What is “fair” in “fair and lawful” processing of personal data?

An article by article analysis of the GDPR from an ethics perspective need not go any further than the first line when it comes to its Article 5: “Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)”.

What is “lawful processing” one can well understand: Whatever is allowed by the law. One can also imagine what is more or less a “transparent manner of processing”, despite its time-sensitive content. What is, however, “fair processing” of personal data? How could one possibly describe what is “fair” in our lives? Why is it mentioned here? How does it affect application of the GDPR?

Ever since Antigone decided that what was fair was to bury her dead brother despite state law that ordered against it, and paid for that decision with her life, the tension between what people consider fair and what the law actually says holds strong until today. A complete re-run of the debate largely exceeds not only the limits of these notes but also their purposes, this being ultimately a debate pertaining to law rather than ethics.

Acknowledging however this gap lawyers have devised a number of ways to go around it or even use it to written law’s benefit: After all, a law that is considered unethical offers justification to many not to observe it and therefore does not serve its purposes well. It is in fact one of these clever legal tricks that we are faced with here, when discussing the “fair and lawful processing” basic GDPR principle.

Fair and lawful” have been an inseparable pair since data protection’s first appearance. They were present in Convention 108 of the Council of Europe back in 1981 and never missed a data protection legal instrument ever since, either at national or international level. They thus became inseparable, a commonplace term by now. Indeed, what would be weird today is for anybody to refer to them separately, that is calling for only lawful or only fair personal data processing.

However, are they indeed one and the same? Intrinsically connected in this manner?

As regards the type of their connection, one must distinguish between the legal and the ethical analysis. As far as the legal interpretation of the GDPR is concerned things are quite straightforward: For a particular processing operation to be lawful it needs to be both, lawful and fair. A lawful but not fair operation is ultimately unlawful; The other way around is unlawful anyway (something to which Antigone would bitterly object).

Ethical problems arise when we try to say what “fair personal data processing” is, even if the “fairness” criterion, as seen, is inferior to the “lawful” one in the GDPR.

When is a personal data processing operation fair and when it isn’t?

Little help is provided by official sources. The UK ICO uses a triple criterion of not processing “the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned“. While at first sight this is a brave effort to define what “fair processing” is, I am afraid that in practice it confuses rather than elucidates: When is an effect “unduly detrimental“? What should be considered “unexpected” to a given person? What “misleading“? Overall, then, three new question in place of one.

The Article 29 Working Party made an even more valiant effort, in its Guidelines on profiling of 2018, providing a concrete example in this regard:  “A data broker sells consumer profiles to financial companies without consumer permission or knowledge of the underlying data. The profiles define consumers into categories (carrying titles such as “Rural and Barely Making It,” “Ethnic Second-City Strugglers,” “Tough Start: Young Single Parents,”) or “score” them, focusing on consumers’ financial vulnerability. The financial companies offer these consumers payday loans and other “non-traditional” financial services (high-cost loans and other financially risky products)“.

I think that this example, same as above, creates even more confusion. First, the processing seems to be unlawful anyway (tellingly, it comes from a USA example). Second, categorizing or scoring consumers is not outright unlawful under the GDPR, after all these being guidelines on how to conduct lawful profiling.

What we are therefore left with is the discriminating, if not blatantly offensive, characterizations of people in this example.

While I would say that this is too little to assist lawyers, I think it is good enough to help with the ethical analysis. In fact, this example can be used to demonstrate exactly the problem with the “fairness” principle in the GDPR.

In essence, what is and what is not fair is in the eye of the beholder.

A characterization leading to categorization as “rural and barely making it” is unfair? Or, “tough start: young single parents”? To some they may sound offensive while to others they may sound as an accurate description of reality. And, at any event, if this data agency is any good in its job, then presumably indeed poor single parents who have a tough start with newborns would fall under a certain category. If it was named “Category A” would that have solved the problem of this processing?

