These notes conclude the second half of the IALS Centre for Law & Information Policy
launch on Tuesday 24th February. The theme was ‘Information flows and dams’. The first part is here
. I didn't catch verbatim the last two presentations, and happily the keynote speech 'Does Privacy Matter?' is available
online - I had another engagement!
EU Data Protection
took the enormous confusion that is European data protection and asked ‘Is a reconceptualization possible?’. He made the case for the new regulation being bureaucratic, burdensome and illogical. Starting out with the relatively simple definitions of key terms, he said that personal data is any information relating to a person, even their job titles. Sensitive personal data includes racial profile, sexual identity, political affiliation etc. Given the general ban on processing sensitive data, taken to extremes, just by stating ‘David Cameron, Prime Minister and Conservative MP is a questionable breach of data protection.
Because of these broad definitions, effective protection is limited due to widespread non-compliance.' He quoted Bert-Jaap Koops (2014) and I’ve found this
to clarify, ‘unless data protection reform starts looking in other directions — going back to basics, playing other regulatory tunes on different instruments in other legal areas, and revitalising the spirit of data protection by stimulating best practices — data protection will remain dead. Or, worse perhaps, a zombie’. He suggested some solutions:
1. There should be better definitions of the mischiefs that data protection counters.
2. There should be narrower scope and it shouldn't try to regulate everything.
3. It should acknowledge rights conflicts. Innovation shouldn’t be stifled
4. It should delineate peremptory rules
5. And it should be effectively enforced.
He outlined some historic support of narrowing the regulation’s scope. First was the Durant
case at 28 ‘.It follows from what I have said that not all information retrieved from a computer search against an individual's name or unique identifier is personal data within the Act.’ And the second was the OECD framework guidelines
1980, which were very clear on definitions and scope. However given that the regulation is the most amended piece of legislation ever
, he is pessimistic about any back tracking and/or tightening of definitions.
The second speaker from this panel – and actually the last in my notes – was Asma Vranaki
on ‘the rise of cloud investigations by European data protection authorities’. I have made liberal use of her blog post
on the same matter because this was an exceptionally technical presentation. We did have a twitter exchange on the complexity of the matter so please excuse any errors; they are mine alone.
Cloud computing is the use of the internet to run applications or store data. Until recently, we kept everything locally on our computers or on a server in our office basement. Cloud computing revolutionises this because programs and data suddenly become accessible from any device and any location. The information is accessed remotely and not stored locally. If you have ever accessed web-based email, this is cloud computing. If you’ve streamed music or videos, this is cloud computing. Apps like Dropbx, MiCoach or Evernote both rely on cloud computing. Facebook? Cloud computing. And these innovative applications and technologies are proliferating and are clearly here to stay.
Cloud computing relies on large quantities of personal data, and scholars, regulators, and lawyers are becoming increasingly concerned about data protection issues. Who owns the data and how secure is it? It is these issues that the new European data protection laws are looking to address. Many global in-house lawyers are struggling with the complex and intricate data protection issues raised by cloud computing. Many organisations, including law firms, are adopting cloud computing technologies and services because it is an efficient, flexible, and cost efficient way to work. So what are the implications and how can we find out what is happening?
Asma’s work involves looking at various data sources:
1. Audits and/or investigations of cloud providers conducted by national data protection authorities;
2. Relevant press releases and opinions;
3. Current and proposed data protection laws, and;
4. Relevant lawsuits filed against cloud providers on the grounds of breaches of data protection laws.
With this information she can assess the compliance of cloud providers with relevant data protection laws and determine whether cloud providers have breached relevant data protection laws. Her findings suggest that there have been a growing number of data audits and/or investigations of cloud providers, such as Facebook twice
by national data protection authorities. At the same time, there is less litigation being filed against such cloud providers.
This trend in my view isn’t surprising. Firstly, it is inevitable that there would be an increase in audits because there are more cloud computing providers. What is more interesting is that there have been so few reported breaches. Perhaps the complexity and the international nature of the companies providing server space is one reason for the lack of investigations –and limited litigation. So many jurisdictions can be involved, and if there is more than one service provider, who is the data controller, which jurisdictional laws apply?
She warns in-house lawyers about these audits and says that this shift indicates a significant change in the methods and processes and people involved in assessing compliance. Additionally, further research needs to be conducted into the reasons behind the so-called rise of the ‘Audit Age’.
The event raised many interesting questions around subjects which have been in the news over the last week! There was a recent parliamentary report
on drones; security around apps
; the cloud
, bio tech data