Unexpected consequence of strict EU data protection legislation: legal system must decide what makes an individual

The new General Data Protection Regulation, which will take effect in May, enhances citizens’ right to privacy but evokes a serious question: what will happen to freedom of speech, and will we be able to ensure flexible services?

 “Whenever we protect privacy, we compromise on some other right, be it the right to access information, the rights of the media, the right to information or freedom of speech. We must examine such developments critically,” says Susanna Lindroos-Hovinheimo, university lecturer at the University of Helsinki Faculty of Law.

The question is particularly topical in Europe right now. The EU’s General Data Protection Regulation was approved by the European Parliament and the Council of Europe in spring 2016. The Regulation is already in place, and it will be put into practice from 25 May 2018, when the two-year transition period for data controllers and companies to amend their data protection practices expires.

The Regulation signals a significant boost to privacy protection, and places new responsibilities on companies and other institutions maintaining registers of personal information. A multidisciplinary project group led by the University of Helsinki is studying the right to privacy as part of society. The project leader is Susanna Lindroos-Hovinheimo from the University of Helsinki.

 “It’s very interesting that privacy is such a prominent topic in public discourse right now, and that the EU has taken such major steps to protect it,” says Lindroos-Hovinheimo.

According to her, it is now crucial to study whether all the legislative details intended to protect personal information actually work. Adopting these measures will cause additional expenses, which will ultimately have to be paid by citizens.

 “When we interpret the Regulation, we will be dealing with many different kinds of assumptions of what people consider to be personal or intimate information,” explains Lindroos-Hovinheimo.

Under the Regulation, any information that can be used to identify and recognise a person will be considered personal information. Such information includes a person’s most public feature, their name, but also dynamic IP addresses, which are not directly personal per se.

Changes to the definition of an individual and person

From the perspective of jurisprudential studies, the issue is not just IP addresses. When we determine what constitutes personal information or privacy, we also have to define what we mean by humanity or who is considered to be an individual.

 “It’s very interesting that privacy is such a prominent topic in public discourse right now and that the EU has taken such major steps to protect it,” says Lindroos-Hovinheimo.

The analysis of privacy is in many ways also in the realm of classical philosophy, mingling legal questions with interdisciplinary discussion. According to Lindroos-Hovinheimo, courts are being given an impossible task.

 “If philosophy has not been able to settle on a definition of what it means to be human over 2000 years, how could the legal system do it?”

Defining the limits of an individual and argumentation in the courts reveal what justice considers to be human. They change as the society around them changes.

For quite some time, the western justice system has relied on a liberal, individualistic understanding of humans. We are individuals first and members of a community second. This understanding is reflected in the General Data Protection Regulation. However, the modern history of privacy is not very long. It began during the Enlightenment and the dawn of the new age, but the exact dates vary from Europe to America.

Strong political message

Previously, personal information was protected in the European Union with a directive, and on the national level, legislators were free to decide on the details. From May 2018 onwards, the protection of personal data will be uniform across all EU member states, with no more national wiggle-room.

The Regulation imposes more work and expenses for companies and public administration. Consequently, it has met with significant resistance.

Officials continue to debate the practical instructions, but at the same time, a completely new field of business has sprung into being: companies which profit from consulting on all the things companies and organisations will have to do to fulfil the responsibilities decreed by the Regulation. The Regulation also gives more work to lawyers.

Deeper research

Susanna Lindroos-Hovinheimo considers the EU Regulation a politically brave decision and a powerful statement for the individual.

 “This is the first time in the world that personal data protection has been raised to this level. It is a globally pioneering decision, the first time a legislator has taken such forceful action,” she says.

However, Lindroos-Hovinheimo believes the Regulation, which will be applied from May, is confusing.

 “We are currently in a situation where nobody really knows what’s allowed and what’s forbidden.”

According to her, this is exactly the reason why data protection should be studied. 

 “A society under the rule of law means that we must avoid ambiguous rules,” Lindroos-Hovinheimo points out.

