Skip to main content
SpringerLink
Log in

A Purpose-Based Taxonomy for Better Governance of Personal Data in the Internet of Things Era: The Example of Wellness Data

  • Chapter
Data Protection and Privacy: (In)visibilities and Infrastructures

Part of the book series: Law, Governance and Technology Series ((ISDP,volume 36))

Abstract

Tomorrow, the rise of the Internet of Things will allow us to collect and process a growing amount of real-time data related to our body. This phenomenon will unlock new opportunities both in health- and non-health-related sectors but also challenge the frontiers of what we used to consider private. Beyond these frontiers, not all data is created with the same level of sensitivity and risk, and we propose a new taxonomy based on purpose rather than anticipated sensitivity of the personal data collected. We believe this new taxonomy can help companies govern data flows in a way that strikes a better balance between the protection of personal data, drawing examples from both the European Union and the United States regulatory context, and research and innovation opportunities as well as incentivizes them to develop more user-centric business models. In the end, a better governance of personal data can help citizens become more responsible for the choices they make.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 149.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Hardcover Book
USD 199.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJEU L 119/1, 4.5.2016, http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32016R0679.

  2. 2.

    Act n°78–17 of 6 January 1978 on information technology, data files and civil liberties amended inter alia by Act of 6 August 2004 relative to the protection of individuals with regard to the processing of personal data, English version: http://www.cnil.fr/fileadmin/documents/en/Act78-17VA.pdf.

  3. 3.

    Act n° 78–17, article 8-I: “The collection and processing of personal data that reveals, directly or indirectly, the racial and ethnic origins, the political, philosophical, religious opinions or trade union affiliation of persons, or which concern their health or sexual life, is prohibited.”

  4. 4.

    Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal L 281, 23/11/1995, p. 0031–0050. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.

  5. 5.

    Privacy Act of 1974, 5 U.S.C. § 552a - Records maintained on individuals.

  6. 6.

    Article 29 Data Protection Working Party, “Opinion 4/2007 on the concept of personal data”, June 20, 2007, 01248/07/EN, WP 136,

    http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf.

  7. 7.

    Direction de la recherche, des études, de l’évaluation et des statistiques (DREES), Données de santé : anonymisation et risques de réidentification, July 2015, dossiers solidarité et santé, n°64, 103 pages, http://www.drees.sante.gouv.fr/IMG/pdf/dss64-2.pdf.

  8. 8.

    Article 29 Data Protection Working Party, “Opinion 05/2014 on Anonymisation Techniques”, April 10, 2014, 0829/14/EN, WP 216, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf.

  9. 9.

    This area is the focus of a number of privacy scholars, such as Latanya Sweeney’s infamous experiment with the “anonymized data” released by the Massachusetts Group Insurance Commission. For more details, refer to Ohm, Paul, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization”, UCLA Law Review, Vol. 57 (2010): p. 1701 or, Sweeney, Latanya. “Only You, Your Doctor, and Many Others May Know.”

  10. 10.

    On this notion of statistical accuracy and privacy, Angiuli, Olivia, Blitzstein, Joe and Waldo, Jim. “How to de-identify your data.” Communications of the ACM 58, no. 12 (2015): 48–55.

  11. 11.

    Wolf Gary, “Know Thyself: Tracking Every facet of Life, from Sleep to Mood to Pain, 24/7/365”, WIRED (2009), http://archive.wired.com/medtech/health/magazine/17-07/lbnp_knowthyself.

  12. 12.

    The White House, Executive Office of the President, Big Data: Seizing Opportunities, Preserving Values, May 2014: “Bio-repositories that link genomic data to health care data are on the leading edge of confronting important questions about personal privacy in the context of health research and treatment,” p. 29,

    https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf.

  13. 13.

    Mundie, Craig, “Privacy Pragmatism”, Foreign Affairs, March/April 2014, https://www.foreignaffairs.com/articles/2014-02-12/privacy-pragmatism.

