Pricing privacy – the right to know the value of your personal data

The commodification of digital identities is an emerging reality in the data-driven economy. Personal data of individuals represent monetary value in the data-driven economy and are often considered a counter performance for “free” digital services or for discounts for online products and services. Furthermore, customer data and profiling algorithms are already considered a business asset and protected through trade secrets. At the same time, individuals do not seem to be fully aware of the monetary value of their personal data and tend to underestimate their economic power within the data-driven economy and to passively succumb to the propertization of their digital identity. An effort that can increase awareness of consumers/users on their own personal information could be making them aware of the monetary value of their personal data. In other words, if individuals are shown the “price” of their personal data, they can acquire higher awareness about their power in the digital market and thus be effectively empowered for the protection of their information privacy. This paper analyzes whether consumers/users should have a right to know the value of their personal data. After analyzing how EU legislation is already developing in the direction of propertization and monetization of personal data, different models for quantifying the value of personal data are investigated. These models are discussed, not to determine the actual prices of personal data, but to show that the monetary value of personal data can be quantified, a conditio-sine-qua-non for the right to know the value of your personal data. Next, active choice models, in which users are offered the option to pay for online services, either with their personal data or with money, are discussed. It is concluded, however, that these models are incompatible with EU data protection law. Finally, practical, moral and cognitive problems of pricing privacy are discussed as an introduction to further research. We conclude that such research is needed to see to which extent these problems can be solved or mitigated. Only then, it can be determined whether the benefits of introducing a right to know the value of your personal data outweigh the problems and hurdles related to it.     

The principle of security safeguards: Unauthorized activities

The principle of information security safeguards is a key information privacy principle contained in every privacy legislation measure, framework, and guideline. This principle requires data controllers to use an adequate level of safeguards before processing personal information. However, privacy literature neither explains what this adequate level is nor how to achieve it. Hence, a knowledge gap has been created between privacy advocates and data controllers who are responsible for providing adequate protection. This paper takes a step toward bridging this knowledge gap by presenting an analysis of how Data Protection and Privacy Commissioners have evaluated the adequacy level of security protection measures given to personal information in selected privacy invasive cases. This study addresses both security measures used to protect personal information against unauthorized activities and the use of personal information in authentication mechanisms. This analysis also lays a foundation for building a set of guidelines that can be used by data controllers for designing, implementing, and operating both technological and organizational measures used to protect personal information.     

Dissolving privacy,one merger at a time: Competition,data and third party tracking

Amid growing concern about the use and abuse of personal data over the last decade, there is an emerging suggestion that regulators may need to turn their attention towards the concentrations of power deriving from large-scale data accumulation. No longer the preserve of data protection or privacy law, personal data is receiving attention within competition and antitrust law. Recent mergers and acquisitions between large digital technology platforms have raised important questions about how these different areas intersect and how they can complement one another in order to protect consumer welfare while ensuring competitive markets.This paper draws attention to one particularly complicated kind of digital data-intensive industry: that of third party tracking, in which a firm does not (only or primarily) collect and process personal data of its own customers or users, but rather data from the users of other ‘first party’ services. Mergers and acquisitions between firms active in the third party tracking industry raise unique challenges for privacy and fundamental rights which are often missed in regulatory decisions and academic discussions of data and market concentration. In this paper, we combine empirical and normative insights to shed light on the role of competition regulators in addressing the specific challenges of mergers and acquisitions in the third party tracking industry. After critically assessing some of the US and EU case law in this area, we argue that a bolder approach is needed; one that engages in a pluralist analysis of economic and noneconomic concerns about concentrations of power and control over data.     

