Profiling the mobile customer – Privacy concerns when behavioural advertisers target mobile phones – Part I

Mobile customers are being tracked and profiled by behavioural advertisers to be able to send them personalized advertising. This process involves data mining consumer databases containing personally-identifying or anonymous data and it raises a host of important privacy concerns. This article, the first in a two part series on consumer information privacy issues on Profiling the Mobile Customer, addresses the questions: “What is profiling in the context of behavioural advertising?” and “How will consumer profiling impact the privacy of mobile customers?” The article examines the EU and U.S. regulatory frameworks for protecting privacy and personal data in regards to profiling by behavioural advertisers that targets mobile customers. It identifies potential harms to privacy and personal data related to profiling for behavioural advertising. It evaluates the extent to which the existing regulatory frameworks in the EU and the U.S. provide an adequate level of privacy protection and identifies key privacy gaps that the behavioural advertising industry and regulators will need to address to adequately protect mobile consumers from profiling by marketers. The upcoming second article in this series will discuss whether industry self-regulation or privacy-enhancing technologies will be adequate to address these privacy gaps and makes suggestions for principles to guide this process.¹     

The future of consumer data protection in the E.U. Re-thinking the “notice and consent” paradigm in the new era of predictive analytics

The new E.U. proposal for a general data protection regulation has been introduced to give an answer to the challenges of the evolving digital environment. In some cases, these expectations could be disappointed, since the proposal is still based on the traditional main pillars of the last generation of data protection laws. In the field of consumer data protection, these pillars are the purpose specification principle, the use limitation principle and the “notice and consent” model. Nevertheless, the complexity of data processing, the power of modern analytics and the “transformative” use of personal information drastically limit the awareness of consumers, their capability to evaluate the various consequences of their choices and to give a free and informed consent.     

The “process” of patenting: Why should we care about a potential U.S. Supreme Court decision in Bilski v. Doll?

In Bilski v. Doll, the U.S. Supreme Court is called to define one of the categories of patent-eligible subject matter, “process” patents. In 2008, the Court of Appeals for the Federal Circuit held that the category has a narrow meaning, and that to be eligible for a process patent under 35 U.S.C. § 101, the invention must involve a machine or apparatus or involve a transformation to a different state or thing, ultimately rejecting the patent application as unpatentable subject matter. The patent applicants have asked the U.S. Supreme Court to determine two issues: first, the meaning of “process” in 35 U.S.C. § 101 and whether the lower court properly relied on a “machine-or-transformation” test, and second, the test's potential conflict with 35 U.S.C. § 273, which provides protection for “method[s] of doing or conducting business.” The Court's decision could change the way that research and business are done, and patent protection for such investments. Parts 1 and 2 of this article address Bilski directly and what is and is not in dispute. Part 3 addresses the “machine-or-transformation” test, while Parts 4 and 5 address reasons not to adopt such a test.     

Cursing the Cloud (or) Controlling the Cloud?

Inspired by the cloud computing hypes, this paper responds to some of the hypes, but not to all. The hype in this paper refers to the level of the adequacy of data protection and privacy in a cloud computing (the Cloud) environment. Paradoxically, this paper proffers observational insights that surround the Cloud from the perspectives of data protection and privacy. It examines briefly the efforts of January 2010 led by Microsoft and anticipating “liability” scenarios. The liability rhetorically refers to the illegal access in the Cloud. This paper does not focus entirely on the technology sophistication; however, it analyses two scenarios of illegal access. To mitigate the liability, it suggests a “Cloud Compliant Strategy (CCS)” being a proposed model to control the Cloud. The observational insights of this paper have also intertwined with the adequacy of data protection from the lenses of the European Union (EU) Data Protection Directive 95/46/EC (DPD) and Safe Harbor provisions (SH).     

Robots in the cloud with privacy: A new threat to data protection?

