Pricing privacy – the right to know the value of your personal data

The commodification of digital identities is an emerging reality in the data-driven economy. Personal data of individuals represent monetary value in the data-driven economy and are often considered a counter performance for “free” digital services or for discounts for online products and services. Furthermore, customer data and profiling algorithms are already considered a business asset and protected through trade secrets. At the same time, individuals do not seem to be fully aware of the monetary value of their personal data and tend to underestimate their economic power within the data-driven economy and to passively succumb to the propertization of their digital identity. An effort that can increase awareness of consumers/users on their own personal information could be making them aware of the monetary value of their personal data. In other words, if individuals are shown the “price” of their personal data, they can acquire higher awareness about their power in the digital market and thus be effectively empowered for the protection of their information privacy. This paper analyzes whether consumers/users should have a right to know the value of their personal data. After analyzing how EU legislation is already developing in the direction of propertization and monetization of personal data, different models for quantifying the value of personal data are investigated. These models are discussed, not to determine the actual prices of personal data, but to show that the monetary value of personal data can be quantified, a conditio-sine-qua-non for the right to know the value of your personal data. Next, active choice models, in which users are offered the option to pay for online services, either with their personal data or with money, are discussed. It is concluded, however, that these models are incompatible with EU data protection law. Finally, practical, moral and cognitive problems of pricing privacy are discussed as an introduction to further research. We conclude that such research is needed to see to which extent these problems can be solved or mitigated. Only then, it can be determined whether the benefits of introducing a right to know the value of your personal data outweigh the problems and hurdles related to it.     

How to attribute the right to data portability in Europe: A comparative analysis of legislations

The number of online services is constantly growing, offering numerous and unprecedented advantages for consumers. Often, the access to these services requires the disclosure of personal information. This personal data is very valuable as it concedes significant advantages over competitors, allowing better answers to the customer's needs and therefore offering services of a better quality. For some services, analysing the customers' data is at the core of their business model. Furthermore, personal data has a monetary value as it enables the service providers to pursue targeted advertising. Usually, the first companies who provide a service will benefit from large volumes of data and might create market entrance barriers for new online providers, thus preventing users from the benefits of competition. Furthermore, by holding a grip on this personal data, they are making it more expensive or burdensome for the user to shift to a new service. Because of this value, online services tend to keep collected information and impede their users to reuse the personal data they have provided. This behaviour results in the creation of a lock-in effect. Upcoming awareness for this problem has led to the demand of a right to data portability. The aim of this paper is to analyse the different legislative systems that exist or have been recently created in this regard that would grant a right to data portability. Firstly, this article draws up the framework of data portability, explaining its origin, general aspects, advantages as well as its possible downfalls. Secondly, the core of the article is approached as the different ways of granting data portability are analysed. In this regard, the possible application of European Competition Law to prohibit restrictions to data portability is examined. Afterwards, an examination of the application of U.S. Antitrust Law is made to determine whether it could be a source of inspiration for European legislators. Finally, an analysis of the new General Data Protection Regulation is made with respect to the development of data portability throughout the European legislative procedure. This article makes a cross-examination of legislations, compares them with one another in order to offer a reflection on the future of portable data in Europe, and finally attempts to identify the best approach to attribute data portability.     

“大数据杀熟”行为政府治理路径探讨

“大数据杀熟”行为严重损害了消费者权益。相对于传统商业“杀熟”行为,“大数据杀熟”行为更隐蔽,消费者维权更艰难。这种利用算法应用技术损害消费者权益的行为严重违背商业伦理,不仅关乎消费者个人权益,更会影响公共利益,仅凭市场调节难以纠正,需要通过法律进行救济。政府应在遵循辅助性原则的前提下,通过算法应用技术备案、建立“政府-社会”合作规制等制度,用新制度规制新技术,更好地发挥政府在治理“大数据杀熟”行为过程中的作用,保护消费者权益和社会公共利益。     

EU General Data Protection Regulation: Changes and implications for personal data collecting companies

