17 May 2022 – Online conversation
The online event was moderated by Dr Matija Damjan from the Institute for Comparative Law at the Faculty of Law in Ljubljana who was joined by co-debaters Dr David Sehnálek from the Faculty of Law of the Masaryk University in Brno, Dr Klemen Podobnik and Dr Samo Bardutzky, both form the Faculty of Law of the University of Ljubljana, and Dr Maja Bogataj Jančič from the Intellectual Property Institute in Ljubljana.
The programme began at 14:00 by a keynote speech by Matija Damjan who presented the legal framework for the protection of privacy online. The right to privacy is recognised as one of fundamental rights in the Slovenian constitution as well as in international documents on the protection of human rights such as the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, the European Convention on Human Rights, and the Charter of Fundamental Rights of the European Union. The right comprises several aspects: information privacy covers the collection and management of private and personal data; privacy of the human body concerns genetic and other investigations of bodily fluids, tissues, or orifices; communication privacy is the privacy of mail, telephone conversations and other forms of communication; and spatial privacy protects against intrusions on privacy at home or at work. The Slovenian constitution grants a higher level of protection to communication privacy since any interference with communication privacy requires both an express legislative basis as well as a court order. This is particularly relevant in the digital age where any kind of privacy in electronic environments is expressed by transmitting electronic information.
Slovenian law contains no overall legislative act concerning the protection of privacy, but several mechanisms in various fields of law can be used for that purpose. In civil law, the main such instrument is the request to cease infringement of personality rights (which include the right to privacy) and the granting of just monetary compensation for mental distress suffered owing to the infringement of the right to privacy. The Criminal Code incriminates the following intrusions into privacy: unlawful body search, unlawful eavesdropping and audio recording, unlawful video recording, violation of the secrecy of communications, unlawful publication of private writings, and violation of the inviolability of the home. Criminal procedure further contains procedural safeguards so that the investigative powers of the police are not used in a manner that unduly interferes with the privacy rights. Labour law requires the employer to respect and protect the employee’s privacy, which is particularly relevant in cases of remote work. The legislation on patients’ rights also contains provisions for the protection of the patients’ privacy.
In the digital era, privacy is more exposed than any time before. The main reason for this is because various digital devices and digital services quietly and continuously collect their users’ private information, mainly because such data has commercial value and can be sold. However, the bulk of collected private data is open to hacking and can be misused for fraud, extortion, or misuses by public authorities. For this reason, the specific rules for the protection of privacy in digital environment are even more important. At the European Union level, the E-Privacy Directive was the first binding instrument to tackle this issue. It requires providers of electronic communication services to secure their services to protect personal data. Member states must ensure the confidentiality of communications made over public networks. Furthermore, user consent is required to ensure the legality of unsolicited communications (e.g. spam), the storing of cookies on the users’ devices and the listing of contact data in public directories. The General Data Protection Regulation protects individuals when their personal data is being processed by the private sector and most of the public sector, and the Data Protection Law Enforcement Directive concerns cases where personal data is collected by law enforcement authorities.
The most challenging issue of online privacy today stems from the fact that most seemingly free online services in fact earn money by building profiles of their users’ behaviour and preferences, which can then be used for targeted personalised marketing. They can sell targeted ads across the internet and track whether the ads lead to sales. To make sure that such collection and processing of users’ private data is legal, service providers must obtain their users’ express permission. Users must specifically and freely agree to the use of their data, rather than opt out. However, in practice, most users do in fact quite willingly agree to share their information in exchange for customized services, rewards, and discounts, without ever studying the complex policies and terms of use. One could argue that consumers treasure convenience of free apps above their own privacy. On the other hand, the question can be raised weather such consent is really informed, and weather it is free in cases where no alternative apps or services exist that would not collect private data. The question left for discussion was weather the legal framework should regulate the technical infrastructure for the collection of private data instead of relying on users’ consent. An alternative legislative solution would be to limit the centralised collection of private data and keep private information only on the users’ devices.
