Joanna Kulesza, University of Lodz: Transboundary Challenges of Privacy Protection

Transboundary challenges to privacy protec5on

Joanna Kulesza University of Lodz

Faculty of Law and Administra5on Department of Interna5onal Law and Interna5onal Rela5ons

Oxford Internet Ins5tute, August 15th, 2012

scope •  legal tools for privacy protec5on •  privacy as an unenforcable human right •  European approach to privacy protec5on •  peer-‐to-‐peer privacy (Web 2.0) •  safe harbor agreements •  walled gardens of privacy •  extra-‐legal solu5on to the privacy challenge

Universal Declara2on of Human Rights (UDHR) 1948 Ar2cle 12. No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to aPacks upon his honour and reputa5on. Ar2cle 29. (2) In the exercise of his rights and freedoms, everyone shall be subject only to such limita2ons as are •  determined by law •  solely for the purpose of securing due recogni5on and respect

for the rights and freedoms of others and •  of mee5ng the just requirements of morality, public order

and the general welfare in a democra5c society. author: unknown, source: Wikipedia

Interna5onal Covenant on Civil and Poli5cal Rights (ICCPR)

author: IdiotSavant, source: Wikipedia,

•  draUed: 1954 •  adopted : 1966 •  entry into force: 1976

Interna2onal Covenant on Civil and Poli2cal Rights

Ar2cle 17

1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful aPacks on his honour and reputa5on.

UN Human Rights Commi2ee (HRC) CCPR General Comment No. 16: Ar?cle 17 (Right to Privacy)

The Right to Respect of Privacy, Family, Home and Correspondence, and Protec?on of Honour and Reputa?on

8 April 1988

CCPR General Comment No. 16 •  States are required to adopt measures to ensure that the

prohibi5on against privacy interferences and aPacks is effec5ve

•  A posi5ve obliga5on of states to ac5vly protect individual privacy against interference: „Effec?ve measures have to be taken by States to ensure that informa?on concerning a person's private life does not reach the hands of persons who are not authorized by law to receive, process and use it”

•  Surveillance, whether electronic or otherwise, intercep?ons of telephonic, telegraphic and other forms of communica?on, wire-‐tapping and recording of conversa?ons should be prohibited.

CCPR General Comment No. 16 •  Lawfulness: no interference can take place „except in cases

envisaged by the law” •  relevant legisla5on must specify in detail the precise

circumstances in which such interferences may be permiPed, while: „A decision to make use of such authorized interference must be made […] on a case-‐by-‐case basis”

•  Arbitrariness: „even interference provided for by law should be in accordance with the provisions, aims and objec?ves of the Covenant and reasonable in the par?cular circumstances”

Why doesn’t the ICCPR regime work?

World Court of Human Rights?

World Court of Human Rights?

The establishment of a World Court of Human Rights

could help to bridge the gap between codified rights

and reality. The idea of such a Court dates back to

1947. Due to the Cold War, however, the proposal

did not find consensus among States. Thus the World

Court of Human Rights was never realised and

remained s?gma?sed as utopian.

Author: Sylvain Savolainen, source: www.udhr60.ch

Privacy protec5on in Europe

Privacy protec5on in Europe (ECHR) Conven2on for the Protec2on of Human Rights and Fundamental Freedoms

(European Conven5on on Human Rights, ECHR), 1953 (draUed 1950) ECHR jurisprudence recognizes the right to privacy in its Ar5cle 8 as a deriva5ve of the right to have one’s private and family life respected.

Ar?cle 8 1. Everyone has the right to respect for his private and family life, his home

and his correspondence. 2. There shall be no interference by a public authority with the exercise of this

right except such as is in accordance with the law and is necessary in a democra?c society in the interests of na?onal security, public safety or the economic well-‐being of the country, for the preven?on of disorder or crime, for the protec?on of health or morals, or for the protec?on of the rights and freedoms of others.

à rich jurisprudence

Privacy protec5on in Europe (EU) Charter of Fundamental Rights of the European Union 2009 (2000)

Ar?cle 7 Respect for private and family life Everyone has the right to respect for his or her private and family life, home

and communica5ons. Ar?cle 8 Protec2on of personal data 1. Everyone has the right to the protec5on of personal data concerning him

or her. 2. Such data must be processed fairly for specified purposes and on the basis

of the consent of the person concerned or some other legi5mate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rec5fied.

3. Compliance with these rules shall be subject to control by an independent authority. effec5veness ques5oned, esp. with the Bri5sh, Czech and Polish opt-‐out protocol

privacy and personal data

Privacy protec5on in Europe (EU)

Direc5ve 95/46/EC of the European Parliament and of the Council of 24

October 1995 on the protec5on of individuals with regard to the

processing of personal data and on the free movement of such data

Ar5cle 3 Scope

2. This Direc5ve shall not apply to the processing of personal data:

-‐ by a natural person in the course of a purely personal or household ac2vity.

author/source: promo5onal-‐items.in

„a purely personal ac5vity” on-‐line

ü social networks? ü private pages? weblogs? criteria? •  data availability? •  network character?

