Navigating the Dataverse: Privacy, Technology ... - The ICHRP

More documents

Recommendations

Info

human rights prohibitions (on race, etc.). 186 On the other hand, “profiling” itself is clearly not prohibited by the Data Protection Directive: just the reverse. After all, the whole point of creating profiles is to discriminate. Profiles are a form of discrimination. The question that tends to arise (the next area of anxiety with regard to privacy and dataveillance we will examine) is whether the extensive profiling sanctioned by data protection rules is a form of discrimination we should care about. This, essentially, is the thesis of two important interventions in the surveillance studies debate, Oscar Gandy’s 1993 Panoptic Sort and David Lyon’s 2003 Social Sort. 187 According to the latter, “surveillance today sorts people into categories, assigning worth or risk, in ways that have real effects on their life-chances. Deep discrimination occurs, thus making surveillance not merely a matter of personal privacy but of social justice”. 188 This is a strong claim. Is it correct? Examples from Lyon’s edited volume include the role of CCTV in segregating neighbourhoods; 189 the role of Computer-Based Performance Monitoring (CBPM) in keeping workers stratified and in line; 190 the role of DNA databases in driving up health insurance costs for vulnerable individuals; 191 and the (historical and potential future) role of ID cards in enforcing or preserving patterns of ethnic discrimination or discrimination against immigrants. 192 There is no question that these issues are significant. Even where surveillance merely serves to tag the income categories of motor vehicles (for example) it can contribute to social stratification. 193 Even if dataveillance facilitates certain kinds of discrimination, as it surely does, is it correct to view it as a cause of discrimination. In each of the above cases, the social sort appears to increase the efficiency of forms of discrimination and segregation already practiced. Moreover, not only are they practiced, but in most cases they are legal, at least according to human rights law as generally practiced. (Discriminating against “socio-economic categories” is not only legal, it is the basis of the “price mechanism” itself.) In this area, human rights law, by delegitimising some kinds of discrimination, arguably legitimates others. In this area, human rights law, by delegitimising some kinds of discrimination, arguably legitimates others. 186 Such cases would appear to fall in principle to Europe’s other court (ECHR cases known as “Arts. 8 + 14”, where Article 14 protects against discrimination). See Julie Ringelheim, “Processing Data on Racial or Ethnic Origin for Antidiscrimination Policies: How to Reconcile the Promotion of Equality with the Right to Privacy?” Jean Monnet Working Paper 08/06. 187 Gandy (1993) and Lyon (2003). 188 Lyon (2003), 1. Lyon adds: “surveillance ... is a powerful means of creating and reinforcing long-term social differences.” 189 Clive Norris, “From personal to digital: CCTV, the panopticon, and the technological mediation of suspicion and social control” in Lyon (2003); Francisco Klauser, “A Comparison of the Impact of Protective and Preservative Video Surveillance on Urban Territoriality: the Case of Switzerland”, 2 Surveillance & Society 145 (2004); Ann Rudinow Sætnan, Heidi Mork Lomell and Carsten Wiecek, “Controlling CCTV in Public Spaces: Is Privacy the (Only) Issue? Reflections on Norwegian and Danish observations” 2 Surveillance & Society 396 (2004). 190 Kirstie Ball, “Categorising the workers: electronic surveillance and social ordering in the call centre” in Lyon (2003). 191 Jennifer Poudrier, “‘Racial’ categories and health risks: epidemiological surveillance among Canadian First Nationals” in Lyon (2003). Though discrimination of this sort might as easily be attributed to the absence of universal health care: a non-universal system must presumably discriminate from the outset. 192 Felix Stalder and David Lyon, “Electronic identity cards and social classification” in Lyon (2003). 193 Colin Bennett, Charles Raab, and Priscilla Regan, “People and place: patterns of individual identification within intelligent transport systems” in Lyon (2003). 58 Navigating the Dataverse: Privacy, Technology, Human Rights
Let’s take another example: “risk profiling” by financial institutions. A recent study of the phenomenon found that banks compile risk profiles not only in order to minimise their own risks of default, but also to comply with obligations to ensure they are not facilitating money laundering or terrorism. Indeed, multinationals may be required by their presence in one jurisdiction to apply certain policies everywhere, so “banks [regardless of location] that want to do business in the United States have to implement a worldwide Know Your Customer (KYC) program, partially based on the Patriot Act”. 194 A degree of opacity would appear necessary, in this case, to the evaluation of risk or creditworthiness. Moreover, the requirement to monitor for money-laundering and fraud may exempt banks from full disclosure on data held and processed – indeed, when it comes to terrorism, we again see a destabilising of the public-private divide: “public” (state) and “private” (banking) institutions share an identical rationale for the non-disclosure of personal data to the relevant (“private”) individuals. 