The keynote speech was followed by a roundtable debate which had as its starting point the provocative question whether privacy online is worth protecting at all if users are willing to give it away for free. Samo Bardutzky pointed out that privacy as a fundamental right is first and foremost applicable in relations between the individual and the public power, although this classic notion of protecting individuals against interferences of the state has been surpassed somewhat by the idea of positive obligations. The right to privacy is negative in character in the sense of protecting one’s intimate sphere from interferences, but the obligation of the state is to provide a legislative framework for protecting this right even in horizontal relationships. The Covid-19 pandemic has brought us an example when individuals had practically no choice but to turn over their data and consent to their processing. This happened during the period when one was allowed to travel outside one’s municipality in Slovenia only if one installed an application for tracking the spread of Covid-19, which was developed and offered by the state. However, the constitutional assessment of such a measure could be less stringent than in other cases of state interferences with one’s privacy since a clear public policy objective existed for the measures and the data collected was not used against individuals.
Another important aspect of the right to privacy is the right to self-determination. Privacy can be understood in the sense of having the right to make your own decisions about your own life, which is not confined within the four walls of your own home. The European Court of Human Rights held that Article 8 of the ECHR also protects the right to identity and personal development, including the right to establish and develop relationships with other human beings. In this respect, privacy is exactly the opposite of what we usually understand under this term, namely a contact with the outside world. In that sense, the way in which we now interact online is a part of this function of privacy. So, sharing of private data, e.g. on dating apps, may be seen as an indispensable part of the opportunity to develop one’s personality through contact with the outside world and thus a unique way of participating as a member of society.
David Sehnálek first discussed the differences in the protection of privacy in horizontal and in vertical relationships on the example of the use of secretly made recordings in court proceedings. Under the Czech law, a significant difference in permissibility of such evidence exists between criminal proceedings, where the evidence is used by the state against the individual, and civil proceedings where it is used in a relationship between equal individuals. In the former case, the conditions are strict and based on the court’s approval; in the latter case, the Czech courts try to protect the significantly weaker party in cases where such disparity between the parties exists. As far as the illusion of privacy online is concerned, the consumers should be aware how the legislation protects their personal data. However, they do provide their often-sensitive data mostly voluntarily and knowingly in return for free electronic services. Google’s search is simply better and more accurate and is therefore chosen regardless of the data protection level. The problem is that an average consumer has no idea about what specific data Google collects about them. Dr Sehnálek sees room for regulation in the form of codes of conduct, in other words more horizontal legal self-regulation.
Maja Bogataj Jančič pointed out that there are no simple technological solutions for the problem discussed. Yet, relying on privacy rules and individuals’ rights alone will not solve it either. The true societal value that should be protected is the interaction of one individual with another, which large corporations are trying to control. Giving rights to individuals will not suffice unless Facebook and other internet giants are regulated in advance, combined with effective inspection and enforcements. Creating quasi property rights on personal data is not the way forward, as it would only create the illusion of additional control that could then in fact be transferred to big companies based on individual users’ consent. Rather than relying on individualistic solutions we should take into consideration the communities within which individuals interact.
In Klemen Podobnik’s view the main challenge for effective protection of online privacy right now is not the regulation but the design of the internet itself, particularly the fact that the big technology companies can control everything. A simple technical solution for that is called Freedom Box, which is a small private server that anyone can use to run digital services such as email, chat, etc., and keep their private information in their own hands rather than giving it over to big companies. Ex ante regulation will not solve the online privacy issue because most people do not care about the private information they give away. The problem is that most internet users have a wrong perception of the internet. It is not a different world, a cyberspace where you go and then return home. Antitrust rules cannot do anything effective regarding Facebook and Google. If the design of the network is wrong, no amount of ex ante or ex post regulation will solve that.
The final part of the seminar consisted of a Q&A session and general discussion with the audience, which revolved around the issue of privacy by default and privacy by design as an alternative to basing data collection and processing mainly on users’ consent. The potential role of data trusts and other data sharing institutions has been discussed. Maja Bogataj Jančič pointed at the recent GPAI study which found no practical use cases of such institutions.
The webinar concluded at 15:30 with an invitation to both the audience and the debaters to join us again at the second dissemination event which will be held in October 2022 and will be devoted to the topic of mass surveillance and the privacy of communication.