Category Archives: Academic Resource

What’s new in research: Georgetown Law Technology Review, human rights and encryption, and data protection proof free-trade agreements (open access)

I’m starting this week’s “What’s new in research” post with three pieces of good news:

  • There is a new technology law journal in town – Georgetown Law Technology Review, which was just launched. It provides full access to its articles, notes and comments. “Few issues are of greater need for careful attention today than the intersection of law and technology”, writes EPIC’s Marc Rotenberg welcoming the new Review.
  • Tilburg Institute for Law, Technology and Society (TILT) launched its Open call for Fellowships Applications for the 2017-2018 academic year. “This programme is for internationally renowned senior scholars who wish to spend the 2017-2018 academic year, or a semester, in residence at TILT as part of its multi-disciplinary research team to work on some of the most interesting, challenging and urgent issues relating to emerging and disruptive technologies.” I spent three months at TILT in 2012, as a visiting researcher, during my PhD studies. I highly recommend this experience – it’s one of the best environments there are to develop your research in the field of data protection/privacy.



As for the weekend reads proposed this week, they tackle hot topics: human rights and encryption from a global perspective, international trade agreements and data protection from the EU law perspective, newsworthiness and the protection of privacy in the US.  


1. “Human rights and encryption”, by Wolfgang Schulz and Joris van Hoboken, published by UNESCO.

“This study focuses on the availability and use of a technology of particular significance in the field of information and communication: encryption, or more broadly cryptography. Over the last decades, encryption has proven uniquely suitable to be used in the digital environments. It has been widely deployed by a variety of actors to ensure protection of information and communication for commercial, personal and public interests. From a human rights perspective, there is a growing recognition that the availability and deployment of encryption by relevant actors is a necessary ingredient for realizing a free and open internet. Specifically, encryption can support free expression, anonymity, access to information, private communication and privacy. Therefore, limitations on encryption need to be carefully scrutinized. This study addresses the relevance of encryption to human rights in the media and communications field, and the legality of interferences, and it offers recommendations for state practice and other stakeholders.”

2. “Trade and Privacy: Complicated Bedfellows? How to Achieve Data Protection-Proof Free Trade Agreements”, by Kristina Irion, Svetlana Yakovleva, Marija Bartl, a study commissioned by the European Consumer Organisation/Bureau Européen des Unions de Consommateurs (BEUC), Center for Digital Democracy (CDD), The Transatlantic Consumer Dialogue (TACD) and European Digital Rights (EDRi).

“This independent study assesses how EU standards on privacy and data protection are safeguarded from liberalisation by existing free trade agreements (the General Agreement of Trade in Services (GATS) and the Comprehensive Economic and Trade Agreement (CETA)) and those that are currently under negotiation (the Trans-atlantic Trade and Investment Partnership (TTIP) and the Trade in Services Agreement (TiSA)). Based on the premise that the EU does not negotiate its privacy and data protection standards, the study clarifies safeguards and risks in respectively the EU legal order and international trade law. In the context of the highly-charged discourse surrounding the new generation free trade agreements under negotiation, this study applies legal methods in order to derive nuanced conclusions about the preservation of the EU’s right to regulate privacy and the protection of personal data.”

3. “Making News: Balancing Newsworthiness and Privacy in the Age of Algorithms”, by Erin C. Carroll, published by the Georgetown University Law Center.

“In deciding privacy lawsuits against media defendants, courts have for decades deferred to the media. They have given it wide berth to determine what is newsworthy and so, what is protected under the First Amendment. And in doing so, they have often spoken reverently of the editorial process and journalistic decision-making.

Yet, in just the last several years, news production and consumption has changed dramatically. As we get more of our news from digital and social media sites, the role of information gatekeeper is shifting from journalists to computer engineers, programmers, and app designers. The algorithms that the latter write and that underlie Facebook, Twitter, Instagram, and other platforms are not only influencing what we read but are prompting journalists to approach their craft differently.

While the Restatement (Second) of Torts says that a glance at any morning newspaper can confirm what qualifies as newsworthy, this article argues that the modern-day corollary (which might involve a glance at a Facebook News Feed) is not true. If we want to meaningfully balance privacy and First Amendment rights, then courts should not be so quick to defer to the press in privacy tort cases, especially given that courts’ assumptions about how the press makes newsworthiness decisions may no longer be accurate. This article offers several suggestions for making better-reasoned decisions in privacy cases against the press.”

Enjoy the reads and have a nice weekend!







What’s new in research: full-access papers on machine learning with personal data, the ethics of Big Data as a public good

Today pdpecho inaugurates a weekly post curating research articles/papers/studies or dissertations in the field of data protection and privacy, that are available under an open access regime and that were recently published.

This week there are three recommended pieces for your weekend read. The first article, published by researchers from Queen Mary University of London and Cambridge University, provides an analysis of the impact of using machine learning to conduct profiling of individuals in the context of the EU General Data Protection Regulation.

The second article is the view of a researcher specialised in International Development, from the University of Amsterdam, on the new trend in humanitarian work to consider data as a public good, regardless of whether it is personal or not.

The last paper is a draft authored by a law student at Yale (published on SSRN), which explores an interesting phenomenon: how data brokers have begun to sell data products to individual consumers interested in tracking the activities of love interests, professional contacts, and other people of interest. The paper underlines that the US privacy law system lacks protection for individuals whose data are sold in this scenario and proposes a solution.

1) Machine Learning with Personal Data (by Dimitra Kamarinou, Christopher Millard, Jatinder Singh)

“This paper provides an analysis of the impact of using machine learning to conduct profiling of individuals in the context of the EU General Data Protection Regulation.

We look at what profiling means and at the right that data subjects have not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning them or significantly affect them. We also look at data subjects’ right to be informed about the existence of automated decision-making, including profiling, and their right to receive meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing.

The purpose of this paper is to explore the application of relevant data protection rights and obligations to machine learning, including implications for the development and deployment of machine learning systems and the ways in which personal data are collected and used. In particular, we consider what compliance with the first data protection principle of lawful, fair, and transparent processing means in the context of using machine learning for profiling purposes. We ask whether automated processing utilising machine learning, including for profiling purposes, might in fact offer benefits and not merely present challenges in relation to fair and lawful processing.”

The paper was published as “Queen Mary School of Law Legal Studies Research Paper No. 247/2016”.

