Emergent technologies and the transformations of privacy and data protection (Guest Editorial)

PRESCIENT, the acronym for Privacy and emerging fields of science and technology: Towards a common framework for privacy and ethical assessment, was a three-year research project funded by the European Commission under its Seventh Framework Programme, part of the Science in Society activities of the EC's DG Research and Innovation. The research project was carried out by a multidisciplinary and international research consortium consisting of the Fraunhofer Institute for Systems and Innovation Research ISI (Karlsruhe), Trilateral Research & Consulting (London), the Centre for Science, Society and Citizenship (CSSC, Rome) and the Vrije Universiteit Brussel's research group on Law, Science, Technology and Society (LSTS, Brussels). Started in 2010 the project has ended in March 2013.

PRESCIENT's aim was to provide insights that may contribute to an early identification of privacy related issues arising from emerging technologies, taking seriously both the need to distinguish between privacy and data protection, and the contrasts between the legal, socioeconomic and ethical conceptualizations of each, which do not necessarily match neither have the same kind of consequences. In other words, the project wanted to elaborate the means for an early anticipation of dangers and risks related to emerging technologies along the lines of a imaginary matrix with two rows distinguishing between privacy and data protection issues, and four columns representing distinct approaches: the legal, ethical, social and economical approaches.

Among other things the project has elaborated an extended sociological privacy typology that takes into account current and future challenges posed by emergent technologies such as soft biometrics, full DNA sequencing, unmanned aircraft systems or human enhancement technologies (Kukk and Hüsing, 2011, Finn and Wright, 2012, Finn et al., 2013). The legal research aimed at outlining the manner in which EU law has constructed the rights to privacy and to personal data protection. Indeed, from a legal viewpoint the two rights have a different content and architecture, and they are underpinned by another rationale (data protection therefore being both more and less than "informational privacy", as is often posited). Building upon this, it has then tried to determine how to best articulate the two rights in the face of future and emergent technologies (for a more in depth account see, Gellert and Gutwirth, 2013). The ethical approach to privacy and data protection, concerned with morality in social sciences and humanities terms, has then investigated the ethical caveats surrounding privacy and data protection. Finally the PRESCIENT team has suggested a framework for an integrated approach towards privacy and ethical impact assessment which is a timely topic in the light of the current reform of the European data protection framework and technology governance approaches summarised under the umbrella term "responsible research and innovation" (Owen et al., 2012; Wright and Friedewald, 2013).

On 27 and 28 November 2012, the PRESCIENT consortium organised the project's final conference in Berlin. This well attended International Conference on Privacy and Emerging Technologies brought together a impressive list of speakers and interventions, representing different perspectives and scientific disciplines, as well as representatives of different concerns and views on the issues. The articles brought together in the present issue of Computer Law and Security Review are all an elaboration of legal papers that were submitted and/or presented during the November 2012 conference. In the wake of the conference, the authors have resubmitted their papers, which then were all reviewed by at least two competent and interested peers. This has lead (when possible) to a further sharpening and improvement of the quality of the contributions. Therefore editors do want to expressly thank the reviewers for their commitment and the high quality of their input: Anthony Amicelle, Sari Depreeuw, Elspeth Guild, Bert-Jaap Koops, Christophe Lazarro, Ronald Leenes, Florian Münch, Andrew Murray, Kjetil Rommetveit, Jean-Paul Van Bendegem, Peggy Valcke and Karen Yeung.Xxx Steve : you should add to the list the reviewers you contacted for our contributions xxx Additionally, the guest editors are happy to express their special thanks to the editor in chief of the Computer Law and Security Review, Steve Saxby, for having held an sharp and helpful eye on the whole process and organised the review of the papers involving one of the editors.

The harvest is impressive. Speaking at a high level, all the articles follow the same movement: starting from issues that are effectively rooted in the emergence of technologies that spawn new and sometimes wholly unexplored possibilities which in turn affect privacy and/or data protection, they deploy not only innovative and prospective legal analysis but they also propose conceptual and forward-looking options.

In the first article, Mathias Leese, who is a researcher at Security Ethics section of the International Centre for Ethics in the Sciences and Humanities of the University of Tübingen, shows how commercial trusted traveller programs are turned into a crucial element of security policies in aviation, ands more particularly of data based passengers risk assessment. Passengers are more or less voluntarily enrolled in such programmes that provide some immediate advantages, but on the flipside they increase a more intrusive collection of personal data for a more extensive and performing profiling. The author inquires how such evolution impinges upon the citizen-state and consumer-market relations in terms of privacy and data protection thus become increasingly blurred.

In her contribution Zuzanna Warso, who is responsible for reviewing the impact of EU legislation on human rights at the Helsinki Foundation for Human Rights, an NGO in Warsaw, holds the proposed "right to be forgotten" against the light of both the fast evolving online environment and the tough objective to guarantee human rights on the web. For the author the main issue at stake is the absence or underdetermination of a concept of privacy in the online world. She links this to the width of the application of the household exception in data protection and to the challenge to devise online "territories".

