One of the most challenging issues facing our current information society is the accelerating accumulation of data trails in transactional and communication systems, which may be used not only to profile the behaviour of individuals for commercial, marketing and law enforcement purposes, but also to locate and follow things and actions. Data mining, convergence, interoperability, ever-increasing computer capacities and the extreme miniaturisation of the hardware are all elements which contribute to a major contemporary challenge: the profiled world. This interdisciplinary volume offers twenty contributions that delve deeper into some of the complex but urgent questions that this profiled world addresses to data protection and privacy. The chapters of this volume were all presented at the second Conference on Privacy and Data Protection (CPDP2009) held in Brussels in January 2009 (www.cpdpconferences.org). The yearly CPDP conferences aim to become Europe’s most important meeting where academics, practitioners, policy-makers and activists come together to exchange ideas and discuss emerging issues in information technology, privacy, data protection and law. This volume reflects the richness of the conference, containing chapters by leading lawyers, policy-makers, computer, technology assessment and social scientists. The chapters cover generic themes such as the evolution of a new generation of data protection laws and the constitutionalisation of data protection, and more specific issues like security breaches, unsolicited adjustments, social networks, surveillance and electronic voting. This book not only offers a very close and timely look at the state of data protection and privacy in our profiled world, but it also explores and invents ways to make sure this world remains a world we want to live in.
Author(s): Serge Gutwirth, Yves Poullet, Paul De Hert
Edition: 1st Edition.
Year: 2010
Language: English
Pages: 294
Cover......Page 1
ISBN-10: 9048188644......Page 2
Foreword......Page 5
Contents......Page 7
Contributors......Page 15
Part I
Generic Issues......Page 24
About the E-Privacy Directive: Towards a Third Generation of Data Protection Legislation?......Page 25
1.1 Is Personal Data the Adequate Concept?......Page 31
1.1.1 New Kinds of Sensitive Data in Our Modern Networks: Identifiers and Contact Data......Page 33
1.1.2 IP Address, Cookies, Data Generated by RFID, Always “Personal Data”? Why Regulate Them Anyway?......Page 35
1.1.3 New Data to be Protected: The Profiles......Page 38
1.2 New Objects and New Actors to be Regulated?......Page 40
1.2.1 EU Commission’s Support to PETs......Page 42
1.2.2 Towards a Liability of Terminal Equipments Producers and Information System Designers: The RFID Case......Page 43
1.2.3 Terminal Equipment as a Virtual Home?......Page 45
1.2.4 Conclusions of Sect. 1.2......Page 49
1.3 Final Conclusions......Page 50
2.2 What Is It with Profiling?......Page 53
2.3 From Measurement to Detection......Page 54
2.4 A Risky Dependence......Page 55
2.5 Privacy, Fairness (Non-discrimination) and Due Process......Page 56
2.7 Who Owns My Data; Who Authors the Profiles I Match with?......Page 57
2.9 Privacy and Data Protection......Page 58
2.10 From Data Minimisation to Minimal Knowledge Asymmetries?......Page 60
2.12 Call for Attention......Page 61
References......Page 62
3.1 The Background......Page 64
3.2 Legality, Necessity, Secrecy......Page 67
3.3 Legality: The Liberty Case......Page 68
3.4 Necessity and Proportionality: The S. and Marper Case......Page 70
3.5 Where Does It Leave Us?......Page 72
4.1 Preface......Page 74
4.2.1 A Brief Introduction to the Flow of Personal Information......Page 76
4.2.3 The Limits and Troubles of Regulating Data Analysis......Page 78
4.2.4 Regulating Profiling by Addressing Uses: Possibilities, Factors and Limits......Page 79
4.3 A Tale of Four Data Miners......Page 82
4.4 Some Conclusions and Summing Up......Page 93
References......Page 94
Part II
Specific Issues: Security Breaches, Unsolicited Adjustments, Facebook, Surveillance and Electronic Voting......Page 96
