On September 11, 2015 the European Data Protection Supervisor (EDPS) Giovanni Buttarelli released an Opinion about digital privacy and dignity entitled Towards a new digital ethics. The document was published in an effort to encourage open discussion about privacy concerns facing the European Union and to emphasize that regulations should focus on preserving human dignity. The Opinion outlines technologies the EDPS believes to pose the greatest threat to privacy and discusses the entities responsible for preventing infringement. It also announces his plans to create an Ethics Board responsible for analyzing the ethical effects of defining and using private data.
The EDPS is an independent supervisory authority who was appointed by the European Parliament and Council in 2014 to advise the European institutions and bodies on privacy legislation and cooperate with authorities to ensure that personal data is protected. Increasing concerns about the proliferation of privacy-threatening technology have driven the EDPS to release a statement about the association between ethics and digital security. This Opinion is a follow up to the EU Data Protection Reform, and further opinions are expected as the EDPS works on his five-year strategy to constructively improve and monitor data security.
Much of the Opinion outlines modern digital technology the EDPS believes to pose the biggest threat to preserving private information in an ethical manner. In addition to examining current innovations, Buttarelli extends his research to analyze the potential for security breaches in up-and-coming developments. Big data, the Internet of Things (IoT), cloud computing, data business models and autonomous devices were of particular interest. The EDPS expressed his concern that personal, sometimes inaccurate, information collected using these technologies is being used to establish profiles that undermine our dignity and make us vulnerable to discrimination.
Big data, the process of collecting large sums of data from various sources and processing it with the help of algorithms, poses a significant obstacle to preserving privacy. In addition to the better-known use of big data–personalized advertising–the process is also used for more impactful purposes such as determining insurance rates and loans. The EDPS worries that business models that rely on summarizing a person by pulling information, especially from sources unknown to the individual, undermine their dignity. Among Buttarelli’s goals is curtailing the practice of reducing people to data, and establishing steps to regulate big data is a part of the process.
Another trend that warranted attention was the Internet of Things (IoT), networks of devices that remotely collect and exchange information. Some gadgets that make up the IoT network are extremely beneficial to human wellbeing, but their services rely on private information. Wearable health monitoring devices and accident prevention technology that fall under the IoT umbrella can potentially save lives, but they also rely on gathering, storing and transferring personal information. Advanced collection technology, such as heat sensors and authentication applications, are often used in combination with cloud storage to carry out IoT processes. The collected data may include IP addresses, passwords, health conditions and physical locations; details that must be utilized in an ethical way.
The Opinion suggests that obtaining access to such data puts users at risk of stereotyping, especially in the health and auto industries. Nevertheless, the EDPS maintains that it is possible for security checks to protect the dignity of the public without stifling remarkable innovation. He plans to bring experts together to discuss what steps can be taken to guard data collected by IoT devices without hindering their usefulness.
While he did not offer sample legislation to counter threatening trends, the EDPS did identify technologies that warrant further analysis. The Opinion served primarily as a jumping-off point for further, more specific discussion about security regulation. Equipped with information about technologies of concern, business leaders and IT technicians could work together with legislators and privacy experts to propose ethical solutions.
In addition to highlighting areas of concern, the EDPS identified parties that must be held accountable for securing privacy measures. He indicated that an ‘ecosystem’ made up of legislators, corporations, IT developers and individuals was responsible for maintaining ethical privacy standards.
Not exactly known to shoulder the responsibility for company ethics, IT developers were challenged to seek out solutions to digital privacy concerns. In particular, developers were asked to implement personalization tools to safeguard private information in devices and networks. According to Buttarelli, technological design decisions should, “support our values and fundamental rights.” He suggested that further research on privacy and auditing technology would play a role in achieving these goals.
Businesses that utilize private data were naturally directed to use such information for necessary functions only. This was the most challenging of directives, as utilizing personal content in a variety of ways is often a part of company business models. It will be interesting to see whether discussions the EDPS hopes to initiate will produce realistic alternative profit models and suggestions for circumventing personal data usage.
Nevertheless, Buttarelli stressed that businesses should be using private information to meet clear objectives. He also called on them to enforce strict and clear auditing procedures that involve oversight by independent regulators. The EDPS suggested that corporations implement auditing regulations, introduce audit certifications, and set up company codes of conduct.
Without fear of repercussions, it is unlikely that companies will make privacy a top concern, especially in cases where it interferes with profits. That is why legislators were named as a part of the ecosystem responsible for ensuring information security and personal dignity. It is worth noting that EU laws already prohibit the use of information in unlimited ways, even in cases where individuals offer full consent. Therefore, EU legislators have already set in place basic data protection regulations they can build upon after more direct EDPS protocols are proposed.
Buttarelli asked that IT developers, businesses and legislators ensure privacy and offer clear guidance to those who do not understand how their data is collected and used. But he did not ignore the responsibility of individuals to monitor their own behavior and make sure their information was utilized correctly and gathered properly. According to the EDPS, “individuals are not passive beings requiring absolute protection against exploitation.” He offered sample research that suggested misinformation was not uncommon in credit reports, and directed individuals to challenge questionable results that might lead to discrimination. Consumers who were unsatisfied with corporate services could pressure businesses to step up by shopping around and purchasing from more reputable companies.
The parties in Buttarelli’s ecosystem each have unique motives for managing private information, but according to the EDPS, one factor must underlie all of their goals: human dignity. It is difficult to create a one-size-fits-all plan for processing private data because future technology is not exactly easy to police. Despite his thorough analysis of trends that may evolve into privacy threats, regulations for the unknown will not address all imminent problems.
What can guide leaders, developers and the public in maintaining ethical approaches to data privacy is ensuring that new technologies and regulations uphold an individual’s dignity. In other words, producers and processors of technology should regularly ask themselves whether they are using private data in ways that can lead to stereotyping, stigmatization or exclusion. They should also consider whether personal data is used as a profiting tool rather than an imperative aspect of operation. If dignity is compromised in exchange for technology, we should debate whether that technology is worth the price.
Despite his concerns over unethical use of private data, the EDPS remained optimistic about the EU’s ability to preserve privacy without stifling innovation. He challenged developers to create technology that limited the ability to single out individuals and to concentrate on methods of collecting unidentifiable data, assuming the private information was necessary in the first place.
To help him evaluate how a balance between human dignity, innovation and business models can be achieved, the EDPS announced he would establish an Ethics Advisory Board in the coming months. The board will include several experts in the fields of technology and economics. Given the board’s focus on ethics, members will also include specialists who can provide information about the social implications of privacy risks. Among them will be sociologists, psychologists and ethics philosophers. When needed, additional authorities will be invited to weigh in on solutions to privacy obstacles and their ethical compromises.
An ethics board proposal and the list of threatening technologies and responsible parties were all laid out to establish a framework for further discussion. The Opinion of the EDPS echoed his belief that personal dignity did not have to hinder innovation as long as the EU challenged itself to come up with solutions that prioritized dignity in technology. According to the EDPS, now is a prime time for the EU to adopt a fresh approach to handling private data in an ethical manner. Although technological trends are not all predictable, proactive collaboration between experts and the public can ensure that security and dignity will become an integral part of future developments.
Add new comment