Navigating the Dataverse: Privacy, Technology ... - The ICHRP
Navigating the Dataverse: Privacy, Technology ... - The ICHRP
Navigating the Dataverse: Privacy, Technology ... - The ICHRP
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Let’s take ano<strong>the</strong>r example: “risk profiling” by financial institutions. A recent study of <strong>the</strong><br />
phenomenon found that banks compile risk profiles not only in order to minimise <strong>the</strong>ir<br />
own risks of default, but also to comply with obligations to ensure <strong>the</strong>y are not facilitating<br />
money laundering or terrorism. Indeed, multinationals may be required by <strong>the</strong>ir presence<br />
in one jurisdiction to apply certain policies everywhere, so “banks [regardless of location]<br />
that want to do business in <strong>the</strong> United States have to implement a worldwide Know Your<br />
Customer (KYC) program, partially based on <strong>the</strong> Patriot Act”. 194<br />
A degree of opacity would appear necessary, in this case, to <strong>the</strong> evaluation of risk or creditworthiness.<br />
Moreover, <strong>the</strong> requirement to monitor for money-laundering and fraud may<br />
exempt banks from full disclosure on data held and processed – indeed, when it comes<br />
to terrorism, we again see a destabilising of <strong>the</strong> public-private divide: “public” (state)<br />
and “private” (banking) institutions share an identical rationale for <strong>the</strong> non-disclosure of<br />
personal data to <strong>the</strong> relevant (“private”) individuals. 195 <strong>The</strong> consequences for <strong>the</strong> data<br />
subject may be significant. “Although <strong>the</strong>se risk profiles may be lacking reliability, <strong>the</strong>y are<br />
applied to take measures against high risk clients [who] may be put under close scrutiny,<br />
rejected financial services, blacklisted, etc. Clients often have little means of redress as<br />
transparency regarding profiling and its implications is lacking”. 196<br />
Here we find <strong>the</strong> familiar opacity-transparency dichotomy, but <strong>the</strong> space restricted from<br />
view in this case does not protect <strong>the</strong> privacy/autonomy of <strong>the</strong> individual – it ra<strong>the</strong>r<br />
protects <strong>the</strong> autonomy (<strong>the</strong> decisional, local and informational privacy) of <strong>the</strong> relevant<br />
institution. Moreover this relative asymmetry of autonomy appears unavoidable if<br />
institutions (public or private) are to correctly gauge <strong>the</strong> trustworthiness of <strong>the</strong> clients <strong>the</strong>y<br />
manage. We are back, <strong>the</strong>n, at <strong>the</strong> rationale for surveillance outlined at <strong>the</strong> beginning<br />
of Chapter 3. Informational asymmetry is beginning to look, in <strong>the</strong>se examples, as a<br />
systemic requirement if an information-saturated world is to function according to widely<br />
accepted principles of security.<br />
To end Chapter 5, let us engage in a thought experiment. Suppose <strong>the</strong> Data Protection<br />
Directive extends to data subjects a right of access to data held about <strong>the</strong>m (subject, as<br />
usual, to certain standard qualifications and exceptions). Suppose also that its provisions<br />
applied to all data held by corporations and governments – including, for <strong>the</strong> sake of<br />
<strong>the</strong> experiment, those outside <strong>the</strong> EU. Would it be possible to assimilate, parse, analyse,<br />
maintain, comprehend, manage <strong>the</strong> volume of information that would be unear<strong>the</strong>d on any<br />
given individual? 197 Or to evaluate and suppress non-compliant “data”? Or to “control” <strong>the</strong><br />
rest? What would be <strong>the</strong> necessary conditions for such management? How could it be done<br />
in such a way that any “informational asymmetries” are eliminated? <strong>The</strong> mind boggles.<br />
Chapter 5 has looked at <strong>the</strong> legal framework governing an individual’s control over <strong>the</strong><br />
information generated about <strong>the</strong> self. It has noted a number of human rights principles<br />
relevant in this domain: privacy, non-discrimination and data-protection. An investigation<br />
of <strong>the</strong> relevant legal practice tends to show that existing human rights norms in <strong>the</strong><br />
domain of privacy are not equipped or intended to address <strong>the</strong> anxieties of <strong>the</strong> dataverse.<br />
Indeed, it is unclear whe<strong>the</strong>r <strong>the</strong>y can be articulated in human rights terms at all. <strong>The</strong><br />
194 Bart Custers, “D 7.16: Profiling in Financial Institutions”, FIDIS (2009), 10: “In order to track fraud, money laundering<br />
and terrorist funding, financial institutions have a legal obligation to create risk profiles of <strong>the</strong>ir clients”.<br />
195 An intriguing question is whe<strong>the</strong>r banks might be exempted from disclosing risk profiles held on clients<br />
to <strong>the</strong>m, under <strong>the</strong> Directive’s Article 13(1)(g) (as <strong>the</strong> risk profile might arguably be intended to protect<br />
“<strong>the</strong> data subject or <strong>the</strong> rights and freedoms of o<strong>the</strong>rs”) or 13(2) (as <strong>the</strong> risk profile might present “clearly<br />
no risk of breaching <strong>the</strong> privacy of <strong>the</strong> data subject”.)<br />
196 Custers (2009), 8. On this general <strong>the</strong>me, Nock (1993).<br />
197 For a similar point concerning “consent” in <strong>the</strong> Directive, Hildebrandt (2005), 45.<br />
<strong>Navigating</strong> <strong>the</strong> <strong>Dataverse</strong>: <strong>Privacy</strong>, <strong>Technology</strong>, Human Rights 59