D7.4: Implications of profiling practices on democracy

Title: PRIVACY IS DEAD (REQUIESCAT IN PACE)

How does profiling relate to privacy? Leaving aside data protection as a privacy instrument (because data protection should be viewed separately, as Gutwirth & De Hert rightly argue), profiling as such does not – to me – seem a really significant privacy threat; that is, large-scale collection and storage of personal data can be seen as a privacy threat, but privacy is not really affected if the data remain stored in computers and do not enter the heads of people who make decisions about other people. It is only when an individual profile is used in an individual case that privacy may be at stake, because the profile user perhaps knows more about the profiled subject than she needs to know for the purpose of the particular transaction; but does that really affect the profiled person in her private sphere? I like the notion of privacy as a safeguard against – unjust – judgement from others, because others should judge us only by relevant criteria and not by irrelevant criteria that, precisely because they are irrelevant in the particular context at issue, should remain private. However, why not call a spade a spade and say that in this respect, it is not so much privacy that is at stake, but fair judgement and fair treatment? Privacy may be a servant to many masters, but here, I think, it is largely the master of fair treatment that privacy is serving. We risk blurring the discussion by bringing on board the multiple – and, to many people, confused – associations that surround the notion of privacy, and so, we had better turn our heads to anti-discrimination law as the core issue in profiling, and disregard privacy as being at stake.

(Besides, privacy is doomed anyway. Not because it is consciously pushed aside in favour of other interests – although it often is nowadays – but because it is slowly but surely being eroded through the ever-increasing advances in technology that make people and society transparent, and because somehow people do not notice or care that they end up with ever smaller opportunities to withdraw in a private sphere. This, at least, is my vision for the next decade or so. Conceivably, a return-to-privacy wave may come up once the current era of technology push and security hype has passed. It may arrive too late, however, if privacy-destroying infrastructures by then have paved the world’s ways.)

Data protection is dead (Long live data protection)

How does profiling relate to data protection? The texts create the impression of assuming rather lightly that data-protection law applies – or should apply – throughout the process of profiling, but of course, in many types of the profiling taxonomy given above, data are not traceable to unique persons, and hence are not personal data subject to data-protection law. Indeed, for many types of profiling, it is not necessary to process uniquely identifiable data; in many cases, data that correlate not at the individual level but at a more generic level or anonymised data will suffice. Data-protection law typically plays a role in pre-profiling, when personal data are being collected, and in profile use, when profiles are applied to unique individuals. What happens in between may or may not legalistically fall under the scope of data-protection law, but that is insignificant as compared to the pre- and post-processing stages.

A more important issue is why we should really be concerned with data protection. The monster of data-protection principles and data-protection laws that has been brought to life since the 1970s seems to be based on one major assumption: we need to prevent data processing as much as we can, in order to prevent misuse of personal data. Only by allowing the minimum of data to be collected in the first place, and by allowing the data to be processed only for the purpose for which they were collected, will we prevent data monsters from harming people by undue knowledge of them.  

Admirable as this assumption may be, it is outdated and doomed to fail in the current information society. Data storage devices and data networks are here to stay. They create such huge opportunities for collecting and processing data, and especially for interconnecting and correlating data, that trying to prevent data collection and trying to restrict data processing is banging one’s head against a brick wall. The brick wall is not affected, as organisations happily continue large-scale data collection and correlation, with or without the blessing of the god of data protection. But the head is hurt, over and over again as data-protection laws and principles are infringed, without any material redress in practice.  

Therefore, to my view, the focus of data protection should be radically shifted. Instead of focusing on the early, enabling stages of data processing, it should concentrate on the later, usage stage of data processing. What data protection really is, or should be, about is decent treatment of people in society. Contrary to what Mireille Hildebrandt suggests as the values that data protection should protect (see section ), the core value that I perceive is common decency. Decency that shows itself in using correct, up-to-date, and relevant data, decency by adequately securing data against data snoopers, decency in using information in a correct way. Only by stressing much more the use of data, and adequately enforcing decency norms in that use, will data-protection principles be able to survive the information age. And if that is done, data protection may have a long and prosperous life as a core value in the information society. It may then become, what it really fails to be now, a tool of transparency that enhances the rule of law.

Taking this view of data protection as input for an assessment of profiling, it is again the last stage of profiling – profile use – that we should be concerned with. The earlier stages of pre-profiling and profile making are either immaterial for data protection, because decency in human relationships is not at issue here, or they are elusive for data protection and uncontrollable in practice anyway. Data protection might, on the other hand, help in the later stage of profiling to ensure anti-discrimination and fair treatment that I indicated earlier to be the main concerns with profile use.

Who am I?

How does profiling relate to the sense of self, or ipse-identity? Hildebrandt makes the crucial distinction between idem and ipse as two meanings of identity. She is concerned with ipse-identity, the sense of self that enables people to develop and act as true and valuable human beings in society. I see the importance of ipse-identity as a significant, perhaps crucial, part of democracy and the rule of law, but actually fail to be convinced that profiling in some sense impacts on ipse-identity. Again, qualitative examples if not quantitative data are needed if it is to be argued that people cannot develop their sense of self adequately because they are being profiled.

I see a clear connection between the human person and ipse-identity on the one hand, and the legal person and idem-identity on the other. In legal relationships (and I use this term broadly: each relationship that somehow has a legally relevant aspect), we act with legal persons – the objectified construct that is the external part of a person that interacts with and in society. Identification in this respect usually means idem-identity: we want to know that we are dealing with the same – legal – person as last time, or with a specific – legal – person with this name or attribute. It is immaterial in these transactions whether we are dealing with a – human – person whose interior entails a well developed or a crippled sense of self. Profiling, at least on the face of it, only has to do with using profiles in legal relationships: you take a decision about someone by judging whether or not this person meets the profile or the profile-based rule. This is idem-identity: are we talking about the right – legal – person? The profiler, nor the profiled, is concerned with ipse-identity here: the question “are we talking about a true human being?” simply does not come up.

What I have to infer from Hildebrand’s analysis is that profiling, under the face of it, somehow does impact the sense of self. By changing the range of opportunities offered to us by profiling organisations, we are restricted in our choices and hence in the ability to develop ourselves as we otherwise would have done. This claim can be read at two levels:

• the sense of self is affected subjectively: this – human – person in this case actually feels restricted (regardless whether there is an objectified reason to feel thus); this is an interesting psychological question, but unless a methodologically sound survey shows that significant parts of the population are thus being psychologically hampered in their sense of self by certain types or fields of profiling (which I doubt that any survey could come up with), I fail to see the relevance of such subjective impact on the rule of law or on fundamental legal principles;

• the sense of self is affected objectively: that is, there is sufficient reason to believe that this kind of – legal – person in this kind of case has good reason to be thought to be hampered in developing her sense of self as a human person; such a claim might be argued for by qualitative examples that are ordinary enough to be prevalent in society rather than far-fetched examples of rare applications of profiling; perhaps such examples may be given, although I have not read them in Hildebrandts text; but if they exist, we should assess the seriousness of the particular restrictions of the sense of self that this kind of profiling implies; after all, there are countless factors that influence the ability to self-develop because they enhance or restrict opportunities (genetics, nutrition, education, where you happen to be born, your mother’s job, social surroundings, peer group, etc. etc.), and it remains to be seen how serious the impact of profiling is when compared to that list of factors, at least from the perspective of democracy or the rule of law being at stake.