
Showing papers in "International Data Privacy Law in 2014"


Journal ArticleDOI
TL;DR: In this paper, the authors argue that the current legal reform will fail to revive European data protection law, since its three main objectives are based on fallacies, including the delusion that data protection law can give individuals control over their data, which it cannot, and the misconception that the reform simplifies the law, while in fact it makes compliance even more complex.
Abstract: • The trouble with European data protection law, as with Alfred Hitchcock's Harry, is that it is dead. The current legal reform will fail to revive it, since its three main objectives are based on fallacies. • The first fallacy is the delusion that data protection law can give individuals control over their data, which it cannot. The second is the misconception that the reform simplifies the law, while in fact it makes compliance even more complex. The third is the assumption that data protection law should be comprehensive, which stretches data protection to the point of breaking and makes it meaningless law in the books. • Unless data protection reform starts looking in other directions—going back to basics, playing other regulatory tunes on different instruments in other legal areas, and revitalising the spirit of data protection by stimulating best practices—data protection will remain dead. Or, worse perhaps, a zombie.

84 citations



Journal ArticleDOI
TL;DR: The European Commission's proposal for a General Data Protection Regulation (GDPR), which will replace the Data Protection Directive from 1995 over time, introduces a number of specific obligations and rights in order to protect the interests of the citizen and consumer and provides far-reaching powers for governmental agencies to enforce these rules.
Abstract: Currently under discussion is the European Commission’s proposal for a General Data Protection Regulation, which will replace the Data Protection Directive from 1995 over time. The Regulation proposes to introduce a number of specific obligations and rights in order to protect the interests of the citizen and consumer and provides far-reaching powers for governmental agencies to enforce these rules. However, not only is this directly against the original purpose of and ratio behind data protection rules, moreover, an increased emphasis on consumer interests and rights to control personal data seems an inadequate tool for solving the current problems involved with Big Data.

29 citations


Journal ArticleDOI
TL;DR: The internet privacy policy agenda in 2011 was dominated by global discussion about online behavioural advertising, a push in the United States for ‘do not track’ when online browsing, and a European debate about consumer consent requirements for internet cookies.
Abstract: The ongoing US Federal Trade Commission inquiry into the business activities of so-called data brokers ignited a global privacy policy debate about the matching of disparate datasets to assemble profiles of individuals. The internet privacy policy agenda in 2011 was dominated by global discussion about online behavioural advertising, a push in the United States for ‘do not track’ when online browsing, and a European debate about consumer consent requirements for internet cookies. In 2012 the European Union again turned its focus inward and, in particular, to a debate about the European Commission’s proposal for a comprehensive rewrite of the privacy directive with a draft General Data Protection Regulation and draft General Data Protection Directive. In early 2012 there was a broader debate on consumer privacy issues that was first enlivened by the

27 citations


Journal ArticleDOI
TL;DR: A fundamental question is whether data protection law is being adjusted in order to better match the current information technology or whether in the long run the only real and decisive novelty is that the law will be communicated through a regulation rather than a directive.
Abstract: Expectations and myths In all fields of law it is a common expectation that new rules are instigated in order to solve issues that the old rules could not solve. The legal situation is to be improved as it does not meet the demands of society satisfactorily. In a field such as data protection, in which the very generally framed rules have significant impact on almost all parts of society and where it is well-known that legal change is complex and challenging, this expectation must be taken particularly seriously. The fundamental right to the protection of personal data must be fulfilled in a way that is better than it was before. Against this background it is necessary to consider carefully to which extent the proposed General Data Protection Regulation (hereafter the Regulation) will actually change the law as it follows not only from the wording of the current Data Protection Directive 95/46 (hereafter the Directive) but also compared with the practice that has developed during the life span of the Directive. Many of the rules in the Directive are flexible and data protection law is in many respects not the same as it was in 1998 when the Directive came into force. It is even more important to consider whether data protection will be sufficiently adjusted to current data processing and be balanced in an acceptable way viewed from the divergent perspectives of data subjects, controllers, and society. The proposed Regulation may be seen as a combination of new rules, codifications of practice, and the status quo. Data protection is not completely new and quite a lot of the changes are not entirely unexpected. A fundamental question is whether data protection law is being adjusted in order to better match the current information technology or whether in the long run the only real and decisive novelty is that the law will be communicated through a regulation rather than a directive. 
In other words whether the legal policy battle primarily concerns how strong a player the EU should be in this field. Another way to phrase this question is whether

