These notes conclude the second half of the IALS Centre for Law & Information Policy launch on Tuesday 24th February. The theme was ‘Information flows and dams’. The first part is here. I didn't catch verbatim the last two presentations, and happily the keynote speech 'Does Privacy Matter?' is available online - I had another engagement!
EU Data Protection
David Erdos took the enormous confusion that is European data protection and asked ‘Is a reconceptualization possible?’. He made the case for the new regulation being bureaucratic, burdensome and illogical. Starting out with the relatively simple definitions of key terms, he said that personal data is any information relating to a person, even their job titles. Sensitive personal data includes racial profile, sexual identity, political affiliation etc. Given the general ban on processing sensitive data, taken to extremes, just by stating ‘David Cameron, Prime Minister and Conservative MP is a questionable breach of data protection.
Because of these broad definitions, effective protection is limited due to widespread non-compliance.' He quoted Bert-Jaap Koops (2014) and I’ve found this to clarify, ‘unless data protection reform starts looking in other directions — going back to basics, playing other regulatory tunes on different instruments in other legal areas, and revitalising the spirit of data protection by stimulating best practices — data protection will remain dead. Or, worse perhaps, a zombie’. He suggested some solutions:
1. There should be better definitions of the mischiefs that data protection counters.
2. There should be narrower scope and it shouldn't try to regulate everything.
3. It should acknowledge rights conflicts. Innovation shouldn’t be stifled
4. It should delineate peremptory rules
5. And it should be effectively enforced.
He outlined some historic support of narrowing the regulation’s scope. First was the Durant case at 28 ‘.It follows from what I have said that not all information retrieved from a computer search against an individual's name or unique identifier is personal data within the Act.’ And the second was the OECD framework guidelines 1980, which were very clear on definitions and scope. However given that the regulation is the most amended piece of legislation ever, he is pessimistic about any back tracking and/or tightening of definitions.
Cloud Computing
The second speaker from this panel – and actually the last in my notes – was Asma Vranaki on ‘the rise of cloud investigations by European data protection authorities’. I have made liberal use of her blog post on the same matter because this was an exceptionally technical presentation. We did have a twitter exchange on the complexity of the matter so please excuse any errors; they are mine alone.
Cloud computing is the use of the internet to run applications or store data. Until recently, we kept everything locally on our computers or on a server in our office basement. Cloud computing revolutionises this because programs and data suddenly become accessible from any device and any location. The information is accessed remotely and not stored locally. If you have ever accessed web-based email, this is cloud computing. If you’ve streamed music or videos, this is cloud computing. Apps like Dropbx, MiCoach or Evernote both rely on cloud computing. Facebook? Cloud computing. And these innovative applications and technologies are proliferating and are clearly here to stay.
Cloud computing relies on large quantities of personal data, and scholars, regulators, and lawyers are becoming increasingly concerned about data protection issues. Who owns the data and how secure is it? It is these issues that the new European data protection laws are looking to address. Many global in-house lawyers are struggling with the complex and intricate data protection issues raised by cloud computing. Many organisations, including law firms, are adopting cloud computing technologies and services because it is an efficient, flexible, and cost efficient way to work. So what are the implications and how can we find out what is happening?
Asma’s work involves looking at various data sources:
1. Audits and/or investigations of cloud providers conducted by national data protection authorities;
2. Relevant press releases and opinions;
3. Current and proposed data protection laws, and;
4. Relevant lawsuits filed against cloud providers on the grounds of breaches of data protection laws.
With this information she can assess the compliance of cloud providers with relevant data protection laws and determine whether cloud providers have breached relevant data protection laws. Her findings suggest that there have been a growing number of data audits and/or investigations of cloud providers, such as Facebook twice, Google and Whatsapp by national data protection authorities. At the same time, there is less litigation being filed against such cloud providers.
This trend in my view isn’t surprising. Firstly, it is inevitable that there would be an increase in audits because there are more cloud computing providers. What is more interesting is that there have been so few reported breaches. Perhaps the complexity and the international nature of the companies providing server space is one reason for the lack of investigations –and limited litigation. So many jurisdictions can be involved, and if there is more than one service provider, who is the data controller, which jurisdictional laws apply?
She warns in-house lawyers about these audits and says that this shift indicates a significant change in the methods and processes and people involved in assessing compliance. Additionally, further research needs to be conducted into the reasons behind the so-called rise of the ‘Audit Age’.
