Cover Page The handle

(1)

Cover Page

The handle

http://hdl.handle.net/1887/68574

holds various files of this Leiden University

dissertation.

Author: Ursic, H.

(2)

Uncontrollable:

Data Subject Rights and the

Data-driven Economy

PROEFSCHRIFT

ter verkrijging van

de graad van Doctor aan de Universiteit Leiden, op gezag van Rector Magnificus prof. mr. C.J.J.M. Stolker,

volgens besluit van het College voor Promoties te verdedigen op donderdag 7 februari 2019

klokke 10.00 uur

door

Helena Uršič

(3)

Promotor: prof. dr. S. van der Hof Co-promotor: dr. ir. B.M.H. Custers

Promotiecommissie: prof. dr. L. Edwards (Newcastle University, UK) prof. dr. E. Kosta (Tilburg Universiteit)

(4)

1. INTRODUCTION ... 15

1.1. The big data revolution and control over personal data ... 15

1.2. Research question(s) ... 18

1.3. Methodology ... 20

1.4. Introducing the main concepts ... 21

1.5. A cautionary remark regarding scope ... 22

1.6. Structure ... 23

2. THE RISE OF THE DATA-DRIVEN ECONOMY AND THE INDIVIDUAL ... 27

2.1. Introduction ... 27

2.2. Technologies that created the data-driven economy ... 28

2.2.1. Internet (of Things) ... 29

2.2.2. Datafication ... 30

2.2.3. Infinite data storage ... 31

2.2.4. Data analytics ... 32

2.3. How does the data-driven (big data) economy work? ... 33

2.3.1. Data acquisition ... 34

2.3.2. Data analytics and other software used to gain insights ... 36

2.3.3. Generating value through decision-making ... 38

2.4. The individual in the data-driven economy ... 39

2.4.1. Benefits ... 40

2.4.1.1. Convenience ... 40

2.4.1.2. Self-expression and self-control ... 41

2.4.1.3. Reduced cost and/or (in)direct monetary benefits ... 41

2.4.1.4. New knowledge and innovations ... 42

2.4.1.5. Security of data and citizens ... 43

2.4.2. Risks ... 43 2.4.2.1. Compromised privacy ... 44 2.4.2.2. Lack of transparency ... 45 2.4.2.3. Undermined autonomy ... 47 2.4.2.4. Power asymmetries ... 48 2.4.2.5. Discrimination ... 49 2.5. Conclusions ... 49

3. SAFEGUARDING INDIVIDUALS IN THE DATA-DRIVEN ECONOMY – LEGAL FRAMEWORK

53

3.1. Introduction ... 53

3.2. EU fundamental rights and personal data in the data-driven economy ... 54

3.2.1. Introduction ... 54

3.2.2. Protection of private life in the EU system of fundamental rights ... 57

3.2.2.1. The ECHR system of protection of personal data and private life ... 57

3.2.2.1.1. The right to private life under Article 8 of the ECHR ... 57

3.2.2.1.2. Protection of personal data under Article 8 of the ECHR ... 58

(5)

3.2.2.2.2. The right to data protection in Article 8 of the EU Charter ... 60

3.2.2.2.2.1. The reasons to codify data protection as a human right ... 61

3.2.2.2.2.2. Differences between the data protection right and the right to privacy ... 62

3.2.3. The prohibition of discrimination ... 65

3.2.4. Freedom of expression and thoughts ... 68

3.2.5. Consumer protection ... 69

3.2.6. Human dignity ... 70

3.2.7. The rule of law as the cornerstone of the EU human rights system – the relevance for the data-driven era ... 71

3.2.8. Freedom to do business ... 72

3.3. EU secondary law ... 73

3.3.1. Introduction ... 73

3.3.2. Data protection law ... 74

3.3.2.1. General data protection ... 74

3.3.2.1.1. Personal data at the heart of data protection law ... 75

3.3.2.1.2. Protection-oriented duties of commercial data users ... 77

3.3.2.1.2.1. Definitions of data users ... 77

3.3.2.1.2.2. Protection principles for personal data users ... 78

3.3.2.1.3. Control-enhancing rights of data subject rights ... 82

3.3.2.1.3.1. Definition of data subjects ... 82

3.3.2.1.3.2. Data subject rights ... 82

3.3.2.2. Protection of privacy in public communication networks (ePrivacy) ... 83

3.3.3. Cybersecurity provisions ... 84

3.3.4. Competition law ... 86

3.3.5. Consumer protection law ... 88

3.4. Conclusions ... 90

4. CONTROL AS A CENTRAL NOTION IN THE DISCUSSION ON DATA SUBJECT RIGHTS ... 93

4.1. Introduction ... 93

4.2. Roots of the term ... 94

4.2.1. Ordinary language and dictionary meaning ... 94

4.2.2. Control in philosophy ... 94

4.2.3. Control in psychology ... 95

4.3. Individual control over data and fundamental rights ... 97

4.3.1. Control over personal data and the right to informational self-determination ... 97

4.3.2. Control over personal data and the right to privacy ... 99

4.3.3. Control over personal data and the right to data protection ... 100

4.3.4. Control over personal data and the right to property ... 101

4.4. Control and EU data protection law ... 102

4.4.1. Policy vision for individual control in the data-driven economy ... 103

4.4.2. Reflections of control in the GDPR ... 104

4.4.3. Clustering control rights in the GDPR ... 105

4.5. Individual control – a challenging aspiration ... 107

4.6. Conclusions ... 107

5. THE RIGHT TO INFORMATION ... 111

(6)

