Every year on 28 January the European Commission 'celebrates' the Day of Privacy.  It was on this day in 1981 that the European Data Proection Act was signed. 'The Act was in fact the first set of regulations for protecting personal data,' Custers explains. He conducts research on privacy, including online privacy, within the eLaw group at the Faculty of Law. 'The Act was compiled before the internet age. All kinds of databases were due to be set up and the Council of Europe decided that rules were needed on how to handle all that information.'  

Rules for personal data

‘These are very basic rules,' Custers says. 'You have to let a person know in advance what their data will be used for, as an example, and obviously you can't change your goal afterwards, or use the data for some other purpose.' Another point is that you are not allowed to store more data than needed for the purpose, you have to make sure the data are well protected and you have to be transparent about how you handle the data. A European guideline was drawn up in 1995 based on these rules, and our Dutch legislation is in turn based on this European guideline. The first ruling was the Protection of Personal Data Act and since May last year the new General Data Protection Act (AVG).' 

Nothing new in the Act

If these rules sound familiar, there's good reason for that. 'It's quite remarkable that that very first Act  is not so very different from our new Data Protection Act. The difference is that the AVG stipulates some heavy fines for people who don't adhere to the rules.' These fines are substantial: a company can be fined 2 to 4% of its worldwide income. 'These are sums are big enough to make even the big multinationals like Google and Amazon sit up and listen.' And that's a good thing, says Custers. 'Our society and our companies have developed enormously since 1981, and it's become much easier for them to share data. It's all too easy to break the rule about not using data for a different purpose.' 

Predicting sensitive information

The enormous amounts of data that we deal with today and the increase in the calculating power of our computers means it is possible to make predictions. We refer to this as data science. ‘Facebook and Google are already doing that now: based on their data they can predict what kind of person you are and what you like. But it goes further, Custers says, and that's where the threat to the public comes in. 'With all that data it's also possible to predict sensitive information, such as your religion, sexual preference and even your health. And then it's really important who gets hold of this information. If a doctor finds you have particular health risks, it may be an advantage for you to know about them, but on the other hand you may not want the information to get into the hands of your insurer.' 

From Big Brother to Kafka

Custer sees a further threat to our privacy in the fact that decisions are increasingly being made by algorithms - and the human link is completely missing from the process.  But that also means an important safety valve has disappeared. If an algorithm takes a wrong decision on the basis of errors or some problem with the data, that can't simply be amended. 'Take a speeding fine, for example. That's completely automated. But what happens if your number plate is read wrongly?  You have to lodge an appeal and a human being has to be able to put the mistake right. Otherwise you'll get a situation like 'The Trial, Kafka's famous novel in which a man is wrongly accused of a crime and convicted,  even though he knows nothing about it.' According to Custers, the nature of privacy has changed in recent years. 'From Big Brother who watches everything you do, to Kafka: you're faced with a decision on which you have had absolutely no influence.' 

Text: Marieke Epping
Mail the editors

• data science
• privacy