Current situation and outlook
Last year I concluded the preface saying that "big data" has become an increasingly topical subject. As a result of technological developments, vast storage capacity, the possibility of transferring large amounts of data rapidly over large distances, as well as the ability to carry out a precise analysis of these sources, data will become a new raw material (or new capital) in the future data-driven society. This change represents a massive threat to our privacy.
If ever the world needed concrete evidence of this, Edward Snowden's revelations have provided it. The impressive amount of material he has gathered and made public regarding the scandalous surveillance practices of the NSA and their partners has unleashed a global debate on the huge scale of global surveillance today. The naivety of the oft quoted sentence "anyone who has nothing to hide has nothing to fear" has been exposed. What is surprising, however, is that this scandal has been met by general indifference by both the public and politicians.
In truth, we should be taking a very careful look at the instruments of state surveillance and consider what counterstrategies may be needed to hold it in check. Because one thing is clear: the "transparent man" is no longer an illusion but has long been a reality. The digitisation of our environment has inexorably lead us to a situation where sooner or later everything becomes public, whether we like it or not. In the Snowden case, the secret service itself has become the victim of its own misdeeds.
Many commentators have focussed on what the authorities have been doing behind everyone's back, instead of on the broader picture of dragnet surveillance. This is too simplistic. The fact is that the private sector is also closely associated with big data. Data is the key to business, money and power. As the private sector continues to accumulate mountains upon mountains of data, they have at their disposal the instruments needed to analyse in the most minute detail an individual's preferences, characteristics, strengths and weaknesses. If private businesses can do this, clearly the state authorities can, too. The NSA, which is just one among many agencies, also uses Facebook and other services to get hold of the data that is available.
The reason why this mountain of data is so worrying is that when you combine it with the enormous computing capacity and automated analytical methods that are available today, it is possible to make accurate predictions about a person's current and future behaviour. The patterns that can be detected can reveal quite astonishing facts. The correlations that are uncovered do not necessarily have to be logically connected with one another. If the volume of data is large enough, the algorithm may be capable of identifying a pattern which, with a high degree of probability, is able to predict that someone who wears yellow shoes has a bald pate. Of course, one could object that the probability and the circumstances under which a bald individual might wear yellow shows is of little consequence, at least at first sight.
My response to that would be that the danger is very real, because this could be used to uncover an individual's compromising actions or characteristics. I say dangerous because the algorithm cannot offer any hard evidence, and even less can it establish any causal links. All it can do is to tell us whether something will happen or a statement is true with a greater or lesser degree of probability. If an algorithm is capable of identifying a pattern which points to a possible criminal behaviour, the effect on the individual concerned can be quite devastating. Mr X may well find himself in a very uncomfortable situation if a secret service relies on an algorithm which identifies him as a terrorist. The situation is exacerbated by the fact that the result of the algorithm could also apply to many other persons if the number of individuals being checked is large enough. That is exactly how the NSA operates, because the imprecision of the analysis is not something to which it attaches much importance.
To take another example from a related field, consider household appliances and other technical devices that can communicate with one another via the Internet without the knowledge of their users. This is referred to as the "Internet of Things". Household devices secretly send data back to the manufacturer who in turn passes on that information to others. Thus televisions inform broadcasters every time a viewer changes channels. Apparently, smart TVs can even rummage through hard disks as soon as they are connected and send back an index of all data files to the manufacturer. The Internet of Things is on course to become the largest supplier of big data.
Another related issue is the re-use of public sector information (open government data). This gives the public authorities the means to become a big data supplier. Although nobody would dispute that this could generate a great deal of value added for businesses and society as a whole, if the data is then combined with other information, it could be used to identify a specific individual.
What are the implications of all this on the revision of the Data Protection Act, bearing in mind that the process is already underway?
Experts agree that big data represents a major challenge for data protection because of the enormous risks that are involved. Basic technical and legal data protection mechanisms are being undermined and eroded. Or as Viktor Mayer-Schönberger and Kenneth Cukier put it in their book "Big Data": "Big data can condemn us to becoming permanent prisoners of our past actions and can be used against us when systems claim to be able to predict our future behaviour." I believe that we need to have a fundamental review to determine how the core principles of purpose, consent and transparency in relation to the use of big data can be guaranteed. We also need to answer the question as to whether we should allow the evaluation of extensive data sets and limitless correlations, particularly considering that on the basis of probabilities, decisions will be taken which could have negative consequences for the individual.
However, what is clear is that there are no reliable concepts available today that can help us navigate our way out of this conundrum. Is the idea of a basic digital law, as postulated by the lawyer and author Juli Zeh, an idea worth exploring? She argues that control over personal data should be the exclusive preserve of the individual, and that any access by a third party to a digital identity should only be allowed with the person's express consent. Government access to the data would be restricted exclusively to cases involving criminal prosecutions.
Mayer-Schönberger and Cukier adopt a different approach. They suggest that big data applications should be subject to a formal data protection audit, whilst at the same time relaxing the requirements in terms of purpose and consent. The risk that big data predictions, as well the algorithms and data sets on which they are based, might create a black box without any clear allocation of responsibilities could be addressed, they suggest, by establishing a new supervisory body. An "algorithmician" would become an independent body, operating in a manner similar to that of an auditor, and would verify the choice of data, the quality of the tools used for the analysis and predictions - including algorithms and mathematical models -as well as the interpretation of the results, and take corrective measures should the need arise.
The Data Protection Act needs to be revised as a matter of the utmost urgency since the use of big data has already begun, calling into question some of the fundamental principles established in the DPA. We must lose no time in setting up an interdisciplinary panel of experts which would be asked to carry out a comprehensive analysis and make the appropriate recommendations. The Swiss Parliament has already taken a step in the right direction by adopting the motion presented by Senator Rechsteiner. On one point there can be no doubt: the constitutional right to privacy will be threatened unless politicians take immediate action.
One final word about the Freedom of Information Act. The Federal Office of Justice has asked for an evaluation to be made of the law as a result of a barrage of criticism emanating from various departments of the federal administration. In the past, it was often argued that the numerous provisions contained in the Act hampered the work of the administration. Entire government departments have even demanded that they be excluded from the scope of the law. This is a trend which we follow with great concern. The law was adopted by Parliament with the clear aim of making government activity more transparent, thereby increasing the trust of citizens in state institutions. Particularly when public procurement contracts and subsidies are involved, we find that any request for the relevant documents to be disclosed is met with stiff resistance. The importance of creating greater transparency in this sector has been graphically highlighted by the corruption scandal at the State Secretariat for Economic Affairs (SECO).