EU Data Protection Regulation 26 June 2012
1. Data Mining and European Law
Dr Chris Marsden
School of Law, University of Essex
Sidley Austin
26 June 2012
2. Internet and the University of Essex
Universities invented Internet in 1968
UK (UCL) early partner of US institutions
Though Norway was first international link
Essex 9th in UK for Research (2001-8 RAE)
Top 20 global ‘universities under 50’
With UEA, Sussex etc.
A Robbins university founded 1964
Wivenhoe just outside Colchester
Significant interaction with BT Labs (nearby)
Notably on computing, telecoms and users
5. Essex as a European University
Stansted Airport 33 miles
London by train 47 minutes
6. Fast, really fast…
Korea – HDTV testbed
• Tb/s transfers
• 1,000,000,000,000 bits per second…
EU-FiBRe
• Testbed with Brazil
• Useful for 2014 World Cup (BBC Olympic trials)
Internet2
• Essex first UK university partner
Internet Science – social science meets Internet design
• Standards and regulation
• Privacy and trust
• Virtual communities
7. 2008 World Record
Optical transfer 16.4Tbps (terabits per second)
• recorded over a distance of 2,550km.
• 2.05TB - about 100 HD movies – a second
2011: 186Gbps over an entire day
• could lead to 100Gbps Ethernet connections
Commercial fastest available 1.5Gbps
9. Wikileaks and the Cloud
Cuckoo in the cloud?
• Amazon web services hosted Wikileaks
• Wikileaks under Denial of Service (DOS) attacks
• Amazon terminated Wikileaks hosting agreement
• Claimed collateral damage outside Terms of Use
• Though breach of contract claim may have produced some evidence of government inducement to breach?
• Arbitration may have been fun – US jurisdiction likely!
But DOS is insurable risk usually
• Question: DOS attacks government-supported or sponsored?
• Cyberwarfare/terrorism insurance?
12. 1995 Directive levelling playing field
• Germany/Sweden high data protection
• UK not so much
• Other countries: what problem?
• Result 1995 Directive
• USA ‘compliant’ using ‘safe harbors’
• Cybertrade wars?
• Joel Reidenberg, Eli Noam
• “That’s the way the cookie crumbles”
• Peter Harter, Netscape Communications
14. Enforcing EU Law
• PHORM etc.
• Cookie rules 2009 Directive
• 2012 UK implements changes to 1995 Directive as amended, and amended…
15. The issue: lack of UK enforcement
• UK law did not correctly implement confidentiality of electronic communications
• Powers to fine by the UK Information Commissioner’s Office inadequate under Article 28 DPD
• Supplemented by the 2004 Communication on unsolicited commercial communications (‘spam’)
• The critical test in both E-Privacy Directive and DPD is that
• subscribers have to opt for arrangements that may otherwise infringe their personal privacy, and that
• sensitive data must not be passed to third parties unless authorized and anonymized
• Directive 2002/21/EC and COM(2004)0028.
16. EC 2010: refer the case to CJEU
Press Release IP/10/1215: UK amended
• Regulation of Investigatory Powers Act 2000 (RIPA),
• removing references to implied consent
• established sanction against unlawful interception
• Section 1A and Schedule A1 of RIPA,
• maximum monetary penalty £50,000 under the amended legislation administered by the Interception of Communications Commissioner (ICC)
17. EC closed infringement case 26 January 2012
• Recognition UK amended national legislation
• To properly implement EU law
• Press Release IP/12/60 ‘Digital Agenda: Commission closes infringement case after UK correctly implements EU rules on privacy in electronic communications’.
• Regulation of Investigatory Powers (Monetary Penalty Notices and Consents for Interceptions) Regulations 2011, SI 2011/1340.
• Interception of Communications Commissioner, Investigation of Unintentional Electronic Interception: Monetary Penalty Notice, Exercise Of Powers Under Section 1A And Schedule A1 Of The Regulation Of Investigatory Powers Act 2000, (2011) at <http://www.intelligencecommissioners.com/docs/Interception_Commissioner_Guidance_RIPA.pdf>
18. Cookies no longer crumbling…
• Active consent required – new rules 2011
• Information Commissioner (May 2012)
• New EU cookie law: guidance: http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx
