Where are the Missing Data Subjects? Data Protection, Control and Public Participation
by Athena Christofi, Jonas Breuer, Max von Grafenstein, Mihalis Kritikos, Roos Groothuizen, Ine van Zeeland, Jo Pierson
The General Data Protection Regulation (GDPR) has been around for almost three years now. In this regulation, individual participation rights, such as access, rectification, or erasure of personal data are central. In fact, the very legality of processing of personal data seems to depend on ideas of participation. Consent, for example, is supposed to empower individuals to have control over their data. However, fast-paced technological developments demonstrate the flaws in this approach, showing that consent is far from an effective tool towards more empowerment. Perhaps more empowerment can be achieved if data subjects participate in decision-making about their data? Especially in the context of smart cities, where public sector administrators must prove accountability and democratic legitimation of their decisions, citizen participation in an early stage of the decision-making process can lead to a higher sense of empowerment.
COMPLEMENTING RIGHTS WITH INVOLVEMENT IN DECISION-MAKING
Public participation, as a concept, describes the belief that those affected by a project, decision, or development have a right to take part in the decision-making process. In urban public spaces, ubiquitous collection and processing of (personal) data is justified by the potential utility benefits to city dwellers. Yet, this ubiquity of data processing can also bring about risks to citizens’ fundamental rights. It certainly reduces the ability of citizens to understand what is happening, let alone to control what data is collected and how it is used.
Data processing technologies gradually change the nature of urban spaces and governance. As a consequence, the question of citizen participation becomes pressing. Citizen participation can legitimize urban developments, and how risks and benefits are balanced in the name of public interests. If we consider how technologies impact many aspects of our lives, the idea of ‘empowerment through involvement’ is relevant also beyond the smart city context.
From a normative viewpoint, legitimacy and acceptance are the goals of public participation. We might ask why we would consider another layer of legitimacy, since the GDPR, as a government regulation, is already democratically legitimized. Admittedly, the legitimacy chain has been long: European legislators have either directly or indirectly been voted into office and created this regulation through democratic procedures and negotiations. In addition, the GDPR is vague. We are therefore still left with questions: how broad should involvement be, and how should we approach it to meet goals of legitimacy?
Data protection law provides tools to empower individuals. Such tools are, for instance, requiring consent from those whose data are processed, the ‘data subjects’, and specific rights for data subjects to have some control over what happens with their data. While these tools are important, by the time individuals can act upon them decisions have already been made on the assessment of risks and how to balance interests. Against this backdrop, the question is how individuals can be involved in decision-making about the desirability, necessity, and proportionality of a processing operation, even before their data are processed.
ENTER THE GDPR: ARTICLE 35(9)
The possibility of involving data subjects at an early stage in decision-making is not only theoretical. Article 35 of the GDPR introduces the so-called Data Protection Impact Assessment (DPIA), an exercise that is specifically designed to anticipate and address risks of data processing before it takes place. The article provides that: ‘Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.’ (Art.35(9) GDPR). This seems to open the door to some form of public participation or stakeholder involvement. It hints at another empowerment tool for data subjects to complement consent and data subject rights.
However, the vague formulation of this legal provision makes it challenging to interpret. What obligations actually result from Article 35 in practice? The obligation to seek views of data subjects is only triggered ‘where appropriate’, yet the contexts and circumstances that would make this appropriate are not specified in the GDPR, nor in guidelines of Data Protection Authorities (DPAs). Then there is the clause ‘without prejudice’, which is phrased in a very broad way: commercial and public interests, as well as information security, can be invoked as reasons to not seek the views of data subjects. This can be the case even when there are ways to involve people in the DPIA without jeopardizing any of these concerns – for example, confidential information and non-technical reports can be redacted.
As long as DPA guidance does not specify the provision’s vague wording, its interpretation and application lie with so-called ‘data controllers’. Data controllers decide on procedures and purposes of data processing, so they generally have the most responsibility in protecting the rights of the data subjects. They arguably have little interest in triggering Article 35(9), because consulting data subjects would make the DPIA exercise (even more) complex, requiring a strategy and additional efforts. In the absence of clear guidance from DPAs, and without intrinsic motivation from data controllers, the provision may become meaningless.
ALL THAT HASSLE! BUT WHY?
Data controllers who understand the motives and goals of participation are able to better structure the consultation process in practice. They are better able to determine:
- who to involve (which data subjects or representatives),
- which information to give them,
- what questions to ask and
- via which process.
What also may help are (I) reflections and (II) clarity on the goals of data subject involvement and (III) seeing involvement as a key performance indicator. Citizen involvement may have democratic legitimacy and acceptance as a goal, but it would still leave us with certain challenges. Should citizen involvement be about input legitimacy, procedural legitimacy, output legitimacy? And how broad should involvement of data subjects or their representatives be, to meet the legitimacy goal?
