
EU Data Protection Regulation 26 June 2012


Explaining the background to the current data protection regulation to Association of British Insurers + Sidley Austin seminar

Published in: Technology, Business
  1. Data Mining and European Law
     Dr Chris Marsden, School of Law, University of Essex
     Sidley Austin, 26 June 2012
  2. Internet and the University of Essex
     • Universities invented the Internet in 1968
     • UK (UCL) early partner of US institutions, though Norway was the first international link
     • Essex 9th in UK for Research (2001-8 RAE)
     • Top 20 global ‘universities under 50’, with UEA, Sussex etc.
     • A Robbins university founded 1964
     • Wivenhoe just outside Colchester
     • Significant interaction with BT Labs (nearby), notably on computing, telecoms and users
  3. Where? Wivenhoe near Colchester
  4. Wivenhoe Park painted by Constable
  5. Essex as a European University
     • Stansted Airport 33 miles
     • London by train 47 minutes
  6. Fast, really fast…
     • Korea – HDTV testbed: Tb/s transfers (1,000,000,000,000 bits per second)
     • EU-FiBRe: testbed with Brazil; useful for 2014 World Cup (BBC Olympic trials)
     • Internet2: Essex first UK university partner
     • Internet Science – social science meets Internet design: standards and regulation; privacy and trust; virtual communities
  7. 2008 World Record
     • Optical transfer 16.4 Tbps (terabits per second), recorded over a distance of 2,550 km
     • 2.05 TB – about 100 HD movies – a second
     • 2011: 186 Gbps over an entire day; could lead to 100 Gbps Ethernet connections
     • Commercial fastest available 1.5 Gbps
  8. Legal rules help you avoid trouble
  9. Wikileaks and the Cloud: Cuckoo in the cloud?
     • Amazon web services hosted Wikileaks
     • Wikileaks under Denial of Service (DOS) attacks
     • Amazon terminated Wikileaks hosting agreement; claimed collateral damage outside Terms of Use
     • Though a breach of contract claim may have produced some evidence of government inducement to breach?
     • Arbitration may have been fun – US jurisdiction likely!
     • But DOS is usually an insurable risk
     • Question: were the DOS attacks government-supported or sponsored?
     • Cyberwarfare/terrorism insurance?
  10. DDOS
  11. 1995 Directive levelling the playing field
     • Germany/Sweden: high data protection; UK not so much; other countries: what problem?
     • Result: 1995 Directive
     • USA ‘compliant’ using ‘safe harbors’
     • Cybertrade wars? – Joel Reidenberg, Eli Noam
     • “That’s the way the cookie crumbles” – Peter Harter, Netscape Communication
  12. Unspeakable and Unenforceable? Non-EU players: low implementation
  13. Enforcing EU Law
     • PHORM etc.
     • Cookie rules: 2009 Directive
     • 2012: UK implements changes to 1995 Directive as amended, and amended…
  14. The issue: lack of UK enforcement
     • UK law did not correctly implement confidentiality of electronic communications
     • Powers to fine by the UK Information Commissioner’s Office inadequate under Article 28 DPD
     • Supplemented by the 2004 Communication on unsolicited commercial communications (‘spam’)
     • The critical test in both the E-Privacy Directive and the DPD is that subscribers have to opt for arrangements that may otherwise infringe their personal privacy, and that sensitive data must not be passed to third parties unless authorized and anonymized
     • Directive 2002/21/EC and COM(2004)0028
  15. EC 2010: refer the case to CJEU
     • Press Release IP/10/1215: UK amended Regulation of Investigatory Powers Act 2000 (RIPA), removing references to implied consent
     • Established sanction against unlawful interception: Section 1A and Schedule A1 of RIPA
     • Maximum monetary penalty £50,000 under the amended legislation, administered by the Interception of Communications Commissioner (ICC)
  16. EC closed infringement case 26 January 2012
     • Recognition that UK amended national legislation to properly implement EU law
     • Press Release IP/12/60 ‘Digital Agenda: Commission closes infringement case after UK correctly implements EU rules on privacy in electronic communications’
     • Regulation of Investigatory Powers (Monetary Penalty Notices and Consents for Interceptions) Regulations 2011, SI 2011/1340
     • Interception of Communications Commissioner, Investigation of Unintentional Electronic Interception: Monetary Penalty Notice, Exercise of Powers under Section 1A and Schedule A1 of the Regulation of Investigatory Powers Act 2000 (2011), at < ommissioner_Guidance_RIPA.pdf>
  17. Cookies no longer crumbling…
     • Active consent required – new rules 2011
     • Information Commissioner (May 2012), new EU cookie law guidance: unications/the_guide/cookies.aspx
