By Reijo Aarnio
Senior Adviser, Sitra
Former Data Protection Ombudsman, Finland DPA
Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP
Senior Adviser, Sitra
Former Data Protection Ombudsman, Finland DPA
Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP
Recital 2 of the EU’s General Data Protection Regulation (2016/679, GDPR) contains one of the finest juridical ideas. The GDPR is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons. I would add to this the serving of people and quality of life, especially quality of life in the digital sphere.
Consent alone does not guarantee data-related balance
A human-centric data economy must not be based too much on consent “alone”. More empowerment of data subjects is needed. Consent is an excellent juridical instrument, acknowledged also in the Charter of Fundamental Rights of the European Union as a key basis for the processing of personal data. Consent is a unilateral expression of intent indicating a person’s data-related right of self-determination and thus it differs from a contract, for example.
Naturally, consent requires that the party requesting it acts according to consent-related statutory requirements. After receiving consent, the data controller must adhere to it and also accept that consent can be withdrawn unilaterally. Does consent oblige the data controller to actively take action, such as share personal data?
The GDPR gives the data subject a new right – the right to data portability (GDPR, Article 20). Recital 68 describes this right and provides grounds for it: the need to further strengthen the data subject’s control over his or her own data and his or her right to transmit it to another controller. According to this recital, this right should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract.
The structure has some essential deficiencies. First of all, the regulation also contains other legal bases for processing other than consent or a contract. The GDPR does recognise the data controller’s legitimate interests. Why couldn’t the data subject’s legitimate interests also constitute a right that enables the exercise of their data-related right of self-determination? The right to rectification, the right to be forgotten, the right to object to the processing of personal data and the right to restrict processing do not, as such, offer sufficient means to exercise this data-related right of self-determination.
Furthermore, the right to data portability does not apply to personal data in the possession of the public sector, although data portability should be part of the principle of service that is an element of good administration. As a result, no fair data-related balance has emerged between data controllers and data subjects and consumers have not had the opportunities to take part in competitive tendering among service providers within the internal market, to gain a better freedom of choice or to reap product- or service-related financial benefits.
The individual may not be left alone
Where does this concern stem from? While data is being described as “the new oil” or another business raw material, we should understand that it is actually the only raw materialfor which its use is not regulated in a satisfactory manner.
The best-case scenario is that regulation is global and based on human rights. Luckily, we at least have the GDPR, which strengthens this value base and binds data-related rights to fundamental and human rights. However, at the same time, transnational digital giants continue to dictate the terms, conditions and methods of data use, outside the scope of the parliamentary system. The individual has been left quite alone against them.
Data protection is a freedom that should be defended
When it comes to the use of the digital raw material, or our personal data, problems with consumer protection and competition law have also been identified. An illegal dominant position in the market may be based on personal data.
I have been delighted to notice that the protection of personal data and sustainable development, an absolute necessity for the environment, have approached each other. Data protection is related to the energy economy, mobility and traffic, smart homes and many other phenomena that can, at their worst, challenge ecological resilience and climate.
For its part, data protection also protects the fairness of our election systems and, consequently, the whole of democracy. Indeed, the protection of privacy has sometimes been defined as the right to mind one’s own business and to form opinions without the intervention of others. Data protection is a freedom that should be defended.
New business models challenge data policy
Business models have changed, too. They have moved from direct customer relationships through value chains to entirely new ecosystems that are based on data sharing. The consumer must be reinstated as the king of this hill and provided with more power over the use of their personal data.
Luckily, the European Union and many of its individual member states have started to react to this situation. We can expect a whole new wave of legislation. It will force the member states to consider the quality of their data policies and their role in societal decision-making.
What about business operators and the third sector? They must not be left alone in the midst of this difficult-to-grasp transformation. By supporting them, we will also support the realisation of the recital I quoted at the beginning of this text.
Digital sovereignty
In conclusion, it is good that we have woken up to cybersecurity. Now we also need to be awakened to the need to strengthen a human-centric, fair data economy and the right of digital self-determination (digital sovereignty).
