ECDF-professor Max von Grafenstein (University of the Arts Berlin) is a scientific supervisor at freemove, a transdisciplinary project exploring mobility data. The Technology Foundation Berlin spoke with him about data protection and his role in digital projects after a workshop on the research project. The interview was conducted by Frauke Nippel.
Data protection issues are considered by many to be complicated, indeed, hardly transparent. Can you understand that?
Max von Grafenstein: In fact, for a long time, some things were conceptually unclear in data protection law. What exactly is data protection law supposed to protect? Normally, there is a protected good that is worth protecting in itself; property, for example, is a protected good that must be protected against theft – But data? Data in itself is not a protected good, but the autonomy of the individual, which is threatened by the asymmetry of information power that can follow from data processing, is: One can invade people's private lives, discriminate against them, undermine their rights of freedom or participation, etc., in other words, their autonomous exercise of fundamental rights, on the basis of the information that can be generated relatively easily from the data and used for a wide variety of purposes.
Legally, it makes a big difference whether I define the data as a protected good or whether I protect it from the threat that can arise for the fundamental rights. If fundamental rights and the threat to them become the focus of interest, I must ask myself next: how plausible is this threat? Does every use of data really aim to affect all fundamental rights in the same way? Is it a problem if the master craftsman stores a customer's address in order to later send an invoice for his service, or the school collects data on children in order to better organize the school day? Can I really make no distinction in the handling of data between a company focused on data and the school or the craft enterprise?
This legal clarification will make things easier for practitioners because it will make it possible to examine the practical handling of data in a more differentiated way.
In what way?
Max von Grafenstein: Data protection remains a complicated area of law, no question. And it is clear that many companies cannot employ in-house lawyers or, if they do have such a person, he or she is not necessarily specialized in data protection issues.
But now that fundamental matters have been clarified, future work can focus on methodological issues. I assume that certain standardized procedures will develop, that practitioners will cooperate with data protection authorities, and that over time certain practices will prove themselves, which will be recorded in statements, codes of conduct, certification programs, and the like.
Practitioners will then be able to choose, for example, certification procedures for handling collected data; data protection by prescription, as it were. Our freemove project on mobility data also has such a goal: Ideally, the end result should be a certificate that enables users to handle mobility data in a privacy-compliant manner for defined issues. Based on the possibilities offered by the GDPR* and current developments, I think this is very realistic. The way we deal with data will change.
However, it still takes time. The first certification programs are not expected to be approved by the authorities until the course of next year, four years after the GDPR came into force. There were simply a lot of conceptual questions to be clarified.
In the workshop, you encouraged the practitioners to see data protection as an aid in the conceptual work for digital projects. What do you mean by that?
Max von Grafenstein: Data protection forces us to think carefully during the project design phase about how to handle data so that the risks for those affected are as low as possible. These are not only legal issues, but also technical and organizational ones that need to be clarified as early as the planning phase. If you adapt a technical system to such design principles only after the fact, it will be expensive. In addition, data protection puts the data carriers, i.e., customers or users of digital projects, at the center of considerations. That, too, is a very positive effect.
Incidentally, data protection also favors many innovations, creates new services, and so on. In current practice, its bad reputation stems primarily from its ill-conceived application, which makes compliance with regulations an end in itself and completely forgets the actual meaning and purpose of the regulations. Fortunately, this is increasingly understood by companies, which use well-practiced data protection more and more as a quality feature and even a competitive advantage.
*Primary Data Protection Regulation