Or, is it not a problem of names used and it is a problem of the financial deals offered to each category of people? The example says that people falling under underprivileged categories received worst-terms loans or were marketed with non-traditional financial products. Well, I would imagine that traditional products would be denied to them anyway (why not consider such denial by the banks also unfair, under the same context?). Could these people not benefit from financial possibilities open to them of which they are probably unaware? If we consider non-traditional financial products as “unfair”, then I suppose that some other state agency, the one responsible to oversee financial markets, is not doing its job well.

My purpose in the above two paragraphs is not to bring down the Article 29WP example; My purpose is to demonstrate how difficult, if not impossible, it is to find a good one, simply because, one could debate what is fair and what is not for ages. There is simply too much arbitrariness in it.

So, why have it in the GPPR anyway? As said, it is a clever legal trick to regulate processing that is lawful but makes us feel uncomfortable. If we only had the lawful criterion then we would have to allow it. Now, under the fairness criterion we are offered with some flexible options. This is not unusual either: In business law, business ethics are central interpretational tools in contracts and business practices.

Fair personal data processing” is therefore a dynamic filter. What was not fair in the 1990s may well be fair today. The opposite is presumably also possible but less likely (if we perceive ethics as expanding liberty over time rather than reducing it). One cannot go to extremes, on either way of the political spectrum, while interpreting what “fair” is; Moderation and time-specificity are central here. In essence, fairness under the GDPR is the timestamp for our societies.


*** This is part of the GDPR ethics series; A broad mission statement may be found in its opening text***


Tagged with: ,

Member of the Greek GDPR implementation law-making committee

Appointed a member of the law-making committee drafting the GDPR (and the Police and Criminal Justice Data Protection Directive) implementation law in Greece. The law-making committee, established under the Greek Ministry of Justice, has been in session since 2016 but has not been able to produce a final legislative act yet, although public consultation has already taken place on a previous draft. Under its current mandate the committee needs to conclude all relevant works until end of February 2019.

Tagged with: ,

Επεξεργασία Δεδομένων Επιβατών, ή γιατί είναι η ασφάλεια που σου εξασφαλίζει την ελευθερία

Πρόσφατα εκδόθηκε νόμος σύμφωνα με τον οποίο από δω και πέρα τα δεδομένα των επιβατών αεροπλάνων, πλοίων κ.λπ. θα αποτελούν αντικείμενο επεξεργασίας για σκοπούς ασφαλείας.

Τέτοιες επεξεργασίες ξεκίνησαν στην Αμερική το 2001. Μετά την επίθεση στους Δίδυμους Πύργους οι Αμερικανοί αποφάσισαν ότι ήθελαν να γνωρίζουν όσο πιο αναλυτικά γίνεται ποιοι επισκέπτονται τη χώρα τους. Τις αντίστοιχες επεξεργασίες τις επέβαλλαν στους Ευρωπαίους. Στην αρχή είμασταν διστακτικοί όμως μετά τις επιθέσεις σε ευρωπαϊκές πρωτεύουσες αυτό κρίθηκε οριστικά ως μια καλή ιδέα (της οποίας όμως η αποτελεσματικότητα ακόμα δεν έχει αποδειχτεί).

Σε κάθε περίπτωση, η Κοινοτική Οδηγία εκδόθηκε, μετά από πολύ κόπο, το 2016, και ορίστε τώρα ο ελληνικός νόμος που εναρμονίζει την εσωτερική μας νομοθεσία με τις διατάξεις της.

Και τι μας νοιάζει εμάς, θα μου πείτε, και μάλλον θα έχετε δίκιο. Οποιοσδήποτε ταξιδιώτης καθίσει να το σκεφτεί έστω και για λίγο φαντάζομαι ότι θα φανταστεί πως τα δεδομένα του, κατά το χρόνο του ταξιδιού του, τα επεξεργάζονται αρχές ασφαλείας κάπου στην χώρα υποδοχής. Είναι ο κόσμος μας τέτοιος, που δεν νομίζω ότι έχει απομείνει κανείς ανυποψίαστος ως προς αυτό. Και πράγματι θα είχε δίκιο, αφού η αλήθεια είναι ότι και πριν από αυτό τον παραπάνω νόμο δεδομένα επιβατών πράγματι αποτελούσαν αντικείμενο επεξεργασίας για σκοπούς ασφαλείας, απλά ήταν λιγότερα και πιο φτωχά.

