What next for privacy and data protection? My CPDP2018 takeaways

The CPDP conference is the central hub of the European data protection community, bringing together policy wonks and makers, the burgeoning privacy industry, and a plethora of legal scholars. It is huge, successful, and a lot of fun. Now that I’ve had a week or so to chew on and process all my notes, here are the main themes that I’ve taken away as the next big issues in data, privacy and data protection – keeping in mind that I am not a lawyer, and I work on issues of global data justice.

YAY GDPR! But we still have our work cut out for us.

It’s a major accomplishment and it was not easy to get this level of protection – see the fantastic documentary Democracy for the story following Jan Albrecht. I am proud to be European and to have this protection. It’s a major accomplishment and let’s celebrate it.

Still, the GDPR is also limited in several ways, ways that legal scholars are working on and formed much of the basis of the conference. I cannot possibly do it all justice – but there are a few things that I can say from an interdisciplinary perspective;

  1. Relying on notification and consent is not scaleable – see what smartphone notifications look like when you have 8 million followers;
  2. There are debates about whether the concept of personal data, upon which the GDPR is based, is now so broad and inclusive that it is no longer relevant – see the recent ERC by my colleague Nadya Purtova and her fantastic panel on the subject with Peter Hustinx;
  3. The responsibilities in the GDPR are based on particular actors in particular sectors, but the multiple uses of data and connecting databases is making boundaries between sectors blurry, which is problematic for the GDPR;
  4. The GDPR is still based on individual rights and doesn’t so easily address collective harms, nor does it help for most people who are not well informed or where harms are not visible;

This isn’t going to develop into a well-structured critique of the GDPR, but rather these are the points that jumped out at me.

Data ethics is not enough. Trust is certainly not enough.

Considering the size and global interconnectivity of the data market, the dynamics of surveillance capitalism and legal enclosures that enable it mean that we need structural elements to create economic incentives and new directions. Much like CSR wouldn’t shift the underlying structures of the global economy towards fair trade and sustainability, data ethics won’t solve everything.

Indeed, as Mireille Hildebrandt commented, this is precisely why we have the rule of law, to prevent us from relying on this.

In the same-same-but-different sort of way, trust is not something we can rely on – trust implies that we do not have to ensure. I ‘trust you to pay me back’ means I don’t have to see any proof that you’ll back me back. Relying on trust as a concept means the individual is inherently vulnerable and the power lies in the hands of the provider of services, not the other way around.

There is a growing call for trust certification and trust marks as a positive incentive for companies to see data protection as an asset – the ‘carrot’ instead of the stick – and there was some very interesting work presented on these issues at this panel on private law. Yet let us be realistic, this is never going to restructure the global data economy as a whole. Therefore –>

We need to regulate the data market.

Clearly at a conference with a critical mass of legal scholars you saw this one coming. Yet rather than the broad sweeping statement there was a deep dive into how and what that might mean.

For instance, there was also a major panel on regulating monopolies which is well worth watching, drawing on discussions of anti-trust law. Particularly Barry Lynn, of Open Markets Institute (the one that infamously got kicked out of New America because they stood up to Google) was an inspiring mix of a preacher’s rant, sound economic advice, and a provocation. For someone with a background in development studies like me, it was an entry way into discerning between the neoliberal Chicago school and the potential of citizen-centred markets.

Individual rights are not the best way to solve collective problems.

There are several issues which are generally bundled into the tension between the individual and the collective.

The first is exemplified by last week’s Strava security scandal, where a data visualisation of the routes taken by the users of the fitness app unintentionally revealed the sensitive information of army base locations. Aggregated information can reveal vulnerabilities and risks with very concrete consequence without necessarily saying anything about the person or individuals. For a more in-depth discussion you can also check Taylor et. al’s book on group privacy, which has an interdisciplinary group of people who can’t seem to agree on anything except that it’s important.

The second is a cross-cultural question: the liberal individual upon which the human rights framework is based is a Western perspective that we will need to move beyond for a truly global conversation. It requires us to think about identity and the collective in ways that we aren’t quite sure how to do yet. Still, just because it’s a difficult question doesn’t mean we shouldn’t ask it. (Indeed, I tend to be that person in the room that asks the question that gets uncomfortable and awkward looks from panellists. #sorrynotsorry) This is precisely why I’m going to pursue further this further in my work on global data justice.

Lastly, and this might need some more substantiating from a legal scholar who has a better understanding of the nuances of the issue (any volunteers?) – but in court cases and legal studies, they speak now of fundamental rights and the essence of these rights, as being even more fundamental, and there are questions being asked as to whether the essence of the rights was violated in a particular case or not. As I’m sure you can gather I can’t speak much to this, but it struck me as a non-lawyer that the concept of fundamental rights was on shaky ground.

Where to next?

There are three strands that jumped out as warranting further exploration:

  1. Moving beyond a distributive paradigm and seeing data as an asset; which would require a reformulation of what data is and reshaping the market,
  2.  To what extent paternalism as an approach is legitimate and when, for which there was another excellent panel here (last round on a Friday evening, ooof)
  3. There is a lot to learn from an ecological approach, both in terms of interdependency and limits – something I am going to explore further in a paper for the Data Justice Conference in May (Come along!)


Just because these are all hard questions, doesn’t mean we shouldn’t be asking them. On the contrary.

Here is some fodder which has continued to resonate for inspiration: