The 2012 CLSR-LSPI seminar on privacy,data protection & cyber-security – Presented at the 7th international conference on Legal,Security and Privacy Issues in IT law (LSPI) October 2–4, 2012, Athens

This has been a big year for privacy with so much going on within the EU regarding reform of data protection. What are the implications of reform here and what are the issues that concern us about the proposed new data protection regime contained in the proposed Regulation? We hear a lot about the ‘right to be forgotten’. How is that possible in the digital age within the online world? And what can be done about the big players who stand charged with the erosion of privacy viz Facebook, Google, Skype & YouTube etc? How can the law keep up with technological change when the latter is moving so fast e.g. with RFID, Cloud and social networking? To what extent can data breach notification, net neutrality and privacy impact assessment help and how should the law approach issues of liability and criminality in relation to privacy? What is the state of play too in the relationship between privacy policy and state surveillance and, given its implications for privacy, what obligations should governments adopt in response to cybersecurity regulation and data management? Is there a place for privacy self-regulation and if so in what respects and how effective are the Information Commissioners who often complain of being under resourced? In reviewing the way privacy law has emerged do we now need a completely new approach to the whole issue? Has the law crept into its present form simply by default? Do we need some new thinking now that reflects the fact that law is only one dimension in the battle for privacy? If so what are the other factors we need to recognise?     

The Role of Self-Control in College Student’s Perceived Risk and Fear of Online Victimization

College student use of the internet for online social networking purposes is increasing in popularity. Facebook is a social networking website used by college students, with estimates of over 7.5 million users spanning over 2,000 colleges and universities. Unfortunately, Facebook users can encounter some detrimental consequences, including fear of victimization. The purpose of the present study is to examine the correlates and structure of potential fear from using Facebook. Using self-report data from 224 college students at a southeastern university during the spring 2007 semester, we examine the link that low self-control has with perceived risk and with fear of online victimization among Facebook users. The results of the present study are discussed in the context of policy implications.     

The European Union's approach to online behavioural advertising: Protecting individuals or restricting business?

The European Union (EU) has firmly set its stall out to protect individuals' data and privacy and has demonstrated this through the rejection of the old opt-out regime and the introduction of the new opt-in rules. These require businesses to obtain individual's prior and informed consent before their data are collected, stored and used for the purposes of online behavioural advertising (OBA). Individuals in the EU are afforded protection from the apparent dangers relating to data privacy and misuse that is associated with OBA, which is beyond the expectation of most Internet users. However, there are some criticisms levelled at the law that the EU has produced. Is simply gaining informed consent sufficient for protecting all types of information? Do certain types of information require a higher level of consent than others? Does the law fulfil its aim of protecting data subject's privacy and data? Is the current law restrictive to business? Do individuals know or care that their information is being collected for the purposes of targeted advertising and is there a better way to ensure that they do? Finally, will proposed new law to be found in the EU Data Protection Regulation solve any of these problems? This article will assess whether, as a policy decision, the EU's current approach has been too cautious in its attempts to protect individuals or restrict business.     

From ugly duckling to Swan. The rise of data protection and its limits

This article considers the development of data protection laws from a position on the periphery of legal consciousness to the situation where it is the subject of intensive legal and media publicity. Focusing on the recent controversies surrounding the use of Facebook apps for political purposes, the article will consider the role and limitations of data and privacy protection laws. The question will be posed – if not answered – whether national or regional laws can be effective in what increasingly is a global information society.     

Social networking sites and the legal profession: Balancing benefits with navigating minefields

The purpose of this article is to review the impact of social networking sites on law, the legal profession and dispute resolution. Within a very short period of time, social networking sites such as Facebook, Twitter, and MySpace, combined with social networking hardware platforms, such as iPad, iPhone, Blackberry, and Android, have infiltrated the profession of law and dispute resolution. Many legal professionals now have a social networking profile, use information on social networking sites as evidence, and interact with other lawyers and judges through such forums. This increased interaction in a publically accessible and viewable medium presents a challenge to the legal profession's traditional ideas of independence, confidentiality, and rules of evidence. Social networking mediums are here to stay. Therefore, this article looks at how this trend affects law and the legal profession, what issues it presents to lawyers and judges, whether new laws are necessary to take into account the impact of social networking sites and the benefits of such technology in fostering access to justice and helping parties achieve justice.     

