The stresses of 2020 have challenged the data protection community’s understanding of data protection and how to apply its practices. COVID-19 has called for data-driven solutions to keep humanity safe by finding new treatments for this very contagious disease. This threat does not lessen the fact that data about health is sensitive and, if misused, could cause real harm. In trying to find a path toward safety for individuals and society, data protection authorities have relied upon the principle of proportionality. Proportionality, as defined for criminal and administrative law purposes, connotes a bilateral balancing that most often is between the government’s interests and powers and the individual’s fundamental rights.
When data protection and privacy authorities discuss proportionality as it relates to the private sector, they typically focus on data minimization, i.e., the company should use a proportionate volume of data to limit the risk to a particular individual. This focus is bilateral; it relates to two sides. This works for simple processing such as completing a transaction. Often, however, the processing in question is not bilateral. Instead, it is multilateral, e.g., a complex process to generate an insight that impacts many individuals, both positively and negatively, beyond the controller and the data subject. Therefore, a bilateral application of proportionality is not useful when the purpose of the processing is insights that impact many individuals and organizations. Such processing is multilateral; it relates to three or more parties and not just the company processing the data and the individual to whom the data pertain. Furthermore, bilateral proportionality, in administrative law, limits the absolute power of the government to restrict life and liberty. When companies are balancing issues, they do not have that absolute power of the government but rather must be cognizant of many stakeholder impacts, i.e., multilateral proportionality.
COVID-19 illustrates this bilateral/multilateral proportionality dichotomy. COVID-19 is taking place in an era where data, fairly processed, is seen as a salvation and where data processed efficiently may be seen as an agent of evil. The data may be the same in both use cases, and the technology used also may be the same. The difference is due to the choices made by those that process the data. In many ways, the dilemma is well illustrated in Recital 4 of the GDPR:
“The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognized in the Charter as enshrined in the treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to effective remedy and to a fair trial, and cultural, religious and linguistic diversity.” (emphasis added)
Recital 4 suggests that the purpose of data protection ultimately is to make sure data serves mankind. The definition of mankind is “human beings collectively.” Mankind includes individuals of all types, with a mixture of traditions, skills, frailties, and linguistics. The concepts – “designed to serve mankind” and “diversity” – are emphasized in this blog for a reason. They represent the plural nature of the data world and demonstrate that the singular rights of individuals in isolation are not always the objective.
Data protection and privacy law, by its very nature, establishes the process to protect specific fundamental rights. The nature of data protection and privacy law requires a variable approach. However, the wording in Recital 4 is contradictory. Some of the words in Recital 4 downplay the pluralism that other words suggest. The balancer word is proportionality. Balancing of interests creates winners and losers.
Proportionality has been defined in both mathematical and legal policy terms. In mathematics, it means two elements remaining in ratio to each other with a constant. It speaks to a bilateral balance between those two elements. In criminal law, it speaks to the punishment fitting the crime. In administrative law, it speaks to the government’s requirements not overreaching in relationship to an individual. All are bilateral processes. Bilateralism in policy suggests a fulcrum. How does one party’s gain affect the other party’s status?
Accountability, the basic building block of modern data protection, has been caught up in bilateralism too. Accountability requires organizations to process data in a responsible and answerable way. Both are an obligation for the organization, not one or the other. The first half of that dual obligation, being responsible, speaks to doing what is right. The second, answerability, speaks to the organization being able to demonstrate that what it says is right is credible. Answerable is dependent on responsible. For some, responsible means processed for fair purposes in a fair manner. For others, answerable means documenting that data were processed according to a set of procedural and mostly regulatory rules. Compliance with procedural rules is fairly easy to prove. Demonstrating something is fair is more difficult to do and much more difficult to judge.
The weakness in bilateralism has been accelerating since analytic processes have been transformed by big data over the last fifteen years. Advanced analytics gave mankind the ability to reach new insights by looking at data correlations absent preconceived notions. These insights can be both beneficial and detrimental. The question is: beneficial and detrimental to whom? For example, insights have resulted in new approaches to tackling cancer and the ability to isolate the vulnerable who might be exploited. New treatments for cancer most likely are deemed fair; exploiting the vulnerable most likely is not fair. If fair is the test, then fair to whom and fair for what must be answered. What is fair for numerous parties might not be fair to others. For example, is it fair for cancer patients to preclude data pertaining to their biology being used with the data from others to improve cancer treatments in the future?
Artificial intelligence, the next stage of advanced analytics, is forcing many fields to search for means to provide context to fair. One of the best definitions of fairness comes from the High-Level Expert Group on AI, European Commission, as part of their recommendations on “Ethics Guidelines for Trustworthy AI.” It defines a Principle of Fairness as:
“The development, deployment and use of AI systems must be fair. While we acknowledge that there are many different interpretations of fairness, we believe that fairness has both a substantive and a procedural dimension. The substantive dimension implies a commitment to ensuring equal and just distribution of both benefits and costs and ensuring that individuals and groups are free from unfair bias, discrimination and stigmatisation. If unfair biases can be avoided, AI systems could even increase societal fairness. Equal opportunity in terms of access to education, goods, services and technology should also be fostered. Moreover, the use of AI systems should never lead to people being deceived or unjustifiably impaired in their freedom of choice. Additionally, fairness implies that AI practitioners should respect the principle of proportionality between means and ends and consider carefully how to balance competing interests and objectives. The procedural dimension of fairness entails the ability to contest and seek effective redress against decisions made by AI systems and by the humans operating them. In order to do so, the entity accountable for the decision must be identifiable, and the decision-making processes should be explicable.”
The fairness definition from the High-Level Expert Group is helpful. It suggests that proportionality includes both means and ends and the balancing of interests for numerous parties in society. Society is plural because it means an aggregate of individuals living together. Therefore, according to the Principle of Fairness, proportionality means the fundamental rights (plural) for the many individuals (plural) that comprise a society (plural).
The COVID-19 discussion earlier demonstrates this definition. Thousands of victims put tens of thousands of other individuals at risk of an extremely contagious disease. The risk from this disease goes beyond health to issues of economic survival and national security. Data that pertains to mankind determines what is fair. Data protection authorities, reaching for bilateral balance, have required data holders to think in terms of proportionality. But as described in criminal and administrative law, including evaluating the individual rights versus government rights, proportionality is bilateral in nature. Yet, the COVID-19 analysis is not bilateral. The interests of multiple stakeholders are at issue. Proportionality as it relates to COVID-19 is multilateral. Often multilateral, rather than bilateral, proportionality should be applied in the private sector context.
This blog suggests an additional definition for proportionality is necessary. A definition is needed that goes beyond a bilateral fulcrum balancing two factors to a multilateral gyroscope balancing many factors. A gyroscope balances left and right, up and down, and side to side. This conclusion allows movement beyond the current limits of the proportionality principle in order to consider the numerous interests (plural) of the numerous parties (plural) that make up society (plural).
So, in a data-driven world of exploding insights, both good and bad, the guiding principle should be that proportionality needs a definition requiring assessments that are multi-factor and multi-stakeholder and that demonstrate how a fairness determination was reached. Such a guiding principle also might, as the High-Level Expert Group noted, suggest part of the solution is “the entity accountable for the decision must be identifiable, and the decision-making processes should be explicable.” This guidance gets organizations closer to demonstrable fairness.
Future IAF blogs and work will explore how multilateral proportionality informs demonstrable accountability and IAF model legislation.