D7.4: Implications of profiling practices on democracy

Title: (HOW) CAN DATA PROTECTION BE EFFECTIVE?

Gutwirth and De Hert rightly conclude that data protection legislation was the lawyers reflex to cope with the increasing data explosion; a first attempt to counter the powers that would evolve from new technologies like profiling. The question remains how this attempt can be effective. Data protection legislation is a form of administrative law; it imposes a set of obligations and prohibitions on data controllers and data processors and distributes rights to citizens. To supervise all this the EU has chosen to install national supervisory authorities and the art. 29 Working Party. Many lawyers and policy makers suffer from a modernist reflex that calls for new legislation whenever a problem arises. The idea is that if we create new obligations and grant new rights, the world will organise itself accordingly. If not, even more rules are enacted to further the implementation of those that turned out ineffective. The problem with administrative law is that it exhibits the strength but also the weaknesses of rule by law. The presumption that issues around the environment, biotechnology and profiling technologies can be solved by imposing rules on the stakeholders (enacting environmental law, prohibitions of stemcell research or data protection legislation) is problematic, if the changing landscape in which such rules must apply is not seriously taken into account. If we turn back to the fair information principles, enumerated in section , and think of the unobtrusive and ubiquitous computing technologies that are already embedded in our environment, the principles seem written for another – less complex - age. If unlimited collection of data is technologically possible and profitable while effective control is an illusion; if the amount of data is such that no person would even have the time to keep track of the collection and storage of her personal data, its purpose and the identity of the data controller, let alone to correct, complete and update her data and/or to erase, rectify, complete or amend her data; if use of data collected for another purpose, or disclosure of data for other purposes is technologically possible and profitable while effective control is an illusion; if consent is a burden for both the data subject and the data controller; and if, last but not least, the fact that data subjects are usually not aware of the data traces they leave behind makes it impossible to trace the data controller let alone hold her accountable for non compliance with the fair information principles - if all this, than we may be fooling ourselves in thinking that such legislation will make much of a difference.

What we need is an intelligent interplay between technological design and legal regulation, with a keen eye to market forces and business models as they will fit with such design and regulation (legal regulation may invite predatory greed or prudent enterprise; technological design may empower those that are already in charge or weaker parties). As Lawrence Lessig has argued extensively, the architecture of our world is not only a matter of enacted law, but also a matter of the way we design our technologies. Like law, technologies regulate our world: constraining our actions while creating new options, enriching our world while also implementing certain choices. The challenge is to integrate these two aspects of our shared world: to construct common architectures, built of legal and technological constraints that intelligently interact. The central question should be how to construct infrastructures that enhance our freedom, that reinvent our constitutional democracy in a world that can no longer be ruled solely from the perspective of the national or supranational state. The point is not to weave a seamless web around us, integrating a legal network with advanced information and communication technologies in order to normalise us into a comfortable existence where most choices are made for us by our intelligent agents. Both law and technological design should be used to create an order that facilitates and empowers individuals to construct their identity in constant interaction with others, while participating in the construction of our common world.

So, the disciplines of law and technological design need to create common ground and shared vocabularies that recognise both the similarities and the differences between the way law and technology regulate. Lawyers will have to give up the attempt to rule the world as a voluntaristic project and technologists will have to give up possible dreams of a technologically predefined world, however comfortable. In fact this is what the FIDIS consortium is working on: identity management systems and devices – the one recurrent topic of the research of the FIDIS consortium – is being studied from legal and technological perspectives in ways that can be said to aim for the reinvention of democracy and the rule of law. It may be the case that the artificial construction of the legal person as the mask that both protects the person of flesh and bones and enables her to take part in the life of the community as a legal person, is developing its counterpart in the digital persona, intelligent agent or identity management device that functions in the same way: as a shield and a gateway, as protection and interface.