Showing papers in "International Data Privacy Law in 2013"
TL;DR: In this paper, the authors argue that this Regulation, in seeking to remedy some longstanding deficiencies with the DPD as well as more recent issues associated with targeting, profiling, and consumer mistrust, relies too heavily on the discredited informed choice model, and therefore fails to fully engage with the impending Big Data tsunami.
Abstract: ‘Big Data’ refers to novel ways in which organizations, including government and businesses, combine diverse digital datasets and then use statistics and other data mining techniques to extract from them both hidden information and surprising correlations. While Big Data promises significant economic and social benefits, it also raises serious privacy concerns. In particular, Big Data challenges the Fair Information Practices (FIPs), which form the basis of all modern privacy law. Probably the most influential privacy law in the world today is the European Union Data Protection Directive 95/46 EC (DPD). In January 2012, the European Commission (EC) released a proposal to reform and replace the DPD by adopting a new Regulation. In what follows, I argue that this Regulation, in seeking to remedy some longstanding deficiencies with the DPD as well as more recent issues associated with targeting, profiling, and consumer mistrust, relies too heavily on the discredited informed choice model, and therefore fails to fully engage with the impending Big Data tsunami. My contention is that when this advancing wave arrives, it will so overwhelm the core privacy principles of informed choice and data minimization on which the DPD rests that reform efforts will not be enough. Rather, an adequate response must combine legal reform with the encouragement of new business models premised on consumer empowerment and supported by a personal data ecosystem. This new business model is important for two reasons: First, existing business models have proven time and again that privacy regulation is no match for them. Businesses inevitably collect and use more and more personal data, and while consumers realize many benefits in exchange, there is little doubt that businesses, not consumers, control the market in personal data with their own interests in mind.
Second, a new business model, which I describe below, promises to stand processing of personal data on its head by shifting control over both the collection and use of data from firms to individuals. This new business model arguably stands a chance of making the FIPs efficacious by giving individuals the capacity to benefit from Big Data and hence the motivation to learn about and control how their data are collected and used. It could also enable businesses to profit from a new breed of services
128 citations
TL;DR: The over-use of notice and consent presents increasing challenges in an age of ‘Big Data’, and these phenomena are receiving attention particularly in the context of the current review of the OECD Privacy Guidelines.
Abstract: Nowadays individuals are often presented with long and complex privacy notices routinely written by lawyers for lawyers, and are then requested to either ‘consent’ or abandon the use of the desired service. The over-use of notice and consent presents increasing challenges in an age of ‘Big Data’. These phenomena are receiving attention particularly in the context of the current review of the OECD Privacy Guidelines. In 2012 Microsoft sponsored an initiative designed to engage leading regulators, industry executives, public interest advocates, and academic experts in frank discussions about the role of individual control and notice and consent in data protection today, and alternative models for providing better protection for both information privacy and valuable data flows in the emerging world of Big Data and cloud computing.
114 citations
TL;DR: This article discusses the relevant jurisprudence of Europe’s two highest courts, the Strasbourg Court or ECtHR and the CJEU, with regard to the differences between privacy and data protection.
Abstract: based on EU secondary legislation and does not yet take into account the fundamental right to data protection enshrined in the Charter of Fundamental Rights of the European Union that has meanwhile become a binding part of EU primary law. Both legal developments raise the question of whether the fundamental right to data protection is only a subset of the right to privacy, or whether it also provides additional protection. This article discusses the relevant jurisprudence of Europe’s two highest courts, the European Court of Human Rights in Strasbourg (the Strasbourg Court or ECtHR) and the CJEU, with regard to the differences between privacy and data protection. Though both courts tend to treat data protection as an expression of the right to privacy, the specifics of each right must be respected. Before turning to the case law, it is necessary to address the two underlying systems of fundamental rights protection, as well as the specific provisions on privacy and data protection within these two systems. Afterwards we will examine the interpretation of the two rights by the two courts and highlight the differences between them. Finally, we will attempt to illustrate the differences and overlaps between privacy and data protection using the example of the pending Google and Google Spain case.
