From the Protection of Data to the Protection of Individuals: Extending the Application of Non-discrimination Principles

European Data Protection: In Good Health?

Abstract

Starting from the observation that it is increasingly difficult to effectively control a priori all data collections or the production of new knowledge on individuals, we argue that the only available option is to strengthen a posteriori controls on the use of personal data and to ensure that the victims of data misuses can get compensations which are significant enough to represent a deterrence for data controllers. We also argue that the consequences of such misuses of personal data often take the form of unfair discriminations and this trend is likely to increase with the generalisation of the use of profiles. For this reason, we advocate the establishment of stronger connections between anti-discrimination and data protection laws, in particular to ensure that any data processing resulting in unfair differences of treatments between individuals is prohibited and is subject to effective compensations and sanctions.

This work was funded by an INRIA postdoctoral position.

Notes

  1.

    We use the term “inference” here to denote the derivation of new knowledge on the basis of available data. This new knowledge may typically involve facts (e.g. a taxi driver’s address inferred from the GPS data provided by his cab) or predictions (such as the likely destination of a vehicle on the basis of previous journeys).

  2.

    The power of action is a translation of the Latin maxim attributed to Bacon (1597). For more substantial developments, see Stehr (2000).

  3.

    Art. 24 of European Directive 95/46/EC: “The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive”.

  4.

    Art. 9, § 1, French Civil Code: “Everyone has the right to privacy”. See also Directive 2009/136/EC of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.

  5.

    Art. L. 225–1 (and the following) of the French Penal Code. See also, Council Directive 2000/43/EC of 29 June 2000 implementing the principle of equal treatment between persons irrespective of racial or ethnic origin and Council Directive 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation.

  6.

    Art. 18 and following of European Directive 95/46/EC.

  7.

    Art. 23 and 24 of French law 78–17 of 6 Jan. 1978.

  8.

    No mention will be made here of data processing for security purposes on behalf of the state, under Art. 26 and Art. 27 of the law of 6 January 1978.

  9.

    Art. 18 of European Directive 95/46/EC and Art. 22 III of French law 78–17 of 6 Jan. 1978.

  10.

    When the law of 6 January 1978 was amended by the law of 6 August 2004, the formalities preceding the constitution of government data processing were slimmed down considerably, while the powers of the CNIL to carry out a posteriori verifications are not binding on the state. For further information on the powers of the CNIL with respect to public-sector data records, see Le Clainche (2005).

  11.

    “Ubiquitous” computing refers to the integration into the human environment (e.g. within objects, clothes and even, in extreme cases, implanted under the skin) of a variety of small computing devices (sensors, actuators, etc.) with the capacity to spontaneously collect data, communicate and perform simple computations.

  12.

    Although such behaviour often results from the lack of awareness of the subjects and their ignorance of the risks of de-anonymisation and undesired use of the disclosed data.

  13.

    Paul Ohm (2010): “These scientists have demonstrated they can often ‘reidentify’ or ‘deanonymize’ individuals hidden in anonymized data with astonishing ease. By understanding this research, we will realize we have made a mistake, labored beneath a fundamental misunderstanding, which has assured us much less privacy than we have assumed. This mistake pervades nearly every information privacy law, regulation, and debate, yet regulators and legal scholars have paid it scant attention”.

  14.

    For legal study of these rulings, see Lepage (2008).

  15.

    Customers favouring personnel from a particular ethnic origin.

  16.

    Actually, personalization has always been a common business practice, and the point made here is obviously not to object to personalization in general or even to stigmatise it.

  17.

    The questions raised about the status of group profiles illustrate this difficulty (see the discussion above).

  18.

    As an example, does knowledge inference fall under data collection, data processing, or both?

  19.

    On this subject, reference could be made to the detailed analysis by Zarsky (2002).

  20.

    The Dataloss db group maintains a database of data breaches with statistics about the types of data, breaches and business concerned: http://datalossdb.org/latest_incidents.

  21.

    As an illustration, the CNIL conducted an investigation in 2009 on the STIC, a large national police database of recorded offences. According to its annual report, this database contains a lot of erroneous or obsolete records because 80% of the decisions to close an investigation for lack of evidence are not forwarded by the courts. This situation is especially alarming considering that the STIC can be used in the administrative enquiries required in the recruitment process of certain categories of professions, which, according to the CNIL, concerns about one million people in France.

  22.

    Art. 1263–1 of the French Civil Procedure Code: “Associations regularly reported since at least five years and intending, by their constitutions, to fight against discriminations may bring an action in court”.

  23.

    Art. 15 paragraph 1 of European Directive 95/46/EC states that: “Member States shall grant the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc”.

  24.

    Accountability should involve a requirement of transparency to ensure, for example, that data controllers cannot resort to intellectual property right protection law to object to the disclosure to the national authority of the algorithms used to process the data (including, for example, profiling algorithms).

  25.

    Many examples in the past have shown the deterrence effect of class actions and their benefits for consumers. Regarding personal data, the recent loss by Sony of a huge amount of personal information (77 million names, addresses, email addresses, birthdates, passwords and logins, profile data, purchase history and possibly credit cards according to the Dataloss web site http://datalossdb.org/about) illustrates the difference in terms of means of defense between European and American consumers: 55 purported class-action complaints have been filed in the United States against Sony, which places the company in a difficult position (Sony is now seeking coverage of the damages by its insurers). In Europe, national data protection authorities conduct their own investigations but, whatever their conclusions will be, they will have very little means of pressure against a worldwide company like Sony and consumers would have to file complaints on an individual basis. As far as the deterrence effect is concerned, it is still too early to fully assess it in this case, but a number of measures have already been taken by Sony, based on a combination of technical, organizational and legal means (see Sony identity theft protection program: http://blog.us.playstation.com/2011/05/05/sony-offering-free-allclear-id-plus-identity-theft-protection-in-the-united-states-through-debix-inc/).

