Arthur Laudrain is supported by a Rotary Foundation Global Grant part funded by Rotary District 1650 in France. He is studying for a PhD in Cyber Security at the University of Oxford. His Rotary scholarship is for four years 2018-19, 2019-20, 2020-21, 2021-22.
This article was published in CyberWorld in June 2018
When it comes to data protection in Europe, the European Union’s GDPR seems to be the focus of attention for businesses and scholars alike. This article’s premise is that we should not forget the more fundamental legal framework surrounding privacy and personal data, and thus suggests to address the European Court of Human Rights (ECHR) through the trendy topic of smart-cities.
Indeed, the ECHR has been developing an extensive jurisprudence on the protection of personal data. Their handling, primarily when they relate to individual persons, is restricted in purpose, time and ownership. In parallel, smart cities and the Internet of Things (IoT) are changing the nature, scale and purpose of data collected by institutions, public or private. Even more so, they are likely to profoundly challenge our conceptions of private life, consent to data collection and to ownership by third-parties. Reconciling these structural changes to our social lives with the fundamental right to privacy will present significant challenges for all stalk holders.
Smart-cities and the Internet of Things: Ubiquitous and pervasive computing
If smart-cities, in their original meaning, merely designated a centralised model of city management which relied on ICT-intensive infrastructures, today’s smart cities are increasingly user-centric. The IoT for the purpose of smart-cities relies mostly on sensors attached to everyday objects, such as cameras, short-range identifiers (RFID/NFC) or geo-locators embedded in pavements, public transports or buildings.
Two major trends in the development of smart-cities affect privacy. As an old technology widely deployed in all major urban infrastructures, CCTV is often one of the first to be upgraded in a smart-city philosophy, and provides an excellent illustration of the phenomenon.
The first trend is that sensors and related databases are being more widely shared among different public entities, and within a broader geographic zone. This is the case in Brussels for example, where a centralised command and control centre manages and shares access to all CCTV. This more extensive sharing does not only concern different police sectors, but other public service institutions as well, such as the environment and cleaning service of the Brussels municipality. Such a broader sharing implies de facto a repurposing of both the sensors and the related stored data, and is the likely consequence of better cooperation between public services.
Second, public authorities are increasingly deploying sensors and databases fitted with artificial intelligence capabilities. As these sensors or databases are interconnected, powerful algorithms are able to collate these multiple sources of data. This is the case in China, for instance, where CCTV footage is embedded with a face recognition software connected to the national, regional or municipal identification database, but also to personal public transport check-in data. This trend is made possible by advances in AI technology, and reflects the ubiquity of the IoT. However, this poses a direct risk to the privacy of individuals because of the underlying cross-referencing possibility. The spokesman of an advanced CCTV system manufacturer in China told the BBC in 2017: ‘We can match every face with an ID card and trace all your movements back one week in time. We can match your face with your car, match you with your relatives and people you’re in touch with. With enough cameras, we can know who you frequently meet.’
In other words, IoT sensors, when exploited as part of a wide network, are becoming more efficient than smartphones in tracking people’s activities. This statement in itself says a lot. Individuals roughly know what their personal devices’ capabilities are. They know how to, and actually can, turn them off, although it seems even US soldiers trained to operational security (OPSEC) methods massively failed to do it. This level of understanding and ownership is far from given with IoT devices and smart-city infrastructures, and it raises a number of legal issues.
The European Convention of Human Rights: An instrument living with its society
The ECHR is a treaty established in 1950. As of 2017, it consists of 47 High-Contracting parties. The object and purpose of the Convention is to maintain ‘peace and justice’ by setting up a regime of ‘collective enforcement’ of human rights, on the basis of a ‘common heritage […] of ideals’. Because the Convention protects the most fundamental human rights and possesses an independent court, it was described as what comes closest to a ‘European bill of rights’.
The Convention is characterised by its strong focus on social and political rights, by the scope of its application (its member-states convene 800 million people) and by its strong enforcement mechanism. The latter rests principally on the ability given to individuals to petition their case to the Court when they have exhausted national remedies.
The Court has taken a teleological approach to the interpretation of the Convention. It stated in 1975 that the Convention’s interpretation must be the ‘most appropriate one’ to further its object and purpose. Accordingly, the Court affirmed in Tyrer v UK, and again more recently in Rantsev v Cyprus and Russia, that the rights protected by the Convention must be understood and interpreted in light of ‘present-day conditions’. This doctrine was coined as dynamic interpretation.