The General Data Protection Regulation (GDPR) will come into force in the European Union (EU) in May 2018 to meet current challenges related to personal data protection and to harmonise data protection across the EU. Although the GDPR is anticipated to benefit companies by offering consistency in data protection activities and liabilities across the EU countries and by enabling more integrated EU-wide data protection policies, it poses new challenges to companies. They are not necessarily prepared for the changes and may lack awareness of the upcoming requirements and the GDPR's coercive measures. The implementation of the GDPR requirements demands substantial financial and human resources, as well as training of employees; hence, companies need guidance to support them in this transition. The purposes of this study were to compare the current Data Protection Directive 95/46/EC with the GDPR by systematically analysing their differences and to identify the GDPR's practical implications, specifically for companies that provide services based on personal data. This study aimed to identify and discuss the changes introduced by the GDPR that would have the most practical relevance to these companies and possibly affect their data management and usage practices. Therefore, a review and a thematic analysis and synthesis of the article-level changes were carried out. Through the analysis, the key practical implications of the changes were identified and classified. As a synthesis of the results, a framework was developed, presenting 12 aspects of these implications and the corresponding guidance on how to prepare for the new requirements. These aspects cover business strategies and practices, as well as organisational and technical measures.     

The exploitation of Business Register data from a public sector information and data protection perspective: A case study

Business Registers (BRs) are a very important information resource for investors, creditors, financial institutions and public authorities. The possibility to aggregate and interconnect these data at a European level could enhance the transparency of companies towards those actors and add a great deal of value to the raw Business Register data. The European BRITE project intended to provide adequate tools to meet these demands. BRITE will provide easier access and cross-border interoperability of Business Register data throughout Europe. On the other hand, the processing of BR data within the BRs and BRITE triggers several important European legislations such as the Data Protection Directive and the Directive on the re-use of public sector information. In this paper, the processing of BR data will be analysed from the perspective of both data protection and public sector information laws, analysing as well the relation between both regulations. Do these regulations strike an optimal balance between the interests of private data vendors to re-use BR data and enhance business transparency and the need to protect the personal data of natural persons?     

The new German Data Protection Act and its compatibility with the European Data Protection Directive

A substitution of the right to maintain mailing lists for marketing purposes (the so-called list privilege) by a strict opt-in requirement as proposed by the German Government for the amendment of the German Data Protection Act does not conform with European law. Making the use of relatively innocuous data like name and address for marketing purposes subject to the data subject's declaration of consent infringes upon the requirements of the European Data Protection Directive. The Directive allows for the use of personal data either on the basis of a data subject's declaration of consent or after a balancing of legally protected interests. Reducing this two-track model to a one-track model (based on the data subject's declaration of consent only) does not do justice to the idea of balancing of interests or free movement of goods and services which are a mandatory part of European law. The draft bill interferes drastically with the free movement of goods and services. A tightening of the opt-in requirements would be a severe burden for the German economy because it is impossible for businesses to distribute their goods and services without the help of marketing measures. The economic cycle would be hit at its weakest point, i.e. the link between businesses and consumers which is gaining more and more importance especially with a view to cross-border competition.     

Mystery shopping: demand-side phenomena in markets for personal plight legal services

ABSTRACT

“Personal plight” is the sector of the legal services industry in which the clients are individuals, and the legal needs arise from disputes. This article proposes that competition among personal plight law firms is suppressed by three demand-side phenomena. First, consumers confront high search costs. Identifying competing law firms willing and able to provide the needed services often requires significant expenditure of temporal and psychological resources. Second, comparable price and quality information about firms is scarce for consumers. Both of these factors impede comparison shopping and reduce competitive pressure on firms. A third competition-suppressing factor is observed in tort legal service markets, where offerings are typically priced on a contingency basis. Contingency fees have relatively low salience to consumers, and this reduces consumers’ willingness to negotiate and comparison-shop on the basis of price. This analysis is supported by the author’s empirical research with Ontario personal plight lawyers as well as the existing literature. The article concludes by suggesting possible consequences of this analysis for regulatory policy.     

Regulatory Disclosure of Offending Companies in the Dutch Financial Market: Consumer Protection or Enforcement Publicity?