17 citations


Journal ArticleDOI
TL;DR: Systematic access raises hard questions for companies that face demands for government access to data they hold, including what information about their responses to these demands they may disclose to their customers and to the public.
Abstract: In recent years, there has been an increase worldwide in government demands for data held by the private sector, driven by a variety of factors. This increase includes an expansion in government requests for what could be called ‘systematic access’: direct access by the government to private-sector databases or networks, or government access, whether direct or mediated by the company that maintains the database or network, to large volumes of data. Recent revelations about systematic access programmes conducted by the United States, the United Kingdom and other countries have dramatically illustrated the issue and brought it to the forefront of international debates. Systematic access raises hard questions for companies that face demands for government access to data they hold. They must decide whether the demand or request is lawful, though the law may be vague. Although it seems that systematic access is growing, there are also cases—in Germany, Canada, and the UK—where government proposals for expanded access have recently been rejected due to public and corporate concerns about privacy, cost, and the impact on innovation. Companies must also decide what information about their responses to these demands they may disclose to their customers and to the public—the ‘transparency’ issue that has received increased attention since June 2013 as discussed in this article. This paper is the culmination of research that began in 2011, and included the commissioning of outside experts to write reports about laws, court decisions, and actual practices relating to systematic government access to private-sector data in 13 countries (Australia, Brazil, Canada, China, France, Germany, India, Israel, Italy, This article builds on the symposia on systematic government access to private-sector data contained in Volume 2 Number 4 and Volume 4 Number 1 of IDPL

13 citations


Journal ArticleDOI
TL;DR: When introducing the reform package for data protection legislation in the EU, the Commission gave two main reasons: the differences in implementation of the existing EU data protection framework in the member states and legal uncertainty concerning how to deal with the ‘significant risks associated notably with online activity’.
Abstract: When introducing the reform package for data protection legislation in the Union, the EU Commission gave two main reasons for its activity, namely the differences in implementation of the existing EU data protection framework in the member states and legal uncertainty concerning how to deal with the ‘significant risks associated notably with online activity’. The proposal took the approach that the first problem should be remedied by having a data protection regulation instead of a directive, and the second problem should be solved by additional legal provisions dealing specifically with the risks of the online world. Does the proposal take the correct

12 citations


Journal ArticleDOI
TL;DR: This paper discusses the preliminary opinion on the intersection of data protection, consumer protection and competition law published by the European Data Protection Supervisor (EDPS), which was followed by a workshop held under Chatham House rules in Brussels in June.
Abstract: In his seminal article ‘The Limits of Antitrust’, Easterbrook argued that ‘when everything is relevant, nothing is dispositive’; therefore, when applying competition law, judges should resort to clear presumptions rather than balancing the pro- and anti-competitive effects of particular conduct. In the intervening 20 years, much ink has been spilled on the issue of whether competition law should take into consideration wider policy objectives. This discussion has been given renewed impetus in recent months following the publication of a ‘preliminary opinion on the intersection of data protection, consumer protection and competition law’ in March of this year by the European Data Protection Supervisor (EDPS). The publication of this report was followed by a workshop held under Chatham House rules in Brussels in June, a summary of which was published by the EDPS in July. The report reflects lively discussions on several issues familiar to data protection experts, such as the role of personal data in the digital economy and how to foster privacy as a competitive advantage. However, it also serves to launch a debate regarding matters which have been overlooked or unsubstantiated thus far. Most significantly, the report queries whether the traditional tools of competition law, which focus on parameters such as price, quality, and choice can explain the impact of certain business practices on data protection and privacy. It also questions ‘wider issues’ in competition law enforcement, for instance whether the Commission’s current case-by-case approach is correct in the digital environment or whether specific guidelines or a study should be introduced to inform authorities dealing with antitrust and merger cases involving personal data. These are queries which need to be addressed and the EDPS is to be applauded for kick-starting this discussion, whatever its outcome.
Many of web 2.0’s datacentric services are two-sided platforms which are characterised by network effects: the more users they have, the more users they acquire. This leads to winner-takes-all markets which makes the application of key data protection concepts, such as consent, more difficult. Quite simply, individual control over personal data (or ‘informational self-determination’) becomes illusory when individuals are dealing with monopolies. For this reason, competition law is frequently depicted as the silver bullet which will render data protection rules more effective by injecting competition into monopolised markets and facilitating individual choice. However, that competition law can or even should play this role is contested by experts in that field. A discussion on the potential—and limits—of competition law was therefore conspicuously lacking until the EDPS initiative in March. Nevertheless, it is not yet apparent whether, and if so how, the two fields actually intersect. In recent years, the enforcement activity of DG Competition has been guided by a consumer welfare standard, according to which competition law should seek to deliver benefits to consumers in the form of ‘lower prices, better quality and a wider choice of new or improved goods and services’. This approach assumes that consumer welfare is negatively affected only when a particular practice has the effect of foreclosing an equally efficient competitor

