Ronald Leenes, Tilburg University

advertisement
legal & ethical
data sharing
prof.dr. Ronald Leenes
[email protected]
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
overview
• the problem revisited
• secondary use
• data protection regulation
• Data Protection Directive 95/46/EC
• e-Privacy Directive 2002/58/EG
• privacy by design
• (D)PIA
zaterdag 29 november 14
the problem revisited
• Lots of data pass SURFnet
• raw data
• traffic data (metadata)
• What can be shared with academic
researchers?
• Under which conditions?
zaterdag 29 november 14
traffic data (aka meta data)
zaterdag 29 november 14
packet dump
zaterdag 29 november 14
Directive 95/46/EC
(data protection directive)
Wet bescherming persoonsgegevens
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
data protection goals
facilitate
free flow of information
provide
minimum level of data protection
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
personal data
… means any information relating
to an identified or identifiable
person (the "data subject").
art 2 (a) Data Protection Directive 95/46/EC
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
identifiable
every person who can be
identified, directly or indirectly, in
particular by reference to an
identification number or to one or
more factors specific to his
physical, mental, economic,
cultural or social identity.
art 2 (a) Data Protection Directive 95/46/EC
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
Ronald Leenes
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
social security #
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
Jef Raskin, Apple Computer Inc.
employee # 31
Jef Raskin died on 26 Feb 2005
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
we’re often
identifiable
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
personal data
identifiers + identifying sets of attributes
name, address
telephone number, student number, BSN
hair color + height
personal data
age, name, hear color, weight, gender
grades, income, buying habits
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
zaterdag 29 november 14
extensional confusion
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
‘named’
v.
singled out
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
IP address?
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
fuzzy history
Art 29 WP
1999 – some IP’s are personal data (static)
2000 – for ISP’s they are
2007 – reasonable effort, but consider them
personal data
2008 (search engines) – IPs are pd (because of
additional data)
CBP
2001 (no), 2008 (yes)
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
Munich case
website operators are allowed to store
the internet protocol (IP) addresses of
their visitors without violating data
protection legislation.
Without additional information, IP
addresses do not count as personal
data, it said.
http://www.theregister.co.uk/2008/10/15/ip_address_personal_data_ruling/
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
Google:
IPs are not PII (most of the time)
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
"[…] we gather certain information automatically
and store it in log files. This information includes
Internet Protocol (IP) addresses, browser type,
Internet Service Provider (ISP), referring/exit
pages, operating system, date/time stamp, and
clickstream data.
We use this information, which does not identify
individual users, to analyze trends, to administer
the site, to track users’ movements around the
site and to gather demographic information
about our user base as a whole."
Apple.com privacy policy
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
‘named’
v.
singled out
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
Court of Justice EU
24 Nov. 2011, case 70/10 Scarlet v.
SABAM
IP addresses are protected personal data
"because they allow those users to be precisely
identified"
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
n
o
s
s
e
l
IP adresses are personal data
(certainly for SURFnet affiliated organizations)
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
GDPR …
art 4 (2) 'personal data' means any
information relating to an identified or
identifiable natural person ('data subject');
art 4 (2a) 'pseudonymous data' means
personal data that cannot be attributed to a
specific data subject without the use of
additional information, as long as such
additional information is kept separately
and subject to technical and organisational
measures to ensure non-attribution;
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
… , but
Recital (24) When using online services,
individuals may be associated with online
identifiers provided by their devices,
applications, tools and protocols, such as
Internet Protocol addresses, cookie
identifiers and Radio Frequency
Identification tags, this Regulation should
be applicable to processing involving such
data, unless those identifiers do not relate
to an identified or identifiable natural
person.
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
Directive 95/46/EC
(data protection directive)
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
fairness
fair and lawful processing
principles
finality
for specific and legitimate purposes
proportionality
adequate, relevant and non excessive
transparency
inform data subject
zaterdag 29 november 14
principles
confidentiality
keep data under control
control
user involvement and control
zaterdag 29 november 14
data sharing
zaterdag 29 november 14
zaterdag 29 november 14
SURFnet:
purpose +
processing ground
…
data proce
zaterdag 29 november 14
processing ground
zaterdag 29 november 14
unambigiously given consent
necessary for performance of contract
legal obligation
vital interest of data subject
public interest
legitimate interest of controller
art. 7 legi
zaterdag 29 november 14
unambigiously given consent
necessary for performance of contract
legal obligation
vital interest of data subject
public interest
legitimate interest of controller
art. 7 legi
zaterdag 29 november 14
legitmate interest
art 7 f ) DPD
processing is necessary for the purposes of
the legitimate interests pursued by the
controller [or by the third party or parties to
whom the data are disclosed], except where
such interests are overridden by the interests
for fundamental rights and freedoms of the
data subject which require protection under
Article 1 (1).
zaterdag 29 november 14
art 7 balance
• legitimate interest sees to daily operations of
data processor
• but extends to ‘support activities’
e.g. fraud detection
• SURFnet: network security
√
• fundamental rights interests data subject
• privacy
• security
zaterdag 29 november 14
“The processing of traffic data to the extent strictly necessary
for the purposes of ensuring network and information
security, i.e. the ability of a network or an information system
to resist, at a given level of confidence, accidental events or
unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or
transmitted data, and the security of the related services
offered by, or accessible via, these networks and systems, by
providers of security technologies and services when acting as
data controllers is subject to Article 7(f ) of Directive 95/46/
EC. This could, for example, include preventing unauthorised
access to electronic communications networks and malicious
code distribution and stopping ‘denial of service’ attacks and
damage to computer and electronic communication systems.”
