Who is responsible for what?
The GDPR replaces a directive dating back to 1995, therefore becoming the new European framework for the processing and circulation of personal data, the information that companies rely on to offer services and products. European legislation was becoming obsolete in the face of a digital explosion, the emergence of new uses and the introduction of new economic models.
GDPR, which came into effect on 25 May, takes another look at the right to portability of data: everyone can now retrieve the personal data that a service provider has stored. “But from the moment I retrieve my data, which I want to use, who becomes responsible for what?” says Nicolas. “Personal Cloud solutions are emerging with very different architectures. There should therefore be a level of responsibility that is graduated according to the level of responsibility or sovereignty that the individual wants to exert over his data and depending on the technical architecture.”
The GDP-ERE project proposes analysing the impact of Personal Cloud architectures on issues of responsibility, comparing this analysis with the rules enacted by the GDPR, and envisaging legislative and technological evolutions to better capture the sharing of responsibility required between the various parties, by providing each of them with the appropriate tools to assume it.
A collaboration born several years ago
“Célia and I met through the Institute for Digital Society (ISN - Institut de la Société Numérique) created by Nozha Boujemaa, who had at the time already noticed an interest in bringing together scientists with economists and lawyers. This gave us the chance to realise that we used fairly similar concepts in different disciplines and that our approaches could mutually feed into one another,” explains Nicolas. “At Inria, in the Petrus team, we are interested in the Personal Cloud and the digital heritage of individuals. At UVSQ's Dante Laboratory, Célia is interested in the notion of ownership of personal data and informational self-determination. We quickly found points of convergence and began to set up a working group.”
A new chain of responsibilities
With the GDPR reform, a new chain of responsibilities was conceived, according to a logic of compliance: the operator is responsible for data processing but so are its subcontractors. As part of Personal Cloud tools, depending on the architectures, it is the user who can be qualified as responsible for processing their data.
The GDP-ERE project explores the distribution of responsibility between the individual and the provider. “On the legal side, we are going to try and study how to apply the GDPR to cases like Personal Cloud knowing that the legislation has not been designed for this type of data processing model, where the user is active,” explains Célia. This matters especially in terms of liability: the classic regime that applies outside any special legislation is the common law, which takes into account the active role of a person when engaging their responsibility. This leads to the risk of disproportionate responsibility for the individual with regard to his capabilities, and of an unclear understanding of the responsibilities associated with platform providers, even limiting the deployment of the latter.
The research carried out within the framework of the GDP-ERE project will therefore lead to verifying whether the individual is capable of assuming the new power conferred on him. Célia stressed that this is an essential condition for the announced empowerment to keep its promises and not create a ‘boomerang effect’: in other words, that it does not lead to the individual being excluded from the protection that the law now gives him over his personal data. This amounts to checking the equation that ‘data portability + responsibility = empowerment of the individual’, to guarantee the effectiveness of individual digital sovereignty.
Collaboration to highlight solutions that work in several disciplines
Célia and Nicolas set themselves a double objective. Firstly, their aim is to analyse the impact of current Personal Cloud architectures on the issues of responsibility and compare this analysis with the legislation and rules enacted by the GDPR. And secondly, they will formulate recommendations on legislative and technological matters, on the basis of a varying level of responsibilities graduated according to the level of sovereignty that the individual intends to keep over his data, in order to preserve their empowerment and to guard against the risks of a boomerang effect linked to this new empowerment. To do this, they intend to recruit a PhD student on the legal side and a post-doctorate on the IT side. “An extra objective,” according to Nicolas, “will be to analyse ‘compliant’ and ‘transparent by design’ technical solutions to ensure the responsibility lies with the right person: the host, the publisher, the user, etc.”
In order to enable each player to exercise their prerogatives in an informed way and to shoulder their responsibilities with the right tools, both rely on the relationships created by their respective teams with industrial players of the Personal Cloud, such as Cozy Cloud or Hippocad, to share their analyses and eventually consider how to implement them in real-life cases.