Regulatory disclosure of names of offending companies is increasingly popular as an alternative to traditional command and control regulation. The goals and intended effects of disclosure are not always clear, however. Do regulators wish to increase their transparency, or do they intend to name and shame? This article aims to contribute to a better understanding of the underlying working mechanism of regulatory disclosure of offenders' names through a case study of the Dutch Authority for Financial Markets' disclosure policy. It distinguishes two types of disclosure strategies: consumer oriented and firm oriented. The case study shows that although informing consumers was the primary purpose of disclosure as intended by the Dutch legislature, the purpose in practice has shifted to informing companies about the regulators' enforcement policy. The nature of the disclosed information makes it unlikely that disclosure adequately prevents financial risk taking by consumers. Instead of empowering consumers, disclosure has been incorporated in a traditional deterrence logic, turning out not to be an example of new governance but instead a modern version of command and control enforcement publicity.     

The obligation to provide “non-personalised” search results under the Chinese E-commerce law

Pursuant to Article 18(1) of the Chinese E-Commerce Law, e-commerce business has an obligation, when providing search results for goods and services based on consumers’ hobbies, consumption habit, or any other traits, to provide them with options that do not target their identifiable personal traits. The law does not provide any elaboration on the precise scope of application of the said provision. Yet, a plain literal interpretation of this obligation may lead to a broad requirement where the business operator has to provide a truly random “non-personalised” set of search results in all circumstances whenever personalised services are provided. Such an interpretation is in all likelihood unreasonable and impractical. This article argues that the proper interpretation of Article 18(1) should be based on its regulatory purpose to protect the lawful rights and interests of consumers. It further considers the precise types of rights and interests that ought to be protected by Article 18(1), and concludes that its appropriate scope of application should be limited to targeted personalisation of search results, which infringe on the consumers’ right to obtain true information and entitlement to human dignity. Personalisation which does not violate the said right and entitlement, should not fall within the regulatory ambit of Article 18(1).     

The Lion, the Dragon and the Wardrobe Guarding the Doorway to Information and Communications Privacy on the Internet: A Comparative Case Study of Hong Kong and Singapore - Two Differing Asian Approaches

Almost a decade ago, the electronic commerce revolution began,led by such companies as Amazon.com and Ebay.com. These companieshave grown into the internet business giants they are today,diversifying in the products they sell, the services they provideand the jurisdictions they conduct business in. However, asidefrom these rare examples, most medium and small internet-basedbusiness enterprises have grown with the dot.com bubble anddissolved when it burst mid-way through the decade. Now, atthe 10th Anniversary of Electronic Commerce, after we have seenthe dot.com way of doing business launch like a rocket and plungelike a comet, subsequently emerging into a more cautious, butno less potential, avenue of doing business, other challengesnow face the industry as a whole to retain and obtain customers.Internet users are becoming increasingly wary of online transactions.²The irony is that as internet users become technologically savvy,they also become more aware of the dangers which connectivityentails and this inhibits their online behaviour. Chief amongthese concerns, and second only to cybercrimes, is the maintenanceof privacy in the context of the protection of personal information,particularly from the unsavory elements trawling the cyberworld.For cyber-trade and the e-commerce market to grow, and for thecontinued efficiency and utility of the internet for G2C andB2C transactions,³ governments and industries must re-instillthe trust and confidence of internet users both in commercialand non-commercial interaction.⁴     

"彩信"手机侵犯隐私权之法律探讨

2002年10月1日中国移动公司正式推出融合彩色图像、声音、文字于一体的"彩信"业务,即媒体短消息业务(MultimediaMessageService,"MMS")。该业务使用户能用"彩信"手机拍摄照片,通过"MMS"网络系统将照片以短消息的形式发送到其他"彩信"手机上或者发送到互联网上。信息获取和传输技术创造性的革新将人们的生活私事进一步公开化地暴露在他人面前。"彩信"手机和业务的出现对隐私权的保护提出了新的课题。通过分析"彩信"手机侵权方式的特点、性质和我国立法现状提出了一些思考。     

China's new regulatory regime tailored for the sharing economy: The case of Uber under Chinese local government regulation in comparison to the EU,US, and the UK

