Internet of Things – New security and privacy challenges

The Internet of Things, an emerging global Internet-based technical architecture facilitating the exchange of goods and services in global supply chain networks has an impact on the security and privacy of the involved stakeholders. Measures ensuring the architecture's resilience to attacks, data authentication, access control and client privacy need to be established. An adequate legal framework must take the underlying technology into account and would best be established by an international legislator, which is supplemented by the private sector according to specific needs and thereby becomes easily adjustable. The contents of the respective legislation must encompass the right to information, provisions prohibiting or restricting the use of mechanisms of the Internet of Things, rules on IT-security-legislation, provisions supporting the use of mechanisms of the Internet of Things and the establishment of a task force doing research on the legal challenges of the IoT.     

Are data protection laws sufficient for privacy intrusions? The case in Hong Kong

An area of concern which relates to privacy intrusions in Hong Kong is the substantial changes that have taken place in recent years in relation to news gathering and reporting and the activities of local paparazzi. The issue that needs to be addressed is how intrusions of privacy can be protected in Hong Kong. The most significant reform to date has been the enactment of the Personal Data (Privacy) Ordinance which provides rules for the fair handling of information about living individuals. However, the Ordinance is concerned only with data protection and does not provide a general privacy right. This article demonstrates the inadequacies of existing legislation for general privacy protection and examines the possibility of developing a separate action for general privacy via a) an action of extended breach of confidence as demonstrated by the UK model and b) a sui generis cause of action as can be seen in the New Zealand courts.     

The security of network systems — A review

Organisations in both business and government face a considerable risk from inadequately secured information systems. In recognition of these risks, Directorate-General XIII (Telecommunications, Information Industries and Innovation) of the Commission of the European Communities commissioned a series of projects to examine security issues in the use of information technology. The results of one of these studies, concentrating on the security of network systems, is reviewed below.It was an objective of the study that its results should be seen as definitive, authoritative and applicable across the European Community as a whole. In order to meet this objective, the study, led by Coopers & Lybrand, drew upon the skills and experience of 44 organisations in seven European countries, including:

• •⊎ Coopers and Lybrand practices in France, Germany, Italy, the Netherlands and the United Kingdom;
• •⊎ Admiral Management Services Ltd;
• •⊎ The Commission of the European Communities;
• •⊎ 17 vendors of IT products and services in five European countries;
• •⊎ 20 major users of network systems in seven European countries.

In particular, the study benefited from detailed case studies in each of the 20 large and sophisticated users of network systems and from assessments of 27 security products from twelve IT vendors.     

mHealth and data protection – the letter and the spirit of consent legal requirements

In this article, the role of consent is discussed in the framework of fundamental rights and in the context of mobile health technologies (mHealth), such as smart phones, mobile phones or tablet/palm-held computing devices to provide healthcare. The authors surmise how, in practice, although there will be more emphasis on informed consent formally, there will be less space for genuine individual consent. This betrays a focus more on the letter of consent rules in data protection than their spirit. This risks reducing consent to a tick box operation in a manner analogous to consumer transactions, something manifestly unsuitable for consent, even if only in informational terms, during medical procedures.     

E-Government users’ privacy and security concerns and availability of laws in Dubai

The purpose of the study was to review privacy and security concerns and their impact on e-government adoption in Dubai. The research analyzed the literature on e-government, security and privacy concerns of e-government adoption and the legislative provision relating to privacy and security protection. A survey on e-government user concerns on privacy, security and ease of use was also carried out. The data for the survey in this research were collected from 190 respondents in Dubai. The results of the analysis revealed that perceived security, privacy and perceived ease of use were important constructs in e-government adoption. The analysis of legal framework showed that the Federal Constitution, the Penal Code, the new Data Protection Act and the Computer Crime Act could be used to address various privacy and security concerns. Thus, it is important that the policy makers facilitate an appropriate awareness campaign of the existence of both information privacy and security to attract more participation towards the e-government services.     

Restrictions on cryptography in India – A case studyof encryption and privacy

The developments of technology in communications industry have radically altered the ways in which we communicate and exchange information. Along with the speed, efficiency, and cost-saving benefits of the digital revolution come new challenges to the security and privacy of communications and information traversing the global communications infrastructure. As is with any technology the misuse of technology is noticed similarly the encryption technology. Encryption and other advanced technologies may be used, with direct impact on law enforcement and therefore some restrictions are necessary in the interests of national security. The problem, however, is ensuring that the restriction is legitimate and solely for in the interests of national security, the state not being allowed to interfere and keep a track on individuals' activities and private lives without sufficient cause. The individual needs encryption to protect their personal privacy and confidential data such as medical information, personal financial data, and electronic mail. In a networked environment, such information is increasingly at risk of being stolen or misused. Therefore, encryption is critical to building a secure and trusted global information infrastructure. Digital computers have changed the landscape considerably and the entire issue, at its simplest level, boils down to a form of balancing of interests. The specific legal and rights-related problems arising from the issue of cryptography and privacy in the Indian context are examined in this paper.     