Profiling the mobile customer – Is industry self-regulation adequate to protect consumer privacy when behavioural advertisers target mobile phones? – Part II

Mobile customers are increasingly being tracked and profiled by behavioural advertisers to enhance delivery of personalized advertising. This type of profiling relies on automated processes that mine databases containing personally-identifying or anonymous consumer data, and it raises a host of significant concerns about privacy and data protection. This second article in a two part series on “Profiling the Mobile Customer” explores how to best protect consumers’ privacy and personal data through available mechanisms that include industry self-regulation, privacy-enhancing technologies and legislative reform.¹ It discusses how well privacy and personal data concerns related to consumer profiling are addressed by two leading industry self-regulatory codes from the UK and the U.S. that aim to establish fair information practices for behavioural advertising by their member companies. It also discusses the current limitations of using technology to protect consumers from privacy abuses related to profiling. Concluding that industry self-regulation and available privacy-enhancing technologies will not be adequate to close important privacy gaps related to consumer profiling without legislative reform, it offers suggestions for EU and U.S. regulators about how to do this.²     

Automated consent through privacy agents: Legal requirements and technical architecture

The changes imposed by new information technologies, especially pervasive computing and the Internet, require a deep reflection on the fundamental values underlying privacy and the best way to achieve their protection. The explicit consent of the data subject, which is a cornerstone of most data protection regulations, is a typical example of requirement which is very difficult to put into practice in the new world of “pervasive computing” where many data communications necessarily occur without the users' notice. In this paper, we argue that an architecture based on “Privacy Agents” can make privacy rights protection more effective, provided however that this architecture meets a number of legal requirements to ensure the validity of consent delivered through such Privacy Agents. We first present a legal analysis of consent considering successively (1) its nature; (2) its essential features (qualities and defects) and (3) its formal requirements. Then we draw the lessons of this legal analysis for the design of a valid architecture based on Privacy Agents. To conclude, we suggest an implementation of this architecture proposed in a multidisciplinary project involving lawyers and computer scientists.     

公共空间运用大规模监控的法理逻辑及限度——基于个人信息有序共享之视角

为应对现代化进程中的社会风险,安抚公众对风险的恐慌情绪,公共空间大规模监控随之诞生,并迅速在现实社会和网络空间中全面运用。公共治理不能取安全保障而舍隐私保护,公共空间大规模监控的运用并非以牺牲隐私权为代价,而是在保障安全法益的同时兼顾隐私法益的保护。在此"既保障安全,又保护隐私"的法理念下,公共空间大规模监控的运用体现了风险治理从个人本位走向社会本位的转变趋势,并促进了个人信息保护从自主支配到有序共享的逻辑转换。为寻求安全保障与隐私保护之间的平衡路径,在公共空间合理运用大规模监控措施,就必须加强信息收集、存储、使用的阶段性控制,建立个人信息合理使用制度,实现个人信息的有序共享。     

民法典框架下个人数据财产法益的体系构建

从欧盟个人数据保护相关立法的变迁可以发现,个人数据从隐私权保护的传统模式开始出现向财产权保护模式过渡的迹象。这并不意味着数据产业界的新机会,而是调节数据主体与数据控制者之间日益失衡关系的新尝试。财产权保护模式有着隐私权保护模式无可比拟的优势,却也存在权利定性和范围界定上的困难。与非个人数据更为鲜明的财产属性不同,个人数据上的民事权益应该构建为一个以数据主体的财产利益为基础、以数据控制者对个人数据的占有利益为核心的财产法益体系。数据控制者及其义务作为个人数据财产法益体系的中心,才能在保护数据主体和发挥数据效用之间保持平衡。     

网络空间个人信息的保护问题研究——兼论电子商务营销过程中消费者的隐私权保护

电子商务的兴起改变了传统的营销、交易方式。丰富的网络信息和个人数据使得服务商可以根据每个人的喜爱和偏好为消费者提供更具针对性的服务,从而极大方便了消费者对商品的选购。可以说,成功的电子商务营销离不开对个人数据资料的收集和处理。但是,这种个性化的营销也存在着个人数据资料被滥用的潜在危险。因此,如何在电子商务营销过程中加强对消费者隐私权的保护就成为当前亟待解决的问题。     

The USPS as an OSP: A Remedy for Users’ Online Privacy Concerns

New digital technologies, and a legal system that has failed to keep pace, are allowing government and the private sector to engage in unparalleled unauthorized surveillance of online personal data contained in emails and in the aggregation of users’ online searches. This article argues that the U.S. Postal Service — compelled to protect communications privacy by its enabling statute, the Fourth Amendment, and other federal laws — should provide email and browser-search engine services to shield users from unauthorized online behavioral marketing and tracking by the private sector and metadata collection by government, and, just as important, give users legal remedies against such abuses. To that end, this article provides a legal analysis and rationale to support the USPS's authority to offer such nontraditional postal services.     

