Law in the Internet Society

View   r8  >  r7  >  r6  >  r5  >  r4  >  r3  ...
ClementLegrandFirstEssay 8 - 10 Jan 2017 - Main.ClementLegrand
Line: 1 to 1
 
META TOPICPARENT name="FirstEssay"

Changed:
<
<

Amending in progress Regulating Privacy: What Is the Point?

>
>

EU Regulating Privacy: What Is the Point?

 -- By ClementLegrand - 03 Nov 2016

Introduction

Changed:
<
<
On the 27th of April 2016, the European Union officially published the General Data Protection Regulation (GDPR), replacing a directive dating back from 1995. This regulation intends to regulate, as from the 25 may 2018, the processing (i.e. any operation which is performed on personal data) of personal data (i.e. any information relating to an identified or identifiable natural person) in Europe (2). The European Union opted for the approach of adopting one single normative instrument to regulate every kind of uses of personal data, including collection of data via the Internet. This approach raises several questions. Perhaps the most important one is: how does this regulation achieve its main goal: protecting privacy? The privacy is a complex notion. It protects several aspect of an individual's personality. Among these aspects, the ones most commonly invoked are the following: the autonomy, the secrecy, and the anonymity of a person. Because anonymity and secrecy are not always possible (e.g. companies often need to have a list of their employees, a list of their providers and customers, such lists include most of the time some personal data such as names, adresses for deliveries), the GDPR's main goal is to ensure the autonomy of the individuals whose personal data is being processed, through ensuring control by these individuals over their data. Under the GDPR, any natural person (i.e. excluding companies)whose personal data is being processed qualifies as "data subject", and can therefore invoke a series of rights (i.e. the right to be informed, the right to access, the right to rectify, the right to data portability and the right to be forgotten). The GDPR wants to ensure data subjects can control the use that is made of their data. To a certain extent , it also protects secrecy of the data (by regulating the data controler's disclosure of the data) and the anonymity (for example, by requiring a privacy impact assessement and by requiring data controller to ensure privacy by design). Iwill analyze one the most famous inoovation of the GDPR: the so called "right to be forgoten". I will then analyze if regulation of privacy can interfere with freedom of speech. .
>
>
On the 27th of April 2016, the European Union officially published the General Data Protection Regulation (GDPR), replacing a directive dating back from 1995. This regulation intends to regulate, as from the 25 may 2018, the processing (i.e. any operation which is performed on personal data) of personal data (i.e. any information relating to an identified or identifiable natural person) in Europe (2). The European Union opted for one single normative instrument to regulate every kind of uses of personal data. This approach raises several questions. Perhaps the most important one is: how does this regulation achieve protecting privacy?
 
Changed:
<
<

Right to be forgoten and conflict with freedom of information?

>
>

Autonomy, Right to be forgoten

 
Changed:
<
<

Right to be forgoten

The right ot be forgoten is the quintessence of the individual's autonomy in protecting their privacy. It allows individual to object to the processing of their personal data by a data controler (i.e. any entity who determines the purposes and the means of the processing of the personal data - in other words, if Columbia University decides to automatically collect the information related to my activity on its network (means), in order to ensure security (purpose), it would qualify as "data controler" under the GDPR, should it apply-)under certain circumstances. Under Google v. Costeja Gonzalez, the claimant, Consteja Gonzalez, objected to the processing of its personal data by a Spanish newspaper and by Google. The claimant objected to the fact that when an internet users enterd his name in a search engine, the results showed articles dating back from 1998 mentioning him as being subject to a public auction for the recovery of unpaid social security debts. In particular the claimant insisted that the procedure had been resolved for many years and that referencing it was now irrelevant. The Spanish data protection authority in charge rejected Costeja Gonzalez complaint against the newspapers (because it found that the newspaper was processing the information lawfully and for a legitimate purpose) but it upheld the complaint against Google. Google appealed this decision in front of the Spanish courts, and the Court referred to the European Court of Justice for a preliminary ruling. The ECJ decided that Google was responsible under the European Data protection law and that it should answer to data subjects' objections to the processing of data relating to them.
>
>

