Direito e Informação na Sociedade em Rede: atas Direito e Informação na Sociedade em Rede: atas | Page 70

The EDPS itself recognised, remitting monitoring of compliance predominantly to self-control does not shield against the risk of core principles of data protection being compromised, since it is often a challenging task to decide what is fair and lawful and what is not when it comes to big data analytics47. Plus, risks to human rights and freedoms envisaged under the data protection framework remain largely undefined, and further clarification looks especially hard in view of the objective and subjective, tangible and intangible factors involved (Lynskey, 2015, p. 83). In the end, the key issue resides in leaving the main judgements about how to protect the personal data to the major, mainly private online operators. All things considered, one may doubt that this does not contradict the essential nature of the fundamental right to data protection and the inherent public responsibilities. Indeed, upgrading personal data protection to the rank of a fundamental right, as did the Treaty of Lisbon and the Charter of Fundamental Rights (Article 8), should be regarded as more than a symbolic move. Accordingly, the Charter has been regarded as an effort to make human rights “determine” rather than merely “limit” a EU legal system predominantly designed to guarantee market freedoms (Von Bodgandy, 2000, p. 1321). The issue ultimately is whether the difficulty to render consent and purpose limitation (not to speak of data minimisation) effective in the face of big data applications should not have given rise to an alternative regulatory path, one that better conciliates greater responsibility and accountability of data controllers with reinforcement of the basic data protection principles, including that the basic data protection rules continue to be “subject to control by an independent authority”. This could be done by the means, in particular, of more transparency about how operators and data controllers process personal data, hence, facilitating rights’ enforcement. A recent opinion by the EDPS provides pertinent propositions in this direction48. Indeed, transparency of automated decisions is taking an increasingly important role with the advent of big data. Big data is based not only on information that individuals knowingly give to organisations, but also on data observed or inferred. Based on such considerations, the EDPS explicitly recommended that “the provisions of the proposed EU Data Protection Regulation on transparency be reinforced” and “a new generation of user control” implying “powerful rights of access” and “effective opt-out mechanisms” be furthered. This should amount to broadening the scope of consent by better informing the data subjects about what data is processed about them and for what purposes, including disclosure of the logic used in algorithms to determine assumptions and predictions”49. Remarkably, the EDPS does not conceal its incredulity regarding the effectiveness of the right to object to processing since it is “not frequently exercised in today’s practice”, thus calling for European Data Protection Supervisor, Opinion 7/2015, p. 8. Some of the key decisions an accountable organisation must make under European data protection law require a comprehensive balancing exercise and consideration of many factors, including whether the data processing meets the reasonable expectations of the individuals concerned, whether it may lead to unfair discrimination or may have any other negative impact on the individuals concerned or on society as a whole. These assessments cannot be reduced to a simple and mechanical exercise of ticking off compliance boxes, the EDPS alerts. 48 European Data Protection Supervisor, Opinion 7/2015, p. 4, 8-9 ff. 49 European Data Protection Supervisor, Opinion 7/2015, p. 10. 47 58