Sirur, J. Nurse and H. Webb "Are we there yet? Understanding the challenges faced in complying with the
General Data Protection Regulation (GDPR)." In Proceedings of the 2nd International Workshop on Multimedia
Privacy and Security, (2018) 88-95.
10
Addis, Maria Chiara, and Maria Kutar. "The general data protection regulation (GDPR), emerging technologies
and UK organisations:
PhD Proposal - Page 6 of 19

The consumers’ data is legally protected to ensure that the customers are protected from

illegal uses. For instance, companies might use customer data customers to engage in marketing

activities without the consent of the consumer. The GDPR is fair because it protects customers

from the company exploiting data and failing to compensate the customer for the data adequately

use11. The regulation aims to protect the rights of both parties. Fairness arises from protecting

those rights to ensure that both the consumer and the company can flourish in a competitive

market economy12.

In addition to requiring companies to compensate customers, the GDPR concomitantly

protects companies from nefarious uses of data by outsiders. For example, ensuring that third

parties do not access data improperly 13. For instance, the location data that the consumer

provides to Uber drivers are protected by ensuring that third parties cannot access it for other

purposes. The inability of drivers to use location data for personal gain is an aspect of fairness.

Even though the UK should adopt the GDPR, it still has limitations. It is the main aim to

bring fairness and transparency to customers and how they can transact. However, it does not

require companies to explain data risks to customers. The GDPR does not push for the training

and education of consumer on their data privacy, and it would be inaccurate to state that the

regulation was designed with customer education in mind. Instead, the GDPR was designed by a

government entity without having customer input. The regulation would be more effective if it

first understood the needs of consumers and the preferences on data privacy14.

11
Diker Vanberg, Aysem, and Mehmet B. Ünver. "The right to data portability in the GDPR and EU competition
law: odd couple or dynamic duo?." European Journal of Law and Technology 8, no. 1 (2017).
12
Graham, Georgina, and Ashley Hurst. "GDPR enforcement: How are EU regulators flexing their muscles?." IQ:
The RIM Quarterly 35, no. 3 (2019): 20.
13
Linden, Thomas, Rishabh Khandelwal, Hamza Harkous, and Kassem Fawaz. "The privacy policy landscape after
the GDPR." Proceedings on Privacy Enhancing Technologies 2020, no. 1 (2020): 47-64.
14
Gal, Michal, and Oshrit Aviv. "The Unintended Competitive Consequences of the GDPR." Journal of
Competition Law and Economics, Forthcoming (2020).
PhD Proposal - Page 7 of 19

The GDPR also does not protect the consumer data from benefitting companies 15.

Consumers’ data has been used to profit companies without the consumers realizing that their

personal data is used by the companies to enrich themselves. The GDPR should be able to cover

all the aspects of the consumer data. Failure to protect the consumer data in the case of Uber can

cause loss of huge amounts of data, which could lead to a crisis on the part of the company and

the consumer. The company could lose payment information from the consumer. The consumer

could risk being manipulated to pay double the price of the company services.

The GDPR can thus be considered fair and transparent despite its limitations. The

provisions of the legislation are grounded on the EU law. After Brexit, the UK should maintain

the GDPR legislation for its consumer protection because it is fair and effective¸ because it limits

the use of data by companies.

Per Regulation (EU) No 575/2013, any whistleblower can be protected in any of the

member states of the EU. The country that has breached the regulations of the union is to receive

sanctions from the member states until they rectify the mistake. Protecting the whistleblowers

provide an opportunity for people to come forward to the union and report the wrongdoings of

their country.

3. Methodology and Design

The study will use a literature review approach. Specifically, the study will look at past

data collected by other researchers and analyse the information.

3.1. Research Subject and Sampling

The research will be looking at secondary sources determining whether or not privacy

laws have a significant impact on how safe customers feel about their data.

15
Teixeira, Gonçalo Almeida, Miguel Mira da Silva, and Ruben Pereira. "The critical success factors of GDPR
implementation: a systematic literature review." Digital Policy, Regulation and Governance (2019).
PhD Proposal - Page 8 of 19
PhD Proposal - Page 9 of 19

4. Ethical Considerations

This study has no significant ethical concerns as it will not work with any participants.

5. Expected Outcomes and Contributions

This study should determine how effectively companies follow the data protection

protocols outlined in the GDPR.

