Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Aleksandra kuczerawy privacy issues in future internet - seserv se workshop june 2012


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

Aleksandra kuczerawy privacy issues in future internet - seserv se workshop june 2012

  1. 1. Privacy issues in Future Internet Aleksandra Kuczerawy ICRI – KU Leuven
  2. 2. SocIoS•  Exploiting the User Created Content and the Social Graph of users in Social Networks to create new services•  Provide cross-platform tools that enable to manage the dynamically generated content by building services that combine data and functionality from two or more different SNS
  3. 3. Privacy and data protection issues in FutureInternet:•  Basic concepts –  Personal data –  Processing of personal data –  Legal grounds of processing –  Controller vs. processors•  Legal requirements for data processing•  Location based services•  Children and personal data•  Future and Recommendations
  4. 4. Concept of ‘personal data’ (95/46) “any information relating to an identified or identifiable natural person (data subject)” -  Direct or indirect identification -  No exhaustive list -  Sensitive data: special regime applies (!)
  5. 5. Processing of personal data (art. 2.b)any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as:-  Collection of profile information, tweets, …-  Subsequent profiling to determine relevancy of search results-  Storage of log information regarding account usage-  …
  6. 6. Personal data on-line •  Made public on the Internet •  Does NOT mean consent for processing •  Technically available •  But legally NOT •  All rules apply for content already published online (need for a legal ground, purpose, etc…)
  7. 7. Legal grounds for processing: • Main grounds:- Consent-  Legitimate interestsIn certain instances:- Performance of a contract to which the data subject is party - Compliance with a legal obligation of the controller
  8. 8. Data controller or data processor?•  Controller –  determines the purposes and means of the processing of personal data –  Main responsible entity•  Processor –  Entity which processes personal data on behalf of the controller –  Not responsible for the processing => Distinction often blurry in practice, despite considerable practical implications & hurdles !
  9. 9. Varying degrees of ‘control’ T. Olsen, T. Mahler, Identity management land data protection law: Risk, responsibility and compliance in ‘Circles of Trust’ – Part II, Computer aw & Security report 23 ( 2 0 0 7 )
  10. 10. Data protection principles •  Fairness principle •  Finality principle •  Data minimisation principle •  Data quality principle •  Conservation principle •  Confidentiality and security •  Notification to the Supervisory Authority
  11. 11. Fairness principle Processing must be fair and lawful!!! •  data subject has to be provided with certain information (transparency) •  stay in line with all types of their legal obligations
  12. 12. Finality principle•  Data controllers collect data only as far as it is necessary to achieve the specified, explicit and legitimate purpose•  No further processing incompatible with the original purposes•  Further processing of data for historical, statistical or scientific purposes
  13. 13. Historical, statistical or scientific purposes •  Not a primary legal ground •  Expands on finality principle •  Refers only to further processing of data •  For processing of which there is a separate legal ground •  Cannot constitute a primary basis for processing
  14. 14. Data minimisation principle•  data should be adequate, relevant and not excessive•  store only a minimum of data necessary to run their services
  15. 15. Data quality principle •  personal data should be accurate and kept up to date •  every reasonable step to ensure that data which are inaccurate or incomplete are either erased or rectified •  appropriate mechanism to allow data subjects updating their personal data or notifying the data controller about the incorrect information
  16. 16. Location Based Services – ePrivacy Directive•  Location data - any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service•  Value added service - any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof
  17. 17. Processing of location dataOnly if•  they are made anonymous, or•  with the consent of the users or subscribersInformation to the users•  the type of location data which will be processed•  the purposes and duration of the processing•  whether the data will be transmitted to a third party for the purpose of providing the value added service
  18. 18. Children’s personal data•  Same rights as adults, but!•  No full legal capability•  Need a representative to exercise these rights•  Legal guardian (usually a parent)•  Should consult children, depending on their understanding/ maturity•  Processing should not be performed against child’s will•  Dynamic relation
  19. 19. Future of privacy and data protection•  The draft general data protection regulation•  January 25, 2012•  One regulation for all EU Member States•  Binding and applicable without national implementation•  Current status: discussion phase•  Aims for full harmonization•  Aims to adjust legal regime to technological development
  20. 20. Draft General Data Protection Regulation•  Explicit consent when required for certain types of data processing•  Reinforcement of the right to information - full understanding how personal data is handled (particularly children)•  Easy access to ones own data - what kind of information a company stores about them;•  Data portability•  ‘Right to be forgotten’•  More provisions directed to processors
  21. 21. Recommendations: •  Who is the Data Controller •  Where will the data be processed, by whom •  Check national data protection legislation •  Contact local DPA •  Prepare Privacy Policy •  Caution – sensitive data! •  Caution – children’s personal data!
  22. 22. Thank you for your attention. Questions?