“International development and humanitarian organizations are increasingly calling for digital data to be treated as a public good because of its value in supplementing scarce national statistics and informing interventions, including in emergencies. In response to this claim, a ‘responsible data’ movement has evolved to discuss guidelines and frameworks that will establish ethical principles for data sharing. However, this movement is not gaining traction with those who hold the highest-value data, particularly mobile network operators who are proving reluctant to make data collected in low- and middle-income countries accessible through intermediaries.

This paper evaluates how the argument for ‘data as a public good’ fits with the corporate reality of big data, exploring existing models for data sharing. I draw on the idea of corporate data as an ecosystem involving often conflicting rights, duties and claims, in comparison to the utilitarian claim that data’s humanitarian value makes it imperative to share them. I assess the power dynamics implied by the idea of data as a public good, and how differing incentives lead actors to adopt particular ethical positions with regard to the use of data.”

This article is part of the themed issue ‘The ethical impact of data science’ in “Philosophical Transactions of the Royal Society A”.

3) What Happens When an Acquaintance Buys Your Data?: A New Privacy Harm in the Age of Data Brokers (by Theodore Rostow)

“Privacy scholarship to date has failed to consider a new development in the commercial privacy landscape. Data brokers have begun to sell data products to individual consumers interested in tracking the activities of love interests, professional contacts, and other people of interest. This practice creates an avenue for a new type of privacy harm — “insider control” — which privacy scholarship has yet to recognize.

U.S. privacy laws fail to protect consumers from the possibility of insider control. Apart from two noteworthy frameworks that might offer paths forward, none of the viable reforms offered by privacy scholars would meaningfully limit consumers’ vulnerability. This Note proposes changes to existing privacy doctrines in order to reduce consumers’ exposure to this new harm.”

This paper was published as a draft on SSRN. According to SSRN, the final version will be published in the 34th volume of the Yale Journal on Regulation.



Research finds that ‘surveillance technologies yield neither the secure utopia nor the police state dystopia promised by their supporters’

Science Magazine published a piece today about the recent book by Keith Guzik, a sociologist at the University of Colorado Denver, “Making Things Stick: Surveillance Technologies and Mexico’s War on Crime”.

Guzik examines Mexico in order to understand how surveillance technologies impact security policy around the world. We could hardly find a more ‘spot on’ theme for general public policy these days.

With Mexico’s War on Crime as the backdrop, Making Things Stick offers an innovative analysis of how surveillance technologies impact governance in the global society. More than just tools to monitor ordinary people, surveillance technologies are imagined by government officials as a way to reform the national state by focusing on the material things—cellular phones, automobiles, human bodies—that can enable crime. In describing the challenges that the Mexican government has encountered in implementing this novel approach to social control, Keith Guzik presents surveillance technologies as a sign of state weakness rather than strength and as an opportunity for civic engagement rather than retreat.

The book is available under an Open Access license. Enjoy the read!

And this is the conclusion of the author, according to Science Mag:

“The failed experiment of the Mexican security programs demonstrates that state surveillance technologies yield neither the secure utopia nor the police state dystopia promised by their supporters and opponents”.


Trouble with Science’s special issue on privacy is that it’s called “The End of Privacy”

The prestigious Science magazine’s issue released today is dedicated to Privacy. The only problem is that its title is “The End of Privacy”. This statement is too dramatic. I don’t think we are facing the end of privacy, but the explosion of privacy-invading technologies and practices.

Privacy as an inherent human value cannot disappear.

Privacy as the web of legal protection is not likely to disappear soon. Au contraire. It is likely it will be developed and taken more and more seriously.

The fact remains that privacy is under siege. But if scientific magazines are starting to publish entire issues on this topic, it would be more useful if they did not declare privacy dead, but figured out ways to build a stronger web (technical, legal or of whatever other nature) for protecting privacy.

Never mind the title. Beyond it, there are some interesting articles:

1) Privacy and human behavior in the age of information, by Alessandro Acquisti, Laura Brandimarte and George Loewenstein.

2) Could your pacemaker be hackable?, by Daniel Clery (Medical devices connected to the Internet are vulnerable to sabotage or data theft).

3) Hiding in plain sight, by Jia You. (Software lets you use location-based apps without revealing where you are).

4) Control use of data to protect privacy, by Susan Landau (“..But notice, designated as a fundamental privacy principle in a different era, makes little sense in situations where collection consists of lots and lots of small amounts of information, whereas consent is no longer realistic, given the complexity and number of decisions that must be made. Thus, efforts to protect privacy by controlling use of data are gaining more attention…”)

While at it, also check my CPDP 2013 paper (presented two years ago at the conference in Brussels and published that year in a Springer volume edited by the organisers of the conference), Forgetting about consent. Why the focus should be on suitable safeguards in data protection law.

In conclusion, no, this is not the end of privacy. This is just the middle of a very, very difficult fight to protect privacy.

“The EU-US interface: Is it possible?” CPDP2015 panel. Recommendation and some thoughts

The organizers of CPDP 2015 made available on their YouTube channel some of the panels from this year’s conference, which happened last week in Brussels. This is a wonderful gift for people who weren’t able to attend CPDP this year (like myself). So a big thank you for that!

While all of them seem interesting, I especially recommend the “EU-US interface: Is it possible?” panel. My bet is that the EU privacy legal regime/US privacy legal regime dichotomy and the debates surrounding it will set the framework of “tomorrow”’s global protection of private life.

Exactly one year ago I wrote a four-page research proposal for a post-doc position with the title “Finding Neverland: The common ground of the legal systems of privacy protection in the European Union and the United States”. A very brave idea, to say the least, in a general scholarly environment which still widely accepts Whitman’s liberty vs dignity solution as a fundamental “rift” between the American and European privacy cultures.

The idea I wanted to develop is to stop looking at what seem to be fundamental differences and start searching for a common ground from which to build new understandings of protecting private life accepted by both systems.

While it is true that, for instance, a socket in Europe is not the same as a socket in the US (as a traveller between the two continents I am well aware of that), fundamental human values do not change while crossing the ocean. Ultimately, I can convert the socket into metaphor and say that even if the continents use two very different sockets, the function of those sockets is the same – they are a means to provide energy so that one’s electronic equipment works. So which is this “energy” of the legal regime that protects private life in Europe and in the US?

