The « GDP-ERE » project
In a world that is being shaken up by artificial intelligence and the exploitation of personal data, the place of individuals and the control of their data have emerged as central issues in the new General Data Protection Regulation (GDPR) and the law for a Digital Republic. Célia Zolynski, Professor of Private Law at the Université de Versailles - Saint-Quentin-en-Yvelines (UVSQ), and Nicolas Anciaux, researcher at Inria, took the opportunity offered by the DATAIA Institute to continue to collaborate with computer scientists and lawyers to analyze the Personal Cloud architectures proposed today and establish the responsibilities of each with the central objective of protecting the individual.
Who is responsible for what?
The GDPR replaces a directive dating from 1995 and thus becomes the new European framework for the processing and circulation of personal data, the information on which companies rely to offer services and products. European legislation was becoming obsolete in view of the digital explosion, the emergence of new uses and the implementation of new economic models.
The GDPR, which came into force on May 25, takes another look at the right to data portability: everyone can now retrieve the personal data that a service provider has stored. "But from the moment I retrieve my data and want to use it, who becomes responsible for what? Personal Cloud solutions are currently emerging with very different architectures. There should therefore be a level of responsibility graduated according to the level of responsibility or sovereignty that the individual wants to exercise over his data and according to the technical architecture."
The GDP-ERE project aims to analyse the impact of Personal Cloud architectures on liability issues, to compare this analysis with the rules laid down by the GDPR and to consider legislative and technological developments to better capture the necessary sharing of responsibility between the different parties by providing each of them with the appropriate tools to support them.
A collaboration that began several years ago
"Célia and I met within the framework of the ISN, the Institute of Digital Society created by Nozha Boujemaa who had already identified at the time the interest of bringing scientists together with economists and lawyers. This gave us the opportunity to realize that we were using fairly similar concepts in different disciplines and that our expertise could feed into each other," says Nicolas. "At Inria, in the Petrus team, we are interested in the Personal Cloud and the digital heritage of individuals. At the Laboratoire Dante de l’UVSQ, Célia is interested in the notion of ownership of personal data and informational self-determination. We quickly found points of convergence and started to set up a working group."
A new chain of responsibilities
With the reform of the GDPR, a new chain of responsibilities has been designed, according to a compliance logic: the operator is responsible for data processing but also its subcontractors. With Personal Cloud tools, depending on the architecture, it is the user who may qualify as the controller of his data.
The GDP-ERE project is concerned with the distribution of responsibility between the individual and the supplier. "From a legal point of view, we will try to study how to apply the GDPR to cases such as the Personal Cloud, knowing that the legislation was not designed for this type of data processing model where the user is active," explains Célia. This matters all the more because, in terms of liability, the traditional regime that applies outside any special legislation is the common law, which takes into account a person's active participation when establishing his liability. This creates the risk of a disproportionate responsibility of the individual in relation to his or her abilities and a lack of clarity on the scope of responsibilities associated with platform providers, which may limit their deployment.
The research carried out within the GDP-ERE project will therefore lead to checking whether the individual is able to assume the new power thus conferred on him. Célia stresses that this is an essential condition if the announced empowerment is to keep its promises and not produce a "boomerang effect", i.e. so that it does not end up separating the individual from the protection that the law currently confers on him over his personal data. This amounts to verifying the equation according to which "data portability + responsibility = empowerment", to guarantee the effectiveness of the individual's digital sovereignty.
Collaborate to bring out solutions that work in several disciplines
Célia and Nicolas have set themselves a double objective. On the one hand, the aim is to analyse the impact of current Personal Cloud architectures on user responsibility and to compare this analysis with the legislation and rules laid down by the GDPR. On the other hand, the aim is to formulate legislative and technological recommendations, on the basis of a graduated level of responsibilities varying according to the level of sovereignty that the individual intends to maintain over his data, in order to preserve his autonomy and to protect him against the risks of a boomerang effect linked to this new empowerment. To do this, they plan to recruit a doctoral student in legal studies and a post-doc in IT. "A complementary objective," according to Nicolas, "will be to analyse the 'compliant' and 'transparent by design' technical solutions aimed at ensuring that the responsibility rests with the right person: the host, the publisher, the user, etc."
In order to enable each actor to exercise their prerogatives in an informed manner and to assume their responsibilities with appropriate tools, both rely on the relationships forged by their respective teams with industrial players in the Personal Cloud such as Cozy Cloud or Hippocad, to share their analyses and ultimately consider their implementation in real cases.