Enter the quagmire – the complicated relationship between data protection law and consumer protection law

This article examines the complex relationship between consumer protection law and data protection law, particularly within the EU's online environment, and highlights the problems that stem from this complexity. It suggests that, while there are significant similarities between their respective sources, tools and purposes, there are also arguable differences between consumer protection law and data protection law. One such arguable difference is found in that, while consumer protection law can be seen to merely set a floor in its pursuit of a sufficiently high level of consumer protection, data protection law – due to its clearly articulated dual purposes of (a) protecting individuals with regard to the processing of personal data and (b) providing for the free movement of such data – sets both a floor and a ceiling.Having discussed the relationship between consumer protection law and data protection law in more detail, the argument is made that it seems possible to conclude that the balance struck in the Data Protection Directive, and soon in the General Data Protection Regulation, places limitations on consumer protection law. The implications of this conclusion are then examined briefly in the context of some matters currently coming before the CJEU and the contours of a framework are presented, addressing situations where a data protection-based liability claim is pursued against a third-party non-controller under consumer protection law.     

Pricing privacy – the right to know the value of your personal data

The commodification of digital identities is an emerging reality in the data-driven economy. Personal data of individuals represent monetary value in the data-driven economy and are often considered a counter performance for “free” digital services or for discounts for online products and services. Furthermore, customer data and profiling algorithms are already considered a business asset and protected through trade secrets. At the same time, individuals do not seem to be fully aware of the monetary value of their personal data and tend to underestimate their economic power within the data-driven economy and to passively succumb to the propertization of their digital identity. An effort that can increase awareness of consumers/users on their own personal information could be making them aware of the monetary value of their personal data. In other words, if individuals are shown the “price” of their personal data, they can acquire higher awareness about their power in the digital market and thus be effectively empowered for the protection of their information privacy. This paper analyzes whether consumers/users should have a right to know the value of their personal data. After analyzing how EU legislation is already developing in the direction of propertization and monetization of personal data, different models for quantifying the value of personal data are investigated. These models are discussed, not to determine the actual prices of personal data, but to show that the monetary value of personal data can be quantified, a conditio-sine-qua-non for the right to know the value of your personal data. Next, active choice models, in which users are offered the option to pay for online services, either with their personal data or with money, are discussed. It is concluded, however, that these models are incompatible with EU data protection law. Finally, practical, moral and cognitive problems of pricing privacy are discussed as an introduction to further research. We conclude that such research is needed to see to which extent these problems can be solved or mitigated. Only then, it can be determined whether the benefits of introducing a right to know the value of your personal data outweigh the problems and hurdles related to it.     

There's more to it than data protection – Fundamental rights,privacy and the personal/household exemption in the digital age

Heated debates triggered by the plans to introduce the “right to be forgotten” exposed problems the all-encompassing application of rules on data processing may cause in practice. The purpose of this article is to discuss the compatibility of these rules with the rapidly evolving online environment in the context of the need to guarantee human rights on the internet. The author argues that there is an imbalance in the protection of individual rights online. It results from the limited application of personal/household exception and, in general, the narrow understanding of the concept of online privacy. According to the author in order for data protection laws to flesh out not only the fundamental right of data protection, but also play a mediatory role in balancing other rights, the application of the personal/household exception should be extended to include private online activities. This would reflect the complex character of the very concept of online privacy, diversity of actors and activities shaping online “territories”, as well as the increasingly heterogeneous fabric of the Web.     

Biometrics,e-identity and the balance between security and privacy： A case study of Passenger Name Record （PNR） system

The proposal of European Commission for a Framework Decision on the use of Passenger Name Record （PNR） data for law enforcement purposes, specially combating terrorism, raises new security and privacy issues such as the compatibility with the proporsionality principle. Aftermath of the September 11 attacks a new political-law status of ＂war＂ against the so-called unlawful combatants of the ＂enemy is established. Some measures against terrorism may seem reasonable in a situation of war although they would never be acceptable in a time of piece.     

Balancing in a crisis? Bioterrorism, public health and privacy

Post-September 11, the government has been rapidly funding public health initiatives to bolster the Nation's ability to respond to bioterrorist attacks. While the infusion of money into the public health system is laudable, the pressure to enact legislation quickly has resulted in laws and policies that ignore privacy and civil liberties and that favor anti-bioterror initiatives over more common public health concerns. A public health agenda that ignores privacy and civil liberties will undermine public trust, leading people to not fully participate in critical public health activities. Our Nation is far more likely to succeed in preventing and responding to a potential act of bioterrorism if we embrace the principle that advancing public health and preserving individual liberties are symbiotic and inextricable.     

