The retention of personal information online: A call for international regulation of privacy law

New technologies permit online businesses to reduce expenses and increase efficiency by, for example, storing information in “the cloud”, engaging in online tracking and targeted advertising, location and tracking technologies, and biometrics. However, the potential for technology to facilitate long term retention of customers' personal information raises concerns about the competing right of individuals to the privacy of their personal information. Although the European Commission has recently released a proposal for regulation to “provide a data subject with the right to be forgotten and to erasure”, neither the OECD Privacy Guidelines nor the APEC Privacy Framework includes any requirement to delete personal information. While New Zealand includes a “limited retention principle” in the Privacy Act 1993, apart from one limited exception the privacy principles cannot be enforced in court. Taking New Zealand privacy law as an example, this paper examines the issue of retention of customer data, explains why this is a serious problem and argues that although it could be addressed by appropriate amendments to domestic laws, domestic privacy legislation may not be sufficient in an online environment. In the same way as other areas of law, such as the intellectual property regime, have turned to global regulatory standards which reflect the international nature of their subject matter, international privacy regulation should be the next stage for the information privacy regime.     

‘Private jurisprudence’ and the right to be forgotten balancing test

Upon receipt of a right to be forgotten request, private actors like Google are responsible for implementing the balancing test between competing rights of privacy and data protection and free expression and access to information. This amounts to private jurisprudence that data subjects, lawyers, and interested parties could, theoretically, game to their advantage. This paper critiques this process and argues two separate, but related points. (1) Search engines have become the sole arbiter of the rights to privacy and data protection under Articles 7 and of the Charter of Fundamental Rights and Articles 8 and 10 of the European Convention of Human Rights, when safeguarding should be a responsibility of state authorities. (2) As private actors face litigation if their decision is not acceptable to the data subject, the right to access information and the public's right to know is compromised. Search engines exert considerable power over access to and Internet usage, yet nevertheless benefit from frameworks that permit a lack of adherence to similar human rights standards as public actors or agencies. As such, empowering search engines as decision-makers over conflicting fundamental rights is problematic. Rather than allow the content of the right to be forgotten to be fleshed out by private actors, the significant body of existing jurisprudence should form the basis for public guidelines on how to implement the right to be forgotten. An analysis of case law of national courts, the European Court of Human Rights and the CJEU reveals two related matters: it is possible to reverse engineer how search engines determine which requests will be actioned and those which will be denied. This paper argues a) collectively the body of jurisprudence is of sufficient standing to develop a public and transparent balancing test that is fair to all stakeholders and b) private actors should no longer be resolving the conflict between competing fundamental rights. The paper closes by positing a framework, loosely based on ICANN's Uniform Domain Resolution Procedure for resolving conflict between conflicting cyber property rights that provides transparency and accountability to the right to be forgotten and removes search engines as arbiters of the balancing test in select cases.     

Automated consent through privacy agents: Legal requirements and technical architecture

The changes imposed by new information technologies, especially pervasive computing and the Internet, require a deep reflection on the fundamental values underlying privacy and the best way to achieve their protection. The explicit consent of the data subject, which is a cornerstone of most data protection regulations, is a typical example of requirement which is very difficult to put into practice in the new world of “pervasive computing” where many data communications necessarily occur without the users' notice. In this paper, we argue that an architecture based on “Privacy Agents” can make privacy rights protection more effective, provided however that this architecture meets a number of legal requirements to ensure the validity of consent delivered through such Privacy Agents. We first present a legal analysis of consent considering successively (1) its nature; (2) its essential features (qualities and defects) and (3) its formal requirements. Then we draw the lessons of this legal analysis for the design of a valid architecture based on Privacy Agents. To conclude, we suggest an implementation of this architecture proposed in a multidisciplinary project involving lawyers and computer scientists.     

There's more to it than data protection – Fundamental rights,privacy and the personal/household exemption in the digital age

Heated debates triggered by the plans to introduce the “right to be forgotten” exposed problems the all-encompassing application of rules on data processing may cause in practice. The purpose of this article is to discuss the compatibility of these rules with the rapidly evolving online environment in the context of the need to guarantee human rights on the internet. The author argues that there is an imbalance in the protection of individual rights online. It results from the limited application of personal/household exception and, in general, the narrow understanding of the concept of online privacy. According to the author in order for data protection laws to flesh out not only the fundamental right of data protection, but also play a mediatory role in balancing other rights, the application of the personal/household exception should be extended to include private online activities. This would reflect the complex character of the very concept of online privacy, diversity of actors and activities shaping online “territories”, as well as the increasingly heterogeneous fabric of the Web.     