Although Uber's arrival in China has resulted in disruptive competition for incumbent taxi companies, it offers an attractive alternative in China's supply-demand-imbalanced urban passenger transport system. China's regulatory regime for Uber has evolved in three stages: from the regulatory vacuum prior to 2015 to its official legalization in 2015–2016, and the enactment of numerous local regulations in 2016, with specific and more demanding requirements for Uber. This policy is a part of the Chinese approach to the gradual liberalization of the urban passenger transport market. Policymakers should consider ‘fair competition’ as the guiding principle to balance the interests of sharing firms and incumbent service providers, as well as between different sharing firms. The core value of this principle lies in the benefits it provides for consumers and the way it engenders a pro-competitive market environment. The labor protection arrangements for sharing firms’ laborers should be more flexible and diversified. In order to recognize whether an Uber-Driver is an employee or independent contractor, a new standard taking into account a range of factors should be established through collective negotiations between the participants of the sharing economy, and dialogues between members of the judiciary, academics, and the policymakers. Further, consumer protection law and personal data protection provisions should apply when sharing firms misuse their distinctive algorithmic management model to compete unfairly to the detriment of consumers and other users. Ex ante regulatory measures designed to protect the personal data of users should be introduced for deployment in the context of the sharing economy. When enforcing these rules, a balance should be struck ensuring free data flow that is essential to sharing firms’ innovation and competition, and the need to ensure the level of data security required to underpin a well-functioning sharing society.     

Smart meters and the information panopticon: beyond the rhetoric of compliance

The Smart Meter Implementation Programme is the Government's flagship energy policy. In its search for solutions to address privacy dilemmas raised by smart meters, the Government has been content with using data protection principles as a policy framework to regulate the processing of consumers' personal information. This is worrying since the question of who has access to what type of information and how it is used cannot simply be regarded as raising information security, authenticity and integrity issues. If we are to go beyond the rhetoric of protecting the privacy rights of energy consumers we must scrutinise the context in which legitimate interests and reasonable expectations of privacy subsist. To remedy this apparent policy oversight, the paper undertakes two tasks: first, to clarify the content and application of data protection and privacy rights to smart meters; and second, it outlines a policy framework that will address the lack of specificity on how best innovation and privacy issues can be better calibrated. More importantly, it calls for targeted substantive reforms, development of accessible privacy policies and information management practices that promote transparency and accountability and deployment of technological solutions that will help reduce emerging fault lines between innovation and privacy in this sphere of energy policymaking.     

The Transparency Trap: Non‐Financial Disclosure and the Responsibility of Business to Respect Human Rights

This article examines the potential for transparency programs to improve corporations’ human rights performance. The primary focus is on “general” transparency programs such as the inclusion of human rights issues in sustainability reports. Regulators increasingly rely on such programs, one of which is the EU Directive on the Disclosure of Non‐financial Information, which many commentators view as a model for legislation in other countries and for a business and human rights treaty. This article identifies several problems with this approach. The human rights metrics used in current sustainability reporting standards often lack validity or are based upon data that is most easily collected, rather than most important. Moreover, the empirical evidence on sustainability reporting shows continued problems of selective disclosure, impression management, incomparable disclosures, and the use of disclosure as an end in itself (as opposed to a process that leads to organizational change). To move forward, regulators should shift focus to a model grounded in regulatory pluralism. Under this approach, regulators would combine a selection of targeted transparency mechanisms to create a more complete regulatory system that corrects for one disclosure mechanism's weaknesses by including others that have complementary strengths.     