Privacy notices versus informational self-determination: Minding the gap

Privacy notices are instruments that intend to inform individuals of the processing of their personal data, their rights as data subjects, as well as any other information required by data protection or privacy laws. The goal of this paper is to clarify the current discourse regarding the (in)utility of privacy notices, particularly in the context of online transactions. The perspective is a European one, meaning that the analysis shall be geared towards the European Data protection framework, particularly the European Data Protection Directive. The paper discusses the role that privacy notices play under the European data protection framework today, summarizes the main critiques regarding the use of privacy notices in practice and develops a number of recommendations.     

Bullying and sexting in social networks: Protecting minors from criminal acts or empowering minors to cope with risky behaviour?

The availability and use of social networking sites creates both opportunities and risks for their young users. This article evaluates the applicability of the current legal framework to (cyber)bullying and sexting, two types of (potentially harmful) behaviour that are increasingly occurring between peers in the social networking environment. The analysis includes a mapping of applicable legislative provisions at the European and national level, an analysis of the Terms of Service of the largest social networking provider, Facebook, and an overview and assessment of self-regulatory initiatives that have been taken by the industry in this area in Europe. The ultimate goal is to identify a number of elements for a comprehensive strategy to ensure that risks of (cyber)bullying and sexting are dealt with in a manner that empowers young users.     

The art of trolling law enforcement: a review and model for implementing ‘flame trolling' legislation enacted in Great Britain (1981–2012)

The advancement of information and communications technology often results in early adoption, followed by concern over a digital divide, followed by mass adoption and then, inevitably, abuse and misuse of that platform. The most recent of these technologies is social networking services. The early adopters used Friendster and MySpace, and the masses now use Facebook and Twitter. The abuse of people on these platforms was called Cyberbullying in the case of the first two in the 2000s, and Internet trolling in the case of the second two in the 2010s. This paper reviews the legislation enacted in the UK parliament between 1981 and 2012 to deal with these offences, called ‘flame trolling’, for those based on transgress humour, or electronic message faults more generally. The paper presents a framework that includes a ‘Trolling Magnitude Scale’ based on established trolling culture, in order to link the legislative offences to the severities of those faults, as well as to the ability of specific Internet users to tolerate them or otherwise. The paper concludes that by using this framework law enforcement agencies such as the police can apply the laws more fairly and proportionally to protect free speech and at the same time be tough on the causes of electronic message faults in the form of Internet abuse and data misuse.     

Restoring Dignity and Harmony to United States-European Union Data Protection Regulation

Global data protection laws can be described, at best, as contradictory in philosophy and practice. The 2015 decision by the Court of Justice for the European Union declaring the mechanism for data transfer between the United States and European Union known as “Safe Harbor” invalid and the criticism of its replacement, Privacy Shield, is representative of the conflict in this area. Such contention often stems from the differences in privacy rationales and theories of the United States and European Union. This article examines the recent developments in data protection regulations, and makes the argument that issues such as data protection, and specifically data shared with intelligence agencies, should be analyzed through the privacy principle of dignity and that the law of confidentiality should be applied to data protection cases, thereby instilling more harmony into the data privacy approaches of the United States and the European Union.     

The German Facebook case: the law and economics of the relationship between competition and data protection law

European Journal of Law and Economics - Can competition law consider effects on privacy, or should privacy concerns of data-collecting behaviour only be dealt with by data protection law? In this...     