6. Correlation with the School of Law Research

My research interest supports reforms aimed at strengthening consumer protection. This

also relates to Professor Willett’s major legislative reform of laws, policies and regulations in

UK consumer law.16

Various scholars from the Research Cluster of Commercial Law at the School of Law,

University of Essex, are focusing academic efforts on consumer protection. My research interest

in examining the role of the UK’s digital economy consumer protection is significant in light of

Brexit. The research proposal is also aligned with the School of Law’s current research priorities.

In particular, the proposal is aligned with Professor Christopher Willett’s 17 interests in UK

consumer and contract law, the quality and safety of goods and services as well as unfair terms

and conditions; Dr. Andrea Fejos’s18 interests in the consumer in the digital age, consumer

protection and new technologies and post-crisis, a new direction in consumer protection; and Dr.

16
Professor Christopher Willett, University of Essex [website] <https://www.essex.ac.uk/people/wille56200/
christopher-willett> accessed 30 December 2019
17
Professor Christopher Willett, University of Essex [website] <https://www.essex.ac.uk/people/wille56200/
christopher-willett> accessed 30 December 2019
18
Andrea Fejos, University of Essex [website] <https://www.essex.ac.uk/people/fejos32004/andrea-fejos> accessed
30 December 2019
PhD Proposal - Page 10 of 19

Onyeka Osuji’s19 interests in consumer protection and online lending, consumer protection,

sustainable development and Credit, Consumers and the Law: After the Global Storm.

19
Dr Onyeka Osuji, University of Essex [website] <https://www.essex.ac.uk/people/osuji09409/onyeka-osuji>
accessed 30 December 2019
PhD Proposal - Page 11 of 19

8. WORK PLAN

Milestone for Year 1

Milestone Estimated Completion Time

Preliminary study review 5-6 months

Writing study background, research aims and

6 weeks
objectives

Milestone for Year 2

Milestone Estimated Completion Time

Study outline 2-3 weeks
Describe study methodology 5 weeks
Analyzing statistical results using SPSS 3 months
PhD Proposal - Page 12 of 19

Milestones for Year 3

Milestone Estimated Completion Time

Posting quantitative results 5 weeks
Analyzing findings and extracting inferences 5 weeks
Reviewing the first draft 5 months
Defending thesis 6 weeks
Final reviews 2 months
Final draft submission 3 weeks

9.0 RESOURCES

Resource Estimate Costs

Technological devices $3,500
Scholarly materials $100
Printing costs $500
Travelling costs $1,500
Tokens to participants $500
Tape recorders $1,000
Total budget $6,600
PhD Proposal - Page 13 of 19

Bibliography

Addis, Maria Chiara, and Maria Kutar. "The general data protection regulation (GDPR),

emerging technologies and UK organizations: awareness, implementation and readiness."

In Proceedings of the UK Academy for Information Systems Conference Proceedings,

Oxford, UK, pp. 20-21. 2018.

Al-Mamari S and Devenney J, ‘General Principles of Consumer Protection in e-Commerce

Trade: a Comparative Study between Islamic Law and EU Laws’ (dissertation)

Brill J, ‘The Intersection of Privacy and Consumer Protection’(2018) The Cambridge

Handbook of Consumer Privacy 355

Butler, Oliver. "Obligations imposed on private parties by the GDPR and UK Data Protection

Law: Blurring the public-private divide." European Public Law 24, no. 3 (2018): 555-572.

Chua HN and others, ‘Compliance to Personal Data Protection Principles: A Study of How

Organizations Frame Privacy Policy Notices’ (2017) Telematics and Informatics 34, 157-170

Diker Vanberg, Aysem, and Mehmet B. Ünver. "The right to data portability in the GDPR

and EU competition law: odd couple or dynamic duo?." European Journal of Law and

Technology 8, no. 1 (2017).

Duncan, Bob, Andreas Happe, and Alfred Bratterud. "Achieving GDPR Compliance with

Unikernels." International Journal on Advances in Security Volume 11, Number 3 & 4,

2018 (2018).
PhD Proposal - Page 14 of 19

Gal, Michal, and Oshrit Aviv. "The Unintended Competitive Consequences of the

GDPR." Journal of Competition Law and Economics, Forthcoming (2020).

“General Data Protection Regulation” (InTouch Systems)

<https://www.intouchsystems.co.uk/gdpr> accessed March 9, 2020.

