Revoking consent: A ‘blind spot’ in data protection law?

The flow of personal data throughout the public and private sectors is central to the functioning of modern society. The processing of these data is, however, increasingly being viewed as a major concern, particularly in light of many recent high profile data losses. It is generally assumed that individuals have a right to withdraw, or revoke, their consent to the processing of their personal data by others; however this may not be straightforward in practice, or addressed adequately by the law. Examination of the creation of data protection legislation in Europe and the UK, and its relationship with human rights law, suggests that such a general right to withdraw consent was assumed to be inbuilt, despite the lack of express provisions in both the European Data Protection Directive and UK Data Protection Act. In this article we highlight potential shortcomings in the provisions that most closely relate to this right in the UK Act. These raise questions as to the extent of meaningful rights of revocation, and thus rights of informational privacy, afforded to individuals in a democratic society.     

Privacy regulations on biometrics in Australia

This paper aims to provide an analysis of the current regulatory environment, at the federal level, of privacy protection concerning biometrics in Australia. The study only focuses on the federal Privacy Act 1988 (Cth) and the Biometrics Institute Privacy Code. The discussion is based on the legal concerns of the use of biometrics, and an analysis is made concerning the implications of privacy protection sources.     

“In the public interest”: The privacy implications of international business-to-business sharing of cyber-threat intelligence

This article reports on preliminary findings and recommendations of a cross-discipline project to accelerate international business-to-business automated sharing of cyber-threat intelligence, particularly IP addresses. The article outlines the project and its objectives and the importance of determining whether IP addresses can be lawfully shared as cyber threat intelligence.The goal of the project is to enhance cyber-threat intelligence sharing throughout the cyber ecosystem. The findings and recommendations from this project enable businesses to navigate the international legal environment and develop their policy and procedures to enable timely, effective and legal sharing of cyber-threat information. The project is the first of its kind in the world. It is unique in both focus and scope. Unlike the cyber-threat information sharing reviews and initiatives being developed at country and regional levels, the focus of this project and this article is on business-to-business sharing. The scope of this project in terms of the 34 jurisdictions reviewed as to their data protection requirements is more comprehensive than any similar study to date.This article focuses on the sharing of IP addresses as cyber threat intelligence in the context of the new European Union (EU) data protection initiatives agreed in December 2015 and formally adopted by the European Council and Parliament in April 2016. The new EU General Data Protection Regulation (GDPR) applies to EU member countries, a major focus of the international cyber threat sharing project. The research also reveals that EU data protection requirements, particularly the currently applicable law of the Data Protection Directive 95/46/EC (1995 Directive) (the rules of which the GDPR will replace in practice in 2018), generally form the basis of current data protection requirements in countries outside Europe. It is expected that this influence will continue and that the GDPR will shape the development of data protection internationally.In this article, the authors examine whether static and dynamic IP addresses are “personal data” as defined in the GDPR and its predecessor the 1995 Directive that is currently the model for data protection in many jurisdictions outside Europe. The authors then consider whether sharing of that data by a business without the consent of the data subject, can be justified in the public interest so as to override individual rights under Articles 7 and 8(1) of the Charter of Fundamental Rights of the European Union, which underpin EU data protection. The analysis shows that the sharing of cyber threat intelligence is in the public interest so as to override the rights of a data subject, as long as it is carried out in ways that are strictly necessary in order to achieve security objectives. The article concludes by summarizing the project findings to date, and how they inform international sharing of cyber-threat intelligence within the private sector.     

论网络环境下个人资料隐私权的法律保护

随着互联网络的发展,隐私权的保护问题越来越突出,其重点是个人资料隐私权的保护。个人资料隐私权则是指自然人对本人的个人资料加以控制和支配,不受他人非法侵犯、知悉、收集、利用和公开的权利。网络环境下侵犯个人资料隐私权主要有:非法收集个人资料;非法公开个人资料;不当使用个人资料;不当处理个人资料等形式。世界各国对个人资料隐私权保护主要采取技术方式、自律方式、他律方式以及"安全港"方式。我国应尽快制定相应的个人资料保护法。     

Russian data retention requirements: Obligation to store the content of communications

