LinkedIn article, published on September 16, 2018

Are digital ethics being hijacked by EU’s General Data Protection Regulation? The European Data Protection Supervisor having set up an Ethics Advisory Group, the 40th International Conference of Data Protection and Privacy Commissioners having dedicated this year’s topic to digital ethics, and all EU funded (H2020) research projects customarily connecting the two, one would be tempted to say yes. Perhaps this is a natural response towards a perceived or existing gap – the GDPR does it simply because it can, having the legal provisions to back up its findings.

Be it as it may, it appears that the discussion on digital ethics today revolves around the EU data protection model. The GDPR being the latter’s standard-setting text, I believe that there is some merit in discussing the GDPR’s own ethics. To me, these include both the GDPR moral principles (what to do and not to do) and its policy options (how these moral principles came to exist). This series will follow the structure of the GDPR, not so much as an article-by-article analysis (the 1/99 on their title being more of a personal benchmark), than in an effort to reveal (some of) its reasoning and ethics-related issues. Needless to say, none of this constitutes legal advice nor anything other than personal ruminations at best.

The digital being incorporated by now into all aspects of human life; human life being composed of (digitized) data; the GDPR regulating personal data processing in (and out of…) Europe; all of the above provide the background against which the GDPR made its presence felt, to say the least, in the digital ethics discussion.

Is the GDPR an adequate tool to do that? I do not think so. First and foremost, there is much discussion on whether Europe’s individual right to data protection is a right by itself or a mere tool, a right of rights. How could anyone exercise any of his or her basic rights without the interface of the right to data protection? All human basic rights depend on the processing of personal data – in fact, they attach a certain behaviour to each type of processing. The right to data protection offers us control over our personal data – making it therefore the gatekeeper for all rights and freedoms to kick in.

Then, there is the complex, Oedipal (or rather, Electra) relationship with the right to privacy. The right to data protection is a spin-off of the right to privacy, only recently having won its autonomy and special place in the list of basic human rights in Europe. It is technical and case-specific, where privacy is general and comprehensive. It provides concrete guidance and solutions (hence its appeal) whereas the right to privacy has to do battle with Aristotle’s man being by nature a social being.

Finally, the GDPR is a law, not a text of philosophy. It is the result of political, social and legal (European) expediency. It had to build upon a legal (non-digital) background, It came as the result of five years of intense lobbying and negotiations, and, were it not for the Snowden revelations, it may never have seen the light of day.

I think that, if one asks from the GDPR to set digital ethics, he or she runs the risk of putting the cart before the horse. Ideally, (European) digital ethics would first have been formulated, and then legal provisions (not only in the field of data protection) would have applied them in practice. The GDPR is a “technical” piece of legislation whose only mandate is to make Article 16 TFEU concrete. It may have become omnipresent in our daily lives, because to-date it is the only regulatory instrument to dictate behaviour on the digital, however in order for its legal provisions to become ethical propositions a leap of faith is required – and a lot of discussion and analysis to better our odds while making it.