My hunch is that this common ground is “free will”, and I have a bit of Hegel’s philosophy to back this idea. My research proposal was rejected (in fact, by the institute which, one year later, organized this panel at CPDP 2015 on the EU-US interface in privacy law). But, who knows? One day I may be able to pursue this idea and make it useful somehow for regulators that will have to find this common ground in the end.

You will discover in this panel some interesting ideas. Margot Kaminski (The Ohio State University Moritz College of Law) brings up the fact that free speech is not absolute in the US constitutional system – “copyright protection can win over the first amendment” she says. This argument is important in the free speech vs privacy debate in the US, because it shows that free speech is not “unbeatable”. It could be a starting point, among others, in finding some common ground.

Pierluigi Perri (University of Milan) and David Thaw (University of Pittsburgh) seem to be the ones that focus the most on the common grounds of the two legal regimes. They say that, even if it seems that one system is more preoccupied with state intrusions in private life and the other with corporate intrusions, both systems share a “feared outcome – the chilling effect on action and speech” of these intrusions. They propose a “supervised market based regulation” model.

Dennis Hirsch (Capital University Law School) speaks about the need of global privacy rules or something approximating them, “because data moves so dynamically in so many different ways today and it does not respect borders”. (I happen to agree with this statement – more details, here). Dennis argues in favour of sector co-regulation, that is regulation by government and industry, to be applied in each sector.

Other contributions are made by Joris van Hoboken, University of Amsterdam/New York University (NL/US) and Eduardo Ustaran, Hogan Lovells International (UK).

The panel is chaired by Frederik Zuiderveen Borgesius, University of Amsterdam, and organised by the Information Society Project at Yale Law School.


What Happens in the Cloud Stays in the Cloud, or Why the Cloud’s Architecture Should Be Transformed in ‘Virtual Territorial Scope’

This is the paper I presented at the Harvard Institute for Global Law and Policy 5th Conference, on June 3-4, 2013. I decided to make it available open access on SSRN. I hope you will enjoy it and I will be very pleased if any of the readers would provide comments and ideas. The main argument of the paper is that we need global solutions for regulating cloud computing. It begins with a theoretical overview on global governance, internet governance and territorial scope of laws, and it ends with three probable solutions for global rules envisaging the cloud. Among them, I propose the creation of a “Lex Nubia” (those of you who know Latin will know why 😉 ).  My main concern, of course, is related to privacy and data protection in the cloud, but that is not the sole concern I deal with in the paper.


The most commonly used adjective for cloud computing is “ubiquitous”. This characteristic poses great challenges for law, which might find itself in the need to revise its fundamentals. Regulating a “model” of “ubiquitous network access” which relates to “a shared pool of computing resources” (the NIST definition of cloud computing) is perhaps the most challenging task for regulators worldwide since the appearance of the computer, both procedurally and substantially. Procedurally, because it significantly challenges concepts such as “territorial scope of the law” – what need is there for a territorial scope of a law when regulating a structure which is designed to be “abstracted”, in the sense that nobody knows “where things physically reside”? Substantially, because the legal implications in connection with cloud computing services are complex and cannot be encompassed by one single branch of law, such as data protection law or competition law. This paper contextualizes the idea of a global legal regime for providing cloud computing services, on one hand by referring to the wider context of global governance and, on the other hand, by pointing out several solutions for such a regime to emerge.

The full text of the paper can be downloaded from SSRN.

Academic Paper: Personal Jurisdiction and Choice of Law in the Cloud

Authors: Damon C. Andrews, John M. Newman


Cloud computing has revolutionized how society interacts with, and via, technology. Though some early detractors criticized the “cloud” as being nothing more than an empty industry buzzword, we contend that by dovetailing communications and calculating processes for the first time in recorded history, cloud computing is — both practically and legally — a shift in prevailing paradigms. As a practical matter, the cloud brings with it a previously undreamt-of sense of location independence for both suppliers and consumers. And legally, the shift toward deploying computing ability as a service, rather than a product, represents an evolution to a contractual foundation for all relevant interactions.

Already, substantive cloud-related disputes have erupted in a variety of legal fields, including personal privacy, intellectual property, and antitrust, to name a few. Yet before courts can confront such issues, they must first address the two fundamental procedural questions of a lawsuit that form the bases of this Article — first, whether any law applies in the cloud, and, if so, which law ought to apply. Drawing upon novel analyses of analogous Internet jurisprudence, as well as concepts borrowed from disciplines ranging from economics to anthropology, this Article seeks to supply answers to these questions. To do so, we first identify a set of normative goals that jurisdictional and choice-of-law methodologies ought to seek to achieve in the unique context of cloud computing. With these goals in mind, we then supply structured analytical guidelines and suggested policy reforms to guide the continued development of jurisdiction and choice of law in the cloud.

Full text: Digital Commons Network


The rights of the person regarding personal data protection – PhD thesis summary

(After three years of intense work in a field not popular at all in Romanian legal research, I have finally done it 🙂 The public defense of the thesis is scheduled for November 30, 2013, at the University of Craiova. The thesis is in Romanian. The pdf version of the Summary is temporarily available here.)


Personal data protection is the subject of an intense global debate, triggered by the extraordinary development of Information Technology (IT), the ever growing capacity of its products to store and process data, and their inter-connectivity. The debate is especially triggered by the way its products are used.

Personal data protection emerged as a regulatory field in the 1970s in Western and Northern Europe, as well as in the United States of America. It developed at a rapid pace, displaying along the way the characteristics of a global regulatory phenomenon.

Romania enacted its first data protection law as late as 2001, as a consequence of its pre-accession obligations to join the European Union (EU). In spite of the long lack of preoccupation towards personal data protection, currently this field is also regulated in the Civil Code, under the section dedicated to personality rights – more precisely in Article 77, which specifically refers to the protection of personal data.

This thesis fills in the lacunae in the Romanian legal literature with regard to personal data protection, characterizing the right to personal data protection as a subjective right (droit subjectif) and making an exhaustive critique of the rights of the data subject to directly control data processing, which are analyzed as prerogatives of the general data protection right.

Therefore, the main question this thesis answers is: “What are the roles of the ‘control’ rights of the data subject in data protection law and how do they become effective, having regard to the complex system of norms which regulate them?”

Part I of the thesis establishes the main coordinates of a general theory of personal data protection. A one-dimensional theoretical foundation of this field is absent in the Romanian legal literature, while in the foreign legal literature the main fundamental theoretical preoccupation seems to be the differentiation between personal data protection and the protection of private life. To achieve this goal, the endeavor within Part I is divided into two chapters, the first one characterizing data protection as a regulatory field and the second one theorizing the right to personal data protection as a droit subjectif civil (subjective right).