90 citations
TL;DR: This article argues that data protection should be ‘reconstructed’ in order to operate as a fully-fledged fundamental right next to the right to privacy and discusses the shortcomings of the current theories and the existing case law of the ECJ on data protection.
Abstract: Data protection has always been linked to privacy in such a way that it is very difficult to assess its very notion, its purpose, and its value without falling back to privacy.
The entry into force of the Lisbon Treaty on 1 December 2009 marked a historic moment for data protection: the right was elevated to the status of a fundamental right within the EU legal order, alongside the right to privacy.
This article discusses the shortcomings of the current theories and the existing case law of the ECJ on data protection and argues that data protection should be ‘reconstructed’ in order to operate as a fully-fledged fundamental right next to the right to privacy.
Two conditions are necessary for this: First, a ‘core’ or ‘essence’ of the right to data protection should be recognized. Second, infringements of the right to data protection should be determined solely on the basis of the relevant data protection principles themselves without the need to recourse to the right to privacy.
34 citations
TL;DR: While understanding the right to be forgotten as a tool enabling users to better control their image and existence on the Internet, this paper analyses the ways in which this right may also function as a hindrance to freedom of expression.
Abstract: value, it is desirable for users to be able to exercise at least a modicum of control over personal information pertaining to themselves that is publicly available online. It is precisely this idea that underpins the European Commission’s proposed legislative reform to its privacy framework known as ‘right to be forgotten’. In enabling individuals to demand erasure of personal data previously shared online, the European Union seeks to give Internet users legal recourse to force data controllers to ‘forget’ their personal information. The application of this right in the digital world, however, may pose an obstacle to free expression and the public interest in access to information. Thus, while understanding the right to be forgotten as a tool enabling users to better control their image and existence on the Internet, this paper analyses the ways in which this right may also function as a hindrance to freedom of expression. The first part of the paper discusses the privacy framework of the EU and the notion of the right to be forgotten, while the second part examines the shortcomings of the concept. It then turns to the potential impact of the right to be forgotten on freedom of expression and access to information. Lastly, the paper addresses the contrast between the right to be forgotten and important perspectives in US privacy law.
23 citations
TL;DR: A widespread extraterritorial application of state law may well end up making it impossible for businesses to engage in cross-border trade, as seen in an unprecedented level of data privacy laws being enacted or revised around the world.
Abstract: The extraterritorial application of a country’s data privacy laws may severely impact the free speech and financial interests of other countries and their citizens. Yet, around the world, data privacy laws with extraterritorial scope are being introduced or reformed without much discussion, debate, or visible opposition. Indeed, we are currently witnessing an unprecedented level of data privacy laws being enacted (eg Singapore and Malaysia) or revised (eg Australia and the European Union) around the world. Most importantly, the European Union (EU) is in the process of modernizing its data privacy law by replacing its Data Protection Directive 1995 with a new data protection Regulation. Interestingly, that Regulation, with its potential for penalties of up to 2 per cent of an offending enterprise’s annual worldwide turnover, looks likely to apply also to any non-EU enterprise that processes data about persons residing in the EU under certain circumstances. This means that the EU law, with its potential for heavy fines and wide extraterritorial scope, is likely to directly affect businesses around the world. As noted elsewhere, in essence, the conundrum we are faced with can be expressed as follows: extraterritorial jurisdictional claims are reasonable because if states do not extend their data protection to the conduct of foreign parties, they are not providing effective protection for their citizens. At the same time, wide extraterritorial jurisdictional claims are arguably unreasonable because it is not possible for those active on the Internet to adjust their conduct to all the laws of all the countries in the world with which they come into contact. In other words, a widespread extraterritorial application of state law may well end up making it impossible for businesses to engage in cross-border trade. On some occasions, articles in this journal have dealt with extraterritoriality in some detail. 
