Privacy by design and anonymisation techniques in action: Case study of Match technology

Privacy by Design is now enjoying widespread acceptance. The EU has recently expressly included it as one of the key principles in the revised data protection legal framework. But how does Privacy by design and data anonymisation work in practise? In this article the authors address this question from a practical point of view by analysing a case study on EU Financial Intelligence Units (“FIUs”) using the Ma³tch technology as additional feature to the existing exchange of information via FIU.NET decentralised computer network. They present, analyse, and evaluate Ma³tch technology from the perspective of personal data protection. The authors conclude that Ma³tch technology can be seen as a valuable example of Privacy by Design. It achieves data anonymisation and enhances data minimisation and data security, which are the fundamental elements of Privacy by Design. Therefore, it may not only improve the exchange of information among FIUs and allow for the data processing to be in line with applicable data protection requirements, but it may also substantially contribute to the protection of privacy of related data subjects. At the same time, the case study clearly shows that Privacy by Design needs to be supported and complemented by appropriate organisational and technical procedures to assure that the technology solutions devised to protect privacy would in fact do so.     

Are data protection laws sufficient for privacy intrusions? The case in Hong Kong

An area of concern which relates to privacy intrusions in Hong Kong is the substantial changes that have taken place in recent years in relation to news gathering and reporting and the activities of local paparazzi. The issue that needs to be addressed is how intrusions of privacy can be protected in Hong Kong. The most significant reform to date has been the enactment of the Personal Data (Privacy) Ordinance which provides rules for the fair handling of information about living individuals. However, the Ordinance is concerned only with data protection and does not provide a general privacy right. This article demonstrates the inadequacies of existing legislation for general privacy protection and examines the possibility of developing a separate action for general privacy via a) an action of extended breach of confidence as demonstrated by the UK model and b) a sui generis cause of action as can be seen in the New Zealand courts.     

EU Accession to the ECHR: Between Autonomy and Adaptation

After the European Union's accession to the European Convention on Human Rights the EU will become subject to legally binding judicial decisions of the European Court of Human Rights (ECtHR) and participate in statutory bodies of the Council of Europe (Parliamentary Assembly; Committee of Ministers) when they act under the Convention. Convention rights and their interpretation by the ECtHR will be directly enforceable against the EU institutions and against Member States when acting within the scope of EU law. This will vest the ECHR with additional force in a number of Member States, including Germany and the UK. All Member States will further be subject to additional constraints when acting under the Convention system. The article considers the reasons for, and consequences of the EU's primus inter pares position under the Convention and within the Council of Europe, and the likely practical effect of the EU's accession for its Member States.     

The retention of personal information online: A call for international regulation of privacy law

New technologies permit online businesses to reduce expenses and increase efficiency by, for example, storing information in “the cloud”, engaging in online tracking and targeted advertising, location and tracking technologies, and biometrics. However, the potential for technology to facilitate long term retention of customers' personal information raises concerns about the competing right of individuals to the privacy of their personal information. Although the European Commission has recently released a proposal for regulation to “provide a data subject with the right to be forgotten and to erasure”, neither the OECD Privacy Guidelines nor the APEC Privacy Framework includes any requirement to delete personal information. While New Zealand includes a “limited retention principle” in the Privacy Act 1993, apart from one limited exception the privacy principles cannot be enforced in court. Taking New Zealand privacy law as an example, this paper examines the issue of retention of customer data, explains why this is a serious problem and argues that although it could be addressed by appropriate amendments to domestic laws, domestic privacy legislation may not be sufficient in an online environment. In the same way as other areas of law, such as the intellectual property regime, have turned to global regulatory standards which reflect the international nature of their subject matter, international privacy regulation should be the next stage for the information privacy regime.     

Open-source intelligence and privacy by design

As demonstrated by other papers on this issue, open-source intelligence (OSINT) by state authorities poses challenges for privacy protection and intellectual-property enforcement. A possible strategy to address these challenges is to adapt the design of OSINT tools to embed normative requirements, in particular legal requirements. The experience of the VIRTUOSO platform will be used to illustrate this strategy. Ideally, the technical development process of OSINT tools is combined with legal and ethical safeguards in such a way that the resulting products have a legally compliant design, are acceptable within society (social embedding), and at the same time meet in a sufficiently flexible way the varying requirements of different end-user groups. This paper uses the analytic framework of privacy design strategies (minimise, separate, aggregate, hide, inform, control, enforce, and demonstrate), arguing that two approaches for embedding legal compliance seem promising to explore in particular. One approach is the concept of revocable privacy with spread responsibility. The other approach uses a policy mark-up language to define Enterprise Privacy Policies, which determine appropriate data handling.     