The Emerging European Union Security Breach Legal Framework: The 2002/58 ePrivacy Directive and Beyond......Page 97
5.1.1 The EU Security Breach Legal Framework: The Background......Page 98
5.1.2 The Review of the ePrivacy Directive......Page 99
5.1.3 An Overview of the Security Breach Framework Under the Revised ePrivacy Directive......Page 100
5.2.1 Preventing and Minimising Adverse Effects for Individuals......Page 101
5.2.2 The Security Principle......Page 102
5.2.4 The Information Principle......Page 104
5.2.5 The Accountability Principle......Page 105
5.4.1 Entities Obliged to Notify: Covered Entities......Page 106
5.4.2 The Application to Information Society Services and Beyond......Page 107
5.4.3 Definition of ‘Personal Data Breach’......Page 109
5.5.1 Description of the Threshold......Page 110
5.5.2 “Likely to Adversely Affect the Personal Data and Privacy”......Page 112
5.5.3 Exceptions Relating to Technological Protection Measures and Law Enforcement......Page 113
5.6.1 Means of Providing Notice......Page 115
5.6.2 Timing of the Notification......Page 116
5.6.3 Content of the Notification......Page 117
5.7.1 Audit and Other Tools Available to the Authorities......Page 118
5.7.2 Selective to be Effective......Page 119
5.8.1 Technical Implementing Measures Through Comitology......Page 120
5.8.2 Areas/Subjects Covered by Comitology......Page 121
5.8.3 Towards the Application of a Security Breach Notification Scheme Across Sectors......Page 122
5.9 Conclusions......Page 124
6.1 Protecting the Individual in front of Technology......Page 125
6.2 The Regulation of Unsolicited Communications......Page 127
6.3 The Shift Towards Unsolicited Adjustments......Page 130
6.3.1 Upcoming Practices......Page 131
6.3.2 Present Problematic Practices......Page 132
6.3.3 The (Other) Limits of Current Legislation......Page 134
6.4 Concluding Remarks......Page 135
References......Page 136
7.1 Introduction......Page 138
7.2 The Risks of De-contextualization Deriving from Interactions on Facebook......Page 140
7.2.1 The Simplification of Social Relations on OSNS......Page 141
7.2.2 The Large Information Dissemination Implied by Interactions on Facebook......Page 142
7.2.3 The Globalization and Normalization Effects of Facebook......Page 145
7.3 Consequences of the Threat of De-contextualization on the Rights to Privacy and to Data Protection......Page 146
7.3.1 Consequences of the Threat of De-contextualization on Privacy as a Right of the Human Being......Page 147
7.3.2 Consequences of the Threat of De-contextualization on Data Protection as a Right of Data Subjects......Page 151
7.4 Conclusion......Page 154
8.1 Introduction......Page 157
8.2.1 Background of the Case......Page 158
8.2.2 Other Fundamental Rights......Page 159
8.2.3 Content of the “New” Fundamental Right......Page 160
8.2.5 Further Developments......Page 161
8.3.1 Actors and Their Knowledge......Page 162
8.3.2 Strategies Working Against Privacy and Appropriate Counterstrategies Working Towards Privacy......Page 165
8.4 The Rise of the Anti-Surveillance Movement 2.0......Page 166
8.4.1 Data Retention and the Participatory Resistance Against Surveillance......Page 167
8.4.2 From the Internet to the Streets and into Pop Culture......Page 169
8.4.3 Putting Privacy on the Political Agenda......Page 170
8.4.4 Lessons Learned......Page 172
References......Page 173
9.1 Introduction......Page 175
9.2.1 Good and Bad Trust......Page 176
9.2.2 Confidence and Trust......Page 177
9.2.3 Trust in E-voting......Page 179
9.3.1 Voter-Verifiable Elections......Page 181
9.3.2 Verifiability and Receipt-Freeness......Page 183
9.3.3 Variants of Verifiability......Page 184
9.4 Verifiability and Trust......Page 186
9.4.2 What Proof Do We Prefer?......Page 187
9.4.3 Beyond Electronic Voting......Page 189
9.5 Conclusions......Page 191
References......Page 192
10.1 Introduction......Page 194
10.2.1 Mechanical Voting Machines......Page 195
10.2.2 Direct Recording Electronic (DRE) Voting Computers......Page 196
10.2.3 Paper-Based Electronic Voting Systems......Page 197
10.2.4 Internet Voting Systems......Page 200
10.3.2 Protection Profile for the Digital Voting Pen......Page 201
