C.2 Necessity and possibility of data protection provisions by the example of sensor data (Anne)

C.2 Necessity and possibility of data protection provisions by the example of sensor data

- Anne Laubach -

The increasing digitization offers a wide range of new given possibilities changing the future of everyday´s life in a positive way, especially through the establishment of sensor-augmented environments that lead to a rise of living comfort. On the other hand, data protection impacts on the individuals are hardly predictable. To provide and to strengthen the protection of privacy – especially with regard to the modern data processing – the Federal Constitutional Court has established the ”Right to Informational Self-Determination” in its so-called ”Volkszählungsurteil” in 1983. It protects the individual’s right to decide in general about the award and use of his personal data. Risks for realization of Informational Self-Determination may occur, when using data from sensor-augmented environments, by the fact that the data protection laws are not yet legally applicable or are limited in the legal scope. The protection of the current valid data protection law is in accordance with Art. 2 para. 1 GDPR (General Data Protection Regulation) only given, if the collection, processing and use refers to personal data (Art. 4 no. 1 GDPR). Data from ”human-distant” sensor systems mainly concern environmental conditions and occurrences and does not include information on natural persons. As far as and as long as no personal information is available, data protection law does not apply. Non-personal data may be collected, processed and used without limitations. However, non-personal data may become personal, if the data processing institution acquires additional knowledge, e.g. by accumulating more data or through new analytic methods (e.g. Big Data). If, however, data is being processed without reference to an individual but this reference is established subsequently, not only one single piece of information but rather a whole lot of information may become personal information all at once. Many protective measures provided in data protection law (transparency, purpose binding and necessity of data processing) cannot be effectively implemented at this stage anymore. This later individualization of originally non-personal masses of data to individuals and the consequences, e.g. the creation of profiles, therefore represents high risks for realization of Informational Self-Determination and its protective program. Thus, to cover the risks and limit the consequences of potential disadvantages, which may result out of a “non-regulated” legal area, it might be necessary to focus not only on repressive measures but in addition non-personal data with relevant risks should be subject to cautionary measures. This scientific approach in the area of data protection still is at its very beginning and constitutes new scientific ground.

Tandem partner: C.1