The necessity of the implementation of Privacy by Design in sectors where data protection concerns arise

This article examines the extent to which Privacy by Design can safeguard privacy and personal data within a rapidly evolving society. This paper will first briefly explain the theoretical concept and the general principles of Privacy by Design, as laid down in the General Data Protection Regulation. Then, by indicating specific examples of the implementation of the Privacy by Design approach, it will be demonstrated why the implementation of Privacy by Design is a necessity in a number of sectors where specific data protection concerns arise (biometrics, e-health and video-surveillance) and how it can be implemented.     

Data protection in Malaysia and Hong Kong: One step forward,two steps back?

Continuing rapid developments in information communication technology has led to an ever increasing amount of personal information being collected, processed, stored and used, without the individual even knowing about it. For countries which have domestic legislation relating to privacy and data protection, it has afforded the opportunity for a review. For others, it has opened up the opportunity to legislate. The aim of the paper is three-fold. First, the paper aims to deal with data protection regime in Malaysia and in Hong Kong by examining the salient features of the newly enacted Malaysia's Personal Data Protection Act 2010 and the recent recommendations for legislative reform to the Personal Data (Privacy) Ordinance in Hong Kong. Second, it considers whether the laws are more concerned with legitimising data protection practices of organizations and businesses rather than the protection of individuals' privacy interests. Finally, the paper briefly considers whether the laws adequately address the impact to individuals' data privacy brought about by technological advancements before providing a conclusion.     

Profiling the mobile customer – Is industry self-regulation adequate to protect consumer privacy when behavioural advertisers target mobile phones? – Part II

Mobile customers are increasingly being tracked and profiled by behavioural advertisers to enhance delivery of personalized advertising. This type of profiling relies on automated processes that mine databases containing personally-identifying or anonymous consumer data, and it raises a host of significant concerns about privacy and data protection. This second article in a two part series on “Profiling the Mobile Customer” explores how to best protect consumers’ privacy and personal data through available mechanisms that include industry self-regulation, privacy-enhancing technologies and legislative reform.¹ It discusses how well privacy and personal data concerns related to consumer profiling are addressed by two leading industry self-regulatory codes from the UK and the U.S. that aim to establish fair information practices for behavioural advertising by their member companies. It also discusses the current limitations of using technology to protect consumers from privacy abuses related to profiling. Concluding that industry self-regulation and available privacy-enhancing technologies will not be adequate to close important privacy gaps related to consumer profiling without legislative reform, it offers suggestions for EU and U.S. regulators about how to do this.²     

A comparison of data protection legislation and policies across the EU

Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement.The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protections authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not in all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.     

A comparison of proposed legislative data privacy protections in the United States

The use of online consumer tracking methods has raised significant privacy concerns for consumers and policymakers for decades. Advertisers using these methods analyze web-viewing habits to predict consumer preferences and actions. The advertising industry in the United States has promoted self-regulatory principles to respond to these concerns. However, in December 2010, the U.S. Federal Trade Commission reported that these efforts “have been too slow and up to now have failed to provide adequate and meaningful protection.” President Barack Obama's administration has supported broader legislation for comprehensive protection of individuals' private data. The leading model for data privacy protection is the 1980 Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. This article examines two leading legislative privacy proposals in the context of the OECD principles. This examination concludes that, although the proposals do not provide sufficient comprehensive privacy protections, they do fill significant gaps in current U.S. privacy laws.     

South Korea's innovations in data privacy principles: Asian comparisons

Over the last two decades, at least a dozen Asian jurisdictions have adopted significant data privacy (or ‘data protection’) laws. South Korea started to implement such laws in relation to its public sector in the 1990s, then its private sector from 2001, culminating in the comprehensive Personal Information Privacy Act of 2011. Internationally, there have been two stages in the development of data privacy principles (the common core of such laws), the first typified by the OECD's data protection Guidelines of 1981, and the second typified by the European Union data protection Directive of 1995, with a third stage currently under development.     

