Who owns our data?, Beat Rudin?
Text: Beat Rudin
We disclose data about ourselves on the internet all the time,
without realizing it. A computer scientist and a lawyer show that research into safeguarding privacy can go hand in hand with asserting a right to privacy.
Data protection is not principally about data security, as computer scientists often think. It is also not about the protection of data, as the term might suggest. Rather, it is about the protection of the fundamental and personal rights of the people about whom we process data. They should be able to decide as a matter of principle what information they reveal about themselves, and to whom.
Yet, the state, the economy, and research need information. Even social interaction does not work without information. Processing of personal data by the state represents a violation of the fundamental right to “informational self-determination” and is permissible only when it is legally sanctioned and proportionate. Private processing of data can be a violation of personal rights, and is only legal and, therefore, permissible when sanctioned by the consent of the person concerned, by an overriding public or private interest or by a law.
Take the example of research. If, where data are being used for research purposes, it is not possible to work out to whom they refer – in other words, if the data are collected anonymously or are anonymized – no personal rights can be infringed. There is no need to invoke data protection law in order to conduct research using such data. However, if the data are only pseudonymized, or even include identifying information, meaning that they can be linked back to the person they relate to, it is necessary to secure the consent of the “data donors” – under the Human Research Act, there is provision for general consent – or legal permission to (continue to) use the data without consent.
So far, so good. Still, this system, which strikes a balance between the competing interests of the need to carry out tasks, in the broadest sense, and personal rights, is now being called into question by various developments. The political response to threats is reflexive, rather than reflective. Consent is no longer the outcome of a process of negotiation between equals. Saying “yes” to the installation of an app on a smartphone allows the provider to vacuum up data from the user’s contacts – without asking them. With the advent of big data, huge amounts of anonymized data can be linked up to make it possible, in certain circumstances, to identify the persons concerned. And cost pressures can lead to the outsourcing of applications and data to a cloud where you can longer control who uses the data, and for what purpose.