Robots in the cloud with privacy: A new threat to data protection?

The focus of this paper is on the class of robots for personal or domestic use, which are connected to a networked repository on the internet that allows such machines to share the information required for object recognition, navigation and task completion in the real world. The aim is to shed light on how these robots will challenge current rules on data protection and privacy. On one hand, a new generation of network-centric applications could in fact collect data incessantly and in ways that are “out of control,” because such machines are increasingly “autonomous.” On the other hand, it is likely that individual interaction with personal machines, domestic robots, and so forth, will also affect what U.S. common lawyers sum up with the Katz's test as a reasonable “expectation of privacy.” Whilst lawyers continue to liken people's responsibility for the behaviour of robots to the traditional liability for harm provoked by animals, children, or employees, attention should be drawn to the different ways in which humans will treat, train, or manage their robots-in-the-cloud, and how the human–robot interaction may affect the multiple types of information that are appropriate to reveal, share, or transfer, in a given context.     

Civilian uses of unmanned aerial vehicles and the threat to the right to privacy – An Israeli case study

In recent years we have witnessed a growing demand for the use of Unmanned Aerial Vehicles (“UAVs”) in civilian contexts. Government authorities (such as law enforcement agencies), corporations and private individuals have identified the advantages inherent in the use of UAVs. At the same time, corporations marketing and manufacturing UAVs for civilian purposes, and the industries that support these manufacturers, have identified the enormous economic potential which may be derived from the sale and maintenance of UAVs (and the cameras and other equipment assembled into them). Hence, in the coming years, we will undoubtedly witness a rapid expansion of the civilian use of UAVs.     

One law to rule them all? The reach of EU data protection law after the Google v CNIL case

Google v CNIL is, arguably, one of the landmark cases of EU data protection law and it has been an important development regarding its territorial reach. The judgment's findings in this regard have been controversial and have led to much discussion about their legitimacy and potential repercussions. This paper examines two aspects of this case. First, it considers the holdings of this judgment regarding the global application of EU law in relation to international law and sovereignty. This article argues that though EU decision-makers might have a degree of ‘data imperialism’ in their thinking, this judgment is not at odds with neither international law nor sovereignty. Second, the paper examines the methodology of the Court and the role it accorded to the Charter of Fundamental Rights of the EU– an aspect that many commentators overlook. In this regard, I argue that the Court's methodology was problematic and that it failed to duly consider the role of the Charter, thus fragmenting EU law.     

The CLSR-LSPI Seminar – ‘The future of privacy regulation in the online world’

The annual CLSR-LSPI Seminar (www.lspi.net) took place on 19 September 2011 at the Sixth Legal, Security & Privacy Issues in IT Conference (LSPI) at University of Nicosia, Cyprus. The event, led by Prof. Steve Saxby, Editor-in-Chief of CLSR, invited contributions from five legal specialists on a variety of current issues dealing with the future of privacy. A lively discussion took place amongst those present after each intervention. The reports of those who presented are recorded below.     

Who decides on the future of data protection? Role of law firms in shaping European data protection regime

Drawing on theories of European integration and governance and sociological studies on the influence of elite law firms on rule-setting, this paper shows that law firms (a) operate in the area of data protection that is of extreme complexity and requires expert knowledge; and (b) display characteristics similar to other actors who succeeded in influencing agenda-setting and the results of policy-making despite having no formal competence to do so. This article proposes a hypothesis of the influence of elite law firms in EU data protection rule-setting. It argues that the EU data protection sector is prone to such influence as it is by definition transnational and, at some technical and some core points, inadequate to reflect the real data processing practices and therefore is entrenched with uncertainty. Therefore, the research into politics of data protection in Europe cannot disregard the role of these actors in shaping the European data protection regime.     

“Personal information of privacy nature” under Chinese Civil Code

Chinese Civil Code separates the civil right to privacy and the civil interest of personal information through the proposal of the PIPN in Article 1034, which constructs a different model from both EU and US. Although this distinction is of great significance, it brings potential problems, too. The PIPN is a kind of personal information which is unwilling to be known to others with privacy nature, which can be defined through a method of combining basic definition plus enumerations. It is recommended to consider the context and purpose of processing personal information when deciding the PIPN, and the level of privateness, availability, risk and identifiability will be considered to the privacy test. Based on Chinese reality, ID number, biometric information, financial information should be list as the typical kinds of the PIPN in the future legislation.