Joanna Kulesza, University of Lodz: Transboundary Challenges of Privacy Protection

Transboundary
challenges

to
privacy
protec5on

Joanna
Kulesza

University
of
Lodz

Faculty
of
Law
and
Administra5on

Department
of
Interna5onal
Law
and
Interna5onal
Rela5ons

Oxford
Internet
Ins5tute,
August
15th,
2012

scope

•  legal
tools
for
privacy
protec5on

•  privacy
as
an
unenforcable
human
right

•  European
approach
to
privacy
protec5on

•  peer-‐to-‐peer
privacy
(Web
2.0)

•  safe
harbor
agreements

•  walled
gardens
of
privacy

•  extra-‐legal
solu5on
to
the
privacy
challenge

Universal
Declara2on
of

Human
Rights
(UDHR)
1948

Ar2cle
12.
No
one
shall
be
subjected

to
arbitrary
interference
with
his

privacy,
family,
home
or

correspondence,
nor
to
aPacks

upon
his
honour
and
reputa5on.

Ar2cle
29.
(2)
In
the
exercise
of

his
rights
and
freedoms,

everyone
shall
be
subject
only

to
such
limita2ons
as
are

•  determined
by
law

•  solely
for
the
purpose
of
securing
due
recogni5on
and
respect

for
the
rights
and
freedoms
of
others
and

•  of
mee5ng
the
just
requirements
of
morality,
public
order

and
the
general
welfare
in
a
democra5c
society.

author: unknown, source: Wikipedia

Interna5onal
Covenant
on
Civil
and

Poli5cal
Rights
(ICCPR)

•  draUed:
1954

•  adopted
:
1966

•  entry
into
force:
1976
author: IdiotSavant, source: Wikipedia,

Interna2onal
Ar2cle
17

Covenant
on
1.
No
one
shall
be
subjected

Civil
and
to
arbitrary
or
unlawful

Poli2cal
Rights
interference
with
his

privacy,
family,
home
or

correspondence,
nor
to
unlawful

aPacks
on
his
honour
and

reputa5on.

UN
Human
Rights
Commi2ee
(HRC)

CCPR
General
Comment
No.
16:
Ar?cle
17
(Right
to
Privacy)

The
Right
to
Respect
of
Privacy,
Family,
Home
and

Correspondence,
and
Protec?on
of
Honour
and
Reputa?on

8
April
1988

CCPR
General
Comment
No.
16

•  States
are
required
to
adopt
measures
to
ensure
that
the

prohibi5on
against
privacy
interferences
and
aPacks
is

eﬀec5ve

•  A
posi5ve
obliga5on
of
states
to
ac5vly
protect
individual

privacy
against
interference:
„Eﬀec?ve
measures
have
to
be

taken
by
States
to
ensure
that
informa?on
concerning
a

person's
private
life
does
not
reach
the
hands
of
persons
who

are
not
authorized
by
law
to
receive,
process
and
use
it

•  Surveillance,
whether
electronic
or
otherwise,
intercep?ons
of

telephonic,
telegraphic
and
other
forms
of
communica?on,

wire-‐tapping
and
recording
of
conversa?ons
should
be

prohibited.

CCPR
General
Comment
No.
16

•  Lawfulness:
no
interference
can
take
place
„except
in
cases

envisaged
by
the
law

•  relevant
legisla5on
must
specify
in
detail
the
precise

circumstances
in
which
such
interferences
may
be
permiPed,

while:
„A
decision
to
make
use
of
such
authorized
interference

must
be
made
[…]
on
a
case-‐by-‐case
basis

•  Arbitrariness:
„even
interference
provided
for
by
law
should

be
in
accordance
with
the
provisions,
aims
and
objec?ves
of

the
Covenant
and
reasonable
in
the
par?cular
circumstances

Why
doesn t
the
ICCPR
regime
work?

World
Court
of
Human
Rights?

World
Court
of
Human
Rights?

The
establishment
of
a
World
Court
of
Human
Rights

could
help
to
bridge
the
gap
between
codiﬁed
rights

and
reality.
The
idea
of
such
a
Court
dates
back
to

1947.
Due
to
the
Cold
War,
however,
the
proposal

did
not
ﬁnd
consensus
among
States.
Thus
the
World

Court
of
Human
Rights
was
never
realised
and

remained
s?gma?sed
as
utopian.

Author: Sylvain Savolainen, source: www.udhr60.ch

Privacy
protec5on
in
Europe

Privacy
protec5on
in
Europe
(ECHR)

Conven2on
for
the
Protec2on
of
Human
Rights
and
Fundamental
Freedoms

(European
Conven5on
on
Human
Rights,
ECHR),
1953
(draUed
1950)

ECHR
jurisprudence
recognizes
the
right
to
privacy
in
its
Ar5cle
8
as
a

deriva5ve
of
the
right
to
have
one’s
private
and
family
life
respected.

Ar?cle
8

1.
Everyone
has
the
right
to
respect
for
his
private
and
family
life,
his
home

and
his
correspondence.

