The classic assumption in privacy theory is that individuals can invoke a right to privacy to protect their individual interests. I argue that privacy is not always/only an individual right, but can also be a group right or a right of other non-individual entities, and that privacy also provides protection to social and public interest.
These arguments not only have a theoretical value; they have practical significance. In the Big Data era, roughly two things have happened: (1) the number of data collections has exploded and (2) data collection is no longer (necessarily) focussed on an individual, but concerns large groups. This means that (1) it is practically undoable for an individual to assess each and every time, whether her data is collected, by whom and whether that is legitimate, and if not so, to go to court and (2) that many of the Big Data technologies/applications, such as smart cities, mass surveillance, living labs, predictive policing, etc. do not so much affect the interests of one or another individual, they affect everyone or large parts of society. In this light, I've argued for a fundamental revision of procedural law and connected this to other systemic issues, such as environmental pollution and systemic racism.
This article, titled 'Privacy in the Post-NSA Era: Time for a Fundamental Revision?', discusses moving towards a new privacy paradigm to deal with issues such as mass surveillance by the NSA. It brings together several themes in my work, such as the focus in individual rights, on individual interests and on balancing.
Big Brother Watch and others have filed a complaint against the United Kingdom under the European Convention on Human Rights about a violation of Article 8, the right to privacy. It regards the NSA affair and UK-based surveillance activities operated by secret services. The question is whether it will be declared admissible and, if so, whether the European Court of Human Rights will find a violation. This article discusses three possible challenges for these types of complaints and analyses whether the current privacy paradigm is still adequate in view of the development known as Big Data.
Download the article here.
As it is currently regulated, the right to privacy is predominantly conceived as a subjective right protecting the individual interests of natural persons. In order to determine whether this right has been affected in a specific situation, the so-called ‘noninterference’ principle is applied. Using this liberal concept, it follows that the right to privacy is undermined if an ‘infringement’ with that right by a third party can be demonstrated. Although the ‘infringement’-criterion works well when applied to more traditional privacy violations, such as a third party entering the home of an individual or eavesdropping on a private conversation, with respect to modern data-driven technologies, it is often very difficult to demonstrate an actual and concrete ‘infringement’ on a person’s right or freedom. Therefore, an increasing number of privacy scholars advocates the use of another principle, namely the republican idea of ‘non-domination’. At the core of this principle is not the question of whether there has been an ‘interference’ with a right; rather, it looks at existing power relations and the potential for the abuse of power. Interestingly, in recent times, the European Court of Human Rights seems to accept the republican approach to privacy when it deals with complex data-driven cases.
Together with a colleague, I've conducted research for the Dutch government on the modernisation of Dutch Procedural law in light of the data-driven society. We have indicated as core bottleneck that current procedural law is very much focussed on providing individual interests protection by granting natural persons subjective claim rights. We have mapped a number of alternatives, both in constitutional law, criminal law, civil law and administrative law such as, but not limited to: elaborate constitutional review of legislative processes, special advocates, amicus curia participation, public interest litigation, and collective actions. All had the common theme of either focussing on non-individual interests (group interests, collective interests, public interests, etc.) or focussing on non-individual ways of claiming rights (group rights, collective rights, representation, etc.) or both.
This chapter will question the logic behind focussing solely on 'personal data' in the EU data protection regime. It will do so in three steps. First, it will discuss the tension between the current legal paradigm, which is grounded in a static conceptualisation of data, and the technological reality, in which the status of data is constantly in flux. Second, it will argue why the boundaries between personal data and non-personal data, between metadata and content data, between anonymous and identifying data and between non-sensitive and sensitive data is increasingly difficult to draw. Third, it will suggest why the logic underpinning the distinction between the various legal categories of data may no longer be valid in the age of Big Data. Finally, the conclusion to this chapter will discuss the implications of these three arguments for the regulation of data. It will propose a regime for the regulation of non-personal data.