The first chapter represents a historical mise en scène, which is multi-dimensional from a territorial point of view, and contextual with regard to the data protection regulations. There are three main ideas which emerge from this analysis.

First, it is underlined that the emergence of technologies to store and process information imposed the necessity of a juridical mechanism to protect individual freedom in relation to storing and processing personal information.

Second, this mechanism has been enacted relatively simultaneously in the 1970s and the beginning of the 1980s in Western democracies, having similar forms and principles. This led to the theories regarding the global convergence of data protection norms.

Finally, even though legal writers have identified until now several generations of data protection regulations, in fact the only substantial difference between the content of these regulations in different moments in time is the development from multiple dispersed norms with a common purpose – data protection, to the recognition and enactment of a subjective right to data protection.

With regard to the particularities of the Romanian data protection system presented in this chapter, the analysis of the transposition of data protection norms into the Romanian legal system is worth noting, starting with the substantiation of their necessity and underlining the differences between the transposition law (Law no. 667/2001) and Directive 95/46 for the protection of the individual with regard to data processing. These differences can lead in certain cases to the conclusion that transposition errors exist. For instance, such is the case with the broader understanding provided in the Romanian law for the lawful grounds of data processing.

The detailed provisions regarding informational privacy contained in the new Civil Code (NCC), as well as the concern shown strictly for personal data protection (Art. 77 NCC), are an indication of the fact that Romania has a modern civil code. It is built to support the individual in the face of the challenges of the digital age, on one hand, and with regard to the interferences in her private life, on the other hand. As it was already underlined in the legal literature, “certainly, this regulation will greatly contribute to the civilization of some inter-human interactions which are in great suffering in these rough times we are passing through, but also to holding back the uncontrolled zeal of authorities, which, under different pretexts, disregard rights such as the right to private life or dignity”[1].

However, in the near future, the existing rules regarding personal data protection, which have a broad material scope, will be set aside from the national legal system by the new EU Data Protection Regulation and the new EU data protection directive in criminal matters, which are currently under legislative debate in the European Parliament and the European Council (insofar as they are contrary to the new EU legislation).

Chapter 2, starting from the droit objectif of data protection, substantializes the existence of data protection in informational self-determination, which is further grounded in free will. The chapter continues with the transition from the identification of an interest which can be protected by data protection provisions to theorizing the right to personal data protection as droit subjectif.

Therefore, the classical elements of the droit subjectif are identified with regard to the right to personal data protection and detailed – the subject (titulaire) of the right, the object, and the content of the right, while its legal protection will be comprehensively studied in Part III of the thesis.

A significant contribution of Chapter 2 to data protection theory is the contextualization of the role of consent in the protection of personal data. According to it, the focus in data protection law should be removed from consent and placed upon the suitable safeguards of the data subject, such as the rights to control data processing, purpose limitation and accountability mechanisms. All of these safeguards are regulated with the purpose to create a complex system of protection of the data subject. These three types of safeguards are identified as being the prerogatives within the content of the right to personal data protection.

It was shown that, ultimately, the philosophy of data protection could be summarized as follows: every person should have the right not to be subject to data processing, unless it is made on one of the recognized legal grounds (which are identified as being part of the meta-content of the right to personal data protection), and it is subject to suitable safeguards (which are identified as prerogatives within the content of the right to personal data protection). As the consent of the data subject is merely one of several legal grounds enshrined in data protection law, it was argued that the importance of consent in this field must be ranked below the necessity to clarify and detail the “suitable safeguards”. This is a consequence of coordinating the prerogatives of the right to personal data protection with the right’s object, an object which has a procedural nature and which represents an aggregation of mechanisms as normative instruments for transparency.

Therefore, it is further argued that the right to personal data protection is a non-pecuniary subjective right (droit subjectif), substantialized with the purpose to protect the interests of the person in the context of the Information Society. Its structure is complex, and its essence is rather procedural. It is shown, nevertheless, that all the classical elements of the droit subjectif have correspondents in the provision of the right to personal data protection.

The rights of the data subject which facilitate the informational self-determination, named in this thesis “control rights”, are systemized in Part II, following the structure of the European Commission’s proposal for a General Data Protection Regulation, which divides the rights into three categories: information and access rights, rectification and erasure rights, as well as the right to object (to data processing in general, and also to automated decisions taken on the basis of profiling).

According to one of the data protection principles, the data subject enjoys the possibility of directly participating in the processing of her data, and influencing it. This principle is known as the data subject participation and control principle. Along with seven other principles – fair and lawful processing, data minimization, purpose specification, data quality, disclosure limitations, information security and sensitivity principles – it plays an important part in the lawful processing of private data, having regard to the ultimate purpose of the protection of personal liberties. The rights of the data subject – right to information, right to access, right to rectification, right to objection, right not to be subject to an automated decision based on profiling, the proposed right to be forgotten and right to data portability (which are regulated in the draft data protection regulation) – are normative expressions of the data subject participation and control principle with regard to data processing.

Authors such as Poullet consider that the express provision of these subjective rights of the data subject in Convention 108 of the Council of Europe (with regard to personal data protection; adopted in 1981) marks the second generation of data protection laws and allows the data subject to control the use of her informational image and to assess the reasons for its utilization. It must be mentioned that, contrary to this opinion, most of the data protection laws enforced in Europe in the ’70s have had regard to the fact that “the stream of personal data primarily flows from the weak actors to the strong”[2], guaranteeing from the beginning a set of rights of the data subject: the right to information and access, the right to rectification and the right to erasure. This set of rights has evolved within the national laws, being further regulated in detail by EU Directive 95/46 on the protection of individuals with regard to the processing of personal data.

Within the chapters of Part II, the content of each subjective right expressly enshrined in data protection law is conceptually grounded and its current provision is also analyzed from the point of view of the evolution of its normative history. The rights of the data subject are studied having regard firstly to Romanian law, and subsequently to the EU directives regulating in the field of data protection and the legislative proposals from the EU data protection reform package – the General Data Protection Regulation (GDPR) and the directive of data protection in criminal matters, which are currently in the process of being adopted. The case-law of the European Court of Human Rights in Strasbourg under Article 8 (respect for private life) of the European Convention of Human Rights will also be taken into account, especially with regard to the right to access. The necessity of such a comprehensive approach on the rights of the data subject is evident in the multi-layered legal system of a Member State of the EU.