Governing digital societies: Private platforms,public values

Online digital platforms have deeply penetrated every sector in society, disrupting markets, labor relations and institutions, while transforming social and civic practices. Moreover, platform dynamics have affected the very core of democratic processes and political communication. After a decade of platform euphoria, in which tech companies were celebrated for empowering ordinary users, problems have been mounting over the past three years. Disinformation, fake news, and hate speech spread via YouTube, Twitter, and Facebook poisoned public discourse and influenced elections. The Facebook—Cambridge Analytica scandal epitomized the many privacy breaches and security leaks dogging social media networks. Further compounded by charges of tax evasion and the undermining of fair labor laws, big tech companies are facing a serious ‘techlash’. As some argued, the promotion of longstanding public values such as tolerance, democracy, and transparency are increasingly compromised by the global ‘exports’ of American tech companies which dominate the online infrastructure for the distribution of online cultural goods: news, video, social talk, and private communication (Geltzer & Gosh, 2018). As extensively discussed in our book ‘The Platform Society: Public Values in a Connected World’, the digitization and ‘platformization’ of societies involve several intense struggles between competing ideological systems and their contesting actors, prompting important questions: Who should be responsible for anchoring public values in platform societies that are driven by algorithms and fueled by data? What kind of public values should be negotiated? And how can European citizens and governments guard certain social and cultural values while being dependent on a platform ecosystem which architecture is based on commercial values and is rooted in a neolibertarian world view?     

‘Notice and staydown’ and social media: amending Article 13 of the Proposed Directive on Copyright

ABSTRACT

This paper critically assesses the compatibility of content recognition and filtering technology or so-called notice and staydown approach with the right of social network platforms and users to a fair trial, privacy and freedom of expression under Articles 6, 8 and 10 of the European Convention on Human Rights (1950) (ECHR). The analysis draws on Article 13 of the European Commission’s proposal for a Directive on Copyright, the case-law of the Strasbourg and Luxembourg Court and academic literature. It argues that the adoption of content recognition and filtering technology could pose a threat to social network platforms and user human rights. It considers the compliance of ‘notice and staydown’ with the European Court of Human Rights’ (ECtHR) three-part, non-cumulative test, to determine whether a ‘notice and staydown’ approach is, firstly, ‘in accordance with the law’, secondly, pursues one or more legitimate aims included in Article 8(2) and 10(2) ECHR and thirdly, is ‘necessary’ and ‘proportionate’. It concludes that ‘notice and staydown’ could infringe part one and part three of the ECtHR test as well as the ECtHR principle of equality of arms, thereby violating the rights of social network platforms and users under Articles 6, 8 and 10 of the Convention.     

Citizens' perceptions of data protection and privacy in Europe

Data protection and privacy gain social importance as technology and data flows play an ever greater role in shaping social structure. Despite this, understanding of public opinion on these issues is conspicuously lacking. This article is a meta-analysis of public opinion surveys on data protection and privacy focussed on EU citizens. The article firstly considers the understanding and awareness of the legal framework for protection as a solid manifestation of the complex concepts of data protection and privacy. This is followed by a consideration of perceptions of privacy and data protection in relation to other social goals, focussing on the most visible of these contexts–the debate surrounding privacy, data protection and security. The article then considers how citizens perceive the ‘real world’ environment in which data processing takes place, before finally considering the public's perception and evaluation of the operation of framework against environment.     

Privacy and the precautionary principle

The precautionary principle – which implies that where there are threats of serious or irreversible damage, lack of full scientific certainty shall not be used as a reason for postponing protective measures – has been adopted as a standard of environmental and health protection in international and European legislation. This article offers an overview of the precautionary principle as a legal standard applicable to European privacy and data protection legislation. For this reason, it takes particularly into account the guidelines of this legislation as well as the privacy impact assessment framework, raised by the European Commission through the Recommendation on Radio-Frequency Identification applications. In brief, the article stresses the role of the precautionary principle in improving privacy protection through liability, prudence and transparency.     

When a ‘Like’ Is Not a ‘Like’: A New Fragmented Approach to Data Controllership

In Fashion ID, the Court of Justice of the European Union (‘CJEU’) held that an operator of a website featuring a Facebook ‘Like’ button is a data controller under EU Directive 95/46 (‘Directive’) jointly with Facebook in respect of the collection and transmission of the personal data of website visitors to Facebook, but Facebook alone is a data controller for any subsequent data processing. While the CJEUs expansive interpretation of joint controllership aims to leave ‘no gaps’ in the protection of individuals, we question whether the proposed solution to ‘fragment’ controllership into different stages of processing helps to achieve that goal. We argue that CJEUs ‘fragmented’ approach is incompatible with the GDPR, as it does not reveal the intended purposes of data processing, and thus negates informed and specific consent. We suggest that such ‘fragmentation’ undermines the consistency, predictability and transparency of EU data protection law by obscuring the pervasiveness of data commodification in the digital economy.     