Opening up personal data protection: A conceptual controversy

The existence of a fundamental right to the protection of personal data in European Union (EU) law is nowadays undisputed. Established in the EU Charter of Fundamental Rights in 2000, it is increasingly permeating EU secondary law, and is expected to play a key role in the future EU personal data protection landscape. The right's reinforced visibility has rendered manifest the co-existence of two possible and contrasting interpretations as to what it come to mean. If some envision it as a primarily permissive right, enabling the processing of such data under certain conditions, others picture it as having a prohibitive nature, implying that any processing of data is a limitation of the right, be it legitimate or illegitimate. This paper investigates existing tensions between different understandings of the right to the protection of personal data, and explores the assumptions and conceptual legacies underlying both approaches. It traces their historical lineages, and, focusing on the right to personal data protection as established by the EU Charter, analyses the different arguments that can ground contrasted readings of its Article 8. It also reviews the conceptualisations of personal data protection as present in the literature, and finally contrasts all these perspectives with the construal of the right by the EU Court of Justice.     

Privacy regulations on biometrics in Australia

This paper aims to provide an analysis of the current regulatory environment, at the federal level, of privacy protection concerning biometrics in Australia. The study only focuses on the federal Privacy Act 1988 (Cth) and the Biometrics Institute Privacy Code. The discussion is based on the legal concerns of the use of biometrics, and an analysis is made concerning the implications of privacy protection sources.     

The fundamental right of data protection in the European Union: in search of an uncharted right

The entry into force of the EU Charter of Fundamental Rights and the ensuing introduction of the right to data protection as a new fundamental right in the legal order of the EU has raised some challenges. This article is an attempt to bring clarity on some of these questions. We will therefore try to address the issue of the place of the right to the protection of personal data within the global architecture of the Charter, but also the relationship between this new fundamental right and the already existing instruments. In doing so, we will analyse the most pertinent case law of the Court of Luxembourg, only to find out that it creates more confusion than clarity. The lesson we draw from this overview is that the reasoning of the Court is permeated by a ‘privacy thinking’, which consists not only in overly linking the rights to privacy and data protection, but also in applying the modus operandi of the former to the latter (which are different we contend). The same flawed reasoning seems to be at work in the EU Charter of Fundamental Rights. Therefore, it is crucial that the different modi operandi be acknowledged, and that any upcoming data protection instrument is accurately framed in relation with Article 8 of the Charter.     

Privacy and security by design: Comparing the EU and Israeli approaches to embedding privacy and security

Policymakers in the European Union and Israel are searching for regulatory strategies on how to best protect their citizens informational privacy. More recently, the focus has shifted towards Privacy and Security by Design as a mean to address current privacy concerns. While Privacy and Security by Design in itself is not a new idea, its implementation has taken new forms within the General Data Protection Regulation, as well as in various Israeli laws, inter alia, the Privacy Protection Regulations on Data Security. In this article we first analyse these implementations of Privacy and Security by Design and then compare the European and Israeli approaches with one another. We address the question of which approach provides more guidance to developers with respect on how to embed Privacy and Security by Design measures into new services and products. We conclude by pointing to empirical research needed to further analyse the impact of the two different regulatory strategies.     

The retention of personal information online: A call for international regulation of privacy law

New technologies permit online businesses to reduce expenses and increase efficiency by, for example, storing information in “the cloud”, engaging in online tracking and targeted advertising, location and tracking technologies, and biometrics. However, the potential for technology to facilitate long term retention of customers' personal information raises concerns about the competing right of individuals to the privacy of their personal information. Although the European Commission has recently released a proposal for regulation to “provide a data subject with the right to be forgotten and to erasure”, neither the OECD Privacy Guidelines nor the APEC Privacy Framework includes any requirement to delete personal information. While New Zealand includes a “limited retention principle” in the Privacy Act 1993, apart from one limited exception the privacy principles cannot be enforced in court. Taking New Zealand privacy law as an example, this paper examines the issue of retention of customer data, explains why this is a serious problem and argues that although it could be addressed by appropriate amendments to domestic laws, domestic privacy legislation may not be sufficient in an online environment. In the same way as other areas of law, such as the intellectual property regime, have turned to global regulatory standards which reflect the international nature of their subject matter, international privacy regulation should be the next stage for the information privacy regime.     

