Data protection: The future of privacy

The Art. 29 Working Party (hereinafter “Art. 29 WP”) is an influential body comprised of representatives from the Member State Data Protection Authorities² established under the Data Protection Directive 95/46/EC, has recently issued an opinion with the Working Party on Police and Justice. This is quite significant, since the opinion sets out some of the issues that will need to be addressed in the lead up to the revision of the Data Protection Directive 95/46/EC.³ This comes at a time, when there have been discussions on the current application of the European Data Protection Directive to the internet,⁴ (such as social networking) and the recent European Commission’s consultation on the legal framework for the fundamental right to protection of personal data. Not least, there have been a number of cases brought before the European Court of Justice dealing with the partial implementation of the Data Protection Directive 95/46/EC.⁵The aim of this paper is to consider in detail the issues set out by the Art. 29 WP and the likely challenges in revising the Data Protection Directive 95/46/EC.     

Protecting the communication: Data protection and security measures under telecommunications regulations in the digital age

This paper aims to provide a comparative overview and evaluation of various legal frameworks for electronic communications security in light of the recent developments in the electronic communications sector. The article also includes an insight on European Union and Turkish legal environment for data protection security in electronic communications sector.     

Data protection in the Asia-Pacific region

The increasing reliance on technology as a means of conducting cross-border businesses has spurred on the development of data protection and privacy laws in many countries across the globe. In Asia, however, many countries today still have no or extremely limited data protection laws. Cultural attitudes towards the concept of autonomy and the well-established right of certain governments to monitor and scrutinise its people in certain countries have been partly to blame. However, in order to remain economically viable, the businesses and government of these countries must be able to provide protections which are at least similar to those afforded by the data protection laws of their business counterparts. This article examines the effectiveness and relevance of the APEC Privacy Framework and the state of the data protection laws in eight Asia-Pacific countries today.     

The General Data Protection Regulation and the rise of certification as a regulatory instrument

The endorsement of certification in Article 42 and 43 of the General Data Protection Regulation (hereinafter GDPR) extends the scope of this procedure to the enforcement of fundamental rights. The GDPR also leverages the high flexibility of this procedure to make of certification something else than a voluntary process attesting the conformity with technical standards. This paper argues that the GDPR turned certification into a new regulatory instrument in data protection, I suggest to call it monitored self-regulation, seeking to fill the gap between self-regulation and traditional regulation in order to build a regulation continuum.     

iCLIC Data Mining and Data Sharing workshop: The present and future of data mining and data sharing in the EU

Held at Southampton University's Highfield campus and hosted by iCLIC, an interdisciplinary core on Law, the Internet and Culture, the Data Mining and Data Sharing workshop brought together attendees and speakers from industry, government, academia and a range of disciplines alike. The workshop comprised two sessions, each with a keynote and an associated panel. The first session was chaired by Eleonora Rosati and dealt with copyright and database rights, data mining and data sharing. The second session, chaired by Sophie Stalla-Bourdillon, focussed on data protection, data mining and data sharing. The following report covers both sessions, associated panel discussions and the subsequent question and answer sessions.     

Patching the patchwork: appraising the EU regulatory framework on cyber security breaches

Breaches of security, a.k.a. security and data breaches, are on the rise, one of the reasons being the well-known lack of incentives to secure services and their underlying technologies, such as cloud computing. In this article, I question whether the patchwork of six EU instruments addressing breaches is helping to prevent or mitigate breaches as intended. At a lower level of abstraction, the question concerns appraising the success of each instrument separately. At a higher level of abstraction, since all laws converge on the objective of network and information security – one of the three pillars of the EU cyber security policy – the question is whether the legal ‘patchwork’ is helping to ‘patch’ the underlying insecurity of network and information systems thus contributing to cyber security. To answer the research question, I look at the regulatory framework as a whole, from the perspective of network and information security and consequently I use the expression cyber security breaches. I appraise the regulatory patchwork by using the three goals of notification identified by the European Commission as a benchmark, enriched by policy documents, legal analysis, and academic literature on breaches legislation, and I elaborate my analysis by reasoning on the case of cloud computing. The analysis, which is frustrated by the lack of adequate data, shows that the regulatory framework on cyber security breaches may be failing to provide the necessary level of mutual learning on the functioning of security measures, awareness of both regulatory authorities and the public on how entities fare in protecting data (and the related network and information systems), and enforcing self-improvement of entities dealing with information and services. I conclude with some recommendations addressing the causes, rather than the symptoms, of network and information systems insecurity.     