     • Implements Art. 2(7), Recital 66, Dir. 2009/136/EU
     • Amending Article 13, Dir. 2002/58/EC, which amended Dir. 97/66/EC
  18. Do Not Track?
     • Browsers required to offer data deletion
     • Self-regulation via standards
     • See DG CONNECT letter to W3C: 0604/Letter_to_W3C_Tracking_Protection_Working_Group.210612.pdf
  19. Delete…
     • Expiration date for personal data
     • Viktor Mayer-Schönberger (2009)
     • Idea dates to early 1990s
     • Google, Facebook and others forced to delete
  20. Reform in progress since 2009-10. Article 29 Working Party advice:
     1. “Future of Privacy” (2009, WP 168);
     2. concepts of “controller” and “processor” (WP 169);
     3. online behavioural advertising (WP 171);
     4. principle of accountability (WP 173);
     5. on applicable law (WP 179);
     6. and on consent (WP 187)
  21. Commission asked Art. 29 WP for three Advice Papers:
     • notifications
     • sensitive data
     • practical implementation
     • Article 28(6)
     • 29/documentation/index_en.htm
  22. Brussels 2012
     • Enforcement issue, but new rules in the pipeline
     • Especially the new draft Regulation: COM(2012) 11/4 Draft Proposal for a Regulation (General Data Protection Regulation)
     • Expected to become law in 2013/14
     • Monthly member state contact committee analyzing the draft clause by clause
     • Very poor way to design a new law…
  23. Article 17(1) Draft Regulation: “Right to be forgotten and to erasure”
     Power to obtain “from the controller erasure of personal data relating to them and abstention from further dissemination of such data”.
     Fails to distinguish 2 kinds of personal information:
     1. information about the data subject which the data subject herself has put on the provider’s platform
     2. information about the data subject that other users have put on the provider’s platform
     • First is uncontroversial: the idea of neutral processing of user-generated data (processing meant to satisfy users’ aims) entails that users should in principle be given the possibility of withdrawing any data they have uploaded.
     • Second is controversial: it can affect commercial decisions, as it affects all third-party data relevant to personal circumstances.
  24. Article 17(2) duty to inform 3rd parties
     • “take all reasonable steps, including technical measures, to inform 3rd parties processing such data, that data subject requests …erase any links to, or copy or replication of that personal data.”
     • “Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.”
  25. Article 79(5): enforcement
     • “a fine up to 500 000 EUR, or in case of an enterprise up to 1% of its annual worldwide turnover”
     • Article 77(1): violator to compensate the damage suffered by the data subject
     • Chilling effect on SMEs, but also worrisome to big data enterprises – including insurance companies
     • But is there a liability product potential?
  26. More policy references
     • New Challenges to Data Protection – Final Report [2010], for DG Justice, forerunner to the draft Regulation: Douwe Korff [London Met], Ian Brown [Oxford Internet Institute]
     • Data Protection: The New Technical and Political Environment [2010], Brown, Computers & Law, Vol. 20, No. 6, February 2010
     • Using NHS Patient Data for Research Without Consent [2010], Law, Innovation and Technology, Vol. 2, No. 2, pp. 219-258: Ian Brown, Lindsey Brown [University of Bristol] and Douwe Korff
     • Communications Data Bill 2013 [Command 8359], subject to joint scrutiny committee and Intelligence Services Committee
     • Terrorism and the Proportionality of Internet Surveillance [2009], Brown/Korff, European Journal of Criminology, Vol. 6[2] 119-134
     • Government Access to Private-Sector Data in the UK [2007], Ian Brown
     • Communications Data Retention in an Evolving Internet [2010], Ian Brown, International J. Law and Information Technology, Vol. 19[2] 95-109
  27. Questions and discussion
  28. Privacy by Design
     • P3P – Tim Weitzner, US White House
     • Privacy impact assessment – public sector
     • Chief Privacy Officer – audit more than Data Protection Officer
  29. Future Internet testbeds between Brazil and Europe – FIBRE
     • Objective 1 – Build Future Internet experimental testbeds in Brazil [diagram: FIBRE common resources, site-specific resources such as wireless and optical testbeds, local testbed, locations and interconnection topology]
     • Objective 2 – Federation of FIBRE-BR and FIBRE-EU facilities
     • Objective 3 – Technology pilot experiments and showcases: seamless mobility testbed; high-definition content delivery