Database Reference
In-Depth Information
these rules may even supersede data protection legislation. For instance, data
minimisation rules and prohibitions on the processing of sensitive data may be
overruled if they undermine the accuracy of a profiling exercise, or if they deny us
the possibility to detect discrimination in a profiling exercise.
A goal-oriented approach will likely mean less focus on ex-ante protection and
more focus on ex-post protection mechanisms. A positive effect of this shift is that
it will force data controllers to actually make an assessment of the risks involved
in their data processing and profiling activities, rather than reducing privacy and
data protection to a mere compliance issue, as is currently often the case.
7.7.4 From 'Privacy by Design' to 'Ethics by Design'
Apart from the application of data protection and the rules associated with it, we
should also examine other means of regulation. In particular the 'code as code' so-
lution of privacy by design should be taken into consideration (Lessig 2006). 'Pri-
vacy by design' refers to the notion that we must incorporate privacy-protecting
measures into the architecture of information systems (Borking 2010). In this way
we can 'hardwire' the rules into the system. While privacy by design is an impor-
tant measure when it comes to the protection of the individual in the context of
profiling we should also be cognisant of the limitations and drawbacks of such an
approach. In particular, we should take into account the limitations of privacy and
data protection law in drafting functional and legal requirements for IT systems.
Rather than a narrow focus on privacy and data protection we should look towards
the actual goal of the profiling exercise and determine whether we can apply ap-
propriate safeguards. This requires a broader focus than privacy, so instead of pri-
vacy by design we should focus on ethics by design. While closely related to the
idea of privacy by design, ethics by design allows for a more focused, context sen-
sitive approach to dealing with the possible risks of profiling.
7.8 Conclusion
Profiling is becoming an increasingly important tool for the public and private sec-
tor. While an effective tool, profiling might also entail risks for individuals and
groups. These risks include stereotyping, inaccuracies in the application of pro-
files, stigmatisation, de-individualisation and abuse of profiles.
Currently these risks are addressed mainly through the application of data pro-
tection law. However, it is questionable whether this legal framework in its current
form and application effectively mitigates the risks of profiling.
By stretching the definition of personal data to include profiles and the identifi-
ers that link these profiles to individuals (e.g., IP-addresses and cookies) the pro-
tection mechanisms of the Data protection directive apply. While such an ap-
proach is understandable, there are some drawbacks. Because of the binary and
procedural nature of data protection law there is no way to differentiate in the ap-
plication of the Data protection directive. Labelling all data as personal data either
because there are moral reasons to have some form of protection, or because there
Search WWH ::




Custom Search