Το σημείωμα όμως αυτό δεν το γράφω για να ενημερώσω, ή τουλάχιστον όχι μόνο για αυτό. Πολύ περισσότερο ο νέος νόμος μου δίνει την αφορμή να σας διαβεβαιώσω ότι όση περισσότερη ασφάλεια τόσο περισσότερη ελευθερία για καθέναν μας. Ή, με άλλα λόγια, ότι η ασφάλεια είναι προϋπόθεση της ελευθερίας.

Γνωρίζω πολύ καλά ότι αυτό μπορεί να ακουστεί περίεργο ή ακόμα και ύποπτο. Ο μέσος Έλληνας στα βάθη της ψυχής του είναι δύσπιστος προς την έννοια της ασφάλειας. Γιατί συμβαίνει αυτό δεν μπορώ εύκολα να πω. Ιστορικά δεν το βλέπω να εξηγείται, αφού άλλες ευρωπαϊκές κοινωνίες με ίδια ιστορία δεν νιώθουν έτσι σήμερα. Ίσως να είναι κατάλοιπο της γενιάς του Πολυτεχνείου, η οποία εκτός από τα λεφτόδεντρα μας κληροδότησε και την αρνητική εικόνα για την αστυνομία. Ίσως όμως να είναι και θέμα του, μεσογειακού, DNA μας.

Αν είναι πράγματι θέμα της γενιάς του Πολυτεχνείου τότε με τον ίδιο τρόπο που θα λυθεί το συνταξιοδοτικό θα λυθεί και αυτό το πρόβλημα.

Μέχρι τότε όμως κάποιες σκέψεις σχετικά:

– Βασική προϋπόθεση της ελευθερίας είναι η ασφάλεια. Ο άνθρωπος αν δεν νιώσει ασφαλής δεν μπορεί να νιώσει ελεύθερος. Θα έχει σταματήσει πολύ πριν, στο στάδιο ακόμα εκείνο που φοβάται. Που φοβάται για την σωματική ή ψυχική-συναισθηματική του ακεραιότητα. Ότι δηλαδή είναι πιθανό κάποιος να ασκήσει σωματική ή ψυχολογική βία πάνω του. Ότι μπορεί ο ίδιος ή οι γύρω του να πάθουν κάτι κακό. Και, όποιος φοβάται δεν είναι ελεύθερος.

– Απαιτείται επομένως ο άνθρωπος να νιώθει ασφαλής. Πως γίνεται αυτό; Στα οργανωμένα κράτη αυτή είναι μια παροχή του κράτους. Στα δημοκρατικά οργανωμένα κράτη αυτή είναι μια παροχή που παρέχεται βάσει δημοκρατικά αποφασισμένων κανόνων. Κανόνες που ακολουθούν όλοι: Οι πολίτες, η αστυνομία, τα δικαστήρια, και όσοι ελέγχουν τη λειτουργία όλων αυτών. Κάπως έτσι είναι οι κοινωνίες που ζούμε στον δυτικό δημοκρατικό κόσμο τα τελευταία διακόσια, και βάλε, χρόνια. Οι κατά καιρούς εναλλακτικές, για να το πω κομψά, αποδείχτηκαν ελάχιστα ελκυστικές.

Για να το κάνω επομένως “λιανά”, προκαλώντας και λίγο, η ελευθερία καθενός μας παρέχεται από την αστυνομία. Το ξέρω ότι αυτή η φράση θα έκανε κάμποσους να κουνηθούν από την καρέκλα τους, όμως έτσι ακριβώς είναι. Από μια αστυνομία που εφαρμόζει κανόνες που όλοι μας συν-αποφασίσαμε, και η οποία ελέγχεται στο έργο της από τα όργανα που όλοι μας συν-ιδρύσαμε.

