Safeguarding Privacy; Beyond Legal and Technology: Ethics
Reg: "All right... all right... but apart from better sanitation and medicine and education and irrigation and public health and roads and a freshwater system and baths and public order... what have the Romans done for us?"
Source: Monty Python's Life of Brian
Last week a new answer was added: "Ethics!". For during the 2018 International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Brussels [22-26 October] the focus was on what should be done, to 'ensure that technology is designed and developed to serve humankind, and not the other way around'; to 'put dignity back into digital'.
Giovanni Buttarelli, the European Data Protection Supervisor, already started preparations for the ICDPPC as early as 2015, with his opinion: Towards a new digital ethics. Data, dignity and technology, the establishment of the Ethics Advisory Group (EAG) and the 2015-2019 EDPS Strategy: Leading by Example, in which: "Developing an ethical dimension to data protection" was identified as one of ten objectives. In 2017 Buttarelli contributed with 'Data Protection and Ethics' in: 3TH1CS. A reinvention of ethics in the digital age? Edited by Philipp Otto and Eike Gr?f. In 2018: "Towards a digital ethics", the EAG report was published.
Buttarelli graduated “cum laude” from La Sapienza University in Rome in 1984. He was appointed as a Professor at the Faculty of Law at Lumsa University in Rome, in 2005, where he lectured on the Protection of Personal data and Fundamental Rights in Italy and Europe.
So, it is safe to state that, Roman Buttarelli has indeed done a lot for us, by consistently putting Ethics on the agenda. See his opening speech 'Choose Humanity: Putting Dignity back into Digital' at the ICDPPC:
But Buttarelli was not alone. Tim Cook, to me, really stood out in committing to answering ethical questions, both personally and as Apple's CEO:
At Apple, we are optimistic about technology’s awesome potential for good. But we know that it won’t happen on its own. Every day, we work to infuse the devices we make with the humanity that makes us. As I’ve said before, “Technology is capable of doing great things. But it doesn’t want to do great things. It doesn’t want anything. That part takes all of us.”
See his keynote address here:
See also my Twitter recap of the ICDPPC highlights:
On Ethics: Aristotle and Kant
To me, ethics is closely related to safeguarding privacy, and underlying the privacy principles in the GDPR. To me it means: "Do no harm, and be publicly accountable for your deliberate, conscious, practical judgment.". See also this interview for Erasmus Magazine.
I see ethics in the Aristotelean tradition - as a character trait, something that is done consistently and deliberately, not just in debate, but in actions, and as a result of a motivated choice, based on experience, given a certain context, between 'too little' and 'too much'; the Aristotelean "golden mean".
See more here on the relevance of Aristotle and 'balancing' in the GDPR.
Paul Nemitz revealed in December 2016, during the PI Lab annual conference, that the GDPR has an underlying Kantian Moral Philosophy. At that time he was acting Director Fundamental Rights and Union Citizenship; DG Justice and Consumers.
This specific reference to Kant's 'Categorical Imperative' was a real eye opener to me, but made perfect sense. Two phrasings by Kant of his Categorical Imperative:
Act only according to that maxim by which you can at the same time will that it should become a universal law.
— Immanuel Kant, Groundwork of the Metaphysics of Morals (1785)
The categorical imperative is, Kant states, an absolute, unconditional requirement that must be obeyed in all circumstances and is justified as an end in itself. Kant proceeds in his second formulation of the categorical imperative:
Act in such a way that you treat humanity, whether in your own person or in the person of any other, never merely as a means to an end, but always at the same time as an end.
— Immanuel Kant, Groundwork of the Metaphysics of Morals (1785)
So with Nemitz's appeal to Kantian moral philosophy, we see our own role as guardians of both our own privacy and the privacy of others.
For practical application I translated the Categorical Imperative into two questions, which I still use today, when I talk with someone about processing personal data:
Q1: Would you be comfortable, if you, and all the details of your processing, would be on the frontpage of tomorrow's newspaper?
This appeals to the moral accountability of the processing and the purpose of the processing that should be justifiable in itself. If I feel the ethical relevance of the processing didn't come across yet, I ask a second question:
Q2: Would you be comfortable, if your minor daughter would be subject of your processing?
This appeals to the aspect of treating someone as an end, not a means, something we do more naturally to protect our own kids. What it does, is shift attention from your role as 'a processor, processing data of a data subject', to 'your responsibility as a human being to protect other human being's fundamental rights equally as you would protect your own rights'.
This, to me, is an elegant way of looking at safeguarding privacy: if you think about it, it is something we expect from others in the same way we can be expected by others - not because the GDPR states it, but because we want to be treated as an end, not a means, and we pay this respect to others in a similar way.
Suggested further reading:
