Privacy as a societal value Bart van der Sloot Institute for Information Law, UvA Scientific Council for Government Policy (WRR) Amsterdam Platform for Privacy Research

Overview (1) Current Privacy Paradigm (2) Big Data (3) Privacy as societal interest

(1) Current Privacy Paradigm European Convention on Human Rights of the Council of Europe (1950) ARTICLE 8 - Right to respect for private and family life 1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

(1) Current Privacy Paradigm European Charter on Fundamental Rights Article 7 Respect for private and family life Everyone has the right to respect for his or her private and family life, home and communications. Article 8 Protection of personal data 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.

(1) Current Privacy Paradigm Individual right ECHR ARTICLE 34 Individual applications The Court may receive applications from any person, nongovernmental organisation or group of individuals claiming to be the victim of a violation by one of the High Contracting Parties of the rights set forth in the Convention or the Protocols thereto. The High Contracting Parties undertake not to hinder in any way the effective exercise of this right Focussed on natural persons No actio popularis, hypothetical or abstract claims

(1) Current Privacy Paradigm Individual right Data Protection Directive Article 2 Definitions For the purposes of this Directive: (a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

(1) Current Privacy Paradigm Individual interests Originally, duties of care for governmental institutions and data controllers Not to interfere with private life, home, communications, except when necessary To process data safe, legitimate, proportional, etc. Now, only indivudal interests Relative interests

(1) Current Privacy Paradigm Balance of interests There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. Mostly confliciting with societal interest Private and public interest are balanced

(1) Current Privacy Paradigm Focus on legal regulation First documents were mainly codes of conduct, with only marginal legal enforcement Now, there is an increased focus on legal regulation and sanctions

(2) Big Data Massive amounts of data stored By citizens (smartphones), businesses (cookies) and states (covert surveillence) Use/goal only clear after processing Not targeted at specific individuals Data mostly aggregated – group profiles and statistical patterns Datasets shared, connected and harvested

(2) Big Data Data protection rules Personal /sensitive data – anonimous/ metadata > move towards circular data streams Data minimisation > move towards maximum gathering of data Purspose limitation > move towards re-use/secondary use Safety and confidentiality > move towards sharing data and open data

(2) Big Data 1. Individual right 2. Individual interest Unaware of potential violation Unable to claim right (in practical sense) To complicated to give a realistic form of consent 2. Individual interest Individual interest vague and abstract Societal interest at stake? 3. Balanced against each other Societal interests vague and abstract Absolute norms? 4. Legal regulation Terrorial problem/lack of shared values Societal interests > political realm

(3) Privacy as societal interest Privacy is also a societal interest It is constitutive for Friendships Trust in the government and legitimacy of the state Democracy > secrecy of ballot The legal domain > confidentiality between lawyer and client Journalism > confidentiality sources and journalists Medical sector > confidentiality doctor and patient

(3) Privacy as societal interest Anita Allen: ‘First, confidentiality encourages seeking medical care. Individuals will be more inclined to seek medical attention if they believe they can do so on a confidential basis. It is reassuring to believe others will not be told without permission that one is unwell or declining, has abused illegal drugs, been unfaithful to one ’s partner, obtained an abortion, or enlarged one ’s breasts. […] Second, confidentiality contributes to full and frank disclosures. Individuals seeking care will be more open and honest if they believe the facts and impressions reported to health providers will remain confidential. It may be easier to speak freely about embarrassing symptoms if one believes the content of what one says will not be broadcast to the world at large.’

(3) Privacy as societal interest 1. Privacy should not only be regarded as an individual right: Duties of states and data controllers to protect the privacy Class actions by groups and civil society and enforcement by DPAs 2. Privacy should not only be about consequences for the citizen: Intentions and duties of care for state and data controllers Societal interests involved with privacy and data protection

(3) Privacy as societal interest 3. Cases should not only be resolved by balancing interests: Instrinsic assessement of the quality of laws, policies and research proposals Absolute prohibitions on certain uses and practices 4. Privacy should not only be regulated through black letter law: focussing on guidelines, codes of conduct and soft law Regulation through reputation