
Data Protection in an Age of User-Generated Content (WYNG-Hatton Lecture 2016)



The majority of personal information available online is now in some sense user-generated, and most of this is subject to further processing by service providers pushing, structuring and aggregating the content. This emerging ecosystem raises unprecedented challenges for the data protection framework, both as regards the safeguarding of users themselves and the allocation of responsibility between them and service providers for the protection of the rights of other individuals who may be identifiable in the published data. These slides from the WYNG-Hatton Lecture 2016, delivered at the University of Hong Kong in November 2016, look at these issues from both a historical and contemporary perspective, concentrating especially on the case examples of health discussion forums, the publication of data from internet of things tracking devices and the responsibilities of search engines in the wake of the "right to be forgotten" ruling in Google Spain (2014). The video of the lecture is available here:

Published in: Law


  1. Dr. David Erdos, University of Cambridge
  2. History of Personal Data Protection (DP)
     • Europe the “cradle” of DP & remains strong champion.
     • Indirect germs of this idea long & deep roots:
         • Rights of personality, privacy, identity & honour.
         • Turn to human rights post World War II.
     • Direct origins are rather recent:
         • 1973: First national law & first transnational instrument.
         • 1980s: DP Convention & spread of laws in Europe
         • 1990s: DP EU Directive.
         • 2000s: DP EU fundamental right & global spread of laws
         • 2010s: DP EU Regulation; global spread continues.
  3. The Rise of Electronic Data Processing
     • Moore’s Law (1965): computing power will exponentially increase.
     • Not just a question of storage but also e.g. collection, organization, dissemination and retrieval.
     Oren Blomberg on Flickr
  4. European Data Protection (DP): Default Scope
     • Personal Data: “any information relating to an identified or identifiable individual” (A. 2 (a))
     • Regulated Processing: “any operation”. Always regulated if even partly automated.
     • Purposive Scope: “protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy”
     Luxembourg CNPD
  5. European DP: Default Substance
     Personal Data Processing
     • DP Principles: Fair & lawful; Purpose quality & limits; Information quality & limits
     • Legitimation: Consent, necessary balance etc.
     • Transparency & Control: Proactive Duties; Retroactive Duties; Objection rights
     • Sensitive Data: Health life; Sex life; Racial origin; Politics; Religion etc.
     • Discipline: Data Security; Data Management; Export Control
     • Enforcement: Judicial remedy; DP Authority; European Supervision
     Derogations/exemptions to establish equilibrium with other rights and interests
  6. User-Generated Content: 1980s-present
     • Online publication initially seen as informational: “It is essential to understand that Viewdata was initially designed for the dissemination of … information.” (Fedida & Malik, 1979)
     • But success generally rested on user communication: “Minitel offers both information and games, but above all a forum where readers can make themselves heard.” (Marchand, 1988)
     • Stress on user communication has gathered pace: “In the era of so-called web 2.0 most content available online is user-generated …interacting … unprecedented forms of collaboration.” (Cunha et al., 2012)
  7. UGC 1980s: Early Nature & Early Concern
     International Conference of DP Commissioners on New Media 1983
     • “[P]ersonal data of all kinds can be widely disseminated at small cost … [S]uppliers and subscribers are publishing sensitive data”
     • “[M]ust not violate personal rights … … [including] legal regulations … in one country … can be circumvented in another.”
     Images taken at Centre for Computing History, Cambridge
  8. Court of Justice of EU: Lindqvist (2003)
     Facts: Lindqvist published data on some 18 fellow volunteers including of leg-injury (& that on half-time work).
     1. Lindqvist was not exempt from data protection: “publication … accessible to an indefinite number of people” (at [47])
     2. Lindqvist had published health/sensitive data: “all aspects, both physical and mental, of the health of an individual” (at [50])
     3. Not “artistic or literary” purpose but need for rights balance: “Lindqvist’s freedom of expression … and her freedom to carry out activities contributing to religious life have to be weighed against the protection of the private life” (at [86])
  9. Health Discussion Sites: Italian DPA (2012)
     • Acknowledges value for scientific knowledge & mutual support.
     • Publication of health data on Internet posed specific risks.
     • Focus on proactive responsibilities of Site Manager:
         • Allow for & flag up possibility of pseudonymity.
         • Specify if published data available beyond registered users.
         • Specify if published data available to search engines.
         • Warn users to be careful regarding identifying data or images.
         • Warn users to be especially careful about third party identification (even indirect).
         • Facilitate & mention empowerment rights (updating, rectification, erasure, objection).
  10. UGC & the Internet of Things
     • Rise of systematic recording e.g. of fitness & sleep.
     • Data often socially published e.g. to foster +ve competition.
     • Significant knowledge, wellbeing and self-creation benefits.
     • Serious data protection risks.
     EU DPA Article 29 Working Party (2014):
     • Default settings should ask users to review/edit/decide on information generated before publication on social platforms.
     • Socially published information should not be indexed by search engines by default.
     Mike Mozart on Flickr
  11. FitBit UGC Privacy Scandal 2011
  12. “Right to be Forgotten” Ruling (2014)
     • DP concern about searching & public content from early 1980s.
     • Rise of general search engines in mid-1990s was a game changer.
     • But, for many years often seen as “off limits” from European DP:
         • Transnational jurisdictional problems,
         • Ideology of engines as “neutral intermediary”,
         • Freedom of expression concerns & divergences,
         • Impracticability of many DP standards.
     • Whilst myriad issues remain, 2014 CJEU decision marked key shift.
  13. Google Spain (2014): Three Key Elements
     • “[T]he processing of personal data … search engine can be distinguished from and is additional to that carried out by publishers of websites” (at [35])
     • “[D]ata subject … request that the information in question no longer be made available … override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the public in finding that information upon a search relating to the data subject’s name.” (at [97])
     • “Article 8 of the [EU] Charter [of Fundamental Rights] expressly proclaims the right to the protection of personal data” (at [69])
  14. Final Thoughts
     • European DP champions critical noble & “at risk” values.
     • European DP in many ways not in good health.
     • Interface with UGC epitomises many of European DP’s problems.
     • How can we create a legal, contextual, protective and effective framework going forward?
     “[D]ata protection was after all from its earliest days an impossible task.” (Prof. Spiros Simitis (Hessian DP Supervisor 1975-1991), Montreal 1997)