How should you go about addressing the ethical challenges of privacy-invasive emerging technologies with a foot in the present but an eye to the long-term future?
The European Data Protection Supervisor (EDPS) – the independent pan-EU data protection agency tasked with monitoring and advising on data protection and privacy compliance issues – has published an Opinion on digital ethics. In the Opinion, entitled ‘Towards a new digital ethics: data, dignity, and technology’, the EDPS urges those stakeholders in the EU and internationally with a part to play in the development and application of future technologies to promote an ethical dimension.
The Opinion highlights the latest technological trends which may involve inappropriate use of personal data. Specific mentions go to the following: big data, the internet of things, ambient computing, drone usage, autonomous vehicles, cloud computing, personal data-dependant business models, as well as 3-D ‘bio-printing’.
The EDPS proposes what it calls a four-tier ‘big data protection ecosystem’ that respects ethical considerations in addressing digital privacy challenges. The four tiers encompassing the EDPS’s vision for ‘future-proof’ rules on data protection are:
- Future-oriented rules that respect the rights to privacy and to data protection – The EDPS states that future-oriented reform must redress the imbalance between innovation in the protection of personal data and its exploitation, making safeguards effective in digitised society. It also encourages the EU to avoid language that will easily become outdated or ‘disputable’, with the aim of ensuring coherence in new laws. This would make it easier to take a holistic approach, says the EDPS, particularly when it has to assess compliance with competition, consumer, as well as data protection rules. In turn, the EDPS suggests that closer dialogue between regulators from different sectors could lead to a response to growing calls for global partnerships.
- Accountable data controllers – The EDPS calls upon organisations to be accountable, which should encompass the adoption of a new ethical compliance approach (exemplified through the development of internal codes and policies) to personal data control and management.
- Privacy-conscious engineering and design of data processing products and services – The EDPS points out that the IT industry has an important role to play in the digital environment through privacy-conscious engineering which can offer technology that processes data while also respecting individuals’ rights.
- Empowered individuals – In tandem with the above, the EDPS advocates individual empowerment wherever possible to create a so-termed ‘prosumer’ environment. This involves acquiring a degree of knowledge to equip individuals with sufficient awareness of the consequences of data collection, thereby enabling reflection upon why our personal data are being processed from the very outset. The EDPS has also underlined the importance of data portability as the “gateway in the digital environment to the user control which individuals are now realising they lack”.
In summary, the EDPS is of the opinion that “In today’s digital environment, complying with the law isn’t enough; we have to consider the ethical dimension of processing personal information”. In particular, there is explicit recognition that law “cannot address the many nuanced scenarios that arise in the digital market”.
This, of course, begs the question how to go about addressing the ethical challenges of privacy-invasive emerging technologies, and whether the EDPS’s approach is the right one being so closely linked to the legal notion of the data protection of ‘personal data’ (by definition, narrowly defined to a class of data, albeit that digital privacy concerns may stretch further than this class)? On the other hand, the EDPS is at pains to highlight the importance of retaining the value of human dignity at the heart of its proposed big data protection ecosystem – a concept not found within, say, the Data Protection Directive, although of course it is mentioned in Article 1 of the EU Charter of Fundamental Rights (“Human dignity is inviolable. It must be respected and protected”). [A more secular approach, unconstrained by the legal framework, can be seen with the creation of the European Group on Ethics in Science and New Technologies, which dates back to 1991.]
The EDPS also proposes in its Opinion to create a new EU data protection ethics board to stimulate an “open and informed” discussion on the nurturing of a new definition of digital ethics in the EU. It suggests that this board be composed of “a select group of distinguished persons from the fields of ethics and philosophy, sociology, psychology, technology and economics“, supported as required by additional experts in areas such as health and policing. The board’s functions would be aimed at improving the assessment of the ethical implications of how personal information is defined and used in the technology environment, with a view to underpinning the rights and freedoms of individuals.
The themes raised in the EDPS complement its earlier Opinion released this summer, in which it set out its recommendations for EU data protection reform (mentioned in my earlier post, here) – with illustrative examples of its recommendations – following the publication of the Council’s general approach to the new Regulation. In particular, the theme of focusing less on excessive formalities or prescriptive detail and investing more on dynamic safeguards is dominant. That opinion contained an annex including a four column table for comparing, article-by-article, the text of the GDPR as adopted respectively by the Commission, the European Parliament, the Council, alongside the EDPS recommendation. [For background, when a proposal for legislation has a possible impact on data protection, the European Commission has to submit it to the EDPS for its analysis. The subsequent opinion published by the EDPS containing its recommendations is issued as a formal part of the EU legislative process. For example, its opinions are usually presented in European Parliament Committees, as well as in relevant working groups in the Council.]
Earlier this year, the EDPS also unveiled its Strategy 2015-2019 in which it specifically advocated integrating ethical insights into its day‑to‑day work as an independent regulator and policy advisor. This four-year plan summarises the major data protection and privacy challenges over the coming years and the EDPS’ three strategic objectives and 10 accompanying actions for meeting them. The objectives and actions in total are:
Data protection goes Digital
- Action 1: Promoting technologies to enhance privacy and data protection
- Action 2 Identifying cross‑disciplinary policy solutions
- Action 3: Increasing transparency, user control and accountability in big data processing
Forging Global Partnerships
- Action 4: Developing an ethical dimension to data protection
- Action 5: Mainstreaming data protection into international agreements
- Action 6: Speaking with a single EU voice in the international arena
Opening a New Chapter for EU Data Protection
- Action 7: Adopting and implementing up‑to‑date data protection rules
- Action 8: Increasing the accountability of EU bodies processing personal information
- Action 9: Facilitating responsible and informed policymaking
- Action 10: Promoting a mature conversation on security and privacy
Back to the current reforms, while the EDPS has stated that it does not expect the outcome of the on-going trilogue negotiations underway to be perfect, it views the legislative process as the “art of the possible”. Quite rightly it also points out that, it is reasonable to expect a similar timeframe before the next major revision of data protection rules, perhaps not until the late 2030s and as final food for thought it comments that “Long before this time, data-driven technologies can be expected to have converged with artificial intelligence, natural language processing and biometric systems, empowering applications with machine-learning ability for advanced intelligence”. In that context, the long-term view certainly seems to be the right approach.