We are pleased to present this guest post from Prof. Lokke Moerel, a leading EU privacy lawyer. We think her blog and paper are fascinating and important contributions to the current discussion of key privacy topics, including big data, the Internet of Things, and EU data protection laws.
Let us imagine a mobile phone application that traces your movements and phone calls in order to inform you whether you are likely to catch influenza. The app can even tell you which friends you should avoid in order to minimize your risk of catching the flu – even if those friends have not yet been affected by it themselves (this is not fiction, see research of MIT Professor Alex Pentland). Would you install this application on your smartphone as soon as you had the chance? Then imagine the use of a similar app by the World Health Organization, in order to protect public health during pandemics. Two applications that both collect and process personal data for the same purpose: the monitoring and personalized prediction of health and illness. But the sentiments that these two applications give rise to are likely very different.
When we pause to reflect on this, the conclusion is that it is not so much the purposes for which personal data might be used that are the primary consideration here, but rather the interests that are served by the use of the data collected. And yet, both the current and the upcoming EU data protection regime are based primarily on the purpose for which data are collected and processed, while the interests served play a much more subordinate role. This raises the question of whether this legal regime can be effective and can be considered legitimate as we move into a future whereby society is driven by data.
In my paper with Prof. Corien Prins: “Privacy for the homo digitalis: Proposal for a new regulatory framework for data protection in the light of Big Data and the Internet of Things,” we analyze innovations in data processing as a result of developments such as big data and the Internet of Things and discuss why these developments undermine the effectiveness and legitimacy of the current as well as upcoming EU data protection regime, thereby focusing on the private sector. The paper includes a detailed analysis of key data processing principles used in the European data protection regime (purpose limitation, informational self-determination and data quality) and argues that due to social trends and technological developments, the principle of purpose limitation should be abandoned as a separate criterion. Also, other principles (such as consent and the performance of an agreement) should no longer be recognised as grounds that play a role on their own in legitimizing data processing. Instead, we propose a single test: whether there is a legitimate interest for the whole life cycle of personal data processing (collection, use, further use and destruction of data). We argue that such a test will provide for a more effective data protection regime that will have more legitimacy than the assessment under the existing legal regime that is primarily based on the purposes for which data may be collected and further used. This test has been drafted in such a way that it enables companies to comply with the new requirements under the upcoming EU General Data Protection Regulation, which will become effective in 2018. We conclude our analysis with proposals to increase the effectiveness of enforcement of the data protection rules.