Εναλλακτική δεν υπάρχει. Επειδή ο άνθρωπος έχει έμφυτη ανάγκη να νιώθει ασφαλής, αν αυτό δεν το κάνει η αστυνομία καλά και σύμφωνα με τα παραπάνω τότε τον ρόλο της θα αναπληρώσουν οι αναρχικοί στα Εξάρχεια, οι χρυσαυγίτες στον Άγιο Παντελεήμονα και οι εταιρείες security στα βόρεια προάστια. Η φύση, ως γνωστόν, απεχθάνεται τα κενά.

Για αυτό ένας καινούργιος νόμος με αντικείμενο την ασφάλεια που δημιουργήθηκε από πολίτες για πολίτες είναι λόγος ανακούφισης και όχι ανησυχίας. Επειδή επιτέλους μπαίνουν ισορροπημένοι κανόνες σε πρακτικές που φοβόμασταν ότι ήδη εφαρμόζονταν για το, υποθετικό, καλό μας. Ο νόμος λύνει όλες αυτές τις ανησυχίες – καλύτερα ή χειρότερα αυτό είναι αντικείμενο επιστημονικής ανάλυσης, αλλά πάντως τις καταγράφει και τις αντιμετωπίζει. Επομένως, ανησυχία χρειάζεται μόνο αν θα τα καταφέρουμε με την εφαρμογή του. Αν όσοι κληθούν να τον εφαρμόσουν γνωρίζουν και μπορούν να κάνουν καλά τη δουλειά τους και αν όσοι κληθούν να τους ελέγξουν γνωρίζουν και μπορούν, και κυρίως μένουν ανεπηρέαστοι, στο έργο του ελέγχου τους.

Tagged with:

Have you already bought domain names with your children’s names?

While recently purchasing yet more personal domain names to point to my website I was tempted to think about the future and therefore run a search for domain names with my children’s names. Some are still available, others not. So, should I buy the ones available and place alerts for the other ones just in case? Several of my friends had embarked on a purchasing frenzy as soon as their children were born, covering all imaginable combinations of domain names with their newborns’ names. Should I copy them? Or should I let life take its course?

What is in a personal domain name anyway? Technically it is a unique identifier on the internet, a promise that we be discoverable within a sea of a billion internet users. As a unique identifier it is as valuable as our tax or social security number, or even our name. Personal domain names have been marketed as carving out real estate of our own on the internet, but I do not agree with this metaphor.

A domain name can be for life but it can also change to keep up with changes in our circumstances. We can use it immediately or store it away. Hidden away personal domain names are unreachable to anybody else. Against basic intellectual property law, this is indeed one item of intellectual property that can be kept away from all humanity — a small egoistical action available to each one of us. A personal domain name can even be under-used, forced to merely forward internet users to another domain name that is more desirable to us. And, of course, it can be abandoned at any moment for somebody else to take.

Personal domain names are harsh reminders of our unique-lessness. Thousands carry the same name as us. Personal domain names are up for grabs by whoever is the fastest or better informed. Others will have to patiently wait, if ever to be rewarded or be given a second chance.

Therefore, as with any good in scarcity therein lies their true worth. A prestigious, in vogue, personal domain name adds value to the social image of its holder. Less so a less common one — and we have yet to see domain names that are looked down on.

Social image value, however, lies in the eye of the beholder: Because new domain name extensions are added periodically one has to remain alert as to what is available and, even better, trendy. Today, your name ending in “.com” is considered best. However new alternatives pop up all the time: Should we add a “.me” personal domain name as well? What about “.name”? Perhaps also a domain name with our profession in it (e.g. “.accountant”)? The list is practically endless, ultimately connected with how we see, and wish to project, our own self.

Personal domain names are a relatively recent concern. In the early days of the internet nobody imagined a domain name of one’s person. Speculation at best evolved around foreseeable popular domain names such as “business.com” or “sex.com”. So-called cybersquatters, a term derived again from the real estate domain, only purchased domain names of famous companies in order to resell them with a handsome profit. Nobody ever imagined registering personal domain names for their own use, much less for their children.

