The European Union’s data protection framework is currently under review. Stefan Strauss from the Institute of Technology Assessment at the Austrian Academy of Sciences in Vienna argues that current proposals lean towards revitalising the value of privacy and addressing key concerns over transparency and control of personal data use.
Intel has estimated that within a minute approximately 640000 GB of IP data become transferred through the online universe. An increasing amount of this data is directly or indirectly linked to our individual digital identities, not least due to the widespread use of social media. This expansion and convergence between analogue and digital environments has essentially intensified privacy implications. Privacy concepts that meet the changed requirements of handling personal information flows are long overdue. 2013 might be the year in which EU policy makers finally tackle data protection reform, and the current proposal promises to revitalise the value of privacy.
Privacy regulation – a policy vacuum?
A core problem of privacy is the imbalanced control over personal information and increasing information asymmetries between the data controller and the individual whose data are processed. This makes identity management a challenge, especially considering the significant growth of the “identity shadow”: The identity shadow consists of all data which can be used to (re-)identify an individual beyond her control.
The identity shadow reflects one’s identity and at the same time morphs it by enabling new space for re-contextualisation. Thus it extends the feasability of privacy infringement, a problem of increasing concern. A special Eurobarometer survey on data protection and identity management showed that people benefit from communicating through social media, but perceive it as strongly bound to unintended information disclosure. While most users seem to be aware of their own share of responsibility for proper handling of personal information, they lack of options for controlling their personal information flows.
Informational self-determination (ISD) is a key concept in this regard. ISD was legally well-defined by the German Constitutional Court in 1983 and had strong influence on European privacy regulation. ISD defines a state where the individual knows her personal information and is capable of controlling its processing. Core requirements are knowledge over the context in which the information is processed and (at least a certain amount of) control over the flow of personal information in that context. However, as personal information flows through an expanding array of different (digital) contexts in our networked ecosystem mostly unrecognized by the individual concerned, ISD becomes ever trickier. To handle this new complexity two more concepts are essential: privacy by design (PbD) and transparency enhancement. PbD means to equip technologies and applications with privacy features to foster ISD. Transparency is a part of privacy because the individual needs some understandable information about the contexts of the information flow. So transparency enhancement means making distinctions between one context and another more visible and controllable.
How promising is the current proposal in terms of privacy and transparency enhancement?
Against this background expectations are high for the current proposal for a new European data protection framework. The balancing act lies in addressing major privacy challenges together with considering economic aspects. Reactions to the reform are thus quite diverse ranging from envisioning the reinvention of data protection to predicting a tremendous burden to business and innovation. That some companies and industry associations react with resistance is somewhat symptomatic of the underestimated value of privacy. In fact, neglecting privacy can be detrimental to innovation and business development because it is linked to trustworthiness. Lack of privacy protection can lower a company’s credibility and thus its market value. The current proposal contains several useful suggestions where PbD can promote practices that enhance credibility. These include particular norms on data protection by design and by default, privacy impact assessments, the obligatory creation of data protection officers in companies above a specific size, and the stimulation of economic incentives for PbD through data protection seals such as EuroPriSe.
Transparency enhancement is addressed in several parts of the proposal through the following suggestions:
- an obligation for data controllers “to explicitly inform the data subject on the legitimate interests pursued” by processing of personal data
- the highlighting of purpose limitation and consent, and in cases where controllers aim to extend purpose, informed consent is required
- the obligation to notify about data breaches
- the provision to individuals’ of access to data concerning him or herself
- the right not to be subject to profiling by means of automated processing
- the right to be forgotten
Some critics argue that the reform proposed is merely old wine in new bottles as several issues date back to the beginning of discussions about privacy. On the contrary, revitalizing and adapting fundamental privacy principles to the information age is among the strengths of the current proposal. The right to be forgotten is controversial as its technical implementation presents challenges, should be understood as a crucial policy concept. Its inclusion signifies the strong demand for a paradigm shift, highlighting the need for purpose limitation and the necessity to erase data if the purpose for processing it ceases to exist.
Facilitating the free flow of information, while at the same time ensuring a high level of data protection between and across the member states in a harmonized framework is surely a tricky challenge – but also one that has to be coped with to overcome the current policy vacuum in privacy regulation. Whether the reform will succeed or not is unsure but the proposal seems promising largely because it addresses two key aspects of ISD, namely privacy by design and transparency for the user. If ISD is properly managed from both angles – PbD and transparency – consumers and businesses can benefit from a harmonized privacy framework.