Information can harm people, e.g. being denied a mortgage or insurance based on your online surfing. But what exactly is it about information that is harmful, and how can people be protected? The current legal answer is that legal protection is granted when a) there is information b) about or potentially affecting a person c) who is identified or identifiable. This is personal data. But what will become of legal protection when all information is personal data due to developments in data analytics, and how will law be able to meaningfully protect against information-induced harms?
Legal protection triggered by personal data will be difficult to maintain. Yet, alternatives for structuring legal protection other than through the concept of personal data are lacking. It is important that we anticipate on this shift and conduct fundamental research on how information harms people and how legal protection can be more effective.
We look for substitutes for the notion of personal data to fundamentally re-organize legal protection. The project is unique in integrating how law, economics, and information studies conceptualize information.
Three project objectives are:
(1) analyse the challenges of personal data-centred legal protection;
(2) consider alternative organising notion(s) rooted in a better understanding of information and how it affects people from the perspectives of law, economics, and information studies;
(3) indicate directions for improved legal protection.
The project concluded that in the present age where information-related problems are often mediated or caused by algorithms and do not involve human interpretation, anchoring legal protection against information-related wrongs in the concept of "personal data" is problematic. It will results in debates which information is included and which is excluded from the scope of protection, and enables big players with enough resources to play around the rules. Legal, economic and information science tracks of the poject converge on the conclusion that data is not a suitable object of regulation when the aim is to address the wrongs commonly associated with data processing. Instead, we identify two types of problems which require different solutions: 1) problems where meaning of information to a human is instrumental for a harm to occur (e.g. intrusion into private life through access to "private information", e.g. on family life and health) and 2) problems where the meaning of information to a human is immaterial. The former can be addressed by regulating access to and use of certain information. The latter are best addressed through regulation of problematic practices, such as algorithmic consumer manipulation and discrimination. This is best done through sectoral legislation, much of which already exists but needs to be updated to the digital context. To inform the reform of the sectoral legislation, our political-ecological approach can be used, which calls to consider each regulatory problem in terms of an ecosystem where data may but may also not play a decisive role. This sectoral legislation must be underlines by the regulation of design and use of computer software because it amplifies the existing societal problems in a unique way and hence warrants specific regulation. This model of legal protection results in a legal regime that is more targeted and scalable.
