The information / guarantees balance - protecting informational privacy interests within the European data protection framework.

Abstract

The goal of this thesis is to study the notion of informational privacy, and how it is protected both by the right to privacy and the right to data protection. The age of Big Data has brought with it new ways of creating and processing data, which has led to challenges to the way that individuals are protected from the use of that data. This thesis shows that a new approach is emerging in European data protection law, which is based on protecting informational privacy specifically instead of the existing approaches which have been developed so far. We attempt to study and develop this new approach, and propose a framework based on it and how this might handle the challenges to informational privacy brought about by the age of Big Data. This new approach is based on two core concepts. First, that there is a difference between “data” and “Information”, the second being the combination of “data” and human agency into a new entity, which includes not just data but also human intelligence, biases and imperfections. We assert that the absence of distinction between the two in EU data protection has led to the notion of “personal data” and “identifiability” as defined in the GDPR having challenges in handling data in the information age. The second core concept is what we describe as “Guarantees”. The new approach being developed in data protection law attempts to restrict the processing of personal data by implementing measures which limit what data controllers can do when processing data. These measures all attempt not to prevent all possibility of harmful consequences occurring, but only to ensure that reasonable guarantees are in place to make these consequences unlikely. We thus call those measures “Guarantees”, and build a taxonomy of such Guarantees based on Lawrence Lessig’s four modalities: legal norms, social norms, market forces, and architecture. As such, this thesis asserts that data protection is moving towards an approach having the protection of informational privacy as its core goal, protecting it through a balance between Information and Guarantees binding that Information.