Browsing by Author "Wrigley, John Samuel Peter"

Technology has had an undeniable impact on both society and law, particularly in the realm of personal data. The use of bots has allowed for the processing of information on an unprecedented scale. This thesis asks whether the General Data Protection Regulation (“the GDPR”) will be able to provide appropriate protection for data subjects when processing is performed by bots, while also balancing the rights and interests of data controllers, and promoting the healthy and socially desirable development of technology. In chapter I, this thesis begins by searching for a common definition of bots. It is concluded that “what is a bot?” cannot be answered with a simple definition, but should instead involve asking whether a particular program exhibits a number of different factors, including whether it is self-executing, whether it acts without human interference and whether it operates within a wider network. The thesis then divides bots into three broad categories: automated process bots, data miners and decision makers. The thesis then turns to the law. It begins with an overview of data protection law in Europe, summarising the hierarchy of laws and their purposes. It concludes that European data protection law operates on three levels: human rights (e.g. the ECHR), general regulation (e.g. the GDPR) and then specific regulation (e.g. the ePrivacy Directive). Chapter II of this thesis contains an in-depth analysis of the GDPR. It examines the most important aspects of data protection law raised by processing by bots: the basic concepts of data protection law (being the concepts of personal data, processing, controller and processor); the justification for processing (with a particular focus on consent); data quality principles and data subject rights; and the right to data portability, the right to object and the right not to be subject to an automated decision. As part of this examination, the thesis looks at the contents of the legal rules, how they apply to processing by bots and whether this is desirable or not. The general findings of this section are that the GDPR has a number of issues when applied to processing by bots, but that none of these issues necessarily prevent data controllers from using bots, and many provisions do encourage bots to develop in a socially desirable way. However, notable issues with the law include that the definition of personal data is extremely wide when considering the capabilities of bots to identify, or re-identify, data subjects from supposedly anonymous data sets; that consent may not provide an adequate level of protection for data subjects (both in general and particularly in relation to bots); that the data quality principles are extremely vague and may not fit processing by bots particularly neatly; that the right to object, although clearly intended to apply to bots, is somewhat limited by other factors; and that the right not to be subject to automated individual decision making suffers from a number of drafting ambiguities, but (if interpreted correctly) could provide good protection, although there is a risk that the ability to consent to such decisions will render this protection useless in practice. Chapter III then examines the impact of the different regulatory approaches. This chapter begins by looking at the weaknesses of the general regulatory approach, before considering whether a specific regulatory approach aimed directly at bots would be able to address these issues. It is concluded that although the specific regulatory approach does have some strengths, its weaknesses (e.g. difficulties with defining the scope of the regulation) render it unattractive as a solution. Instead, the thesis recommends a hybrid approach, where a general regulatory structure is complimented by specific rules where necessary. Finally, ch. III looks at non-legal regulation and concludes that it can be a useful compliment to help address some of the ambiguities caused by a general regulatory approach. The thesis concludes by considering the arguments discussed above and finding that, on balance, the GDPR is capable of providing adequate protection to data subjects, while balancing the rights and interests of data controllers and promoting the healthy and socially desirable development of technology. However, the current implementation of the GDPR is not perfect. There is, therefore, still work to be done on improving the law, both in terms of statutory interpretation of the existing laws, the use of amending legislation where necessary, and the growth of complimentary non-legal regulatory methods.