EDPL 1|2015 1Book Reviews

Book ReviewsThe Book Reviews section will introduce you to the latest and most interesting books on a wide rangeof topics pertaining to the law and policy of data protection. For further information on the submis-sion of reviews please contact the Book Reviews Editor Bart van der Sloot at b.vandersloot@uva.nl.

Reforming European Data Protection Lawby Serge Gutwirth, Ronald Leenes andPaul de Hert (eds.)Springer, 2015, 406 p.€ 137,79; Hardcover

Bart van der Sloot*

Reforming European Data Protection Law is the con-ference book of the yearly Computers, Privacy andData Protection conference held in Brussels. This isthe conference book of the year 2014. The conferenceis by now the standard (legal/policy) conference togo to in Europe for everyone interested in privacy,data protection and technology. This book containsthe best papers presented at the conference (and pa-pers written in the conference’s slipstream), whichalready hosts the fine fleur of international privacyscholars, regulators and activists.The book is divided in five parts. The first part

contains two chapters on profiling, the second partconsists of four chapters on risk assessments, thethird part offers three papers on the right to be for-gotten, the fourth part provides the reader with twochapters on the balance of privacy and security andfinally, part five contains five chapters on data pro-tection by design and related issues. There are manycontributions in the book that deserve careful read-ing, such as the first chapter (Bosco, Creemers, Fer-raris, Guagnin and Koops) with a careful attempt todefine profiling, the third chapter (Geminn andRoss-nagel) laying down a systematic approach to the le-gal evaluation of security measures, chapter 9 (Zan-fir) which discusses the origins of the right to be for-gotten, chapter eleven (Leese) on the evolution of theconflict between privacy and security in Europe,chapter fourteen (Trepte, Teutsch, Masur, Eicher, Fis-cher, Hennhöfer and Lind) on empirical research on

privacy awareness and chapter sixteen (Stevovic,Bassi, Giori, Casati and Armellin) on the use of pri-vacy by design in medical records sharing. However,it goes too far todiscuss each chapter indetail. Rather,three contributions will be reviewed in more detail,one from part two, one from part three and one frompart four.Part two, concerning risk assessments, contains an

interesting chapter byLeonHempel (Centre forTech-nology and Society, Berlin) and Hans Lammerant(Law Science Technology & Society, Brussel) titled“Impact Assessments as Negotiated Knowledge”. Asis well known, the General Data Protection Regula-tion, which will replace the current Data ProtectionDirective in time, specifies that data controllers mayhave the obligation to engage in risk assessments andimpact assessments as part of their general duty ofcare. Impact assessments are generally seen as toolsthat enhance data protection by laying down an ex-tra obligation for data controllers with an eye on pre-venting harm to data subjects. Hempel and Lammer-ant, however, take a more critical view. They engagewith Ulrich Beck’s theoretical approach proposed inhis widely acclaimed book Risk Society. They arguethat, first of all, risk assessments are not only legalor technical instruments, they should be approachedrather as political instruments. Impact assessmentsdecentralize power and responsibilities. Drawingfrom previous lessons learned in relation to Environ-mental ImpactAssessments, onwhich the idea ofDa-ta Protection Impact Assessments (DPIAs) is based,they conclude that DPIAs are rather the outcome ofa political process in which there are negotiations onwhat is considered a “risk”, how this is measured andinwhatway this is assessed. These are not fixed prin-ciples, there is not oneway to conduct DPIAs. Rather,every DPIA is the unique outcome of a politicalprocess and of the negotiations by the stakeholders.This alsomeans that impact assessmentsdonotbringthe unbridled truth – they cannot be viewed merelyas tools that bring transparency and knowledge tothe often politicized decision making process with

* Bart van der Sloot is Researcher at the Institute for InformationLaw, University of Amsterdam; b.vandersloot@uva.nl.