Most specifically, in two articles published during the journal’s first year, Moerel addressed the extraterritoriality of EU data privacy law. Further, the editorial of issue 3(3) of this journal sought to bring attention to this important
19 citations
TL;DR: It can be argued that the Draft Regulation contains a set of requirements and obligations that can be described as a comprehensive 'Data Protection Compliance Program' ("DPCP") which itself creates an "appropriate balance" between data protection and free flow of information/data.
Abstract: Both Directive 95/46/EC and the new data protection framework proposed by the European Commission (the Draft Regulation published on January 25, 2012) aim to find an appropriate balance between data subjects’ rights and safeguards, and the free processing (and flow) of information across the European Union (and beyond), for an economic, compatible growth in line with the expectations of society (the "appropriate balance"). Therefore, lawful processing should be subject to the so-called "balancing test" which establishes the ultimate level of protection that can effectively be guaranteed when personal data is processed. In this respect, it can be argued that the Draft Regulation contains a set of requirements and obligations that can be described as a comprehensive 'Data Protection Compliance Program' ("DPCP") which itself creates an "appropriate balance" between data protection and free flow of information/data.
16 citations
TL;DR: In 2010, the Economic Community of West African States (ECOWAS) adopted a sub-regional framework for its member states to harmonize the emerging national data protection legislation and perhaps to prevent disruption of flow of personal data.
Abstract: Over four decades of the development of data protection laws, the world has witnessed data protection regimes finally arriving in Africa. At present, there are eleven African countries out of 54 with comprehensive data protection legislation. These are Cape Verde (22 January 2001), Seychelles (24 December 2003), Burkina Faso (20 April 2004), Mauritius (17 June 2004), Tunisia (27 July 2004), Senegal (15 January 2008), Morocco (18 February 2009), Benin (27 April 2009), Angola (17 June 2011), Gabon (25 September 2011), and Ghana (10 February 2012). At the same time, in an attempt to harmonize the emerging national data protection legislation and perhaps to prevent disruption of flow of personal data, in 2010 the Economic Community of West African States (ECOWAS) adopted a sub-regional framework for its member states. In contrast, in the same year the East African Community (EAC) adopted data privacy recommendations for its members. While these recommendations do not stipulate substantive data protection principles as is the case with most other sub-regional and regional codes of data protection, they intend to encourage the member states to align with the international best practices. The Southern African Development Community (SADC) and the African Union (AU) are still considering drafts of data privacy instruments. As is the case elsewhere, the emerging data protection regime in Africa is partly influenced by the European Union Data Protection Directive 95/46/EC. The international regime for the transfer of personal data contained in the Directive 95/46/EC, particularly Articles 25–26, is most frequently cited by commentators as one of the forces behind this development. Article 25 of the EU Directive restricts the transfer of personal data to third countries, that is non EU/EEA countries, unless such countries afford an ‘adequate’ level of data protection. 
However, under Article 26 of Directive 95/46/EC personal data may still be transferred from EU/EEA to third countries even if such countries fail to pass the ‘adequacy’ test. Yet, this is only a limited option as it is a derogation from the main rule in Article 25 of the Directive. Undoubtedly, the requirements of Article 25 of Directive 95/46/EC necessitated the above four African
16 citations
TL;DR: The recent revelations have exceeded what was publicly known, and have put the phenomenon of government access to online data in a whole new light, and the importance of asking the right questions is stressed so that decisions can be made about what the proper balance is between privacy and security.
