The future of consumer data protection in the E.U. Re-thinking the “notice and consent” paradigm in the new era of predictive analytics

The new E.U. proposal for a general data protection regulation has been introduced to give an answer to the challenges of the evolving digital environment. In some cases, these expectations could be disappointed, since the proposal is still based on the traditional main pillars of the last generation of data protection laws. In the field of consumer data protection, these pillars are the purpose specification principle, the use limitation principle and the “notice and consent” model. Nevertheless, the complexity of data processing, the power of modern analytics and the “transformative” use of personal information drastically limit the awareness of consumers, their capability to evaluate the various consequences of their choices and to give a free and informed consent.     

Privacy,trust and policy-making: Challenges and responses

The authors contend that the emerging ubiquitous Information Society (aka ambient intelligence, pervasive computing, ubiquitous networking and so on) will raise many privacy and trust issues that are context dependent. These issues will pose many challenges for policy-makers and stakeholders because people's notions of privacy and trust are different and shifting. People's attitudes towards privacy and protecting their personal data can vary significantly according to differing circumstances. In addition, notions of privacy and trust are changing over time. The authors provide numerous examples of the challenges facing policy-makers and identify some possible responses, but they see a need for improvements in the policy-making process in order to deal more effectively with varying contexts. They also identify some useful policy-making tools. They conclude that the broad brush policies of the past are not likely to be adequate to deal with the new challenges and that we are probably entering an era that will require development of “micro-policies”. While the new technologies will pose many challenges, perhaps the biggest challenge of all will be to ensure coherence of these micro-policies.     

Singapore's Personal Data Protection legislation: Business perspectives

As global digitalisation of information and interconnecting technologies along with new marketing practices and business processes vastly increase the opportunities for data collection, storage, usage and delivery, there is a corresponding increase in consumer expectations of data privacy. These expectations must be met if business organisations are to promote consumer trust and confidence and maintain their overall competitiveness in a global market. It goes without saying that information is the most valuable business asset and “privacy is good business and information can be the basis of bigger business”. The need to protect data privacy has long been recognised and implemented by major trading nations. Surprisingly, Singapore as a financial centre and nation aspiring to be a trusted data hosting hub has been slow in enacting specific data protection laws. The first piece of legislation that has emerged is a light-touch baseline framework applicable to all organisations except the public sector. This article considers the new legislation from the business perspective and the implications for private sector business organisations facing the challenges of compliance.     

Cursing the Cloud (or) Controlling the Cloud?

Inspired by the cloud computing hypes, this paper responds to some of the hypes, but not to all. The hype in this paper refers to the level of the adequacy of data protection and privacy in a cloud computing (the Cloud) environment. Paradoxically, this paper proffers observational insights that surround the Cloud from the perspectives of data protection and privacy. It examines briefly the efforts of January 2010 led by Microsoft and anticipating “liability” scenarios. The liability rhetorically refers to the illegal access in the Cloud. This paper does not focus entirely on the technology sophistication; however, it analyses two scenarios of illegal access. To mitigate the liability, it suggests a “Cloud Compliant Strategy (CCS)” being a proposed model to control the Cloud. The observational insights of this paper have also intertwined with the adequacy of data protection from the lenses of the European Union (EU) Data Protection Directive 95/46/EC (DPD) and Safe Harbor provisions (SH).     

Profiling the mobile customer – Privacy concerns when behavioural advertisers target mobile phones – Part I

Mobile customers are being tracked and profiled by behavioural advertisers to be able to send them personalized advertising. This process involves data mining consumer databases containing personally-identifying or anonymous data and it raises a host of important privacy concerns. This article, the first in a two part series on consumer information privacy issues on Profiling the Mobile Customer, addresses the questions: “What is profiling in the context of behavioural advertising?” and “How will consumer profiling impact the privacy of mobile customers?” The article examines the EU and U.S. regulatory frameworks for protecting privacy and personal data in regards to profiling by behavioural advertisers that targets mobile customers. It identifies potential harms to privacy and personal data related to profiling for behavioural advertising. It evaluates the extent to which the existing regulatory frameworks in the EU and the U.S. provide an adequate level of privacy protection and identifies key privacy gaps that the behavioural advertising industry and regulators will need to address to adequately protect mobile consumers from profiling by marketers. The upcoming second article in this series will discuss whether industry self-regulation or privacy-enhancing technologies will be adequate to address these privacy gaps and makes suggestions for principles to guide this process.¹     

A walk in to the cloud and cloudy it remains: The challenges and prospects of ‘processing’ and ‘transferring’ personal data

Cloud computing is an information technology technique that promises greater efficiency and reduced-cost to consumers, businesses and public institutions. However, to the extent it has brought better efficiency and minimal cost, the emergence of cloud computing has posed a significant regulatory challenge on the application of data protection rules particularly on the regime regulating cross-border data flow. The Data Protection Directive (DPD), which dates back to 1995, is at odds with some of the basic technological and business-related features of the cloud. As a result, it is claimed that the Directive hardly offers any help in using the legal bases to ‘process’ and ‘transfer’ data as well as to determine when a transfer to a third country occurs in cloud computing. Despite such assertions, the paper argues that the ECJ's Bodil Lindqvist decision can to a certain extent help to delineate circumstances where transfer should and should not occur in the cloud. Concomitantly, the paper demonstrates that controllers can still make the most of the available possibilities in justifying their ‘processing’ as well as ‘transferring’ of data to a third country in cloud arrangements. In doing so, the paper also portrays the challenges that arise down the road. All legal perspectives are largely drawn from EU level though examples are given from member states and other jurisdictions when relevant.     

