The Right Thing on Tuesday

Strategic Ethics • Compliance • Privacy • Fundamental Rights • Nordic Winds • European Perspectives

Grundlovsdag Post: “A Retiree of 14 Years Battling Addictions”

I’m writing this post on 5 June—Grundlovsdag (Constitution Day) in Denmark, which marks the monarchy’s transition from absolute to constitutional. (I’m only publishing it the following Tuesday to comply with the blog’s—so strict you could call it cogens—naming principle.) Grundlovsdag is a celebration of constitutionalism and civic values, which I’d like to honour with a post about privacy—not just as “data protection”—but as a reflection of human dignity and the quality of democracy.

I think that there are few more important issues than politics. At the same time, the standard of what passes as “communication” in the political domain has dipped very low in many countries—with its sole purpose often limited to dominating the momentary agenda by eliciting an emotional reaction, and in no way relaying argument, world view, or policy. That’s why these days I don’t really comment on political messages, other than to my closest family or friends. For the case described in this post, I make an exception, because I think the story serves as a commentary on why privacy is, in essence, a fundamental rights issue—not “just” data protection.

The case itself unfolded a few weeks ago—and I’ve been holding off on posting on it because I had no intention of getting caught up in the ensuing political “debate”. I won’t name the (EU) country either, because I believe it could have happened anywhere—although as a true blue comparativist I would also hope that the reaction and institutional consequences would vary from one legislation to another.

What happened?

A retired army lieutenant colonel (I’ll refer to him as “Colonel Gustave”) wrote a letter to a fellow army veteran and up-and-coming opposition politician (“General Mustafa”), expressing his support for him as a person, and for his ambitions. This letter would subsequently be published on social media by the leader of General Mustafa’s party. So far—politics. But the interesting turn of events, to me, came when the Ministry of Defence (MOD) weighed in by issuing a disparaging statement of the party leader, in which they characterised Colonel Gustave as “a retiree of 14 years battling addictions.”

Enter GDPR

Following the social media spat, the head of the Data Protection Authority (DPA) made a statement to the press to the effect that information concerning one’s addictions belongs to a special category of personal data, which warrants special protection under the GDPR.

The DPA is right, of course—and I also think that there’s much more to this. In GDPR terms, I can conceive of two—equally concerning—transgressions: (1) a breach of the principle of accuracy, or (2) a breach of the purpose limitation principle, and ultimately, of confidentiality (also: a data breach).

  1. If the assertion about Gustave’s alleged addictions was factually untrue, as Gustave himself would later comment, then the MOD, Gustave’s former employer, had published (special category) personal data about him that were inaccurate.
  2. If, on the other hand, the information about Gustave’s addictions was true and someone in the administration had learned about them in a work context (e.g., human resources, Gustave’s manager, or a colleague), then this someone would have had to communicate it to others, so that at the end of the telephone game—likely also through a chain of in-house sign-offs—it would finally end up at the MOD press department for publication. As the original purpose of processing for these data (assuming that processing was legal in the first place) would clearly not have been publication and commentary, the person or persons perpetrating this on behalf of the MOD would clearly have violated the GDPR’s purpose limitation and confidentiality principles—likely also committing one, or several data breaches along the way.

While a data protection type might be content with establishing either of these scenarios, or a third one, as what happened—alongside what needs to be done to course-correct and risk-mitigate (possibly also sanction)—I don’t think the issue stops here. I imagine that most observers would agree that a line was crossed. In my opinion, it was not a line representing a technicality, but a universal moral principle.

Because what also took place alongside the violation of Colonel Gustave’s privacy was a violation of his human dignity—the detail that this violation was effected through his personal data is almost circumstantial. But to seek legal remedy for a violation of human dignity—whether through a libel case, or otherwise—is, even in the strongest of judicial systems, complicated, time-consuming, and uncertain. Not to mention potentially highly invasive to one’s privacy, or the implications—in at least some parts of the world—if the defendant is a government ministry.

And this, I believe, speaks to the genius of the GDPR. Incidentally, some of the people with whom I do discuss politics strongly believe that the GDPR is the opposite of genius. “Complicated,” “ineffective,” and “dream world” are just some of the characterisations that have been thrown around. Maybe there is truth to them. But the genius of the GDPR doesn’t come from it being a perfect piece of work altogether (no masterpieces are)—it comes from the ease with which it breaks down the complexity of the modern world, and of one of its incredibly important spaces: the online public sphere, for purposes of analysis and enforcement.

The genius of the GDPR lies in that it provides simple and effective tools to investigate, and to remedy, or—to borrow an important term from the social sciences—to operationalise the fundamental rights issue at play here. Whether and how the DPA makes use of these tools will by no means be a reflection on the GDPR, or the principles on which it stands.