Abstract: Both the offline and online media have reported extensively on access by the US National Security Agency (NSA) to electronic communications data held by private companies, most notably via the so-called PRISM program. Meanwhile, there is growing concern regarding reports the UK’s Government Communications Headquarters (GCHQ) is conducting massive surveillance of communications traffic both on its own behalf and for the benefit of other members of the ‘Five Eyes Alliance’ (comprising the UK, the USA, Canada, Australia, and New Zealand), and other European governments have been reported to have entered into arrangements to share the data collected by the USA and the UK. At least one European government (France) allegedly also runs a vast electronic surveillance operation of its own. We hesitate to make pronouncements about such developments before the facts are clear, but feel justified in predicting that they will have significant long-term impacts on data protection and privacy law around the world, and on the political, economic, and social climate for data processing. Not that there is anything new in systematic governmental access to private sector data. In November 2012 we published a symposium issue (volume 2, number 4 of IDPL) containing legal analysis of such access in nine countries (Australia, Canada, China, Germany, India, Israel, Japan, the UK, and the USA; further reports will be published in an upcoming issue), and a guest editorial concluded that it is a widespread phenomenon and gives rise to a number of legal issues that should be urgently addressed. Systematic government access to private data thus goes far beyond a particular country and a particular intelligence agency. Nevertheless, in their scope and detail, the recent revelations have exceeded what was publicly known, and have put the phenomenon of government access to online data in a whole new light. 
We acknowledge that data protection and privacy are not absolute rights, and the difficulty of balancing them against other important societal values, such as public security. These sorts of determinations go beyond what can be dealt with in an editorial; rather, we want to stress the importance of asking the right questions so that decisions can be made about what the proper balance is between privacy and security. The following are a few fundamental questions raised by these revelations:
TL;DR: It is predicted that the extraterritorial application of data privacy laws will emerge more clearly as one of the most significant and urgent cross-border law questions over the coming years.
Abstract: Back in 1996, Rotenberg noted that: ‘Privacy will be to the information economy of the next century what consumer protection and environmental concerns have been to the industrial society of the 20th century.’ This prophecy has largely been fulfilled. However, one aspect of data privacy law that has yet to gain the attention it deserves is the extraterritorial scope of data privacy laws. In a world so characterized by globalization, it is highly surprising that this issue has gained so little attention. Thus, our prophecy is that the extraterritorial application of data privacy laws will emerge more clearly as one of the most significant and urgent cross-border law questions over the coming years. This point of view is supported by the fact that data privacy laws with extraterritorial reach are currently being enacted (e.g. Singapore and Malaysia), or revised (e.g. Australia and the EU), around the world (due in no small part to a desire to better address online privacy concerns) and their role is growing in importance, not least due to:
TL;DR: Countering the phenomena of data lock-in and ‘social’ lock-in is fundamental in order to offer privacy-oriented and trustworthy services, which increase user propensity to share data and stimulate the digital economy and fair competition.
Abstract: The increasing demand from individuals to have their privacy respected or to take decisions about the management of their information assumes a significant role in business activities and it becomes an important element for building public trust in service providers. In this scenario, keeping the focus of data protection only on the individual and his or her decisions is no longer adequate. If legislators consider data protection as a fundamental right, it is necessary to reinforce its protection in order to make it effective and not conditioned by the asymmetries which characterize the relationship between data subject and data controllers. This aim is implemented by the EU proposal by means of three different instruments: data protection impact assessment, privacy by design/by default solutions, and the data minimization principle. The competitive value of data protection can be assured and enhanced only if the user's self-determination over personal data is guaranteed. From this point of view, countering the phenomena of data lock-in and ‘social' lock-in is fundamental in order to offer privacy-oriented and trustworthy services, which increase user propensity to share data and stimulate the digital economy and fair competition.
TL;DR: Wang et al. as mentioned in this paper pointed out that the pursuit of social monitoring and public shaming through Internet powered manhunts, which is known as human flesh search (HFS), appears increasingly rampant in China and is insufficiently regulated.