Robots in the cloud with privacy: A new threat to data protection?

The focus of this paper is on the class of robots for personal or domestic use, which are connected to a networked repository on the internet that allows such machines to share the information required for object recognition, navigation and task completion in the real world. The aim is to shed light on how these robots will challenge current rules on data protection and privacy. On one hand, a new generation of network-centric applications could in fact collect data incessantly and in ways that are “out of control,” because such machines are increasingly “autonomous.” On the other hand, it is likely that individual interaction with personal machines, domestic robots, and so forth, will also affect what U.S. common lawyers sum up with the Katz's test as a reasonable “expectation of privacy.” Whilst lawyers continue to liken people's responsibility for the behaviour of robots to the traditional liability for harm provoked by animals, children, or employees, attention should be drawn to the different ways in which humans will treat, train, or manage their robots-in-the-cloud, and how the human–robot interaction may affect the multiple types of information that are appropriate to reveal, share, or transfer, in a given context.     

The View from the Hill: Legislative Perceptions Of the District

This article addresses legislative perceptions of constituents' interests and develops a theory of perception that highlights the role of information accessibility in the formation of legislative offices' views of their districts. I used original data regarding health policy in the U.S. House to analyze perceptions of constituents' interests. I found that legislators do not see all constituents in their district, nor do they see the largest constituencies. Rather, legislators are more likely to see active and resource‐rich constituents. These findings provide unique evidence of the influence of money in Congress and suggest that legislative misperception is both common and systematically biased.     

Legal aspects of text mining

“Text mining” covers a range of techniques that allow software to extract information from text documents. It is not a new technology, but it has recently received spotlight attention due to the emergence of Big Data. The applications of text mining are very diverse and span multiple disciplines, ranging from biomedicine to legal, business intelligence and security. From a legal perspective, text mining touches upon several areas of law, including contract law, copyright law and database law. This contribution discusses the legal issues encountered during the assembly of texts into so-called “corpora”, as well as the use of such corpora.     

Trust in the proposed EU regulation on trust services?

A few months after ICRI's 20th anniversary conference the European Commission adopted on 4 June 2012 a draft regulation “on electronic identification and trusted services for electronic transactions in the internal market”. The proposed legal framework is intended to give legal effect and mutual recognition to trust services including enhancing current rules on e-signatures and providing a legal framework for electronic seals, time stamping, electronic document acceptability, electronic delivery and website authentication. Yet, this draft Regulation provokes many questions with regard to the implicit “trust” concept on which it is based. Starting from their experience in the EU FP7 uTRUSTit project (Usable Trust in the Internet of Things: www.utrustit.eu) and in other ICRI research projects, Jos Dumortier and Niels Vandezande have analyzed the proposed legislative text of the European Commission and wrote a few critical observations. Although obviously not presented at the conference in November 2011, it seemed worthwhile to add this contribution to its proceedings.     

“Opt in” and “opt out” mechanisms in the internet era – towards a common theory

In order to provide for adequate legal protection mainly in mass-transactions on the internet, both the legislature and private parties increasingly, resort to so-called “opt in” and “opt out” mechanisms. Whether or not an “opt in” or an “opt out” mechanism is used is often decided on a case-by-case basis. The same is true regarding the circumstances under which private parties are or should be allowed to resort to “opt out” mechanisms, and if so, what restrictions should safeguard the free will of the addressees of such mechanisms. This paper argues that the existing “opt in” and “opt out” schemes should not be regarded and discussed as isolated phenomena. Rather, they should be analyzed from the viewpoint of a common underlying legal theory which builds on the common character of the underlying regulatory structure of all “opt in” and “opt out” schemes. This requires a complex matrix which comprises not only the opposites of “in” and “out”, but also of “active” and “inactive”, of “preference” and “non-preference” for the respective default rules, as well as of “ex ante” and “ex post” enforcement of the law. It also involves normative, economic, psychological and, last but not least, technical issues.     