U.S Federal Trade Commission hosts public forum on facial recognition technology

On December 8, 2011, the United States Federal Trade Commission hosted “Face Facts, A Forum on Facial Recognition Technology,” a one-day public forum exploring emerging issues in the field of facial recognition in Washington, D.C. Consisting of thought leaders from academics, government and industry, four panels analyzed and discussed the technology behind facial recognition, current and potential uses of that technology, and the privacy and security concerns raised by this newly-emerging technology. The event was open to the public and was made available on the Internet via webcast.     

论网络隐私权的立法保护

在日新月异的高科技发展过程中,弘扬人的主体性,保障人格尊严、生活自由、个人权利之不可侵犯,是民法学与时俱进的使命。网络信息技术的飞速发展和广泛应用,在带给人们方便、快捷的生活方式和巨大商业利益的同时,也给人们隐私权的保护带来了新的挑战。实践中网上侵权事件,尤其是侵害网络隐私权的事件频繁发生,使得网络隐私权的立法保护成为理论和实践中的一个热点问题。本文通过研究以美国和欧盟为代表的两大立法模式以及目前我国在网络隐私权方面的立法状况,对构建我国网络隐私权立法保护体系提出了一些对策和建议。     

社交网络对于个人隐私的挑战

社交网络的两个主要作用是建立和扩展人际关系.然而,大部分的社交网络用户并不知道有关他们个人隐私的信息未经其允许会被泄漏,并通过多种传播方式进行传播,以致有可能因个人隐私的泄漏而使隐私权受损.同时,现代计算机加密技术的高度复杂性也使得一般的网络用户根本无法使用加密技术对其个人隐私进行自我保护.隐私信息的商品化更加刺激了相关信息的传播.因此,我国应借鉴国外相关立法和规范社交网络经验,从制定网络隐私法、加强网络伦理建设等方面引导社交网络信息传播向良性、健康的方向发展.     

Personal Data and the GDPR: Providing a Competitive Advantage for U.S. Companies

The European Union's General Data Protection Regulation (GDPR) became applicable in May 2018. Due to the GDPR's extraterritorial scope, which could result in massive fines for U.S. companies, comparative data privacy law is of great current interest. In June 2018, California passed its own Consumer Privacy Act, echoing some of the provisions of the GDPR. Despite the many articles comparing the two schemes of law, little attention has been given to the foundation of these laws, that is, what exactly encompasses the data referred to by these laws? By understanding how the term “personal data” or “personal information” is defined in both jurisdictions, and why these definitions and the treatment of protected data are so different, companies can strategize to take advantage of these developments in the European Union. After explaining the differences in how data is treated in the United States and the European Union by exploring the definitions, regulations, and court cases, we will explore the five legal strategy pathways that companies might pursue with respect to the legal aspects of data transfer and privacy law compliance. While these strategies range from ignoring the law to adopting the European model worldwide, this analysis of legal strategy reveals a means for companies to gain a competitive advantage through their adoption of a worldwide compliance scheme.     

Global Privacy Concerns and Regulation-- Is the United States a World Apart?

The regulatory approach to privacy protection taken by many foreign jurisdictions is markedly different from that of the United States. The European Union (EU) best illustrates the international approach with its comprehensive privacy directive that applies to all EU members. By contrast, the approach regarding data privacy in the United States has been to pass industry-specific laws and often only in response to public outcry over some privacy concern. These fundamental differences have been the source of some conflict in international commercial transacting. Now that the global community is committed to eliminating terrorism, it remains to be seen if these different attitudes toward privacy by the United States and much of the rest of the world will affect global attempts to weed out terrorists. This article discusses the constitutional basis for most US policy approaches to privacy regulation. The article explains how the US constitution is the source for most of the differences between the US and international regulatory approaches to information privacy. Finally, the discussion addresses how new issues regarding privacy in the war on terrorism may be addressed by US Constitutional law.