By Simon Davies
A European Commission official has warned that implementation of new privacy rules in the EU will present a substantial challenge to technologists and lawmakers in the face of ubiquitous information systems.
Gérald Santucci, head of the Commission’s Knowledge Sharing Unit set out his views in a personal capacity in a provocative essay prepared for the Privacy Surgeon. The essay is available here or by clicking the icon in the right hand column of this page.
Santucci broadly praised the draft data protection regulation currently being considered by the European Parliament but warned that society still needed to make fundamental choices about the balance between flows of information and the protection of privacy.
“Data collection and video surveillance will continue to grow as ubiquitous computing pervades almost all areas of our culture, either harnessed to our body or hovering over cities to monitor people from the sky. As technology moves to the nano scale, wearable devices will be both on us (e.g. smart glasses and other head-mounted displays, devices connected to the smartphone in the fitness and sports environment) and in us (e.g. a nanorobot navigating through the human circulatory system or shielding the human body against pathogens).”
“Therefore the question is: do we want to live in a surveillance society that might ensure justice for all, yet privacy for none? Are we ready to live in a “City of Control” or do we definitely cherish a “City of Trust”?”
Santucci signals that some conventional legal practices would fail in the face of such technologies. “Looking at these issues, it appears clearly that current approaches to data protection, primarily based on contractual agreements, are largely inadequate to address such asymmetries. We need new thinking and new concepts to structure an interdisciplinary discussion”.
What is at stake is the capability of the EU to integrate modern, adequate legal data protection into its socio-technical fabric
The advice comes at a critical moment for the draft regulation which is on deadline for negotiation before the current parliamentary term expires. However Santucci raises fundamental questions that need to be taken seriously during the negotiations.
“The difficulty we have today to provide clear interpretations of the terms “personal data” and “privacy” is very likely to increase in the upcoming years as emerging digital technologies raise questions about who is responsible for data protection when data is scattered “in the clouds” or embedded in smart connected objects and when individuals disclose a great deal of personal data – their own and others’ – on social networking sites. Rapid changes in digital technology highlight the challenges of ensuring that individuals have control over their personal data.”
Santucci acknowledged three components of the regulation that he regards as “game changer” elements: – Data Protection Impact Assessment, the Right to be Forgotten and Privacy by Design. However he is clearly concerned about the longer term, warning: “…at the confluence of science, technology and society the challenges are becoming so complex and intertwined that a real, total new narrative is necessary in order to interpret the world as it is and to make it a better place for human beings to live in.”
The challenge is no longer about how to technically enforce legal compliance… but about the design of novel articulations of fundamental legal rights into network infrastructures instead of the printing press.
“The “success” of the Regulation will depend primarily on a cultural change: the challenge is no longer about how to technically enforce legal compliance – legal issues cannot be solved by technical solutions – but about the design of novel articulations of fundamental legal rights into network infrastructures instead of the printing press.”
“What remains possible is to develop techniques that aim at preventing the unwanted collection and spread of personal data (e.g., robot.txt, do-not-track, access control).’ And in a warning shot to rogue companies he added “Policy makers in the EU should support the principle of minimal disclosure in order to ensure that minimum amount of personal data is collected and stored online. In addition, they should enforce compliance with rules and regulations to address tracking and profiling online by misbehaving players.”
Finally, Santucci declares a keen interest in the concept of “privacies”, in which an individual could be enabled to create multiple temporary personalities across a wide technological spectrum, each of which can be adapted to a particular environment.
“Just as privacy needs to be re-thought by considering privacies, trust is an issue that should not be addressed in terms of the actions required to create or restore trust. We should focus instead on the conditions that are necessary to empower citizens to orient themselves properly in a hyper-connected environment and make their decisions themselves.”