Breach of Confidence as a Privacy Remedy in the Human Rights Act Era

This article examines the impact of the Human Rights Act (HRA) on the current lack of a remedy for non-consensual publication of personal information by the media. It argues that the action for breach of confidence is now ripe for development into a privacy law in all but name and that the normative impetus for this enterprise can be found in the HRA which will require domestic courts to consider Convention jurisprudence. It will suggest that when Strasbourg decisions are examined in the context of more general Convention doctrines, they may be seen to suggest the need for an effective privacy remedy. Drawing upon approaches from other jurisdictions it seeks to demonstrate that principled solutions may be found to the thicket of legal problems associated with such development. It contends that the main objection to this enterprise, the perceived threat to media freedom, is largely misplaced, as analysis at the theoretical and doctrinal levels reveals that speech and privacy interests are in many respects mutually supportive and the areas of conflict small and readily susceptible to resolution.     

Workplace Monitoring and the Right to Private Life at Work

In Barbulescu v Romania, the European Court of Human Rights clarified the application of the Article 8 right to private life in the workplace, and the extent of the state's positive obligations to protect the right against workplace monitoring. The decision establishes that there is an irreducible core to the right to private life at work that does not depend on an employee's reasonable expectations of privacy, and sets out clear principles for striking a fair balance between Article 8 and the employer's interests in the context of workplace monitoring. This article considers the nature of states’ positive obligation to protect human rights at work, the scope of the right to private life, and the impact of the decision on domestic law of unfair dismissal.     

Will the European Commission be able to standardise legal technology design without a legal method?

Privacy by Design (PbD) is a kind of precautionary legal technology design. It takes opportunities for fundamental rights without creating risks for them. Now the EU Commission “promised” to implement PbD with Art. 23(4) of its proposal of a General Data Protection Regulation. It suggests setting up a committee that can define technical standards for PbD. However the Commission did not keep its promise. Should it be left to the IT security experts who sit in the committee but do not have the legal expertise, to decide on our privacy or, by using overly detailed specifications, to prevent businesses from marketing innovative products? This paper asserts that the Commission's implementation of PbD is not acceptable as it stands and makes positive contributions for the work of a future PbD committee so that the Commission can keep its promise to introduce precautionary legal technology design.     

Privacy regulation cannot be hardcoded. A critical comment on the ‘privacy by design’ provision in data-protection law

‘Privacy by design’ is an increasingly popular paradigm. It is the principle or concept that privacy should be promoted as a default setting of every new ICT system and should be built into systems from the design stage. The draft General Data Protection Regulation embraces ‘privacy by design’ without detailing how it can or should be applied. This paper discusses what the proposed legal obligation for ‘privacy by design’ implies in practice for online businesses. In particular, does it entail hard-coding privacy requirements in system design? First, the ‘privacy by design’ provision in the proposed Regulation is analysed and interpreted. Next, we discuss an extreme interpretation – embedding data protection requirements in system software – and identify five complicating issues. On the basis of these complications, we conclude that ‘privacy by design’ should not be interpreted as trying to achieve rule compliance by techno-regulation. Instead, fostering the right mindset of those responsible for developing and running data processing systems may prove to be more productive. Therefore, in terms of the regulatory tool-box, privacy by design should be approached less from a ‘code’ perspective, but rather from the perspective of ‘communication’ strategies.     

The principle of security safeguards: Unauthorized activities

The principle of information security safeguards is a key information privacy principle contained in every privacy legislation measure, framework, and guideline. This principle requires data controllers to use an adequate level of safeguards before processing personal information. However, privacy literature neither explains what this adequate level is nor how to achieve it. Hence, a knowledge gap has been created between privacy advocates and data controllers who are responsible for providing adequate protection. This paper takes a step toward bridging this knowledge gap by presenting an analysis of how Data Protection and Privacy Commissioners have evaluated the adequacy level of security protection measures given to personal information in selected privacy invasive cases. This study addresses both security measures used to protect personal information against unauthorized activities and the use of personal information in authentication mechanisms. This analysis also lays a foundation for building a set of guidelines that can be used by data controllers for designing, implementing, and operating both technological and organizational measures used to protect personal information.     

