1. Introduction
The "Guidelines on the protection of individuals with regard to the processing of personal data in a world of Big Data" (hereinafter Guidelines), adopted by the Consultative Committee of Convention 108 in January 2017, represent the first international guidance on the use of big data, which is a form of data processing that raises significant questions concerning the protection of fundamental rights.1
The role of individual self-determination with regard to the use of data and the risk assessment of big data applications represent two of the main aspects of the Guidelines and, in this regard, the Council of Europe suggests novel solutions to address the challenges of the new data processing paradigm based on analytics.
In light of the above, this article is divided into two main parts: the second section describes the impact of the new model of predictive analysis on the main principles of data protection regulation, while the third section discusses the provisions of the Guidelines and focuses on the risk assessment procedure adopted by the Consultative Committee.
2. Big Data: a new paradigm of data processing
The advent of big data analytics2 has suggested a new paradigm in portraying our societies, where the traditional approach adopted in statistical studies is complemented or replaced by predictive analysis. Data visualization has played a relevant role in this change, making possible the real-time analysis of streams of data and the prediction of their future trends.3 Moreover, algorithms are used to discover hidden correlations between the variables that characterize large datasets.
As in the past with traditional statistical studies, this kind of analysis is not carried out exclusively for scientific purposes, but is mainly conducted to provide insights about individuals and society to decision-makers. This relationship between data processing and the adoption of strategic decisions, which affect individuals in different contexts (e.g. financial services, healthcare services, urban planning), has become progressively stronger by reason of the increased availability of data as a result of the so-called datafication process.
This is an ongoing process to "capture quantifiable information"4, which aims to transform reality into data.5 In this sense, even human beings can be considered as aggregates of information,6 which represent their private or public identities. This relationship between individual nature and personal data has been recognised by the courts in various decisions concerning the right to privacy and ―more recently― the right to be forgotten.7
Nevertheless, the complexity of human beings cannot be reduced to a mere aggregate of data, since they are primarily persons. For this reason, the information referring to them is not neutral or raw data that, in the present digital economy, can be freely used and assimilated to mere goods, regardless of whether they are qualified as private or common. Personal data, as well as the other forms of expression of a given person, are part of her identity and, therefore, should be safeguarded within the framework of personality rights and fundamental rights and freedoms.8
According to this theoretical framework, an individual's name, image and social identity (i.e. reputation and honour) have been recognised as attributes of human beings and safeguarded by law over the centuries. Against this scenario, the right to the protection of personal data represents the most recent development of the category of personality rights, since its origin is strictly related to the early stages of the digitalisation of information, which is the foundation stone of the present process of datafication and of our (big) data-driven society.
Just as the right to privacy was the answer to the assault on the private sphere conducted by the penny press at the end of the XIX century,9 the right to the protection of personal information is the answer given by legislators in the '70s to citizens' rising concern about the risks of new forms of computer-based social control. Over the years, this risk has changed its nature and source, from the original concern about government surveillance and economic exploitation of personal information to the present public and private partnership in surveillance and the adoption of information-based predictive decision-making systems.
This increasing exploitation of personal information and the development of data processing technologies led legislators to adopt different procedural regulations on data protection and, since the so-called second generation of data protection laws,10 the right to the protection of personal information was placed in the wider context of fundamental rights. In this sense, Convention 108 on the Protection of Individuals with regard to Automatic Processing of Personal Data, adopted by the Council of Europe in 1981, considers data protection as an expression of the broader right to privacy.11
Although nowadays the right to data protection is, more correctly, considered an autonomous right, which differs from the right to privacy, the qualification provided by Convention 108 was consistent with the theoretical framework at that time. In any case, the most important element of this qualification consists in the level of protection accorded to personal information. In this sense, the protection of personal information is put at the highest level, in the context of fundamental rights.
More recently, the Charter of Fundamental Rights of the European Union has expressly recognised the "right to the protection of personal data"12 as an autonomous right, different from the right to respect for private and family life, and has granted to everyone "the right to the protection of personal data concerning him or her".