  14. 14.

    Directive 95/46/EC, article 6-b: personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes”.

  15. 15.

    US 1974 Privacy Act, 5 U.S.C. § 552a. Records maintained on individuals which defining an “routine use”, “with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected”.

  16. 16.

    “Apple Boss delivers strongest attack yet on Facebook and Google over privacy”, The Guardian, June 3, 2015, http://www.theguardian.com/technology/2015/jun/03/apple-tim-cook-google-facebook-privacy.

  17. 17.

    As explained in the latest book of Cardon, Dominique, and Antonio A. Casilli. Qu’est.-ce que le digital labor?. INA, 2015.

  18. 18.

    Interview with Antonio Casilli : “Les Usines Digitales Du Web : L’Humanité Interviewe Antonio Casilli (31 Mars 2014).” Antonio A. Casilli. Accessed March 25, 2016. http://www.casilli.fr/2014/03/31/les-usines-digitales-du-web-lhumanite-interviewe-antonio-casilli-31-mars-2014/

  19. 19.

    Collin, Pierre, and Colin, Nicolas. “Mission d’expertise sur la fiscalité de l’économie numérique. ” Ministère des Finances et de l’Économie. Rapport au Ministre de l’économie et des finances, au Ministre du redressement productif, au Ministre délégué chargé du budget et à la Ministre déléguée chargée des petites et moyennes entreprises, de l’innovation et de l’économie numérique (2013).

    http://www.economie.gouv.fr/files/rapport-fiscalite-du-numerique_2013.pdf.

  20. 20.

    Cardon, Dominique, “La Vie Privée Se Porte Bien, Merci Pour Elle - Digital Society Forum.”Accessed March 5, 016. http://digital-society-forum.orange.com/fr/les-forums/473-la_vie_privee_se_porte_bien_merci_pour_elle.

  21. 21.

    Slogan of the Quantified Self movement as explained in the Wolf, Wired, op. cit.

  22. 22.

    Zimmer, Ben, “Wellness - The New York Times.” Accessed March 25, 2016. http://www.nytimes.com/2010/04/18/magazine/18FOB-onlanguage-t.html.

  23. 23.

    Pharabod, Anne-Sylvie, “Quelles Sont Les Pratiques de Mesure de Soi ?” Digital Humanities - Les Sciences Humaines et Sociales à Orange Labs. Accessed March 25, 2016. http://digital-humanities.orange.com/publications/articles/65-quelles_sont_les_pratiques_de_mesure_de_soi.

  24. 24.

    Jonathan L. Zittrain, The Future of the Internet - And How to Stop It. Yale University Press, 2008.

  25. 25.

    Winner, Langdon. “Do artifacts have politics?” Daedalus (1980): 121–136.

  26. 26.

    To paraphrase the title of Wired’s 2009 article: “You Are What Google Says You Are.” WIRED (2009). Accessed March 25, 2016. http://www.wired.com/2009/02/you-are-what-go

  27. 27.

    Tyler Cowen, “The Measured Worker”, MIT Technology Review (2015)

  28. 28.

    Special Eurobarometer 431, Data Protection, Report Fieldwork: March 2015, Publication: June 2015, http://ec.europa.eu/public_opinion/archives/ebs/ebs_431_en.pdf.

  29. 29.

    “France Fines Google Over ‘Right To Be Forgotten.’” Fortune, March 24, 2016. Accessed March 25, 2016. http://fortune.com/2016/03/24/france-google-right-to-be-forgotten/

  30. 30.

    Nissenbaum, Helen, “Privacy as Contextual Integrity”, Washington Law Review, 79:1, 2004, 101–139 or Nissenbaum, Helen, “Respect for Context as a Benchmark for Privacy Online: What it Is and Isn’t”, The Futures of Privacy, Fondation Télécom, Think Tank Futur Numérique, Cahier de prospective, 2014. Accessed March 25, 2016. http://www.fondation-telecom.org/actualites/le-cahier-de-prospective-the-futures-of-privacy-est-disponible-199/.