11 citations



Journal ArticleDOI
TL;DR: The relationship between the EU-US Safe Harbor Program and applicable law provisions set forth in the EU Data Protection Directive and the proposed EU data protection Regulation requires clarif... as discussed by the authors.
Abstract: The relationship between the EU–US Safe Harbor Program and the applicable law provisions set forth in the EU Data Protection Directive and the proposed EU Data Protection Regulation requires clarif ...

9 citations



Journal ArticleDOI
TL;DR: Article 32a DPR requires the controller to carry out a risk analysis of the potential impact of the intended data processing on the rights and freedoms of the data subjects with the objective of assessing whether the processing operations are likely to present specific risks.
Abstract: Article 32a DPR requires the controller to carry out a risk analysis of the potential impact of the intended data processing on the rights and freedoms of the data subjects with the objective of assessing whether the processing operations are likely to present specific risks. The respective risks are listed in detail; furthermore, depending on the results of the risk analysis, the provision invites companies to take certain measures. Article 33 DPR deals with the Data Protection Impact Assessment (DPIA). The instrument of the DPIA has already been developed in connection with the use of the RFID technology; Article 33 now lists ten pillars in the lifecycle management of personal data which are to be implemented by the controllers (for example a systematic description of the envisaged processing operations, an assignment of the necessity and proportionality of the processing operations, an assessment of the related risks, a description of the implemented measures, a list of safeguards and security measures, a list of recipients of personal data, an assessment of the context of data processing, etc.). Article 33a DPR requires controllers to carry out a data protection compliance review within two years of having done an impact assessment. Subject to the outcome of this review, further measures are to be implemented, mainly in case of compliance inconsistencies.

Journal ArticleDOI
TL;DR: The effectiveness of the EU data protection reform for EU residents’ privacy in the cloud is assessed and the author refers to international soft law and the ongoing debate on its applicability to private enterprises, summarized within the UN ‘Protect, Respect and Remedy’ Framework.
Abstract: • This paper assesses the effectiveness of the EU data protection reform for EU residents’ privacy in the cloud. It starts off by examining the potential threats of forum shopping for Binding Corporate Rules (BCRs) and discusses the ongoing challenges for enforcing BCRs for processors in cloud services. It also covers the insufficient protection of EU data against foreign surveillance. • It proposes ways of eliminating those threats by considering cloud services ‘risky activities’ for both controller and processor as per the Privacy Risk Assessment obligation present in the General Data Protection Regulation (GDPR). Offering a solution to the challenges so identified, the author refers to international soft law and the ongoing debate on its applicability to private enterprises, summarized within the UN ‘Protect, Respect and Remedy’ Framework.


Journal ArticleDOI
TL;DR: This article analyses and endorses the existence of this third category and the legal issues and problems that arise when trying to subject anyone who processes data to the legal regime applicable to data controllers and processors.
Abstract: • The concepts of ‘data controller’ and ‘data processor’ in the Data Protection Directive are not exhaustive. The Directive defines them by excluding certain criteria (eg determining the means and purposes of the data processing, and carrying it out on behalf of the data controller). Thus, entities that do not fulfil such legal requirements when processing data are excluded from the scope of those concepts, and are considered as part of a third group of those who are processing data. • Moreover, Article 7 (f) of the Directive refers to ‘third parties to whom data are disclosed’ and provides descriptions that imply that this category is based on a different assumption to those relating to data controllers and data processors, and is applicable to anyone who carries out data processing as an essentially personal activity. • Articles 11, 12, and 14 of the Directive also establish a legal status that exempts these ‘third parties’ from some obligations that data controllers must fulfil. • This article analyses and endorses the existence of this third category and the legal issues and problems that arise when trying to subject anyone who processes data to the legal regime applicable to data controllers and processors.