The focus of this paper is on the class of robots for personal or domestic use, which are connected to a networked repository on the internet that allows such machines to share the information required for object recognition, navigation and task completion in the real world. The aim is to shed light on how these robots will challenge current rules on data protection and privacy. On one hand, a new generation of network-centric applications could in fact collect data incessantly and in ways that are “out of control,” because such machines are increasingly “autonomous.” On the other hand, it is likely that individual interaction with personal machines, domestic robots, and so forth, will also affect what U.S. common lawyers sum up with the Katz's test as a reasonable “expectation of privacy.” Whilst lawyers continue to liken people's responsibility for the behaviour of robots to the traditional liability for harm provoked by animals, children, or employees, attention should be drawn to the different ways in which humans will treat, train, or manage their robots-in-the-cloud, and how the human–robot interaction may affect the multiple types of information that are appropriate to reveal, share, or transfer, in a given context.     

Singapore's Personal Data Protection legislation: Business perspectives

As global digitalisation of information and interconnecting technologies along with new marketing practices and business processes vastly increase the opportunities for data collection, storage, usage and delivery, there is a corresponding increase in consumer expectations of data privacy. These expectations must be met if business organisations are to promote consumer trust and confidence and maintain their overall competitiveness in a global market. It goes without saying that information is the most valuable business asset and “privacy is good business and information can be the basis of bigger business”. The need to protect data privacy has long been recognised and implemented by major trading nations. Surprisingly, Singapore as a financial centre and nation aspiring to be a trusted data hosting hub has been slow in enacting specific data protection laws. The first piece of legislation that has emerged is a light-touch baseline framework applicable to all organisations except the public sector. This article considers the new legislation from the business perspective and the implications for private sector business organisations facing the challenges of compliance.     

Data protection legislation: What is at stake for our society and democracy?

The author starts by questioning the main privacy challenges raised by our present and future information society viewed as a “global village”. Apart from a comparison with the traditional village of our parents, he identifies the two complementary and not dissociable facets of our privacy: the right to seclusion and the right to participate fully in our society. According to the first German Constitutional Court recognizing the right to informational self-determination as a new constitutional right, he underlines the need to analyse the data protection as a tool for ensuring both the citizens' dignity and our democracy.     

Rethinking the one-stop-shop mechanism: Legal certainty and legitimate expectation

This paper aims to contribute to the discussion concerning the one-stop-shop mechanism proposed in the General Data Protection Regulation (hereinafter “GDPR”). The choice of regulation as the instrument to legislate on data protection is already an unmistakable indication that unification and simplification (together with respect of data subjects' interests) shall be the guide for every legal discussion on the matter. The one-stop-shop mechanism (hereinafter “OSS”) clearly reflects the unification and simplification which the reform aims for. We believe that OSS is logically connected with the idea of one Data Protection Authority (hereinafter “DPA”) with an exclusive jurisdiction and that this can only mean that, given one controller, no other DPA can be a competent authority.² In other words, OSS implies a single and comprehensive competent authority of a given controller. In our analysis we argue that such architecture: a) works well with the “consistency mechanism”; b) provides guarantees to data subjects for a clear allocation of powers (legal certainty); and c) is not at odds with the complaint lodging procedure. Our position on fundamental questions is as follows. What is the perimeter of competence of the DPA in charge? We believe that it should have enforcement power on every issue of the controller, including issuing the fines. How to reconcile such dominant role of one DPA with the principle of co-operation among DPAs? We do not consider co-operation at odds with the rule that decisions are taken by just one single authority. Finally, we share some suggestions on how to make the jurisdiction allocation mechanism (the main establishment criterion) more straightforward.     

EU law requirements to provide information to website visitors

This is the first of a planned series of articles considering the EU’s limited harmonisation of the laws regulating the activities of businesses using the Internet. This first article considers five key EU directives, all of which require website operators to provide a variety of information to website visitors. We consider the circumstances in which the various requirements apply and the information that must be provided, to simplify the process of navigating through rules which, although similar in nature, arise from disparate sources. We consider data privacy and “ePrivacy” rules; consumer protection rules arising in the field of e-commerce; and rules protecting potential creditors dealing over the Internet with limited liability companies.     

