European Policy, Privacy & Data
Rethinking Privacy Self-Management and Data Sovereignty in the Age of Big Data
We begin by looking closely at the political philosophies and legal theories grounded in the rights of individuals that have shaped data-protection frameworks in the United States, the European Union and Germany. Each of these systems approaches data protection differently, yet each is premised on the concept of an individual having some control over his or her personal information. The basis for this analysis is the American perspective. The U.S. regulates data by type and sector. The focus lies here on individual consent, which many U.S. companies apply in a “take it or leave it” approach. In Germany, the processing of personal data also needs individual consent in theory, as it interferes with the right of informational self-determination. However, individual consent is only seldom obtained in practice. Instead, numerous regulations give organizations the right to engage in personal-data processing even without the explicit agreement of the individual. Nevertheless, the principle of informational self-determination grants individuals various constitutionally protected rights − for example, the right to examine, correct or delete stored personal data − which enable them to exercise control over their data. The European Union’s legal framework also bases its data-protection mechanisms on the concept of individual control, thus assigning responsibility for data management to the individual. Thus, principles such as transparency, purpose specification and data minimization have shaped existing legislation on both sides of the Atlantic.
Finally, we examine possible new ways to achieve individual control in this big-data world. We investigate three complementary notions of privacy self-management that may offer a way forward in constructing modern privacy regulations, with data sovereignty playing the central role. The first concept, dealing with education and data portability, would give more responsibility to individuals, empowering as well as burdening them. However, since the empowerment of individuals alone cannot address all the challenges presented by big data, a second approach would make companies responsible for data protection in the form of voluntary industry self-regulation. This would relieve individuals of a portion of the data-management burden; however, self-regulation often fails to meet the standards of accountability and transparency fully. To account for this potential shortfall, a third concept is introduced, in which third parties would perform state-mandated impact assessments of data-management practices, advocating for users’ interests and creating greater transparency. However, while these third-party assessments could help users, there is a risk of treating users in a patronizing manner. To prevent this, users would need to engage in the education addressed in the first concept, thus enabling them to use the assessments in a self-determined manner. These collective approaches can address the challenges posed by big data. The basis for their implementation remains governmental regulation, which assigns rights to individuals, creates a dependable framework and balances power asymmetries. As regulatory systems have been stretched to their limits by the challenges of digitization, a multipronged approach of the kind advocated by this report is necessary to overcome the weaknesses inevitable in any single concept.