5.2. The link to fundamental values ... 112

5.3. Regulatory framework under the GDPR ... 113

5.3.1. The content of the communicated information ... 113

5.3.1.1. The information catalogue ... 113

5.3.1.1.1. Information about legal bases ... 115

5.3.1.1.2. Information about the length of the storage period ... 116

5.3.1.1.3. Information about third parties and recipients of data ... 117

5.3.1.1.4. Information about new (other) purposes of data processing ... 118

5.3.1.1.5. Information about the sources of data ... 120

5.3.1.2. The right to explanation ... 121

5.3.1.2.1. Information about automated decision-making in Articles 13 and 14 ... 121

5.3.2. The quality of communication ... 124

5.3.3. The form of communicating the information provisions ... 127

5.3.3.1. Privacy policies and/or notices ... 127

5.3.3.1.1. Icons and other visualisations ... 129

5.3.3.1.2. Standardised privacy policies ... 131

5.3.3.1.3. Information incorporated in standard terms and conditions ... 132

5.3.4. Timing ... 133

5.3.4.1. When in time? ... 133

5.3.4.2. How often in time? ... 133

5.3.5. Restrictions ... 134

5.4. The right to information in the electronic communication sector ... 135

5.4.1. Privacy of electronic communication ... 135

5.4.2. Informing about placing the cookies and location tracking ... 136

5.4.3. Informing users about Wi-Fi tracking ... 138

5.4.4. Information on cybersecurity ... 138

5.5. The right to information as a control affording entitlement ... 139

5.5.1. Limits to data subjects’ control ... 139

5.5.2. Enablers to data subjects’ control ... 141

5.6. Conclusions ... 142

6. THE RIGHT OF ACCESS UNDER EU DATA PROTECTION LAW ... 146

6.1. Introduction ... 146

6.2. The right of access under the GDPR ... 148

6.2.1. The right of access under the GDPR ... 148

6.2.2. Examples of specific applications of right of access ... 150

6.2.2.1. The right of access on a continuum between personal and anonymised data ... 150

6.2.2.2. Accessing shared data and coupled databases ... 152

6.2.2.3. Access to information on automated decision-making ... 153

6.3. Regulatory boundaries of data subjects’ data requests ... 155

6.3.1. Limitations regarding the cost, frequency, and scope of requests ... 155

6.3.2. Further exceptions ... 157

6.4. How the right of access works in practice ... 157

6.5. The right of access as a control affording entitlement ... 159

(7)

7. THE RIGHT TO BE FORGOTTEN ... 165

7.1. Introduction ... 165

7.2. Values underpinning the RTBF ... 166

7.3. Towards the GDPR’s version of the RTBF ... 167

7.3.1. The right to oblivion in criminal law ... 167

7.3.2. The RTBF under the data protection directive ... 168

7.4. The RTBF under the GDPR ... 168

7.4.1. The CJEU paving the way towards the GDPR in line with the 2012 proposal ... 168

7.4.1.1. Google Spain ... 169

7.4.1.2. Manni ... 173

7.4.2. The RTBF and its manifestations under the GDPR ... 174

7.4.2.1. Analysis of Article 17 of the GDPR – the right to erasure or the (explicit) RTBF ... 175

7.4.2.1.1. General ... 175

7.4.2.1.2. The meaning of ‘informing third parties’ ... 177

7.4.2.2. Other types of online ‘forgetting’ ... 180

7.4.2.2.1. The right to object ... 180

7.4.2.2.2. Consent withdrawal ... 181

7.5. Options to operationalise the RTBF beyond the GDPR ... 182

7.5.1. The right to a clean slate ... 182

7.5.2. Technical solutions to operationalise the RTBF ... 184

7.5.2.1. My Account by Google and Privacy Basics by Facebook ... 184

7.5.2.2. Deletion-by-default ... 185

7.5.2.3. Expiration dates ... 185

7.5.2.4. Obfuscation ... 186

7.5.2.5. Down-ranking ... 187

7.6. The RTBF as a control affording entitlement ... 187

7.6.2.1. Technological forces ... 189

7.6.2.2. Economic forces ... 190

7.7. Conclusions ... 191

8. DATA PORTABILITY AS A DATA SUBJECT RIGHT ... 194

8.1. Introduction ... 194

8.2. How and when the idea of data portability emerged ... 195

8.2.1. Commercial initiatives ... 195

8.2.2. Regulatory initiatives ... 196

8.3. Personal data portability under the GDPR ... 197

8.3.1. Three components of the right ... 197

8.3.1.1. ‘The […] right to receive the personal data […] in a structured, commonly used and machine-readable format’ ... 197

8.3.1.2. ‘[…] the right to transmit those data to another controller without hindrance’ ... 199