Chapter 3 details the right to information and the right to access the personal data being processed. The protection of personal data would lack efficiency if data subjects were not able to acknowledge the existence of the processing and its context, and did not know what particular data are processed, how they are used and who has access to them. The two rights are the expression of a transparency principle, but a two-dimensional transparency, respectively transparency managed by the data controller and exclusively opposable to the data subject.

Informational self-determination has as starting point this kind of transparency. If the data subject does not know that her data are being processed and stored in certain databases, then it would be impossible for her to exercise any of the prerogatives which follow from legally guaranteeing the right to the protection of private data.

On the other hand, in the legal literature it was also underlined, with regard to data access, that “this right consistently constitutes a significant burden, both administratively and financially, to data controllers”[3].

The right to information and the right to access are enshrined in the first data protection laws, starting with the Bundesdatenschutzgesetz – the German federal law adopted in 1977, followed by the Loi relative à l’informatique, aux fichiers et aux libertés, adopted in France in 1978, the Data Protection Act, adopted in 1984 by the British Parliament, and the Wet Persoonsregistraties, adopted in 1989 in The Netherlands. Initially, the distinction between the two rights is not clear, the French law being the only one which differentiates them. Both the German and the British law enshrine similar prerogatives to both of the rights, one under the right to information, and the other under the right to access.

The two rights appear under the guise of “possibilities” in Convention 108 of the Council of Europe, and as individual subjective rights within Directive 95/46, along with the right to object, the right to rectify data and the right not to be subject to decisions based on automated data processing. Articles 10, 11 and 12 of Directive 95/46 provide that every time personal information is collected, the data subjects must be informed about the details of the data processing and have the right to receive a copy of all the processed data. The three articles from Directive 95/46 have been transposed in Law no. 677/2001 on the protection of individuals with regard to the processing of personal data, in Articles 12 and 13, which are analyzed in detail in Chapter 3 from the point of view of their content and procedure for their adjudication.

The idea of a legal regime which would guarantee the access of individuals to their own information appeared for the first time in the Romanian system after the 1989 Revolution, with regard to the personal files created by the Securitate (the secret service of the former Romanian communist regime). Two years after Law no. 187/1999, which guarantees access to these files, was enforced, the transposition law of Directive 95/46 was adopted, in a system which, until then, had not recognized a social and legal necessity to protect personal data beyond the sensitive matter of accessing the files of the former Securitate. It must be underlined, nevertheless, that the right to access, according to Article 13 of Law no. 677/2001, provides a considerably simpler procedure for accessing personal data than the procedure required by the National Council for the Study of the Securitate’s Archives. This raises the question of a national provision which does not comply with the harmonization standard established by a directive in its ratione materiae scope.

The provisions of Law no. 677/2001 with regard to the rights to information and access represent, to a high degree, a correct transposition of the provisions of Directive 95/46, including from the point of view of their exceptions and restrictions. The only inconsistency refers to the omission, in the case of the right to access, of the condition that access must be asked for “without constraint”. This condition, even though it is provided in Article 12(1) of Directive 95/46, is not mentioned in the GDPR proposal. However, until the GDPR enters into force, Article 12 of Directive 95/46 can be invoked by the data subject as long as she considers that she was constrained to ask for access to the processed data.

Nevertheless, it must be underlined that Law no. 677/2001 has strengthened the protection of the two rights by adding compulsory details of the processing to be offered to the data subject, compared to the set of details required by Directive 95/46.

Chapter 4 analyzes the rights to intervene directly in the data processing operation. One may say that, after information and access, a second “step” towards informational self-determination allows the data subject to directly intervene in the data processing operations. The data subject has the right to obtain the rectification, update and even erasure of her processed private data. Without this second component of the prerogatives of the right to personal data protection, informational self-determination would remain utopian.

The Romanian data protection law regulates in Article 14 “the right to intervene upon the data”, the content of which enshrines the rectification, erasure, blocking and update of personal data. Directive 95/46 does not literally provide for a distinct right to intervention upon the data, but it regulates the erasure, blocking and rectification of data within Article 12 – “the right to access”. The solution of the Romanian legislature expresses the essence of these rights. They ultimately represent the possibility of the data subject to directly intervene in the process of data processing.

The possibility of the data subject to effectively and concretely intervene in the data processing has generated most of the controversies about the rights of the data subject as enshrined in the EU data protection reform package. The European Commission has introduced in the draft GDPR two new “interventional” rights – the right to be forgotten, which, in fact, represents the development of the right to erasure, and the right to data portability.

The intention to regulate these rights has generated two opposite opinions. On one hand, the European Commission is supported in its endeavor especially by the European Data Protection Supervisor, by the non-governmental organizations which promote the protection of human rights in the digital age and by most of the European academia in the field of law and technology. On the other hand, global IT companies, some of the governments of the EU member states, as well as part of the American law and technology academia have criticized the regulation of the two rights. Both perspectives are detailed in this chapter.

Both the supporters and the critics of the right to data portability and the right to be forgotten seem to omit the fact that incarnations of these rights already exist in the current data protection law in the European Union. This is one of the reasons why the rights to intervention were grouped in the same chapter of the thesis, to make it easier for the reader to compare the norms in the first data protection laws, the current legal framework and the proposed regulation and directive from the reform package.

Among the conclusions of the chapter, it can be underlined that, even though the right to be forgotten, technically, is the right to erasure which presupposes the existence of two correlative obligations, one of result – erasure of data, and one of best efforts – the information of third parties who had access to data about the erasure request, obligations which are opposable to data controllers on a quasi-global level, it represents much more: it protects the autonomy, liberty and identity of the individual in an over-digitalized world, not only in space, but also in the temporal dimension (which justifies the idea of “forgetfulness”).

With regard to the right to data portability, it is the exponent of a new generation of juridical concepts of the regulation of private life. One should admit that its functions are complex, affecting not only privacy, but also competition between service providers of the Information Society. Nevertheless, its regulation in a data protection normative act indicates that the fundamental role of data portability is to offer data subjects enhanced control over their informational self-determination.

The right to object to data processing and the right to object to automated decisions based on profiling are studied in Chapter 5.

