BŁAŻEJ MODER PRESIDENT LODZ REGIONAL DEVELOPMENT AGENCY LODZ, OCTOBER 8, 2008
Joanna Kulesza, University of Lodz: Transboundary Challenges of Privacy Protection
Transboundary challenges to privacy protection
Joanna Kulesza, University of Lodz
Faculty of Law and Administration, Department of International Law and International Relations
Oxford Internet Institute, August 15th, 2012
scope
• legal tools for privacy protection
• privacy as an unenforceable human right
• European approach to privacy protection
• peer-to-peer privacy (Web 2.0)
• safe harbor agreements
• walled gardens of privacy
• extra-legal solution to the privacy challenge
Universal Declaration of Human Rights (UDHR) 1948
Article 12. No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation.
Article 29. (2) In the exercise of his rights and freedoms, everyone shall be subject only to such limitations as are
• determined by law
• solely for the purpose of securing due recognition and respect for the rights and freedoms of others and
• of meeting the just requirements of morality, public order and the general welfare in a democratic society.
author: unknown, source: Wikipedia
International Covenant on Civil and Political Rights (ICCPR)
author: IdiotSavant, source: Wikipedia
• drafted: 1954
• adopted: 1966
• entry into force: 1976
International Covenant on Civil and Political Rights
Article 17
1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
UN Human Rights Committee (HRC) CCPR General Comment No. 16: Article 17 (Right to Privacy)
The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation
8 April 1988
CCPR General Comment No. 16
• States are required to adopt measures to ensure that the prohibition against privacy interferences and attacks is effective
• A positive obligation of states to actively protect individual privacy against interference: „Effective measures have to be taken by States to ensure that information concerning a person's private life does not reach the hands of persons who are not authorized by law to receive, process and use it”
• Surveillance, whether electronic or otherwise, interceptions of telephonic, telegraphic and other forms of communication, wire-tapping and recording of conversations should be prohibited.
CCPR General Comment No. 16
• Lawfulness: no interference can take place „except in cases envisaged by the law”
• relevant legislation must specify in detail the precise circumstances in which such interferences may be permitted, while: „A decision to make use of such authorized interference must be made […] on a case-by-case basis”
• Arbitrariness: „even interference provided for by law should be in accordance with the provisions, aims and objectives of the Covenant and reasonable in the particular circumstances”
Why doesn’t the ICCPR regime work?
World Court of Human Rights?
The establishment of a World Court of Human Rights could help to bridge the gap between codified rights and reality. The idea of such a Court dates back to 1947. Due to the Cold War, however, the proposal did not find consensus among States. Thus the World Court of Human Rights was never realised and remained stigmatised as utopian.
Author: Sylvain Savolainen, source: www.udhr60.ch
Privacy protection in Europe
Privacy protection in Europe (ECHR)
Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention on Human Rights, ECHR), 1953 (drafted 1950)
ECHR jurisprudence recognizes the right to privacy in its Article 8 as a derivative of the right to have one’s private and family life respected.
Article 8
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
→ rich jurisprudence
Privacy protection in Europe (EU)
Charter of Fundamental Rights of the European Union 2009 (2000)
Article 7 Respect for private and family life
Everyone has the right to respect for his or her private and family life, home and communications.
Article 8 Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
effectiveness questioned, esp. with the British, Czech and Polish opt-out protocol
privacy and personal data
Privacy protection in Europe (EU)
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Article 3 Scope
2. This Directive shall not apply to the processing of personal data:
- by a natural person in the course of a purely personal or household activity.
author/source: promotional-items.in
„a purely personal activity” on-line
✓ social networks?
✓ private pages? weblogs?
criteria?
• data availability?
• network character?
J. Kulesza, Transboundary challenges to privacy protection
peer-to-peer privacy
Web 2.0 challenge
geolocalisation data
social semantic web
peer-to-peer privacy
• new categories of data (geolocalisation)
• new tools enabling detailed personal profiling for private purposes
• no anonymity
• durability of data (right to be forgotten?)