Profiling the mobile customer – Privacy concerns when behavioural advertisers target mobile phones – Part I

Mobile customers are being tracked and profiled by behavioural advertisers to be able to send them personalized advertising. This process involves data mining consumer databases containing personally-identifying or anonymous data and it raises a host of important privacy concerns. This article, the first in a two part series on consumer information privacy issues on Profiling the Mobile Customer, addresses the questions: “What is profiling in the context of behavioural advertising?” and “How will consumer profiling impact the privacy of mobile customers?” The article examines the EU and U.S. regulatory frameworks for protecting privacy and personal data in regards to profiling by behavioural advertisers that targets mobile customers. It identifies potential harms to privacy and personal data related to profiling for behavioural advertising. It evaluates the extent to which the existing regulatory frameworks in the EU and the U.S. provide an adequate level of privacy protection and identifies key privacy gaps that the behavioural advertising industry and regulators will need to address to adequately protect mobile consumers from profiling by marketers. The upcoming second article in this series will discuss whether industry self-regulation or privacy-enhancing technologies will be adequate to address these privacy gaps and makes suggestions for principles to guide this process.¹     

Privacy by design and anonymisation techniques in action: Case study of Match technology

Privacy by Design is now enjoying widespread acceptance. The EU has recently expressly included it as one of the key principles in the revised data protection legal framework. But how does Privacy by design and data anonymisation work in practise? In this article the authors address this question from a practical point of view by analysing a case study on EU Financial Intelligence Units (“FIUs”) using the Ma³tch technology as additional feature to the existing exchange of information via FIU.NET decentralised computer network. They present, analyse, and evaluate Ma³tch technology from the perspective of personal data protection. The authors conclude that Ma³tch technology can be seen as a valuable example of Privacy by Design. It achieves data anonymisation and enhances data minimisation and data security, which are the fundamental elements of Privacy by Design. Therefore, it may not only improve the exchange of information among FIUs and allow for the data processing to be in line with applicable data protection requirements, but it may also substantially contribute to the protection of privacy of related data subjects. At the same time, the case study clearly shows that Privacy by Design needs to be supported and complemented by appropriate organisational and technical procedures to assure that the technology solutions devised to protect privacy would in fact do so.     

Rethinking the one-stop-shop mechanism: Legal certainty and legitimate expectation

This paper aims to contribute to the discussion concerning the one-stop-shop mechanism proposed in the General Data Protection Regulation (hereinafter “GDPR”). The choice of regulation as the instrument to legislate on data protection is already an unmistakable indication that unification and simplification (together with respect of data subjects' interests) shall be the guide for every legal discussion on the matter. The one-stop-shop mechanism (hereinafter “OSS”) clearly reflects the unification and simplification which the reform aims for. We believe that OSS is logically connected with the idea of one Data Protection Authority (hereinafter “DPA”) with an exclusive jurisdiction and that this can only mean that, given one controller, no other DPA can be a competent authority.² In other words, OSS implies a single and comprehensive competent authority of a given controller. In our analysis we argue that such architecture: a) works well with the “consistency mechanism”; b) provides guarantees to data subjects for a clear allocation of powers (legal certainty); and c) is not at odds with the complaint lodging procedure. Our position on fundamental questions is as follows. What is the perimeter of competence of the DPA in charge? We believe that it should have enforcement power on every issue of the controller, including issuing the fines. How to reconcile such dominant role of one DPA with the principle of co-operation among DPAs? We do not consider co-operation at odds with the rule that decisions are taken by just one single authority. Finally, we share some suggestions on how to make the jurisdiction allocation mechanism (the main establishment criterion) more straightforward.     

Privacy and Search Engines: Forgetting or Contextualizing?

This article considers the much‐criticized ‘right to be forgotten’ in the context of the European Court of Justice's judgment in the Google Spain case. It defends the ‘right to be forgotten’ as a metaphor that can provide us with a better understanding of the particular privacy concerns of the search‐engine age and their interaction with the freedom to access information, and draws on Goffman's idea of ‘information games’ and Nissenbaum's theory of ‘contextual integrity’. While supporting the principles that underpin the judgment, the article rejects the Court's binary approach of ‘forgetting’ versus ‘remembering’ personal information. Instead, it argues that the EU legislator should introduce more nuanced means of addressing modern privacy concerns. By establishing two remedies – ‘delisting’ or ‘reordering’, depending on the nature of the information – online information flows can be adjusted to preserve both the right to privacy and the freedom to access information in more contextually appropriate ways.     