The general right to object to data processing, as well as the rights of the data subject to object to decisions based on profiles represent the category of the rights of the data subject with the least clear content. This might happen because the two rights are not a part of the common body of provisions of the first data protection laws in Europe, unlike the two categories of rights studied above – “the rights to know” and the rights to directly intervene in the data processing operation.

Comparing the material scope of the two rights, the general right to object is the expression of theoretical preoccupations, which are linked to the grounds of a fundamental right to informational self-determination, while the right of the person to object to decisions based on profiling is rather the response to practical and current concrete problems. The succinct characterization of profiling made in one of the subsections of this chapter shows the danger for individual liberty, lato sensu, on one hand, and for democratic societies, on the other hand. This danger is represented by profiling beyond any control.

Inspired by the first French data protection law of 1978, Directive 95/46 regulated a general right of the data subject to object to the processing, in exceptional circumstances, even if the processing complies with the law. The main condition for a successful objection request is the existence of “compelling legitimate grounds” in a particular situation.

The normative evolution of the general right to object is analyzed in the first section of the chapter, underlining the absence of this prerogative from the first data protection laws in Europe, and also from the data protection international legal instruments. Subsequently, the content of the right to object as regulated by Law no. 677/2001 is analyzed having regard to the corresponding provisions from Directive 95/46, followed by the development of this right in the EU data protection reform package.

One of the conclusions of Chapter 5 is that the Romanian legislator has significantly extended the material scope of the general right to object, compared to the provisions of Directive 95/46. Hence, while the directive limits the application of the right to object to the situations in which the processing is necessary for the performance of a task carried out in the public interest and the processing is necessary for the purposes of the legitimate interests pursued by the controller, the Romanian data protection law does not limit the application of the right depending on the lawful basis for data processing, which means that it is possible to object to the processing including when the data subject has consented to it, but also when the lawful ground for processing is a legal obligation of the controller.

The right of the data subject not to be subject to a decision based on automated processing is contextualized within the framework of an analysis of profiling as a phenomenon of the current economy. The prerogatives of the data subject against the arbitrary effects profiling can have on individuals are subsequently analyzed.

The analysis of the rights of the data subject reveals without doubt the existence of a general right to informational self-determination, guaranteed by the specific provisions of data protection. The data subject not only has the right to be informed about the existence of data processing operations and to know their details, but can also directly intervene on them by requiring the erasure, rectification or the updating of data. Moreover, she can object to the processing, even if it is lawful. In principle, the control of the data subject over her informational image is substantial.

However, its substance is diminished because of the limited material scope of certain rights and their exceptions and restrictions regulated in the data protection normative acts – all of which are being analyzed and exemplified in Part II of the paper. Perhaps the most diminishing factor of its substance comes from the passivity of the data subject. The data subject must effectively exercise their rights so that they will assure the control over their informational identity.

In this regard, Part III describes the ways in which the data subject can defend the rights enshrined in the wider content of the right to the protection of private data, by analyzing the simple civil actions to achieve this purpose, and the more complex action in civil liability, before the national courts.

Access to justice of the data subject to protect her rights has a special place in the Romanian data protection system, because it is regulated in the chapter dedicated to “the rights of the data subject in the context of data processing” (Chapter IV, Law no. 677/2001), at Article 18 – “the right to a judicial remedy”.

The data subject can protect the prerogatives of the content of the right to data protection by making recourse to criminal liability, liability resulting in contraventions or civil liability. The thesis aimed to analyze only the last two.

Civil remedies for data protection law breaches are of two types. First, the protection of the rights of the data subject can be done through civil actions in realization of the rights, a possibility which results from Article 18 of Law no. 677/2001. Second, if the data subject considers that she suffered damages resulting from the data protection law breaches, she can make use of a civil action in civil liability, according to Article 18(2) of Law no. 677/2001, which refers to any breach of the data protection law, not exclusively to breaches of the provisions of Chapter IV regarding the rights of the data subject.

Civil liability of data controllers and of data processors can be also invoked in court making use of the provisions of the new Civil Code: Article 1349 – the general clause for civil liability, corroborated with Article 253 – the clause for civil liability in the case of breach of non-pecuniary rights.

The liability resulting in contraventions of data controllers that do not comply with data protection law can be engaged on the basis of Articles 31-35 of the Law no. 677/2001, which regulates “contraventions and sanctions” in the field of data protection, but also on the basis of Article 13 of Law no. 506/2004 of personal data processing and the protection of private data in the electronic communications sector. A fundamental role in the application of sanctions in the field of data protection pertains to Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal – ANSPDPC (The National Authority for Supervising Personal Data Processing).

Finally, if we look upon personal data protection lato sensu and we corroborate it with the specific prerogatives of the right to the protection of private life, then we can conclude that criminal liability can also be engaged with regard to data controllers, according to Article 195 of the Criminal Code, which sanctions the crime of “violating the secret of correspondence”. As a matter of fact, Law no. 677/2001 refers to “crimes” in the chapter dedicated to sanctions, admitting that some characteristics of the regulated contraventions can be transformed in the content of a “crime”, but without specifically regulating such crimes sanctioned by penal law. This last aspect is not a part of the proposed scope of this thesis and will not be analyzed.

Even though there seems to be an inflation of legal procedures conferred to the data subject in order to guarantee her right to personal data protection, they are rarely utilized. According to preliminary data from a report of the Agency for Fundamental Rights of the European Union (“Data Protection: Redress Mechanisms and Their Use”) dedicated to redress mechanisms for damages caused by data protection law breaches in 16 member states of the EU, including Romania, data protection cases are few and dispersed among a variety of national courts and redress for damages caused by data protection law breaches is centered around Data Protection Authorities. These facts have several causes of a normative and institutional nature, but, at the same time, are justified by the attitude that the citizens of the EU, in general, and Romanians, in particular, have regarding personal data processing. According to the most recent Eurobarometer in this field (Eurobarometer No. 359), published in 2011, 33% of Europeans and 39% of Romanians “completely agree” that the disclosure of personal data is not a major problem, while 70% of Europeans and 61% of Romanians have complete trust that the national public authorities protect their personal data.

Chapter 6 analyzes the civil actions in realization of the rights which are available to data subjects, marking the distinction between the legal grounds for such actions, on one hand, and the legal grounds for judicial redress for the damages caused by the unlawful processing of personal data, on the other hand. A few practical uses of the actions in realization are also discussed. For instance, the confusion made by the Romanian judicial actors between the right to access personal data and the right to access information of public interest is highlighted (Section 3).