EDPL 1|20152 Book Reviews

regard to data protection. Rather, they must be re-garded themselves as the outcome of a politicized de-cisionmaking process. “Impacts”, they conclude, “arenot value-free notions but stand for impacts on rec-ognized interests. As such, impact assessments arealso derived in negotiations, and the knowledge pro-duced on impacts is negotiated knowledge.” Thischapter is certainly worthwhile reading for everyoneinterested inDPIAs and for those looking for a slight-ly more critical approach. The chapter is very wellwritten and offers a new perspective on a heavily de-bated topic.Chapter 7 consists of a collaboration by the speak-

ers of a panel at CPDP on the right to be forgotten.Consequently, there are seven authors, namelyPaulan Korenhof (Tilburg Institute for Law, Technol-ogy, and Society), Jef Ausloos (Faculty of Law, Leu-ven), Ivan Szekely (Open Society Archives, Bu-dapest), Meg Ambrose, (Communication, Culture &TechnologyDepartment,Washington), Giovanni Sar-tor (European University Institute, Florence) andRonald Leenes (Tilburg Institute for Law, Technolo-gy, and Society). The chapter is titled “Timing theRight to be Forgotten: A study into ‘time’ as a factorin deciding about retention or erasure of data”. Itdeals, as the title suggests, with the element of timeinrespectof the right tobe forgotten. Itdraws lessons,among others, from the natural capacity of humansto remember and more specifically, the human ten-dency to forget (or even disregard) most informationavailable to them. Whether a person remembers aparticular fact, study shows, depends on the passingof time, the meaning of the information (the rele-vance) and the regularitywithwhich the informationis used. Of course, however, the internet is differentfrom natural memory. First of all, it is an externalmemory, a tool used for remembering. Humans haveof course used such tools since the dawn of time.However, different from other external memories(such as books), the internet is best defined as a trans-active memory. This means that the content of thememory constantly changes and that it can be alteredbymany people; thememory, in this sense, is democ-ratized and depended on many people, rather thanon one single author. This means also that the claimthat the internet is an archive is denied by the au-thors – at most it is a lazy historian, they claim. Sub-sequently, the authors analyze how the element oftime already plays a role in current privacy and dataprotection rules. They discuss, inter alia, the notion

of consent, the legitimate interests of the data con-troller, the purpose specification principle, the rightto object, the storage of data and data retention, andshow how time affects these doctrines. The authorscontinue with three very insightful graphs in whichthey demonstrate how the element of time and theimpact of data processing affects, inter alia, the inter-ests of the data subjects, of the uploaders of informa-tion and of the provider. For everyone interested inthe right to be forgotten, this chapter is a must read– perhaps this is the best contribution of the book.Chapter 10 is written by Govert Valkenburg (Fac-

ulty of Arts and Social Sciences, Maastricht) and istitled “Privacy Versus Security: Problems and Possi-bilities for the Trade-Off Model”. This chapter ad-dresses the thorny issues of balancing or weighingdifferent interests, which has been done to death inthe privacy and security discourse. If the balancingapproach is applied, it is mostly to argue that securi-ty interests outweigh privacy interests, as security ismore important or because national security servesa general interest, while privacy only serves the per-sonal interests of specific individuals. This, of course,to the dismay of privacy advocates, liberal politiciansand many privacy scholars. The author of the chap-terdiscusses theargumentsoftenput forwardagainstthe balancing of interests, but also proposes new ar-guments for applying the metaphor of balancing. Asan example, the chapter discusses the complexitiesof the practice of body scanners installed at airportsfor security purposes. The author argues that the bal-ancing act is problematic only when it is used as asimple justification for imposing security measuresthat encroach privacy, for example, by using the ar-gument “this small piece of privacy must be sacri-ficed in order to promote national security”. The au-thor argues that the trade-off model could still beused as a heuristic device to trace potential difficul-ties in the application of security technologies. In do-ing so, the author hopes to challenge two extreme po-sitions, namely thosewhouse themodel to argue thatprivacy should by default be overruled by nationalsecurity interests and those who say that the balanc-ing act should be abandoned altogether, as both pri-vacy and security should be retained without one be-ing sacrificed for the other. Rather, the author urgesthe reader to take a nuanced approach and to ac-knowledge the complexities often at stake in thesekinds of decision making process. This contributionis certainly well written and worthwhile reading. It

