Alfonso Scirocco

Bio: Alfonso Scirocco is an academic researcher. The author has contributed to research in topics: Treaty & Data Protection Directive. The author has an hindex of 1, co-authored 1 publications receiving 37 citations.

The UK’s Legal Response to Terrorist Communication in the 21st Century: Striking the right balance between individual privacy and collective security in the digital age.

Abstract: The dynamics of private life have changed along with the vast advancements in 21st Century communications technology. Private conversations no longer simply take place in the citizens’ home or through using a landline telephone, but rather online through the Internet, social media and through the ever-growing list of chat applications available on the smartphone that allows encryption. However, what often follows the legitimate use of technological advancements is criminal, or in this case terrorist exploitation. In the digital age it has become increasingly easy for terrorist groups to communicate their propaganda and for individual terrorists to communicate freely. This has served to create an investigatory capabilities gap thereby increasing the pressures on UK policing and security agencies’, in fulfilling their task of protecting national security and protecting the citizens’ right to life. In response, the UK and the European Union (EU) have attempted to close the capabilities gap and thereby ensure collective security, by enacting new laws allowing the law enforcement agencies’ to monitor electronic communications. The UK Government has recently enacted the Investigatory Powers Act 2016 (IPA) that introduces and preserves the ability to bulk collect, and retain electronic communications data, and to attain the operators’ assistance in decryption. Although the IPA attempts to take a human rights approach, the main contentious elements in the Act are those in relation to the authorities’ capabilities to intercept electronic communications data on mass, and to retain such data. Specifically, concerns currently surround the introduction of ‘backdoors’ into encrypted online services, and bulk interception and equipment interference warrants, and bulk personal data sets, all of which serve to weaken the security and individual data protection and privacy rights of, potentially, the entire population. The Court of Justice of the European Union (CJEU) has been the most influential judicial body in terms of individual data protection, and thereby on the UK’s law making process, through its key judgements in Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and others, and the conjoined case of Karntner Landesregierung, Michael Seitlinger, Christof Tschohl and others (Digital Rights Ireland). The CJEU has done this by asserting the EU’s constitutional and legal prowess in protecting data protection, such as Article 8 of the Charter of Fundamental Rights and byway of two directives, namely the Data Protection Directive in 1995 and the e-Privacy Directive in 2002. In order to close the capabilities gap ensuring national security, the UK Government must ensure the law endures by safeguarding the cohesiveness with the jurisprudence of the CJEU and the European Court of Human Rights (ECtHR). The courts do focus on different elements, built around the Conventional rights, with the CJEU focused on data protection and the ECtHR on Article 8 right to privacy. To solve the balance between individual privacy and collective security, a human rights focus is required with emphasis placed on the practical reality that one cannot assert privacy rights, if one’s right to life is not fully protected in the first place. This focus must re-forge the UK’s counterterrorism legal structure. Taken in conjunction with the UK’s already broadly worded counterterrorism legal framework, particularly the lack of a freedom fighter exclusion within the legal definition of terrorism, the consequence is to almost criminalise any expression of a view that the armed resistance to a brutal or repressive anti-democratic regime, could in certain circumstances be justifiable, even where such resistance is directed away from non-combatant casualties’. Although the current counterterrorism structure is broad, the UK and the EU must police the Internet and remove the safe places used by criminals and terrorists. The IPA fashions a way within which to achieve this, but because it can be aimed at the whole population, subject to authorisation safeguards, and following historical case law dealing with blanket policies that effect the innocent, it is likely to receive continual CJEU and ECtHR judicial scrutiny. Post the UK’s exit from the EU however, the CJEU may become less important leaving the ECtHR to conduct the analysis. At present, the UK must follow CJEU rulings when the matter concerns EU law, whereas ECtHR decisions are merely recommendatory. The thesis found that overall, the balance between collective security and individual data privacy rights in the UK are fairly stable because of the role and importance of judicial review; judicial independence, and the over-arching scrutiny provided by commissioners and parliamentary committees. It is further argued that a blanket approach to retaining electronic communications data is necessary in finding the terrorist in the ever growing haystacks, because sometimes privacy rights and data protection must be curtailed to ensure the state can protect citizens’ rights to life.

Safeguarding data protection in an open data world : On the idea of balancing open data and data protection in the development of the smart city environment

Abstract: ion is a third strategy through which the values underlying privacy and data protection can be safeguarded by designing technologies as to limit, as much as possible in light of the processing purposes, the detail in which personal data is processed. As opposed to minimisation, abstraction does not limit the quantity of the data processed, but its granularity. Abstraction can be implemented by summarising certain attributes into less granular versions (e.g. by processing whether a data subject is a minor or not rather than the exact age), by grouping individual data into an aggregate group profile, or by perturbing the personal data processed by approximation or through the addition of random noise. A relevant pattern would be for instance location data fuzzing, 314 through which the accuracy of location information is decreased in a way that aims at preserving its general utility. Let us say that a smart city project requires the monitoring of individuals’ location data to identify aggregated movement patterns to be used as a basis for data-driven spatial planning: to what extent can the information capture technologies deployed abstract the data gathered while still being able to fulfil their goals? Even when personal data must be collected, and regardless of the level of detail necessary to achieve the processing’s purposes, data subjects’ information can be concealed. Hiding personal data, a last data-oriented strategy, can be achieved through several tactics: access restrictions, obfuscation (e.g. through encryption), disassociation to prevent linkability, and mixing it to hide its origin or its relationship with other data. The use of pseudonymous identities315 is a design pattern that well exemplifies how hiding personal information can be a valid design strategy – if a smart city service provider does not need to know a user’s real identity, it may very well be required to deal with a pseudonym, so that the identification of the data subject’s identity would need an additional step (and further transaction costs) to be performed. Likewise, when users’ inputs can lead to privacy breaches, a system that foresees the possibility to generate fake inputs that cannot be distinguished from real inputs so that the system operator cannot identify an unidentified data subject or infer the attributes of an identified data subject316 is a viable privacy pattern to implement the ‘hide’ strategy. Aside from the data-oriented privacy by design strategies and tactics above, there are also a number of process-oriented options through which the values underlying privacy and data protection can be transposed into the technologies that make up the technological layer of the smart city construct. The provision of information by design helps curbing the information asymmetry inherent to the deployment of smart city technologies. Informing data subjects, timely and adequately, about the processing of their personal data is a first process-oriented strategy, and can be implemented through the tactics of supplying information about the processing to data subjects, explaining its logic, and notifying individual data subjects about processing events that specifically concern them. Examples of design patterns that implement 313 See https://privacypatterns.org/patterns/Personal-data-store. 314 See https://privacypatterns.org/patterns/Location-granularity. 315 See https://privacypatterns.org/patterns/Pseudonymous-identity. 316 See https://privacypatterns.org/patterns/Use-of-dummies.

Recent developments in data protection at European Union level

Abstract: This article gives an overview of the main developments in data protection at European Union level. It discusses the impact of the Lisbon Treaty, as well as some elements of the Stockholm Programme and two public consultations by the Commission on a future framework for data protection within the European Union and on the usefulness of an agreement with the United States on data protection principles to be applied on transatlantic exchanges. Finally, it explains two recent Court cases of significance for data protection. On 2 March 2010 the German Federal Constitutional Court (the ‘Bundesverfassungsgericht’) ruled on the legality of the retention of telecommunications data and on 9 March 2010 the European Court of Justice specified the criteria for the independence of data protection authorities under European Union law.