
Updating the EU Data Protection Directive

Date post: 05-Dec-2014
Upload: ian-brown
Description:
First presented at SoGikII, University of New South Wales, June 2008. Updated for lecture at Exeter University Nov. 2010.
Updating the Data Protection Directive Dr Ian Brown Oxford Internet Institute
Transcript
Page 1: Updating the EU Data Protection Directive

Updating the Data Protection Directive

Dr Ian Brown

Oxford Internet Institute

Page 2: Updating the EU Data Protection Directive
Page 3: Updating the EU Data Protection Directive

New challenges

1. Explosion in storage, communications & processing

2. Risk intolerance & efficiency, personalisation/marketing

3. User-generated content

4. Enforcement

5. Jurisdiction

Page 4: Updating the EU Data Protection Directive

Behavioural economics

• “Contrary to the assumption … that people have stable, coherent, preferences with respect to privacy, we find that concern about privacy … is highly sensitive to contextual factors”

– Privacy salience primes concerns

– “People, it seems, feel more comfortable providing personal information on unprofessional sites that are arguably particularly likely to misuse it.”

– “Covert inquiries … do not trigger concerns about privacy, and hence promote disclosure.”

John, Acquisti and Loewenstein (under review)

Page 5: Updating the EU Data Protection Directive

Shift focus of regulation

• Most organisations process small amounts of personal data for commonplace purposes - Best Available Techniques?

• Privacy Impact Assessments and more prior checking for large-scale databases with potential to cause significant harm

Page 6: Updating the EU Data Protection Directive

Human rights standards

• Interference with private life must be based on detailed, clear, precise, foreseeable law (Copland v UK)

• Systems must limit access to data to those who have a proportionate requirement for access (I v Finland)

• Bleeding-edge states have a particular duty to consider impact of databases upon privacy (S & Marper v UK)

• Only 5 of 46 major UK government databases we reviewed met these standards

R Anderson, I Brown, T Dowty, P Inglesant, W Heath & A Sasse (2009) Database State, Joseph Rowntree Reform Trust

Page 7: Updating the EU Data Protection Directive

Designing for privacy

• Data minimisation key: is your data really necessary? Limit personal data collection, storage, access and usage

• Users must also be notified and consent to the processing of data

Ade Rowbotham (2005)

Page 8: Updating the EU Data Protection Directive

Individuals ≠ data controllers

• How sustainable is Lindqvist?

• Can we widen domestic processing exemption…

• …alongside better privacy protection by infomediaries?

– Nudges?

– Expedited temporary restrictions on sharing?

Page 9: Updating the EU Data Protection Directive

The Commission’s view

• Consent: EC considering “general principle of transparent processing”, “improving the modalities for the actual exercise of the rights of access, rectification”, “clarifying and strengthening the rules on consent”

• “The eternal memory of Google” vs. the “right to be forgotten”; “data portability”

• Enforcement: “general personal data breach notification”, “extending the power to bring an action before the national courts”, “strengthening the existing provisions on sanctions”

• Standards: “further promoting the use of PETs and the possibilities for the concrete implementation of the concept of ‘Privacy by Design’”, “continue to promote the development of high legal and technical standards of data protection in third countries and at international level”

Page 10: Updating the EU Data Protection Directive

References

• L. Edwards & I. Brown (2009) Data Control and Social Networking: Irreconcilable Ideas? In A. Matwyshyn (ed.) Harboring Data: Information Security, Law and the Corporation, Stanford University Press, 202-227.

• D. Korff & I. Brown (2010) New challenges to Data Protection, European Commission DG Justice

• Leslie K. John, Alessandro Acquisti and George Loewenstein (under review) The Best of Strangers: Context-dependent willingness to divulge personal information

• European Commission, A comprehensive approach on personal data protection in the European Union COM(2010) 609 final