Privacy 2.0
„Mash together these technologies (…) and it becomes trivial to receive answers to questions like: Where was Jonathan Zittrain last year on the fourteenth of February?, or, Who could be found near the entrance to the local Planned Parenthood clinic in the past six months? The answers need not come from government or corporate cameras, which are at least partially secured against abuse through well-considered privacy policies from Privacy 1.0. Instead, the answers come from a more powerful, generative source: an army of the world’s photographers, including tourists sharing their photos online without firm (or legitimate) expectations of how they might next be used and reused.”
J. Zittrain, „The Future of Internet and How to Stop It”, p. 46
Privacy as a personal right
national civil law challenge
Privacy as a personal right
• public sphere (Sozial-/Öffentlichkeitssphäre)
• privacy sphere (Privatsphäre)
• intimate sphere (Intimsphäre)
Privacy as a personal right
• public sphere (Sozial-/Öffentlichkeitssphäre)
• social sphere (Sozialsphäre)
• privacy sphere (Privatsphäre)
• intimate sphere (Intimsphäre)
• secret sphere (Sekretsphäre)
The transatlantic challenge
U.S. vs EU concept of data protection
Article 25 Directive 95/46/EC
1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if […] the third country in question ensures an adequate level of protection.
2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; […]
3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.
4. Where the Commission finds […] that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.
U.S. vs EU concept of data protection
In order to enable personal data transfer from Europe to the U.S., the Department of Commerce (DoC) coordinated the formulation of Safe Harbor Privacy Principles.
safe harbour agreements
• United States entrepreneurs wishing to use personal data protected by the EU law must accept the Principles (coordinated by the U.S. DoC).
• They need to repeatedly certify that they meet the aims declared in the Principles by joining one of the self-regulating programs, for example TRUSTe or BBBOnline, that verify compliance with the Safe Harbor Privacy Principles.
• The declaration of each company to adhere to the program includes an obligation to meet the seven basic aims of the Directive (notice, choice, onward transfer, security, data integrity, access and enforcement).
safe harbour agreements
• Safe Harbor Privacy Principles are not an act of law. Their only legal effect is to encourage voluntary corporate compliance with the principles verified by authorized organizations.
• Violations of the Principles are deemed acts of unfair or deceptive trade practice by the Federal Trade Commission (FTC).
• U.S.-based companies operating in Europe may be subject to European states’ jurisdiction if they fail to meet their data protection obligations based on national personal data regulations.
safe harbour agreements
• The execution and enforcement of Safe Harbor Privacy Principles has been subject to criticism, primarily because of the lack of transparency on the introduction and verification of privacy policies.
• The 2004 EU review of the implementation of the Principles included repeated concern “about the number of self-certified organizations that have not published a privacy policy or that have published a policy that is not compliant with the Principles.”
• The crucial, practical problem originated from the voluntary character of the guidelines. Since some companies did not introduce any privacy policy, the FTC had no jurisdiction to enforce their compliance with the Principles. The Commission also depicted the lack of a proactive attitude in monitoring organizations’ compliance with the Principles.
• An independent 2008 review showed a growing number of false claims by U.S. organizations on their Safe Harbor compliance and recognized it as a new and significant threat to consumers’ privacy.
international privacy protection
http://www.privacyinternational.org/survey/dpmap.jpg
the source of the problem
shape of law
http://www.jimmymack.org
author: Dmitri Krioukov, source: SDSC/CAIDA
shape of cyberspace
National privacy standards in cyberspace?
http://www.jimmymack.org
author: Dmitri Krioukov, source: SDSC/CAIDA
extralegal solutions?
services and self-regulation
services
walled gardens of privacy
simondseconoart/ sundaypearls.wordpress.com
summary
• little chance for a binding and executable international treaty on privacy protection
• a good chance of common business practices setting a global standard
• alternative: nationally „secured” spaces of privacy protection according to national laws (e.g. China)