Privacy issues in Future        Internet      Aleksandra Kuczerawy        ICRI – KU Leuven
SocIoS•  Exploiting the User Created Content and the Social   Graph of users in Social Networks to create new   services• ...
Privacy and data protection issues in FutureInternet:•  Basic concepts     –    Personal data     –    Processing of perso...
Concept of ‘personal data’ (95/46)  “any information relating to an identified or    identifiable natural person (data sub...
Processing of personal data (art. 2.b)any operation or set of operations which is  performed upon personal data, whether o...
Personal data on-line  •    Made public on the Internet  •    Does NOT mean consent for processing  •    Technically avail...
Legal grounds for processing: • Main grounds:- Consent-  Legitimate interestsIn certain instances:- Performance of a contr...
Data controller or data processor?•  Controller   –  determines the purposes and means of the processing of      personal ...
Varying degrees of ‘control’              T. Olsen, T. Mahler, Identity management land data protection law: Risk, respons...
Data protection principles  •    Fairness principle  •    Finality principle  •    Data minimisation principle  •    Data ...
Fairness principle        Processing must be fair and lawful!!!  •  data subject has to be provided with certain     infor...
Finality principle•  Data controllers collect data only as far as it is   necessary to achieve the specified, explicit and...
Historical, statistical or scientific purposes  •  Not a primary legal ground  •  Expands on finality principle  •  Refers...
Data minimisation principle•  data should be adequate, relevant and not   excessive•  store only a minimum of data necessa...
Data quality principle •  personal data should be accurate and kept up to    date •  every reasonable step to ensure that ...
Location Based Services – ePrivacy Directive•  Location data - any data processed in an electronic   communications networ...
Processing of location dataOnly if•  they are made anonymous, or•  with the consent of the users or subscribersInformation...
Children’s personal data•  Same rights as adults, but!•  No full legal capability•  Need a representative to exercise thes...
Future of privacy and data protection•  The draft general data protection regulation•  January 25, 2012•  One regulation f...
Draft General Data Protection Regulation•  Explicit consent when required for certain types of   data processing•  Reinfor...
Recommendations:  •    Who is the Data Controller  •    Where will the data be processed, by whom  •    Check national dat...
Thank you for your attention.      Questions?
Upcoming SlideShare
Loading in...5
×

Aleksandra kuczerawy privacy issues in future internet - seserv se workshop june 2012

782

Published on

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
782
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Aleksandra kuczerawy privacy issues in future internet - seserv se workshop june 2012

  1. 1. Privacy issues in Future Internet Aleksandra Kuczerawy ICRI – KU Leuven
  2. 2. SocIoS•  Exploiting the User Created Content and the Social Graph of users in Social Networks to create new services•  Provide cross-platform tools that enable to manage the dynamically generated content by building services that combine data and functionality from two or more different SNS
  3. 3. Privacy and data protection issues in FutureInternet:•  Basic concepts –  Personal data –  Processing of personal data –  Legal grounds of processing –  Controller vs. processors•  Legal requirements for data processing•  Location based services•  Children and personal data•  Future and Recommendations
  4. 4. Concept of ‘personal data’ (95/46) “any information relating to an identified or identifiable natural person (data subject)” -  Direct or indirect identification -  No exhaustive list -  Sensitive data: special regime applies (!)
  5. 5. Processing of personal data (art. 2.b)any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as:-  Collection of profile information, tweets, …-  Subsequent profiling to determine relevancy of search results-  Storage of log information regarding account usage-  …
  6. 6. Personal data on-line •  Made public on the Internet •  Does NOT mean consent for processing •  Technically available •  But legally NOT •  All rules apply for content already published online (need for a legal ground, purpose, etc…)
  7. 7. Legal grounds for processing: • Main grounds:- Consent-  Legitimate interestsIn certain instances:- Performance of a contract to which the data subject is party - Compliance with a legal obligation of the controller
  8. 8. Data controller or data processor?•  Controller –  determines the purposes and means of the processing of personal data –  Main responsible entity•  Processor –  Entity which processes personal data on behalf of the controller –  Not responsible for the processing => Distinction often blurry in practice, despite considerable practical implications & hurdles !
  9. 9. Varying degrees of ‘control’ T. Olsen, T. Mahler, Identity management land data protection law: Risk, responsibility and compliance in ‘Circles of Trust’ – Part II, Computer aw & Security report 23 ( 2 0 0 7 )
  10. 10. Data protection principles •  Fairness principle •  Finality principle •  Data minimisation principle •  Data quality principle •  Conservation principle •  Confidentiality and security •  Notification to the Supervisory Authority
  11. 11. Fairness principle Processing must be fair and lawful!!! •  data subject has to be provided with certain information (transparency) •  stay in line with all types of their legal obligations
  12. 12. Finality principle•  Data controllers collect data only as far as it is necessary to achieve the specified, explicit and legitimate purpose•  No further processing incompatible with the original purposes•  Further processing of data for historical, statistical or scientific purposes
  13. 13. Historical, statistical or scientific purposes •  Not a primary legal ground •  Expands on finality principle •  Refers only to further processing of data •  For processing of which there is a separate legal ground •  Cannot constitute a primary basis for processing
  14. 14. Data minimisation principle•  data should be adequate, relevant and not excessive•  store only a minimum of data necessary to run their services
  15. 15. Data quality principle •  personal data should be accurate and kept up to date •  every reasonable step to ensure that data which are inaccurate or incomplete are either erased or rectified •  appropriate mechanism to allow data subjects updating their personal data or notifying the data controller about the incorrect information
  16. 16. Location Based Services – ePrivacy Directive•  Location data - any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service•  Value added service - any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof
  17. 17. Processing of location dataOnly if•  they are made anonymous, or•  with the consent of the users or subscribersInformation to the users•  the type of location data which will be processed•  the purposes and duration of the processing•  whether the data will be transmitted to a third party for the purpose of providing the value added service
  18. 18. Children’s personal data•  Same rights as adults, but!•  No full legal capability•  Need a representative to exercise these rights•  Legal guardian (usually a parent)•  Should consult children, depending on their understanding/ maturity•  Processing should not be performed against child’s will•  Dynamic relation
  19. 19. Future of privacy and data protection•  The draft general data protection regulation•  January 25, 2012•  One regulation for all EU Member States•  Binding and applicable without national implementation•  Current status: discussion phase•  Aims for full harmonization•  Aims to adjust legal regime to technological development
  20. 20. Draft General Data Protection Regulation•  Explicit consent when required for certain types of data processing•  Reinforcement of the right to information - full understanding how personal data is handled (particularly children)•  Easy access to ones own data - what kind of information a company stores about them;•  Data portability•  ‘Right to be forgotten’•  More provisions directed to processors
  21. 21. Recommendations: •  Who is the Data Controller •  Where will the data be processed, by whom •  Check national data protection legislation •  Contact local DPA •  Prepare Privacy Policy •  Caution – sensitive data! •  Caution – children’s personal data!
  22. 22. Thank you for your attention. Questions?

×