1.
Sandra Wachter 《Computer Law & Security Report》2018,34(3):436-449
In the Internet of Things (IoT), identification and access control technologies provide essential infrastructure to link data between a user's devices with unique identities, and provide seamless and linked up services. At the same time, profiling methods based on linked records can reveal unexpected details about users' identity and private life, which can conflict with privacy rights and lead to economic, social, and other forms of discriminatory treatment. A balance must be struck between identification and access control required for the IoT to function and user rights to privacy and identity. Striking this balance is not an easy task because of weaknesses in cybersecurity and anonymisation techniques. The EU General Data Protection Regulation (GDPR), set to come into force in May 2018, may provide essential guidance to achieve a fair balance between the interests of IoT providers and users. Through a review of academic and policy literature, this paper maps the inherent tension between privacy and identifiability in the IoT. It focuses on four challenges: (1) profiling, inference, and discrimination; (2) control and context-sensitive sharing of identity; (3) consent and uncertainty; and (4) honesty, trust, and transparency. The paper will then examine the extent to which several standards defined in the GDPR will provide meaningful protection for privacy and control over identity for users of IoT. The paper concludes that in order to minimise the privacy impact of the conflicts between data protection principles and identification in the IoT, GDPR standards urgently require further specification and implementation into the design and deployment of IoT technologies.
2.
Christina Tikkinen-Piri, Anna Rohunen, Jouni Markkula 《Computer Law & Security Report》2018,34(1):134-153
The General Data Protection Regulation (GDPR) will come into force in the European Union (EU) in May 2018 to meet current challenges related to personal data protection and to harmonise data protection across the EU. Although the GDPR is anticipated to benefit companies by offering consistency in data protection activities and liabilities across the EU countries and by enabling more integrated EU-wide data protection policies, it poses new challenges to companies. They are not necessarily prepared for the changes and may lack awareness of the upcoming requirements and the GDPR's coercive measures. The implementation of the GDPR requirements demands substantial financial and human resources, as well as training of employees; hence, companies need guidance to support them in this transition. The purposes of this study were to compare the current Data Protection Directive 95/46/EC with the GDPR by systematically analysing their differences and to identify the GDPR's practical implications, specifically for companies that provide services based on personal data. This study aimed to identify and discuss the changes introduced by the GDPR that would have the most practical relevance to these companies and possibly affect their data management and usage practices. Therefore, a review and a thematic analysis and synthesis of the article-level changes were carried out. Through the analysis, the key practical implications of the changes were identified and classified. As a synthesis of the results, a framework was developed, presenting 12 aspects of these implications and the corresponding guidance on how to prepare for the new requirements. These aspects cover business strategies and practices, as well as organisational and technical measures.
3.
This contribution is an attempt to facilitate a meaningful European discussion on propertization of personal data by explaining the idea as it emerged in its ‘mother-jurisdiction’, the United States. The piece starts with an overview of how the current US legal system addresses the data protection problem and whether, according to the US commentators, the law does it effectively. Furthermore, the contribution presents propertization of personal information as an alternative to the existing data protection regime and one of the ways to fill in the alleged gaps in the US data protection system. The article maps the US propertization debate. Pro-propertization arguments are considered from economic perspective as well as from the perspective of the limitations of the US legal and political system. In continuation it analyses proposals on how property rights in personal data would have to be regulated, if at all, in case the idea of propertization is accepted. The main points of criticism of propertization are also sketched. The article concludes with a brief summary of the US propertization discourse and, most importantly, with a list of the lessons Europeans can learn from their American counterparts engaging in the debate in the home jurisdiction. Among the main messages is that the outcome of the debate depends on the definition of the problem propertization is called on to tackle, and that it is the substance of the actual rights with regard to personal data that matters, and not whether we label them as property rights or not.
4.
Bart Custers, Francien Dechesne, Alan M. Sears, Tommaso Tani, Simone van der Hof 《Computer Law & Security Report》2018,34(2):234-243
Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement. The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protections authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not in all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.
5.
Bernardo D. Olivares Olivares 《Computer Law & Security Report》2018,34(3):628-639
In this paper, we analyse the data subjects' right to access their personal data in the context of the Spanish Tax Administration and the legal consequences of the upcoming General Data Protection Regulation. The results show that there are still difficulties related to the scope of this right, the establishment of proper storage criteria, and in the procedures used by the data controllers to provide accurate information to the data subjects. This situation highlights the necessity to incorporate such technological innovation as metadata labelling and automatic computerised procedures to ensure an optimum management of the data subjects' access to their tax related personal information.
6.
Avihay Dorfman 《The Modern law review》2012,75(6):981-1009
One of the most acute charges against private property observes that ownership generates a trespassory duty of exclusion that far exceeds the requirements of a commitment to values such as freedom and well‐being, and accordingly there exists an analytical mismatch between the form of protecting ownership and the functions that this protection may serve. This article develops a novel account of ownership's normativity, maintaining that, apart from the functions it may render to external values, the form of ownership is in itself a source of value, in virtue of the society it may engender between free and equal persons. Any gap between the form and the function of ownership need not plague private ownership, because the functions of ownership do not exhaust the explanation of its good. The formal core of private property is a distinctively social one, even in the most isolated case of trespass to property.
7.
Over the last two decades, at least a dozen Asian jurisdictions have adopted significant data privacy (or ‘data protection’) laws. South Korea started to implement such laws in relation to its public sector in the 1990s, then its private sector from 2001, culminating in the comprehensive Personal Information Privacy Act of 2011. Internationally, there have been two stages in the development of data privacy principles (the common core of such laws), the first typified by the OECD's data protection Guidelines of 1981, and the second typified by the European Union data protection Directive of 1995, with a third stage currently under development.
8.
The right to data portability in the GDPR: Towards user-centric interoperability of digital services
Paul De Hert, Vagelis Papakonstantinou, Gianclaudio Malgieri, Laurent Beslay, Ignacio Sanchez 《Computer Law & Security Report》2018,34(2):193-203
The right to data portability is one of the most important novelties within the EU General Data Protection Regulation, both in terms of warranting control rights to data subjects and in terms of being found at the intersection between data protection and other fields of law (competition law, intellectual property, consumer protection, etc.). It constitutes, thus, a valuable case of development and diffusion of effective user-centric privacy enhancing technologies and a first tool to allow individuals to enjoy the immaterial wealth of their personal data in the data economy. Indeed, a free portability of personal data from one controller to another can be a strong tool for data subjects in order to foster competition of digital services and interoperability of platforms and in order to enhance controllership of individuals on their own data. However, the adopted formulation of the right to data portability in the GDPR could benefit from further clarification: several interpretations are possible, particularly with regard to the object of the right and its interrelation with other rights, potentially leading to additional challenges within its technical implementation. The aim of this article is to propose a first systematic interpretation of this new right, by suggesting a pragmatic and extensive approach, particularly taking advantage as much as possible of the interrelationship that this new legal provision can have with regard to the Digital Single Market and the fundamental rights of digital users. In sum, the right to data portability can be approximated under two different perspectives: the minimalist approach (the adieu scenario) and the empowering approach (the fusing scenario), which the authors consider highly preferable.
9.
The recent release by the European Commission of the first drafts for the amendment of the EU data protection regulatory framework is the culmination of a consulting and preparation process that lasted more than two years. At the same time, it opens up a law-making process that is intended to take at least as much time. The Commission has undertaken the herculean task to amend the whole EU data protection edifice, through the introduction of a General Data Protection Regulation, intended to replace the EU Data Protection Directive 95/46/EC, and a Police and Criminal Justice Data Protection Directive, intended to replace the Framework Decision 2008/977/JHA. This paper shall focus on the replacement of the EU Data Protection Directive by the draft General Data Protection Regulation. Due to the fact that the draft Regulation is a long (and ambitious) text, a selection has been made, with the aim of highlighting its treatment of basic data protection principles and elements, in order to identify merits and shortcomings for the general data protection purposes.
10.
Business Registers (BRs) are a very important information resource for investors, creditors, financial institutions and public authorities. The possibility to aggregate and interconnect these data at a European level could enhance the transparency of companies towards those actors and add a great deal of value to the raw Business Register data. The European BRITE project intended to provide adequate tools to meet these demands. BRITE will provide easier access and cross-border interoperability of Business Register data throughout Europe. On the other hand, the processing of BR data within the BRs and BRITE triggers several important European legislations such as the Data Protection Directive and the Directive on the re-use of public sector information. In this paper, the processing of BR data will be analysed from the perspective of both data protection and public sector information laws, analysing as well the relation between both regulations. Do these regulations strike an optimal balance between the interests of private data vendors to re-use BR data and enhance business transparency and the need to protect the personal data of natural persons?
11.
New technologies permit online businesses to reduce expenses and increase efficiency by, for example, storing information in “the cloud”, engaging in online tracking and targeted advertising, location and tracking technologies, and biometrics. However, the potential for technology to facilitate long term retention of customers' personal information raises concerns about the competing right of individuals to the privacy of their personal information. Although the European Commission has recently released a proposal for regulation to “provide a data subject with the right to be forgotten and to erasure”, neither the OECD Privacy Guidelines nor the APEC Privacy Framework includes any requirement to delete personal information. While New Zealand includes a “limited retention principle” in the Privacy Act 1993, apart from one limited exception the privacy principles cannot be enforced in court. Taking New Zealand privacy law as an example, this paper examines the issue of retention of customer data, explains why this is a serious problem and argues that although it could be addressed by appropriate amendments to domestic laws, domestic privacy legislation may not be sufficient in an online environment. In the same way as other areas of law, such as the intellectual property regime, have turned to global regulatory standards which reflect the international nature of their subject matter, international privacy regulation should be the next stage for the information privacy regime.
12.
User reviews of products on the e-commerce platforms are a critical determinant of inter-platform competition, as a large number of consumers base their purchasing choices on the related reviews written by other users. The network effects between the number of reviews and new users give a sustainable competitive advantage to incumbent platforms. While business literature has recognised the commercial value of the user reviews, legal scholarship has paid little attention to levelling the playing field between incumbents and new e-commerce platforms by exploring the portability of user reviews. This paper bridges this gap. We explore the possibility of porting user reviews through two legal mechanisms—first, traditional Intellectual Property law; second, the new Right to Data Portability (RtDP) as enshrined in the GDPR. After recognising the limitations of these mechanisms in enabling the portability of reviews, we suggest that pure data aggregators, such as Personal Information Management Services (PIMS), are best placed to make user reviews available to multiple platforms.
13.
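In the era of big data, the regulation of online rumours is both an opportunity and a challenge. When rumours spread by means of the network, the modes and means of dissemination and the forms that rumours take all undergo huge and profound changes. Three models for regulating online rumours have taken shape: moral regulation, legal regulation and technical regulation. Each has its strengths and weaknesses, and the concept of co-regulation should be introduced. As to who regulates online rumours, besides the government, the supervisory responsibility of network service providers should be strengthened, other social organisations relied upon, and broad public participation mobilised, so that governance is carried out cooperatively. As to the choice of governance methods, plural methods should be adopted, integrating rule-of-law means as the bottom line, moral cultivation as guidance and network technical means as the safeguard, thereby forming a combined institutional force to respond to online rumours.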
14.
Data protection regulations are undergoing a global reform. The European Commission proposed a reform of the EU data protection framework in 2012. One major driver for the reform has been the research on the consumer perceptions indicating that the consumers are worried about their personal privacy. However, there has been practically no research on perceptions of companies (the controllers of the personal data) and on the data protection reform. This research analyses the awareness and the willingness to act towards compliance regarding the proposed General Data Protection Regulation (GDPR) in Finland in 2013. The GDPR will replace the Finnish Personal Data Act and therefore plays a central role in the Finnish privacy regulation. This research found that the general level of awareness was low: only 43% of the controllers were aware of the forthcoming reform. The willingness to act or to take steps towards the compliance was even lower: 31% of controllers said that they are planning to act towards compliance during this year. These results indicate that the companies are quite unfamiliar with the reform that correlates with other relevant studies in Europe. Personal data are said to be the oil of the digital economy, the hottest commodity of the market today. There are companies that understand this, but the majority seems to ignore this, at least when it comes to their awareness regarding the reform, even though the reform captures many of the best practices regarding processing of personal data.
15.
Boštjan Berčič, Carlisle George 《International Review of Law, Computers & Technology》2009,23(3):189-201
Information science distinguishes between the semantic forms/intangibles of data, information and knowledge. Data (e.g. an attribute of a data record in a relational database) does not have any meaning by itself. Information is data brought into context (e.g. data related to its primary key), and knowledge is the collection of information for useful intent (e.g. a database). This paper investigates the mapping of semantic forms in information science (i.e. data, information, knowledge) to correlative concepts in information law (primarily data protection legislation) with a view to investigating how such semantic forms are legally protected. The paper first proposes a data, information, knowledge, rules (DIKR) hierarchy in the context of relational database theory, and interprets this hierarchy with respect to data protection concepts. The paper then gives an in-depth discussion of the elements of the DIKR hierarchy (data, information, knowledge, deduced knowledge, induced knowledge) and how they relate to the EU Data Protection Directive 95/46/EC. These relationships are summarized in the form of a two dimensional correlation matrix. Finally the paper discusses how the semantic forms identified are protected under the EU Data Protection Directive, and gives insightful observations about the connection between information law and information science.
16.
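The rules on who owns the rights in an invention completed through the unlawful use of another's technical secret need to be determined separately for each specific type of act of "using a trade secret". An invention that the unlawful user completes by directly using another's technical secret is a direct conversion of that technical secret, and the holder of the technical secret may demand that the unlawful user return its intangible property by way of a change in the ownership of the patent right. Where the unlawful user completes an invention after adjusting, optimising or improving its own technical solution on the basis of another's technical secret, the substantive features of the invention are all creatively contributed by the unlawful user, so the patent right should belong to the unlawful user. Where the unlawful user completes an invention after modifying or improving the technical secret, the substantive features are contributed jointly by the unlawful user and the holder of the technical secret, but because the two parties lack any legal or factual basis capable of forming co-ownership of the patent right, the patent cannot be jointly owned by both. In that case, ownership of the patent right may be claimed by the unlawful user, and the holder of the technical secret may raise the defence of prior use.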
17.
The use of online consumer tracking methods has raised significant privacy concerns for consumers and policymakers for decades. Advertisers using these methods analyze web-viewing habits to predict consumer preferences and actions. The advertising industry in the United States has promoted self-regulatory principles to respond to these concerns. However, in December 2010, the U.S. Federal Trade Commission reported that these efforts “have been too slow and up to now have failed to provide adequate and meaningful protection.” President Barack Obama's administration has supported broader legislation for comprehensive protection of individuals' private data. The leading model for data privacy protection is the 1980 Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. This article examines two leading legislative privacy proposals in the context of the OECD principles. This examination concludes that, although the proposals do not provide sufficient comprehensive privacy protections, they do fill significant gaps in current U.S. privacy laws.
18.
The global ubiquity of cloud computing may expose consumers' sensitive personal data to significant privacy and security threats. A critical challenge for the cloud computing industry is to earn consumers' trust by ensuring adequate privacy and security for sensitive consumer data. Regulating consumer privacy and security also challenges government enforcement of data protection laws that were designed with national borders in mind. From an information privacy perspective, this article analyses how well the regulatory frameworks in place in Europe and the United States help protect the privacy and security of sensitive consumer data in the cloud. It makes suggestions for regulatory reform to protect sensitive information in cloud computing environments and to remove regulatory constraints that limit the growth of this vibrant new industry.
19.
Protecting one's reputation has arguably become harder in this time of YouTube, ‘blogs’ and mobile phone cameras. The simple truth is that it is easier to get ‘caught’ doing something inappropriate and it is easier for people to publish defamatory materials. This article is a somewhat eclectic selection of issues of particular significance to the right of reputation in our modern Internet-based society.
20.
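The EU, the UK, Australia, the US state of California, India, Malaysia and other jurisdictions have already introduced the right to data portability. No consensus has yet been reached on whether China should introduce the right to data portability. Open banking is the earliest and also the most valuable application scenario for the right to data portability, and the theoretical foundation of open banking is the right to data portability. From the perspective of open banking, China should introduce the right to data portability. However, both the introduction of the right to data portability and the implementation of open banking should proceed gradually, step by step and in stages...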