
Privacy issues in Future Internet

Aleksandra Kuczerawy ICRI KU Leuven

SocIoS
- Exploiting the User Created Content and the Social Graph of users in Social Networks to create new services
- Provide cross-platform tools that make it possible to manage the dynamically generated content by building services that combine data and functionality from two or more different SNS

Privacy and data protection issues in Future Internet:


- Basic concepts
  - Personal data
  - Processing of personal data
  - Legal grounds of processing
  - Controller vs. processors
- Legal requirements for data processing
- Location based services
- Children and personal data
- Future and Recommendations

Concept of personal data (95/46)


any information relating to an identified or identifiable natural person ('data subject')
- Direct or indirect identification
- No exhaustive list
- Sensitive data: special regime applies (!)

Processing of personal data (art. 2.b)


any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as:
- Collection of profile information, tweets,
- Subsequent profiling to determine relevancy of search results
- Storage of log information regarding account usage

Personal data on-line


- Made public on the Internet
- Does NOT mean consent for processing
- Technically available
- But legally NOT
- All rules apply for content already published online (need for a legal ground, purpose, etc.)

Legal grounds for processing:


Main grounds:
- Consent
- Legitimate interests

In certain instances:
- Performance of a contract to which the data subject is party
- Compliance with a legal obligation of the controller

Data controller or data processor?


Controller
- determines the purposes and means of the processing of personal data
- Main responsible entity

Processor
- Entity which processes personal data on behalf of the controller
- Not responsible for the processing

=> Distinction often blurry in practice, despite considerable practical implications & hurdles!

Varying degrees of control

T. Olsen, T. Mahler, Identity management and data protection law: Risk, responsibility and compliance in Circles of Trust Part II, Computer Law & Security Report 23 (2007)

Data protection principles


- Fairness principle
- Finality principle
- Data minimisation principle
- Data quality principle
- Conservation principle
- Confidentiality and security
- Notification to the Supervisory Authority

Fairness principle
- Processing must be fair and lawful!
- data subject has to be provided with certain information (transparency)
- stay in line with all types of their legal obligations

Finality principle
- Data controllers collect data only as far as it is necessary to achieve the specified, explicit and legitimate purpose
- No further processing incompatible with the original purposes
- Further processing of data for historical, statistical or scientific purposes

Historical, statistical or scientific purposes


- Not a primary legal ground
- Expands on finality principle
- Refers only to further processing of data
- For processing of which there is a separate legal ground
- Cannot constitute a primary basis for processing

Data minimisation principle


- data should be adequate, relevant and not excessive
- store only a minimum of data necessary to run their services

Data quality principle


- personal data should be accurate and kept up to date
- every reasonable step to ensure that data which are inaccurate or incomplete are either erased or rectified
- appropriate mechanism to allow data subjects updating their personal data or notifying the data controller about the incorrect information

Location Based Services ePrivacy Directive


- Location data - any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service
- Value added service - any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof

Processing of location data


- Only if they are made anonymous, or with the consent of the users or subscribers
- Information to the users:
  - the type of location data which will be processed
  - the purposes and duration of the processing
  - whether the data will be transmitted to a third party for the purpose of providing the value added service

Children's personal data


- Same rights as adults, but!
- No full legal capability
- Need a representative to exercise these rights
- Legal guardian (usually a parent)
- Should consult children, depending on their understanding/maturity
- Processing should not be performed against the child's will
- Dynamic relation

Future of privacy and data protection


- The draft general data protection regulation, January 25, 2012
- One regulation for all EU Member States
- Binding and applicable without national implementation
- Current status: discussion phase
- Aims for full harmonization
- Aims to adjust legal regime to technological development

Draft General Data Protection Regulation


- Explicit consent when required for certain types of data processing
- Reinforcement of the right to information - full understanding how personal data is handled (particularly children)
- Easy access to one's own data - what kind of information a company stores about them
- Data portability
- Right to be forgotten
- More provisions directed to processors

Recommendations:
- Who is the Data Controller
- Where will the data be processed, by whom
- Check national data protection legislation
- Contact local DPA
- Prepare Privacy Policy
- Caution: sensitive data!
- Caution: children's personal data!

Thank you for your attention. Questions?