The right to be informed consists in the obligation of the controller to provide data subjects with the identity of the controller (and of his representative) and the purposes of the processing for which the data are intended. If necessary to guarantee fair processing, the data subject must also be provided with: the recipients or categories of recipients of the data, whether replies to the questions are obligatory or voluntary, the possible consequences of failure to reply, and the existence of the right of access to and the right to rectify the data concerning him (article 10).
When the data have not been obtained from the data subject himself but from a third party, the controller or his representative must, at the time of recording the personal data or, if disclosure to a third party is envisaged, no later than the time when the data are first disclosed, provide the data subject with information as described above, including an indication of the categories of data concerned (article 11).
At this point we will give attention to this information procedure as such, because AmI should somehow also be based on what we can tentatively call ‘ambient law’. Obviously one cannot imagine an automated AmI world where the law obliges data controllers to continuously present information on the purpose of data collection to individual users. Such purpose specification would put too much of a burden on both the data subject and the data controller. Thinking of user convenience, this would create an overload of information, whereas AmI and profiles are in fact designed to limit the information stream towards an individual.
The information procedure of article 10 reflects a kind of formalisation of the data collection and processing procedures. It aims at making the data collection both legal and legitimate without, however, really informing the individual. If information on the purpose is available, the data subject will most often not have the time to read it or may not understand the privacy disclaimer. As mentioned, a purpose can be described in general terms such that any specific purpose will fall within its scope. And in most cases, the privacy disclaimer is written in the language of the place of data collection, which is not necessarily a language understood by the data subject. What is needed is a balance between the fact that the information targeted at the data subject should be as limited as possible to enhance the user’s comfort and the user’s interest in being informed of the purposes of the collection and processing. One could think of legislation and technology that keep this information “ambient” by obliging AmI service providers to supply the purpose information in a format that allows the intelligent agent of the user to recognise the purposes independently and take decisions according to the user’s preferences. A user could instruct his personal agent to automatically allow certain categories of purposes, while disallowing other specific categories. On top of that, the PDA can signal the user if the information falls outside the scope of both, in which case the data subject can decide himself. This could shift the balance of power from the data controller towards the consumer. It could also allow the user to define when and to what extent his data can be made anonymous by the data controller in order to construct group profiles.
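A sketch of the agent-side decision described above, added here as an example and not taken from the FIDIS deliverable. The JSON declaration format, the dotted purpose hierarchy, and the preference keys are assumptions; the example also chooses to refuse a purpose stated so generally that a disallowed category falls within it.

```python
import json
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ASK_USER = "ask_user"

# Constructed sample preferences; category names and keys are assumptions.
PREFS = {"allow": ["service.delivery", "billing"],
         "deny": ["marketing.third_party"],
         "allow_group_profiling": False}

def covers(broad, narrow):
    """True if `broad` equals `narrow` or is its ancestor (dotted hierarchy)."""
    return narrow == broad or narrow.startswith(broad + ".")

def decide_purpose(purpose, prefs):
    # Deny wins. A declared purpose is refused if it falls under a disallowed
    # category, or is so general that a disallowed category falls under it.
    if any(covers(d, purpose) or covers(purpose, d) for d in prefs["deny"]):
        return Decision.DENY
    if any(covers(a, purpose) for a in prefs["allow"]):
        return Decision.ALLOW
    return Decision.ASK_USER  # outside both lists: signal the user

def evaluate(declaration_json, prefs):
    """Return (overall decision, per-purpose decisions) for one declaration."""
    try:
        decl = json.loads(declaration_json)
        purposes = decl["purposes"]
    except (ValueError, KeyError, TypeError):
        return Decision.ASK_USER, {}  # unreadable declaration: never auto-allow
    if not (isinstance(purposes, list) and purposes
            and all(isinstance(p, str) for p in purposes)):
        return Decision.ASK_USER, {}
    result = {p: decide_purpose(p, prefs) for p in purposes}
    # Anonymisation for group profiles is a separate, explicit user choice.
    if decl.get("group_profiling") and not prefs.get("allow_group_profiling"):
        result["group_profiling"] = Decision.DENY
    for outcome in (Decision.DENY, Decision.ASK_USER):
        if outcome in result.values():
            return outcome, result
    return Decision.ALLOW, result

if __name__ == "__main__":
    for doc in ('{"purposes": ["billing"]}', '{"purposes": ["marketing"]}'):
        print(doc, evaluate(doc, PREFS)[0].value)
```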