The Romanian legislator procedurally guarantees the protection of the prerogatives of the data subject with regard to data processing by regulating expressis verbis a “right to a judicial remedy”. The fact that judicial remedies against breaches of data protection law are regulated under the guise of a subjective right within Law no. 677/2001 makes the Romanian system of data protection prepared to effectively protect the data subject. However, it seems to be just “prepared”, as the effectiveness of the protection is influenced by several factors, such as the level of information of the data subject with regard to the dangers of unlawful data processing and the level of knowledge of the actors of the judicial system – magistrates and lawyers – about the mechanisms of protection of the data subject in the context of personal data processing, or the responsibility of data controllers with regard to the data processing operations they engage in. Having regard to all of these facts, the effectiveness of the protection of the rights of the data subject through civil actions has yet to manifest.

The right of the data subject to a judicial remedy confers on its titulaire all the premises for the adjudication of the right to personal data protection in Romanian law, establishing a rule of territorial competence, according to which the court of the domicile of the data subject is competent to decide on the civil actions for the protection of her rights provided for by Law no. 677/2001, and exempting the data subject from paying the special judicial fee for bringing actions concerning data protection breaches before the court.

The conditions to exercise civil actions for data breaches are analyzed in this chapter, by thoroughly looking into the provisions of Law no. 677/2001. This chapter also presents the argument that not only the rights of the data subject, understood stricto sensu – the right to access, to information, to object, and the right not to be the object of an individual decision based on automated profiling – can be defended through civil actions in realization, but also any civil right correlative to any obligation of the data controller regulated by Law no. 677/2001.

One of the particularities underlined was the lack of “determined interest” for an action in realization of the right to be informed. Another one was the confusion between the right to access personal data and the right to access public information which often appears in the case-law of Romanian courts and which was tackled before the European Court of Human Rights in Strasbourg in the Trăilescu case.

The passive capacity to stand trial is also analyzed for proceedings regarding the realization of rights of the data subject. Therefore, the concepts of data controller and data processor are analyzed. In this context, a test was proposed in order to establish the material scope of data protection provisions: “there is no data processing operation without a data controller and no data controller without a data processing operation”. This perspective alleviates the proof of the existence of a responsible legal or natural person for the fulfillment of obligations stemming from processing personal data, as was shown in the case of search engines identified as data controllers which have to comply with their data protection legal obligations.

Regarding the passive capacity to stand trial in civil proceedings through which the rights of the data subject are protected, it was observed that in the special case of the action in realization of the right not to be the object of a decision based on automated data processing, having regard to the de facto elements of each case, it is possible for a third party to the data processing operation to have passive capacity to stand trial, considering that according to this right “decisions” taken on the ground of profiling can be revoked.

Chapter 7 is a radiography of civil liability for damages created by the breach of non-pecuniary rights, having regard on one hand that Article 18(2) of Law no. 677/2001 provides for the possibility of the data subject to bring a legal action to cover the damage suffered as a result of unlawful data processing, and on the other hand that the new Civil Code provides for a complex system of compensation for damages created by the breach of non-pecuniary rights.

It is argued that civil liability for this type of damage presents sufficient characteristics to support the conclusion that, starting with the entering into force of the new Civil Code, the legal regime of civil liability in Romanian civil law was enriched with an autonomous cause of action in the case of damage created by breach of non-pecuniary rights.

In this regard, it must first be acknowledged that the new Civil Code enshrines a specific provision for the compensation of pecuniary and non-pecuniary damages created by breach of non-pecuniary rights – Article 253(4). It represents an individualization of the general cause of action for civil liability in the new Civil Code – Article 1349.

Secondly, the regulation in the new Civil Code of a complex system of compensation for the damage caused by breach of non-pecuniary rights must be taken into account. This system entails ordinary and emergency non-pecuniary measures, but also pecuniary compensation.

Thirdly, after analyzing the content of the express provision for compensation for damages created by breach of non-pecuniary rights in the new Civil Code, the significant legal literature on this matter and, especially, the case-law of Romanian courts [a significant part of this chapter being dedicated to the latter], the conclusions show a reconfiguration of the general conditions needed to trigger civil responsibility. They need to be subjected to a complex verification having regard to the case law of European Court of Human Rights and the Court of Justice of the European Union [if applicable] on fundamental rights, and also to the limits of non-pecuniary civil rights detailed in the new Civil Code.

In conclusion, civil liability for damage caused by breach of non-pecuniary rights has autonomous standing in the legal regime of civil liability in Romanian civil law, presenting numerous particularities.

Therefore, the autonomous legal ground which triggers the civil liability of data controllers must be applied and interpreted within the complex system of the entire civil liability mechanism of the Romanian civil law. This system, in the case of data protection, can be imagined as a Matryoshka doll. The smallest of the “dolls” is represented by the hypothesis enshrined in Article 18(2) of Law no. 677/2001, which is comprised by the hypothesis of civil liability for damages created by breach of non-pecuniary rights enshrined in Article 253(4) NCC, which is comprised by the general provision for civil liability, enshrined in Article 1349 NCC. As such, each hypothesis has its own individuality and independent existence. However, they can be used as a whole, this characteristic conferring uniqueness to the whole system and effectiveness in protecting the rights of the data subject and, ultimately, the right to personal data protection.

Considering that the right to personal data protection is a subjective non-pecuniary right, the dispositions in Articles 252-256 NCC are applicable to its protection, starting with the rules of a mixed system of compensation for the non-pecuniary damage, and finishing with the rules envisaging the revised test which triggers civil liability. The specialization of civil liability for damages caused by breach of unlawful data processing pursuant to Article 18(2) of Law no. 677/2001 has as a consequence the systemic application of data protection law, in order to establish whether there was indeed a breach.

Chapter 8 details the administrative means of protection of the civil rights of the data subject, introducing the National Authority for the Supervision of Personal Data Processing (NASPDP), its competences and procedures.

According to paragraph 62 of the Preamble of Directive 95/46, data protection authorities, in general, are fundamental for an effective data protection system. Their purpose is not solely to sanction breaches of the rights of the data subject, but also to be an integrated part in the system for the protection of personal data, having several roles: punitive, normative and consultative. This is why the creation of national data protection authorities was imposed by the EU as harmonization standard through Article 28 of Directive 95/46. According to Article 28(1) of the DPD, each Member State must have one or more public authorities responsible for monitoring the application within its territory of the data protection laws, which must act with complete independence in exercising the functions entrusted to them.