It was most likely the 2006 Time Magazine “You” person of the year article that first brought to our attention that each one of us is the product. And, for any product to have any luck in modern society good marketing is imperative. Social media presence aside, a prestigious personal domain name and a corresponding good-looking personal website is the starting point and at the same time the point of reference upon which such a personal promotional policy builds.

Apparently however one needs to be worth of one’s domain name. If you wish you to be the only one carrying a domain name of your name among the thousands or even millions that carry the same name as you, well, then you better deserve it. Keeping a prestigious personal domain name is meritocracy on the internet: One can only support it through a correspondingly long list of achievements.

However, this is exactly where the real problems kick-in: If you are unlucky enough to be named Mark Zuckerberg, can you really claim the domain name “markzuckerberg.com”? Even worst, if your kid happens to carry the same name as the then President of the USA or the next trendy multi-billionaire, could it still keep the “.com” personal domain name you so prudently acquired for it at its birth? Even my own (rare) name is shared not only by Greece’s most famous singer but also by a prominent line of politicians and lawyers. What gives me the moral (not legal, legal is served on the first come-first served principle) to keep my name’s “.com” domain name against them?

This is why I never quite liked the real estate metaphor: A moderately priced real estate may be bought and kept for life by anybody. A 30-Euro/per year personal domain name may be bought by anybody, but it can well come to be that he or she at some point will simply feel not entitled to keep it any longer.

Even if this is not the case, a locked away domain name can be depressing. Asset idleness makes us restless. A personal domain name without a good-looking, updated personal website is our next project waiting to take place, tormenting us until it does, particularly if its start is endlessly postponed towards an unforeseeable future.


So, in view of the above, should we buy one, or more, for our children?

Thales replied to Solon that he remained single because he did not like the idea of having to worry about children; Parenting had always been a demanding job. While our basic instinct is to equip our children as best as possible so as to navigate life successfully (which after all led to a field of law, on inheritance rights, as old as humans), exactly how is that to take place has long been a point of debate.

A thousand years ago unwillingness to divide (low yield) land dictated that only the firstborn inherited all assets, leaving children next in line to hope for a military career, priesthood, or a good marriage. Kant’s emancipation through knowledge made things easier for second-borns, and I think that the rise of intellectual property finally made life a level playing field. Or, perhaps this is not true any longer: The Economist recently spoke of an “hereditary meritocracy”, whereby upper classes pay more (attention) to their children’s education, leading to the creation of an intellectual capital that is transformed later on into tangible property.

So, are personal domain names with our children’s names part of the intellectual property to be inherited to them, together with a good education and all our other social capital (our own name and reputation and social network), in order for them to perform better in their lives? Only two decades ago Magris wrote that he had been collecting Meissen porcelain sets piece-by-piece for years, in order to pass them on even as half-sets to his children thus allowing them to start their own collection. In an IKEA world, are personal domain names for our children the Meissen porcelain sets equivalent?

I think that the problem with Meissen porcelains is that they need to be used in context. Magris can well use them to serve his guests, however if one is found with an inherited Meissen set whereby however his or her other life circumstances do not concur, then that porcelain set risks becoming a depressing relic of a past life that was but no longer is, of a life that could be, of an unfulfilled promise or, even worst, potential.

Why would anyone wish to inflict so much pain to his or her children? I suppose there are two ways of seeing this, the aggressive one, whereby setting the bar high incentivises, and the passive one, whereby parent’s ambitions should not be imposed upon their children in fear of failure. Coming from a European background I would tend towards the latter but I can well understand proponents of the former.

So, I did not buy domain names with my children’s names after all. Technological developments aside (that in one sweep could easily render all today’s domain name system obsolete), I believe it is a matter of expectations. I choose not to impose on my children what I think they should do, what I think they should accomplish. Nor set them on a constant struggle to justify keeping their personal domain name against all others. I would prefer not to set any expectations for them whatsoever. However, I fully understand those parents that think different, and, for example, choose to place a bet on their infant sons making the national team before they reach thirty — after all, quite a few of them got a nice pay-check out of their blind faith to their offspring’s potential.


