Profiling the mobile customer – Is industry self-regulation adequate to protect consumer privacy when behavioural advertisers target mobile phones? – Part II

Mobile customers are increasingly being tracked and profiled by behavioural advertisers to enhance delivery of personalized advertising. This type of profiling relies on automated processes that mine databases containing personally-identifying or anonymous consumer data, and it raises a host of significant concerns about privacy and data protection. This second article in a two part series on “Profiling the Mobile Customer” explores how to best protect consumers’ privacy and personal data through available mechanisms that include industry self-regulation, privacy-enhancing technologies and legislative reform.¹ It discusses how well privacy and personal data concerns related to consumer profiling are addressed by two leading industry self-regulatory codes from the UK and the U.S. that aim to establish fair information practices for behavioural advertising by their member companies. It also discusses the current limitations of using technology to protect consumers from privacy abuses related to profiling. Concluding that industry self-regulation and available privacy-enhancing technologies will not be adequate to close important privacy gaps related to consumer profiling without legislative reform, it offers suggestions for EU and U.S. regulators about how to do this.²     

Profiling the mobile customer – Privacy concerns when behavioural advertisers target mobile phones – Part I

Mobile customers are being tracked and profiled by behavioural advertisers to be able to send them personalized advertising. This process involves data mining consumer databases containing personally-identifying or anonymous data and it raises a host of important privacy concerns. This article, the first in a two part series on consumer information privacy issues on Profiling the Mobile Customer, addresses the questions: “What is profiling in the context of behavioural advertising?” and “How will consumer profiling impact the privacy of mobile customers?” The article examines the EU and U.S. regulatory frameworks for protecting privacy and personal data in regards to profiling by behavioural advertisers that targets mobile customers. It identifies potential harms to privacy and personal data related to profiling for behavioural advertising. It evaluates the extent to which the existing regulatory frameworks in the EU and the U.S. provide an adequate level of privacy protection and identifies key privacy gaps that the behavioural advertising industry and regulators will need to address to adequately protect mobile consumers from profiling by marketers. The upcoming second article in this series will discuss whether industry self-regulation or privacy-enhancing technologies will be adequate to address these privacy gaps and makes suggestions for principles to guide this process.¹     

The Transfer of Personal Data to Third Countries Under EU Directive 95/46/EC

The 1981 Council of Europe Convention 108 and EU Directive 95/46/ EC assert that data protection is privacy protection. Consequently, countries with data protection rules control trans-border data flows to protect the rights of their citizens. Under the Directive, but subject to some derogations, personal data may only be transferred to third countries with adequate protection. 'Adequacy' is to be assessed in the light of all the circumstances. Alternative safeguards can be provided by means such as contractual arrangements. The Data Protection Commissioners have tried to define 'adequacy' as the usual data protection principles plus an assurance of compliance. This can be delivered by self-regulation as well as formal law. The Directive has not made a radical break with the past. The usual principles are those found in Convention 108 and in the 1980 OECD Guidelines. Those instruments also dealt with the control of trans-border data flows because of fears of restrictions on the free flow of information. The flexibility of the effective current UK law, which permits flows whilst preventing those which would lead to a breach of data protection, would have prevented the acrimony of the current debate with third countries. National laws on transborder data flows long pre-date the Directive and data protection authorities can be expected to continue to promote pragmatic methods of protecting exported data such as the use of model contracts either as a basis for derogation from 'adequacy' or as part of a package to satisfy the adequacy test. Work is taking place to build bridges between those with formal law and others relying on self-regulation. In Ottawa last October OECD ministers reaffirmed the 1980 Guidelines and if practical privacy protection can be secured globally, transborder data-flow control is of much less concern.     

Reconstructing consumer privacy protection on‐line: a modest proposal

Problems with consumer trust and confidence in the Internet as a safe environment in which to shop, browse and associate are well documented, as are the correlations between this lack of consumer trust and fears about privacy and security online. This paper attempts first to show why existing legal and extra‐legal modes for the protection of privacy online are failing to protect consumers and promote consumer trust. In particular it critiques the European regime of mandatory data protection laws as outdated and inappropriate to a world of multinational corporatism and ubiquitous transnational data flows via cyberspace. In the second part lessons are drawn from the crisis currently faced by intellectual property in cyberspace, particularly in reference to MP3 music files and peer‐to‐peer downloading and useful parallels are drawn from the solution devised by William Fisher of the Berkman Centre, Harvard, in the form of an alternative payment scheme for copyright holders. Finally, the insights drawn from Fisher's work are combined with original proposals drawn from a comparison of the consumer–data collector relationship in cyberspace with the roles played by truster, trustee and beneficiary in the institution of common law trust. The resulting ‘modest proposal’ suggests that a ‘privacy tax’ be levied on the profits made by data collectors and data processors. This could fund no‐fault compensation for identified ‘privacy harms’, improve public privacy enforcement resources, provide privacy‐enhancing technologies to individuals, satisfy the desire of commerce for less data protection‐related internal bureaucracy and possibly create the conditions for better promotion of consumer trust and confidence. The uptake of electronic commerce would thus be significantly enhanced.     