Privacy,Data Retention and Domination: Digital Rights Ireland Ltd v Minister for Communications

In Digital Rights Ireland Ltd v Minister for Communications, the European Court of Justice found the EU Data Retention Directive, which required the retention of communications data for up to two years, to be incompatible with Articles 7 and 8 of the EU Charter of Fundamental Rights – the rights to privacy and to the protection of personal data. It is argued in this note that the decision ought to be taken as one that is concerned with the exercise of arbitrary power, a concern that is captured by the concept of domination.     

The principle of security safeguards: Unauthorized activities

The principle of information security safeguards is a key information privacy principle contained in every privacy legislation measure, framework, and guideline. This principle requires data controllers to use an adequate level of safeguards before processing personal information. However, privacy literature neither explains what this adequate level is nor how to achieve it. Hence, a knowledge gap has been created between privacy advocates and data controllers who are responsible for providing adequate protection. This paper takes a step toward bridging this knowledge gap by presenting an analysis of how Data Protection and Privacy Commissioners have evaluated the adequacy level of security protection measures given to personal information in selected privacy invasive cases. This study addresses both security measures used to protect personal information against unauthorized activities and the use of personal information in authentication mechanisms. This analysis also lays a foundation for building a set of guidelines that can be used by data controllers for designing, implementing, and operating both technological and organizational measures used to protect personal information.     

Looking for needles in a haystack: Key issues affecting children's rights in the General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) devotes particular attention to the protection of personal data of children. The rationale is that children are less aware of the risks and the potential consequences of the processing of their personal data on their rights. Yet, the text of the GDPR offers little clarity as to the actual implementation and impact of a number of provisions that may significantly affect children and their rights, leading to legal uncertainty for data controllers, parents and children. This uncertainty relates for instance to the age of consent for processing children's data in relation to information society services, the technical requirements regarding parental consent in that regard, the interpretation of the extent to which profiling of children is allowed and the level of transparency that is required vis-à-vis children. This article aims to identify a number of key issues and questions – both theoretical and practical – that raise concerns from a multi-dimensional children's rights perspective, and to clarify remaining ambiguities in the run-up to the actual application of the GDPR from 25 May 2018 onwards.     

Russian PNR system: Data protection issues and global prospects

The usage of Passenger Name Record (PNR) for security purposes is growing worldwide. At least six countries have PNR systems; over thirty are planning to introduce them. On 1 December 2013, a Russian PNR system will be implemented. But enhanced collection of personal data leads to increased surveillance and privacy concerns. Russian authorities state that passengers' rights will be respected, but a closer look at the Russian regime reveals a number of critical points. From a global perspective, the Russian regime is only one of many PNR systems, including new ones to come in the future. Apparently, for the majority of them, similar challenges and problems will apply. At the same time, for the EU, with its strict data protection requirements, PNR requests by third countries (i.e. non-EU countries) create conflicts of laws. In order to resolve them, the EU concludes bilateral PNR agreements. However, the current deals, especially the one between the EU and the USA, involve a number of weaknesses. Accepting the latter, and having a pending proposal on the EU PNR system, the EU has weakened its position in negotiations with third countries. How will the EU deal with the Russian as well as with all the future requests for PNR? This paper provides legal analysis of the Russian PNR regime, pointing out common problems and giving prognosis on the global situation.     