Against this scenario, the European model of data protection is based on the safeguard of the data subject's individual right to control "his or her personal data and the processing of such data".13 This is in line with the original notion of data protection as data control that was elaborated by legal scholars in the '70s,14 which led legislators to adopt a model of protection primarily focused on the individual dimension.15
Nevertheless, both this idea of control over personal information and the notion of data protection as an individual right show their limits in the context of the present forms of data processing based on analytics. In this sense, on the one hand, the traditional paradigm of "notice and consent" does not adequately address the complexity of data processing16 and, on the other hand, data collection and analysis are even more focused on the collective dimension, due to their attempt to understand, predict and orient the behaviour of groups of persons.
The use of big data analytics creates "a new truth regime",17 in which general strategies are adopted on a large scale on the basis of descriptions of society generated by algorithms,18 which predict future collective behaviour.19 These strategies are then applied to specific individuals, given the fact that they are part of one or more groups generated by analytics.20
Nevertheless, this "categorical" approach characterizing the use of analytics21 leads decision-makers to adopt common solutions for individuals belonging to the same cluster generated by analytics, without considering each individual per se and her unique identity, which may differ from the stereotypical models created by algorithms.
In this sense, the use of big data analytics to support decisions exceeds the boundaries of the individual dimension and assumes a collective dimension,22 with potentially harmful consequences for some groups.23 Therefore, the potential prejudice is no longer circumscribed to the well-known privacy-related risks (e.g. illegitimate use of personal information, data security), but it also concerns the negative impact on other fundamental rights, such as the right to non-discrimination.24
Against this background, the adoption of a fundamental rights impact assessment has been proposed by the United Nations Special Rapporteur on the right to privacy (Joe Cannataci), but it still seems far from being developed at a global level. Nevertheless, a first step in this direction is the Privacy, Ethical and Social Impact Assessment (PESIA),25 which has been adopted by the Council of Europe in its Guidelines on Big Data. This model of assessment goes beyond the traditional impact assessment focused on data quality and data security, since it also encompasses the societal consequences of data uses and the analysis of their potential conflicts with ethical values.
Moreover, the intent of the Guidelines to take into account the collective dimension of the use of personal information26 is not only evident in the scope of PESIA, but also in the participatory model adopted in the assessment procedure, which aims to give voice to the different stakeholders potentially affected by data processing.27
Although there are several provisions of these Guidelines that suggest novel approaches in protecting personal information and fundamental rights in the big data environment (e.g. the provisions concerning the role of the human intervention in Big Data-supported decisions28), the risk assessment procedure represents the core of the Guidelines. In this sense, the risk assessment procedure29 plays a central role with regard to different elements concerning the social and ethical dimensions of data uses, data subject's self-determination, the relationships between the purposes of data collection and data uses,30 the by design approach31 and the use of anonymous data32 and open data.33
3. The PESIA model in the context of the Guidelines of the Council of Europe
The Guidelines adopted by the Consultative Committee of Convention 108 are practical and operative instructions, not legally binding, provided by the Council of Europe to the Parties of the Convention. This is in line with the regulatory model of the Council of Europe, which adopts a principle-based approach complemented by guidelines that provide sector-specific interpretations of the principles of the Convention. Through the adoption of its guidelines, the Consultative Committee aims to facilitate an effective application of the principles of the Convention.34 In this sense, the Guidelines are primarily addressed to data controllers and data processors.
The main limit of these Guidelines regards their scope, since they concern a given technology in general (i.e. big data), rather than its application in a given sector (e.g. healthcare services). For this reason, the result achieved is not completely satisfactory for various operators, who would like to have specific answers with regard to the applications of analytics in given fields.