Protecting the privacy and security of sensitive customer data in the cloud

The global ubiquity of cloud computing may expose consumers' sensitive personal data to significant privacy and security threats. A critical challenge for the cloud computing industry is to earn consumers' trust by ensuring adequate privacy and security for sensitive consumer data. Regulating consumer privacy and security also challenges government enforcement of data protection laws that were designed with national borders in mind. From an information privacy perspective, this article analyses how well the regulatory frameworks in place in Europe and the United States help protect the privacy and security of sensitive consumer data in the cloud. It makes suggestions for regulatory reform to protect sensitive information in cloud computing environments and to remove regulatory constraints that limit the growth of this vibrant new industry.     

South Korea's innovations in data privacy principles: Asian comparisons

Over the last two decades, at least a dozen Asian jurisdictions have adopted significant data privacy (or ‘data protection’) laws. South Korea started to implement such laws in relation to its public sector in the 1990s, then its private sector from 2001, culminating in the comprehensive Personal Information Privacy Act of 2011. Internationally, there have been two stages in the development of data privacy principles (the common core of such laws), the first typified by the OECD's data protection Guidelines of 1981, and the second typified by the European Union data protection Directive of 1995, with a third stage currently under development.     

The retention of personal information online: A call for international regulation of privacy law

New technologies permit online businesses to reduce expenses and increase efficiency by, for example, storing information in “the cloud”, engaging in online tracking and targeted advertising, location and tracking technologies, and biometrics. However, the potential for technology to facilitate long term retention of customers' personal information raises concerns about the competing right of individuals to the privacy of their personal information. Although the European Commission has recently released a proposal for regulation to “provide a data subject with the right to be forgotten and to erasure”, neither the OECD Privacy Guidelines nor the APEC Privacy Framework includes any requirement to delete personal information. While New Zealand includes a “limited retention principle” in the Privacy Act 1993, apart from one limited exception the privacy principles cannot be enforced in court. Taking New Zealand privacy law as an example, this paper examines the issue of retention of customer data, explains why this is a serious problem and argues that although it could be addressed by appropriate amendments to domestic laws, domestic privacy legislation may not be sufficient in an online environment. In the same way as other areas of law, such as the intellectual property regime, have turned to global regulatory standards which reflect the international nature of their subject matter, international privacy regulation should be the next stage for the information privacy regime.     

For privacy's sake: Consumer “opt outs” for smart meters

When balancing consumer privacy and data protection rights with the important societal benefits to be obtained from smart meters, should consumers be allowed to opt out? If so, what should a smart meter opt out mechanism look like? Further, may consumers be charged additional fees for the privilege of opting out without violating their privacy and data protection rights? The EU/U.S. comparative law analysis provided in this paper aims to help energy suppliers and regulators craft opt out mechanisms to protect individual privacy and data protection rights while also achieving important societal benefits from smart meters.     

Smart meters and the information panopticon: beyond the rhetoric of compliance

The Smart Meter Implementation Programme is the Government's flagship energy policy. In its search for solutions to address privacy dilemmas raised by smart meters, the Government has been content with using data protection principles as a policy framework to regulate the processing of consumers' personal information. This is worrying since the question of who has access to what type of information and how it is used cannot simply be regarded as raising information security, authenticity and integrity issues. If we are to go beyond the rhetoric of protecting the privacy rights of energy consumers we must scrutinise the context in which legitimate interests and reasonable expectations of privacy subsist. To remedy this apparent policy oversight, the paper undertakes two tasks: first, to clarify the content and application of data protection and privacy rights to smart meters; and second, it outlines a policy framework that will address the lack of specificity on how best innovation and privacy issues can be better calibrated. More importantly, it calls for targeted substantive reforms, development of accessible privacy policies and information management practices that promote transparency and accountability and deployment of technological solutions that will help reduce emerging fault lines between innovation and privacy in this sphere of energy policymaking.     

Narratives about privacy and forgetting in English law

This paper examines narratives about the right of privacy in the UK. It argues that until relatively recently the dominant narrative was one that associated privacy with celebrity claimants and media defendants. Other narratives, such as those concerned with digital privacy and data protection, did not feature as prominently. But changing technological and social contexts mean that these narratives are now understood to be of immense importance too. This paper explores these narratives against the backdrop of the European Commission's proposals for a ‘right to be forgotten’ (now relabelled a ‘right to erasure’), the subject-matter of this special issue, as well as the 2014 Google Spain judgment. The paper emphasises the importance of forgetting as an aspect of the right to privacy and argues that while the UK legislator and courts have been slow to give effect to erasure remedies, they must now start exploring the bounds of legal possibility in order to meet the challenges of the digital age.     