From ugly duckling to Swan. The rise of data protection and its limits

This article considers the development of data protection laws from a position on the periphery of legal consciousness to the situation where it is the subject of intensive legal and media publicity. Focusing on the recent controversies surrounding the use of Facebook apps for political purposes, the article will consider the role and limitations of data and privacy protection laws. The question will be posed – if not answered – whether national or regional laws can be effective in what increasingly is a global information society.     

What the publisher can teach the patient: intellectual property and privacy in an era of trusted privication

This article begins with a premise that intellectual property and privacy have something significant and yet understated in common: both are about balancing a creator's desire to control a particular set of data with consumers' desires to access and redistribute that data. Both law and technology influence such balancing, making it more or less palatable to use data for particular purposes--whether one is an individual making a copy of a popular song for a friend, or a hospital selling a list of maternity ward patients to a day care service. In the shadow of the Internet's rapid development and concomitant easing of barriers to data sharing, holders of intellectual property are pairing increased legal protection with the technologies of "trusted systems." I describe how these technologies might allow more thorough mass distribution of data, while allowing publishers to retain unprecedented control over their wares. For instance, an e-Book seller might charge one price for a read-only copy that could not be printed or forwarded and charge an additional fee for each copy or printout made. Taking up the case of medical privacy, I then suggest that those who worry about the confidentiality of medical records, particularly as they are digitized by recent congressional mandate, might seek to augment comparatively paltry legal protections with trusted systems technologies. For instance, a trusted system could allow a patient to specify how and by whom her records could be used; within limits, she could allow full access to her primary care physician, while allowing only time-limited access to emergency care providers, non-personally identifiable access to medical researchers, and no access at all for marketing purposes. These technologies could allow for new kinds of privacy protection, without sacrificing the legitimate interests of the consumers of medical records.     

Governing ghostbots

This article discusses the legal implications of a novel phenomenon, namely, digital reincarnations of deceased persons, sometimes known as post-mortem avatars, deepfakes, replicas, holographs, or chatbots. To elide these multiple names, we use the term 'ghostbots'. The piece is an early attempt to discuss the potential social and individual harms, roughly grouped around notions of privacy (including post-mortem privacy), property, personal data and reputation, arising from ghostbots, how they are regulated and whether they need to be adequately regulated further. For reasons of space and focus, the article does not deal with copyright implications, fraud, consumer protection, tort, product liability, and pornography laws, including the non-consensual use of intimate images (‘revenge porn’). This paper focuses on law, although we fully acknowledge and refer to the role of philosophy and ethics in this domain.We canvas two interesting legal developments with implications for ghostbots, namely, the proposed EU Artificial Intelligence (AI) Act and the 2021 New York law amending publicity rights to protect the rights of celebrities whose personality is used in post-mortem ‘replicas’. The latter especially evidences a remarkable shift from the norm we have chronicled in previous articles of no respect for post-mortem privacy to a growing recognition that personality rights do need protection post-mortem in a world where pop stars and actors are routinely re-created using AI. While the legislative motivation here may still be primarily to protect economic interests, we argue it also shows a concern for dignitary and privacy interests.Given the apparent concern for the appropriation of personality post-mortem, possibly in defiance or ignorance of what the deceased would have wished, we propose an early solution to regulate the rise of ghostbots, namely an enforceable ‘do not bot me’ clause in analogue or digital wills.     

The right to data portability in the GDPR: Towards user-centric interoperability of digital services