Directive 2009/136/EC - recital 53
zaterdag 29 november 14
art. 6 – purpose, secondary use
article 6
(1) Member States shall provide that
personal data must be:
…
b) collected for specified, explicit and
legitimate purposes and not further
processed in a way incompatible with
those purposes.
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
SURFnet: purpose
To ensure the proper operation of the
network and to protect its customers
and users of the network.
zaterdag 29 november 14
SURFnet:
purpose +
processing ground
data shar
academics:
further processing
compatible with purpose
zaterdag 29 november 14
sharing for research
zaterdag 29 november 14
zaterdag 29 november 14
research by academics?!
two approaches
•
•
•
•
extended networks security
academics helping SURFnet limited by
SURFnet’s purpose specification
academic research
undefined function
zaterdag 29 november 14
3rd party
controller
processor
data subject
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
3rd party
controller
processor
data subject
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
3rd party
controller
processor
data subject
TILT - Tilburg Institute for Law, Technology, and Society
zaterdag 29 november 14
1.
network security
extending SURFnet’s tasks
•
•
•
SURFnet is controller (responsible!)
academic researcher is processor
(JANET model)
Article 12
1. Anyone acting under the authority of the responsible party or the processor,
as well as the processor himself, where they have access to personal data,
shall only process such data on the orders of the responsible party, except
where otherwise required by law.
zaterdag 29 november 14
2.
•
academic research
Article 9 Wbp
1. Personal data shall not be further processed in
a way incompatible with the purposes for which
they have been obtained.
3. The further processing of personal data for
historical, statistical or scientific purposes shall
not be regarded as incompatible where the
responsible party has made the necessary
arrangements to ensure that the further
processing is carried out solely for these specific
purposes.
zaterdag 29 november 14
• Article 10
conditions
1. Personal data shall not be kept in a form
which allows the data subject to be identified
for and longer than is necessary for achieving
the purposes for which they were collected or
subsequently processed.
2. Personal data may be kept for longer than
provided under (1), where this is for …
scientific purposes, and where the responsible
party has made the necessary arrangements to
ensure that the data concerned are used solely
for these specific purposes.
zaterdag 29 november 14
conditions
• Article 11
1. Personal data shall only be processed
where, given the purposes for which they are
collected or subsequently processed, they are
adequate, relevant and not excessive.
2. The responsible party shall take the
necessary steps to ensure that personal data,
given the purposes for which they are
collected or subsequently processed, are
correct and accurate.
zaterdag 29 november 14
general conditions
zaterdag 29 november 14
• define research purpose
• adhere to this purpose
general
• provide safeguards
• anonymise/pseudonymise as soon as possible
• delete original data
• keep data under control
• never process on an individual level
• never disclose data pointing to individuals
• never share (raw) data with 3rd parties without
SURFnet approval
• security, security, security
• responsibilities: researcher -> SURFnet -> CBP
zaterdag 29 november 14
specific
• processor
• responsibilities: researcher -> SURFnet -> CBP
• do as told by SURFnet/agreed with SURFnet
•
academic research
• responsibilities: researcher -> CBP
• do not process leading to individual effects
zaterdag 29 november 14
privacy by design
art, not science
zaterdag 29 november 14
when does research
pose privacy threats?
zaterdag 29 november 14
art. 8 legitimate ground
f. the processing is necessary for
upholding the legitimate interests of
the responsible party or of a third party
to whom the data are supplied, except
where the interests or fundamental
rights and freedoms of the data subject,
in particular the right to protection of
individual privacy, prevail.
zaterdag 29 november 14
legal -> privacy <- ethics
zaterdag 29 november 14
Ann Cavoukian
• proactive not reactive; preventative not remedial
• privacy as the default setting
• privacy embedded into design
• full functionality – positive sum, not zero-sum
• end-to-end security – full lifecycle protection
• visbility and transparency – keep it open
• respect for user privacy – keep it user-centric
zaterdag 29 november 14
Jaap-­‐Henk Hoepman h-p://arxiv.org/pdf/1210.6621v1.pdf
zaterdag 29 november 14
Privacy Impact Assessment
Data Protection Impact Assessment
zaterdag 29 november 14
purposes
• raising awareness/sensitizing
• getting clear what you’re doing
• establishing risks
• mitigating risks
• (account for compliance)
zaterdag 29 november 14
DPIA proposal
DPIA at least includes
•
a list of the recipients or categories of recipients of the
personal data;
•
•
•
a list of the intended transfers of data to a third country
•
a systematic description of the envisaged processing
operations, the purposes of the processing and, if applicable,
the legitimate interests pursued by the controller,
•
an assessment of the necessity and proportionality of the
processing operations in relation to the purposes
an assessment of the context of the data processing
a general indication of the time limits for erasure of the
different categories of data;
zaterdag 29 november 14
DPIA proposal (cont.)
DPIA at least includes
•
an assessment of the risks to the rights and freedoms of data
subjects,
•
a description of the measures envisaged to address the risks
and minimise the volume of personal data which is processed
•
a list of safeguards, security measures and mechanisms to
ensure the protection of personal data, such as
pseudonymisation
•
an explanation which data protection by design and default
practices have been implemented
zaterdag 29 november 14
disclaimer, for what it’s worth
Texts, marks, logos, names, graphics, images,
photographs, illustrations, artwork, audio clips, video
clips, and software copyrighted by their respective owners
are used on these slides for non-commercial, educational
and personal purposes only. Use of any copyrighted
material is not authorized without the written consent of
the copyright holder. Every effort has been made to
respect the copyrights of other parties. If you believe that
your copyright has been misused, please direct your
correspondence to: [email protected]
stating your position and I shall endeavour to correct any
misuse as early as possible.
thanks to Kieran O’Hara for providing this template
zaterdag 29 november 14
Download
Related flashcards
Create Flashcards