Aleksandra Kuczerawy - Privacy issues in Future Internet - SESERV SE workshop June 2012
1. Privacy issues in Future
Internet
Aleksandra Kuczerawy
ICRI – KU Leuven
2. SocIoS
• Exploiting the User Created Content and the Social
Graph of users in Social Networks to create new
services
• Provide cross-platform tools for managing
dynamically generated content by building
services that combine data and functionality from
two or more different SNS
3. Privacy and data protection issues in Future
Internet:
• Basic concepts
– Personal data
– Processing of personal data
– Legal grounds of processing
– Controller vs. processors
• Legal requirements for data processing
• Location based services
• Children and personal data
• Future and Recommendations
4. Concept of ‘personal data’ (95/46)
“any information relating to an identified or
identifiable natural person ('data subject')”
- Direct or indirect identification
- No exhaustive list
- Sensitive data: special regime applies (!)
5. Processing of personal data (art. 2.b)
any operation or set of operations which is
performed upon personal data, whether or not by
automatic means, such as:
- Collection of profile information, tweets, …
- Subsequent profiling to determine relevancy of
search results
- Storage of log information regarding account
usage
- …
6. Personal data on-line
• Made public on the Internet
• Does NOT mean consent for processing
• Technically available
• But legally NOT
• All rules apply for content already published
online (need for a legal ground, purpose, etc…)
7. Legal grounds for processing:
• Main grounds:
- Consent
- Legitimate interests
In certain instances:
- Performance of a contract to which the data subject
is party
- Compliance with a legal obligation of the controller
8. Data controller or data processor?
• Controller
– determines the purposes and means of the processing of
personal data
– Main responsible entity
• Processor
– Entity which processes personal data on behalf of the controller
– Not responsible for the processing
=> Distinction often blurry in practice, despite considerable
practical implications & hurdles!
9. Varying degrees of ‘control’
T. Olsen, T. Mahler, Identity management and data protection law: Risk, responsibility and
compliance in ‘Circles of Trust’ – Part II, Computer Law & Security Report 23 (2007)
10. Data protection principles
• Fairness principle
• Finality principle
• Data minimisation principle
• Data quality principle
• Conservation principle
• Confidentiality and security
• Notification to the Supervisory Authority
11. Fairness principle
Processing must be fair and lawful!!!
• data subject has to be provided with certain
information (transparency)
• stay in line with all types of their legal
obligations
12. Finality principle
• Data controllers collect data only as far as it is
necessary to achieve the specified, explicit and
legitimate purpose
• No further processing incompatible with the
original purposes
• Further processing of data for historical, statistical
or scientific purposes
13. Historical, statistical or scientific purposes
• Not a primary legal ground
• Expands on finality principle
• Refers only to further processing of data
• For processing of which there is a separate
legal ground
• Cannot constitute a primary basis for processing
14. Data minimisation principle
• data should be adequate, relevant and not
excessive
• store only a minimum of data necessary to run
their services
15. Data quality principle
• personal data should be accurate and kept up to
date
• every reasonable step to ensure that data which
are inaccurate or incomplete are either erased
or rectified
• appropriate mechanism to allow data subjects
to update their personal data or notify the
data controller about incorrect information
16. Location Based Services – ePrivacy Directive
• Location data - any data processed in an electronic
communications network or by an electronic
communications service, indicating the geographic
position of the terminal equipment of a user of a
publicly available electronic communications service
• Value added service - any service which requires the
processing of traffic data or location data other than
traffic data beyond what is necessary for the
transmission of a communication or the billing thereof
17. Processing of location data
Only if
• they are made anonymous, or
• with the consent of the users or subscribers
Information to the users
• the type of location data which will be processed
• the purposes and duration of the processing
• whether the data will be transmitted to a third party for the
purpose of providing the value added service
18. Children’s personal data
• Same rights as adults, but!
• No full legal capability
• Need a representative to exercise these rights
• Legal guardian (usually a parent)
• Should consult children, depending on their
understanding/ maturity
• Processing should not be performed against child’s
will
• Dynamic relation
19. Future of privacy and data protection
• The draft general data protection regulation
• January 25, 2012
• One regulation for all EU Member States
• Binding and applicable without national
implementation
• Current status: discussion phase
• Aims for full harmonization
• Aims to adjust legal regime to technological
development
20. Draft General Data Protection Regulation
• Explicit consent when required for certain types of
data processing
• Reinforcement of the right to information - full
understanding how personal data is handled
(particularly children)
• Easy access to one's own data - what kind of
information a company stores about them;
• Data portability
• ‘Right to be forgotten’
• More provisions directed to processors
21. Recommendations:
• Who is the Data Controller
• Where will the data be processed, by whom
• Check national data protection legislation
• Contact local DPA
• Prepare Privacy Policy
• Caution – sensitive data!
• Caution – children’s personal data!