Periodic Reporting for period 4 - INFO-LEG (Understanding information for legal protection of people against information-induced harms)
Berichtszeitraum: 2021-09-01 bis 2023-09-30
Information can harm people, e.g. being denied a mortgage or insurance based on your online surfing. But what exactly is it about information that is harmful, and how can people be protected? The current legal answer is that legal protection is granted when a) there is information b) about or potentially affecting a person c) who is identified or identifiable. This is personal data. But what will become of legal protection when all information is personal data due to developments in data analytics, and how will law be able to meaningfully protect against information-induced harms?
Legal protection triggered by personal data will be difficult to maintain. Yet, alternatives for structuring legal protection other than through the concept of personal data are lacking. It is important that we anticipate on this shift and conduct fundamental research on how information harms people and how legal protection can be more effective.
We look for substitutes for the notion of personal data to fundamentally re-organize legal protection. The project is unique in integrating how law, economics, and information studies conceptualize information.
Three project objectives are:
(1) analyse the challenges of personal data-centred legal protection;
(2) consider alternative organising notion(s) rooted in a better understanding of information and how it affects people from the perspectives of law, economics, and information studies;
(3) indicate directions for improved legal protection.
The project concluded that in the present age where information-related problems are often mediated or caused by algorithms and do not involve human interpretation, anchoring legal protection against information-related wrongs in the concept of "personal data" is problematic. It will results in debates which information is included and which is excluded from the scope of protection, and enables big players with enough resources to play around the rules. Legal, economic and information science tracks of the poject converge on the conclusion that data is not a suitable object of regulation when the aim is to address the wrongs commonly associated with data processing. Instead, we identify two types of problems which require different solutions: 1) problems where meaning of information to a human is instrumental for a harm to occur (e.g. intrusion into private life through access to "private information", e.g. on family life and health) and 2) problems where the meaning of information to a human is immaterial. The former can be addressed by regulating access to and use of certain information. The latter are best addressed through regulation of problematic practices, such as algorithmic consumer manipulation and discrimination. This is best done through sectoral legislation, much of which already exists but needs to be updated to the digital context. To inform the reform of the sectoral legislation, our political-ecological approach can be used, which calls to consider each regulatory problem in terms of an ecosystem where data may but may also not play a decisive role. This sectoral legislation must be underlines by the regulation of design and use of computer software because it amplifies the existing societal problems in a unique way and hence warrants specific regulation. This model of legal protection results in a legal regime that is more targeted and scalable.
Legal protection triggered by personal data will be difficult to maintain. Yet, alternatives for structuring legal protection other than through the concept of personal data are lacking. It is important that we anticipate on this shift and conduct fundamental research on how information harms people and how legal protection can be more effective.
We look for substitutes for the notion of personal data to fundamentally re-organize legal protection. The project is unique in integrating how law, economics, and information studies conceptualize information.
Three project objectives are:
(1) analyse the challenges of personal data-centred legal protection;
(2) consider alternative organising notion(s) rooted in a better understanding of information and how it affects people from the perspectives of law, economics, and information studies;
(3) indicate directions for improved legal protection.
The project concluded that in the present age where information-related problems are often mediated or caused by algorithms and do not involve human interpretation, anchoring legal protection against information-related wrongs in the concept of "personal data" is problematic. It will results in debates which information is included and which is excluded from the scope of protection, and enables big players with enough resources to play around the rules. Legal, economic and information science tracks of the poject converge on the conclusion that data is not a suitable object of regulation when the aim is to address the wrongs commonly associated with data processing. Instead, we identify two types of problems which require different solutions: 1) problems where meaning of information to a human is instrumental for a harm to occur (e.g. intrusion into private life through access to "private information", e.g. on family life and health) and 2) problems where the meaning of information to a human is immaterial. The former can be addressed by regulating access to and use of certain information. The latter are best addressed through regulation of problematic practices, such as algorithmic consumer manipulation and discrimination. This is best done through sectoral legislation, much of which already exists but needs to be updated to the digital context. To inform the reform of the sectoral legislation, our political-ecological approach can be used, which calls to consider each regulatory problem in terms of an ecosystem where data may but may also not play a decisive role. This sectoral legislation must be underlines by the regulation of design and use of computer software because it amplifies the existing societal problems in a unique way and hence warrants specific regulation. This model of legal protection results in a legal regime that is more targeted and scalable.
Work proceeded in 3 stages:
Stage 1 (Problem analysis): review of the literature conceptualizing societal problems data protection law is meant to address. The problems were articulated in three ways: as harms of personal data processing; problematic practices; and values to be protected. In the EU, the protective objectives of the GDPR are very broad and underdefined, including everything involving personal data processing. The EU and US personal-data centred approaches to legal protection against information-related problems were analysed and critiqued for resulting in the application that is too broad or too narrow, and imprecise to achieve their objectives. Economic and technical drivers behind the expansion of the application of the concept of personal data were identified.
