Aleksandra Kuczerawy - Privacy Issues in Future Internet - SESERV SE Workshop June 2012

7/31/2019 Aleksandra Kuczerawy - Privacy Issues in Future Internet - SESERV SE Workshop June 2012

1/22

Privacy issues in Future

Internet

Aleksandra KuczerawyICRI KU Leuven


2/22

SocIoS

Exploiting the User Created Content and the SocialGraph of users in Social Networks to create newservices

Provide cross-platform tools that enable to managethe dynamically generated content by buildingservices that combine data and functionality from

two or more different SNS


3/22

Privacy and data protection issues in FutureInternet:

Basic concepts Personal data Processing of personal data Legal grounds of processing Controller vs. processors

Legal requirements for data processing Location based services Children and personal data Future and Recommendations


4/22

Concept of personal data (95/46)

any information relating to an identified oridentifiable natural person ('data subject')

- Direct or indirect identification- No exhaustive list- Sensitive data: special regime applies (!)


5/22

Processing of personal data (art. 2.b)

any operation or set of operations which isperformed upon personal data, whether or not by

automatic means, such as:

- Collection of profile information, tweets, - Subsequent profiling to determine relevancy of

search results

- Storage of log information regarding accountusage

-


6/22

Personal data on-line

Made public on the Internet Does NOT mean consent for processing Technically available But legally NOT All rules apply for content already published

online (need for a legal ground, purpose, etc)


7/22

Legal grounds for processing:

Main grounds:- Consent

- Legitimate interestsIn certain instances:

- Performance of a contract to which the data subject

is party

- Compliance with a legal obligation of the controller


8/22

Data controller or data processor?

Controller determines the purposes and means of the processing ofpersonal data

Main responsible entity Processor

Entity which processes personal data on behalf of the controller Not responsible for the processing=> Distinction often blurry in practice, despite considerable

practical implications & hurdles !


9/22

Varying degrees of control

T. Olsen, T. Mahler, Identity management land data protection law: Risk, responsibility andcompliance in Circles of Trust Part II, Computer aw & Security report 23 ( 2 0 0 7 )


10/22

Data protection principles

Fairness principle Finality principle Data minimisation principle Data quality principle Conservation principle Confidentiality and security Notification to the Supervisory Authority


11/22

Fairness principle

Processing must be fair and lawful!!!

data subject has to be provided with certaininformation (transparency)

stay in line with all types of their legalobligations


12/22

Finality principle

Data controllers collect data only as far as it isnecessary to achieve the specified, explicit andlegitimate purpose

No further processing incompatible with theoriginal purposes

Further processing of data for historical, statisticalor scientific purposes


13/22

Historical, statistical or scientific purposes

Not a primary legal ground Expands on finality principle Refers only to further processing of data For processing of which there is a separate

legal ground

Cannot constitute a primary basis for processing


14/22

Data minimisation principle

data should be adequate, relevant and notexcessive

store only a minimum of data necessary to runtheir services


15/22

Data quality principle

personal data should be accurate and kept up todate every reasonable step to ensure that data which

are inaccurate or incomplete are either erased

or rectified

appropriate mechanism to allow data subjectsupdating their personal data or notifying thedata controller about the incorrect information


16/22

Location Based Services ePrivacy Directive

Location data - any data processed in an electroniccommunications network or by an electronic

communications service, indicating the geographic

position of the terminal equipment of a user of a

publicly available electronic communications service

Value added service - any service which requires theprocessing of traffic data or location data other than

traffic data beyond what is necessary for thetransmission of a communication or the billing thereof


17/22

Processing of location data

Only if they are made anonymous, or with the consent of the users or subscribersInformation to the users

the type of location data which will be processed the purposes and duration of the processing whether the data will be transmitted to a third party for the

purpose of providing the value added service


18/22

Childrens personal data

Same rights as adults, but! No full legal capability Need a representative to exercise these rights

Legal guardian (usually a parent) Should consult children, depending on their

understanding/ maturity

Processing should not be performed against childswill

Dynamic relation


19/22

Future of privacy and data protection

The draft general data protection regulation January 25, 2012 One regulation for all EU Member States

Binding and applicable without nationalimplementation

Current status: discussion phase Aims for full harmonization Aims to adjust legal regime to technological

development


20/22

Draft General Data Protection Regulation

Explicit consent when required for certain types ofdata processing Reinforcement of the right to information - full

understanding how personal data is handled

(particularly children)

Easy access to one's own data - what kind ofinformation a company stores about them;

Data portability Right to be forgotten More provisions directed to processors


21/22

Recommendations:

Who is the Data Controller Where will the data be processed, by whom Check national data protection legislation Contact local DPA Prepare Privacy Policy Caution sensitive data! Caution childrens personal data!


22/22

Thank you for your attention.

Questions?

Documents

Aleksandra Kuczerawy - Privacy Issues in Future Internet - SESERV SE Workshop June 2012