The majority personal information available online is now in some sense user-generated and most of this is subject to further processing by service providers pushing, structuring and aggregating the content. This emerging ecosystem raises unprecedented challenges for the data protection framework both as regards the safeguarding of users themselves and the allocation of responsibility between them and service providers for the protection of the rights of other individuals who may be identifiable in the published data. These slides from the WYNG-Hatton Lecture 2016 delivered at the University of Hong Kong in November 2016 look at these issues from both a historical and contemporary perspective concentrating especially on the case examples of health discussion forums, the publication of data from internet of things tracking devices and the responsibilities of search engines in the wake of the "right to be forgotten" ruling in Google Spain (2014). The video the lecture is available here: https://www.youtube.com/watch?v=AHE4YHXHpYc&feature=youtu.be

1. Dr. David Erdos
University of Cambridge

2. History of Personal Data Protection (DP)
 Europe the “cradle” of DP & remains strong champion.
 Indirect germs of this idea long & deep roots:
 Rights of personality, privacy, identity & honour.
 Turn to human rights post World War II.
 Direct origins are rather recent:
 1973: First national law & first transnational instrument.
 1980s: DP Convention & spread of laws in Europe
 1990s: DP EU Directive.
 2000s: DP EU fundamental right & global spread of laws
 2010s: DP EU Regulation; global spread continues.

3. The Rise of Electronic Data Processing
 Moore’s Law (1965): computing power will exponentially increase.
 Not just a question of storage but also e.g. collection, organization,
dissemination and retrieval.
Oren Blomberg on Flickr

4. European Data Protection (DP): Default Scope
 Personal Data:
 Regulated Processing:
 Purposive Scope:
Luxembourg CNPD
“any information relating to an identified or identifiable
individual” (A. 2 (a))
“any operation”. Always regulated if even partly automated.
“protect the fundamental rights and freedoms of natural
persons, and in particular their right to privacy”

5. European DP: Default Substance
Personal
Data
Processing
DP Principles
• Fair & lawful,
• Purpose quality &
limits
• Information
quality & limits
Legitimation
Consent , necessary
balance etc.
Transparency &
Control
• Proactive Duties
• Retroactive Duties
• Objection rights
Sensitive Data
• Health life
• Sex life
• Racial origin
• Politics
• Religion etc.
Discipline
• Data Security
• Data Management
• Export Control
Enforcement
• Judicial remedy
• DP Authority
• European
Supervision
Derogations/exemptions to establish equilibrium with other rights and interests

6. User-Generated Content: 1980s-present
 Online publication initially seen as informational:
 But success generally rested on user communication:
 Stress on user communication has gathered pace:
“It is essential to understand that Viewdata was initially designed for the
dissemination of … information.” (Fedida & Malik, 1979)
“Minitel offers both information and games, but above all a forum where
readers can make themselves heard.” (Marchand, 1988)
“In the era of so-called web 2.0 most content available online is user-
generated …interacting … unprecedented forms of collaboration.” (Cunha et. al., 2012)

7. UGC 1980s: Early Nature & Early Concern
International Conference of DP
Commissioners on New Media 1983
“[P]ersonal data of all kinds can be
widely disseminated at small cost …
[S]uppliers and subscribers are
publishing sensitive data”
“[M]ust not violate personal rights … …
[including] legal regulations … in one
country … can be circumvented in
another.”
Images taken at Centre for Computing History, Cambridge

8. Court of Justice of EU: Lindqvist (2003)
Facts: Lindqvist published data on some 18 fellow volunteers including
of leg-injury (& that on half-time work).
1. Lindqvist was not exempt from data protection:
“publication … accessible to an indefinite number of people” (at [47])
2. Lindqvist had published health/sensitive data:
“all aspects, both physical and mental, of the health of an individual” (at [50])
3. Not “artistic or literary” purpose but need for rights balance:
“Lindqvist’s freedom of expression … and her freedom to carry out
activities contributing to religious life have to be weighed against the
protection of the private life” (at [86])

9. Health Discussion Sites: Italian DPA (2012)
 Acknowledges value for scientific knowledge & mutual support.
 Publication of health data on Internet posed specific risks.
 Focus on proactive responsibilities of Site Manager:
 Allow for & flag up possibility of pseudonymity.
 Specify if published data available beyond registered users.
 Specify if published data available to search engines.
 Warn users to be careful regarding identifying data or images.
 Warn users to be especially careful about third party identification (even
indirect).
 Facilitate & mention empowerment rights (updating, rectification,
erasure, objection).

10. UGC & the Internet of Things
 Rise of systematic recording e.g. of fitness & sleep.
 Data often socially published e.g. to foster +ve competition.
 Significant knowledge, wellbeing and self-creation benefits.
 Serious data protection risks.
EU DPA Article 29 Working Party (2014):
• Default settings should ask users to review/edit/decide on information
generated before publication on social platforms.
• Socially published information should not be indexed by search engines
by default.
Mike Mozart on Flickr

11. FitBit UGC Privacy Scandal 2011

12. “Right to be Forgotten” Ruling (2014)
 DP concern about searching & public content from early 1980s.
 Rise of general search engines in mid-1990s was a game changer.
 But, for many years often seen as “off limits” from European DP:
 Transnational jurisdictional problems,
 Ideology of engines as “neutral intermediary”,
 Freedom of expression concerns & divergences,
 Impracticability of many DP standards.
 Whilst myriad issues remain, 2014 CJEU decision marked key shift.

13. Google Spain (2014): Three Key Elements
“[T]he processing of personal data … search engine can be distinguished from
and is additional to that carried out by publishers of websites” (at [35])
“[D]ata subject … request that the information in question not longer be made
available … override, as a rule, not only the economic interest of the operator
of the search engine but also the interest of the public in finding that
information upon a search relating to the data subject’s name.” (at [97])
“Article 8 of the [EU] Charter [of Fundamental Rights] expressly proclaims the
right to the protection of personal data” (at [69])

14. Final Thoughts
 European DP champions critical noble & “at risk” values.
 European DP in many ways not in good health.
 Interface with UGC epitomises many of European DP’s problems.
 How can we create a legal, contextual, protective and effective
framework going forward?
“[D]ata protection was after all from its earliest days an impossible task.”
(Prof. Spirios Simitis (Hessian DP Supervisor 1975-1991), Montreal 1997)