The Swedish mental health system. Past, present, and future

In sum, the evolution, strengths, and weaknesses of the Swedish mental health system are quite similar to mental health systems in other Western countries; early reliance on stand-alone, state psychiatric hospitals, followed by deinstitutionalization and development of largely ambulatory, community mental health care. This evolution has been complicated in Sweden by the multiple levels and system components, the state, the county councils and the municipalities. Unlike the United States, but similar to Britain, community mental health care in Sweden is provided by two systems; treatment (and forensic services) by the county councils' mental health providers, and generic services by the municipalities' social welfare system. The resulting division of roles and responsibilities creates a strong need for collaboration and coordination of activities on behalf of consumers. It can also have the unintended disincentives to serving more difficult consumers. All these difficulties not withstanding, the Swedish mental health system has made major stride in providing quality, appropriate care.     

An international legal framework for data protection: Issues and prospects

The processing of personal data across national borders by both governments and the private sector has increased exponentially in recent years, as has the need for legal protections for personal data. This article examines calls for a global legal framework for data protection, and in particular suggestions that have been made in this regard by the International Law Commission and various national data protection authorities. It first examines the scope of a potential legal framework, and proceeds to analyze the status of data protection in international law. The article then considers the various options through which an international framework could be enacted, before drawing some conclusions about the form and scope such a framework could take, the institutions that could coordinate the work on it, and whether the time is ripe for a multinational convention on data protection.     

When video cameras watch and screen: Privacy implications of pattern recognition technologies

Computer vision technologies based on pattern recognition software will soon allow identifying human behaviour that deviates from a pre-defined normality. Such applications are foreseen, amongst others, to be used in public places with purposes of crime prevention, especially in the context of the fight against terrorism. This technology increases the level of automation of video surveillance, changing the main nature of surveillance. The balance of power between the citizen and the State is altered, calling for a new balancing of interests. The automation of risk detection moreover raises the issue of the protection against partially automated decision-making. This paper will deal with the challenges raised by proactive video surveillance technologies to the way how privacy and security have been balanced so far. Attention will moreover be brought to the new safeguards that should be devised to protect the citizens from increased scrutiny and growing automation of the decision-making process.     

From ugly duckling to Swan. The rise of data protection and its limits

This article considers the development of data protection laws from a position on the periphery of legal consciousness to the situation where it is the subject of intensive legal and media publicity. Focusing on the recent controversies surrounding the use of Facebook apps for political purposes, the article will consider the role and limitations of data and privacy protection laws. The question will be posed – if not answered – whether national or regional laws can be effective in what increasingly is a global information society.     

A comparison of data protection legislation and policies across the EU

Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement.The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protections authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not in all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.     

Legal aspects of cloud security

Enterprise (large organisation) computing workloads are moving from ‘on-prem’ to ‘in-cloud’ increasingly quickly, and the cloud is forecast to account for almost half of enterprise IT by 2026, up from 10% today. But the benefits of the enterprise cloud need to be weighed against increasingly burdensome duties around cloud and data security. This comment piece provides a checklist of the sources of enterprise cloud security duties and a checklist of best practices to manage them.     

Balancing data protection and privacy – The case of information security sensor systems

This article analyses government deployment of information security sensor systems from primarily a European human rights perspective. Sensor systems are designed to detect attacks against information networks by analysing network traffic and comparing this traffic to known attack-vectors, suspicious traffic profiles or content, while also recording attacks and providing information for the prevention of future attacks. The article examines how these sensor systems may be one way of ensuring the necessary protection of personal data stored in government IT-systems, helping governments fulfil positive obligations with regards to data protection under the European Convention on Human Rights (ECHR), the EU Charter of Fundamental Rights (The Charter), as well as data protection and IT-security requirements established in EU-secondary law. It concludes that the implementation of sensor systems illustrates the need to balance data protection against the negative privacy obligations of the state under the ECHR and the Charter and the accompanying need to ensure that surveillance of communications and associated metadata reach established principles of legality and proportionality. The article highlights the difficulty in balancing these positive and negative obligations, makes recommendations on the scope of such sensor systems and the legal safeguards surrounding them to ensure compliance with European human rights law and concludes that there is a risk of privatised policymaking in this field barring further guidance in EU-secondary law or case law.