Profiling tax and financial behaviour with big data under the GDPR

Big data and machine learning algorithms have paved the way towards the bulk accumulation of tax and financial data which are exploited to either provide novel financial services to consumers or to augment authorities with automated conformance checks. In this regard, the international and EU policies toward collecting and exchanging a large amount of personal tax and financial data to facilitate innovation and to promote transparency in the financial and tax domain have been increased substantially over the last years. However, this vast collection and utilization of “big” tax and financial data raise also considerations around privacy and data protection, especially when these data are fed to clever algorithms to build detailed personal profiles or to take automated decisions which may exceptionally affect people's lives. Ultimately, these practices of profiling tax and financial behaviour provide fertile ground for discriminating processing of individuals and groups.In light of the above, this paper aims to shed light on the following four interdependent and highly disputed areas: firstly, to review the most well-known profiling and automated decision risks emerged from big data technology and machine learning algorithmic processing as well as to analyse their impact on the tax and financial privacy rights through their immense profiling practices; secondly, to document the current EU initiatives toward financial and tax transparency, namely the AEOI, PSD2, MiFID2, and data retention policies, along with their implications for personal data protection when used for profiling and automated decision purposes; thirdly, to highlight the way forward for mitigating the risks of profiling and automated decision in the big data era and to investigate the protection of individuals against these practices in the light of the new technical and legal frameworks; in this respect, we finally delve into the regulatory EU efforts towards fairer and accountable profiling and automated decision processes, and in particular we examine the extent to which the GDPR provisions establishes a protection regime for individuals against advanced profiling techniques, enabling thus accountability and transparency.     

信息信义义务理论之批判

“信息信义义务”理论已掀起网络平台监管争论的汹涌波涛,该理论经由杰克·巴尔金(Jack Balkin)教授发展,旨在“一碗水端平”一般用户与搜集、分析、出卖个人信息为业的数据公司之间的关系。在处理医患关系、律师与客户、会计师与客户的关系时,法律课以医生、律师和会计师特殊的注意、保密和忠实义务。巴尔金教授主张,与之相类似,在处理脸书(Facebook)、谷歌(Google)和推特(Twitter)等公司与终端用户的关系时,也应课以公司类似的特殊义务。过去数年里,该论断赢得了广泛的支持,鲜有敌手。但信息信义义务理论存在潜在矛盾和模棱两可之处,其是否有能力解决上述问题使人生疑。故此,本文揭示上述理论缺陷,意在瓦解“信息信义义务”新理论共识。尽管我们同意巴尔金教授“占主导地位的网络平台造成损害,由此呼唤法律的介入管制”的论断,但我们质疑信息信义义务这套理论是否能充分、恰当地回应所谓的信息不安全问题,更勿论一些更为根本的问题——建立于监视渗透基础上的优势市场份额以及与商业模式相关的根本问题。我们也呼吁重视信息信义义务这一理论框架的潜在成本——我们担心,该理论框架会对网络平台的结构性权利产生一种盲目的自满,也过早地放弃了对公共监管的更美愿景。     

Transparency Mechanisms: Building Publicness into Public Services

Recent changes in patterns of public service provision, sometimes associated with the 'regulatory state', have been said to have eroded citizenship and diminished accountability. This paper responds to these challenges by outlining a toolbox of four transparency mechanisms – information, choice, representation, and voice – as alternative devices that can be built into the architecture of public service regimes, to increase responsiveness and answerability. Using insights drawn from cybernetics and transaction cost analysis, this paper looks at the consequences of different choices of combinations of mechanisms in allocating authority in line with competing administrative doctrines of fiduciary trusteeship and consumer sovereignty. Attention is drawn to differences in 'cost profiles' between different public services that can facilitate or inhibit consumer choice as a basis for understanding the suitability of different combinations of mechanisms to specific public services. A contingency model determining the suitability of particular mechanisms to particular services of different 'cost-profiles' is presented. Given the variety of public services and among different public service architectures in the regulatory state, it is argued that this differentiated approach to transparency and accountability provides a more effective response to holding public services accountable than narrower traditional notions of political accountability.     

Supplemental Security Income for the Aged, Blind and Disabled (SSI) program demonstration project; treatment of cash received and conserved to pay for medical or social services--SSA. Notice