Privacy on the Internet

Privacy, the right to an inviolable private life, is one of the most valued and most fragile possessions in modern human society. According to only one of the best-known definitions, privacy is the right to be left alone; the right for every human being to enjoy a space protected by law from arbitrary encroachment, including that of the government. "Every unjustified violation of individual privacy by the state, whatever the means used, must be regarded as a violation of the Fourth Amendment [to the U.S. Constitution—S.S.]," as U.S. Supreme Court Justice Louis Brandeis noted in his famous opinion on wiretapping.¹ Privacy is a fundamental human right, and it has been meticulously studied and analyzed. According to one classification scheme,² privacy can provisionally be divided into four types: privacy of personal data, physical privacy, territorial privacy, and the privacy of communications.     

Regulating intersectional activity: privacy and energy efficiency,laws and technology

Using a case study, this paper explores the extent to which one area of law (privacy and data protection) can intersect with, and be challenged by, proposals for delivery of another goal – greater energy efficiency. The article then explores the extent to which these fields are becoming more integrated; and also the risks of relying on technology (notably through Privacy by Design) to do this, particularly given the uncertainties embraced by lawyers and which can be problematic to technologists. Having identified challenges in meeting both energy efficiency and privacy/data protection goals at the same time, the article develops two responses. One looks more widely in law, to competition, to prevent particular activity and to confirm the relevance of greater legal interdisciplinarity. The other is a more multi-faceted collaborative governance approach, involving legal and technical expertise and consumer perspectives, with standards having a valuable role. Addressing climate change through greater energy efficiency should be an appropriate motivation to bring about this second approach, which draws on wider environmental governance developments. With largely a UK and EU focus, but seeking to be of transnational relevance, the paper makes key contributions as to the capacity and limits of how law can address societal challenges; explores the risks of assuming that social and legal problems can be readily addressed by technology; confirms the need for lawyers to look to other fields of law; and assists progress in an increasingly intersectional and dynamic field.     

Pricing privacy – the right to know the value of your personal data

The commodification of digital identities is an emerging reality in the data-driven economy. Personal data of individuals represent monetary value in the data-driven economy and are often considered a counter performance for “free” digital services or for discounts for online products and services. Furthermore, customer data and profiling algorithms are already considered a business asset and protected through trade secrets. At the same time, individuals do not seem to be fully aware of the monetary value of their personal data and tend to underestimate their economic power within the data-driven economy and to passively succumb to the propertization of their digital identity. An effort that can increase awareness of consumers/users on their own personal information could be making them aware of the monetary value of their personal data. In other words, if individuals are shown the “price” of their personal data, they can acquire higher awareness about their power in the digital market and thus be effectively empowered for the protection of their information privacy. This paper analyzes whether consumers/users should have a right to know the value of their personal data. After analyzing how EU legislation is already developing in the direction of propertization and monetization of personal data, different models for quantifying the value of personal data are investigated. These models are discussed, not to determine the actual prices of personal data, but to show that the monetary value of personal data can be quantified, a conditio-sine-qua-non for the right to know the value of your personal data. Next, active choice models, in which users are offered the option to pay for online services, either with their personal data or with money, are discussed. It is concluded, however, that these models are incompatible with EU data protection law. Finally, practical, moral and cognitive problems of pricing privacy are discussed as an introduction to further research. We conclude that such research is needed to see to which extent these problems can be solved or mitigated. Only then, it can be determined whether the benefits of introducing a right to know the value of your personal data outweigh the problems and hurdles related to it.     

Citizens' perceptions of data protection and privacy in Europe

Data protection and privacy gain social importance as technology and data flows play an ever greater role in shaping social structure. Despite this, understanding of public opinion on these issues is conspicuously lacking. This article is a meta-analysis of public opinion surveys on data protection and privacy focussed on EU citizens. The article firstly considers the understanding and awareness of the legal framework for protection as a solid manifestation of the complex concepts of data protection and privacy. This is followed by a consideration of perceptions of privacy and data protection in relation to other social goals, focussing on the most visible of these contexts–the debate surrounding privacy, data protection and security. The article then considers how citizens perceive the ‘real world’ environment in which data processing takes place, before finally considering the public's perception and evaluation of the operation of framework against environment.     