  31. 31.

    This approach is the one promoted by the Article 29 Data Protection Working Party in its Opinion on the Recent Developments on the Internet of Things. Article 29 Data Protection Working Party, Opinion 8/2014 on the Recent Developments on the Internet of Things, September 16, 2014, 14/EN, WP 223, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf.

  32. 32.

    Art. 25of the General Data Protection Regulation.

  33. 33.

    The General Data Protection Regulation defines in its article 4(11) the data subject’s consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”; it requires in its article 6–1(a) that “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” and in the article 9 that, for health data, “the data subject has given explicit consent to the processing.”

  34. 34.

    Special Eurobarometer 431, Data Protection, op. cit.

  35. 35.

    Cardon, Digital Society Forum, op.cit.

  36. 36.

    Turow, Joseph, Hennessy, Michael and Draper, Nora. “The tradeoff fallacy: How marketers are misrepresenting American consumers and opening them up to exploitation.” The Annenberg School for Communication, University of Pennsylvania (2015). Accessed March 25, 2016. https://www.asc.upenn.edu/sites/default/files/TradeoffFallacy_1.pdf.

  37. 37.

    Art. 5–1(b) of the General Data Protection Regulation.

  38. 38.

    Searls, Doc. The intention economy: when customers take charge. Harvard Business Press, 2013.

  39. 39.

    As explained in “‘Going Dark’ Versus a ‘Golden Age for Surveillance’ | Center for Democracy & Technology.” Accessed March 25, 2016. https://cdt.org/blog/%E2%80%98going-dark%E2%80%99-versus-a-%E2%80%98golden-age-for-surveillance%E2%80%99.

  40. 40.

    Bruce Schneier, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, W. W. Norton & Company, April 2015.

  41. 41.

    Hardy, Quentin, “Using Algorithms to Determine Character - The New York Times.” Accessed March 25, 2016. http://bits.blogs.nytimes.com/2015/07/26/using-algorithms-to-determine-character.html.

  42. 42.

    Bernard, Tara Siegel. “Giving Out Private Data for Discount in Insurance.” The New York Times, April 8, 2015. Accessed March 25, 2016. http://www.nytimes.com/2015/04/08/your-money/giving-out-private-data-for-discount-in-insurance.html.

  43. 43.

    An early example can be found in the privacy-protecting search engine DuckDuckGo: contrary to Google, DuckDuckGo pledged to collect as little information as possible on its users, but this comes at a cost in terms of the quality of the searches since they are less tailored as a result.

  44. 44.

    Falque-Pierrotin, Isabelle, “InsurTech : Pourquoi L’assurance Doit Se Réinventer, Articles.” Accessed March 25, 2016. http://www.lesechos.fr/la-releve-2016/edition-2016/021779969166-insurtech-pourquoi-lassurance-doit-se-reinventer-1208465.php.

  45. 45.

    A similar argument is made in Morozov, Evgeny, “Facebook Isn’t a Charity. The Poor Will Pay by Surrendering Their Data” Accessed March 25, 2016. http://www.theguardian.com/commentisfree/2015/apr/26/facebook-isnt-charity-poor-pay-by-surrending-their-data.

  46. 46.

    As in the dystopian fiction Egger, Dave, The Circle, Knopf.

  47. 47.

    That was the case when it was revealed in 2012 that Target had figured out a pregnancy before the woman’s father: “How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did - Forbes.” Accessed March 25, 2016. http://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/#205eaf7a34c6.

  48. 48.

    European Commission, Digital Agenda for Europe, Pillar III : Trust and Security, http://ec.europa.eu/digital-agenda/en/our-goals/pillar-iii-trust-security.

  49. 49.

    Art. 20 of the General Data Protection Regulation.

  50. 50.

