sep 10
Aristotle and balancing in the EU General Data Protection Regulation

Blog inspired by talks with Esther Hoorn and Melika Nariman

----

These are interesting times! We are reviewing the way we do things in academic research with the privacy principles in mind, as stated in the GDPR.

What are these principles?

[Image: Privacy Principles GDPR]

Principles no one can really refute, I assume. The question, however, remains: how to do justice to these principles? The answer to this follows from the nature of the right to privacy; it is not an absolute right, but a fundamental right amongst other fundamental rights. 

“The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”

Recital (4) GDPR

This means that in some cases it is acceptable that, for instance, 'threats to public health' or 'national security' are weighed against the privacy rights of individuals. 

In the Ebola virus case, for instance, the spread of the disease could reasonably be expected to be contained only if the outbreak could be geographically plotted, based on the medical information of individuals, thus allowing appropriate measures to be taken, such as defining quarantined areas. 'Although broad public disclosure of Protected Health Information is limited, HIPAA’s Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to Protected Health Information that is necessary to carry out their health mission.' See also: Tammy Ward Woffenden et al.: Balancing Privacy and Public Health during an Ebola Outbreak. ABA Health eSource, Vol. 11 No. 3, November 2014. Source: https://www.americanbar.org/publications/aba_health_esource/2014-2015/november/privacy.html

We learn from the Ebola case the importance of 'balancing' of rights. 

How do we balance the right to privacy? Which logic is to be followed? The GDPR states in Article 8:

Article 8 GDPR - Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

Prof. Dr. Gloria González Fuster (VUB, Brussels) identified the three balancing aspects from this Article 8 GDPR and presented the visual representation below of the three dimensions of the balancing act in the GDPR:

[Image: Dimensions of balancing]


Source: Recent jurisprudence of the European Court of Human Rights and the Court of Justice of the European Union. Brussels Privacy Hub, VUB Brussel, June 30 2017.

So, in the context of academic research, the individual's privacy rights are balanced with the legitimate interests of the researcher, and the balancing is controlled by an independent authority, for instance, the national Data Protection Authority. 

In the Ebola case, in our example, the independent authority would be the Department of Health and Human Services, which controls compliance with the 'Health Insurance Portability and Accountability Act' (HIPAA).

Additional help in understanding the logic of balancing is provided by the 'Article 29 Data Protection Working Party' in its Opinion 06/2014 on the "Notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC", adopted by the European Commission on 9 April 2014. Note that technically this adopted opinion addresses the topic of legitimate interests under the Directive, the precursor of the GDPR. Be that as it may, the following four steps of balancing were adopted and help us to understand the logic of balancing and the hierarchy of relevant aspects:

1. Legitimate interests of controller or 3rd party
  • freedom of expression
  • direct marketing and other forms of advertisement
  • enforcement of legal claims
  • prevention of fraud, misuse of services, or money laundering
  • physical safety, security, IT and network security
  • whistle-blowing schemes
2. Impact on data subject
  • Actual and potential repercussions
  • Nature of the data
  • How the data are processed
  • Reasonable expectations of the data subject
  • Nature of controller vis-à-vis data subject 
3. Make provisional balance
  • “Necessary”
  • Least intrusive means
  • Reasonably effective 
  • Balance of interests 
4. Safeguards
  • Measures to ensure that the data cannot be used to take decisions or other actions with regard to individuals.
  • anonymisation techniques, aggregation of data
  • privacy-enhancing technologies, privacy by design
  • increased transparency
  • general and unconditional right to opt-out


Source: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf 

Aristotle

In a previous blog I addressed the underlying Kantian moral philosophy of the GDPR. With Kant, we saw safeguarding our own privacy as our moral right and safeguarding the privacy of the individuals involved in our research as our moral obligation.

Aristotle's splendid contribution in the Nicomachean Ethics on the nature of moral virtues is, I propose, relevant to our understanding of the balancing of rights.

Aristotle defines moral virtue as a disposition to behave in the right manner and as a mean between extremes of deficiency and excess, which are vices:

Virtue then is a settled disposition of the mind determining the choice of actions and emotions, consisting essentially in the observance of the mean relative to us, this being determined by principle, that is, as the prudent man would determine it. And it is a mean state between two vices, one of excess and one of defect.

Source: Aristotle, The Nicomachean Ethics, II. vi. 15, 16. Translation by H. Rackham. Harvard University Press. Cambridge, Massachusetts, 1990.

Aristotle illustrates the moral virtue 'courage' as the mean between the vices 'fear' and 'confidence' [II. vii. 2]. He continues, stating that moral actions can only be praised or condemned when they are voluntary acts [III. i. 1] and chosen [III. ii. 2] in a given situation:

by acting in dangerous situations and forming a habit of fear or of confidence we become courageous or cowardly. [II. i. 7]

In a certain situation, when a general has a strategic military advantage over his enemy (the morale of his soldiers is high and the troops are well equipped and positioned), it shall be considered courageous when he strikes the enemy. The decision to strike when at a strategic disadvantage, by contrast, shall be condemned, for it is not well chosen (amongst possible alternative decisions) and is considered 'overconfident', for unnecessarily risking his own soldiers' lives.

To conclude, Aristotle balances between excess and defect, given a certain context, and finds the mean in the voluntarily chosen act. Choice involves reasoning and some process of thought [III. ii. 17].

In his study of moral virtues, Aristotle implicitly defines the adequacy and proportionality principles. They constitute the reasoned, chosen mean between two extremes (too much / too little) given a certain situation.

His approach provides a simple rule of thumb: What would be adequate, given the situation, and what would be proportional (not too much and not too little)?

Aristotle after Lysippos [Public domain], via Wikimedia Commons. 
Source: https://upload.wikimedia.org/wikipedia/commons/a/ae/Aristotle_Altemps_Inv8575.jpg

Balancing

With Kant and Aristotle in mind, we have the moral obligation to safeguard the privacy rights of the individuals involved in our research, yet we must balance these rights with our own legitimate interests as researchers: to do research of which it can reasonably be expected that the newly derived insights will be in the public interest and will have societal relevance and impact.

Balancing is done by assessing, in a reasonable and fair manner, scenarios in which the impact on the privacy rights of individuals is minimal and will not cause harm to these individuals, thus allowing a certain research project to be done, with a justifiable research question and a reasonably foreseeable benefit for the public. Choosing the mean is choosing the scenario that is adequate and proportional.

These principles make it practically impossible to define once and for all what is adequate and proportional in any given situation. It depends on the context and the assessment of the impact on the individuals involved in our research.

I would, however, suggest that providing such a rule of thumb is indeed possible, given a specific research scenario (e.g. qualitative national research, based on survey data from participating individuals, who have stated their informed consent for their participation). How can this specific research project be designed so as to be least intrusive to participating individuals and at the same time reasonably effective in terms of research outcomes and valuable time spent?
