Where next for European data protection law? - Presentation Transcript
Dr Ian Brown, Oxford Internet Institute
New challenges and potential responses
Explosion in storage, comms & processing
Risk intolerance & efficiency, personalisation
Jurisdiction
Enforcement
Web 2.0
Streamline and move forward focus of regulation
Privacy by design
Couple wider exemptions for individuals with intermediary protections
Shift focus of regulation
Most organisations process small amounts of personal data for commonplace purposes - Best Available Techniques?
Privacy Impact Assessments and more prior checking for large-scale databases with potential to cause significant harm
Human rights standards
Interference with private life must be based on detailed, clear, precise, foreseeable law (Copland v UK)
Systems must limit access to data to those who have a proportionate requirement for access (I v Finland)
Bleeding-edge states have a particular duty to consider impact of databases upon privacy (S & Marper v UK)
Only 5 of 46 major UK government databases we reviewed met these standards
R Anderson, I Brown, T Dowty, P Inglesant, W Heath & A Sasse (2009) Database State, Joseph Rowntree Reform Trust
Designing for privacy
Data minimisation key: is your data really necessary? Limit personal data collection, storage, access and usage
Users must also be notified and consent to the processing of data
Ade Rowbotham (2005)
Individuals ≠ data controllers
How sustainable is Lindqvist?
Can we widen domestic processing exemption…
… alongside better privacy protection by infomediaries?
Nudges?
Expedited temporary restrictions on sharing?
L Edwards & I Brown (2009) Data Control and Social Networking: Irreconcilable Ideas? In Matwyshyn, A. (ed.) Harboring Data: Information Security, Law and the Corporation, Stanford University Press