The Singapore Personal Data Protection Act and an assessment of future trends in data privacy reform

In the first part of this paper, I will present and explain the Singapore Personal Data Protection Act (“PDPA”) in the context of legislative developments in the Asian region and against the well-established international baseline privacy standards. In the course of the above evaluation, reference will be made to the national laws and policy on data privacy prior to the enactment of the PDPA as well as current social and market practices in relation to personal data. In the second part of this paper, I will decipher and assess the future trends in data privacy reform and the future development of the privacy regime in Singapore and beyond. In the course of this analysis, international standards, technological trends and recent legal developments in other jurisdictions will be considered.     

A comparison of proposed legislative data privacy protections in the United States

The use of online consumer tracking methods has raised significant privacy concerns for consumers and policymakers for decades. Advertisers using these methods analyze web-viewing habits to predict consumer preferences and actions. The advertising industry in the United States has promoted self-regulatory principles to respond to these concerns. However, in December 2010, the U.S. Federal Trade Commission reported that these efforts “have been too slow and up to now have failed to provide adequate and meaningful protection.” President Barack Obama's administration has supported broader legislation for comprehensive protection of individuals' private data. The leading model for data privacy protection is the 1980 Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. This article examines two leading legislative privacy proposals in the context of the OECD principles. This examination concludes that, although the proposals do not provide sufficient comprehensive privacy protections, they do fill significant gaps in current U.S. privacy laws.     

The Transition to Group Decision Making in Child Protection Cases: Obtaining Better Results for Children and Families

It was only a few years ago that in most jurisdictions across the United States, decisions at each stage of a child welfare case were made by individual professionals (law enforcement, child protection workers, social workers, and judges) who were all a part of the community's response to child abuse and neglect crises. In the last decade, the development and continuing evolution of best practices have brought about many changes in how professionals approach the resolution of these issues, how they convene interested persons in the decision‐making process, and how families and children participate in decisions. This article will examine some of these changes, with a particular focus on the expanding use of groups and the inclusion of families in these groups to make better decisions in child protection cases.     

There's more to it than data protection – Fundamental rights,privacy and the personal/household exemption in the digital age

Heated debates triggered by the plans to introduce the “right to be forgotten” exposed problems the all-encompassing application of rules on data processing may cause in practice. The purpose of this article is to discuss the compatibility of these rules with the rapidly evolving online environment in the context of the need to guarantee human rights on the internet. The author argues that there is an imbalance in the protection of individual rights online. It results from the limited application of personal/household exception and, in general, the narrow understanding of the concept of online privacy. According to the author in order for data protection laws to flesh out not only the fundamental right of data protection, but also play a mediatory role in balancing other rights, the application of the personal/household exception should be extended to include private online activities. This would reflect the complex character of the very concept of online privacy, diversity of actors and activities shaping online “territories”, as well as the increasingly heterogeneous fabric of the Web.     

“Opt in” and “opt out” mechanisms in the internet era – towards a common theory

In order to provide for adequate legal protection mainly in mass-transactions on the internet, both the legislature and private parties increasingly, resort to so-called “opt in” and “opt out” mechanisms. Whether or not an “opt in” or an “opt out” mechanism is used is often decided on a case-by-case basis. The same is true regarding the circumstances under which private parties are or should be allowed to resort to “opt out” mechanisms, and if so, what restrictions should safeguard the free will of the addressees of such mechanisms. This paper argues that the existing “opt in” and “opt out” schemes should not be regarded and discussed as isolated phenomena. Rather, they should be analyzed from the viewpoint of a common underlying legal theory which builds on the common character of the underlying regulatory structure of all “opt in” and “opt out” schemes. This requires a complex matrix which comprises not only the opposites of “in” and “out”, but also of “active” and “inactive”, of “preference” and “non-preference” for the respective default rules, as well as of “ex ante” and “ex post” enforcement of the law. It also involves normative, economic, psychological and, last but not least, technical issues.     

‘Modernising’ data protection Convention 108: A safe basis for a global privacy treaty?

