The General Data Protection Regulation (GDPR) came into force in 2018. It was intended to protect the rights and freedoms of individual citizens from the risks of personal data processing. Meanwhile, the phenomenon known as big data has continued to advance at a fast pace. PhD defence on 12 September.
Michiel Rhoen studied Applied Physics and in his subsequent work as an active duty fire officer he was involved in the control of technological risks. He went on to study law, graduating in 2013. 'Around this time, the term big data became familiar with the general public and one aspect of its discussion almost immediately concerned the risks in relation to privacy. This focused mainly on the dominant position that large corporations could accrue as they were able to build profiles on almost everyone', Rhoen explains. 'These profiles are based on an increasing amount of personal data which is collected during daily activities - such as chatting with friends, reading the paper or listening to music. So this is something that affects us several times a day'. At the same time, an initial text was published for what would later become the GDPR. 'I wondered to what extent the GDPR - as it was proposed then - would outline the risks arising from big data and what would be done about them.'
The line separating data from big data
'It's not easy to draw a line separating data from big data. The first concerns about big data arose in the 1970s when government authorities began to digitalise population records. Big data is actually the main result of computerization. As soon as you use a computer for something, it provides you with data. But at the same time, the computer also generates data about what you are doing; this is known as metadata. The amount of computers generating metadata is perhaps far greater than you would expect: when you use the Internet, a mobile phone or a smart TV, for example, you connect to perhaps dozens of other computers and these all generate data on your activities. Metadata can provide highly effective profiles since it knows when, how and even with whom you were active online. And anyone who controls a piece of the Internet can collect metadata. Sometimes this is even obligatory because the authorities want to see who mailed whom and when, in the case a crime has been committed for example.'
In his PhD research, Rhoen examines to what extent the GDPR reflects current scientific views on how to deal with technological risks and dominant market positions. 'I looked in particular at situations where consumers agree to the processing of their personal data. Think of the numerous 'I agree' buttons you have to click on when visiting a website. Rhoen compared the GDPR with environmental legislation, which also regulates risks, and consumer protection laws. 'Together with a researcher from the Faculty of Science of Utrecht University, I investigated whether the GDPR's anti-discrimination provisions are sufficient to prevent, identify and combat automatic discrimination that can occur as a result of the automated processing of data via algorithms.'
