Data Protection Day

By Dr Jose Tomas Llanos, Research Fellow in PACE (Privacy Aware Cloud Ecosystems) at UCL STEaPP

Data Protection Day (or Data Privacy Day outside Europe) is an international holiday held every year on 28 January. The declared purpose of this holiday is “to give everyone a chance to understand what personal data is collected and processed and why, and what our rights are with respect to this processing.”[1] The date was not randomly chosen: it is the anniversary of the opening for signature, in 1981, of Council of Europe’s Convention 108 for the Protection of individuals with regard to automatic processing of personal data.[2]

Convention 108 introduced the concept of ‘protection of personal data’, as well as important data protection principles that were later enshrined in the Data Protection Directive[3] and included (in a somewhat more elaborate fashion) in the General Data Protection Regulation (GDPR)[4]: personal data must be obtained and processed fairly and lawfully (lawfulness and fairness); stored for specified and legitimate purposes and not used in a way incompatible with those purposes (purpose limitation); adequate, relevant and not excessive in relation to the purposes for which they are stored (i.e. data minimisation); accurate and, where necessary, kept up to date (accuracy); and preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored (storage limitation).[5]

Let us take a step back and put these developments into context. The notion of personal data protection and most of the core principles that guide our current data protection regulatory framework were elaborated in the early 80s, that is, at a time where mullets were popular,[6] the ‘Walkman’ had just been launched into the market,[7] and of more relevance to our discussion, there was no Internet, no smartphones, and consequently no large-scale, pervasive and relentless personal data collection by for-profit entities. Accordingly, one could admire the foresight of Convention 108’s drafters.[8] Very few people could have anticipated the technological advances that enabled the emergence of data-driven business models under which personal data are the currency to pay to access a product or service (think of Google and Facebook), let alone the extent of surveillance conducted for the sake of targeted ads and content personalisation. The protection of personal data and the data protection principles set out in Convention 108 are more important than ever in our ‘information economy’.[9]

Alternatively, one could criticise the insistence in concepts and principles that seem no longer appropriate and/or are not duly observed. In the world of big data, valuable and often unexpected insights, predictions and inferences are extracted from the processing of seemingly innocuous and unrelated data sources. This reality strikes at the core of the purpose limitation and data minimisation principles (to name a few), as the collection of more data increases the likelihood of valuable information being yielded, and data processed for one or more specific purposes often leads to unrelated (i.e. incompatible) outcomes. Crucially, ‘lawful’ processing of personal data requires a legal basis, the most common of which is data subjects’ consent. Yet, the ‘notice and consent’ mechanism is broken. We, data subjects (or users, depending on the angle), are bombarded with data processing notices and complex terms of service which we are supposed to fully read and understand to signify our agreement to the processing of our personal data. In reality, we just ‘tick the box’ without reading and understanding anything, thereby ‘authorising’ highly privacy-intrusive operations. As a natural consequence, we do not know “what personal data is collected and processed and why, and what our rights are with respect to this processing”. In the light of this regulatory failure, should consent retain the importance it once had when personal data processing was a rather sporadic phenomenon?[10]

The Data Protection Day is a good opportunity to reflect on the strength and appropriateness of our data protection laws, and in particular to think about potential ways to promote individuals’ data protection rights in manner compatible with technological progress and innovation. Convention 108’s notions and principles, as later developed and enshrined in subsequent regulations and statutes, are for the most part sound and adequate. However, if taken literally, they risk placing an unacceptable burden on data subjects and becoming ineffective. It is submitted that new approaches are required to adapt data protection enforcement to the reality of our information economy, in an attempt to restore the meaning of data protection concepts and principles that seem increasingly obsolete.

In the PACE (Privacy Aware Cloud Ecosystems) project being conducted at UCL STEaPP (in conjunction with Cardiff University and Newcastle University), we are working to devise and realise one of such approaches. We acknowledge the significance of consent, but at the same time are aware that current consent mechanisms invariably contribute to data subjects’ ignorance about firms’ data processing practices. We acknowledge that the data protection principles first conceived in Convention 108 are fundamental safeguards to prevent undue harms to individuals’ autonomy, but believe that properly informed data subjects can override their application if they deem so fit or convenient, thereby enabling and legitimising data-driven innovation.

In concrete, we are developing a technological solution that allows individuals to see what data are collected by each cloud-based service or website they use, for what purposes such data are collected, and to whom that data are shared. Thus, on the most fundamental level, PACE seeks to educate data subjects by raising awareness of (the extent of) personal data processing by the technologies they use, an objective largely in line with Data Protection Day’s stated goal. The solution relies on blockchain technology to record and audit individuals’ data trails, thereby increasing transparency and accountability in controllers’ data processing operations. Moreover, the solution operates as a type of autonomous consent management agent designed to both combat ‘consent fatigue’ motivated by the abundance of consent notices and increase the level of control over one’s personal data.

Crucially, depending on the value exchange at hand and their privacy preferences, on the PACE interface individuals can authorise data processing practices that may lead to excessive data collection or breach core data protection principles, thus seeking to strike a balance between individuals’ autonomy and data-driven business models and innovation.

Ultimately, in the PACE project, every day is Data Protection Day.

---

[1] See Council of Europe, ‘Data Protection Day’, available at https://web.archive.org/web/20131227074032/http://www.coe.int/t/dghl/standardsetting/dataprotection/Data_protection_day_en.asp

[2] Council of Europe, Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data (28 January 1981), available at https://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680078b37

[3] See Article 6 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995 L 281/31

[4] See Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1

[5] See Article 105 of Convention 108

[6] For those who are young enough not to be familiar with this word, a ‘mullet’ is a type of hairstyle featuring short hair at the front and sides, but long hair at the back. It was the embodiment of the expression ‘business in the front, party in the back’. For more information see https://en.wikipedia.org/wiki/Mullet_(haircut)

[7] The original ‘Walkman’ was a portable cassette player launched in 1979 that allowed people to listen to music ‘on the move’ for the first time. For more information see https://en.wikipedia.org/wiki/Walkman

[8] It must be noted that Convention 108 is undergoing a modernisation process in the light of IT developments that challenge its effective implementation. CETS 223 will update its text upon its entry into force. However, the modifications introduced largely resemble the GDPR, and consequently involve no substantial change in data protection’s core principles. See Council of Europe Treaty Series No. 223, Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (10 October 2018), available at https://rm.coe.int/16808ac918

[9] Broadly speaking, the information economy represents the structural shift in the global economy away from a purely manufacturing or agriculturally based economy to one dominated by services with a disproportionate emphasis on digitized information. See generally Andrew Murray, Information Technology Law: The Law and Society (Third Edition, Oxford University Press 2016)

[10] At the time of enactment of the highly consent-based Data Protection Directive, only 1% of the EU population was using the Internet, Amazon and eBay were still being launched, the founder of Facebook was 11 years old and Google did not exist. In this setting, consent was a suitable mechanism to exercise one’s informational self-determination, as consent requests for data processing were exceptional. At present times, conversely, reading all Terms of Service that are presented to us would be close to a full-time job. See McDonald, A.M. and Cranor, L.F. The cost of reading privacy policies. I/S: A Journal of Law and Policy for the Information Society (2008)