Tagged with: ,

What your hard drive reveals about you — and software design

I recently had a hard time explaining to my kids the use of folders in hard drives. Hierarchy they could more or less understand, as well as the fact that documents, photos and other files need to be found at a specific place. What they could not come to terms with was content specificity: They simply could not follow my reasoning why any separate topic requires a new folder, found within another folder on the wider topic, found within a folder of the general topic, etc.

At some point I understood that it is probably me, not them. I remembered similar realisations whenever I happened to work on younger colleagues’ computers. Desktop clutter aside, they mostly used a very shallow folder structure: One or two levels below the basic folder would generally do, each folder including maybe several dozens of files.

For me it is quite the opposite. My hard drive is full of sub-subfolders, however each one includes only a few files, sometimes even only one. Each filename invariably carries the date it was created. Why the difference?

If I search back, my first realisation that something was wrong came when I first used Evernote, many years ago. Why did it make so much fuss about tags? And why was there only one level of notebook structure? Even stacks did not seem to do it for me.

The same happened when I recently switched from Windows to macOS: Who would possibly wish to organise files based on their colour?

However, as signs increase at an alarming pace I cannot help but wonder, am I the exemption and not the rule? Am I the, inevitable, backwards compatibility requirement for any new software release? Or software could, and should, cater for all types of human brains, liberating humans in the process?


Introduction of the new series and mission statement


I belong to a generation that was not born into the digital but was brought up in it. Not that we had any choice. The digital transformation caught us in our early, formative years and it changed everything. We therefore had to adapt what we already knew to the digital. However we were the last ones that were required to do so — the next generation was brought up thinking the internet is a public utility. So I feel that I need to take a photograph and discuss technology’s why and how come. How it all far too quickly became what it is. And, hopefully, how the digital can finally embrace the human. I find that often the breakneck pace of technological progress fails to acknowledge the human condition.

These notes are also aimed at helping me to make sense of the digital. Too often those of us involved professionally with it are found in a whirlwind, where new and aspiring world-changing ideas appear and disappear overnight. Technologies not older than our children come to dominate human lives, asking pressingly for well-thought-of regulation. Sometimes I feel that a deep breath is needed, followed by an effort to connect the dots and identify true added value.

Why now? Like Renan, it was not until I was well advanced in life that I began to have any souvenirs. And, strangely enough it was the coming into effect of an important new piece of legislation, in 2018, that first caused me a strong backwards impulse, a pressing feeling to re-visit what has been achieved so far. This series is complementary to the GDPR ethics series: It shall take into consideration technology at large and not only personal data processing. Occasionally they may intersect, because indeed the GDPR today seems to be the go-to legal/ethics panacea for any and all new technologies, however while the GDPR ethics series is aimed at explaining its moral principles and policy options this series is aimed at discussing the why and the how come of information technology affecting our daily lives.


On our need to organise and categorise - also electronically
So, coming back to the folder structure, I believe that the gap between my own computer files’ organisation and that of younger generations came to be because I actually have worked with a filing cabinet. I was therefore trained to compartmentalise information. To think in terms of paper files and alphabetical or chronological indexes. Without them any paper file would be useless. Tags or colours were simply irrelevant.

On the other hand information technology allows a variety of searches onto any collection of data. A “structured set of [personal] data which are accessible according to specific criteria” is no longer necessary. It may even be unwanted, divulging personal biases of the organiser (as in algorithmic bias). Ultimately, a folder system may not even be needed at all. Humans need to make information accessible to them: If this can be achieved in any number of ways, why spend time and effort organising it as if filing cabinets could be replicated on hard drives?

So, why do Windows and macOS developers still bother with folders? Why does Evernote still use stacks? Why does OneNote replicate a typical, traditional, old-fashioned paper notebook? One explanation would be, so that my generation (now prime and supposedly able to pay users) can still feel at home. A more plausible one would perhaps be that humans need to categorise, in a more or less Aristotelian manner. Whether this human-userbias is inevitable, because humans for the moment design and use these technologies, and, if this is true, whether it is developing a crippling or an enabling effect for both (technology and humans), is exactly what this series is set out to explore.


Tagged with: ,