• Implements Art.2(7) Recital 66 Dir. 2009/136/EU
• http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:EN:PDF
• Amending Article 13, Dir. 2002/58/EC which amended Dir. 97/66/EC
19. Do Not Track?
• Browsers required to offer data deletion
• Self-regulation via standards
• See DG CONNECT letter to W3C
»http://lists.w3.org/Archives/Public/public-tracking/2012Jun/att-0604/Letter_to_W3C_Tracking_Protection_Working_Group.210612.pdf
20. Delete…
• Expiration date for personal data
• Viktor Mayer-Schönberger (2009)
• Idea dates to early 1990s
• Google, Facebook and others forced to delete
21. Reform in progress since 2009-10
Article 29 working party advice:
1. "Future of Privacy" (2009, WP 168);
2. concepts of “controller” + “processor” (WP 169);
3. online behavioural advertising (WP 171);
4. principle of accountability (WP 173);
5. on applicable law (WP 179);
6. and on consent (WP 187)
23. Brussels 2012
• Enforcement issue but new rules in pipeline
• Especially the new draft Regulation
• COM(2012) 11/4 Draft Proposal for a Regulation (General Data Protection Regulation)
• Expected to become law in 2013/14
• Monthly member state contact committee
• Analyzing draft clause by clause
• Very poor way to design a new law…
24. Article 17 (1) Draft Regulation
“Right to be forgotten and to erasure”
Power to obtain “from the controller erasure of personal data relating to them and abstention from further dissemination of such data”.
Fails to distinguish 2 kinds of personal information:
1. information about the data subject which data subject herself has put on the providers’ platform
2. information about the data subject that other users have put on the providers’ platform.
• First is uncontroversial: the idea of a neutral processing of user-generated data (processing meant to satisfy users’ aims) entails that users should in principle be given the possibility of withdrawing any data they have uploaded.
• Second is controversial: it can affect commercial decisions, as it affects all third-party data relevant to personal circumstances.
25. Article 17(2) duty to inform 3rd parties
• “take all reasonable steps,
• including technical measures,
• to inform 3rd parties processing such data,
• that data subject requests …erase any links to,
• or copy or replication of that personal data.”
• “Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.”
26. Article 79 (5): enforcement
• “a fine up to 500 000 EUR,
• or in case of an enterprise
• up to 1% of its annual worldwide turnover”.
• Article 77 (1): violator to compensate the damage suffered by the data subject
• Chilling effect on SMEs, but also worrisome to big data enterprises – inc. insurance companies
• But is there a liability product potential?
27. More policy references
New Challenges to Data Protection - Final Report [2010]
»For DG Justice, forerunner to draft Regulation
»Douwe Korff [London Met], Ian Brown [Oxford Internet Institute]
Data Protection: The New Technical and Political Environment [2010] - Ian Brown
»Computers & Law, Vol. 20, No. 6, February 2010
Using NHS Patient Data for Research Without Consent [2010]
»Law, Innovation and Technology, Vol. 2, No. 2, pp. 219-258
»Ian Brown, Lindsey Brown [University of Bristol] and Douwe Korff
Communications Data Bill 2013 [Command 8359]
»http://www.official-documents.gov.uk/document/cm83/8359/8359.asp
»Subject to joint scrutiny committee and Intelligence Services Committee
Terrorism and the Proportionality of Internet Surveillance [2009]
»Brown/Korff, European Journal of Criminology, Vol. 6[2] 119-134
Government Access to Private-Sector Data in the UK [2007] - Ian Brown
»http://papers.ssrn.com/sol3/cf_dev/AbsByAuth.cfm?per_id=892424#show1026974
Communications Data Retention in an Evolving Internet [2010] - Ian Brown
»International J. Law and Information Technology, Vol. 19[2] 95-109
29. Privacy by Design: Tim
P3P
Weitzner – US White House
Privacy impact assessment – public sector
Chief Privacy Officer – audit more than Data Protection Officer
31. Future Internet testbeds between Brazil and Europe - FIBRE
Objective 1 – Build Future Internet experimental testbeds in Brazil
[Diagram: FIBRE common resources (RNP Ipê, GIGA, Kyatera networks; OpenFlow-enabled switches, compute servers, NetFPGA servers, Orbit nodes) connected to FIBRE partners; site-specific resources (wireless testbeds incl. WiMAX and Wi-Fi APs, optical testbeds, other internal testbeds e.g. Emulab); local testbed nucleus and possible extras; locations and interconnection topology]
Objective 2 – Federation of FIBRE-BR and FIBRE-EU facilities
Objective 3 – Technology pilot experiments and showcases
• Seamless mobility testbed
• High-definition content delivery