Abstract
Traditionally, privacy and security are considered to be opposing values, constantly to be seen in contrast with each other. The purpose of this article is to demonstrate how technological development, instead of worsening the cleavage between privacy and security, allows considering the two principles to be inter-related and to affect each other reciprocally. By first theorising this relationship, the article will then take the GDPR as a case-study to demonstrate how effective data protection legislation considers the security of individuals, software and data to be crucial feature of such laws.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Warren; Brandeis, [14], p. 195.
DeCew [4]. In the book, the author derives from these distinct developments in US law the distinction between (1) constitutional or decisional privacy and (2) tort or informational privacy.
Katz v. United States, 389 U.S. 347 (1967).
Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended by Protocols Nos. 11 and 14, 4.11.1950.
Council of Europe, Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, European Treaty Series No. 108, 28.1.1981.
Rodotà [10].
Rossler [11].
Thomson [12].
Jeroen van den Hoven’s distinction between the referential and attributive use of personal data is one of the best examples. By exporting these concepts from the philosophy of language and criticising the use of the definition of “personal data” employed by EU data protection laws, van den Hoven proposes that “instead of defining the object of protection in terms of referentially used descriptions, we need to define the object of protection in terms of the broader notion of ‘identity relevant information’’’. (van den Hoven [13].)
Moor, [9], p. 29.
These are some of the potential risks derived from personal data breaches as suggested by Article 29 Working Party: Guidelines on Personal data breach notification under Regulation 2016/679.
Being inspired by Council of Europe Recommendation CM/Rec (2010)13, the GDPR defines “profiling” as an automated processing operation “consisting of the use of personal data to evaluate certain personal aspects relating to a natural person […]”. By requiring that it must involve some sort of assessment or judgment about an individual or a group of individuals, the GDPR considers profiling more than a simple classification of data in reason of its inherent evaluation of personal aspects used to identify—“to analyse or predict”—characteristics of present or future behaviour. It represents a broadly used practice in an increasing number of sectors—both public and private—helping decision-makers to increase efficiencies and save resources by extracting patterns and placing data subjects into certain categories and groups that allow to predict their likely behaviour, interests, or ability to perform a task. Having raised several questions about the accuracy of its predictions, as well as its inherent risk of discrimination leading to unjustified denial of goods and services, the processes of profiling and automated decision-making are addressed by specific norms of the GDPR.
According to Art. 8 of the Charter of Fundamental Rights of the European Union “(1) Everyone has the right to the protection of personal data concerning him or her. (2) Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. (3) Compliance with these rules shall be subject to control by an independent authority.”
By expanding the field of application of data protection prescriptions to the sectors of external security, Art. 16 TFUE states that “(1) Everyone has the rights to the protection of personal data concerning them. (2) The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities. The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.”
Connections between the data protection regulation and the Digital Single Market are evident since EC President Junker’s 2014 Political Guidelines “A New Start for Europe, My Agenda for Job, Growth, Fairness and Democratic Change” in which he states “[…] We must make much better use of the great opportunities offered by digital technologies, which know no border. To do so we will need […] to break down national silos in telecoms regulation, in copyright and data protection legislation […]. To achieve this, I intend to take […] ambitious legislative steps towards a connected Digital Single Market, notably by swiftly concluding negotiations on common European data protection rules […].”
Art. 1(3) of the GDPR.
Recital 15 of the GDPR.
Art. 32(1) of the GDPR.
Opinion 3/2010 on the principle of accountability (WP 173), p. 3 [2].
Gellert [6].
Recital 83 of the GDPR further attributes to the controller or processor the evaluation of inherent risks in order to implement measures that mitigate them, maintaining security and preventing processing in infringement of the Regulation.
Its significance and role are clarified in Recital 84: “In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk […]”.
Art. 35(7) of the GDPR.
Art. 35(1) of the GDPR.
Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (WP248 rev. 01) [1].
Recital 71 and 91 of the GDPR.
Art. 22(1) of the GDPR.
Recital 91 and Art. 22 of the GDPR.
e.g. ISO 31000:2009, Risk management—Principles and guidelines, International Organisation for Standardisation (ISO).
Art. 4(2) of the GDPR.