    Art. 11 of Directive 95/46/EC and art. 13 the General Data Protection Regulation.

  51. 51.

    In this sense, see art. 14 “Information to be provided where personal data have not been obtained from the data subject” of the General Data Protection Regulation.

  52. 52.

    The designation of a DPO is not compulsory in all cases (see inter alia art. 37 of the General Data Protection Regulation.

  53. 53.

    Art. 4–15 of the General Data Protection Regulation.

  54. 54.

    Hecketsweiler, Chloé, “La Télémédecine Au Chevet Des Déserts Médicaux.” Accessed March 25, 2016. http://www.lemonde.fr/medecine/article/2015/06/11/la-telemedecine-au-chevet-des-deserts-medicaux_4651494_1650718.html.

  55. 55.

    Berne, Xavier, “Le Projet de Loi Sur La Santé Relance Le « Dossier Médical Personnel »,” October 17, 2014. http://www.nextinpact.com/news/90456-le-projet-loi-sur-sante-relance-dossier-medical-personnel.htm.

  56. 56.

    Mello, Michelle M., Jeffrey K. Francer, Marc Wilenzick, Patricia Teden, Barbara E. Bierer, and Mark Barnes. “Preparing for responsible sharing of clinical trial data.” New England Journal of Medicine 369, no. 17 (2013): 1651–1658. DOI: 10.1056/NEJMhle1309073.

  57. 57.

    “Commission open data en santé. ” Ministère des Affaires sociales et de la Santé. Rapport au Ministre des Affaires sociales et de la Santé (2014). Accessed March 25, 2016. http://www.drees.sante.gouv.fr/IMG/pdf/rapport_final_commission_open_data-2.pdf

  58. 58.

    Trouiller, Patrice, Piero Olliaro, Els Torreele, James Orbinski, Richard Laing, and Nathan Ford. “Drug development for neglected diseases: a deficient market and a public-health policy failure.” The Lancet 359, no. 9324 (2002): 2188–2194. DOI: 10.1016/S0140–6736(02)09096–7

  59. 59.

    Commission open data en santé, op. cit.

  60. 60.

    Strom, Brian L., Marc Buyse, John Hughes, and Bartha M. Knoppers. “Data sharing, year 1—access to data from industry-sponsored clinical trials.” New England Journal of Medicine 371, no. 22 (2014): 2052–2054. DOI: 10.1056/NEJMp1411794.

  61. 61.

    Ibid.

  62. 62.

    Hughes, Eric. “A Cypherpunk’s manifesto.” (1993)

Author information

Authors and Affiliations

  1. Telecom ParisTech/SES, 46 rue Barrault, 75013, Paris, France

    Claire Levallois-Barth & Hugo Zylberberg

  2. Institut Mines-Telecom, Paris, France

    Claire Levallois-Barth & Hugo Zylberberg

Authors
  1. Claire Levallois-Barth
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Hugo Zylberberg
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Claire Levallois-Barth .

Editor information

Editors and Affiliations

  1. Tilburg Institute for Law, Technology, & Society, Tilburg University, Tilburg, The Netherlands

    Ronald Leenes

  2. Law, Science, Technology, & Society (LSTS), Vrije Universiteit Brussel (VUB), Brussels, Belgium

    Rosamunde van Brakel , Serge Gutwirth  & Paul De Hert ,  & 

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this chapter

Cite this chapter

Levallois-Barth, C., Zylberberg, H. (2017). A Purpose-Based Taxonomy for Better Governance of Personal Data in the Internet of Things Era: The Example of Wellness Data. In: Leenes, R., van Brakel, R., Gutwirth, S., De Hert, P. (eds) Data Protection and Privacy: (In)visibilities and Infrastructures. Law, Governance and Technology Series(), vol 36. Springer, Cham. https://doi.org/10.1007/978-3-319-50796-5_6

Download citation

Publish with us

Policies and ethics

Search

Navigation