2.
There
shall
be
no
interference
by
a
public
authority
with
the
exercise
of
this

right
except
such
as
is
in
accordance
with
the
law
and
is
necessary
in
a

democra?c
society
in
the
interests
of
na?onal
security,
public
safety
or
the

economic
well-‐being
of
the
country,
for
the
preven?on
of
disorder
or

crime,
for
the
protec?on
of
health
or
morals,
or
for
the
protec?on
of
the

rights
and
freedoms
of
others.

à
rich
jurisprudence

Privacy
protec5on
in
Europe
(EU)

Charter
of
Fundamental
Rights
of
the
European
Union
2009
(2000)

Ar?cle
7
Respect
for
private
and
family
life

Everyone
has
the
right
to
respect
for
his
or
her
private
and
family
life,
home

and
communica5ons.

Ar?cle
8
Protec2on
of
personal
data

1.
Everyone
has
the
right
to
the
protec5on
of
personal
data
concerning
him

or
her.

2.
Such
data
must
be
processed
fairly
for
specified
purposes
and
on
the
basis

of
the
consent
of
the
person
concerned
or
some
other
legi5mate
basis
laid

down
by
law.
Everyone
has
the
right
of
access
to
data
which
has
been

collected
concerning
him
or
her,
and
the
right
to
have
it
rec5fied.

3.
Compliance
with
these
rules
shall
be
subject
to
control
by
an
independent

authority.

effec5veness
ques5oned,
esp.
with
the
Bri5sh,
Czech
and
Polish
opt-‐out
protocol

privacy
and
personal
data

Privacy
protec5on
in
Europe
(EU)

Direc5ve
95/46/EC
of
the
European
Parliament
and
of
the
Council
of
24

October
1995
on
the
protec5on
of
individuals
with
regard
to
the

processing
of
personal
data
and
on
the
free
movement
of
such
data

Ar5cle
3

Scope

2.
This
Direc5ve
shall
not
apply
to
the
processing
of
personal

data:

-‐
by
a
natural
person
in
the
course
of
a
purely
personal
or

household
ac2vity.

author/source:
promo5onal-‐items.in

„a
purely
personal
ac5vity on-‐line

ü social
networks?

ü private
pages?
weblogs?

criteria?

•  data
availability?

•  network
character?

J. Kulesza, Transboundary challenges to privacy protection

peer-‐to-‐peer
privacy

Web
2.0
challenge


J. Kulesza, Transboundary challenges to privacy protection 18

J. Kulesza, Transboundary challenges
19
to privacy protection

geolocalisa5on
data

20

social
seman5c
web


peer-‐to-‐peer
privacy

•  new
categories
of
data
(geolocalisa5on)

•  new
tools
enabling
detailed
personal
proﬁling

for
private
purposes

•  no
anonymity

•  durability
of
data
(right
to
be
forgoPen?)


Privacy
2.0

„Mash
together
these
technologies
(…)
and
it
becomes
trivial
to

receive
answers
to
ques?ons
like:
Where
was
Jonathan

Zi2rain
last
year
on
the
fourteenth
of
February?,
or,
Who

could
be
found
near
the
entrance
to
the
local
Planned

Parenthood
clinic
in
the
past
six
months?
The
answers
need

not
come
from
government
or
corporate
cameras,
which
are

at
least
par?ally
secured
against
abuse
through
well-‐
considered
privacy
policies
from
Privacy
1.0.
Instead,
the

answers
come
from
a
more
powerful,
genera?ve
source:
an

army
of
the
world’s
photographers,
including
tourists
sharing

their
photos
online
without
ﬁrm
(or
legi?mate)
expecta?ons

of
how
they
might
next
be
used
and
reused.

J.
Zi2rain,
„The
Future
of
Internet
and
How
to
Stop
It .
p.
46


Privacy
as
a
personal
right

na5onal
civil
law
challenge

Privacy
as
a
personal
right

public

sphere
(Sozial-‐/

Öﬀentlichkeitssphäre)

privacy

sphere

(Privatsphäre)

in5mate

sphere

(In5msphäre)

Privacy
as
a
personal
right

public
sphere
(Sozial-‐/

Öﬀentlichkeitssphäre)

social
sphere
(Sozialsphäre)

privacy
sphere

(Privatsphäre)

in5mate

sphere

(In5msphäre)

secret

sphere

(Sekretsphäre)

The
transatlan5c
challenge

U.S.
vs
EU
concept
of
data

protec5on

Ar5cle
25
Direc5ve
95/46/EC

1.
The
Member
States
shall
provide
that
the
transfer
to
a
third
country
of
personal

data
which
are
undergoing
processing
or
are
intended
for
processing
aUer
transfer

may
take
place
only
if
[…]
the
third
country
in
ques5on
ensures
an
adequate
level

of
protec2on.

2.
The
adequacy
of
the
level
of
protec5on
aﬀorded
by
a
third
country
shall
be

assessed
in
the
light
of
all
the
circumstances
surrounding
a
data
transfer
opera5on

or
set
of
data
transfer
opera5ons;
[…]

3.
The
Member
States
and
the
Commission
shall
inform
each
other
of
cases
where

they
consider
that
a
third
country
does
not
ensure
an
adequate
level
of
protec5on

within
the
meaning
of
paragraph
2.

