Joanna Kulesza, University of Lodz: Transboundary Challenges of Privacy Protection

Transboundary challenges to privacy protec5on Joanna Kulesza University of Lodz Faculty of Law and Administra5on Department of Interna5onal Law and Interna5onal Rela5ons Oxford Internet Ins5tute, August 15th, 2012

scope •  legal tools for privacy protec5on •  privacy as an unenforcable human right •  European approach to privacy protec5on •  peer-‐to-‐peer privacy (Web 2.0) •  safe harbor agreements •  walled gardens of privacy •  extra-‐legal solu5on to the privacy challenge

Universal Declara2on of Human Rights (UDHR) 1948 Ar2cle 12. No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to aPacks upon his honour and reputa5on. Ar2cle 29. (2) In the exercise of his rights and freedoms, everyone shall be subject only to such limita2ons as are •  determined by law •  solely for the purpose of securing due recogni5on and respect for the rights and freedoms of others and •  of mee5ng the just requirements of morality, public order and the general welfare in a democra5c society. author: unknown, source: Wikipedia

Interna5onal Covenant on Civil and Poli5cal Rights (ICCPR) •  draUed: 1954 •  adopted : 1966 •  entry into force: 1976 author: IdiotSavant, source: Wikipedia,

Interna2onal Ar2cle 17 Covenant on 1. No one shall be subjected Civil and to arbitrary or unlawful Poli2cal Rights interference with his privacy, family, home or correspondence, nor to unlawful aPacks on his honour and reputa5on. UN Human Rights Commi2ee (HRC) CCPR General Comment No. 16: Ar?cle 17 (Right to Privacy) The Right to Respect of Privacy, Family, Home and Correspondence, and Protec?on of Honour and Reputa?on 8 April 1988

CCPR General Comment No. 16 •  States are required to adopt measures to ensure that the prohibi5on against privacy interferences and aPacks is eﬀec5ve •  A posi5ve obliga5on of states to ac5vly protect individual privacy against interference: „Eﬀec?ve measures have to be taken by States to ensure that informa?on concerning a persons private life does not reach the hands of persons who are not authorized by law to receive, process and use it •  Surveillance, whether electronic or otherwise, intercep?ons of telephonic, telegraphic and other forms of communica?on, wire-‐tapping and recording of conversa?ons should be prohibited.

CCPR General Comment No. 16 •  Lawfulness: no interference can take place „except in cases envisaged by the law •  relevant legisla5on must specify in detail the precise circumstances in which such interferences may be permiPed, while: „A decision to make use of such authorized interference must be made […] on a case-‐by-‐case basis •  Arbitrariness: „even interference provided for by law should be in accordance with the provisions, aims and objec?ves of the Covenant and reasonable in the par?cular circumstances

Why doesn t the ICCPR regime work?

World Court of Human Rights?

World Court of Human Rights? The establishment of a World Court of Human Rights could help to bridge the gap between codiﬁed rights and reality. The idea of such a Court dates back to 1947. Due to the Cold War, however, the proposal did not ﬁnd consensus among States. Thus the World Court of Human Rights was never realised and remained s?gma?sed as utopian. Author: Sylvain Savolainen, source: www.udhr60.ch

Privacy protec5on in Europe

Privacy protec5on in Europe (ECHR) Conven2on for the Protec2on of Human Rights and Fundamental Freedoms (European Conven5on on Human Rights, ECHR), 1953 (draUed 1950) ECHR jurisprudence recognizes the right to privacy in its Ar5cle 8 as a deriva5ve of the right to have one’s private and family life respected. Ar?cle 8 1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democra?c society in the interests of na?onal security, public safety or the economic well-‐being of the country, for the preven?on of disorder or crime, for the protec?on of health or morals, or for the protec?on of the rights and freedoms of others. à rich jurisprudence

Privacy protec5on in Europe (EU) Charter of Fundamental Rights of the European Union 2009 (2000) Ar?cle 7 Respect for private and family life Everyone has the right to respect for his or her private and family life, home and communica5ons. Ar?cle 8 Protec2on of personal data 1. Everyone has the right to the protec5on of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legi5mate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rec5fied. 3. Compliance with these rules shall be subject to control by an independent authority. effec5veness ques5oned, esp. with the Bri5sh, Czech and Polish opt-‐out protocol

privacy and personal data

Privacy protec5on in Europe (EU) Direc5ve 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protec5on of individuals with regard to the processing of personal data and on the free movement of such data Ar5cle 3 Scope 2. This Direc5ve shall not apply to the processing of personal data: -‐ by a natural person in the course of a purely personal or household ac2vity. author/source: promo5onal-‐items.in

„a purely personal ac5vity on-‐line ü social networks? ü private pages? weblogs? criteria? •  data availability? •  network character? J. Kulesza, Transboundary challenges to privacy protection

peer-‐to-‐peer privacy Web 2.0 challenge J. Kulesza, Transboundary challenges to privacy protection

J. Kulesza, Transboundary challenges to privacy protection 18

J. Kulesza, Transboundary challenges 19 to privacy protection

geolocalisa5on data 20

social seman5c web J. Kulesza, Transboundary challenges to privacy protection 21

J. Kulesza, Transboundary challenges to privacy protection 22

peer-‐to-‐peer privacy •  new categories of data (geolocalisa5on) •  new tools enabling detailed personal proﬁling for private purposes •  no anonymity •  durability of data (right to be forgoPen?) J. Kulesza, Transboundary challenges to privacy protection 23