The event raised many interesting questions around subjects which have been in the news over the last week! There was a recent parliamentary report on drones; security around apps; the cloud, bio tech data...
A blog to explore the interests of an original renaissance woman; arts, sciences, poetry, librarianship and everything in between.
Showing posts with label data protection. Show all posts
Showing posts with label data protection. Show all posts
Monday, 9 March 2015
Thursday, 19 February 2015
Don’t Free Citizens Need The Right To Be Forgotten?
Last night saw the inaugural debate of the new Legal Debate Series organised by Thomson Reuters. It was a timely discussion around the highly contentious issue of an individual's right to control their own digital footprint and legacy. On May 13 2014 the ECJ backed the 'Right to be forgotten' and ruled that individuals can request that Google and other search engines remove links to 'inadequate, irrelevant, or no longer relevant personal data'. The blurb continued, 'the implications for search engines, social media operators and in fact, any business with EU operations are huge'. Having already written about litigation and data protection, I was interested to hear if anything new could be brought to the debate.
Wednesday, 21 January 2015
Data Protection and Access to Information: An IALS Lecture
I attended the Institute of Advanced Legal Studies 'Data Protection Act 1984, Freedom of Information Act 2000: thirty and fifteen years on – perspectives on the past and prospects for the future' yesterday evening. The talk, as you'd expect from a university event, was quite academic. I'm used to library/legal events where lawyers/PSLs offer practical solutions to difficult legislation, but it was interesting to hear a different take.
This lecture acknowledged the awkwardness of the various conventions, directives, acts etc., which go to make up the legislative framework of data protection/access to information. There were some interesting insights simply because (shock horror) I'm not aware of the history of data protection, and I had never thought about why 'freedom of information' was actually a complete misnomer. It should be 'a right to access administrative documents' legislation.
Thursday, 6 November 2014
Wearable Technology: The Impact on Society and Privacy
What do I know about wearable tech? What do I know about my own privacy settings on the tech that I carry about with me? How much of my personal data am I unwittingly giving away to large corporations through apps, GPS, internet searches? With these questions in mind I attended the panel discussion organised by the Halsbury Law Exchange. I was there in a couple of capacities; partly as representative of my firm and partly as an interested consumer.
Wednesday, 29 October 2014
Data Protection: A Litigation View
Data protection is normally presented from a risk/compliance point of view and, indeed, it is an essential part of a firm's responsibility to their clients. Information professionals should be involved with these compliance duties and be familiar with processes and principles. However, what about the litigation point of view? Yesterday David Glen of 1 Brick Court took us though some recent legal developments but any errors in law or omissions in sense are all mine!
Background
The Data Protection Act 1998 was formed out of the EU Data Protection Directive (also known as Directive 95/46/EC). For the first decade of its existence, it caused a stir as a new area of law but then, litigation-wise, essentially discarded. Data protection has been seen as a secondary cause, offering a peripheral remedy after remedies that libel and misuse of information offer. Background
David believed that this is shifting and we will be seeing a change in the future. He suggested that people are far more aware of their personal data protection rights because of increased discussion in the press. The increased willingness of the judiciary to apply the data protection thresholds is also key; Tugendhat J. has turned it into a radical issue. The final case (below) that he discussed applies the DPA's already broad issue of fairness in an even wider way.
Friday, 4 April 2014
CLIG Seminar: Employment law and socia media
These notes come out of a CLIG seminar I attended on 18 March 2014 - the excellent and extremely thorough speaker was Alexandra Mizzi. Apologies for any omissions or mistakes, which are entirely mine and certainly not her fault.
Social media is being tackled piecemeal in the courts and some of these interesting cases are discussed below. It is a tricky area due to increasingly blurred lines between personal and private lives. Creating a successful social media brand is personality driven, so a personal/professional clash is inevitable.
The seminar covered the following areas: the perils of online selection, screening and recruitment; employee misconduct online looking at both company reputation and employer liability; and finally the tricky issue of social media contacts ownership.
Social media is being tackled piecemeal in the courts and some of these interesting cases are discussed below. It is a tricky area due to increasingly blurred lines between personal and private lives. Creating a successful social media brand is personality driven, so a personal/professional clash is inevitable.
The seminar covered the following areas: the perils of online selection, screening and recruitment; employee misconduct online looking at both company reputation and employer liability; and finally the tricky issue of social media contacts ownership.
Subscribe to:
Posts (Atom)