The right to data portability is one of the most important novelties within the EU General Data Protection Regulation, both in terms of warranting control rights to data subjects and in terms of being found at the intersection between data protection and other fields of law (competition law, intellectual property, consumer protection, etc.). It constitutes, thus, a valuable case of development and diffusion of effective user-centric privacy enhancing technologies and a first tool to allow individuals to enjoy the immaterial wealth of their personal data in the data economy. Indeed, a free portability of personal data from one controller to another can be a strong tool for data subjects in order to foster competition of digital services and interoperability of platforms and in order to enhance controllership of individuals on their own data. However, the adopted formulation of the right to data portability in the GDPR could benefit from further clarification: several interpretations are possible, particularly with regard to the object of the right and its interrelation with other rights, potentially leading to additional challenges within its technical implementation. The aim of this article is to propose a first systematic interpretation of this new right, by suggesting a pragmatic and extensive approach, particularly taking advantage as much as possible of the interrelationship that this new legal provision can have with regard to the Digital Single Market and the fundamental rights of digital users. In sum, the right to data portability can be approximated under two different perspectives: the minimalist approach (the adieu scenario) and the empowering approach (the fusing scenario), which the authors consider highly preferable.     

Profiling the mobile customer – Privacy concerns when behavioural advertisers target mobile phones – Part I

Mobile customers are being tracked and profiled by behavioural advertisers to be able to send them personalized advertising. This process involves data mining consumer databases containing personally-identifying or anonymous data and it raises a host of important privacy concerns. This article, the first in a two part series on consumer information privacy issues on Profiling the Mobile Customer, addresses the questions: “What is profiling in the context of behavioural advertising?” and “How will consumer profiling impact the privacy of mobile customers?” The article examines the EU and U.S. regulatory frameworks for protecting privacy and personal data in regards to profiling by behavioural advertisers that targets mobile customers. It identifies potential harms to privacy and personal data related to profiling for behavioural advertising. It evaluates the extent to which the existing regulatory frameworks in the EU and the U.S. provide an adequate level of privacy protection and identifies key privacy gaps that the behavioural advertising industry and regulators will need to address to adequately protect mobile consumers from profiling by marketers. The upcoming second article in this series will discuss whether industry self-regulation or privacy-enhancing technologies will be adequate to address these privacy gaps and makes suggestions for principles to guide this process.¹     

CLOUD act agreements from an EU perspective

For many years, transatlantic cooperation between the EU and the US in the area of personal data exchange has been a subject of special interest on the part of lawmakers, courts – including supranational ones – NGOs and the public. When implementing recent reform of data protection law, the European Union decided to further strengthen guarantees of the protection of privacy in cyberspace. At the same time, however, it faced the practical problem of how to ensure compliance with these principles in relation to third countries. The approach proposed in the GDPR, which is based on a newly-defined territorial scope of application, clearly indicates an attempt to apply EU rules extraterritorially in relation to data processors in third countries.Irrespective of EU activity, the United States has also introduced its own regulations addressing the same problem. An example is the federal law adopted in 2018, specifying how to execute national court orders for the transfer of electronic data. The CLOUD Act was established in response to legal doubts raised in the Microsoft v United States case regarding the transfer of electronic data stored in the cloud by US obliged entities to law enforcement authorities, as well as in cases where this data is physically located in another country and its transfer could result in violating the legal norms of a foreign jurisdiction. The CLOUD Act also facilitates bilateral international agreements that enable the cross-border transfer of e-evidence for the purposes of ongoing criminal proceedings. Both the content of the new regulations and the model proposed by the US legislature for future agreements concluded on the basis of the CLOUD Act can be seen as an alternative to regulations arising from EU law.The purpose of this paper is to analyse the CLOUD Act and CLOUD Act Agreements from the perspective of EU law and, in particular, attempt to answer the question as to whether this new legal mechanism brings the EU and the USA closer to finding common ground with regard to a coherent model of exchange and protection of personal data.     

数据法定继承规则的情境化构建

设置合理的数据法定继承规则至关重要。数据的可继承性不应受到财产性悖论、人格权益论、个人信息保护规则与通信秘密规则的阻碍,但被继承人以遗嘱或在用户协议的菜单式选项中予以排除可能导致数据不可继承。面对弱化的家庭和个性化法律的展望,现行法定继承人范围和顺位规则受到挑战,建议以情感属性较强的数据为“试点”,将“与该数据具备最密切情感联系之人”纳入法定继承人的范围。在数据遗产继承的具体方式上,采取继承人数据使用权限的视角更具实益。可以根据数据的身份重要程度、公开程度、是否涉及第三方隐私等属性,通过调整用户组策略下的数据使用权限设置情境化的数据法定继承规则。     