  26.

    The constitutional law 2008–724 of 23 July 2008 on modernising the institutions of the Fifth Republic (the current constitution in France) in France’s official gazette J.O.R.F 171 of 24 July 2008, p.11890, plans to merge HALDE within a new authority called the “Defender of Rights”. For more information on this “Defender of Rights”, which was put in place in 2011, see « Loi organique no 2011–333 du 29 mars 2011 relative au Défenseur des droits, JORF n° 0075 du 30 mars 2011 », p. 5497 and « Loi organique n° 2011–334 du 29 mars 2011 relative au défenseur des droits, JORF no 0075 du 30 mars 2011 », p. 5504.

  27.

    HALDE ruling no. 2006–45 of 13 March 2006 and CNIL ruling no. 2006–077 of 21 March 2006. The agreement is available from the HALDE website: http://www.halde.fr/IMG/pdf/Convention_CNIL.pdf.

  28.

    The CNIL has also executed an agreement with the French Directorate General for Competition, Consumer Affairs and Prevention of Fraud (DGCCRF). This agreement is intended to encourage the exchange of information between the two authorities in order to reinforce their control measures.

References

  • Bacon, Francis. 1597. Meditationes Sacrae.

  • Bygrave, Lee. 2001. Minding the machine: Art 15 of the EC Data Protection Directive and automated profiling. Computer Law and Security Report 17:17–24.

  • Gutwirth, Serge, and Mireille Hildebrandt, eds. 2008. Profiling the European citizen: Cross-disciplinary perspectives. Springer Verlag.

  • Gutwirth, Serge, and Mireille Hildebrandt. 2010. Some caveats on profiling. In Data protection in a profiled world, ed. Serge Gutwirth, Yves Poullet and Paul de Hert, 31–41. Springer Verlag.

  • Hildebrandt, Mireille. 2009. Who is profiling who? Invisible visibility. In Reinventing data protection, ed. Serge Gutwirth et al., 239–252. Springer Verlag.

  • Le Clainche, Julien. 2005. Pouvoirs a posteriori de la CNIL: les risques de l’excès de prudence [CNIL’s authority to conduct a posteriori verifications: the risks of being over-cautious]. Revue Lamy Droit de l’Immatériel 11:43–47.

  • Le Métayer, Daniel, Shara Monteleone, and Joël Moret-Bailly. 2009. Les ressources du droit alliées aux moyens de la technologie: application à la protection des données personnelles [Combining the resources of law and the resources of technology: application to personal data protection]. Revue Lamy Droit de l’Immatériel 51:65–82.

  • Le Métayer, Daniel, and Shara Monteleone. 2009. Automated consent through privacy agents: Legal requirements and technical architecture. The Computer Law and Security Review 25 (2): 136–144.

  • Lepage, Agathe. 2008. Les professeurs notés sur Internet [Teachers graded on the internet]. Communications Commerce Electronique 4:58.

  • Lyon, David, ed. 2003. Surveillance as social sorting—Privacy risk and digital discrimination. Routledge.

  • Narayanan, Arvind, and Vitaly Shmatikov. 2010. Privacy and security: Myths and fallacies of personally identifiable information. Communications of the ACM 53 (6): 24–26.

  • Nora, Simon, and Alain Minc. 1978. L’informatisation de la société. Documentation française.

  • Ohm, Paul. 2010. Broken promises of privacy: Responding to the surprising failure of anonymization. UCLA Law Review 57:1701.

  • Ringelheim, Julie. 2010. Recueil de données, catégories ethniques et mesure des discriminations: un débat européen [Data collection, ethnic categories and discrimination assessment: a European debate]. Revue trimestrielle des droits de l’homme 21 (82): 269–314.

  • Rouvroy, Antoinette, and Yves Poullet. 2009. The right to informational self-determination and the value of self-development: Reassessing the importance of privacy for democracy. In Reinventing data protection, ed. Serge Gutwirth et al., 45–76. Springer Verlag.

  • Schreurs, Wim, Mireille Hildebrandt, Els Kindt, and Michaël Vanfleteren. 2008. Cogitas, Ergo Sum: The role of protection law and non-discrimination law in group profiling in the private sector. In Profiling the European citizen: Cross-disciplinary perspectives, ed. Mireille Hildebrandt and Serge Gutwirth, 241–270. Springer Verlag.

  • Stehr, Nico. 2000. Le savoir en tant que pouvoir d’action [Knowledge as power of action]. Sociologie et société 32 (1): 157–170.

  • Thomas, Samuel. 2009. Le fichage ethno-racial: un outil de discrimination. [Ethno-racial data records: a tool for discrimination]. SOS Racisme.

  • Zarsky, Tal. 2002. Mine your own business! Making the case for the implications of the data mining of personal information in the forum of public opinion. Yale Journal of Law and Technology 5 (4): 17–47.


Correspondence to Daniel Le Métayer.

Copyright information

© 2012 Springer Science+Business Media B.V.

About this chapter

Cite this chapter

Le Métayer, D., Le Clainche, J. (2012). From the Protection of Data to the Protection of Individuals: Extending the Application of Non-discrimination Principles. In: Gutwirth, S., Leenes, R., De Hert, P., Poullet, Y. (eds) European Data Protection: In Good Health?. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-2903-2_15
