
Social media companies and the impact of GDPR; has the time come for the next big step?

Most laws, whether national or regional (i.e., EU law), either protect or regulate privacy through personal data. However, none of these targets the problematic issue of the social media business model. For more on the topic of the social media business model, read Sara’s article: Surveillance capitalism and social media companies; has the time for regulation finally come?

In the UK, the Data Protection Act (DPA) 2018 was implemented because of the EU General Data Protection Regulation, the so-called GDPR. [1] Such legislation protects people’s personal data from businesses and public bodies, covering the fair, legal and transparent use of data, its destruction after a certain period of time, and additional legal protection for sensitive information such as sexual orientation, health, ethnicity or religious and political opinions. [2] The DPA 2018 also imposes high fines for breaches concerning the use of personal data. [3]

Photo by Christian Dina on Pexels (Edited)

With anti-vaccine campaigns flooding social media, the UK is in the process of implementing stricter regulation, notably over illegal content and disinformation or misinformation. [4] This new regulatory framework will concern harmful content, such as cyberbullying, age-inappropriate content, as well as the promotion of violence. [5] It will also appoint Ofcom as an independent regulator to ensure fair control and compliance enforcement while protecting the right to freedom of expression. [6]

The main weakness identified in this new regulatory framework proposal is that it avoids addressing the issue of surveillance capitalism: the ‘personalised-advertising, algorithm-fuelled, maximized-engagement-at-any-cost business model’ of social media/internet companies which contributes largely to the development of a noxious online environment. [7] Whereas regulating harmful content and the collection of personal data is definitely a helpful step, the new framework has missed the issue of surveillance capitalism, for example, by not banning the behavioural manipulation behind customised advertising or related content. [8]

On internet and data protection regulation, many countries, mainly in Africa, Asia and South America, have limited or no laws on the issue. [9] In contrast, Europe, North America, China and Australia possess heavy regulation and enforcement of data protection. [10] Despite tougher regulations in the so-called Western world, much of that legislation still misses the core issues encompassed under the umbrella of the social media business model.

EU Member States follow the GDPR. In addition, Germany has passed a series of laws addressing internet safety. [11] Its latest law requires large companies to set up procedures for complaints concerning published content, and obliges them to remove such illegal content within 24 hours. [12] As a result of this law, in 2019, Facebook was fined 2 million euros by the German government for ‘under-reporting illegal activity on its platforms’. [13]

The EU has proposed several measures dealing with internet safety, such as the ePrivacy Regulation on the confidentiality of electronic communication, privacy control and regulation of internet cookie consent, but this instrument has not been adopted yet. [14] The European Commission has also issued a recommendation to its Member States on ‘measures to effectively tackle illegal content online’. [15] However, EU recommendations are not binding for its Member States.

The most significant piece of legislation, put in place in 2018, concerns the protection of data at the European level, a regulation imposing direct legal effect on EU Member States. The GDPR’s core principles are to process data in a fair and lawful manner, to limit the purpose of data, as well as data minimisation and storage limitations. [16] It requires companies to inform individuals of such data collection processes and about their data protection rights. [17] Whilst the GDPR only covers personal data, which is no doubt very important to protect the privacy of individuals, it fails to address the use of behavioural data. [18]

As a result, the GDPR offers insufficient protection against the collection and analysis of users’ behavioural data and any subsequent predictions made by social media companies. This matters because such conduct causes the behavioural modification and manipulation of the internet itself and, importantly, of the respective behaviour of social media users. [19]

Such companies manoeuvre outside the reach of the GDPR or any other similar legal mechanisms, in legal systems where they can keep using behavioural data abundantly, while complying with the GDPR and related rules on personal data in those countries where this is required. When they do not, their international presence and commercial authority enable them to pay the fines caused by such breaches.


[1] European Parliament and Council of European Union (EC) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [2016] OJ L119.
[2] 'Data Protection' (GOV.UK, 2021) accessed 6 January 2021.
[3] ibid.
[4] 'UK Leads The Way In A ‘New Age Of Accountability’ For Social Media' (GOV.UK, 2020) accessed 6 January 2021.
[5] House of Commons Briefing Paper 8743 (26/02/2020) 2.
[6] ibid 3.
[7] Blaine Haggart and Natasha Tusikov, 'What The U.K.’S Online Harms White Paper Teaches Us About Internet Regulation' (The Conversation, 2019) accessed 6 January 2021.
[8] ibid.
[9] 'DLA Piper Global Data Protection Laws Of The World - World Map' (, 2021) accessed 6 January 2021.
[10] ibid.
[11] 'Law In Germany - DLA Piper Global Data Protection Laws Of The World' (, 2021) accessed 6 January 2021.
[12] 'Social Media: How Do Other Governments Regulate It?' (BBC News, 2020) accessed 6 January 2021.
[13] ibid.
[14] 'The EU ePR (ePrivacy Regulation) | What You Need To Know' ( accessed 6 January 2021.
[15] Commission Recommendation on measures to effectively tackle illegal content online [2018] OJ 1 1177.
[16] 'What Are The Main Aspects Of The General Data Protection Regulation (GDPR) That A Public Administration Should Be Aware Of?' (European Commission - European Commission, 2021) accessed 6 January 2021.
[17] ibid.
[18] 'What Data Can We Process And Under Which Conditions?' (European Commission - European Commission, 2021) accessed 6 January 2021.
[19] Jane Andrew, ‘The General Data Protection Regulation in the Age of Surveillance Capitalism’ (2019) Springer Journal of Business Ethics 11.
