The basic structures of data protection law still date from the era of punch cards and file folders. Since the census verdict of the Federal Constitutional Court of Germany (Bundesverfassungsgericht), societal handling of personal data and the perception of their sensitivity have undergone some fundamental changes.
For many “digital natives” in the twenty-first century, sharing meal times, appointments, even intimate moments with an indeterminate group of people on social networks is a natural part of their everyday life. “Smart” objects are increasingly tempting consumers with the promise of simplifying their everyday life. Based on consent provided on a single occasion, these objects are generating increasingly large data flows. To a large extent, personal data are no longer under the control of individuals once they have been fed into the front end of a data collector.
The digital measurement of the world raises many fundamental questions. Three subject areas loom large:
1. Legal handling of the economisation of data. The commodification of data results in companies buying as well as trading them as economic goods – they can also be used as a ‘means of payment’. At the time of early data and privacy protection, the transformation of the importance of data into an economic good still appeared alien. Consequently, the fundamental question arises how economic and privacy law interests regarding data can be reconciled. Questions regarding data licences, data sovereignty and data ownership emerge.
But how can data protection principles (especially of transparency, data economy and appropriate need) be realised and enforced in an era of digital enclosure and voluntary release without hindering the economic innovativeness of digital technologies?
2. New methods of data use clearly indicate the limits of conventional data protection law. The idea of technology-neutral protection of personal data has been shaken in the era of big data, IoT and artificial intelligence. The personal connection of data as the main starting point for the question whether data protection is necessary as well as the objective connection of the data (non-sensitive or sensitive, cf. Art. 9 GDPR), no longer draws any sharp distinction in order to counter actual threats, such as profiling. This raises the question whether the digital age actually requires complete readjustment of informational self-determination and understanding of privacy. However, what alternative doctrinal approaches are possible to make data protection law fit for the digital age – and are they really superior to the conventional understanding?
3. Under the functional conditions of complex mechanisms of data analytics, endowing consent to the processing of one’s personal data is becoming a particular challenge in the digital space. From the viewpoint of constitutional law, it is always the gilt-edged solution for taking the right to informational self-determination into account. However, the consent is often part of the privacy statement that many consumers often accept unread. The project explores what possibilities exist to configure the consent to be future-proof.
Prof. Dr. Mario Martini