Abstract: The Internet has become a driving force that is shaping Chinese society, and which causes conflicts between free speech and privacy. The pursuit of social monitoring and public shaming through Internet powered manhunts, which is known as human flesh search (HFS), appears increasingly rampant in China and is insufficiently regulated. HFS reflects the desire for justice on the part of netizens, and has the potential to open up access to government and promote transparency. However, there is a dark side to the phenomenon of HFS, since it inevitably raises longstanding concerns over the unreasonable intrusion on another critical value, that is, of personal privacy.
TL;DR: In this paper, the authors examine host providers' liabilities and duties with regard to user-generated content, focusing on the novelties contained in the ‘Proposal for a Data Protection Regulation’, recently advanced by the EU Commission.
Abstract: This article examines host providers’ liabilities and duties with regard to user-generated content, focusing on the novelties contained in the ‘Proposal for a Data Protection Regulation’, recently advanced by the EU Commission.
First, it considers how the Proposal addresses the contentious overlap of e-commerce immunities and data protection rules.
Then it considers providers’ knowledge that illegal personal information has been uploaded on their platform, and examines whether such knowledge should terminate providers’ immunity.
Finally, it critically assesses the right to be forgotten, newly introduced in the Proposal, and the sanctions for its violation.
TL;DR: The Data Protection Commissioner will continue to work to raise the profile of data protection among the citizens of Mauritius, and to meet high standards in issuing decisions and dealing with legal issues that are brought before her.
Abstract: The Data Protection Commissioner of Mauritius faces many challenges as the country upgrades its legal framework to become closer to EU standards.
The Commissioner’s decisions have thus far always respected the law, as well as taking basic jurisprudential principles into account.
The Commissioner will continue to work to raise the profile of data protection among the citizens of Mauritius, and to meet high standards in issuing decisions and dealing with legal issues that are brought before her.
TL;DR: IDPL is regarded as a forum for discussing important issues of data protection and privacy law, and thus as a way to give something back to what the editors regard as one of the most fascinating and important areas of law.
Abstract: Over the last decade, privacy has become big business. Company executives hobnob with data protection regulators at conferences held all over the world; associations of privacy officers are experiencing exponential growth in membership; data protection has become a money-maker for consultancies and law firms (as well as for academics who provide consulting services); and lobbyists engage policy-makers in an effort to influence data protection and privacy regulation. In the past, data protection was seen mainly as a cost factor, but now it is increasingly becoming a way to make money, and to ensure the continued trust of customers, employees, and business partners. The economic importance of data processing makes it natural that the business of privacy would expand as well. Viewing privacy as a business opportunity can result in increased attention and resources being devoted to its protection. In recent years, governments and regulators have emphasized that respect for data protection and privacy should be seen as a way to strengthen confidence in online commerce, and have encouraged the growth of the professional side of privacy; indeed, there is evidence that viewing privacy as a business enabler can itself be a powerful factor to encourage respect for regulation. All of this has led more and more companies to take steps to protect privacy as a way to strengthen their brands and enhance customer confidence through measures such as appointing internal privacy compliance officers and taking the impact of business decisions on privacy into account before they are implemented, developments that are all to the good. At the same time, these developments raise questions. Most countries with data protection laws regard privacy as a fundamental right, and viewing the protection of a fundamental right as a money-making opportunity may seem distasteful. 
The number and cost of conferences and seminars covering privacy issues often seems excessive (not to mention the environmental implications of privacy experts travelling all over the world to attend them). The increasing number of professional firms offering consulting or legal services may have contributed to the emerging view of privacy compliance as a complex and costly exercise. And many small- and medium-sized companies struggle to afford the high cost of the privacy compliance industry, with the result that many simply ignore compliance altogether. It would be hypocritical for the editors to paint the ‘privacy industry’ in too negative a light, since each of us is involved in it in one way or another. On the contrary, we believe that creating economic incentives is one of the most effective ways to further privacy and data protection, and that the growth of privacy as a business area holds the potential to motivate compliance with privacy regulation and individual expectations not just as a matter of law, but for pragmatic economic reasons as well. We see nothing wrong per se with making money from data protection and privacy, as long as the monetary rewards are kept in proportion to the reasons that privacy is protected in the first place. Data protection is not purely a money-making activity like investment banking, but exists to protect fundamental values cherished by societies around the world. This means that everyone involved in the business of data privacy should ask not just how to make it more profitable for themselves, but also how they can use it to give something back to society. Making such contributions need not be a grandiose endeavour, and can include things such as writing articles to explain complicated legal issues to a wider audience; teaching data privacy law to students; and engaging in pro bono activities on behalf of individuals and small organizations.
