Post on 05-Dec-2014
Updating the Data Protection Directive
Dr Ian Brown
Oxford Internet Institute
New challenges
1. Explosion in storage, communications & processing
2. Risk intolerance & efficiency, personalisation/marketing
3. User-generated content
4. Enforcement
5. Jurisdiction
Behavioural economics
• “Contrary to the assumption … that people have stable, coherent, preferences with respect to privacy, we find that concern about privacy … is highly sensitive to contextual factors”
– Privacy salience primes concerns
– “People, it seems, feel more comfortable providing personal information on unprofessional sites that are arguably particularly likely to misuse it.”
– “Covert inquiries … do not trigger concerns about privacy, and hence promote disclosure.”
John, Acquisti and Loewenstein (under review)
Shift focus of regulation
• Most organisations process small amounts of personal data for commonplace purposes - Best Available Techniques?
• Privacy Impact Assessments and more prior checking for large-scale databases with potential to cause significant harm
Human rights standards
• Interference with private life must be based on detailed, clear, precise, foreseeable law (Copland v UK)
• Systems must limit access to data to those who have a proportionate requirement for access (I v Finland)
• Bleeding-edge states have a particular duty to consider impact of databases upon privacy (S & Marper v UK)
• Only 5 of 46 major UK government databases we reviewed met these standards
R Anderson, I Brown, T Dowty, P Inglesant, W Heath & A Sasse (2009) Database State, Joseph Rowntree Reform Trust
Designing for privacy
• Data minimisation key: is your data really necessary? Limit personal data collection, storage, access and usage
• Users must also be notified and consent to the processing of data
Ade Rowbotham (2005)
Individuals ≠ data controllers
• How sustainable is Lindqvist?
• Can we widen domestic processing exemption…
• …alongside better privacy protection by infomediaries?
– Nudges?
– Expedited temporary restrictions on sharing?
The Commission’s view
• Consent: EC considering “general principle of transparent processing”, “improving the modalities for the actual exercise of the rights of access, rectification”, “clarifying and strengthening the rules on consent”
• “The eternal memory of Google” vs. the “right to be forgotten”; “data portability”
• Enforcement: “general personal data breach notification”, “extending the power to bring an action before the national courts”, “strengthening the existing provisions on sanctions”
• Standards: “further promoting the use of PETs and the possibilities for the concrete implementation of the concept of ‘Privacy by Design’”, “continue to promote the development of high legal and technical standards of data protection in third countries and at international level”
References
• L. Edwards & I. Brown (2009) Data Control and Social Networking: Irreconcilable Ideas? In A. Matwyshyn (ed.) Harboring Data: Information Security, Law and the Corporation, Stanford University Press, 202-227.
• D. Korff & I. Brown (2010) New Challenges to Data Protection, European Commission DG Justice.
• Leslie K. John, Alessandro Acquisti and George Loewenstein (under review) The Best of Strangers: Context-dependent Willingness to Divulge Personal Information.
• European Commission (2010) A Comprehensive Approach on Personal Data Protection in the European Union, COM(2010) 609 final.