Journal ArticleDOI
TL;DR: In this paper, fundamental issues in European data protection law and their possible solutions are discussed.
Abstract: The paper critically discusses fundamental issues in European data protection law and outlines their possible solutions.

Journal ArticleDOI
TL;DR: This article focuses on one emerging technology that has the potential to alter considerably the privacy landscape—namely, Google Glass, which is essentially a tiny computer on a frame of spectacles.
Abstract: In 1787 the Founding Fathers or today, Parents, of America assembled in Philadelphia to adopt the Constitution. At the same time, Jeremy Bentham and his brother Samuel came together in what is now Belarus and thought up the Panopticon. Managing the clash between liberty and surveillance is, in a nutshell, what privacy law is about. Equilibria are found at which liberty and surveillance can co-exist, but these are disrupted from time to time, especially by social change and technological change. Examples of social change affecting privacy law would include war, changes in government, women’s rights, free press, economic forces, and more. Examples of technological change include trains, linotype presses, telegrams and telephony, computers and the internet. Much has been written about the pervasiveness of recent technological developments that challenge and endanger our privacy, from social networking to biometric databases. Privacy vis-à-vis government has come sharply into focus following recent revelations of PRISM and Tempora, details regarding the domestic use of drones in the USA, and the use of CCTV in the successful hunt for the Boston bombers. This article focuses on one emerging technology that has the potential to alter considerably the privacy landscape—namely, Google Glass. Glass is essentially a tiny computer on a frame of spectacles. Also attached are a miniature display, which sits atop where a spectacles’ lens would normally be; a camera; a microphone; and a bone-conduction transducer, which is a kind of subtle little speaker beside the ear; and a GPS. It also contains a light sensor, a proximity sensor, Bluetooth connectivity, an accelerometer, a gyroscope, and a magnetometer. Glass runs the Android operating system, and apps—called Glassware—are being developed for Glass much as they are for smartphones. Glass is not yet commercially available as of the time of writing, but has been

Journal ArticleDOI
TL;DR: In November 2012, a symposium issue containing a series of papers analysing the laws and practices of nine countries relating to systematic government access to personal data held by the private sector demonstrated considerable consistency in the law and practices examined.
Abstract: In November 2012 we published a symposium issue (volume 2, number 4 of IDPL) containing a series of papers analysing the laws and practices of nine countries (Australia, Canada, China, Germany, India, Israel, Japan, the UK, and the USA) relating to systematic government access to personal data held by the private sector. Those papers, developed as part of a multi-year project funded by The Privacy Projects—a not-for-profit organization dedicated to improving current privacy policies, practices and technologies through research, collaboration, and education—demonstrated considerable consistency in the laws and practices of the nine countries examined. According to a guest editorial that accompanied the papers, common trends included:


Journal ArticleDOI
TL;DR: In this article, the authors examine the effectiveness of Japanese data privacy laws and show that the enforcement mechanisms in the Japanese system are not used to any significant extent, and that the ways in which they work are not transparent enough.
Abstract: Japan’s data privacy laws have been in force since 2003, sufficient time for evidence of their enforcement to become apparent and be assessed. This article first explains the legislative and administrative structure of Japanese data privacy law, and then examines each aspect of enforcement of the law, and such evidence of the effectiveness of enforcement as is available. The public sector, and the private sector, and the co-regulatory systems are considered. This examination shows that the enforcement mechanisms in the Japanese system are not used to any significant extent. It also shows that the ways in which they work are not transparent enough. We reject claims made by government bodies and academics that Japanese businesses comply with the legislation without being required to do so. The extent of compliance is a separate enquiry outside the scope of this article. The result is that the Japanese system asks observers to take it on trust that it is effective. The absence of evidence is in itself a deficiency, a failure to provide transparency of the enforcement system. Put politely, the effectiveness of Japanese data privacy law remains a puzzle. Major reforms are proposed by the government which may provide much more effective means of enforcement, but are only likely to succeed if they also make that enforcement more transparent.