My theses – what we need is:
Consent alone does not guarantee data-related balance
A human-centric data economy must not be based too much on consent “alone”. More empowerment of data subjects is needed. Consent is an excellent juridical instrument, acknowledged also in the Charter of Fundamental Rights of the European Union as a key basis for the processing of personal data. Consent is a unilateral expression of intent indicating a person’s data-related right of self-determination and thus it differs from a contract, for example.
Naturally, consent requires that the party requesting it acts according to consent-related statutory requirements. After receiving consent, the data controller must adhere to it and also accept that consent can be withdrawn unilaterally. Does consent oblige the data controller to actively take action, such as share personal data?
The GDPR gives the data subject a new right – the right to data portability (GDPR, Article 20). Recital 68 describes this right and provides grounds for it: the need to further strengthen the data subject’s control over his or her own data and his or her right to transmit it to another controller. According to this recital, this right should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract.
The structure has some essential deficiencies. First of all, the regulation also contains other legal bases for processing other than consent or a contract. The GDPR does recognise the data controller’s legitimate interests. Why couldn’t the data subject’s legitimate interests also constitute a right that enables the exercise of their data-related right of self-determination? The right to rectification, the right to be forgotten, the right to object to the processing of personal data and the right to restrict processing do not, as such, offer sufficient means to exercise this data-related right of self-determination.
Furthermore, the right to data portability does not apply to personal data in the possession of the public sector, although data portability should be part of the principle of service that is an element of good administration. As a result, no fair data-related balance has emerged between data controllers and data subjects and consumers have not had the opportunities to take part in competitive tendering among service providers within the internal market, to gain a better freedom of choice or to reap product- or service-related financial benefits.
The individual may not be left alone
Where does this concern stem from? While data is being described as “the new oil” or another business raw material, we should understand that it is actually the only raw materialfor which its use is not regulated in a satisfactory manner.
The best-case scenario is that regulation is global and based on human rights. Luckily, we at least have the GDPR, which strengthens this value base and binds data-related rights to fundamental and human rights. However, at the same time, transnational digital giants continue to dictate the terms, conditions and methods of data use, outside the scope of the parliamentary system. The individual has been left quite alone against them.
Data protection is a freedom that should be defended
When it comes to the use of the digital raw material, or our personal data, problems with consumer protection and competition law have also been identified. An illegal dominant position in the market may be based on personal data.
I have been delighted to notice that the protection of personal data and sustainable development, an absolute necessity for the environment, have approached each other. Data protection is related to the energy economy, mobility and traffic, smart homes and many other phenomena that can, at their worst, challenge ecological resilience and climate.
For its part, data protection also protects the fairness of our election systems and, consequently, the whole of democracy. Indeed, the protection of privacy has sometimes been defined as the right to mind one’s own business and to form opinions without the intervention of others. Data protection is a freedom that should be defended.
New business models challenge data policy
Business models have changed, too. They have moved from direct customer relationships through value chains to entirely new ecosystems that are based on data sharing. The consumer must be reinstated as the king of this hill and provided with more power over the use of their personal data.
Luckily, the European Union and many of its individual member states have started to react to this situation. We can expect a whole new wave of legislation. It will force the member states to consider the quality of their data policies and their role in societal decision-making.
What about business operators and the third sector? They must not be left alone in the midst of this difficult-to-grasp transformation. By supporting them, we will also support the realisation of the recital I quoted at the beginning of this text.
Digital sovereignty
In conclusion, it is good that we have woken up to cybersecurity. Now we also need to be awakened to the need to strengthen a human-centric, fair data economy and the right of digital self-determination (digital sovereignty).
My theses – what we need is:
- a human-centric future that is based on a stronger data-related right of self-determination;
- stronger digital sovereignty and decision-making that respects human rights; and
- more comprehensive and democratic global regulation of “digital natural resources”.