EDPL 1|2015 3Book Reviews

provides the reader with a good starting point forreadingmore about the quite elaborate scholarly dis-cussion on the idea of balancing and of weighing in-terests as such. For example, how canmoral interestsbe weighed in the first place (they have no weight,there is no uniform scale on which to weigh themand no commonly accepted/standard method ofweighing)? Is the weighing of interests suitable withregard tohumanrights suchasprivacy (humanrightswere designed to protect the basic conditions of hu-man existence, not as relative interests which can beoverruled if the benefits outweigh the costs)? Etc.Consequently, the reader should use the insightfuland very detailed work of Govert Valkenburg as anintroduction in the wide literature skeptical of theidea of balancing moral interests as such.

The Black Box Society. The Secret Algorithms ThatControl Money and Informationby Frank PasqualeHarvard University Press, 2015, 311 p.€ 31,50; Hardcover

Alessandro Spina*

A skeptical view holds that Big Data is only a com-mercial buzzword in the field of technology, the lastina seriesof similarlyambiguousandephemeral con-cepts used to define potential revolutionary applica-tions of digital innovation such as 2.0 or crowd-intel-ligence. However, the scale of data processing is un-precedented and extraordinary: it may suffice to re-call that every minute there are approximately fourmillions searches on Google. Further evidence is inthe way “connected” individuals access informationand make decisions in everyday activities from pur-chasing goods or services to interacting with friendsthrough social networks. The concept Big Data cap-tures not only the immense quantity of data nowavailable but also to the sophisticated analytical ca-pacity of organisations to use the data and extractknowledge. This represents a new form of “algorith-mic” power – as brilliantly exposed few years ago byViktor Mayer-Schönberger and Kenneth Cukier in

Big Data. A Revolution that will transformhowwe live,work and think (2013). While the implications of al-gorithmic power have been so far both under-ex-plored and under-estimated in legal doctrine, howev-er the book The Black Box Society fills this gap withan important, intelligent and timely contribution.The book will be an important reference for inform-ing public debates about privacy and data protection,in particular in Europe where new legislation, theGeneral Data Protection Regulation (GDPR), specifi-cally conceived as a reform of EU data protection lawin order to meet the challenges of the digital econo-my is currently under consideration. His Author,Frank Pasquale, a Professor of law at the Universityof Maryland, has written extensively on search en-gines and digital reputation, transparency and infor-mationlaw; he is an active blogger (on www.concur-ringopinions.com) and tweeting scholar.The book is composed of six chapters: in the first

two chapters (I and II) the Author offers an introduc-tion to and an overview of algorithmic power. Thefollowing two chapters (III and IV) present a morein-depth analysis of this emerging form of algorith-mic power; chapter III is dedicated to the activitiesand practices of Internet companies, in particular op-erators of digital search engines, such as Google;chapter IV focuses on the the finance industry andhow Big Data technologies have become embeddedin its practices. The final two chapters (V and VI)would like to present the reflections of the Authorfor addressing the problems raised and discussed inthe preceding chapters, setting out legal and politi-cal solutions for a re-balance of algorithmic power inour society.In the introduction, the Author conveys two ma-

jor ideas about the relevance of concepts such as in-formation, knowledge and power in the era of BigData. The first is that, at the core of the informationeconomy, the success of individuals, business andtheir products is crucially based on reputation, andreputation depends heavily on the synthesis of dataand perceptions. Therefore, those organizations thatrank, index, or rate individuals or business (e.g.through credit scoring) yield a considerable and of-ten unaccountable power –which can be captured bythemetaphorical image of the “blackbox”. The secondpoint is that there are different strategies by whichthese organisationsmaintain this asymmetrical pow-er. One obvious strategy is the use of secrecy, whichcan be declined either in the form of the “real” or “le-

* Alessandro Spina is Data Protection Officer at the EuropeanMedicines Agency, London; alessandro.spina@ema.europa.eu.The views expressed in this book review are those of the soleauthor.