10.3.5 GI/BSI/DFKI Protection Profile......Page 202
10.5 The Federal Constitutional Court Judgment......Page 203
10.6 Future of Electronic Voting in Germany......Page 204
References......Page 205
Part III
Third Pillar Issues......Page 207
11.1 Introduction......Page 208
11.2.1 Preservation of the Specificity of the Eurojust Data Protection Regime......Page 210
11.2.3 Extension of the Categories of Personal Data Which Eurojust May Legally Process......Page 211
11.2.4 Improvement of the Information Provision from Member States......Page 213
11.2.5 CMS-Related Issues and Secure Communication with Member States......Page 215
11.2.6 Time Limits......Page 218
11.2.7 Relations with Third Parties......Page 220
11.3 Amendments with Relevance to the Joint Supervisory Body of Eurojust (JSB)......Page 223
11.4 Concluding Remarks......Page 225
12.1 Introduction......Page 226
12.2 Towards a “Prüm Model”?......Page 227
12.3 Context: Transitional Periods?......Page 228
12.4 Contents and Core Provisions. Which Core? Which Provisions?......Page 230
12.5 Memberships and Actors......Page 231
12.6 Divergences Among Provisions of Prüm Instruments......Page 233
12.7 Resistance to the “Prüm Model”?......Page 235
12.8 Final Considerations......Page 237
References......Page 238
13.1 Introduction......Page 242
13.2 Background......Page 243
13.3 Substantive Law......Page 247
13.4 German Hegemony & Democratic Deficit......Page 248
13.5 Innocent ‘Lambs for Slaughter’......Page 251
13.6 Data Protection......Page 253
13.7 Conclusion......Page 255
References......Page 256
Part IV
Technology Assessment Views......Page 259
14.1 Introduction......Page 260
14.2 About EPTA......Page 261
14.3 ICT and Privacy in Europe: The First Common EPTA Project......Page 262
14.3.1 Methodology of the Project......Page 263
14.3.2 Outcome......Page 264
14.3.3 Some Findings......Page 265
14.3.4 The Challenges: and How to Deal with Them......Page 266
References......Page 267
15.1 Introduction......Page 270
15.2 Background and Objectives of PRISE......Page 271
15.3 Project Methods......Page 272
15.5 Criteria for Privacy Enhancing Security Technologies......Page 273
15.6 Next Steps and Continuative Recommendations......Page 274
References......Page 275
Part V
Legal Practitioner’s Views......Page 276
16.1.1 Legal Practice......Page 277
16.2 The Challenges of Practicing Data Protection Law......Page 279
16.3 Outlook for Data Protection Law Practice......Page 280
16.4 Conclusions......Page 281
17.1 Introduction......Page 283
17.2 International Data Flows: The Issue of Transfer......Page 284
17.2.1 Unambiguous Consent: A Subsidiary Solution?......Page 285
17.2.2 Standard Contractual Clauses: A Solution to be Further Harmonised......Page 286
17.2.3 Binding Corporate Rules: The Way Forward......Page 287
17.3 Big Brother Is Watching You: the Issue of Monitoring......Page 289
17.3.1 Monitoring by Private Companies......Page 290
17.3.2 Monitoring by Public Authorities......Page 295
17.4 Conclusion......Page 297
Part VI
Technologist’s Views......Page 299
18.1 Architectural Issues......Page 300
18.2 What Went Wrong: Smart Cards in Public Transport......Page 302
18.3 What Can Still Go Right: Road Pricing......Page 306
18.4 Privacy and Trust for Business......Page 308
References......Page 309
19.1 Introduction......Page 311
19.2.1 Personal Data as the Focus of PETs......Page 313
19.2.2 Anonymity as a Privacy Enhancing Mechanism......Page 315
19.2.3 Anonymity and Confidentiality in the Internet: Assumptions of PETs......Page 316
19.3.1 The Daily Perspective on Surveillance......Page 318
19.3.3 The Political Perspective on Surveillance......Page 319
19.3.4 The Performative Perspective on Surveillance......Page 320
19.4 The Information Perspective on Surveillance......Page 321
19.5 Revisiting the Assumptions......Page 323
19.6 Conclusion......Page 326
References......Page 329
20.2 What Do We Mean by Privacy by Design?......Page 332
20.3 A Matter of Choice......Page 335
20.4 From a Vicious Cycle to a Virtuous Cycle......Page 337
20.4.1 Lawyers and Legislators......Page 338
20.4.2 Computer Scientists......Page 340
References......Page 341