Graef I, Clifford D, and Valcke P, ‘Fairness and Enforcement: Bridging Competition, Data

Protection, and Consumer Law’ (2018) International Data Privacy Law 8, 200-223

Graef I, Tombal T, and Streel AD, ‘Limits and Enablers of Data Sharing. An Analytical

Framework for EU Competition, Data Protection and Consumer Law’ (2019) SSRN

Electronic Journal

Greenleaf G and Tian G, ‘Data Protection Widened by China's Consumer Law Changes’

(2013) Privacy Laws & Business International Report 126, 27-28

HN Chua and others, ‘Compliance to Personal Data Protection Principles: A Study of How

Organizations Frame Privacy Policy Notices’ (2017) 34 Telematics and Informatics 157-170

J Brill, ‘The Intersection of Privacy and Consumer Protection’ The Cambridge Handbook of

Consumer Privacy 355

Kemp K and Buckley RP, ‘Protecting Financial Consumer Data in Developing Countries: An

Alternative to the Flawed Consent Model’ (2017) Georgetown Journal of International

Affairs 18, 35-46

King NJ and Forder J, ‘Data Analytics and Consumer Profiling: Finding Appropriate Privacy

Principles for Discovered Data’ (2016) Computer Law & Security Review 32, 696-714
PhD Proposal - Page 15 of 19

Kirillova EA, ‘The Principles of the Consumer Right Protection in Electronic Trade: A

Comparative Law Analysis’ (2016) International Journal of Economics and Financial Issues

6, 117-122

La Diega GN, ‘Uber Law and Awareness by Design. An Empirical Study on Online

Platforms and Dehumanized Negotiations’ (2015) European Journal of Consumer Law 2,

383-413

Lachaud, Eric. "Adhering to GDPR codes of conduct: A possible option for SMEs to GDPR

certification." Journal of Data Protection & Privacy 3, no. 1 (2019): 48-68.

Linden, Thomas, Rishabh Khandelwal, Hamza Harkous, and Kassem Fawaz. "The privacy

policy landscape after the GDPR." Proceedings on Privacy Enhancing Technologies 2020,

no. 1 (2020): 47-64.

Mantelero A, ‘The Future of Consumer Data Protection in the E.U. Re-Thinking the ‘Notice

and Consent’ Paradigm in the New Era of Predictive Analytics’ (2014) Computer Law &

Security Review 30, 643-660

Mckim CA, ‘The Value of Mixed Methods Research’ (2016) Journal of Mixed Methods

Research 11, 202-222

Mercer Shannon Togawa, ‘The Limitations of European Data Protection As A Model For

Global Privacy Regulation’ (2020) AJIL Unbound 114, 20-25 doi:10.1017/aju.2019.83

PhD Proposal - Page 16 of 19

Mohajan Haradhan Kumar, ‘Two Criteria for Good Measurements in Research: Validity and

Reliability’ (2017) Annals of Spiru Haret University. Economic Series 17, no. 4, 59-82

doi:10.26458/1746

Pavlovic, Dusan. "Self-exclusion mechanism and GDPR principles." (2019).

Pierce TW, ‘Ethical Considerations for Student-Based Reminiscence Projects’ (2019) The

International Journal of Reminiscence and Life Review 6, 34-39

Rasalam James and Raymond Elson, ‘Cybersecurity and management’s ethical

responsibilities: the case of Equifax and Uber’ (2019) Global Journal of Business Pedagogy

3, no. 3, 8-15

Sarkar, Subhadeep, Jean-Pierre Banatre, Louis Rilling, and Christine Morin. "Towards

Enforcement of the EU GDPR: Enabling Data Erasure." In 2018 IEEE International

Conference on Internet of Things (iThings) and IEEE Green Computing and

Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom)

and IEEE Smart Data (SmartData), pp. 222-229. IEEE, 2018.

Sirur, S., J. Nurse and H. Webb "Are we there yet? Understanding the challenges faced in

complying with the General Data Protection Regulation (GDPR)." In Proceedings of the 2nd

International Workshop on Multimedia Privacy and Security, (2018) 88-95.

Skok Walter and Samantha Baker, ‘Evaluating the Impact of Uber on London's Taxi Service:

A Strategic Review’ (2018) Knowledge and Process Management 25, no. 4, 232-246

doi:10.1002/kpm.1575
PhD Proposal - Page 17 of 19

Teixeira, Gonçalo Almeida, Miguel Mira da Silva, and Ruben Pereira. "The critical success

factors of GDPR implementation: a systematic literature review." Digital Policy, Regulation

and Governance (2019).