4.
Where
the
Commission
ﬁnds
[…]
that
a
third
country
does
not
ensure
an
adequate

level
of
protec5on
within
the
meaning
of
paragraph
2
of
this
Ar5cle,
Member

States
shall
take
the
measures
necessary
to
prevent
any
transfer
of
data
of
the

same
type
to
the
third
country
in
ques5on.

U.S.
vs
EU
concept
of
data

protec5on

In
order
to
enable
personal
data
transfer
from
Europe
to
the
U.S.,
the
Department

of
Commerce
(DoC)
coordinated
the
formula5on
of
Safe
Harbor
Privacy

Principles.

safe
harbour
agreements

•  United
States
entrepreneurs
wishing
to
use
personal
data

protected
by
the
EU
law
must
accept
the
Principles

(coordinated
by
the
U.S.
DoC).

•  They
need
to
repeatedly
cer5fy
that
they
meet
the
aims

declared
in
the
principles
by
joining
one
of
the
self-‐regula5ng

programs,
for
example,
TRUSTe
or
BBBOnline,
verify

compliance
with
the
Safe
Harbor
Privacy
Principles.

•  The
declara5on
of
each
company
to
adhere
to
the
program

includes
an
obliga5on
to
meet
the
seven
basic
aims
of
the

Direc5ve
(no5ce,
choice,
onward
transfer,
security,
data

integrity,
access
and
enforcement).

safe
harbour
agreements

•  Safe
Harbor
Privacy
Principles
are
not
an
act
of
law.
Their
only

legal
eﬀect
is
to
encourage
voluntary
corporate
compliance

with
the
principles
veriﬁed
by
authorized
organiza5ons.

•  Viola5ons
of
the
Principles
are
deemed
acts
of
unfair
or

decep5ve
trade
prac5ce
by
the
Federal
Trade
Commission

(FTC).

•  U.S.-‐based
companies,
opera5ng
in
Europe
may
be
subject
to

European
states’
jurisdic5on
if
they
fail
to
meet
their
data

protec5on
obliga5ons
based
on
na5onal
personal
data

regula5ons.

safe
harbour
agreements

•  The
execu5on
and
enforcement
of
Safe
Harbor
Privacy
Principles
has
been

subject
to
cri5cism,
primarily
because
of
the
lack
of
transparency
on
the

introduc5on
and
verifica5on
of
privacy
policies.

•  The
2004
EU
review
of
the
implementa5on
of
the
Principles
included

repeated
concern
“about
the
number
of
self-‐cer5fied
organiza5ons
that

have
not
published
a
privacy
policy
or
that
have
published
a
policy
that
is

not
compliant
with
the
Principles.”

•  The
crucial,
prac5cal
problem
originated
from
the
voluntary
character
of

the
guidelines.
Since
some
companies
did
not
introduce
any
privacy
policy,

the
FTC
had
no
jurisdic5on
to
enforce
their
compliance
with
the
Principles.

The
Commission
also
depicted
the
lack
of
a
proac5ve
aptude
in

monitoring
organiza5ons’
compliance
with
the
Principles.

•  An
independent
2008
review
showed
a
growing
number
of
false
claims
by

U.S.
organiza5ons
on
their
Safe
Harbor
compliance
and
recognized
it
as
a

new
and
significant
threat
to
consumers’
privacy.

interna5onal
privacy
protec5on

http://www.privacyinternational.org/survey/dpmap.jpg

34

the
source
of
the
problem

shape
of
law

36
http://www.jimmymack.org

shape
of
cyberspace

37
author: Dmitri Krioukov, source: SDSC/CAIDA

Na5onal
privacy
standards
in
cyberspace?

38
author: Dmitri Krioukov, source: SDSC/CAIDA http://www.jimmymack.org

extralegal
solu5ons?

services
and
self-‐regula5on


services


walled
gardens
of
privacy

simondseconoart/ sundaypearls.wordpress.com

J. Kulesza, Transboundary challenges
42
to privacy protection

summary

•  liPle
chance
for
a
binding
and
executable

interna5onal
treaty
on
privacy
protec5on

•  a
good
chance
of
common
business
prac5ces

sepng
a
global
standard

•  alterna5ve:
na5onally
„secured
spaces
of

privacy
protec5on
according
to
na5onal
laws

(e.g.
china)

Joanna
Kulesza

University
of
Lodz

joannakulesza@gmail.com

Joanna Kulesza, University of Lodz: Transboundary Challenges of Privacy Protection

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (11)

Similaire à Joanna Kulesza, University of Lodz: Transboundary Challenges of Privacy Protection

Similaire à Joanna Kulesza, University of Lodz: Transboundary Challenges of Privacy Protection (20)

Plus de i_scienceEU

Plus de i_scienceEU (19)

Dernier

Dernier (20)

Joanna Kulesza, University of Lodz: Transboundary Challenges of Privacy Protection