Smart meters and the information panopticon: beyond the rhetoric of compliance

The Smart Meter Implementation Programme is the Government's flagship energy policy. In its search for solutions to address privacy dilemmas raised by smart meters, the Government has been content with using data protection principles as a policy framework to regulate the processing of consumers' personal information. This is worrying since the question of who has access to what type of information and how it is used cannot simply be regarded as raising information security, authenticity and integrity issues. If we are to go beyond the rhetoric of protecting the privacy rights of energy consumers we must scrutinise the context in which legitimate interests and reasonable expectations of privacy subsist. To remedy this apparent policy oversight, the paper undertakes two tasks: first, to clarify the content and application of data protection and privacy rights to smart meters; and second, it outlines a policy framework that will address the lack of specificity on how best innovation and privacy issues can be better calibrated. More importantly, it calls for targeted substantive reforms, development of accessible privacy policies and information management practices that promote transparency and accountability and deployment of technological solutions that will help reduce emerging fault lines between innovation and privacy in this sphere of energy policymaking.     

Is “Big Data” creepy?

We now live in a world of Big Data, massive repositories of structured, unstructured or semi-structured data. This is seen as a valuable resource for organisations, given the potential to analyse and exploit that data to turn it into useful information. However, the cost and risk of continuing to hold that data can also make it a burden for many organisations.     

Personal data protection in employment: New legal challenges for Malaysia

The purpose of this article is to discuss and apply data protection principles in the context of employment. The Personal Data Protection Act (PDPA), passed by the Malaysian Parliament in 2010, has affected many aspects of life in Malaysia, including employment. Storage of data by employers is rampant. Management, as the data user, is duty bound to safeguard the employees' data according to the PDPA. Likewise, the employees, as data subjects, enjoy some rights under the PDPA. The author also examines issues of privacy law: whether such law exists in Malaysia and, if so, whether it can be reconciled with the PDPA's principles. The author adopts legal methodology anchored in exploratory analysis, with the legislative text as the main reference point.     

Regulating electronic identity in the European Union: An analysis of the Lisbon Treaty’s competences and legal basis for eID

This paper discusses the feasibility of EU legal action in the field of electronic identity (eID) within the new distribution of legal competences and the provision of novel legal basis engendered by the Treaty of Lisbon. The article attempts to find a ‘legal anchor’ to the idea of a pan-European electronic identity within EU law, looking at the issues of competences and legal basis. After examining various different areas of competence and the most feasible (and probable) candidates for a legal basis supporting an EU legal framework for eID, the paper argues that the latter should be found in the combination of Article 16 TFEU (concerning the right to the protection of personal data) with Article 3 TUE, and Articles 26 and 114 TFEU (concerning the establishment and functioning of the Internal Market), which also constitute the area of competence where an eID legal initiative can be pursued.     

An international legal framework for data protection: Issues and prospects

The processing of personal data across national borders by both governments and the private sector has increased exponentially in recent years, as has the need for legal protections for personal data. This article examines calls for a global legal framework for data protection, and in particular suggestions that have been made in this regard by the International Law Commission and various national data protection authorities. It first examines the scope of a potential legal framework, and proceeds to analyze the status of data protection in international law. The article then considers the various options through which an international framework could be enacted, before drawing some conclusions about the form and scope such a framework could take, the institutions that could coordinate the work on it, and whether the time is ripe for a multinational convention on data protection.     

Towards a new generation of CCTV networks: Erosion of data protection safeguards?

CCTV networks are progressively being replaced by more flexible and adaptable video surveillance systems based on internet protocol (IP) technologies. The use of wireless IP systems allows for the emergence of flexible networks and for their customization, while at the same time video analytics is easing the retrieval of the most relevant information. These technological advances, however, bring with them threats of a new kind for fundamental freedoms that cannot always be properly assessed by current legal safeguards. This paper analyses the ability of current data protection laws in providing an adequate answer to these new risks.     

Electronic health record: Wiring Europe’s healthcare

The European Commission wants to boost the digital economy by enabling all Europeans to have access to online medical records anywhere in Europe by 2020. With the newly enacted Directive 2011/24/EU on patients’ rights in cross-border healthcare due for implementation by 2013, it is inevitable that a centralised European health record system will become a reality even before 2020. However, the concept of a centralised supranational central server raises concern about storing electronic medical records in a central location. The privacy threat posed by a supranational network is a key concern. Cross-border and Interoperable electronic health record systems make confidential data more easily and rapidly accessible to a wider audience and increase the risk that personal data concerning health could be accidentally exposed or easily distributed to unauthorised parties by enabling greater access to a compilation of the personal data concerning health, from different sources, and throughout a lifetime.     

