Beyond Data Protection: Regulating information and protection against risks of the digital society

On 21st- 22nd September 2023, we attended the “Beyond Data Protection Conference: Regulating Information and Protection against Risks of the Digital Society” in Utrecht, The Netherlands.

Day 01

During those two days, researchers from all over the world discussed data-induced harms through lenses that are alternative to data protection. As presented by Professor Nadya Purtova (Universiteit Utrecht) during the academic-policy roundtable “Data protection: how to keep it relevant in 2033”, personal data-centric legal solutions have created new challenges such as (1) over-inclusiveness, due to the broadness of the “personal data” concept; (2) under-inclusiveness, as data protection laws do not usually address all the data-related topics and outcomes they should (being controllers lack of expertise of one the reasons for it); and (3) the legal uncertainty posed by the lack of regulatory precision.

Professor Michael Veale (UCL) argued for the need to focus on the bigger picture. According to him, data protection conversations - or “have you moved the data from this place to that place?” conversations - tend to overlook broader discussions on how we organise our digital society, and about what business models should be allowed. Doing so would be similar to trying to address traffic safety by only regulating cars: it would leave out of the equation other major factors that contribute to the problem, such as urbanism, awareness, environment, transportation, etc.

To Professor Lokke Moerel (Tilburg University), the idea that you could get consent for something that is harmful or misleading is counterintuitive. Her prediction is that data protection authorities will be the ones informing other authorities as opposed to having such broad laws.

There was also discussion about the concept of ensuring ‘fairness’ in the use of data and code, the proliferation of GDPR compliance as an industry, privacy and data protection being linked but separate concepts, and whether we should focus on ‘harms’ or ‘being wronged’.

Professor Michael Veale (UCL) presented at the conference

Day 02

In the session 3C “Data to the people: reflecting on participation and inclusion in AI uses for healthcare,” organised by Nicola and Maria, participants were invited to reflect on the possibilities and concerns that the use of data healthcare poses to different communities today, and could pose in the next ten and twenty years.

To that end, we used a “futures wheel”, “a form of structured brainstorming that helps participants visualise how important trends or events might impact the policy or strategy area in question, (…) particularly useful for identifying and mapping connections and causalities.”

Credit: Tools for Futures Thinking and Foresight Across UK Government. Edition 1.0, November 2017, p. 110

“Futures wheel” created by participants of session 3C of the 2023 Beyond Data Protection Conference

The group decided to focus on specific data (weight and blood pressure) to enable reflections on more concrete scenarios. There were some positives to begin with, such as individuals being able to understand their personal health more, and supporting health researchers with understanding disease. Short-term concerns of the participants were around individual repercussions of having those pieces of information, such as its impact on self-image and lifestyle, and the immediate financial burden of having it informing insurance companies prices. As profiling and citizen scoring had been concepts that were discussed earlier in the conference, some participants came back to these ideas in this context, considering bleaker impacts of interventions, e.g. by the state, that might intend to help, but actually over-surveil and reduce autonomy.

Long-term discussions, on the other hand, focused on matters of market power, through competition and business models, and state power, through social scoring and inferences for access to public services. A particular topic that fueled these discussions were business models and perceived commercial opportunities focused on tech and data in the health industry. Information about food consumption, for example, gathered from the use of food delivery apps and grocery shopping, could inform pharmaceutical companies about the illnesses customers could develop due to their eating habits. This setting could be aggravated in a scenario where the same company owns the food supply and the medicine supply ((in some places, supermarkets and pharmacies are co-located or owned by the same company), therefore creating a vicious circle in which those advertising what we should eat are the same ones profiting from any medical treatment we might need because of it.