Network of Excellence Internet Science Summer School. The theme of the summer school is "Internet Privacy and Identity, Trust and Reputation Mechanisms".
More information: http://www.internet-science.eu/
Joanna Kulesza, University of Lodz: Transboundary Challenges of Privacy Protection
1. Transboundary challenges to privacy protection
Joanna Kulesza
University of Lodz, Faculty of Law and Administration, Department of International Law and International Relations
Oxford Internet Institute, August 15th, 2012
2. scope
• legal tools for privacy protection
• privacy as an unenforceable human right
• European approach to privacy protection
• peer-to-peer privacy (Web 2.0)
• safe harbor agreements
• walled gardens of privacy
• extra-legal solution to the privacy challenge
3. Universal Declaration of Human Rights (UDHR) 1948
Article 12. No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation.
Article 29. (2) In the exercise of his rights and freedoms, everyone shall be subject only to such limitations as are
• determined by law
• solely for the purpose of securing due recognition and respect for the rights and freedoms of others and
• of meeting the just requirements of morality, public order and the general welfare in a democratic society.
author: unknown, source: Wikipedia
4. International Covenant on Civil and Political Rights (ICCPR)
• drafted: 1954
• adopted: 1966
• entry into force: 1976
author: IdiotSavant, source: Wikipedia
5. International Covenant on Civil and Political Rights
Article 17
1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
UN Human Rights Committee (HRC), CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation, 8 April 1988
6. CCPR General Comment No. 16
• States are required to adopt measures to ensure that the prohibition against privacy interferences and attacks is effective
• A positive obligation of states to actively protect individual privacy against interference: „Effective measures have to be taken by States to ensure that information concerning a person's private life does not reach the hands of persons who are not authorized by law to receive, process and use it”
• Surveillance, whether electronic or otherwise, interceptions of telephonic, telegraphic and other forms of communication, wire-tapping and recording of conversations should be prohibited.
7. CCPR General Comment No. 16
• Lawfulness: no interference can take place „except in cases envisaged by the law”
• relevant legislation must specify in detail the precise circumstances in which such interferences may be permitted, while: „A decision to make use of such authorized interference must be made […] on a case-by-case basis”
• Arbitrariness: „even interference provided for by law should be in accordance with the provisions, aims and objectives of the Covenant and reasonable in the particular circumstances”
10. World Court of Human Rights?
The establishment of a World Court of Human Rights could help to bridge the gap between codified rights and reality. The idea of such a Court dates back to 1947. Due to the Cold War, however, the proposal did not find consensus among States. Thus the World Court of Human Rights was never realised and remained stigmatised as utopian.
Author: Sylvain Savolainen, source: www.udhr60.ch
12. Privacy protection in Europe (ECHR)
Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention on Human Rights, ECHR), 1953 (drafted 1950)
ECHR jurisprudence recognizes the right to privacy in its Article 8 as a derivative of the right to have one’s private and family life respected.
Article 8
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
→ rich jurisprudence
13. Privacy protection in Europe (EU)
Charter of Fundamental Rights of the European Union 2009 (2000)
Article 7
Respect for private and family life
Everyone has the right to respect for his or her private and family life, home and communications.
Article 8
Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
effectiveness questioned, esp. with the British, Czech and Polish opt-out protocol
15. Privacy protection in Europe (EU)
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Article 3
Scope
2. This Directive shall not apply to the processing of personal data:
- by a natural person in the course of a purely personal or household activity.
author/source: promotional-items.in
16. „a purely personal activity” on-line
✓ social networks?
✓ private pages?
weblogs?
criteria?
• data availability?
• network character?
J. Kulesza, Transboundary challenges to privacy protection
17. peer-to-peer privacy
Web 2.0 challenge
23. peer-to-peer privacy
• new categories of data (geolocalisation)
• new tools enabling detailed personal profiling for private purposes
• no anonymity
• durability of data (right to be forgotten?)
24. Privacy 2.0
„Mash together these technologies (…) and it becomes trivial to receive answers to questions like: Where was Jonathan Zittrain last year on the fourteenth of February?, or, Who could be found near the entrance to the local Planned Parenthood clinic in the past six months? The answers need not come from government or corporate cameras, which are at least partially secured against abuse through well-considered privacy policies from Privacy 1.0. Instead, the answers come from a more powerful, generative source: an army of the world’s photographers, including tourists sharing their photos online without firm (or legitimate) expectations of how they might next be used and reused.”
J. Zittrain, „The Future of Internet and How to Stop It”, p. 46
25. Privacy as a personal right
national civil law challenge
26. Privacy as a personal right
public sphere (Sozial-/Öffentlichkeitssphäre)
privacy sphere (Privatsphäre)
intimate sphere (Intimsphäre)
27. Privacy as a personal right
public sphere (Sozial-/Öffentlichkeitssphäre)
social sphere (Sozialsphäre)
privacy sphere (Privatsphäre)
intimate sphere (Intimsphäre)
secret sphere (Sekretsphäre)
29. U.S. vs EU concept of data protection
Article 25 Directive 95/46/EC
1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if […] the third country in question ensures an adequate level of protection.
2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; […]
3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.
4. Where the Commission finds […] that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.
30. U.S. vs EU concept of data protection
In order to enable personal data transfer from Europe to the U.S., the Department of Commerce (DoC) coordinated the formulation of Safe Harbor Privacy Principles.
31. safe harbour agreements
• United States entrepreneurs wishing to use personal data protected by the EU law must accept the Principles (coordinated by the U.S. DoC).
• They need to repeatedly certify that they meet the aims declared in the principles by joining one of the self-regulating programs, for example TRUSTe or BBBOnline, which verify compliance with the Safe Harbor Privacy Principles.
• The declaration of each company to adhere to the program includes an obligation to meet the seven basic aims of the Directive (notice, choice, onward transfer, security, data integrity, access and enforcement).
32. safe harbour agreements
• Safe Harbor Privacy Principles are not an act of law. Their only legal effect is to encourage voluntary corporate compliance with the principles verified by authorized organizations.
• Violations of the Principles are deemed acts of unfair or deceptive trade practice by the Federal Trade Commission (FTC).
• U.S.-based companies operating in Europe may be subject to European states’ jurisdiction if they fail to meet their data protection obligations based on national personal data regulations.
33. safe harbour agreements
• The execution and enforcement of Safe Harbor Privacy Principles has been subject to criticism, primarily because of the lack of transparency on the introduction and verification of privacy policies.
• The 2004 EU review of the implementation of the Principles included repeated concern “about the number of self-certified organizations that have not published a privacy policy or that have published a policy that is not compliant with the Principles.”
• The crucial, practical problem originated from the voluntary character of the guidelines. Since some companies did not introduce any privacy policy, the FTC had no jurisdiction to enforce their compliance with the Principles. The Commission also depicted the lack of a proactive attitude in monitoring organizations’ compliance with the Principles.
• An independent 2008 review showed a growing number of false claims by U.S. organizations on their Safe Harbor compliance and recognized it as a new and significant threat to consumers’ privacy.
43. summary
• little chance for a binding and executable international treaty on privacy protection
• a good chance of common business practices setting a global standard
• alternative: nationally „secured” spaces of privacy protection according to national laws (e.g. China)
44. Joanna Kulesza
University of Lodz
joannakulesza@gmail.com