With Ugo Pagallo, who is a professor of jurisprudence the Law School of the University of Torino, we move to the meeting point of the internet of things and robotics: domestic robots which are connected to a networked repository on the Internet, that allows such machines to realise their functions, do exchange real word information with information available in "the cloud". Indeed, such "autonomic" information streams affect data protection and strongly call for a protection through "privacy by design" which appears particularly suited here. But the author also warns that privacy by design may fall short in coping with issues that depend on the cultural context and the type of application with which we are dealing: robots as "lovers," as "human cubs," as "pets," etc. Ultimately, such "robots in the cloud" applications might well fundamentally question the current principles of data protection (and particularly, the informed consent as legitimation of the processing).

In the fourth article Mireille Hildebrandt and Laura Tielemans, respectively a professor linked to the Vrije Universiteit Brussel, the Radboud Universiteit Nijmegen and the Erasmus Universiteit Rotterdam and a researcher at the Law, Science, Technology & Society group at the Vrije Universiteit Brussel, argue that to achieve a technology neutral law, technology specific law is sometimes needed as a compensation. This argument is built upon a relational conception of technology and its essential non-neutrality. Illustrations are drawn from the EU Cookie Directive of 2009 and the foreseen obligation of "data protection by design" in the proposed General Data Protection Regulation.

Raphaël Gellert and Serge Gutwirth, who are respectively a researcher and a professor at the Law, Science, Technology & Society group at the Vrije Universiteit Brussel, focus upon the contrasts and interplays between privacy and data protection, which, as they show, differ both formally and substantially though overlaps also do exist. To further analyse these differences and similarities they take body-scanners, human enhancement technologies and genome sequencing as case studies, which leads them to rethink the relationship between privacy and data protection, and ultimately, the status and content of data protection as a fundamental right.

The latter is the precisely the object of the sixth article authored by Gloria González Fuster and Serge Gutwirth, who are again respectively a researcher and a professor at the Law, Science, Technology & Society group at the Vrije Universiteit Brussel. The authors show that the fundamental right to data protection is subject to two co-existing and contrasting interpretations. If some envision it as a primarily permissive right, enabling the processing of such data under certain conditions, others picture it as having a prohibitive nature, implying that any processing of data is a limitation of the right, be it legitimate or illegitimate. The article digs deeper into the tensions between the different understandings of the right to the protection of personal data, and explores the assumptions, histories and conceptual legacies underlying both approaches. It also reviews the conceptualisations of personal data protection as present in the literature, and finally contrasts all these perspectives with the construal of the right by the EU Court of Justice.

The last contribution is a philosophical essay by Ivan Székely, who is Counsellor of the Open Society Archives at Central European University, associate professor at the Budapest University of Technology and Economics. Székely surveys the possibilities of regulating future and emerging technologies at the intersection of law, technology and society, whereby he dissects the anticipated further erosion of personal privacy against the background of a reflection about the relation between legal regulation and the underlying values in the predictable but unknowable milieu of future life conditions. While studying the immutability of fundamental values, the author offers a brief survey of the role of public opinion, as well as of the limitations of taking into account the majority opinion, followed by a thought experiment about the possible ways of regulating the "Code", approaching it from the direction of two fundamental rights, the right to human dignity and the freedom of academic research. After reaching conflicting conclusions and making a few suggestions about possible ways to regulate the area, the author makes a proposal about the introduction of a small-scale experimental tool, metaphorically named as a predictive learning model of regulation. Despite the difficulties and the uncertainties, the essay's overall perspective on the role of legal regulation is not a pessimistic one, as long as it is used flexibly and in conjunction with other means of regulation.

In a time of transition in the field of privacy and data protection regulation we want to demonstrate that, far from the dystopian or fatalist discourses according to which, privacy would be dead in the information age, it is still a living and vibrant right that can - and needs to - be reinvented and re-enacted everyday, and this notwithstanding the strong and successful parallel development of data protection. Data protection does not (at all) take over the role and importance of privacy: it works differently, does not the same, covers other issues, and so on. Privacy is there to stay. Future and emerging technologies can participate to the activation of the realisation of this endeavour. Yet, how exactly to successfully work in that direction is a matter of future collective experiments. The different contributions of this special issue have laid some groundwork, but we are still at the beginning and much is still to be done in devising the kind of (information) society we want to live in.
We wish you pleasant readings, which we hope will foster inspiration for further discussion and reflection.
June 2013

References:

Finn, R.L. & Wright, D., 2012. Unmanned aircraft systems: Surveillance, ethics and privacy in civil applications. Computer Law & Security Review, 28, 184-194.
Finn, R.L., Wright, D. & Friedewald, M., 2013. Seven types of privacy. In S. Gutwirth, R. Leenes, P. De Hert & Y. Poullet (eds.) European Data Protection: Coming of Age. Dordrecht: Springer, 3-32.
Gellert, R. & Gutwirth, S., 2013. The legal construction of privacy and data protection. Computer Law & Security Review, 29 (this issue).
Kukk, P. & Hüsing, B., 2011. Privacy, data protection and policy implications in whole genome sequencing. In R. Van Est & D. Stemerding (eds.) Making Perfect Life. Bio-engineering (in) the 21st Century. European Governance Challenges in Bio-Engineering. Brussels: European Parliament, 37-70.
Owen, R., Macnaghten, P. & Stilgoe, J., 2012. Responsible research and innovation: From science in society to science for society, with society. Science and Public Policy, 39, 751-760.
Wright, D. & Friedewald, M., 2013. Integrating privacy and ethical impact assessment. Science and Public Policy, 40, Forthcoming.