2024: A Privacy Odyssey
1. How did we get here?
Europe is said to have established the gold standard in terms of protection of personal data with the General Data Protection Regulation and we await what is arguably the world's first comprehensive horizontal regulation on Artificial Intelligence: the EU AI Act.
However, legislation is not an end in itself; in a democracy it serves to protect the rights and freedoms of its citizens. So regulations are only as 'golden' as their practical effect is for citizens.
What are sound empirical and trustworthy indicators of the practical effect of, for instance, data protection regulation? Let's learn from empirical studies on citizens' perception of data protection.
To be sure: "The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality." (GDPR, Recital 4).
1.1. Citizens' perception of protection of personal data
Let's compare two studies: one from 2012 and one from 2021. The relevance: the GDPR entered into force on 24 May 2016 and has applied since 25 May 2018.
(1) Dara Hallinan, Michael Friedewald, Paul McCarthy, Citizens' perceptions of data protection and privacy in Europe. In: Computer Law & Security Review, Volume 28, Issue 3, 2012. Pages 263-272.
(2) Lyn E. Pleger, Katharina Guirguis, Alexander Mertes, Making public concerns tangible: An empirical study of German and UK citizens’ perception of data protection and data security. In: Computers in Human Behavior, Volume 122, 2021.
1.1.1. Cognitive Dissonance
Ad (1) The 2012 article is a 'meta-analysis of public opinion surveys on public understanding and knowledge of data protection and privacy in Europe'. And although 'in general, public opinion surveys and their results are an imprecise tool in the creation of an image of a diverse public', it is also clear that:
i. 'the public allocates data protection and privacy significant importance';
ii. 'there is confusion, or at least an apparent lack of distinction, between privacy and data protection';
iii. 'knowledge of deeper aspects of data protection was rarely forthcoming. There was equally a disconnection between the abstract perception of importance and how, and to what end, the data protection frameworks fit into a broader system of law and society.';
iv. 'It is remarkable that individuals do not use privacy enhancing technologies more. In Flash Eurobarometer 225, only 22% of respondents claimed to have used privacy enhancing tools, whilst 56% had never heard of the technology. Amongst the reasons cited were a lack of belief in their effectiveness or that respondents wouldn't know how to use or install them.'; and
v. 'higher trust was shown in government than in private sector actors, although, there appeared to be an undercurrent of distrust related to both'.
Or formulated concisely:
"There is thus a degree of cognitive dissonance, particularly considering the high abstract importance allocated to privacy. Considering limited information, bounded rationality and behavioural distortions present in a decision in a data environment, it appears that the public are being forced to act in an environment they have no template for approaching."
Can we expect things to have improved, given the impact of the implementation of the GDPR and its enforcement?
1.1.2. Treat Citizens' Data Protection Concerns Seriously and Address them Proactively and Continuously
Ad (2) The 2021 article is based on a mixed-methods design consisting of a media analysis and an online survey of 1000 respondents from the UK and Germany, which investigates the conception of data protection and data security from the citizens’ point of view. In the study the focus was mainly on the relation state - citizen.
The article's main findings and recommendations in 2 quotes:
'Findings indicate a common lack of understanding of the concepts of data protection and data security. We argue that citizens’ understanding of these concepts is a prerequisite for governments to adequately address citizens’ concerns regarding e-government initiatives.'
and
'Combe (2009, p. 395) argues that “[in] a civil society, privacy safeguards are a cornerstone of basic human rights and are enshrined in a series of legislative measures to ensure standards are adhered to by recipients of personal information, be they public or private organisations, or individuals.” A state, therefore, creates the context and implements the legal provisions for companies to protect their customer data. Governments aiming at an “information society” need to not only treat concerns of their citizens seriously but should also address them proactively and continuously (Lips et al., 2005, p. 1).'
1.2. The EU citizen's data protection rights: not a tangible reality
So, although a lot has happened since Samuel D. Warren and Louis D. Brandeis coined "The Right to Privacy" in the United States in 1890, the European citizen's practical understanding of privacy, data protection, let alone, the de facto data protection (by design and by default), ensured by government and/or the private sector, or even the individual citizen's de facto right to access a redress mechanism to enforce data protection rights, is still not a tangible reality.
1.3. Professor Daniel Solove: The Myth of the Privacy Paradox
One may conclude: 'Well, EU citizens think privacy is important, however, they do not behave in a manner that ensures their privacy. This surely means that privacy is dead.'.
But this reasoning is identified by Professor Solove as the 'Myth of the Privacy Paradox', which he, as far as I am concerned, very convincingly deconstructed in his 2020 article.
(See also the post I wrote about Solove's Myth debunking arguments: O Mensch! Gib acht! The Privacy Paradox and other Myths, and our Call to Action.)
In short: Solove challenges the notion of a conflict between individuals' stated values regarding privacy, and their actual behaviors related to privacy. He argues that the privacy paradox is a myth, created by faulty logic, unwarranted generalizations, and conflated issues. For, according to Solove, attitudes and behaviors concerning privacy are distinct phenomena, and attributing a lower value to privacy based solely on observed behavior would be fallacious. This is why he proposes to focus on regulating the architectures governing information usage rather than attempting to manage individual privacy practices directly.
2. Next steps
From a Government perspective; what are the national and sector implementation guidelines and best practices for, for instance:
Where are the national expert centres to create and ensure services and tooling, provided by the government and private sector for citizens and customers, that enable EU citizens' individual privacy behavior to be more in line with their privacy values?
On a less technical level, do we have a clear understanding of data protection and the answer to the question: 'Cui Bono'?
Given the data protection framework in a given country; who benefits de facto? The citizen? The government? The businesses?
Do we opt for Privacy Liberalism (balancing act between the legitimate interests of society and the protection of individual privacy and autonomy, recognizing that privacy is essential for the flourishing of liberal democratic values such as personal autonomy, freedom, equality, and human dignity [Individual Autonomy, Right to Privacy, Limits on Government Surveillance, Freedom of Expression and Thought]) or for the Communitarian approach to Privacy (a holistic approach that considers both individual and societal interests, with a focus on promoting collective well-being and maintaining the integrity of communities [Social Harmony, Common Good, Cultural Integrity, Social Justice])?
What does this mean for the design of, and transparency towards citizens with regard to, the Common European Data Spaces, which 'will make more (personal) data available for access and reuse. This will be done in a trustworthy and secure environment for the benefit of European businesses and citizens'?
The EU Data Governance Act has a similar goal and 'seeks to increase trust in data sharing, strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data'.
Will additional future work on the architecture of data protection, the technical implementation and the (philosophical and ethical) purposes of data protection strategies also make a reality of the second motto of the GDPR: "On the protection of natural persons with regard to the processing of personal data and on the free movement of such data"?
3. The Time is Now
Awaiting the EU AI Act, I notice a big shift in attention from data protection work to AI work, and I see this as a privacy risk. We are, in my opinion, not yet successful in ensuring, on a foundational level, data protection for citizens with regard to fairly simple data flows concerning personal data, let alone black box algorithms processing personal data by linking large data lakes.
I would like to be wrong here...
4. Epilogue
So why use the image of the monolith of '2001: A Space Odyssey' for this post? One common interpretation is that the monolith represents a catalyst for human evolution and technological advancement. It is my sincere hope that we are in time to build in safeguards for our evolution and technological advancement.
PS. The Privacy Liberalism vs Communitarian approach to Privacy section was inspired by a recent talk with Jeroen Terstegge. A topic that deserves a broader audience and dialogue.
9 months ago: Interesting considerations, thank you Marlon Domingus