Art. 58(2) of the GDPR.
Art. 19(2) of the eIDAS Regulation requires trust service providers to notify supervisory bodies when breaches of security or losses of integrity impact significantly on the trust service provider or on the personal data stored therein.
Art.14 and Art.16 of the NIS Directive require digital service providers and operators of essential services to notify security incidents to their competent authorities.
Art. 3 of the ePrivacy Directive required that providers of publicly available electronic communication services ought to notify breaches to competent national authorities.
Cavoukian, [3], p. 126.
Recital 46 of the Data Protection Directive.
Art. 25 of the GDPR prescribes the moment in time in which the implementation of the specific measures defined in Art. 24 should occur.
Recital 78 of the GDPR.
Preliminary Opinion on privacy by design (Opinion 5/2018) [5].
According to the ISO/TS 25237:2017 standard, a pseudonym is “a personal identifier that is different from the normally used personal identifier and is used with pseudonymised data to provide dataset coherence linking all the information about a data subject, without disclosing the real world person identity”.
Hintze, El Emam [7].
Maldoff, [8].
Art. 6(4) of the GDPR.
Art. 33 and Art. 34 of the GDPR.
Art. 89(1) of the GDPR.
Art. 11 and Art. 12(2) of the GDPR.
Art. 83(2) of the GDPR.
On various occasions, including at the Europol´s Data Protection Experts Network ERA conference “Freedom and Security—Killing the Zero Sum Process”, the Data Protection Officer of the European Union Agency for Law Enforcement Cooperation (Europol) has put forward this argument.
References
Article 29 Working Party: Guidelines on data protection impact assessment (DPIA) and determining whether processing is “likely to result in a high risk” (2017). for the purposes of Regulation 2016/679 (WP248 rev. 01) (2017). Available at https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236
Article 29 Working Party: Opinion 3/2010 on the principle of accountability. WP (WP 173) (2010). Available at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp173_en.pdf
Cavoukian, A.: Privacy by Design: the Definitive Workshop. Identity in the Information Society (2010)
DeCew, J.W.: Pursuit of Privacy: Law, Ethics, and the Rise of Technology. Cornell University Press, Ithaca (1997)
European Data Protection Supervisor (EDPS): Protection Supervisor (EDPS): Preliminary opinion on privacy by design (Opinion 5/2018) (2018). Available at https://edps.europa.eu/sites/edp/files/publication/18-05-31_preliminary_opinion_on_privacy_by_design_en_0.pdf
Gellert, R.: Understanding the notion of risk in the general data protection regulation. Computer Law Secur. Rev. (2018). Available at https://www.sciencedirect.com/science/article/pii/S0267364917302698
Hintze, M., El Emam, K.: Comparing the benefits of pseudonymisation and anonymisation under the GDPR. J. Data Protect. Privacy 145–158 (2018). Available at https://www.ingentaconnect.com/content/hsp/jdpp/2018/00000002/00000002/art00005
Maldoff, G.: Top 10 Operational Impacts of the GDPR, Part 8: Pseudonymization (2018). Available at https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-8-pseudonymization/
Moor, J.H.: Towards a theory of privacy in the information age. Computer Soc. (1997)
Rodotà, S.: Tecnologie e Diritti, il Mulino, Bologna (1995)
Rössler, B.: Privacies: Philosophical Evaluations. Stanford University Press, Stanford (2004)
Thompson, J.J.: The right to privacy. Philos. Publ. Affairs 4, 295–314 (1975)
van den Hoven, J.: Information technology, privacy, and the protection of personal data. In: van den Hoven, J., Weckert, J. (eds.) Information Technology and Moral Philosophy, pp. 301–322. Cambridge University Press, Cambridge (2008)
Warren, S., Brandeis, L.: The right to privacy. Harvard Law Rev. 4(5), 193–220 (1890). Available at https://www.jstor.org/stable/1321160?seq=1#metadata_info_tab_contents
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Ventrella, E. The symbiotic relationship between privacy and security in the context of the general data protection regulation. ERA Forum 20, 455–469 (2020). https://doi.org/10.1007/s12027-019-00578-6
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12027-019-00578-6