Published online by Cambridge University Press: 26 April 2017
Data Protection Officer at the European Medicines Agency (EMA) and Visiting Lecturer in Global Risk Regulation at the University of Fribourg. The views expressed in this article are the personal opinions of the author. The author is indebted to Professor Luciano Floridi for the stimulating discussions about data ethics and for the comments received in the course of drafting this paper; email: alessandro.spina@ema.europa.eu.
1 Wolfgang Amadeus Mozart, Le Mariage de Figaro, Libretto by L. Da Ponte, opera buffa in four acts first performed at the Burgtheater, Vienna in 1786. The original text in Italian can be translated into English as follows: “And then when the time comes/that my master wants me/ dong dong: in three bounds/I am ready to serve him”.
2 C Hood, H Rothstein and R Baldwin, The Government of Risk: Understanding Risk Regulation Regimes (Oxford University Press 2001) 23.
3 For example, the GDPR foresees the creation of a new EU body, the European Data Protection Board (EDPB), composed of the various supervisory authorities, with a series of important tasks, including issuing guidelines and recommendations, necessary to operationalize the new regulatory framework.
4 Recital 53 of Directive 95/46/EC. In the GDPR, the special category of sensitive data is maintained.
5 This claim seems to confuse the application of risk analysis to two different issues: the rules aimed at regulating risks and the processes by which the rules are enforced on the basis of the alleged risk of non-compliance. Although risk plays a role in both, risk regulation and risk-based regulation are completely different concepts. For an overview of risk-based regulatory models cf: J Black and R Baldwin, “Really responsive Risk Based Regulation” (2010) 32 Law and Policy 181; J Black and R Baldwin, “When risk based regulation aims low: A strategic framework” (2012) 6 (2) Regulation and Governance 131. This understanding of risk-based regulation has been the object of a specific statement issued by the Article 29 Working Party, the network of independent national data protection authorities created by Directive 95/46/EC, during the adoption of the legislative proposal of the GDPR. Cf “Statement on the role of risk-based approach in data protection legal framework”, adopted on 30 May 2014, available at <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp218_en.pdf>.
6 For example, with regard to “the right to be forgotten” it is clarified that the right of the data subject to have his or her data erased and no longer processed is particularly important in those cases where “the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing and later wants to remove such personal data, especially on the Internet” (Recital 65).
7 A Ward, “US regulator accepts chip in a pill application”, Financial Times, 10 September 2015, available at: <https://www.ft.com/content/decece84-57b1-11e5-a28b-50226830d644>. It appears that the regulatory review of the digital pill by the FDA was not as swift as originally thought by the developers and it will require more testing: <http://www.mobihealthnews.com/content/fda-declines-approve-proteus-otsuka-sensor-equipped-pill-asks-more-tests>.
8 Article 29 Working Party Opinion on smart metering No 12/2011 adopted on 4 April 2011 available at: <http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp183_en.pdf>.
9 This point is particularly visible when the offer of services implies a transfer of personal data which data subjects are not able to monetize. The difference between a ride in a traditional taxi and in an Uber car lies not only in the pricing modalities but also in the fact that, in the case of Uber, the transaction between the parties is partly monetary and partly based on a voluntary transfer of geolocation and behavioural data. For an in-depth study of the legal issues connected with the competition offered by digital platforms, see A Ezrachi and ME Stucke, Virtual Competition: The Promise and Perils of the Algorithm-Driven Economy (Cambridge MA: Harvard University Press 2016).
10 For a reference on “data ethics” see L Floridi and M Taddeo, “What is Data Ethics?” (2016) 374 Philosophical Transactions of the Royal Society Part A. More generally, on the impact that new digital technologies are having on knowledge and ethics, see L Floridi, The Fourth Revolution: How the Infosphere is Reshaping Human Reality (Oxford University Press 2014).
11 Council for Big Data, Ethics and Society, “Perspectives on Big Data, Ethics and Society”, report prepared by Jacob Metcalf, Emily F Keller and danah boyd, May 2016, available at: <http://bdes.datasociety.net/wp-content/uploads/2016/05/Perspectives-on-Big-Data.pdf>, 5.
12 E Pariser, The Filter Bubble: What the Internet is Hiding From You (New York: Penguin Press 2011); W Quattrociocchi, A Scala and C Sunstein, Echo Chambers on Facebook (2016) paper available at: <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2795110>.
13 F Pasquale, The Black Box Society: the Secret Algorithms that Control Money and Information (Cambridge, MA: Harvard University Press 2015).
14 C O’Neil, Weapons of Math Destruction. How Big Data Increases Inequality and Threatens Democracy (Allen Lane 2016).
15 B D Mittelstadt, P Allo, M Taddeo, S Wachter and L Floridi, “The Ethics of Algorithms: Mapping the Debate” (2016) 3(2) Big Data & Society 1.
16 H Jonas, The Imperative of Responsibility. In Search of an Ethics for the Technological Age (University of Chicago Press 1984) 20.