The Commissioner of Social Security will conduct a demonstration project to test how certain altered resources counting rules might apply in the SSI program. The SSI program is authorized by title XVI of the Social Security Act (the Act). The rules which will be tested are those that apply to the treatment of cash received and conserved to pay for medical or social services. Cash which is received for the purposes of payment for medical or social services is not counted as income to the beneficiary when received. If cash received for medical or social services which is not a reimbursement for these services already paid for by the beneficiary is conserved, it is not counted as a resource for the calendar month following the month of receipt, so long as it remains separately identifiable from other resources of the individual. Beginning with the second calendar month following the month of receipt, cash received for the payment of medical or social services becomes a countable resource used in the determination of SSI eligibility. The Health Care Financing Administration of the Department of Health and Human Services (DHHS) is collaborating with the States of Arkansas, Florida, New Jersey and New York and with the National Program Office at the University of Maryland's Center on Aging, the Robert Wood Johnson Foundation, the Office of the Assistant Secretary for Planning and Evaluation of the DHHS, the National Council on Aging and Mathematica Policy Research (the evaluator) on a demonstration project to provide greater autonomy to the consumers of personal assistance services. Personal assistance services are help with the basic activities of daily living, including bathing, dressing, transferring, toileting, and eating, and/or instrumental activities of daily living such as housekeeping, meal preparation, shopping, laundry, money management and medication management. Consumers of personal assistance services who participate in this demonstration will be empowered by purchasing the services they require (including medical and social services) to perform the activities of daily living. In order to accomplish the objective of the demonstration project, cash allowances and information services will be provided directly to persons with disabilities to enable them to choose and purchase services from providers which they feel would best meet their needs. Medicaid is the predominant source of public financing for personal assistance services programs for the aged, blind and disabled. The demonstration which will permit the States of Arkansas, Florida, New Jersey and New York to waive certain requirements under title XIX of the Act to participate in this "Cash and Counseling" demonstration is within the authority granted to the Secretary of Health and Human Services (HHS) by section 1115 of the Act. Medicaid beneficiaries who participate in this demonstration will be given cash to purchase the services they need from traditional and nontraditional providers as they deem appropriate. Counseling will be available for these beneficiaries to assist them in effective use of funds allotted for personal assistance services. Many of the Medicaid beneficiaries who participate in the Cash and Counseling demonstration will be SSI beneficiaries or belong to coverage groups using eligibility methodologies related to those of the SSI program under title XIX of the Act. The Commissioner of Social Security wishes to test the appropriateness of current SSI rules which require counting cash received for the purchase of medical or social services as resources if retained for more than one month after the month of receipt. The test will also be used to assist the Secretary of HHS in testing the possibility of providing greater autonomy to the consumers of personal assistance services by empowering them to purchase the services they require (including medical and social services) to perform their activities of daily living. (ABSTRACT TRUNCATED)     

Location privacy: The challenges of mobile service devices

Adding to the current debate, this article focuses on the personal data and privacy challenges posed by private industry's use of smart mobile devices that provide location-based services to users and consumers. Directly relevant to personal data protection are valid concerns about the collection, retention, use and accessibility of this kind of personal data, in relation to which a key issue is whether valid consent is ever obtained from users. While it is indisputable that geo-location technologies serve important functions, their potential use for surveillance and invasion of privacy should not be overlooked. Thus, in this study we address the question of how a legal regime can ensure the proper functionality of geo-location technologies while preventing their misuse. In doing so, we examine whether information gathered from geo-location technologies is a form of personal data, how it is related to privacy and whether current legal protection mechanisms are adequate. We argue that geo-location data are indeed a type of personal data. Not only is this kind of data related to an identified or identifiable person, it can reveal also core biographical personal data. What is needed is the strengthening of the existing law that protects personal data (including location data), and a flexible legal response that can incorporate the ever-evolving and unknown advances in technology.     

Ready or not? A systematic review of case studies using data-driven approaches to detect real-world antitrust violations

Cartels and other anti-competitive behaviour by companies have a tremendously negative impact on the economy and, ultimately, on consumers. To detect such anti-competitive behaviour, competition authorities need reliable tools. Recently, new data-driven approaches have started to emerge in the area of computational antitrust that can complement already established tools, such as leniency programs. Our systematic review of case studies shows how data-driven approaches can be used to detect real-world antitrust violations. Relying on statistical analysis or machine learning, ever more sophisticated methods have been developed and applied to real-world scenarios to identify whether an antitrust infringement has taken place. Our review suggests that the approaches already applied in case studies have become more complex and more sophisticated over time, and may also be transferrable to further types of cases. While computational tools may not yet be ready to take over antitrust enforcement, they are ready to be employed more fully.