The European Union’s data protection framework is currently under review. Stefan Strauss argues that current proposals lean towards revitalising the value of privacy and addressing key concerns over transparency and control of personal data use.
Intel has estimated that every minute approximately 640000 GB of IP data are transferred through the online universe. An increasing amount of this data is directly or indirectly linked to our individual digital identities, not least due to the widespread use of social media. This expansion and convergence between analogue and digital environments has massive privacy implications, and privacy concepts that meet the changed requirements for handling flows of personal information are long overdue. 2013 might be the year in which EU policy makers finally tackle data protection reform, and the European Commission’s current proposal promises to revitalise the value of privacy.
Privacy regulation – a policy vacuum?
A core problem of privacy is the imbalanced control over personal information and the increasing information asymmetries between the data controller and the individual whose data are processed. This makes identity management a challenge, especially considering the significant growth of the “identity shadow”. The identity shadow, illustrated in Figure 1, below, consists of all data which can be used to (re-)identify an individual beyond her control.
Alice enters information in various context while information about her use and devices is also gathered, but is she aware of how they are linked and the shadow of information she leaves?
Source: Figure adapted from Strauß 2011 p. 211
The identity shadow reflects one’s identity and at the same time morphs it by enabling new space for re-contextualisation. This it also makes privacy infringement a greater possibility, a problem of increasing concern. A special Eurobarometer survey on data protection and identity management showed that people benefit from communicating through social media, but perceive it as strongly bound to unintended information disclosure. While most users seem to be aware of their own share of responsibility for proper handling of personal information, they lack of options for controlling their personal information flows.
Informational self-determination (ISD) is a key concept in this regard. ISD defines a state where the individual knows her personal information and is capable of controlling how it is processed. ISD was legally well-defined by the German Constitutional Court in 1983 and had strong influence on European privacy regulation. The core requirements for IDS are knowledge over the context in which the information is processed and (at least a certain amount of) control over the flow of personal information in that context. However, as personal information flows through an expanding array of different (digital) contexts in our networked ecosystem mostly unrecognized by the individual concerned, ISD becomes ever trickier. To handle this new complexity two more concepts are essential: privacy by design (PbD) and transparency enhancement. PbD means to equip technologies and applications with privacy features to foster ISD. Transparency is a part of privacy because the individual needs some understandable information about the contexts of the information flow. So transparency enhancement means making distinctions between one context and another more visible and controllable.
How promising is the current proposal in terms of privacy and transparency enhancement?
Against this background expectations are high for the current proposal for a new European data protection framework. The balancing act lies in addressing major privacy challenges together with considering economic aspects. Reactions to the reform are thus quite diverse ranging from envisioning the reinvention of data protection to predicting a tremendous burden to business and innovation. That some companies and industry associations react with resistance is somewhat symptomatic of the underestimated value of privacy. In fact, neglecting privacy can be detrimental to innovation and business development because it is linked to trustworthiness. Lack of privacy protection can lower a company’s credibility and thus its market value. The current proposal contains several useful suggestions where PbD can promote practices that enhance credibility. These include particular norms on data protection by design and by default, privacy impact assessments, the obligatory creation of data protection officers in companies above a specific size, and the stimulation of economic incentives for PbD through data protection seals such as EuroPriSe.
Transparency enhancement is addressed in several parts of the proposal through the following suggestions:
- an obligation for data controllers “to explicitly inform the data subject on the legitimate interests pursued” by processing of personal data
- the highlighting of purpose limitation and consent, and in cases where controllers aim to extend purpose, informed consent is required
- the obligation to notify about data breaches
- the provision to individuals’ of access to data concerning him or herself
- the right not to be subject to profiling by means of automated processing
- the right to be forgotten
Some critics argue that the reform proposed is merely old wine in new bottles as several issues date back to the beginning of discussions about privacy. On the contrary, revitalizing and adapting fundamental privacy principles for the information age is among the strengths of the current proposal. The right to be forgotten is controversial as its technical implementation presents challenges, should be understood as a crucial policy concept. Its inclusion signifies the strong demand for a paradigm shift, highlighting the need for purpose limitation and the necessity to erase data if the purpose for processing it ceases to exist.
Facilitating the free flow of information, while at the same time ensuring a high level of data protection between and across the member states in a harmonized framework is surely a tricky challenge – but also one that has to be coped with to overcome the current policy vacuum in privacy regulation. Whether the reform will succeed or not is uncertain, but the proposal seems promising largely because it addresses two key aspects of ISD, namely privacy by design and transparency for the user. If ISD is properly managed from both angles – PbD and transparency – consumers and businesses can benefit from a harmonized privacy framework.
Digital identities and their “shadows” are explicitly included for instance in Art. 4 (1) of the proposal, which refers to direct or indirect identification ‘(…) in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;’ (Art. 4 (1)).
This article originally appeared on the LSE Media Policy Project’s blog.
Note: This article gives the views of the author, and not the position of EUROPP – European Politics and Policy, nor of the London School of Economics.
Shortened URL for this post: http://bit.ly/16mwaL9
About the author
Stefan Strauss – Austrian Academy of Sciences, Vienna
Stefan Strauss is a researcher at the Institute of Technology Assessment at the Austrian Academy of Sciences in Vienna. His research focuses on the steering mechanisms of information systems (e-governance) and their impacts on political processes, identity construction, surveillance and privacy protection.