8.3.1.3. ‘[…] the right to have the personal data transmitted directly from one controller to another, where technically feasible.’ ... 199

8.3.2. The restrictive definition of the right to data portability ... 200

8.3.2.1. ‘[…] data provided’ ... 200

8.3.2.2. ‘[…] concerns a data subject’ ... 201

(8)

8.3.2.4. ‘[…]the processing is carried out by automated means’ ... 202

8.3.2.5. ‘The right should not apply to processing necessary for the performance of a task […] in the public interest or in the exercise of official authority […]’ ... 202

8.3.2.6. ‘That right shall not adversely affect the rights and freedoms of others.’ ... 202

8.4. Data portability v. other data subject rights ... 203

8.4.1. The right of access ... 203

8.4.2. The right to erasure (the RTBF) ... 203

8.4.3. The right to information ... 204

8.5. Data portability in other legal fields ... 204

8.5.1. Data portability as a competition law measure ... 205

8.5.2. Data portability as another aspect of the right to access industrial data ... 207

8.5.3. Personal data portability at the intersection between consumer and data protection 209 8.6. The right to personal data portability as a control affording entitlement ... 210

8.6.1.1. Control over personal data transfers ... 210

8.6.1.2. Enabling control over (re)uses of data ... 211

8.6.1.3. Enabling control over multilevel data flows and complexity ... 213

8.6.1.4. Enabling free development of personality and equality ... 214

8.7. Conclusions ... 215

9. DATA SUBJECT RIGHTS IN RELATION TO PROFILING ... 219

9.1. Introduction ... 219

9.2. Profiling as a building block of the data-driven value chain ... 219

9.2.1. The definition of profiling ... 219

9.2.2. Data science methods used for profiling ... 222

9.2.3. Risks of profiling ... 223

9.2.3.1. Possible harms ... 223

9.2.3.2. Profiling with no human intervention – the real danger? ... 224

9.3. How the GDPR tackles profiling on the individual level ... 225

9.3.1. The GDPR’s definition of profiling ... 225

9.3.2. The difficulties with asserting the legal basis for profiling ... 226

9.3.3. Individual rights in relation to profiling ... 228

9.3.3.1. Hildebrandt’s choice architecture ... 228

9.3.3.2. The right to object ... 229

9.3.3.3. The right not to be subject to solely automated decisions ... 232

9.3.3.3.1. The prohibition ... 232

9.3.3.3.2. The right to contest – technological due process? ... 235

9.4. Provisions on profiling as control affording entitlements ... 237

9.5. Conclusions ... 238

10. CONCLUSIONS AND RECOMMENDATIONS ... 241

10.1. Introduction ... 241

(9)

10.2.1. The effectiveness assessment ... 242

10.2.1.1. Data subject control rights as a vehicle of lawfulness, transparency and fairness, ... 243

10.2.1.1.1. Lawfulness ... 243

10.2.1.1.2. Transparency ... 244

10.2.1.1.3. Fairness ... 246

10.2.1.2. Data subject rights as a vehicle of purpose limitation ... 247

10.2.1.3. Data subject rights as a vehicle of data minimisation and storage limitation ... 248

10.2.1.4. Data subject rights as a vehicle of accuracy, integrity, and confidentiality ... 249

10.2.1.5. Data subject rights as a vehicle of accountability ... 250

10.2.2. Concluding remarks ... 250

10.3. The way forward for data subject rights ... 251

10.3.1. Abandoning control rights ... 251

10.3.2. Alternatives to data subject rights ... 252

10.3.2.1. Turning to technological solutions ... 252

10.3.2.2. Legal solutions ... 254

10.3.2.2.1. Holistic approach within the GDPR ... 254

10.3.2.2.2. Holistic approach outside the GDPR ... 255

10.3.2.2.2.1. Consumer protection ... 255

10.3.2.2.2.2. Competition law ... 257

10.3.2.2.2.3. Regulation of AI ... 258

10.3.3. Recommendations ... 258

Samenvatting (Dutch Summary) ... 260

Bibliography ... 263

Curriculum Vitae ... 288

Figure 1: Data-driven value chain ... 34

(10)

Abbreviations

SME

Small and/or medium enterprise

EU

European union

DPD

Data protection directive

GDPR

General data protection regulation

ECHR

European Convention of Human Rights

CJEU

The Court of Justice of the EU

IoT

Internet of Things

AI

Artificial Intelligence

NHS

National Health Service

RFID

Radio-frequency ID

UK

United Kingdom

US

United States of America

NSA

US National Security Agency

ECtHR

The European Court of Human Rights

OECD

Organization for Economic Cooperation and Development

TFEU

Treaty on the functioning of the EU

NIS

Network and Information Security

EDPS

European Data Protection Supervisor

CMA

UK Competition and Markets Authority

DCD

Directive on Digital Content

LIBE

Committee on Civil Liberties, Justice and Home Affairs

RWD

Real-world data

DPA

Data protection authority

B2C

Business to consumer

ISO

International standardization organisation

NCC

National consumer council (Norway)

PbD

Privacy by design

RTBF

The right to be forgotten

URL

Uniform (Web) Resource Locator

(11)