Misuse of private information as a tort: The implications of Google v Judith Vidal-Hall

The Court of Appeal in the recent decision of Google Inc v Judith Vidal Hall¹ has made a number of remarkable rulings in the area of privacy. An important aspect of this decision is that it clarified the legal foundation in which an action for unauthorised disclosure of private information is found. However, the decision itself is not without flaws. This paper seeks to analyse potential problems with the action being classified as a tort as well as the scope of misuse of private information being a form of privacy protection.     

隐私权概念的再界定

隐私权在我国虽然已经得到广泛承认,但是关于其边界等问题仍然存在争议,需要继续研究。隐私权固然存在宪法上的基础,但是主要属于民事权利的范畴。它的具体属性应当是具体人格权而非一般人格权,而且应当在我国未来的《人格权法》中得到规定。隐私权主要包括生活安宁和私人秘密两个方面,未来隐私权的内容也应当以此为基础进行发展和扩张。个人信息资料权不宜纳入隐私权的范畴,它是相对独立于隐私权的一种权利。     

The Singapore Personal Data Protection Act and an assessment of future trends in data privacy reform

In the first part of this paper, I will present and explain the Singapore Personal Data Protection Act (“PDPA”) in the context of legislative developments in the Asian region and against the well-established international baseline privacy standards. In the course of the above evaluation, reference will be made to the national laws and policy on data privacy prior to the enactment of the PDPA as well as current social and market practices in relation to personal data. In the second part of this paper, I will decipher and assess the future trends in data privacy reform and the future development of the privacy regime in Singapore and beyond. In the course of this analysis, international standards, technological trends and recent legal developments in other jurisdictions will be considered.     

Copiepresse SCRL & alii v. Google Inc. – In its decision of 5 May 2011, the Brussels Court of Appeal confirms the prohibitory injunction order banning Google News and Google’s “in cache” function

In 2003, Google made available in Belgium its online free service “Google News”, which consisted in offering Internet users a computer-generated press review. In his orders of 5 September 2006 (previously commented in [2007] 23 CLSR 82–85) and of 13 February 2007 (previously commented in [2007] 23 CLSR 290–293) the President of the High Court of Brussels found that, by offering this service, Google infringed the copyrights of Belgian press editors and authors. On 5 May 2011, the Brussels Court of Appeal upheld to a very large extent the first instance decision. The Court confirmed that Google’s “cache” function and its “Google News” service were infringing the claimants’ copyrights and that Google could not rely on any copyright limitation (such as the exceptions for quotation or for report on news events), legislation or fundamental right.     

The “process” of patenting: Why should we care about a potential U.S. Supreme Court decision in Bilski v. Doll?

In Bilski v. Doll, the U.S. Supreme Court is called to define one of the categories of patent-eligible subject matter, “process” patents. In 2008, the Court of Appeals for the Federal Circuit held that the category has a narrow meaning, and that to be eligible for a process patent under 35 U.S.C. § 101, the invention must involve a machine or apparatus or involve a transformation to a different state or thing, ultimately rejecting the patent application as unpatentable subject matter. The patent applicants have asked the U.S. Supreme Court to determine two issues: first, the meaning of “process” in 35 U.S.C. § 101 and whether the lower court properly relied on a “machine-or-transformation” test, and second, the test's potential conflict with 35 U.S.C. § 273, which provides protection for “method[s] of doing or conducting business.” The Court's decision could change the way that research and business are done, and patent protection for such investments. Parts 1 and 2 of this article address Bilski directly and what is and is not in dispute. Part 3 addresses the “machine-or-transformation” test, while Parts 4 and 5 address reasons not to adopt such a test.     

Robots in the cloud with privacy: A new threat to data protection?