This outcome is inevitable due to the wide range of big data applications, but the awareness of this limit led the Consultative Committee of the Convention to recognise in the Guidelines that "given the expanding breadth of Big Data in various sector-specific applications, the present Guidelines provide a general guidance, which may be complemented by further guidance and tailored best practices on the protection of individuals within specific fields of application of Big Data (e.g. health sector, financial sector, public sector such as law enforcement)".35
Apart from this limit, the Guidelines represent an important step in regulating big data use, since the issues concerning analytics are not specifically addressed by the most recent data protection regulations, such as Regulation (EU) 2016/679.36
The main instrument to address the potential negative impact of big data on individuals and society is represented by risk management. In defining the key principles for risk management, the Guidelines suggest the adoption of a precautionary approach to regulating data protection in the field of big data.37
The precautionary approach is adopted with regard to any new application of technology that may produce potential risks for individuals and society, which cannot be exactly calculated or quantified in advance.38 In this sense, the obscurity of big data uses, the uncertainty characterising the concrete applications of data science and the potential high impact of big data analytics on essential aspects of society may warrant the adoption of this approach as the default setting.39
Regarding the scope of risk assessment, while in the Regulation (EU) 2016/679 - as well as in Directive 95/46/EC - it mainly focuses on data security and data quality, in the Guidelines the Data Protection Impact Assessment evolves into a broader and more complex Privacy, Ethical and Social Impact Assessment (PESIA) to encompass the societal consequences of data uses mentioned above.40
Obviously, an assessment concerning the compliance of data use with ethical and social values is more complicated than the traditional data protection assessment, since social and ethical values are necessarily context-based and change from one community to another.41 In this sense, the Guidelines recognise the relative nature of social and ethical values.42
To address this issue, the Guidelines urge both data controllers and data processors to use personal information in a manner that is not in conflict with the "ethical values commonly accepted in the relevant community or communities and should not prejudice societal interests, values and norms".43
Moreover, in order to provide a general benchmark of values to be taken into account in conducting the PESIA, the Guidelines identify "the common guiding ethical values" in the international charters of human rights and fundamental freedoms, such as the European Convention on Human Rights.44
Nevertheless, international charters and ethical values commonly accepted in a community45 may only provide a high-level guidance. For this reason, the Guidelines combine this general suggestion with a more tailored option, represented by "ad hoc ethics committees",46 which should identify the specific ethical values to be safeguarded with regard to a given use of data, providing more detailed and context-based guidance for risk assessment.
In conclusion, the PESIA model is based on a system of values which is organised on three different layers with a progressive granularity: the "common guiding ethical values" provided by the international charters of human rights, the values and social interests of given communities and the tailored application of these values provided by ethics committees, which focuses on a given use of data.
Regarding the procedure of assessment, the Guidelines adopt the traditional circular scheme that characterises the risk-assessment,47 which is divided into four stages:48 1) identification of risks, 2) analysis of the potential impact of these risks, 3) selection and adoption of the measures to prevent or mitigate the risks, 4) regular review of the effectiveness of the measures.49
With regard to the measures to prevent or mitigate the risks, the Guidelines also make an explicit reference to by-design and by-default solutions.50 The existing strict relationship between risk assessment and solutions by design implies that any change in the nature of the assessment affects the architectural solutions adopted. Thus, the multiple impact assessment suggested by the Council of Europe necessarily leads data controllers to consider a broader range of by-design solutions to mitigate the additional ethical and social concerns.51
Given the complexity of this assessment and the various aspects that should be taken into account, it cannot be conducted only by data protection experts, but "should be carried out by persons with adequate professional qualifications and knowledge to evaluate the different impacts, including the legal, social, ethical and technical dimensions".52
Finally, the collective dimension of the potential impact of the use of data led the Consultative Committee to encourage the involvement of all the relevant stakeholders, giving voice to the different groups of persons potentially affected by the use of data.53
4. Conclusions
The Guidelines on the protection of individuals with regard to the processing of personal data in the big data context represent the first attempt to provide practical guidance to address the issues related to the use of big data and to reduce their potential negative impacts on society.
These Guidelines, as well as the Privacy, Ethical and Social Impact Assessment that they outline, confirm the importance of going beyond the mere declarations of fundamental rights and of providing practical instructions and operative methodologies to put them into practice.
In light of the above, these Guidelines confirm the attention of part of our society to the potential implications of the use of data, adopting a viewpoint that rejects vague notions (such as "citizen empowerment" or "digital sovereignty") often used to provide a merely formal protection to personal data, and instead looks ahead to concrete and robust forms of assessment of the compliance of data use with the ethical and social values accepted in a given community.54