Indeed, we regard IDPL as a forum for discussing important issues of data protection and privacy law, and thus as a way to give something back to what we regard as one of the most fascinating and important areas of law.
TL;DR: Traditional data protection regulation provides limited comfort for those concerned about the impact of F2D, and facial recognition as such is a broader phenomenon than F2D.
Abstract: The constant development of technology gives rise to an equally constant stream of privacy issues. One of the most interesting recent developments is what we can call face-to-data (F2D). F2D refers to at least partially automated processes for accessing personal information about a person based on an image of that person’s face. Ground-breaking research by a team of researchers from Carnegie Mellon University has highlighted that advances in face recognition technology, combined with the widespread posting of images linked to names on, for example, social media sites, and the processing power provided by advances in cloud computing, create a new set of privacy issues, similar to, but also distinct from, traditional privacy issues associated with facial recognition. The Carnegie Mellon University team ran a series of experiments. For example, using a search tool, they built up a database of images and names collected from publicly available Facebook profiles. They then captured images of consenting students and ran those images through off-the-shelf face-recognition software, linking in the data gained from the Facebook profiles. In the test, about a third of the students were identified. The Carnegie Mellon work is striking because it uses commonly available devices (ie an iPhone) to perform highly effective facial recognition using candid photographs, and then links those to a series of databases to generate an immediate response. So, for example, a person may use a phone on a street, take a picture, and within seconds have back the Social Security Number and street addresses of the people photographed. Information that can then be used to, manually or through automated processes, extract further personal data about those people. In light of this, the facial recognition aspect is only one part of the overall process of concern here, and facial recognition as such is a broader phenomenon than F2D. 
Thus, to properly understand the phenomenon we are dealing with, it is undesirable to discuss F2D merely as a facial recognition issue. F2D can of course serve a variety of goals ranging from government surveillance, to business use and to satisfy personal curiosity, and it is interesting to consider how current data privacy laws address F2D. And with privacy laws being developed or changed in so many parts of the world, it is even more interesting to consider how the next generation of data privacy laws will address F2D. As is well known, the privacy regulation of today is largely focused on data use that falls outside the private sphere; that is, in those countries that do have some form of privacy regulation in place, there is typically some form of exemption for data use in the context of the ‘private affairs’ of individuals. This means that in most countries, while F2D for business purposes may be regulated, personal use would typically be unregulated. Furthermore, even in those countries, such as within the European Union, where commercial use may fall under applicable data protection schemes, it may be possible to circumvent the regulatory impact by placing a simple notice onsite informing potential customers of the use of F2D at that location, and then assuming that their failure to object to the processing should legitimize it. The conclusion is that traditional data protection regulation provides limited comfort for those concerned about the impact of F2D. While there have been some improvements to the rules governing consent in the EU General Data Protection Regulation proposed by the European Commission in January 2012, it seems unlikely that even the world’s most modern and protective legislative initiative will satisfy fully those fearing the privacy impact of F2D.
TL;DR: One of the functions of most data protection authorities is to decide complaints filed to them by individuals and institutions, and interpret data protection legislation.
Abstract: One of the functions of most data protection authorities is to decide complaints filed to them by individuals and institutions.
In the course of passing their decisions, data protection authorities interpret data protection legislation...