The focus of this paper is on the class of robots for personal or domestic use, which are connected to a networked repository on the internet that allows such machines to share the information required for object recognition, navigation and task completion in the real world. The aim is to shed light on how these robots will challenge current rules on data protection and privacy. On one hand, a new generation of network-centric applications could in fact collect data incessantly and in ways that are “out of control,” because such machines are increasingly “autonomous.” On the other hand, it is likely that individual interaction with personal machines, domestic robots, and so forth, will also affect what U.S. common lawyers sum up with the Katz's test as a reasonable “expectation of privacy.” Whilst lawyers continue to liken people's responsibility for the behaviour of robots to the traditional liability for harm provoked by animals, children, or employees, attention should be drawn to the different ways in which humans will treat, train, or manage their robots-in-the-cloud, and how the human–robot interaction may affect the multiple types of information that are appropriate to reveal, share, or transfer, in a given context.     

The liability of website owners for defamation in Israel: A challenge yet to be solved?

From the end of the twentieth century to the present we have witnessed the effects of technology on the way we consume and distribute information. The print media, which in many ways was the natural product of the printing revolution, has given way to the electronic media with websites providing the new “town squares” in which the public discourse is held on political, economic and social issues among others. The Israeli legal system, like the legal systems in other countries, faces a variety of challenges and complex ethical and legal issues when required to regulate (often retrospectively) the manner and processes through which the discourse will be conducted in the virtual “town hall”. In essence, this article focuses on one of the many questions occupying the Israeli legal system and that is whether website owners should be liable in defamation for speech published by third parties on the Internet (through blogs, tweets on Twitter, posts on Facebook,¹ uploaded video clips on YouTube and the like) when no connection exists between the third party and the site owner apart from the fact that the third party has used the website as a platform to publish the offensive speech. The issue of the liability of the website owner has ramifications for the injured party's capacity to institute an action for defamation against the website owner, as often only the latter will be in a position to compensate the injured party (financially) for the offensive speech. The Israeli legal system, which in many ways furnishes a unique and interesting framework for examining the question posed above, as we explain in the body of the article, presents a fascinating example of how the Israeli legislature and the courts have dealt and continue to deal with claims filed against website owners for damage to reputation as a result of speech published by third parties. The article offers a comprehensive review of the status of the right to freedom of speech, anonymity and the right to reputation in Israel, the considerations for and against the imposition of liability on website owners and the latest case law on these questions.     

Data protection legislation: What is at stake for our society and democracy?

The author starts by questioning the main privacy challenges raised by our present and future information society viewed as a “global village”. Apart from a comparison with the traditional village of our parents, he identifies the two complementary and not dissociable facets of our privacy: the right to seclusion and the right to participate fully in our society. According to the first German Constitutional Court recognizing the right to informational self-determination as a new constitutional right, he underlines the need to analyse the data protection as a tool for ensuring both the citizens' dignity and our democracy.     

… and still we are left wanting: Malta's White Paper on digital rights

CLSR welcomes occasional comment pieces on issues of current importance in the law and technology field from different jurisdictions. In this instance the Government of Malta published a White Paper in October 2012 for public consultation, proposing the introduction of the following four so-called “digital rights” in the Constitution of Malta: (1) the right to Internet access; (2) the right to informational access; (3) the right to informational freedom and (4) the right to digital informational self-determination. The author believes that the proposal is indeed a step in the right direction but lacks punch where it matters most and does not go far enough.     

日本法上的劳动者人格保护—以劳动者健康隐私为中心

劳动者人格保护是现代劳动法上的重要内容。从以恢复劳动者之对等人格的集体劳动法律发展伊始,劳动者如何获得法律上"人"之对待,是促使劳动法发展演进的动力来源之一。我国劳动法上的劳动者人格研究甚少,基本停滞于"劳动者尊严"的保护原则宣誓上,其中,劳动者的健康隐私,在近年社会运动过程中获得了反歧视法上的保护。然而,无论是何种劳动者隐私,均属于劳动者人格权的范围,应当从劳动者人格权保护上予以正视。以日本劳动者人格保护中的健康隐私保护为例,其在实体法和判例法上的经验,可为我国劳动者人格保护问题的研究深入提供借鉴。     

个人信息保护法制管窥

现代意义的隐私权乃是一种“个人信息控制权”,因此有必要对收集、利用、保存、传播他人信息的行为全面进行规范,许多国家先后制定了个人信息保护法。在立法模式上,根据是否以一部法律对公共部门和非公共部门的个人信息处理行为进行规范,分为总括和分离两种模式。在立法内容上,“OECD劝告”曾确立个人信息保护的八项原则,同时个人信息主体的权利可具体化为五项权利。另外,对特定行业制定特别规定是普遍采取的做法。