Privacy principles,risks and harms

The protection of privacy is predicated on the individual's right to privacy and stipulates a number of principles that are primarily focused on information privacy or data protection and, as such, are insufficient to apply to other types of privacy and to the protection of other entities beyond the individual. This article identifies additional privacy principles that would apply to other types of privacy and would enhance the consideration of risks or harms to the individual, to groups and to society as a whole if they are violated. They also relate to the way privacy impact assessment (PIA) may be conducted. There are important reasons for generating consideration of and debate about these principles. First, they help to recalibrate a focus in Europe on data protection to the relative neglect of other types of privacy. Second, it is of critical importance at a time when PIA (renamed ‘data protection impact assessment’, or DPIA) may become mandatory under the European Commission's proposed Data Protection Regulation. Such assessment is an important instrument for identifying and mitigating privacy risks, but should address all types of privacy. Third, one can construct an indicative table identifying harms or risks to these additional privacy principles, which can serve as an important tool or instrument for a broader PIA to address other types of privacy.     

Effective approaches to regulate mobile advertising: Moving towards a coordinated legal,self-regulatory and technical response

This article aims to contribute to the ongoing discourse about the issue of privacy in the mobile advertising domain. The article discusses the fundamental principles and information practices used in digital environments for protecting individuals' private data. Major challenges are identified that should be addressed, so that fair information principles can be applied in the context of m-advertising. It also points out the limitations of these principles. Furthermore, the article discusses a range of models that is available for regulating the collection, use and disclosure of personal data, such as legislation, self-regulation and technical approaches. It is intended to promote an effective approach to improve consumer privacy in the mobile advertising domain.     

Citizens' perceptions of data protection and privacy in Europe

Data protection and privacy gain social importance as technology and data flows play an ever greater role in shaping social structure. Despite this, understanding of public opinion on these issues is conspicuously lacking. This article is a meta-analysis of public opinion surveys on data protection and privacy focussed on EU citizens. The article firstly considers the understanding and awareness of the legal framework for protection as a solid manifestation of the complex concepts of data protection and privacy. This is followed by a consideration of perceptions of privacy and data protection in relation to other social goals, focussing on the most visible of these contexts–the debate surrounding privacy, data protection and security. The article then considers how citizens perceive the ‘real world’ environment in which data processing takes place, before finally considering the public's perception and evaluation of the operation of framework against environment.     

Loan Sharks v. Short‐term Lenders: How Do the Law and Regulators Draw the Line?

With the Office of Fair Trading (OFT) having just published its ‘comprehensive review’ of some aspects of the business of short‐term lenders, this article examines the phenomenon of short‐term lenders. It draws on the legal and conceptual changes in the United Kingdom's consumer credit sector that have aided their proliferation. It argues that short‐term lenders in their current form are no different from loan sharks and that the current legal and regulatory framework has failed to provide the required protection for vulnerable credit consumers. It highlights how the United Kingdom's legal approach to consumer protection has been to the detriment of short‐term borrowers.     

大数据时代社区应急治理中居民隐私顾虑之化解

大数据时代社区应急治理现代化既要运用大数据技术提高应对突发事件的效能,也要兼顾对居民隐私权的有效保护,消除居民隐私顾虑。隐私权的双重属性和社区应急治理中不规范的居民信息采集、使用和泄露行为会导致出现侵害居民隐私权的情况,使居民产生隐私顾虑。因此,大数据环境下社区应急治理需加强对居民隐私的保护,从法律、责任、多元主体协同等层面建立居民隐私顾虑化解机制,平衡社区应急治理中社区公共利益与居民个人利益的张力和冲突,提高社区应急治理效能和治理现代化水平。     

Mapping the development of China's data protection law: Major actors,core values,and shifting power relations

This Article seeks to map the possible paths of the development of China's data protection law by examining the changing power relations among three major actors - the State, digital enterprises and the public in the context of China's booming data-driven economy. We argue that focusing on different core values, these three major actors are the key driving forces shaping China's data protection regime. Their dynamic and multidimensional power relations have been casting the development of China's data protection law with various uncertainties. When persuing different, yet not always conflicting values, these three major actors may both cooperate and compete with each other. Based on our careful analysis of the shifting power relations, we identify and assess three possible paths of the development of China's data protection law. We are much concerned that the proposed comprehensive data protection law might be a new attempt of the State to win legitimacy abroad, while actually trying to reinforce massive surveillance besides economic goals. We argue that a modest alternative may be that this law might show some genuine efforts for protecting data privacy, but still with poor enforcement. Last, we argue that the most desirable development would be that this law could provide basic but meaningful and effective protection for data privacy, and lay a good foundation for further development.     

