• Save
Aleksandra kuczerawy   privacy issues in future internet - seserv se workshop june 2012
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
991
On Slideshare
644
From Embeds
347
Number of Embeds
1

Actions

Shares
Downloads
0
Comments
0
Likes
0

Embeds 347

http://mj89sp3sau2k7lj1eg3k40hkeppguj6j-a-sites-opensocial.googleusercontent.com 347

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Privacy issues in Future Internet Aleksandra Kuczerawy ICRI – KU Leuven
  • 2. SocIoS•  Exploiting the User Created Content and the Social Graph of users in Social Networks to create new services•  Provide cross-platform tools that enable to manage the dynamically generated content by building services that combine data and functionality from two or more different SNS
  • 3. Privacy and data protection issues in FutureInternet:•  Basic concepts –  Personal data –  Processing of personal data –  Legal grounds of processing –  Controller vs. processors•  Legal requirements for data processing•  Location based services•  Children and personal data•  Future and Recommendations
  • 4. Concept of ‘personal data’ (95/46) “any information relating to an identified or identifiable natural person (data subject)” -  Direct or indirect identification -  No exhaustive list -  Sensitive data: special regime applies (!)
  • 5. Processing of personal data (art. 2.b)any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as:-  Collection of profile information, tweets, …-  Subsequent profiling to determine relevancy of search results-  Storage of log information regarding account usage-  …
  • 6. Personal data on-line •  Made public on the Internet •  Does NOT mean consent for processing •  Technically available •  But legally NOT •  All rules apply for content already published online (need for a legal ground, purpose, etc…)
  • 7. Legal grounds for processing: • Main grounds:- Consent-  Legitimate interestsIn certain instances:- Performance of a contract to which the data subject is party - Compliance with a legal obligation of the controller
  • 8. Data controller or data processor?•  Controller –  determines the purposes and means of the processing of personal data –  Main responsible entity•  Processor –  Entity which processes personal data on behalf of the controller –  Not responsible for the processing => Distinction often blurry in practice, despite considerable practical implications & hurdles !
  • 9. Varying degrees of ‘control’ T. Olsen, T. Mahler, Identity management land data protection law: Risk, responsibility and compliance in ‘Circles of Trust’ – Part II, Computer aw & Security report 23 ( 2 0 0 7 )
  • 10. Data protection principles •  Fairness principle •  Finality principle •  Data minimisation principle •  Data quality principle •  Conservation principle •  Confidentiality and security •  Notification to the Supervisory Authority
  • 11. Fairness principle Processing must be fair and lawful!!! •  data subject has to be provided with certain information (transparency) •  stay in line with all types of their legal obligations
  • 12. Finality principle•  Data controllers collect data only as far as it is necessary to achieve the specified, explicit and legitimate purpose•  No further processing incompatible with the original purposes•  Further processing of data for historical, statistical or scientific purposes
  • 13. Historical, statistical or scientific purposes •  Not a primary legal ground •  Expands on finality principle •  Refers only to further processing of data •  For processing of which there is a separate legal ground •  Cannot constitute a primary basis for processing
  • 14. Data minimisation principle•  data should be adequate, relevant and not excessive•  store only a minimum of data necessary to run their services
  • 15. Data quality principle •  personal data should be accurate and kept up to date •  every reasonable step to ensure that data which are inaccurate or incomplete are either erased or rectified •  appropriate mechanism to allow data subjects updating their personal data or notifying the data controller about the incorrect information
  • 16. Location Based Services – ePrivacy Directive•  Location data - any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service•  Value added service - any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof
  • 17. Processing of location dataOnly if•  they are made anonymous, or•  with the consent of the users or subscribersInformation to the users•  the type of location data which will be processed•  the purposes and duration of the processing•  whether the data will be transmitted to a third party for the purpose of providing the value added service
  • 18. Children’s personal data•  Same rights as adults, but!•  No full legal capability•  Need a representative to exercise these rights•  Legal guardian (usually a parent)•  Should consult children, depending on their understanding/ maturity•  Processing should not be performed against child’s will•  Dynamic relation
  • 19. Future of privacy and data protection•  The draft general data protection regulation•  January 25, 2012•  One regulation for all EU Member States•  Binding and applicable without national implementation•  Current status: discussion phase•  Aims for full harmonization•  Aims to adjust legal regime to technological development
  • 20. Draft General Data Protection Regulation•  Explicit consent when required for certain types of data processing•  Reinforcement of the right to information - full understanding how personal data is handled (particularly children)•  Easy access to ones own data - what kind of information a company stores about them;•  Data portability•  ‘Right to be forgotten’•  More provisions directed to processors
  • 21. Recommendations: •  Who is the Data Controller •  Where will the data be processed, by whom •  Check national data protection legislation •  Contact local DPA •  Prepare Privacy Policy •  Caution – sensitive data! •  Caution – children’s personal data!
  • 22. Thank you for your attention. Questions?