Automated consent through privacy agents: Legal requirements and technical architecture

The changes imposed by new information technologies, especially pervasive computing and the Internet, require a deep reflection on the fundamental values underlying privacy and the best way to achieve their protection. The explicit consent of the data subject, which is a cornerstone of most data protection regulations, is a typical example of requirement which is very difficult to put into practice in the new world of “pervasive computing” where many data communications necessarily occur without the users' notice. In this paper, we argue that an architecture based on “Privacy Agents” can make privacy rights protection more effective, provided however that this architecture meets a number of legal requirements to ensure the validity of consent delivered through such Privacy Agents. We first present a legal analysis of consent considering successively (1) its nature; (2) its essential features (qualities and defects) and (3) its formal requirements. Then we draw the lessons of this legal analysis for the design of a valid architecture based on Privacy Agents. To conclude, we suggest an implementation of this architecture proposed in a multidisciplinary project involving lawyers and computer scientists.     

论个人隐私权的行政法保护

从隐私权的私权属性出发,应该确立以私权为核心的隐私权行政法保护理念;行政权力公共利益属性决定了隐私权行政法保护离不开行政公开制度建构;在平衡政府权力与个人权利的关系中,制定个人隐私权保护法,为隐私权行政法保护提供直接法律依据。     

The Open Architecture of European Human Rights Law

The evolution of the European human rights regime is often described as the development of an integrated order with the European Convention of Human Rights as its governing 'constitutional instrument'. It is argued that the regime is better regarded as pluralist - characterised by a heterarchical relationship between its constituent parts that is ultimately defined politically and not legally. The emergence and workings of this pluralist order are traced through the interaction of the European Court of Human Rights with domestic courts in the European Union. These cases not only show conflicts over questions of ultimate supremacy but also significant convergence and harmony in practice. The analysis of the factors leading to this convergence indicates that central characteristics of pluralism – incrementalism and the openness of ultimate authority – have contributed significantly to the generally smooth evolution of the European human rights regime. This suggests a broader appeal of pluralist models as alternatives to constitutionalism in the construction of postnational authority and law.     

Data security: Past,present and future

The loss by Her Majesty's Revenue and Customs (HMRC) of two CDs containing 25 million child benefit details has changed the data security landscape forever. No longer is data security the exclusive and rather arcane preserve of spotty technology professionals or data protection lawyers. HMRC has thrust data security onto the front pages of the mainstream media and brought it very suddenly to the top of the political and commercial agendas of senior politicians and boards of directors. In this article, the author will outline the reasons behind the rise of data security as a front line issue and examine the lessons to be learnt from HMRC. He will analyse the different facets of data security risk and explore ways in which organisations can go about managing it. He will outline the attitude of regulators to data security and where regulatory developments are likely to take us. The final part of the article looks into the future, with particular focus on the emergence of privacy enhancing technologies.     

隐私权视野下的网上公开裁判文书之限

裁判文书的上网是落实审判公开的一项有力措施,但其对隐私权的威胁亦不容忽视。裁判文书的全文上网原则上应预先获得当事人的同意,当然,若裁判文书涉及公共利益,则隐私权也应受到限制。但因公共利益的需要而将裁判文书上网时,仍应对具有可识别性的个人信息和其他重要信息予以保密。被害人、证人、未成年人的隐私权应予特殊保护。调解书原则上不应通过网络公开。     

Regulating intersectional activity: privacy and energy efficiency,laws and technology

Using a case study, this paper explores the extent to which one area of law (privacy and data protection) can intersect with, and be challenged by, proposals for delivery of another goal – greater energy efficiency. The article then explores the extent to which these fields are becoming more integrated; and also the risks of relying on technology (notably through Privacy by Design) to do this, particularly given the uncertainties embraced by lawyers and which can be problematic to technologists. Having identified challenges in meeting both energy efficiency and privacy/data protection goals at the same time, the article develops two responses. One looks more widely in law, to competition, to prevent particular activity and to confirm the relevance of greater legal interdisciplinarity. The other is a more multi-faceted collaborative governance approach, involving legal and technical expertise and consumer perspectives, with standards having a valuable role. Addressing climate change through greater energy efficiency should be an appropriate motivation to bring about this second approach, which draws on wider environmental governance developments. With largely a UK and EU focus, but seeking to be of transnational relevance, the paper makes key contributions as to the capacity and limits of how law can address societal challenges; explores the risks of assuming that social and legal problems can be readily addressed by technology; confirms the need for lawyers to look to other fields of law; and assists progress in an increasingly intersectional and dynamic field.     