Other reasons to involve data subjects can be taking into account their reasonable expectations and their perceptions of ‘risks to their fundamental rights’. Risk perceptions are subjective and inevitably differ among data subjects, so it may indeed be interesting to ask data subjects about the types of risks they actually see.
Involving citizens requires a certain minimum of understanding from them about what happens with their data, so they can evaluate their expectations and risk perceptions. Artist Roos Groothuizen has enabled citizens to consider risks to their privacy and personal data through games. She has developed the Black Box Bellagio casino game, where “you play and find out which personal data you are willing to share with your fellow players. During the game you will learn to look at your personal data in an alternative way. Do you care about your privacy or about winning the game? How far do you go?”
Other GDPR provisions besides Article 35(9) also call for data subject involvement. For instance, controllers need to implement the requirements of the regulation and protect the rights of data subjects in an effective manner, and ultimately this effectiveness depends on usability for data subjects of the tools provided to exercise their rights. This is normally assessed by user-centered or participatory design methods. Article 35(9) GDPR may nevertheless be particularly helpful when it comes to questions on the appropriateness of risk protection measures that do not concern their usability.
LESSONS FROM OTHER IMPACT ASSESSMENTS AND THE NEED FOR INTERDISCIPLINARITY
When it comes to the involvement of citizens in science and technology, and in particular the understanding and assessment of risks, there are other types of impact assessments where lessons can be learned. In the case of Environmental Impact Assessments for instance, legislation has created procedural obligations and rights for participation, in the hope that if they are followed and exercised, they will help increase environmental protection. Technology Assessments – processes to study and assess the effects of a new technology on society – often explore societal views to understand the hopes and fears of citizens and other stakeholders. Experiences, pitfalls, and best practices encountered in these impact assessments can be leveraged to structure participation processes for DPIAs in effective ways. The European Parliament’s Panel for the Future of Science and Technology (STOA) provides several examples of how citizens are involved in assessments in science and technology development.
Ultimately though, such processes can only work if there is interest from data subjects to provide input, and if controllers are able to communicate legal and technical knowledge on the risks and benefits of processing technologies. The nature of the risks of data processing technologies – which are often complex, invisible and difficult to grasp – makes this a challenging task.
Interdisciplinary knowledge and efforts can facilitate understanding. As mentioned above, artists can play an interesting role here. There are projects which attest to art’s potential to focus people’s interest and transfer knowledge by making the invisibility of personal data processing more tangible. Art can also illustrate the opportunities of new technologies. Roos Groothuizen’s newest exposition is an escape room from which it is impossible to escape: “I want to delete it all, but not now.” Examples such as the casino game and the escape room help raise awareness and provide insights in fun and playful ways. However, it can be difficult to engage a variety of people, beyond an elitist bubble, in enjoying art. Not calling it ‘art’ (but instead ‘a casino’) can already attract different groups.
THE WAY FORWARD
In sum, there is real potential in the alignment of GDPR principles with more general public participation and citizen empowerment debates. Meanwhile, there are still many barriers and challenges to realize that potential. The interdisciplinary research project SPECTRE is focusing on the way forward to address those challenges. How can urban dwellers in (smart) cities be involved in decision-making processes that shape their urban environments, and can data protection impact assessments and other rights be leveraged in doing so? Clearly, an interdisciplinary angle is the way to tackle this complex topic.
The GDPR and its provisions alone are far from sufficient to address such ambitious goals. Often abstract and vague, and in any case beyond the knowledge, capabilities and interest of the average citizens, it is decisive to complement them with practical means to make them understandable, operationalizable and interesting for laymen citizens and public servants.
Jonas Breuer is a doctoral researcher at the Vrije Universiteit Brussel (imec-SMIT). He conducts his research within the SPECTRE project.
Athena Christofi is a doctoral researcher at KU Leuven (CiTiP). She conducts her research within the SPECTRE project. She holds an LLM in European Law from the College of Europe.
Prof. Dr. Maximilian von Grafenstein LL.M. is Professor of Digital Self-Determination at the Einstein Center Digital Future in Berlin (University of the Arts). He is also Vice President of the Academic Board of the European Association of Data Protection Professionals (EADPP).
Roos Groothuizen is an Independent Media Artist and Designer with a passion for digital rights. As part of art collective Telemagic and as a solo artist, she studies and contextualises our human relationship with invisible technology.
Dr Mihalis Kritikos is a Policy Analyst at the European Parliament working as a legal / ethics advisor on Science and Technology issues (STOA/EPRS) and Fellow of the European Centre of Excellence on the Regulation of Robotics at the Scuola Superiore Sant’Anna.
Ine van Zeeland is a PhD researcher within the VUB research chair on Data Protection On The Ground.
Jo Pierson heads the research unit ‘Data, Privacy & Empowerment’ at imec-SMIT and is professor in the VUB Department of Media and Communication Studies. He holds the VUB research chair on Data Protection On The Ground.
For more information on the SPECTRE research project and the broader research trajectory that underlies this discussion, please visit spectreproject.be.