“Unringing the bell” with regards to advent of big data is not possible: datafcation, when seen as a byproduct of automation, is as irreversible as it is indispensable. Over time, consumers, data subjects and regulators can be expected to improve their understanding of the risks surrounding the use of large quantities of personal data. The gradual and ongoing improvements in, for example, the chemical industry and commercial aviation have shown that shifting technologies away from Perrow’s
complex/tightly coupled quadrant is certainly possible and must be pursued in proportion to the risk.
Considering the preceding chapters, changing the focus of EU data protection law should be seriously considered, at least in the area of contract, consent and special categories of data. Several models developed in the social and the exact sciences are suitable to inform legislative choices that make a cycle of permanent improvement of data protection law possible.
Nevertheless, the model proposed in section 6.3 above is still incomplete. After all, the expected impact of big data afects not just contracts for consumers, but also matters of health care, labour relations and the exercise of public authority. The issued raised by big data are probably not solvable through legislation alone. There is a number of areas where an interdisciplinary approach could lead to better solutions, based on an improved understanding of the efects of big data:
An observatory at the European level. The most important step in reducing risks is the promotion of knowledge and awareness of their existence. In a feld developing as rapidly as big data, this awareness requires constant monitoring to minimise the risk that regulatory eforts get stuck in the Collingridge dilemma.501 Diferent
developments will be relevant for diferent stakeholders. Data controllers, journalists, the academic community, consumer groups and human rights organisations, as well as government institutions, the EU and the Council of Europe are all indispensable for forming a complete picture that can support thoroughness and coherence in policy development. Analogous to European observatories in the feld of energy poverty, intellectual property, employment, cultural diversity and audiovisual media, a multidisciplinary “Big Data Observatory” could be charged with discerning and contextualising relevant developments in big data applications. An observatory could also serve as a place where research programmes into the efects of datafcation, as
well as remedies for their adverse efects, could be commissioned or evaluated, and provide participation opportunities for civil society.
Promotion of shared values as guiding principle. Addressing the risks and power shifts associated with big data requires that legislators, data subjects and controllers understand that the focus of the GDPR is too narrow to address all the risks associated with it. Tackling social, economical and political efects, like the for-proft fragmentation of the marketplace of ideas or rent-seeking behaviour by platform providers, requires that other areas of regulation be explored. Based on the preceding chapters, competition law and consumer protection law could be well-suited to address certain issues relating to power shifts. Indeed, laws in these felds were enacted with similar power shifts in mind. An exclusive focus on the rights and freedoms of natural persons will have inherent limits when addressing efects at larger scales. Similar to the fndings of Van der Sloot, this research suggests that regulatory eforts specifcally designed for the promotion of shared values will be essential in addressing big data’s risks and power shifts.502
Reducing information asymmetries and power diferentials. Based on the preceding chapters, it is also advisable to work towards reducing the information asymmetry resulting from datafcation. Data scientists are working on several aspects of this problem. Two examples: Harkous et al. are aiming to reduce the opacity of privacy policies using machine learning algorithms, and Sandvig et al. are designing new methods for the visualisation of the efects of algorithms.503 These eforts can
help reduce the shifting of institutional power towards controllers by increasing the reciprocity of interactions and by making it easier for data subjects to make informed decisions. Addressing structural power shifts through research and discourse may require new forms of sub-politics or the extension of existing formal forums to enable the participation of parties lacking structural power.504 An Observatory, existing
502 Bart Van Der Sloot, ‘Privacy as Virtue: Moving beyond the Individual in the Age of Big
Data’ (Universiteit van Amsterdam 2017) 196–197.
503 Hamza Harkous and others, ‘Polisis: Automated Analysis and Presentation of Privacy
Policies Using Deep Learning’ [2018] arXiv preprint arXiv:1802.02561; Christian Sandvig and others, ‘Auditing Algorithms: Research Methods for Detecting Discrimination on Internet Platforms’ (2014); Ke Yang and others, ‘A Nutritional Label for Rankings’, Proceedings of the 2018 International Conference on Management of Data (ACM 2018).
504 See Nissenbaum’s suggestion in Jaron Lanier and E Glen Weyl, ‘A Blueprint for a Better
Digital Society’ (Harvard Business Review, 26 September 2018) <https://hbr.org/2018/09/a- blueprint-for-a-better-digital-society> accessed 20 March 2019.
standardisation forums, or specialised institutions could all ofer such a forum at diferent levels of centralisation.
Permanent improvement through enforcement, preparedness and response.
Finally, addressing the power shifts and risks associated with big data requires a long- term commitment from controllers, data subjects and their organisations, legislators, supervisory authorities and the courts. Big data can become a prime area where conflicts between fundamental rights will develop. The identifcation of new risks will be more useful when followed up by suitable prevention measures and response capabilities. Judicial decisions will have to clarify how big data afects the position of the right to private life between other fundamental rights like the freedom to conduct a business, freedom of expression or the freedom to enter into a contract.
System accidents involving big data lack the visibility and physical turmoil shared by many disasters in the physical world, and liability for these accidents may be difcult to determine when there is no physical damage. The GDPR’s penalty provisions provide a partial solution, but their efectiveness will depend on the interpretation of complex standards. Therefore, requiring that controllers implement a plan-do-check- act cycle aimed at accident prevention is essential for continuous improvement. Finally, well-rounded risk management implies that systems for incident response are available. Similar to the requirements of the Seveso III directive, controllers and supervisory authorities should identify and test appropriate measures to mitigate the efects of foreseeable incidents and provide the response capabilities necessary to implement them when the next normal accident occurs.