Privacy 2.0 „Mash together these technologies (…) and it becomes trivial to receive answers to ques?ons like: Where was Jonathan Zi2rain last year on the fourteenth of February?, or, Who could be found near the entrance to the local Planned Parenthood clinic in the past six months? The answers need not come from government or corporate cameras, which are at least par?ally secured against abuse through well-‐ considered privacy policies from Privacy 1.0. Instead, the answers come from a more powerful, genera?ve source: an army of the world’s photographers, including tourists sharing their photos online without ﬁrm (or legi?mate) expecta?ons of how they might next be used and reused. J. Zi2rain, „The Future of Internet and How to Stop It . p. 46 J. Kulesza, Transboundary challenges to privacy protection

Privacy as a personal right na5onal civil law challenge

Privacy as a personal right public sphere (Sozial-‐/ Öﬀentlichkeitssphäre) privacy sphere (Privatsphäre) in5mate sphere (In5msphäre)

Privacy as a personal right public sphere (Sozial-‐/ Öﬀentlichkeitssphäre) social sphere (Sozialsphäre) privacy sphere (Privatsphäre) in5mate sphere (In5msphäre) secret sphere (Sekretsphäre)

The transatlan5c challenge

U.S. vs EU concept of data protec5on Ar5cle 25 Direc5ve 95/46/EC 1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing aUer transfer may take place only if […] the third country in ques5on ensures an adequate level of protec2on. 2. The adequacy of the level of protec5on aﬀorded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer opera5on or set of data transfer opera5ons; […] 3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protec5on within the meaning of paragraph 2. 4. Where the Commission ﬁnds […] that a third country does not ensure an adequate level of protec5on within the meaning of paragraph 2 of this Ar5cle, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in ques5on.

U.S. vs EU concept of data protec5on In order to enable personal data transfer from Europe to the U.S., the Department of Commerce (DoC) coordinated the formula5on of Safe Harbor Privacy Principles.

safe harbour agreements •  United States entrepreneurs wishing to use personal data protected by the EU law must accept the Principles (coordinated by the U.S. DoC). •  They need to repeatedly cer5fy that they meet the aims declared in the principles by joining one of the self-‐regula5ng programs, for example, TRUSTe or BBBOnline, verify compliance with the Safe Harbor Privacy Principles. •  The declara5on of each company to adhere to the program includes an obliga5on to meet the seven basic aims of the Direc5ve (no5ce, choice, onward transfer, security, data integrity, access and enforcement).

safe harbour agreements •  Safe Harbor Privacy Principles are not an act of law. Their only legal eﬀect is to encourage voluntary corporate compliance with the principles veriﬁed by authorized organiza5ons. •  Viola5ons of the Principles are deemed acts of unfair or decep5ve trade prac5ce by the Federal Trade Commission (FTC). •  U.S.-‐based companies, opera5ng in Europe may be subject to European states’ jurisdic5on if they fail to meet their data protec5on obliga5ons based on na5onal personal data regula5ons.

safe harbour agreements •  The execu5on and enforcement of Safe Harbor Privacy Principles has been subject to cri5cism, primarily because of the lack of transparency on the introduc5on and verifica5on of privacy policies. •  The 2004 EU review of the implementa5on of the Principles included repeated concern “about the number of self-‐cer5fied organiza5ons that have not published a privacy policy or that have published a policy that is not compliant with the Principles.” •  The crucial, prac5cal problem originated from the voluntary character of the guidelines. Since some companies did not introduce any privacy policy, the FTC had no jurisdic5on to enforce their compliance with the Principles. The Commission also depicted the lack of a proac5ve aptude in monitoring organiza5ons’ compliance with the Principles. •  An independent 2008 review showed a growing number of false claims by U.S. organiza5ons on their Safe Harbor compliance and recognized it as a new and significant threat to consumers’ privacy.

interna5onal privacy protec5on http://www.privacyinternational.org/survey/dpmap.jpg 34

the source of the problem

shape of law 36 http://www.jimmymack.org

shape of cyberspace 37 author: Dmitri Krioukov, source: SDSC/CAIDA

Na5onal privacy standards in cyberspace? 38 author: Dmitri Krioukov, source: SDSC/CAIDA http://www.jimmymack.org

extralegal solu5ons? services and self-‐regula5on J. Kulesza, Transboundary challenges to privacy protection

services J. Kulesza, Transboundary challenges to privacy protection 40

walled gardens of privacy simondseconoart/ sundaypearls.wordpress.com

J. Kulesza, Transboundary challenges 42 to privacy protection

summary •  liPle chance for a binding and executable interna5onal treaty on privacy protec5on •  a good chance of common business prac5ces sepng a global standard •  alterna5ve: na5onally „secured spaces of privacy protec5on according to na5onal laws (e.g. china)

Joanna Kulesza University of Lodz joannakulesza@gmail.com

http://www.internet-science.eu	556
http://internet-science.eu	16
http://webcache.googleusercontent.com	1
http://www.slashdocs.com	1

Joanna Kulesza, University of Lodz: Transboundary Challenges of Privacy Protection

by i_scienceEU on Aug 16, 2012

Accessibility

Categories

Upload Details

Usage Rights

4 Embeds 574

Statistics

Joanna Kulesza, University of Lodz: Transboundary Challenges of Privacy Protection Presentation Transcript