The first and foremost impact of dynamic interpretation is that it extends the reach of the rights protected by the Convention over time. In such an ‘anti-textualist’ and ‘anti-originalist’ approach, the process of interpretation leads to the discovery of new grounds of application of human rights, as societies change. Some usages and values that were predominant in 1950 are today either unacceptable or inexistent. High-profile cases for which rulings were influenced by society’s evolution addressed topics such as children born out of wedlock, corporal punishment or the criminalisation of homosexual behaviour. If the Court was to interpret the Convention stricto sensu in its 1950 context, achieving the Convention’s purpose today would be of considerable difficulty.
Data protection as a Human Right
The Convention provides for the right to respect for four distinct interests: one’s private life, family life, his or her home and correspondence. These interests may be subject to interferences by public or private entities to the extent that they are justified and that there exist sufficient safeguards in the domestic legal order.
The Court stated that the scope of private life could not be ‘susceptible to an exhaustive definition’. Nonetheless, it developed an open scope that can encompass ‘multiple aspects of the person’s physical and social identity’. Notably, the Court determined that private life cannot be restricted to a certain geography or social circle. Rather, the right to private life includes a wide-ranging ability to ‘develop relationships with other human beings’ for the ‘fulfilment of one’s own personality’ or for other purposes such as business. Consequently, the scope of private life goes much beyond one’s home or personal devices.
As opposed to the EU Charter, the Convention does not dedicate an article to personal data. However, the Court has developed an extensive case-law record addressing the issue. It ruled in 2008 and reaffirmed in 2014 that protection of personal data is a fundamental requirement for an individual to enjoy his or her right to private and family life, thus enshrining data protection within the meaning and scope of article 8.
What does that imply for smart-cities?
First, we may have to collectively rethink our approach to personal data and consent to their collection. IoT devices and infrastructures that make a smart city are meant to be invisible and forgotten. They will be present in such a comprehensive and integrated fashion with private and public services that individuals will gradually lose the freedom to choose whether to expose themselves to them. Choosing not to would prevent people from living a normal life, i.e. not being able to use public transport. Indeed, today we can hardly decide to live without regular internet access, which has become an essential part of one’s private and professional activities and as such, is considered a basic human right in a number of countries such as France. In consequence, we may have to consider moving towards a context-based consent, where consent would be assumed or not, depending on the situation.
Second, the increasing number of the sources and variety in the nature of data collected is expected to bring tremendous value to their collation and cross-analysis, better known as big data analytics. The processing of data outside of the entity that collected it forecasts a trend of wider sharing and repurposing of personal data, both of which require specific consent and procedural safeguards under the principles of necessity and legality.
Finally, and consequently to both previous issues we highlighted, it is likely we will need to rethink the current binary notion of public and private spaces. In Von Hannover v Germany, the Court found that even public figures can benefit from reasonable expectations of privacy in public spaces, outside of their professional activities. Thus, these expectations should benefit private individuals at least at an equal level, if not a higher one. This approach seems justified, as the line between public and private spaces collapse, both online and in the real world. Parallels can notably be drawn with social media, where some spaces are open (public) and others can be restricted to friends or followers.
Conclusion and opening
The dynamic interpretation doctrine adopted by the Court implies that the scope of the right to privacy is redefined as society evolves. As usages of technology evolve, but also as moral values and expectations of ethical standards evolve, so does the scope and meaning of the right to privacy. The substantial widening of the right to access to information is only the latest example in a long trend among the case-law record.
These evolutions in societal usages and values can thus bring new obligations to states, positive or negative, enlarging the scope of the right in scale and nature that could not have been foreseen by the Convention’s drafters nor by states when they ratified it. The scope of the right to privacy is thus potentially ‘limitless’. Smart-cities will likely require data protection specialists and human rights scholars to take a fresh approach to founding principles of privacy. This will undoubtedly impact not only citizens across Europe, but also businesses around the world that rely on their data.
Disclaimer: The views expressed are exclusively those of the author. This article was produced and adapted from an academic work in progress at Leiden Law School, Netherlands. For brevity and clarity, referencing may fall short of academic standards. As a result, this article should not be considered as scientific writing.