Direito e Informação na Sociedade em Rede: atas Direito e Informação na Sociedade em Rede: atas | Page 70
The EDPS itself recognised, remitting monitoring of compliance predominantly
to self-control does not shield against the risk of core principles of data protection
being compromised, since it is often a challenging task to decide what is fair and lawful
and what is not when it comes to big data analytics47. Plus, risks to human rights and
freedoms envisaged under the data protection framework remain largely undefined,
and further clarification looks especially hard in view of the objective and subjective,
tangible and intangible factors involved (Lynskey, 2015, p. 83).
In the end, the key issue resides in leaving the main judgements about how to
protect the personal data to the major, mainly private online operators. All things
considered, one may doubt that this does not contradict the essential nature of the
fundamental right to data protection and the inherent public responsibilities. Indeed,
upgrading personal data protection to the rank of a fundamental right, as did the
Treaty of Lisbon and the Charter of Fundamental Rights (Article 8), should be
regarded as more than a symbolic move. Accordingly, the Charter has been regarded
as an effort to make human rights “determine” rather than merely “limit” a EU legal
system predominantly designed to guarantee market freedoms (Von Bodgandy, 2000,
p. 1321). The issue ultimately is whether the difficulty to render consent and purpose
limitation (not to speak of data minimisation) effective in the face of big data
applications should not have given rise to an alternative regulatory path, one that
better conciliates greater responsibility and accountability of data controllers with
reinforcement of the basic data protection principles, including that the basic data
protection rules continue to be “subject to control by an independent authority”. This
could be done by the means, in particular, of more transparency about how operators
and data controllers process personal data, hence, facilitating rights’ enforcement. A
recent opinion by the EDPS provides pertinent propositions in this direction48.
Indeed, transparency of automated decisions is taking an increasingly important
role with the advent of big data. Big data is based not only on information that
individuals knowingly give to organisations, but also on data observed or inferred.
Based on such considerations, the EDPS explicitly recommended that “the provisions
of the proposed EU Data Protection Regulation on transparency be reinforced” and
“a new generation of user control” implying “powerful rights of access” and
“effective opt-out mechanisms” be furthered. This should amount to broadening the
scope of consent by better informing the data subjects about what data is processed
about them and for what purposes, including disclosure of the logic used in
algorithms to determine assumptions and predictions”49. Remarkably, the EDPS does
not conceal its incredulity regarding the effectiveness of the right to object to
processing since it is “not frequently exercised in today’s practice”, thus calling for
European Data Protection Supervisor, Opinion 7/2015, p. 8. Some of the key decisions an accountable
organisation must make under European data protection law require a comprehensive balancing exercise and
consideration of many factors, including whether the data processing meets the reasonable expectations of the
individuals concerned, whether it may lead to unfair discrimination or may have any other negative impact on
the individuals concerned or on society as a whole. These assessments cannot be reduced to a simple and
mechanical exercise of ticking off compliance boxes, the EDPS alerts.
48 European Data Protection Supervisor, Opinion 7/2015, p. 4, 8-9 ff.
49 European Data Protection Supervisor, Opinion 7/2015, p. 10.
47
58