Can you briefly describe what your research project is about?
Broadly speaking, the Privacy-Aware Cloud Ecosystems (PACE) project aims to develop a computational infrastructure capable of both enabling users to better understand which entities have access to and process their personal data and enabling cloud-hosted services to elicit meaningful user consent for personal data processing. Both positive developments, in turn, have the potential to improve compliance with the General Data Protection Regulation (GDPR) in a way that is dynamic and more consistent with the expectations of cloud ecosystems’ stakeholders (i.e. cloud service providers, cloud service customers and data subjects).
How is it different from other research projects in the topic?
Legal research on data protection in general and consent in particular almost invariably follows a silo approach, with an excessive focus on the current regulatory framework and its pitfalls, paying lip service to other disciplines that can dramatically contribute to improving data protection law compliance and thereby protect individuals’ fundamental rights. PACE, conversely, is a multi-disciplinary project, featuring the involvement of data scientists from Cardiff University and Newcastle University, as well as public policy scholars from UCL STEaPP. The computer science team is developing a permission-based ledger built upon blockchain technology that will ensure that all personal data access instances by diverse players in cloud ecosystems can be securely recorded and verified by users of cloud-hosted services. This solution will improve transparency by enabling the possibility to audit users’ data trails, thereby eliciting greater trust. The public policy team, in turn, is developing a set of policy requirements that will align with the GDPR and will be embedded in the technological solution. All recorded events on the blockchain will comply with said requirements, thereby promoting data protection law compliance. Accordingly, PACE is a unique and ambitious multi-faceted project, not so much aimed at exposing the rather apparent pitfalls of the data protection regulatory framework in the context of cloud ecosystems, but instead seeking to take advantage of technology to produce a solution capable of adapting such framework to the actual operation of cloud-based services.
What do you find exciting about this project?
The fact that user consent as a legal basis legitimising the processing of personal data has been rendered unfit for purpose in the digital economy is undisputed. With the increasing adoption of online services, users are bombarded with consent requests, leading to a scenario where we just ‘tick the box’ and agree to highly intrusive data processing practices, without understanding the potential consequences of these actions. Worst still, data protection concerns are compounded in cloud ecosystems, where a common infrastructure scattered across different parts of the world is shared amongst an array of entities, and personal data is transferred in ways that data subjects and even data controllers cannot possibly anticipate. This state of affairs depicts a bleak data protection scenario, which fuels user distrust and prevents the full realisation of the benefits that cloud technology can offer. As a competition and data protection law scholar focused on online platform markets, I was increasingly concerned by such a dreary scenario, overwhelmed by a growing sense of hopelessness arising from the observation that the emergence of privacy-enhancing market solutions was highly unlikely. However, PACE does in fact have a remarkable potential to endow again user consent with meaning, restore its role in the protection of users’ autonomy and informational self-determination, and enable the launching of new privacy-driven services. Being able to participate in a project having such potential for positive impact is tremendously exciting, as I was not even dreaming about such a possibility only a few months ago.
What are you working on now to prepare for the next stage of the project?
We are at the very early stages of PACE, so great challenges lie ahead! Currently, I am conducting a literature review of consent in the cloud, as well as identifying data protection concerns posed by blockchain technology. These activities have provided the basis for two data protection law articles, hopefully, to be published in the first half of the next year. Importantly, I am making multiple efforts to achieve the necessary coordination with the other teams involved in PACE, with a view to kickstarting the project on the right track.