This thesis addresses the question of how data protection law should respond
to the challenges arising from the ever-increasing prevalence of big data. The
investigation is conducted with the case study of online behavioural
advertising (OBA) and within the EU data protection legal framework,
especially the General Data Protection Regulation (GDPR). It is argued that
data protection law should respond to the big data challenges by leveraging
the regulatory options that are either already in place in the current legal
regime or potentially available to policymakers.
With the highly complex, powerful and opaque OBA network, in both
technical and economic terms, the use of big data may pose fundamental
threats to certain individualistic, collective or societal values. Despite a limited
number of economic benefits such as free access to online services and the
growth of the digital market, the latent risks of OBA call for an effective
regulatory regime on big data.
While the EU’s GDPR represents the latest and most comprehensive legal
framework regulating the use of personal data, it has still fallen short on
certain important aspects. The regulatory model characterised by
individualised consent and the necessity test remains insufficient in fully
protecting data subjects as autonomous persons, consumers and citizens in the
context of OBA.
There is thus a pressing need for policymakers to review their regulatory
toolbox in the light of the potential threats. On the one hand, it is necessary to
reconsider the possibilities to blacklist or whitelist certain data uses with
mechanisms that are either in place in the legal framework or can be
introduced additionally. On the other hand, it is also necessary to realise the
full range of policy options that can be adopted to assist individuals in making
informed decisions in the age of big data