Data protection involves major issues which touch on many areas of our lives. The processing of data covers everything we do to information, including storage, collection, organisation and even deletion.

 “Our project studies the situation broadly. We do not interpret the letter of the Regulation. Our focus is on all phenomena which are adjacent to it, including which ideologies and whose opinions the Regulation serves,” says Lindroos-Hovinheimo.

 “Partially this is about fighting back against giant American corporations, such as Google and Facebook. European courts are taking a stand, stating that privacy must be respected.”

This is a broader trend in the EU, and the research group is trying to determine where it originated and what it means for the individual.

 “We do not interpret the letter of the Regulation. Our focus is on all phenomena which are adjacent to it, including which ideologies and whose opinions the Regulation serves,” says Lindroos-Hovinheimo.

There will also be problems which could not have been predicted during the drafting process of the Regulation. For example, technology is constantly developing, which will influence issues relating to data protection despite efforts to make the Regulation as general, flexible and technology independent as possible.

 “For example, services based on robotics will have to collect data and, and they will require personal information to function. I’m sure we will be seeking balance for quite some time,” says Lindroos-Hovinheimo.

Social media challenges our understanding of privacy

According to Lindroos-Hovinheimo, social media platforms are particularly interesting to researchers of privacy. In terms of legislation, social media represents a “mixed space”: partially public, partially private. The relationship between public and private may also depend on the role of the user or the way they use media.

People should be allowed to decide how their personal information is used on social media and when to remove it.

 “The right to control information is legally important, and the Regulation hopes to enhance individual autonomy,” says Lindroos-Hovinheimo.

When we use social media systems, we enter a vast amount of our personal information voluntarily. In light of the General Data Protection Regulation, the interpretation of these responsibilities and rights becomes problematic: who is the data controller of the various platforms, who is responsible for protecting personal information? Should communication through such channels be considered private correspondence, or are social media platforms public spaces? The public realm is governed by different rules than private homes or closed letters.

 “For example on Facebook, you have consented to having your posts be visible in the news feed. But you should also have the right to control how your information is used and how it can be removed – and this is what the legislation is hoping to ensure,” states Lindroos-Hovinheimo.

See also: Master's Programme in International Business Law

Research project on the right to privacy

The regulation of privacy is undergoing rapid changes in Europe. In May 2018, all EU member states will put the new General Data Protection Regulation into practice, which will significantly boost privacy. A new University of Helsinki research project Reconfiguring Privacy – The Political Foundations of Privacy Regulation studies the shifting meanings of privacy. The project is led by University Lecturer Susanna Lindroos-Hovinheimo at the Faculty of Law, and involves researchers Riku Neuvonen from the University of Tampere and Niklas Vainio from the University of Turku. The goal is to determine what kinds of economic, political and moral assumptions of privacy are at work in contemporary European law.

Protection of personal information has evolved alongside traditional privacy protection. The relationship of these rights is unclear and causes uncertainty in how the laws and regulations should be applied. A stronger right to privacy is increasingly in opposition to other rights, such as freedom of speech. The situation is further confused by the fact that international courts, particularly the European Court of Human Rights and the European Court of Justice, interpret privacy in different ways. The study analyses the definitions of privacy that can be derived from the decisions of the courts.

The project is cross-disciplinary. The topic of the research is not legislation as an independent field, unlike in traditional jurisprudential studies. The definition and extent of privacy is the topic of political, ideological and financial struggles, which reflect on the legal system. The regulation of privacy is also constantly dependent on technological development. To gain a comprehensive understanding of the topic, the project examines the legal system as a part of society. This requires tools from beyond jurisprudential studies. In fact, the project arose from the need to combine the strengths of legal and social sciences researchers, and involves researchers from the universities of Tampere and Turku as well as Aalto University, the University of Gothenburg, the University of Groningen and the University of London, in addition to experts of legal practice from both the private and public sectors.