Stage 2 (exploration of alternative organising notions): We analysed legal and regulatory theory to understand how effective legal protection should be built. This analysis was supported by illustrations from multiple legal domains across multiple jurisdictions. We looked at how law understands information and concluded that it has no such consistent and theoretically-grounded understanding. We examined how information and information-related concepts such as data and meaning are understood in other disciplines: information studies and economics. Theoretical research was complemented by 3 empirical case studies: behavioral advertising, smart grids and smart cities.
Stage 3 (Analysis and operationalization of new organizing notions): based on the findings of stage 2, informed by the legal and regulatory theory on how legal protection should be constructed, and the political-ecological approach to mapping information-related problems and their solutions, we proposed a new scalable and more targeted approach to legal protection which is not anchored in “personal data”.
The results of the project have been disseminated through:
11 peer-reviewed publications;
1 PhD thesis;
8 other academic publications (under review with peer reviewed journals);
37 conference and workshop presentations, including to industry and policymakers;
2 international conferences and 4 academic workshops;
2 expert workshops.
Our findings can be used to inform reform of what is now data protection law. Our findings, particularly, on the insustainability of personal data-centred legal protection are referenced in at least 5 EU policy documents (acc to journal statistics) and have shifted the status quo in EU data law which now recognizes that it is difficult to distinguish between personal and non-personal data in datasets. Our conceptualization of information can be used in other areas of law dealing with information problems, e.g. freedom of speech or intellectual property.
Stage 1 (Problem analysis): review of the literature conceptualizing societal problems data protection law is meant to address. The problems were articulated in three ways: as harms of personal data processing; problematic practices; and values to be protected. In the EU, the protective objectives of the GDPR are very broad and underdefined, including everything involving personal data processing. The EU and US personal-data centred approaches to legal protection against information-related problems were analysed and critiqued for resulting in the application that is too broad or too narrow, and imprecise to achieve their objectives. Economic and technical drivers behind the expansion of the application of the concept of personal data were identified.
Stage 2 (exploration of alternative organising notions): We analysed legal and regulatory theory to understand how effective legal protection should be built. This analysis was supported by illustrations from multiple legal domains across multiple jurisdictions. We looked at how law understands information and concluded that it has no such consistent and theoretically-grounded understanding. We examined how information and information-related concepts such as data and meaning are understood in other disciplines: information studies and economics. Theoretical research was complemented by 3 empirical case studies: behavioral advertising, smart grids and smart cities.
Stage 3 (Analysis and operationalization of new organizing notions): based on the findings of stage 2, informed by the legal and regulatory theory on how legal protection should be constructed, and the political-ecological approach to mapping information-related problems and their solutions, we proposed a new scalable and more targeted approach to legal protection which is not anchored in “personal data”.
The results of the project have been disseminated through:
11 peer-reviewed publications;
1 PhD thesis;
8 other academic publications (under review with peer reviewed journals);
37 conference and workshop presentations, including to industry and policymakers;
2 international conferences and 4 academic workshops;
2 expert workshops.
Our findings can be used to inform reform of what is now data protection law. Our findings, particularly, on the insustainability of personal data-centred legal protection are referenced in at least 5 EU policy documents (acc to journal statistics) and have shifted the status quo in EU data law which now recognizes that it is difficult to distinguish between personal and non-personal data in datasets. Our conceptualization of information can be used in other areas of law dealing with information problems, e.g. freedom of speech or intellectual property.
We went beyond state of art in the following ways:
• The project triggered a major shift in the legal academic discourse in data protection away from focusing on the issues of regulation of processing of personal data to other potential objects of regulation, such as infrastructure, etc.
• Articulated first the problem of personal-data centred legal protection against information-related harms;
• Offered alternatives to the personal-data centred legal protection against information-related harms, based on the integrated multidisciplinary understanding of information and the mechanics of its impact on people;
• Developed an understanding of information that can inform how other legal domains dealing with information can resolve information-related problems;
• Offered a critical systematization of the economic literature o data as a good and pointed to the limitations of the data-centred economic models for achieving broad social objectives;
• Took the scientific debate on data commons on a new level by proposing a political-ecological approach to governing digital society.
• The project triggered a major shift in the legal academic discourse in data protection away from focusing on the issues of regulation of processing of personal data to other potential objects of regulation, such as infrastructure, etc.
• Articulated first the problem of personal-data centred legal protection against information-related harms;
• Offered alternatives to the personal-data centred legal protection against information-related harms, based on the integrated multidisciplinary understanding of information and the mechanics of its impact on people;
• Developed an understanding of information that can inform how other legal domains dealing with information can resolve information-related problems;
• Offered a critical systematization of the economic literature o data as a good and pointed to the limitations of the data-centred economic models for achieving broad social objectives;
• Took the scientific debate on data commons on a new level by proposing a political-ecological approach to governing digital society.