The minimum competences that a data protection authority must have, according to Article 28(3) of the directive, are the following: (i) investigative powers, (ii) effective powers of intervention, such as that of delivering opinions before processing operations are carried out, of ordering the blocking, erasure or destruction of data, (iii) the power to engage in legal proceedings where the national data protection provisions have been violated. To these, Article 28(2) DPD adds (iv) the competence to be a consultative body for administrative measures or regulations in the field of personal data protection.

The sanctions to be applied for violations of data protection law are decided by the Member States, without the Directive establishing a minimum level for the value of the sanctions or the type of legal responsibility to be engaged in the case of data protection law violations. According to a Fundamental Rights Agency report (“Data Protection in the European Union: The Role of Data Protection Authorities”, 2010), the transposition of such a general provision into national legal systems generated significant variations, which were also influenced by national laws in administrative and criminal law, both at the time of the entering into force of data protection law and at the time of their subsequent application.

Romania initially chose to confer the function of a data protection authority on the already existing Ombudsman, according to the first version of Law no. 677/2001. This option proved to be deficient: four years later, the Parliament voted a special law for the creation of a new public authority – NASPDP.

The Romanian DPA enjoys efficient legal means to ensure an effective protection for the rights of the data subject, which are in accordance with EU law. However, the activity of the NASPDP does not often rise to the level of its competences and of the fundamental role it has in the protection of the fundamental rights of the data subjects. The EU Fundamental Rights Agency remarked in the 2010 report on DPAs, with regard to the activity of the European data protection authorities, that “in many Member States, DPAs are not in a position to carry out the entirety of their tasks because of the limited economic and human resources available to them”, listing Romania among those states. Moreover, the Agency observes that in many states, such as Bulgaria, Denmark, Slovakia and Romania, “a gap exists between the protection of the right to privacy in theory, which may formally conform to the requirements of EU and international law, and its protection in the law in practice”.

As a conclusion of Part III, data subjects enjoy a multitude of legal means of protection for their rights with regard to personal data processing. In this entire system of protection, the data subjects themselves play the fundamental role, because as long as they acknowledge the risks of unlawful processing of their private data by different data controllers, they will also realize that the initiative to protect their fundamental rights through the procedural rights contained within the right of personal data protection belongs to them. It is the only way in which this extremely detailed and well construed normative system will become effective.

In conclusion, the thesis showed that the rights of the data subject to control the processing of their private data (the right to be informed, the right to access, the right to rectification, the right to object to data processing and the right to object to automated individual decisions) are prerogatives within the content of the subjective right to the protection of personal data. The thesis also analyzed in detail the particularities of the transposition of these rights from Directive 95/46 in the Romanian legal system, the influence which the ECHR case-law has upon them, especially upon the right to access, and the way in which they will be regulated in the near future in the EU. The entire endeavor leads to the conclusion that individuals have sufficient legal instruments to protect their personality rights in the Information Society. For those rights to be effective, individuals themselves need to acknowledge the risks entailed by data processing and digital storage of personal data, and the existence of their rights and the means to exercise them.

[1] E. Chelaru, Drepturile personalităţii în reglementarea Noului Cod Civil, Revista Dreptul, nr. 10/2011, p. 61.

[2] S. Gutwirth, Privacy and the Information Age, Rowman & Littlefield Publishers, Inc., USA, 2002, p. 85.

[3] P. Carey, Data Protection. A practical guide to UK and EU law, 3rd edition, Oxford University Press, 2009, p. 130.

The Data Surveillance State in the US and Europe

by Joel Reidenberg


The democracies on both sides of the Atlantic are trying to balance the legitimate needs of the law enforcement and intelligence communities to access online transactional data with the basic rights of citizens to be free from state intrusions on their privacy.
From the recent revelations of massive collection of telecommunications data by the US government to the disclosures of the UK tapping transatlantic telecommunications cables, and of the Swedish government’s warrantless wiretap rules, national data surveillance seems to have few boundaries that the law has effectively protected.
American law has generally focused on access restraints for government to obtain privately held information, ignored the collection and storage of data, and granted special privileges to national security actors. By contrast, Europe emphasizes rules related to the collection and retention of data and focuses less on due process obstacles for government access, while also giving government easier access for national security.
In each system, the elusive linkage between retention and access, the privatization of state surveillance activity, and flawed oversight for national security create extensive transparency of citizen’s data and undermine values of democracy including the presumption of innocence, the state’s monopoly on law enforcement, and the zone of individual freedom.
In effect, government data surveillance law in both Europe and the United States has reached a turning point for the future of information privacy online. Three proposals can help to secure privacy that is necessary to preserve democratic values: stricter retention limits must be combined with stronger access controls; government access to personal information must be logged and transparent to citizens; and government officials must be personally liable for over-reaching behavior.

Wake Forest Law Review forthcoming

Full-text paper (draft) HERE.

Harvard Business Review: The Value of Big Data Isn’t the Data

Kristian J. Hammond wrote an interesting piece on the real value of big data in the Harvard Business Review blog:

“It is clear that a new age is upon us. Evidence-based decision-making (aka Big Data) is not just the latest fad, it’s the future of how we are going to guide and grow business. But let’s be very clear: There is a huge distinction to be made between “evidence” and “data.” The former is the end game for understanding where your business has been and where it needs to go. The latter is the instrument that lets us get to that end game. Data itself isn’t the solution. It’s just part of the path to that solution.

The confusion here is understandable. In an effort to move from the Wild West world of shoot-from-the-hip decision making to a more evidence-based model, companies realized that they would need data. As a result, organizations started metering and monitoring every aspect of their businesses. Sales, manufacturing, shipping, costs and whatever else could be captured were all tracked and turned into well-controlled (or not so well-controlled) data.

I would argue that what you want and what you need is to turn that data into a story. A story explains the data rather than just exposing it or displaying it. A narrative that gives you context to today’s numbers by exploring the trends and comparisons that you need in order to make sense of it all. The belief that Artificial Intelligence can support the generation of natural language reporting from data is what drove me to help found our company, Narrative Science. I fundamentally believe that a machine can tackle and succeed at freeing insight from data to provide the last mile in making big data useful, and this belief was the driver in building out a technology platform that makes it real.”