Privacy and security by design: Comparing the EU and Israeli approaches to embedding privacy and security

Policymakers in the European Union and Israel are searching for regulatory strategies on how to best protect their citizens informational privacy. More recently, the focus has shifted towards Privacy and Security by Design as a mean to address current privacy concerns. While Privacy and Security by Design in itself is not a new idea, its implementation has taken new forms within the General Data Protection Regulation, as well as in various Israeli laws, inter alia, the Privacy Protection Regulations on Data Security. In this article we first analyse these implementations of Privacy and Security by Design and then compare the European and Israeli approaches with one another. We address the question of which approach provides more guidance to developers with respect on how to embed Privacy and Security by Design measures into new services and products. We conclude by pointing to empirical research needed to further analyse the impact of the two different regulatory strategies.     

The fundamental right of data protection in the European Union: in search of an uncharted right

The entry into force of the EU Charter of Fundamental Rights and the ensuing introduction of the right to data protection as a new fundamental right in the legal order of the EU has raised some challenges. This article is an attempt to bring clarity on some of these questions. We will therefore try to address the issue of the place of the right to the protection of personal data within the global architecture of the Charter, but also the relationship between this new fundamental right and the already existing instruments. In doing so, we will analyse the most pertinent case law of the Court of Luxembourg, only to find out that it creates more confusion than clarity. The lesson we draw from this overview is that the reasoning of the Court is permeated by a ‘privacy thinking’, which consists not only in overly linking the rights to privacy and data protection, but also in applying the modus operandi of the former to the latter (which are different we contend). The same flawed reasoning seems to be at work in the EU Charter of Fundamental Rights. Therefore, it is crucial that the different modi operandi be acknowledged, and that any upcoming data protection instrument is accurately framed in relation with Article 8 of the Charter.     

Cloud forecasting: Legal visibility issues in saturated environments

The advent of cloud computing has brought the computing power of corporate data processing and storage centers to lightweight devices. Software-as-a-service cloud subscribers enjoy the convenience of personal devices along with the power and capability of a service. Using logical as opposed to physical partitions across cloud servers, providers supply flexible and scalable resources. Furthermore, the possibility for multitenant accounts promises considerable freedom when establishing access controls for cloud content. For forensic analysts conducting data acquisition, cloud resources present unique challenges. Inherent properties such as dynamic content, multiple sources, and nonlocal content make it difficult for a standard to be developed for evidence gathering in satisfaction of United States federal evidentiary standards in criminal litigation. Development of such standards, while essential for reliable production of evidence at trial, may not be entirely possible given the guarantees to privacy granted by the Fourth Amendment and the Electronic Communications Privacy Act. Privacy of information on a cloud is complicated because the data is stored on resources owned by a third-party provider, accessible by users of an account group, and monitored according to a service level agreement. This research constructs a balancing test for competing considerations of a forensic investigator acquiring information from a cloud.     

Five years of the APEC Privacy Framework: Failure or promise?

The APEC Privacy Framework was developed from 2003, adopted by APEC in 2004 and finalised in 2005. It was intended as a means of improving the standard of information privacy protection throughout the APEC countries of the Asia–Pacific, and of facilitating the trans-border flow of personal information between those countries. In 2007 a number of ‘Pathfinder’ projects for cross-border data transfers were launched under the Framework. In the five years since the process commenced, what has it achieved, and what is it likely to achieve? This paper argues that the APEC Privacy Framework has had many flaws from its inception, including Privacy Principles that are unnecessarily weak, and no meaningful enforcement requirements. Since its adoption in 2004, little attempt has been made to encourage its use as a minimal standard for privacy legislation in developing countries (which might have been useful), and it is having little impact on the significant number of legislative developments now taking place.