Juan Antonio Martínez recently presented a study through the Holy Cross’
School of Church Communications in Rome, on what came to be the Consumer Data Privacy in a Networked World (1), a draft
bill approved by the White House in February 2012, and the European
Commission directive General Data Protection Regulation (GDPR) (2) of January 2012, which both seek to establish a regulatory
framework for privacy in the context of the digital economy.
Legislators from both sides of the Atlantic undeniably have sufficient
reason for concern. First, scandals generated by Wikileaks and Snowden
infiltrations aroused debate in the US Senate and international public
opinion on political espionage within US Security, which was used for
voluntarily collaboration (vaguely permitted by antiterrorism laws) with
major Internet companies that possess the personal data of millions and
millions of users, i.e. citizens. Representatives of some of these
companies (Yahoo, Facebook, Google, Microsoft, Apple, Skype, Twitter), who
once upon a time gave their enthusiastic economic support of the electoral
campaigns of Obama, later decided to distance themselves from the White
House. Obama himself was obliged to give explicit messages, until now only
rhetorical, on the need to review policies regarding citizen vigilance
through data stored everywhere.
Incidentally, it is surprising that the White House’s interest in the
protection of consumer data, rather eloquently expressed in the regulatory
framework adopted by the White House itself just a few months before, has
not actually been “extended” to citizens. It seems as if consumers and
citizens were two distinct categories. As Martínez explains in his study,
the concerns that have led to the Consumer Data Privacy in a Networked World were actually
commercial, not political. The issue under question in this text is who owns users’ data: enterprises in Internet services that have
obtained this data with the consent of the users, or the users themselves?
To what extent? How can a free trade be ensured and technological
innovation be uninhibited?
Not just about spy and infiltration stories
To talk about the Internet is to talk about data. And to talk about data is
ultimately to talk about people. Eric Schmidt , CEO of Google Inc. until
2011, a few years ago said, “There were five exabytes of information
created between the dawn of civilization through 2003, but that much
information is now created every two days, and the pace is increasing.” The
reason for such an exponential increase of stored data is the content
generated by users. For Google’s advisor, the information created by
Internet users and the current state of technology easily allow for
profiling that predicts personal conduct. “People are describing enormous
amounts of things about themselves through videos and photographs and so
forth… [with a cell phone] you can tell us where you are and then you can
tell your friends where you are. [We can use technology] to predict where
you are going to go. Pretty interesting. We can take a picture, and if you
have 14 pictures on the internet with a 95% confidence interval, we can
predict who you are.” Schmidt continues to explain how society is not
prepared for questions that will arise as a consequence of content
generated by users. The following figure gives us an idea of the quantity
of data registered per minute on the web.
Scenarios described in movies such as Terminator, Matrix or Minority Report seem to come alive. But in this
case, the dark side isn’t incarnate in perverse machines, but rather what
some users can do with the personal data of other users. Any action that
would be lost in “analogical” life, remains stored, archived, and in many
cases, at the disposition of the public in the online world.
One Challenge: Two Responses
Below are the main conclusions of Martínez’ study on the two legal texts.
The new European Regulation, which will be directly applicable to all of
Europe upon approval, allows for greater control over personal information.
It establishes, for example, the Right to digital oblivion as the
power to demand the application of reasonable means to remove, and solicit
the removal from a third party, all information that may be of concern to a
person (art. 17)
Another new right that aims at securing the holder ability to dispose of
their personal information is Data portability (art. 18).
A user may request a structured copy of his/her personal information that
may be used by a similar system from the data controller.
One last important novelty of the European Regulation is the individual’s Principle of location. The former legal framework granted the
applicable legislation to the data controller. From now on, the law will
apply to the owner of the data. This will require the equalization of the
norms for companies operating within and outside of the European Union.
The U.S. Consumer Data Privacy in a Networked World is the first
standard that systematically addresses the issue of personal data
protection. The core of this proposal is constituted by the the Consumer
Privacy Bill of Rights, a bill of privacy rights for consumers in the
digital context. This charter establishes a set of principles that serves
companies in the online world as a guide to the establishment of
self-regulating mechanisms regarding privacy issues.
There are seven principles that form this charter: single user control,
transparency of information provided to the consumer, respect for context
in data processing, security, right to access and correction of personal
information, collection of data limited to the service offered by the
company, and corporate responsibility in data processing.
In conclusion, according to Martínez, the principle for respect for context
in processing personal information leaves companies a wide margin to decide
the ends for which the personal data is used. “The norm affirms the key
element to understanding the context of data transfer and processing is
determined by goal of the companies relationship with its consumers. This
criterion gives companies the ability to use personal information for ends
that are distinct from the purpose for gathering it, as well as the
possibility to pass the information to third parties as long as it
represents an improvement in service for its customers”.
For its part, the European Regulation falls short of realism. For example,
the right to be forgotten is not free from technical difficulties, since it
is quite difficult to regain control of personal data as soon as it begins
to circulate the web. Then, the location criterion presupposes a
disadvantage regarding innovation for companies based in European
territory, and it fails to reach companies with headquarters outside of
Europe. We have yet to see the results of the legal proceedings that
companies and citizens of five European countries currently hold against
Google, the most powerful Internet browser, and if they will adapt to the
legal framework established for the protection of personal data.
Conclusion: a new habeas data
Differences aside, which can be traced back to diverse legal traditions and
mentalities, the law makers, pushed by technological changes and social
consequences, are developing new rights that arise from the need for
individuals to have controlling power of their personal information. As
Martínez states, “in order for this power to control to be fully
guaranteed, the holder needs a series of rights that he may exercise while
his data is being processed. Doctrine has nominated these guarantees as
ARCO: access, rectification, cancellation, and opposition.”
Without any rhetorical claims, we can speak of a new habeas data.
This habeas data responds to the same requirements and criteria of
justice that historically led to the habeas corpus at the start of
the modern rule of law, and then to a habeas mente when the
challenges of an society fueled by information prompted the recognition of
a right to privacy, along with other personal rights.
The complete title is
Consumer Data Privacy in a Networked World: A Framework for Promoting
Privacy and Promoting Innovation in the Global Digital Economy
. The full text can be found here:
The complete title is
REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the
protection of individuals with regard to the processing of personal
data and on the free movement of such data.
As a European regulation, it is binding to all countries that belong to the
European Union, without the need for a national law to be transposed in
their respective countries. The text in English can be accessed here at: