U.K. Cutting-edge technology has once again overtaken legislation that is poorly adapted for the digital age. This time, proposals for reform will also prove to be inadequate in light of recent research. The introduction of a General Data Protection Regulation, envisioned to harmonize EU Member States’ laws on privacy and data protection, has stalled amidst debate over its implications for business in Europe. Putting aside the red tape, I would like to highlight one inconvenient fact that the legislators seem to have overlooked: the internet is currently illegal in Europe, and it will continue to be illegal under the new law.
First, a note on the current regime: Directive 95/46/EC prohibits the processing of personal data other than where the subject has given their unambiguous consent, made their own data public or where necessary for compliance. The definition of ‘personal data’ covers any information relating to an identifiable natural person. Importantly, Article 8 identifies certain special categories of data that deserve more stringent protection, such as information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or data concerning sex life. Businesses and researchers must have the explicit consent of participants to collect these special categories of data.
However, a study published in PNAS in March 2013 suggests that some businesses may nevertheless be collecting sensitive information about us on a massive scale in disregard or ignorance of these strict legal protections. In the study, researchers at the University of Cambridge Psychometrics Centre and Microsoft Research demonstrate that it is possible to predict a wide range of intimate psychological traits from only samples of digital behaviour, such as a person’s Facebook Likes. Personality, intelligence, satisfaction with life, political and religious views and even sexual orientation were predicted with high accuracy, along with many other intensely private attributes. Over 6 million people took up to 30 psychometric questionnaires via the myPersonality application and received scientific feedback on their responses before opting in to submit their data. This has resulted in the largest and richest social science database in history, samples of which are anonymised and made available to other academics for free.
The researchers’ findings are undoubtedly remarkable from a technological standpoint, but they also raise an extremely awkward question regarding the state of our privacy law framework:
If brands, banks and other businesses collect samples of our online behaviour to provide their services, and it is now possible to translate these samples into sensitive personal information about individuals, is virtually every company in Europe currently acting outside the law? And if so, how can we trust the European Union in the future to protect our privacy over the financial interests of data-hungry businesses or governments?
The PNAS article, published only two months after the new law was first proposed, was extensively covered by worldwide media and featured in discussions within the European Parliament. One might therefore expect this legal paradox to have been addressed in the new Data Protection Regulation, but it was not. Despite expanding authorities’ enforcement powers, tightening the consent requirement and hinting at an individual’s right to be forgotten, the new provisions will not alter the definition of personal data or the special categories to account for the sensitivity of information that can be extracted from secondary analysis or database matching. In my opinion, the research clearly proves that legislation needs to be far better attuned to the intricacies of online behavior and to how our digital footprints can be used. Without this sensitivity to innovation in the information age, the EU can never be truly effective at protecting personal information.
Notwithstanding delays in the adoption of the new law, I believe that the EU is determined to find a pragmatic way of enforcing responsible use of personal data, but it risks falling short of that goal if it does not account for companies’ ability to translate our disparate digital footprints into a hologram of our private selves. Permit me, therefore, to remain skeptical about the power of the new law to drive real change in how big data companies collect and analyze our private information when, in practice, it is unfortunately still the case that the more popular a service, the more likely we are to ignore the fine print and just click ‘accept’. In the meantime, researchers traditionally lacking in design, marketing or sales experience continue to struggle to collect sufficient high-quality data for genuine academic projects.
In a time when individuals’ treatment of their own data may at times seem hypocritical or illogical, the EU should ask itself if it is comfortable leaving citizens to fend for themselves in a market that is more complex, imbalanced and intrusive than ever before. I, for one, do not feel reassured by its recent legislative efforts.
A picture speaks a thousand words, but a click can gossip. Take the University of Cambridge One-Click Personality Test to reveal what your Facebook Likes say about you and your friends.