Journal ArticleDOI
TL;DR: The proposed data protection regulation includes mention of the use of criminal and administrative sanctions; both were possible in EU data protection law but, after the reform, the use of administrative sanctions will become mandatory.
Abstract: The proposed data protection regulation includes mention of the use of criminal and administrative sanctions. Both were possible in EU data protection law but, after the reform, the use of administrative sanctions will become mandatory. With regard to criminal sanctions to address data protection wrongs, nothing changes: member states can choose to create them or not. Why is the new EU, with its enhanced post-Lisbon powers, so timid and '1995-ish' with regard to criminal law? How is it possible that, to reform a set of rules created by a directive, a regulation is chosen with the aim of harmonising just about everything in EU data protection law, but not the chapter on sanctions and enforcement? This contribution lists some explanatory factors and reflects on future regulatory choices in member states.

Journal ArticleDOI
TL;DR: The International Data Privacy Law Journal (IDPL) is the only English-language journal exclusively devoted to data protection and privacy law that has a global perspective and subjects all published articles to double-blind peer review.
Abstract: Though it is sometimes hard for us to believe, four years have passed since the first issue of IDPL was published in early 2011. There have been many important developments in the world of data protection and privacy law during this time, and, we like to think, our journal has become an established part of the landscape. Though we usually devote these editorials to considering substantive legal developments, we would like to take this opportunity to reflect on the last four years, and what lies ahead, both for IDPL in particular and for privacy law scholarship in general. We are proud that IDPL has become recognized as a leading journal in its field. It remains (to our knowledge) the only English-language journal exclusively devoted to data protection and privacy law that has a global perspective and subjects all published articles to double-blind peer review. We would like to think that IDPL makes a continuing contribution to the recognition of data privacy law as an important field of scholarly inquiry. We have tried to keep the global importance of the subject in mind by also publishing articles covering the law of countries and regions outside of Europe and North America. Thus, we have been pleased to publish articles on jurisdictions such as Angola, Brazil, Cape Verde, China, Malaysia, Mauritius, Nepal, Trinidad and Tobago, and others about which it has traditionally been difficult to find reliable information in English. Indeed, we consciously chose the title ‘International Data Privacy Law’ in order to avoid terminology that might seem focused too much on a particular legal system, and to demonstrate the global importance of the topic. We are also glad to have been able to cover a number of ‘hot topics’; perhaps the best example of this has been the series of articles we published about public sector access to private data under the law of a number of countries (a comparative analysis is included in this issue).
We will continue to cover, and when possible anticipate, topics of current interest. We are obviously a subscription journal, which allows the good people at Oxford University Press to invest in the resources necessary to produce a high-quality publication. However, we are aware of our responsibility to make our content available to the wider scholarly community, and thus make at least one article of each issue freely available for download on the Internet (in addition to these editorials, which are always freely available); from time to time we have also made entire issues downloadable for free. We are also pleased to have joined one of the OUP scholarly ‘bundles’, so that IDPL is now available to thousands of libraries worldwide. It is perhaps useful for readers and potential contributors to address some questions that are often posed to us. One is what the deadline is for submitting an article; the answer is that, since we publish quarterly, we have a constant interest in quality submissions, so that contributors need not worry about missing a deadline. Once articles have been copyedited and typeset, they are placed in the “Advance Access” section of our website, and are thus available online in advance of publication in a particular issue of IDPL. We are also asked how ‘legal’ a submission should be. We are a legal journal, and expect submissions to focus on legal issues. However, this does not mean that we will not consider articles that are not solely concerned with the law, as long as they deal with jurisprudential, policy, or regulatory issues. Indeed, we believe that questions lying at the intersection of data privacy law and other areas are often among the most interesting subjects for scholarly investigation. In this regard, we would also emphasize that, despite our commitment to quality scholarship, we are not a typical ‘law review’ in terms of publishing lengthy, often ponderous, pieces with hundreds of footnotes.
While we expect submissions to be properly footnoted (details of which can be found in our ‘Instructions to Authors’ document on the web site), we disfavour obscure