Similar literature
20 similar documents found; search took 46 milliseconds
1.
Proposals for the reform or ‘modernisation’ of Council of Europe Data Protection Convention 108 have now been forwarded from the Convention's Consultative Committee for consideration by the Council of Ministers. This article assesses the changes proposed, which strengthen the obligations of Parties to implement the Convention as a matter of effective practice, not just as a law on paper. It tightens most of the existing data protection principles, and adds new ones which better align the Convention with the EU Directive (and proposed Regulation). The Convention Committee will have explicit new functions including assessing candidates for accession, and periodically reviewing implementation by existing parties. However, the proposals concerning the required standard for data export limitations are in some respects ill-defined and dangerous for data subjects. The existing standard that personal data can only be exported if the recipient provides ‘adequate’ protection has been abandoned for an undefined requirement of ‘appropriate’ protection. The article situates the risk of abandoning meaningful data export restrictions in the context of the USA's push for ‘interoperability’ of very different data protection standards.

2.
The year 2010 set an important milestone in the development of data protection law in Europe: both Europe's basic regulatory texts, the EU Data Protection Directive and the Council's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), were placed in an amendment process, having served individual data protection for many years and witnessed in the meantime technological developments that threatened to make their provisions obsolete. After briefly presenting Convention 108, the analysis that follows will highlight the Council's data protection system currently in effect as well as developments relating to the Convention's amendment so far with the aim of identifying improvements and shortcomings. While doing this, two separate points of view shall be adopted: at first a micro point of view will attempt to identify improvements and shortcomings through an ‘insider’ perspective, that is, judging only the merits and difficulties of the draft text at hand. Afterwards a macroscopic view will be adopted, whereby strategic issues will be discussed pertaining to the important issue of the relationship of the suggested draft with the EU data protection system, as well as the same draft's potential to constitute the next global information privacy standard.

3.
This article argues that Australia's recently-passed data breach notification legislation, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), and its coming into force in 2018, makes an internationally important, yet imperfect, contribution to data breach notification law. Against the backdrop of data breach legislation in the United States and European Union, a comparative analysis is undertaken between these jurisdictions and the Australian scheme to elucidate this argument. Firstly, some context to data breach notification provisions is offered, which are designed to address some of the problems data breaches cause for data privacy and information security. There have been various prominent data breaches affecting Australians over the last few years, which have led to discussion of what can be done to deal with their negative effects. The international context of data breach notification legislation will be discussed, with a focus on the United States and European Union jurisdictions, which have already adopted similar laws. The background to the adoption of the Australian legislation will be examined, including the general context of data privacy and security protection in Australia. The reform itself will then be considered, along with the extent to which this law is fit for purpose and some outstanding concerns about its application. While data breach notification requirements are likely to be a positive step for data security, further reform is probably necessary to ensure strong cybersecurity. However, such reform should be cognisant of the international trends towards the adoption of data security measures including data breach notification, but lack of alignment in standards, which may be burdensome for entities operating in the transnational data economy.

4.
This article analyses government deployment of information security sensor systems from primarily a European human rights perspective. Sensor systems are designed to detect attacks against information networks by analysing network traffic and comparing this traffic to known attack-vectors, suspicious traffic profiles or content, while also recording attacks and providing information for the prevention of future attacks. The article examines how these sensor systems may be one way of ensuring the necessary protection of personal data stored in government IT-systems, helping governments fulfil positive obligations with regards to data protection under the European Convention on Human Rights (ECHR), the EU Charter of Fundamental Rights (The Charter), as well as data protection and IT-security requirements established in EU-secondary law. It concludes that the implementation of sensor systems illustrates the need to balance data protection against the negative privacy obligations of the state under the ECHR and the Charter and the accompanying need to ensure that surveillance of communications and associated metadata reach established principles of legality and proportionality. The article highlights the difficulty in balancing these positive and negative obligations, makes recommendations on the scope of such sensor systems and the legal safeguards surrounding them to ensure compliance with European human rights law and concludes that there is a risk of privatised policymaking in this field barring further guidance in EU-secondary law or case law.

5.
This article examines the complex relationship between consumer protection law and data protection law, particularly within the EU's online environment, and highlights the problems that stem from this complexity. It suggests that, while there are significant similarities between their respective sources, tools and purposes, there are also arguable differences between consumer protection law and data protection law. One such arguable difference is found in that, while consumer protection law can be seen to merely set a floor in its pursuit of a sufficiently high level of consumer protection, data protection law – due to its clearly articulated dual purposes of (a) protecting individuals with regard to the processing of personal data and (b) providing for the free movement of such data – sets both a floor and a ceiling. Having discussed the relationship between consumer protection law and data protection law in more detail, the argument is made that it seems possible to conclude that the balance struck in the Data Protection Directive, and soon in the General Data Protection Regulation, places limitations on consumer protection law. The implications of this conclusion are then examined briefly in the context of some matters currently coming before the CJEU and the contours of a framework are presented, addressing situations where a data protection-based liability claim is pursued against a third-party non-controller under consumer protection law.

6.
This article provides a critical analysis of the Council of Europe Cybercrime Convention Committee's Guidance Note of Production Orders, published on 1 March 2017. The article looks at the legal controversies surrounding production orders with a cross-border element. It explains the Guidance Note's background and origins, the basic provisions in the Cybercrime Convention allowing the law enforcement authorities to order and obtain certain information and discusses the requirements that follow from the relevant provisions of the Convention. This analysis is complemented by four critical remarks on the way the Guidance Note pushes the boundaries of acceptable treaty interpretation on the necessity of the Guidance Note, its position in regard to extraterritorial enforcement jurisdiction and sovereignty, its reticence towards fundamental rights and its refusal to define or clarify the important notion of “subscriber information”. The article argues that unilateralism is not a solution. Instead of soft law plumbing, what is needed is an agreement between sovereign states checked by their constituencies.

7.
This article considers various factors that will shape the potential effect of the Council of Europe's modernised Convention on data protection (Convention 108+) on non-European states’ regulatory policy. It does so by elucidating the logic and mechanics of this effect in light of the ‘Brussels Effect’ that is commonly attributed, in part, to EU data protection law. The central arguments advanced in the article are that the impact of Convention 108+ beyond Europe will rest primarily on the Council of Europe's ideational power tempered by processes of acculturation, and secondarily on the degree to which the EU is willing to use the ‘Brussels Effect’ as a vehicle for promoting non-European states’ accession to the Convention.

8.
Purpose: States have adopted a number of international instruments dedicated in full or in part to privacy and data protection, at multilateral or regional levels, in binding or non-binding form. This article discusses the potential and context of the emergence of a possible global standard on data protection focusing on the 1981 Council of Europe Convention for the Protection of Individuals with Regard to the Processing of Personal Data, as amended (Convention 108+). Aims: With due regard being paid to the dynamic technological and business environment that surrounds policy-making in the field of personal data protection, this article attempts to look at some strengths, weaknesses, opportunities and challenges of Convention 108+ in the competition for becoming a global standard. It seeks to identify possible future directions and priorities, taking into account the evolving nature of international relations in a more multipolar world where multilateralism is less obviously the preferred approach to international issues. Findings: Informed by an in-depth study of relevant international instruments relating to the right to privacy this article explores several strengths and opportunities that may be built on to promote a global role for Convention 108+, but also some weaknesses and threats. In sum, it concludes that the Convention is relatively well placed to ambition becoming a global standard.

9.
This article offers an interdisciplinary analysis of the General Data Protection Regulation (GDPR) in the context of electronic identification schemes. Gov.UK Verify, the UK Government's electronic identification scheme, and its compatibility with some important aspects of EU data protection law are reviewed. An in-depth examination of Gov.UK Verify's architecture and the most significant constituent elements of both the Data Protection Directive and the imminent GDPR – notably the legitimising grounds for the processing of personal data and the doctrine of joint controllership – highlights several flaws inherent in the Gov.UK Verify's development and mode of operation. This article advances the argument that Gov.UK Verify is incompatible with some major substantive provisions of the EU Data Protection Framework. It also provides some general insight as to how to interpret the requirement of a legitimate legal basis and the doctrine of joint controllership. It ultimately suggests that the choice of the appropriate legal basis should depend upon a holistic approach to the relationship between the actors involved in the processing activities.

10.
The popular social networking site, Facebook, recently launched a facial recognition tool to help users tag photographs they uploaded to Facebook. This generated significant controversy, arising as much as anything, from the company’s failure to adequately inform users of this new service and to explain how the technology works. The incident illustrates the sensitivity of facial recognition technology and the potential conflict with data privacy laws. However, facial recognition has been around for some time and is used by businesses and public organisations for a variety of purposes – primarily in relation to law enforcement, border control, photo editing and social networking. There are also indications that the technology could be used by commercial entities for marketing purposes in the future. This article considers the technology, its practical applications and the manner in which European data protection laws regulate its use. In particular, how much control should we have over our own image? What uses of this technology are, and are not, acceptable? Ultimately, does European data protection law provide an adequate framework for this technology? Is it a framework which protects the privacy of individuals without unduly constraining the development of innovative and beneficial applications and business models?

11.
Data protection and privacy gain social importance as technology and data flows play an ever greater role in shaping social structure. Despite this, understanding of public opinion on these issues is conspicuously lacking. This article is a meta-analysis of public opinion surveys on data protection and privacy focussed on EU citizens. The article firstly considers the understanding and awareness of the legal framework for protection as a solid manifestation of the complex concepts of data protection and privacy. This is followed by a consideration of perceptions of privacy and data protection in relation to other social goals, focussing on the most visible of these contexts–the debate surrounding privacy, data protection and security. The article then considers how citizens perceive the ‘real world’ environment in which data processing takes place, before finally considering the public's perception and evaluation of the operation of framework against environment.

12.
The 1981 Council of Europe Convention 108 and EU Directive 95/46/EC assert that data protection is privacy protection. Consequently, countries with data protection rules control trans-border data flows to protect the rights of their citizens. Under the Directive, but subject to some derogations, personal data may only be transferred to third countries with adequate protection. 'Adequacy' is to be assessed in the light of all the circumstances. Alternative safeguards can be provided by means such as contractual arrangements. The Data Protection Commissioners have tried to define 'adequacy' as the usual data protection principles plus an assurance of compliance. This can be delivered by self-regulation as well as formal law. The Directive has not made a radical break with the past. The usual principles are those found in Convention 108 and in the 1980 OECD Guidelines. Those instruments also dealt with the control of trans-border data flows because of fears of restrictions on the free flow of information. The flexibility of the effective current UK law, which permits flows whilst preventing those which would lead to a breach of data protection, would have prevented the acrimony of the current debate with third countries. National laws on transborder data flows long pre-date the Directive and data protection authorities can be expected to continue to promote pragmatic methods of protecting exported data such as the use of model contracts either as a basis for derogation from 'adequacy' or as part of a package to satisfy the adequacy test. Work is taking place to build bridges between those with formal law and others relying on self-regulation. In Ottawa last October OECD ministers reaffirmed the 1980 Guidelines and if practical privacy protection can be secured globally, transborder data-flow control is of much less concern.

13.
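In the era of the Internet and big data, data has become an important asset of enterprises, and enterprises' rights and interests in data should be reasonably protected. However, enterprise data should not be given absolute and exclusive property-right protection, because such protection runs contrary to the basic characteristics of data: data is neither excludable nor rivalrous. The protection of enterprise data rights and interests should aim at promoting data sharing, and reasonable protection of enterprise data should be conducive to promoting data sharing. Enterprise data should be protected according to type and context. For non-public enterprise data, trade secret protection should be provided; for semi-public database data, protection similar to the EU's sui generis database right should be provided; for public online platform data, competition law protection should be adopted to prevent malicious free-riding. The law should also provide a special type of protection for data that enterprises proactively make public, allowing enterprises to set whitelists and blacklists. In addition, the law should coordinate the protection of personal data and enterprise data, achieving a win-win between individuals' privacy expectations regarding their data and enterprises' data rights and interests, on the premise that personal data is protected first.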

14.
In the Internet of Things (IoT), identification and access control technologies provide essential infrastructure to link data between a user's devices with unique identities, and provide seamless and linked up services. At the same time, profiling methods based on linked records can reveal unexpected details about users' identity and private life, which can conflict with privacy rights and lead to economic, social, and other forms of discriminatory treatment. A balance must be struck between identification and access control required for the IoT to function and user rights to privacy and identity. Striking this balance is not an easy task because of weaknesses in cybersecurity and anonymisation techniques. The EU General Data Protection Regulation (GDPR), set to come into force in May 2018, may provide essential guidance to achieve a fair balance between the interests of IoT providers and users. Through a review of academic and policy literature, this paper maps the inherent tension between privacy and identifiability in the IoT. It focuses on four challenges: (1) profiling, inference, and discrimination; (2) control and context-sensitive sharing of identity; (3) consent and uncertainty; and (4) honesty, trust, and transparency. The paper will then examine the extent to which several standards defined in the GDPR will provide meaningful protection for privacy and control over identity for users of IoT. The paper concludes that in order to minimise the privacy impact of the conflicts between data protection principles and identification in the IoT, GDPR standards urgently require further specification and implementation into the design and deployment of IoT technologies.

15.
Recently, more law enforcement agencies have chosen to use psychological testing as an important component of their preemployment screening programs. Important legal and ethical issues have been raised by the increased use of psychological testing for this purpose. These issues include the applicant's right to privacy, the validity of the psychological instrument(s) used, the definition of what constitutes an “unsuitable” candidate, and the existence of racial and/or sexual bias. This article presents ten suggestions that address some of these issues and that may aid law enforcement agencies in adopting the spirit of the Uniform Guidelines on Employee Selection Procedures and other psychological-testing standards.

16.
Automated profiling of groups and individuals is a common practice in our information society. The increasing possibilities of data mining significantly enhance the abilities to carry out such profiling. Depending on its application, profiling and data mining may cause particular risks such as discrimination, de-individualisation and information asymmetries. In this article we provide an overview of the risks associated with data mining and the strategies that have been proposed over the years to mitigate these risks. From there we shall examine whether current safeguards that are mainly based on privacy and data protection law (such as data minimisation and data exclusion) are sufficient. Based on these findings we shall suggest alternative policy options and regulatory instruments for dealing with the risks of data mining, integrating ideas from the field of computer science and that of law and ethics.

17.
The Council of Europe is engaging in a process of revising its Data Protection Convention (Convention 108) to meet and overcome these challenges. The Council of Europe celebrates this year the 30th Anniversary of its Data Protection Convention (usually referred to as Convention 108) which has served as the backbone of international law in over 40 European countries and has influenced policy and legislation far beyond Europe’s shores. With new data protection challenges arising every day, the Convention is revising its Data Protection Convention. Computer Law and Security Review (CLSR) together with the Intl. Association of IT Lawyers (IAITL) and ILAWS have submitted comments in response to the Expert Committee’s public consultation on this document. CLSR aims to position itself at the forefront of policy discussion drawing upon the high quality scholarly contributions from leading experts around the world.

18.
The use of online consumer tracking methods has raised significant privacy concerns for consumers and policymakers for decades. Advertisers using these methods analyze web-viewing habits to predict consumer preferences and actions. The advertising industry in the United States has promoted self-regulatory principles to respond to these concerns. However, in December 2010, the U.S. Federal Trade Commission reported that these efforts “have been too slow and up to now have failed to provide adequate and meaningful protection.” President Barack Obama's administration has supported broader legislation for comprehensive protection of individuals' private data. The leading model for data privacy protection is the 1980 Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. This article examines two leading legislative privacy proposals in the context of the OECD principles. This examination concludes that, although the proposals do not provide sufficient comprehensive privacy protections, they do fill significant gaps in current U.S. privacy laws.

19.
The EU General Data Protection Regulation (GDPR) devotes particular attention to the protection of personal data of children. The rationale is that children are less aware of the risks and the potential consequences of the processing of their personal data on their rights. Yet, the text of the GDPR offers little clarity as to the actual implementation and impact of a number of provisions that may significantly affect children and their rights, leading to legal uncertainty for data controllers, parents and children. This uncertainty relates for instance to the age of consent for processing children's data in relation to information society services, the technical requirements regarding parental consent in that regard, the interpretation of the extent to which profiling of children is allowed and the level of transparency that is required vis-à-vis children. This article aims to identify a number of key issues and questions – both theoretical and practical – that raise concerns from a multi-dimensional children's rights perspective, and to clarify remaining ambiguities in the run-up to the actual application of the GDPR from 25 May 2018 onwards.

20.
Mobile customers are being tracked and profiled by behavioural advertisers to be able to send them personalized advertising. This process involves data mining consumer databases containing personally-identifying or anonymous data and it raises a host of important privacy concerns. This article, the first in a two part series on consumer information privacy issues on Profiling the Mobile Customer, addresses the questions: “What is profiling in the context of behavioural advertising?” and “How will consumer profiling impact the privacy of mobile customers?” The article examines the EU and U.S. regulatory frameworks for protecting privacy and personal data in regards to profiling by behavioural advertisers that targets mobile customers. It identifies potential harms to privacy and personal data related to profiling for behavioural advertising. It evaluates the extent to which the existing regulatory frameworks in the EU and the U.S. provide an adequate level of privacy protection and identifies key privacy gaps that the behavioural advertising industry and regulators will need to address to adequately protect mobile consumers from profiling by marketers. The upcoming second article in this series will discuss whether industry self-regulation or privacy-enhancing technologies will be adequate to address these privacy gaps and makes suggestions for principles to guide this process.