J. Kulesza, Transboundary challenges to privacy protection

peer-‐to-‐peer privacy

Web 2.0 challenge


18 J. Kulesza, Transboundary challenges to privacy protection

J. Kulesza, Transboundary challenges to privacy protection 19

20

geolocalisa5on data

social seman5c web


peer-‐to-‐peer privacy

•  new categories of data (geolocalisa5on)

•  new tools enabling detailed personal profiling for private purposes

•  no anonymity

•  durability of data (right to be forgoPen?)


Privacy 2.0 „Mash together these technologies (…) and it becomes trivial to

receive answers to ques?ons like: Where was Jonathan Zi2rain last year on the fourteenth of February?, or, Who could be found near the entrance to the local Planned

Parenthood clinic in the past six months? The answers need not come from government or corporate cameras, which are

at least par?ally secured against abuse through well-‐considered privacy policies from Privacy 1.0. Instead, the

answers come from a more powerful, genera?ve source: an army of the world’s photographers, including tourists sharing their photos online without firm (or legi?mate) expecta?ons

of how they might next be used and reused.” J. Zi2rain, „The Future of Internet and How to Stop It”. p. 46


Privacy as a personal right

na5onal civil law challenge

Privacy as a personal right public

sphere (Sozial-‐/ Öffentlichkeitssphäre) privacy sphere (Privatsphäre)

in5mate sphere (In5msphäre)

Privacy as a personal right public sphere (Sozial-‐/

Öffentlichkeitssphäre)

social sphere (Sozialsphäre)

privacy sphere (Privatsphäre)

in5mate sphere

(In5msphäre)

secret sphere

(Sekretsphäre)

The transatlan5c challenge

U.S. vs EU concept of data protec5on

Ar5cle 25 Direc5ve 95/46/EC 1. The Member States shall provide that the transfer to a third country of personal

data which are undergoing processing or are intended for processing aUer transfer may take place only if […] the third country in ques5on ensures an adequate level of protec2on.

2. The adequacy of the level of protec5on afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer opera5on or set of data transfer opera5ons; […]

3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protec5on within the meaning of paragraph 2.

4. Where the Commission finds […] that a third country does not ensure an adequate level of protec5on within the meaning of paragraph 2 of this Ar5cle, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in ques5on.

U.S. vs EU concept of data protec5on

In order to enable personal data transfer from Europe to the U.S., the Department of Commerce (DoC) coordinated the formula5on of Safe Harbor Privacy

Principles.

safe harbour agreements •  United States entrepreneurs wishing to use personal data

protected by the EU law must accept the Principles (coordinated by the U.S. DoC).

•  They need to repeatedly cer5fy that they meet the aims declared in the principles by joining one of the self-‐regula5ng programs, for example, TRUSTe or BBBOnline, verify compliance with the Safe Harbor Privacy Principles.

•  The declara5on of each company to adhere to the program includes an obliga5on to meet the seven basic aims of the Direc5ve (no5ce, choice, onward transfer, security, data integrity, access and enforcement).

safe harbour agreements •  Safe Harbor Privacy Principles are not an act of law. Their only

legal effect is to encourage voluntary corporate compliance with the principles verified by authorized organiza5ons.

•  Viola5ons of the Principles are deemed acts of unfair or decep5ve trade prac5ce by the Federal Trade Commission (FTC).

•  U.S.-‐based companies, opera5ng in Europe may be subject to European states’ jurisdic5on if they fail to meet their data protec5on obliga5ons based on na5onal personal data regula5ons.

safe harbour agreements •  The execu5on and enforcement of Safe Harbor Privacy Principles has been

subject to cri5cism, primarily because of the lack of transparency on the introduc5on and verifica5on of privacy policies.

•  The 2004 EU review of the implementa5on of the Principles included repeated concern “about the number of self-‐cer5fied organiza5ons that have not published a privacy policy or that have published a policy that is not compliant with the Principles.”

•  The crucial, prac5cal problem originated from the voluntary character of the guidelines. Since some companies did not introduce any privacy policy, the FTC had no jurisdic5on to enforce their compliance with the Principles. The Commission also depicted the lack of a proac5ve aptude in monitoring organiza5ons’ compliance with the Principles.

•  An independent 2008 review showed a growing number of false claims by U.S. organiza5ons on their Safe Harbor compliance and recognized it as a new and significant threat to consumers’ privacy.

interna5onal privacy protec5on

34

http://www.privacyinternational.org/survey/dpmap.jpg

the source of the problem

shape of law

36 http://www.jimmymack.org

author: Dmitri Krioukov, source: SDSC/CAIDA 37

shape of cyberspace

Na5onal privacy standards in cyberspace?

38 http://www.jimmymack.org author: Dmitri Krioukov, source: SDSC/CAIDA

extralegal solu5ons?


services and self-‐regula5on

services


walled gardens of privacy

simondseconoart/ sundaypearls.wordpress.com

summary

•  liPle chance for a binding and executable interna5onal treaty on privacy protec5on

•  a good chance of common business prac5ces sepng a global standard

•  alterna5ve: na5onally „secured” spaces of privacy protec5on according to na5onal laws (e.g. china)

Joanna Kulesza University of Lodz

[email protected]

Joanna Kulesza, University of Lodz: Transboundary Challenges of Privacy Protection

Education

Transcript of Joanna Kulesza, University of Lodz: Transboundary Challenges of Privacy Protection