Privacy and Search Engines: Forgetting or Contextualizing?

This article considers the much‐criticized ‘right to be forgotten’ in the context of the European Court of Justice's judgment in the Google Spain case. It defends the ‘right to be forgotten’ as a metaphor that can provide us with a better understanding of the particular privacy concerns of the search‐engine age and their interaction with the freedom to access information, and draws on Goffman's idea of ‘information games’ and Nissenbaum's theory of ‘contextual integrity’. While supporting the principles that underpin the judgment, the article rejects the Court's binary approach of ‘forgetting’ versus ‘remembering’ personal information. Instead, it argues that the EU legislator should introduce more nuanced means of addressing modern privacy concerns. By establishing two remedies – ‘delisting’ or ‘reordering’, depending on the nature of the information – online information flows can be adjusted to preserve both the right to privacy and the freedom to access information in more contextually appropriate ways.     

Governing ghostbots

This article discusses the legal implications of a novel phenomenon, namely, digital reincarnations of deceased persons, sometimes known as post-mortem avatars, deepfakes, replicas, holographs, or chatbots. To elide these multiple names, we use the term 'ghostbots'. The piece is an early attempt to discuss the potential social and individual harms, roughly grouped around notions of privacy (including post-mortem privacy), property, personal data and reputation, arising from ghostbots, how they are regulated and whether they need to be adequately regulated further. For reasons of space and focus, the article does not deal with copyright implications, fraud, consumer protection, tort, product liability, and pornography laws, including the non-consensual use of intimate images (‘revenge porn’). This paper focuses on law, although we fully acknowledge and refer to the role of philosophy and ethics in this domain.We canvas two interesting legal developments with implications for ghostbots, namely, the proposed EU Artificial Intelligence (AI) Act and the 2021 New York law amending publicity rights to protect the rights of celebrities whose personality is used in post-mortem ‘replicas’. The latter especially evidences a remarkable shift from the norm we have chronicled in previous articles of no respect for post-mortem privacy to a growing recognition that personality rights do need protection post-mortem in a world where pop stars and actors are routinely re-created using AI. While the legislative motivation here may still be primarily to protect economic interests, we argue it also shows a concern for dignitary and privacy interests.Given the apparent concern for the appropriation of personality post-mortem, possibly in defiance or ignorance of what the deceased would have wished, we propose an early solution to regulate the rise of ghostbots, namely an enforceable ‘do not bot me’ clause in analogue or digital wills.     

Singapore's Personal Data Protection legislation: Business perspectives

As global digitalisation of information and interconnecting technologies along with new marketing practices and business processes vastly increase the opportunities for data collection, storage, usage and delivery, there is a corresponding increase in consumer expectations of data privacy. These expectations must be met if business organisations are to promote consumer trust and confidence and maintain their overall competitiveness in a global market. It goes without saying that information is the most valuable business asset and “privacy is good business and information can be the basis of bigger business”. The need to protect data privacy has long been recognised and implemented by major trading nations. Surprisingly, Singapore as a financial centre and nation aspiring to be a trusted data hosting hub has been slow in enacting specific data protection laws. The first piece of legislation that has emerged is a light-touch baseline framework applicable to all organisations except the public sector. This article considers the new legislation from the business perspective and the implications for private sector business organisations facing the challenges of compliance.     

Regulating intersectional activity: privacy and energy efficiency,laws and technology

Using a case study, this paper explores the extent to which one area of law (privacy and data protection) can intersect with, and be challenged by, proposals for delivery of another goal – greater energy efficiency. The article then explores the extent to which these fields are becoming more integrated; and also the risks of relying on technology (notably through Privacy by Design) to do this, particularly given the uncertainties embraced by lawyers and which can be problematic to technologists. Having identified challenges in meeting both energy efficiency and privacy/data protection goals at the same time, the article develops two responses. One looks more widely in law, to competition, to prevent particular activity and to confirm the relevance of greater legal interdisciplinarity. The other is a more multi-faceted collaborative governance approach, involving legal and technical expertise and consumer perspectives, with standards having a valuable role. Addressing climate change through greater energy efficiency should be an appropriate motivation to bring about this second approach, which draws on wider environmental governance developments. With largely a UK and EU focus, but seeking to be of transnational relevance, the paper makes key contributions as to the capacity and limits of how law can address societal challenges; explores the risks of assuming that social and legal problems can be readily addressed by technology; confirms the need for lawyers to look to other fields of law; and assists progress in an increasingly intersectional and dynamic field.