As we look ahead to a world turned upside down by artificial intelligence and the exploitation of personal data, the place of individuals and control over their data have emerged as central issues in the new General Data Protection Regulation (RGPD) and the Law for a Digital Republic.

Célia Zolynski, professor of private law at the University of Versailles - Saint-Quentin-en-Yvelines (UVSQ), and Nicolas Anciaux, researcher at Inria, seized the opportunity offered by the DATAIA Institute to continue to bring computer scientists and legal experts together to analyze the Personal Cloud architectures proposed today and establish the responsibilities of each with the central objective of protecting the individual.

Who is responsible for what?

The RGPD replaces a directive dating back to 1995 and thus becomes the new European framework concerning the processing and circulation of personal data, the information on which companies rely to offer services and products. European legislation was becoming outdated in light of the digital explosion, the emergence of new uses and the implementation of new business models. The RGPD, which came into force on May 25, takes a different look at the right to data portability: anyone can now retrieve the personal data that a service provider will have stored. “But from the moment I recover my data, that I want to make use of it, who becomes responsible for what?” stresses Nicolas. “Personal Cloud solutions are currently emerging with very different architectures. So there should be a graduated level of responsibility depending on the level of responsibility or sovereignty the individual wants to exercise over their data, and depending on the technical architecture.” The GDP-ERE project aims to analyze the impact of Personal Cloud architectures on liability issues, to compare this analysis with the rules laid down by the RGPD and to consider legislative and technological developments to better capture the necessary sharing of responsibility between the various parties, providing each of them with the appropriate tools to endorse them.

A collaboration that began several years ago

“Célia and I met through ISN, the Institut de la Société Numérique (Digital Society Institute) created by Nozha Boujemaa, who had already recognized the value of bringing together scientists, economists and lawyers. This gave us the opportunity to realize that we were using fairly similar concepts in different disciplines, and that our expertise could be mutually nourishing,” notes Nicolas. “At Inria, in the Petrus team, we are interested in Personal Cloud and the digital heritage of individuals. At UVSQ's Laboratoire Dante, Célia is interested in the notion of personal data ownership and informational self-determination. We quickly found points of convergence and began to set up a working group.”

A new chain of responsibilities

With the RGPD reform, a new chain of responsibilities has been thought out, based on a compliance logic: the operator is responsible for data processing, but so are its subcontractors. In the context of Personal Cloud tools, depending on the architectures, it is the user who can be qualified as the data controller. The GDP-ERE project is looking at the division of responsibility between the individual and the provider. “From a legal point of view, we're going to try to study how to apply the RGPD to cases such as Personal Cloud knowing that the legislation wasn't designed for this type of data processing model where the user is active,” Celia explains to us. All the more so as, in terms of liability, the classic regime that applies outside any special legislation is common law, which takes into account a person's active part in engaging his or her liability.  As a result, there is a risk that individuals will be held disproportionately responsible for their actions, and that the extent of liability associated with platform providers will be unclear, thereby limiting their deployment.

The research carried out as part of the GDP-ERE project will therefore focus on whether the individual is capable of assuming the new power thus conferred. Célia stresses that this is an essential condition if the empowerment announced is to live up to its promises, and not produce a “boomerang effect”, i.e. that it does not lead to the individual being deprived of the protection that the law currently confers on his or her personal data. This means verifying the equation “data portability + responsibility = empowerment”, to guarantee the effectiveness of the individual's digital sovereignty.

Working together to develop solutions that work across disciplines

Célia and Nicolas have set themselves a dual objective. On the one hand, the aim is to analyze the impact of current Personal Cloud architectures on user liability, and to compare this analysis with legislation and the rules laid down by the RGPD. And on the other hand, it will be a matter of formulating legislative and technological recommendations, based on a graduated level of responsibility varying according to the level of sovereignty that the individual intends to retain over his or her data, in order to preserve autonomy and guard against the risks of boomerang effect linked to this new empowerment. To achieve this, they plan to recruit a PhD student for the legal side of their project, followed by a post-doc for the IT side. According to Nicolas, “A complementary objective will be to analyze ‘compliant’ and ‘transparent by design’ technical solutions aimed at ensuring that responsibility falls on the right person: the host, the publisher, the user, etc.”. To enable each player to exercise their prerogatives in an enlightened way and assume their responsibilities with the appropriate tools, both are counting on the relationships their respective teams have built up with industry players in the Personal Cloud, such as Cozy Cloud and Hippocad, to share their analyses and ultimately envisage their implementation in real-life cases.

Contacts : Célia Zolynski | Nicolas Anciaux