Data processors have a duty to protect citizens' privacy

27 June 2017

Adequately protecting citizens' privacy is particularly difficult in a world in which data flows are continuously growing and data analysis is becoming increasingly fast. It is high time that privacy no longer be regarded simply as an individual right but also as an obligation of data processors, contends lawyer and philosopher Bart van der Sloot. That is the correct approach according to virtue ethics. He defended his doctoral thesis on Friday 30 June at the University of Amsterdam. His research was funded from the NWO programme Research Talent.

Man watching footage of security cameras. Photo: Shutterstock / Andrey_Popov

‘The individual has the right to claim their privacy’, says Van der Sloot, ‘but is often completely unaware of the processing of a wide range of data that is related to them. For example, what does the average citizen know about the data collected by the National Security Agency (NSA)? Do they realise that nowadays cameras hang on virtually every street corner? And if they decide to protest against that, then they are usually powerless against the large multinationals or government organisations that own the data.’

Van der Sloot investigated whether privacy should be approached in a different manner, for example as an obligation of the data processor. He bases this approach on virtue ethics, a philosophical school of thought that emphasises the obligations of persons and institutes. Obligations are not always given in negative form, such as not harming anybody, but also in positive form, such as treating people well.

How can you apply this virtue ethics approach to privacy and data protection regulations? ‘Back in the twentieth century, the American professor Lon L. Fuller contended that states have a set of minimum and maximum obligations that are not directly related to the rights or interests of the individual. This can be found in his book Morality of Law that was published in 1964. The minimum obligations encompass the judicial principles of transparency and clarity of the law. Equally so, the law may not desire the impossible from citizens. The maximum obligations are related to efforts to give citizens as much freedom as possible.’

Van der Sloot says that states must always satisfy a set of minimum requirements with respect to data processing, even when this does not concern personal data. ‘The regulations should at least always satisfy the minimum conditions of legitimacy and legality,’ he says. ‘The government, for example, may not collect data without being honest about that and permitting democratic control. The analysis of the data – so not just its collection or use – must also be subjected to restraint. If states fail to adhere to this, then they act undemocratically and outside of the rule of law, irrespective of whether individuals have suffered actual damage from the contested practices.’

States also have the duty to strengthen the autonomy of citizens, increase diversity in society and counteract 'social stratification'. ‘If police figures reveal that people with a certain ethnic background are more prevalent in crime statistics, then the state should not only use this knowledge to take further action against these groups, but also to counteract the causes.’

Additional information

Bart van der Sloot completed his doctoral thesis ‘Privacy As Virtue: Moving Beyond the Individual in the Age of Big Data’ at the Institute for Information Law, Faculty of Law, University of Amsterdam. He is now a researcher at the Tilburg Institute for Law, Technology, and Society at the University of Tilburg. His supervisors are professor Nico van Eijk and professor Beate Roessler. The associate supervisor is Dr Natali Helberger.

Source: University of Amsterdam (UvA)