The legal construction of personal information protection and privacy under the Chinese Civil Code

Personal information protection and privacy interact in diverse ways, especially in the contemporary information age. Although books and articles have focused on this topic, the new tendencies of worldwide legislation and judicial practice bring challenges, as the legal construction of personal information protection and privacy differs from culture to culture and time to time. In 2017, the General Provisions of the Civil Law of the People's Republic of China (“the General Provisions of the Chinese Civil Code” hereafter)¹ (expired) addresses the legal concepts of personal information protection and the right to privacy simultaneously, to which this article refers as the dual model, differing from the one-dimensional mode of privacy protection before. Subsequently, the “The Right to Privacy and the Protection of Personal Information,” a chapter of the newly issued Civil Code of the People's Republic of China's (“the Chinese Civil Code” hereafter), ascertains the dual model and details related provisions. It has been dubbed a landmark ruling of China's personal information protection, greatly boosting the modernization of China's civil system.Despite the many articles that discuss approaches to China's civil protections, little attention has been given to the fundamental question concerning what exactly encompasses the personal information protection and privacy to which these laws refer. Based on the regulations and applicability of the General Provisions of the Chinese Civil Code and the Chinese Civil Code, this paper explores the legal construction of personal information protection and privacy under Chinese legal orders, including the differences, similarities, and interplay between the two rights. By distinguishing the legal value, contents and remedial approaches, this paper concludes that the two rights are distinct but overlap. On one side, personal information protection is elevated to the status of a separate civil right in the legal context of China, rather than part of privacy. On the other side, tailored regulations should be establish according to the criteria of the nature of information, the extent of information processing, and the elements of damage when confronted with overlaps in the two rights in judicial practice. Thus, this paper provides a perspective from which to clarify the approaches to civil protection of personal information and privacy in China and a reference model for enactment of the Chinese Personal Information Protection Law in the future.     

Disclosure,Exposure and the ʻRight to be Forgottenʼ after Google Spain: Interrogating Google Search's webmaster,end user and Lumen notification practices

This article argues that Google's essentially blanket and unsafeguarded dissemination to webmasters of URLs delisted under the Google Spain judgment disclosures claimants’ personal data, cannot be justified either on the purported basis of their consent or a legal requirement but instead seriously infringes European data protection standards. Such disclosure would only be compatible with the initially contextually sensitive context of collection where it was (i) reasonably necessary and explicitly limited to the purposes of checking the legality of the initial decision and/or bona fide research and (ii) prevented unauthorised repurposing or other misuse through robust safeguards. Strict necessity thresholds would need to apply where disclosure involved special categories of data or was subject to reasoned objection by a data subject and international transfers would require further controls, ideally as provided by the European Commission's standard contractual clauses. Disclosing identifiable data on removals to end users would directly and fundamentally undermine a data subject's rights and, therefore, ipso facto violate purpose limitation and legality, irrespective of whether rights are claimed in data protection, defamation or civil privacy. The public's legitimate interests in receiving information on personal data removals are best secured through safeguarded scientific research, which search engines should facilitate.     

Property rights in personal data: Learning from the American discourse

This contribution is an attempt to facilitate a meaningful European discussion on propertization of personal data by explaining the idea as it emerged in its ‘mother-jurisdiction’, the United States. The piece starts with an overview of how the current US legal system addresses the data protection problem and whether, according to the US commentators, the law does it effectively. Furthermore, the contribution presents propertization of personal information as an alternative to the existing data protection regime and one of the ways to fill in the alleged gaps in the US data protection system. The article maps the US propertization debate. Pro-propertization arguments are considered from economic perspective as well as from the perspective of the limitations of the US legal and political system. In continuation it analyses proposals on how property rights in personal data would have to be regulated, if at all, in case the idea of propertization is accepted. The main points of criticism of propertization are also sketched. The article concludes with a brief summary of the US propertization discourse and, most importantly, with a list of the lessons Europeans can learn from their American counterparts engaging in the debate in the home jurisdiction. Among the main messages is that the outcome of the debate depends on the definition of the problem propertization is called on to tackle, and that it is the substance of the actual rights with regard to personal data that matters, and not whether we label them as property rights or not.