Looking for needles in a haystack: Key issues affecting children's rights in the General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) devotes particular attention to the protection of personal data of children. The rationale is that children are less aware of the risks and the potential consequences of the processing of their personal data on their rights. Yet, the text of the GDPR offers little clarity as to the actual implementation and impact of a number of provisions that may significantly affect children and their rights, leading to legal uncertainty for data controllers, parents and children. This uncertainty relates for instance to the age of consent for processing children's data in relation to information society services, the technical requirements regarding parental consent in that regard, the interpretation of the extent to which profiling of children is allowed and the level of transparency that is required vis-à-vis children. This article aims to identify a number of key issues and questions – both theoretical and practical – that raise concerns from a multi-dimensional children's rights perspective, and to clarify remaining ambiguities in the run-up to the actual application of the GDPR from 25 May 2018 onwards.     

India’s national ID system: Danger grows in a privacy vacuum

India is juggling demands and proposals for at least three national data surveillance projects of vast scope. This article focuses on the unique identification (UID) number, which it is proposed will be allocated to India’s 1.2 billion people, with 600 M UIDs to be allocated by 2015. Draft legislation to create the Authority which will administer the UID contains few protections for privacy or other liberties. They are needed because there is otherwise a privacy vacuum in Indian law. The Bill leaves most of the details of the demographic and biometric information which will be required to be included Regulations, and imposes no controls on which organisations can require UIDs, or what they can do with them. This article focuses on the planning documents for the UID, and the Bill, to argue that India may be building an identification system that puts peoples’ liberties at risk, and does so in a way which will be largely out of control of democratic or judicial restraints on such a powerful use of information technology.     

Effective approaches to regulate mobile advertising: Moving towards a coordinated legal,self-regulatory and technical response

This article aims to contribute to the ongoing discourse about the issue of privacy in the mobile advertising domain. The article discusses the fundamental principles and information practices used in digital environments for protecting individuals' private data. Major challenges are identified that should be addressed, so that fair information principles can be applied in the context of m-advertising. It also points out the limitations of these principles. Furthermore, the article discusses a range of models that is available for regulating the collection, use and disclosure of personal data, such as legislation, self-regulation and technical approaches. It is intended to promote an effective approach to improve consumer privacy in the mobile advertising domain.     

Mandatory implementation for in-vehicle eCall: Privacy compatible?

This article examines whether there are any objections to implementing a mandatory eCall system in the Community and how these could be dealt with. It starts with a short introduction to the motives why the European Commission considers a mandatory in-vehicle eCall. The art. 29 Working Party has issued a working document on eCall identifying several issues regarding personal data protection. The issues in this document will serve as a reference to determine whether there are any objections regarding data protection to implementing a mandatory eCall system. Additionally we will look at a possible eCall implementation in the Community.     

From porn to cybersecurity passing by copyright: How mass surveillance technologies are gaining legitimacy … The case of deep packet inspection technologies

Recent coverage in the press regarding large-scale passive pervasive network monitoring by various state and government agencies has increased interest in both the legal and technical issues surrounding such operations. The monitoring may take the form of which systems (and thus potentially which people) are communicating with which other systems, commonly referred to as the metadata for a communication, or it may go further and look into the content of the traffic being exchanged over the network. In particular the monitoring may rely upon the implementation of Deep Packet Inspection (DPI) technologies. These technologies are able to make anything that happens on a network visible and recordable. While in practice the sheer volume of traffic passing through a DPI system may make it impractical to record all network data, if the system systematically records certain types of traffic, or looks for specific patterns in all traffic, the privacy concerns are highly significant. The aim of this paper is twofold: first, to show that despite the increasing public awareness in relation to the capabilities of Internet service providers (ISPs), a cross-field and comparative examination shows that DPI technologies are in fact progressively gaining legal legitimacy; second to stress the need to rethink the relationship between data protection law and the right to private life, as enshrined in Article 8 of the European Convention on human rights and Article 7 of the European Charter of fundamental rights, in order to adequately confine DPI practices. As a result, it will also appear that the principle of technical neutrality underlying ISP's liability exemptions is misleading.