This paper presents an analysis of Russian data retention regulations. The most controversial point of the Russian data retention requirements is an obligation to keep the content of communications that is untypical for legislation of European and other countries. These regulations that oblige telecom operators and Internet communication services to store the content of communications should come into force on July 1, 2018.The article describes in detail the main components of the data retention mechanism: the triggers for its application, its scope, exemptions and barriers to its enforcement. Attention is paid to specific principles for implementation of content retention requirements based on the concepts of proportionality, reasonableness and effectiveness.Particular consideration is given to the comparative aspects of the Russian data retention legislation and those applying in different countries (mainly EU member states). The article focuses on the differences between the Russian and EU approaches to the question of how to strike a balance between public security interests and privacy. While the EU model of data retention is developing in the context of profound disputes on human rights protection, the Russian model is mostly concentrated on security interests and addresses mainly economic, technological aspects of its implementation.The paper stresses that a range of factors (legal, economic and technological) needs to be taken into account for developing an optimal data retention system. Human rights guarantees play the key role in legitimization of such intrusive measures as data retention. Great attention should be paid to the procedures, precise definitions, specification of entitled authorities and the grounds for access to data, providing legal immunities and privileges, etc. Only this extensive range of legal guarantees can balance intervention effect of state surveillance and justify data retention practices.     

Pricing privacy – the right to know the value of your personal data

The commodification of digital identities is an emerging reality in the data-driven economy. Personal data of individuals represent monetary value in the data-driven economy and are often considered a counter performance for “free” digital services or for discounts for online products and services. Furthermore, customer data and profiling algorithms are already considered a business asset and protected through trade secrets. At the same time, individuals do not seem to be fully aware of the monetary value of their personal data and tend to underestimate their economic power within the data-driven economy and to passively succumb to the propertization of their digital identity. An effort that can increase awareness of consumers/users on their own personal information could be making them aware of the monetary value of their personal data. In other words, if individuals are shown the “price” of their personal data, they can acquire higher awareness about their power in the digital market and thus be effectively empowered for the protection of their information privacy. This paper analyzes whether consumers/users should have a right to know the value of their personal data. After analyzing how EU legislation is already developing in the direction of propertization and monetization of personal data, different models for quantifying the value of personal data are investigated. These models are discussed, not to determine the actual prices of personal data, but to show that the monetary value of personal data can be quantified, a conditio-sine-qua-non for the right to know the value of your personal data. Next, active choice models, in which users are offered the option to pay for online services, either with their personal data or with money, are discussed. It is concluded, however, that these models are incompatible with EU data protection law. Finally, practical, moral and cognitive problems of pricing privacy are discussed as an introduction to further research. We conclude that such research is needed to see to which extent these problems can be solved or mitigated. Only then, it can be determined whether the benefits of introducing a right to know the value of your personal data outweigh the problems and hurdles related to it.     

Data integration in IoT ecosystem: Information linkage as a privacy threat

Internet of things (IoT) is changing the way data is collected and processed. The scale and variety of devices, communication networks, and protocols involved in data collection present critical challenges for data processing and analyses. Newer and more sophisticated methods for data integration and aggregation are required to enhance the value of real-time and historical IoT data. Moreover, the pervasive nature of IoT data presents a number of privacy threats because of intermediate data processing steps, including data acquisition, data aggregation, fusion and integration. User profiling and record linkage are well studied topics in online social networks (OSNs); however, these have become more critical in IoT applications where different systems share and integrate data and information. The proposed study aims to discuss the privacy threat of information linkage, technical and legal approaches to address it in a heterogeneous IoT ecosystem. The paper illustrates and explains information linkage during the process of data integration in a smart neighbourhood scenario. Through this work, the authors aim to enable a technical and legal framework to ensure stakeholders awareness and protection of subjects about privacy breaches due to information linkage.     

Digital identity – From emergent legal concept to new reality

Over the past decade, digital identity has gone from a largely unrecognized emergent legal concept to something that is now well known, but still not fully understood. Most individuals now know that they have a digital identity but its legal nature, its transactional functions, and its implications now and for the future, are not generally well understood.This article tracks the emergence of digital identity from the time it was recognized as a new legal and commercial concept to the present time; and outlines its impact and significance for individuals, governments, the private sector and even what is means to be a nation and a citizen in the digital era. The author recounts her experience in recognizing the implications of digital identity in 2006 to its current importance and the implications of future evolutions including an international digital identity, the groundwork for which is being laid now.