Proposals for the reform or ‘modernisation’ of Council of Europe Data Protection Convention 108 have now been forwarded from the Convention's Consultative Committee for consideration by the Council of Ministers. This article assesses the changes proposed, which strengthen the obligations of Parties to implement the Convention as a matter of effective practice, not just as a law on paper. It tightens most of the existing data protection principles, and adds new ones which better align the Convention with the EU Directive (and proposed Regulation). The Convention Committee will have explicit new functions including assessing candidates for accession, and periodically reviewing implementation by existing parties. However, the proposals concerning the required standard for data export limitations are in some respects ill-defined and dangerous for data subjects. The existing standard that personal data can only be exported if the recipient provides ‘adequate’ protection has been abandoned for an undefined requirement of ‘appropriate’ protection. The article situates the risk of abandoning meaningful data export restrictions in the context of the USA's push for ‘interoperability’ of very different data protection standards.     

Data security: Past,present and future

The loss by Her Majesty's Revenue and Customs (HMRC) of two CDs containing 25 million child benefit details has changed the data security landscape forever. No longer is data security the exclusive and rather arcane preserve of spotty technology professionals or data protection lawyers. HMRC has thrust data security onto the front pages of the mainstream media and brought it very suddenly to the top of the political and commercial agendas of senior politicians and boards of directors. In this article, the author will outline the reasons behind the rise of data security as a front line issue and examine the lessons to be learnt from HMRC. He will analyse the different facets of data security risk and explore ways in which organisations can go about managing it. He will outline the attitude of regulators to data security and where regulatory developments are likely to take us. The final part of the article looks into the future, with particular focus on the emergence of privacy enhancing technologies.     

European national news

The regular article tracking developments at the national level in key European countries in the area of IT and communications - co-ordinated by Herbert Smith LLP and contributed to by firms across Europe. This column provides a concise alerting service of important national developments in key European countries. Part of its purpose is to compliment the Journal’s feature articles and briefing notes by keeping readers abreast of what is currently happening “on the ground” at a national level in implementing EU level legislation and international conventions and treaties. Where an item of European National News is of particular significance, CLSR may also cover it in more detail in the current or a subsequent edition.     

A study of criminal justice policymakers' perspectives: The forgotten component in boot camp programs and goals

Does occupation (sheriff, prosecutor, prison administrator, or parole/probation official) influence selection of boot camp components; especially the traditional positions of “punishers,” usually sheriffs and prosecuting attorneys, and “reformers,” usually prison and probation? As part of a larger study and at the request of the Missouri Department of Corrections, 670 questionnaires were mailed to all Missouri sheriffs, prosecutors, selected prison administrators, probation/parole staff, all public defenders, selected legislatures, and judges in Missouri. Respondents were asked to rank potential boot camp goals and programs using a Likert-type preferences scale of 1 = low preference to 5 = high preference. Three hundred fifty-three were returned, for a return rate of 53 percent. Using the Missouri survey data, the research question for this article was: Did occupation influence selection of boot camp components? To test the association of occupation with selection, a shorter list was compiled from the Missouri survey data of six typical “punishment” items and six typical “reform” items as selected from the literature. Means and a t-test of significance were calculated. Results showed traditional positions of “punishment” and “reform” did not drive program choices. Preference for “reform” items by all occupations was higher than preference for “punishment” items. Results showed a potential shift away from the early military - punishment style of early boot camps. Correctional agencies thinking of reconfiguring or building new boot camps could use the results as a guide.     

The rule of law online: Treating data like the sale of goods: Lessons for the internet from OECD and CISG and sacking Google as the regulator

The decision of the Court of Justice of the European Union (“CJEU”) in the case of Google Spain SL v Agencia Española de Protección de Datos (AEPD) ² [“the Google decision”] to require Google to enforce a right to be forgotten has caused a furore and sets a dangerous precedent in internet regulation. ³ It is setting up the search engine as a form of Internet Government and fracturing the balance between privacy and freedom of information in the connected world. In a world where we have become attuned to full exposure by routinely signing over access to information, privacy is no longer the issue – the real concern is control. This paper seeks to address the issues of whether we have a right to privacy anymore, who should be making decisions about what is available and where and how a global convention on access to information might be achieved.