A comparison of proposed legislative data privacy protections in the United States

The use of online consumer tracking methods has raised significant privacy concerns for consumers and policymakers for decades. Advertisers using these methods analyze web-viewing habits to predict consumer preferences and actions. The advertising industry in the United States has promoted self-regulatory principles to respond to these concerns. However, in December 2010, the U.S. Federal Trade Commission reported that these efforts “have been too slow and up to now have failed to provide adequate and meaningful protection.” President Barack Obama's administration has supported broader legislation for comprehensive protection of individuals' private data. The leading model for data privacy protection is the 1980 Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. This article examines two leading legislative privacy proposals in the context of the OECD principles. This examination concludes that, although the proposals do not provide sufficient comprehensive privacy protections, they do fill significant gaps in current U.S. privacy laws.     

The sins of the father: The destruction of the Republican family in Franco's Spain

The postwar years in Spain were little more than the perpetuation of the Civil War on an ideological terrain, as the Franco Regime consistently vilified the memory of the Second Republic and remorselessly persecuted the defeated Republicans. In fact, nationalist diatribes against communism and its attendant ills of separatism and laicism were invariably expounded in medical terminology, referring as they did to the “cancer” and “virus” which had devastated the nation during the Civil War. This empirically unverifiable theory sustained that a large scale extermination (the Civil War) had to be carried out to rid Spain of this “virus” thus preempt the contagion of this fervently Catholic and patriotic nation. Horkheimer affirms that the family is the microcosm of the fascist state, as the relationship between siblings and parents replicates the obedience of the citizen to the fascist state. As Republican traits were at antipodes to the prescribed national attributes, the Francoist State sought to destroy the Republican family by a myriad of measures such as the inculcation of a zealous National Catholicism in their children, which in turn precipitated both selfhatred and the children's outright rejection of their parents. However, the social persecution of the defeated transcended indoctrination: in the postwar years, the horrendousness of life for the Republicans was compounded by the State's quasi reconversion policy, which resulted in Republican children being forcibly removed from their homes, and been adopted by pro-Francoist families, or in many cases, rehoused by religious orders which, within a decade, witnessed a huge increase in the number of supposed orphans becoming seminarists. In this article, I intend to elaborate on both the means by which the Francoist State eradicated the Republican family, and its long-term consequences.     

The Singapore Personal Data Protection Act and an assessment of future trends in data privacy reform

In the first part of this paper, I will present and explain the Singapore Personal Data Protection Act (“PDPA”) in the context of legislative developments in the Asian region and against the well-established international baseline privacy standards. In the course of the above evaluation, reference will be made to the national laws and policy on data privacy prior to the enactment of the PDPA as well as current social and market practices in relation to personal data. In the second part of this paper, I will decipher and assess the future trends in data privacy reform and the future development of the privacy regime in Singapore and beyond. In the course of this analysis, international standards, technological trends and recent legal developments in other jurisdictions will be considered.     

US war on terror EU SWIFT(ly) signs blank cheque on EU data

The EU and the United States signed the Terrorist Finance Tracking Program (also known as SWIFT Agreement) agreement giving the US authorities access to bulk data containing the millions of records in the EU to enable the US authorities to trace financial transactions related to suspected terrorist activity (or to put it bluntly, against US interest). The SWIFT Agreement added some data protection safeguards, but the United States has been found to circumvent the agreement with the aid of the Europol. The EU Commission and the Europol have classified all documents concerning the SWIFT Agreement as secret. EU citizens confront a dark future where unelected EU bureaucrats continue to betray the trust of the people handing out bulk data to “counter terrorism” but at the same time undermining cherished values and violating human right standards and principles.     

The most ambitious plan in 26 years of telecoms market reform? No way!

The European Commission's claim that their proposed new telecoms regulation² constitutes “the most ambitious plan in 26 years of telecoms market reform” is preposterous. That honour must belong to the set of new European directives in 2002 which transformed the structure of telecoms regulation and facilitated competition throughout Europe. Instead the plans make great play of a number of actually pretty minor changes and, the Body for European Regulators for Electronic Communications (“BEREC”) has been particularly critical that the proposals will create unnecessary complexity and uncertainty and limit innovation and competition.     

Some technological implications for ascertaining the contents of contracts in web-based transactions

This paper points out some unexpected relationships between specific aspects of contract law and specific Internet-related technologies. The discussion is not about the interplay between “Law” and “Technology,” or the “Law” and the “Internet.” The aim is modest: to identify some theoretical chokepoints created by the technologies involved in web-based commerce and to point out the legal uncertainties persisting in this area. The analysis is confined to the process of contract formation, not to matters of substantive law. It is during this process that parties assume their contractual obligations and the contents of a contract crystallize.     

Independence of data privacy authorities (Part II): Asia-Pacific experience

Part I of this article in [2012] 28 CLSR 3-13 analysed the views of learned commentators on what constitutes the ‘independence’ of data protection authorities (DPAs). It concluded that a more satisfactory answer needed to be found in the international instruments on data privacy and on human rights bodies, their implementation and judicial interpretation, and in the standards that have been proposed and implemented by DPAs themselves. It found that only the OECD and APEC privacy agreements did not require a DPA (and therefore had no standards for its independence). Thirteen factors were identified as elements of ‘independence’ across these instruments and standards, five of which were more commonly found than others.