195 The consequences for the data subject may be significant. “Although these risk profiles may be lacking reliability, they are applied to take measures against high risk clients [who] may be put under close scrutiny, rejected financial services, blacklisted, etc. Clients often have little means of redress as transparency regarding profiling and its implications is lacking”. 196 Here we find the familiar opacity-transparency dichotomy, but the space restricted from view in this case does not protect the privacy/autonomy of the individual – it rather protects the autonomy (the decisional, local and informational privacy) of the relevant institution. Moreover this relative asymmetry of autonomy appears unavoidable if institutions (public or private) are to correctly gauge the trustworthiness of the clients they manage. We are back, then, at the rationale for surveillance outlined at the beginning of Chapter 3. Informational asymmetry is beginning to look, in these examples, as a systemic requirement if an information-saturated world is to function according to widely accepted principles of security. To end Chapter 5, let us engage in a thought experiment. Suppose the Data Protection Directive extends to data subjects a right of access to data held about them (subject, as usual, to certain standard qualifications and exceptions). Suppose also that its provisions applied to all data held by corporations and governments – including, for the sake of the experiment, those outside the EU. Would it be possible to assimilate, parse, analyse, maintain, comprehend, manage the volume of information that would be unearthed on any given individual? 197 Or to evaluate and suppress non-compliant “data”? Or to “control” the rest? What would be the necessary conditions for such management? How could it be done in such a way that any “informational asymmetries” are eliminated? The mind boggles. Chapter 5 has looked at the legal framework governing an individual’s control over the information generated about the self. It has noted a number of human rights principles relevant in this domain: privacy, non-discrimination and data-protection. An investigation of the relevant legal practice tends to show that existing human rights norms in the domain of privacy are not equipped or intended to address the anxieties of the dataverse. Indeed, it is unclear whether they can be articulated in human rights terms at all. The 194 Bart Custers, “D 7.16: Profiling in Financial Institutions”, FIDIS (2009), 10: “In order to track fraud, money laundering and terrorist funding, financial institutions have a legal obligation to create risk profiles of their clients”. 195 An intriguing question is whether banks might be exempted from disclosing risk profiles held on clients to them, under the Directive’s Article 13(1)(g) (as the risk profile might arguably be intended to protect “the data subject or the rights and freedoms of others”) or 13(2) (as the risk profile might present “clearly no risk of breaching the privacy of the data subject”.) 196 Custers (2009), 8. On this general theme, Nock (1993). 197 For a similar point concerning “consent” in the Directive, Hildebrandt (2005), 45. Navigating the Dataverse: Privacy, Technology, Human Rights 59
Page 1 and 2:
Navigating the Dataverse Privacy, T
Page 3 and 4:
Navigating the Dataverse: Privacy,
Page 5 and 6:
Navigating the Dataverse: Privacy,
Page 7 and 8:
Contents Acknowledgements Executive
Page 9:
Acknowledgements This Discussion Pa
Page 12 and 13:
As to the first, the Discussion Pap
Page 14 and 15:
contesting profiles so long as cert
Page 16 and 17:
▪ Human rights organisations can
Page 18 and 19:
gathering technologies as illustrat
Page 20 and 21:
information is extensively gathered
Page 22 and 23:
themselves were reproduced in onlin
Page 25 and 26: I. A Short History of Privacy Altho
Page 27 and 28: property. 20 This establishes the l
Page 29 and 30: Privacy must be viewed as an ideal
Page 31 and 32: During the 1980s, partly as a resul
Page 33 and 34: e removed merely by an effort of cl
Page 35 and 36: II. The Privacy-Technology Dynamic
Page 37 and 38: dataverse. Not only are there many
Page 39 and 40: internet, when it arrived shortly t
Page 41 and 42: simply are not - they don’t exist
Page 43 and 44: III. Security and Surveillance Havi
Page 45 and 46: When we talk about state surveillan
Page 47 and 48: stimulation of economic activity. S
Page 49 and 50: Digital Personhood How should we th
Page 51 and 52: Identity is therefore unitary and a
Page 53 and 54: IV. Privacy across Borders: Persona
Page 55 and 56: Where research on communications an
Page 57 and 58: The Expanding Dataverse Biometric I
Page 59 and 60: peoples of most countries, enormous
Page 61 and 62: Such protections do not shield indi
Page 63 and 64: V. Law, Privacy, Profiling This Dis
Page 65 and 66: Griswold set the pattern for one br
Page 67 and 68: terrorist”. 144 In Posner’s vie
Page 69 and 70: ut it has not so far accepted that
Page 71 and 72: 2. The Court turned to the practice
Page 73 and 74: normative statements on the substan
Page 75: individual may have multiple profil
Page 79 and 80: VI. Boundaries and Borders We have
Page 81 and 82: process” to empirical research in
Page 83 and 84: As a result, communicational pruden
Page 85 and 86: Business School: “The amount of p
Page 87 and 88: the domain of international law. In
Page 89 and 90: A U.S. Secret Service liaison poste
Page 91 and 92: examples to the experience of a sho
Page 93 and 94: Conclusion This Discussion Paper ha
Page 95: The rise of contemporary data harve
Page 100: This ICHRP Discussion Paper examine
show all

Navigating the Dataverse: Privacy, Technology ... - The ICHRP

Create successful ePaper yourself

Delete template?

Save as template?