Digital Integrity — disrupting the personal data economy

Alexis Roussel is the co-author of Our precious digital integrity (Slatkine)

There is nothing natural, nor inevitable about the fact that our personal data is traded in open markets. And yet this has become the norm of the digital economy for billions of people’s data. This needs to change.

Today is the five-year anniversary of the General Data Protection Regulation (GDPR) and while the regulatory framework managed to put the question of digital privacy on the global agenda, it has been a disappointment when it comes to enforcement. Furthermore, the GDPR does nothing to challenge the fact that people have been subjected to information about them being produced and traded on open markets.

This week, we are at the Computers, Privacy and Data Protection Conference (CPDP) in Brussels. In addition to opening the conference with a discussion on the privacy implications of the cashless society, we conducted a workshop introducing the “Right to Digital Integrity”. This is currently being incorporated into the constitutions of several cantons in Switzerland. We were joined by Alexander Barclay, Delegate for digital policy of the State of Geneva, and Lusine Vardanyan, researcher at the Palacký University Olomouc, author of the paper Digital Integrity: A Foundation for Digital Rights and the New Manifestation of Human Dignity.

Left to right: Alexander Barclay, Delegate for State of Geneva, Lusine Vardanyan of Palacký University Olomouc, Alexis Roussel, COO of Nym and Harry Halpin, CEO of Nym

The digital society has been in the making for half a century. From the beginning, developers and lawyers have pointed out the likely abuses of global information systems, all built without taking the rights of people into account. Sure enough, in recent times, an entire system and economy has emerged around the commodification and exploitation of personal data — namely surveillance capitalism as revealed by Edward Snowden and analysed by Shoshana Zuboff.

The societal response has been data protection laws, culminating with the adoption of the GDPR in Europe. It is now the most aggressive regulation vis-à-vis the private companies that participate in this surveillance economy. But the GDPR largely spares nation states themselves in its material scope and is really just a tool for market regulation, merely seeking to mitigate some of its negative effects. It does not manage to protect fundamental rights or challenge the underlying principles of the surveillance economy.

The foundation of the GDPR lies in the protection of privacy, a fundamental right that existed already long before the Internet appeared. But this is a limited approach that is not able to respond to the societal threats of the surveillance economy. Nor is it able to deal with the historical impact that our digital tools have on individuals and the organizations of our societies.

In the face of what can be described as a failed approach to data protection, there is now a call for a more fundamental digital right. The principle of informational self-determination is emerging in European case law and judges are seeking to extend protection beyond violations of privacy. However, they are trapped by the hierarchy of norms: the right to data protection as per Article 8 of the Charter of Fundamental Rights of the European Union only offers a partial and limited form of protection. This article reaffirms the right to data protection, enshrines the importance of consent when processing data, but once again does not call into question the underlying model of a surveillance economy.

The Right to Digital Integrity

In 2018, the francophone data protection authorities, led by Commission Nationale de l’Informatique et des Libertés (CNIL), declared that “personal data is constituent elements of the human person, who therefore has inalienable rights over them”. This statement is a frontal rebuttal to the notion of “personal data is a commodity”. Personal data is reframed as a constitutive element of a person, in the same way as their physical body. The proposal is a fundamental shift in understanding of data and yet this reframing largely goes unnoticed, with the CNIL itself not yet drawing the full conclusions of its proposal. If our data is indeed a constituent element of the human person, it is deserving of the same integrity and security protections as our bodies. And just like organ trade is highly illegal, personal data should not be traded in the open markets.

Since 2010, I have been exploring the extension of the concept of integrity of the person to their digital existence within political think-tanks in Switzerland working on digital rights issues. Grégoire Barbey and I co-authored a book “Our precious digital integrity” on the notion of a ‘right to digital integrity’. In this book, we explored how the emergence of such a right can lead to the emergence of a digital economy that is very different from the one we know. In fact, if implemented, it would necessarily lead to a revised security policy, protecting the integrity of the human being also in their digital sphere.

Shortly after we published our book, a symposium was organized by the Faculty of Law of the University of Neuchâtel discussing the ‘right to digital integrity’. The Valais Constituent Assembly, in charge of drafting the new Constitution of the Canton of Valais in Switzerland, then decided to integrate the ‘right to digital integrity’ in their draft. The vote is expected to take place next year in 2024.

From “data protection” to the “digital life”

The primary contribution of the ‘right to digital integrity’ is that it takes a more comprehensive approach to what life in the digital age entails. What is at stake is not simply data protection, but the fact that much of humanity lives digital lives deserving of protection to safeguard their autonomy. This autonomy entails that their integrity is not violated.

The adoption of the ‘right to digital integrity’ in the constitutions of Swiss cantons is in full swing, and is already transforming the approach to data protection. For example, the Valais Constituent Assembly has moved away from the classic approach to data protection, which seeks to avoid the “abusive processing” of data, by proposing a prohibition of “data processing without consent” as a general rule. In contrast to the GDPR, this means the burden of proof is shifted from those who are the subject of the processing to those who carry out the processing. In the same draft, the ‘right to digital integrity’ is granted, including through the “ability to interact freely through digital technologies”. A right to open and non-discriminatory access to the Internet is recognized, as is the right to communicate with the authorities, without being required to exclusively use a specific technology.

In Geneva, a similar proposal is up for vote on the 18th of June 2023, a constitutional law submitted to the Geneva Grand Council. It proposes the introduction of a new article in the Constitution recognizing the ‘right to digital integrity’ with the following wording:

“Digital integrity includes, in particular, the right to be protected against the abusive processing of data related to one’s digital life, the right to security in digital space, the right to an offline life as well as the right to be forgotten.”

This is the first time the concept of “digital life” appears in a Constitution.

Furthermore, articulating a ‘right to security in the digital space’ allows for a profound paradigm shift in the security approach: the digital world can no longer be seen by the security authorities merely as a tool that can be compromised for some security scare. Instead, they have to actively contribute to securing the underlying infrastructures for digital life in order to allow citizens to lead their digital lives with serenity.

Following the trend of Valais and Geneva, the cantons of Jura, Neuchâtel and Vaud have also started debates on the ‘right to digital integrity’. And now, even the federal parliament.

Neuchâtel is the home of Nym, and here the ‘right to digital integrity’ is being advanced even further to include the ‘right to not to be monitored, analyzed and measured’. This recognises that the right to digital integrity in fact implies the right to remain anonymous, full stop. This is a radical step forward towards guaranteeing the autonomy and dignity of people in the digital age.

What next?

Our democracies are trapped in a paradox: our governments have rolled out privacy laws and mass-surveillance laws at the same time. But these two are fundamentally incompatible. The focus on privacy alone does not resolve this paradox. Instead, privacy, the right to anonymity and digital integrity needs to be incorporated into the fabric of our society.

At Nym, we work on building privacy into the core of our digital infrastructures. On a transparent network like the Internet, in order to establish a truly private conversation, this communication must be unobservable. This is what the Nym mixnet achieves.

Similarly, in a transparent society like the one we all live in, the legal system also has to provide a protective shroud for anonymity for people, to safeguard our digital integrity.