Privacy notices versus informational self-determination: Minding the gap

Privacy notices are instruments that intend to inform individuals of the processing of their personal data, their rights as data subjects, as well as any other information required by data protection or privacy laws. The goal of this paper is to clarify the current discourse regarding the (in)utility of privacy notices, particularly in the context of online transactions. The perspective is a European one, meaning that the analysis shall be geared towards the European Data protection framework, particularly the European Data Protection Directive. The paper discusses the role that privacy notices play under the European data protection framework today, summarizes the main critiques regarding the use of privacy notices in practice and develops a number of recommendations.     

民法典框架下个人数据财产法益的体系构建

从欧盟个人数据保护相关立法的变迁可以发现,个人数据从隐私权保护的传统模式开始出现向财产权保护模式过渡的迹象。这并不意味着数据产业界的新机会,而是调节数据主体与数据控制者之间日益失衡关系的新尝试。财产权保护模式有着隐私权保护模式无可比拟的优势,却也存在权利定性和范围界定上的困难。与非个人数据更为鲜明的财产属性不同,个人数据上的民事权益应该构建为一个以数据主体的财产利益为基础、以数据控制者对个人数据的占有利益为核心的财产法益体系。数据控制者及其义务作为个人数据财产法益体系的中心,才能在保护数据主体和发挥数据效用之间保持平衡。     

Medical data breaches: Notification delayed is notification denied

The EU and the United States have implemented data breach notification rules that cover the health sectors. Nevertheless, data breach incidents involving medical data continue to rise, especially in the US and the UK. The HITECH Act, Pub. L. 111-5 Title XIII is the first federal health breach notification law in the US to be characterized by less government intrusions, while the revised EU Privacy Directive, 2009/136/EC calls for tougher privacy protection for data held by electronic communication providers. While the EU law sets a global de facto standard, the law remains toothless without strong enforcement mechanisms.     

Profiling the mobile customer – Privacy concerns when behavioural advertisers target mobile phones – Part I

Mobile customers are being tracked and profiled by behavioural advertisers to be able to send them personalized advertising. This process involves data mining consumer databases containing personally-identifying or anonymous data and it raises a host of important privacy concerns. This article, the first in a two part series on consumer information privacy issues on Profiling the Mobile Customer, addresses the questions: “What is profiling in the context of behavioural advertising?” and “How will consumer profiling impact the privacy of mobile customers?” The article examines the EU and U.S. regulatory frameworks for protecting privacy and personal data in regards to profiling by behavioural advertisers that targets mobile customers. It identifies potential harms to privacy and personal data related to profiling for behavioural advertising. It evaluates the extent to which the existing regulatory frameworks in the EU and the U.S. provide an adequate level of privacy protection and identifies key privacy gaps that the behavioural advertising industry and regulators will need to address to adequately protect mobile consumers from profiling by marketers. The upcoming second article in this series will discuss whether industry self-regulation or privacy-enhancing technologies will be adequate to address these privacy gaps and makes suggestions for principles to guide this process.¹     

Will the European Commission be able to standardise legal technology design without a legal method?

Privacy by Design (PbD) is a kind of precautionary legal technology design. It takes opportunities for fundamental rights without creating risks for them. Now the EU Commission “promised” to implement PbD with Art. 23(4) of its proposal of a General Data Protection Regulation. It suggests setting up a committee that can define technical standards for PbD. However the Commission did not keep its promise. Should it be left to the IT security experts who sit in the committee but do not have the legal expertise, to decide on our privacy or, by using overly detailed specifications, to prevent businesses from marketing innovative products? This paper asserts that the Commission's implementation of PbD is not acceptable as it stands and makes positive contributions for the work of a future PbD committee so that the Commission can keep its promise to introduce precautionary legal technology design.