GDPR: Protecting the autonomy of data subjects

 
Added:
>
>
Privacy is a complex notion. It protects several aspects of an individual's personality. Among these aspects, the ones most commonly invoked are the following: the autonomy, the secrecy, and the anonymity of a person. Because anonymity and secrecy are not always possible (e.g. companies often need to have a list of their employees, a list of their providers and customers, such lists include most of the time some personal data such as names, adresses for deliveries), the GDPR's main goal is to ensure the autonomy of the individuals whose personal data is being processed, through ensuring control by these individuals over their data. Under the GDPR, any natural person (i.e. excluding companies) whose personal data is being processed qualifies as "data subject", and can therefore invoke a series of rights (e.g. the right to be informed,to access and rectify,...). One of the main tool to ensure data subjects' autonomy is the so called "right to be forgotten", that I will analyze in the next section. These rights will apply despite any contrary contractual provisions. The GDPR is not based on contractual freedom, even though it sometimes requires the consent of the data subject as a starting point. But even then, the rules continue to apply to prevent data controller from doing whatever they want with the data. Consent is merely one of the legal grounds authorizing the processing. The processing activity is then regulated and limited by other rules such as data minimization or purpose limitation (which in theory, strongly restrict the possibility to have big data).
 
Changed:
<
<

The Educational Effect

>
>

Right to be forgotten : Protecting the autonomy

 
Changed:
<
<
Under European law, data protection is not just a consumer’s right to be properly informed: it is a fundamental right, incorporated in the Charter of Fundamental Rights of the European Union. Article 8.1 of the Charter states that: “everyone has the right to the protection of personal data concerning him or her”. I think that explaining to the citizens that a violation of data protection law constitutes a violation of their fundamental rights is a powerful symbolic and educational tool. In today’s world, absent any regulations, the notion of privacy would be forgotten faster and progressively, nobody would stand for it anymore. During the recent years, some citizens have successfully invoked their rights under the directive in courts (Costeja Gonzalez, Max Schrems). The rights of the individuals have been extended under the GDPR. As an example, the right to information requires now a more detailed description of the processing activities (5). Thanks to these legal requirements, reading such privacy policy will give a lot of information to the individuals and enables people for whom privacy is a concern to know under which conditions the data relating to them will be processed, and to choose the provider that will not spy on them. Of course, you can lead a horse to water, but you cannot make it drink.
>
>
The right ot be forgotten is the quintessence of the individual's autonomy in protecting their privacy: it allows individuals to object to the processing of their personal data under certain circumstances.
 
Changed:
<
<

The Economic Risk

>
>
Under Google v. Costeja Gonzalez, the claimant, Consteja Gonzalez, objected to the processing of its personal data by a Spanish newspaper and by Google. The claimant objected to the fact that when an internet users entered his name in a search engine, the results showed articles dating back from 1998 mentioning him as being subject to a public auction for the recovery of unpaid social security debts. In particular, the claimant insisted that the procedure had been resolved for many years and that referencing it was now irrelevant. The Spanish data protection authority rejected Costeja Gonzalez's complaint against the newspaper (because it found that the newspaper was processing the information lawfully and for a legitimate purpose) but it upheld the complaint against Google. The cases ended up in front of the European Court of Justice who ruled that Google was also responsible for the processing of the data and that it could be obliged to remove links from its search engine. If this case was advertised as creating a new "right to be forgotten", it is in reality an application of the right to object, on compelling legitimate grounds relating to and individual's particular situation to the processing of data relating to him. This case was based on the current regime of data protection (i.e. the rules set out by the European directive of 1995).

As from may 2018, the GDPR will replace the directive and a new right to be forgotten will be created. Article 17 of the GDPR states that individuals shall have the right to request the erasure of their data when:

  1. the processing of the data is no longer necessary with regard to the purpose for which it was initially collected;
  2. the individual to whom the data relates withdraw his consent (if the data was initially collected based on the consent of the individual);
  3. the individual objects and there are no overriding legitimate grounds for the processing;
  4. the data has been unlawfully processed;
  5. the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; or
  6. the data has been obtained from a child in the offering of an information society services.
 
Changed:
<
<
One of the new features of the GDPR is the possibility for data protection authorities (DPA) to impose significant fines (up to EUR 20,000,000 or 4% of the global turnover of the infringer, whichever is higher) (6). Under the directive, some countries did not foresee the possibility to impose fines. Where such fines were foreseen, the amount at stake were also much lower than under the GDPR. This creates a significant economic risk for companies collecting personal data; certain practices could not be as profitable as before, should such a fine be imposed.
>
>
Whilst we do not have a lot of guidance yet as to how this article will be applied, it appears that it will ensure a strong autonomy of the individuals: they will be entitled to control their data and to decide by whome they want to be forgotten.
 
Added:
>
>

Conclusion: Conflict with freedom of speech?

 
Deleted:
<
<

Conclusion

 
Changed:
<
<
I think that the adoption of regulation is not incompatible with other ways to ensure privacy, such as promoting the use of open sources software. Even if regulation is not a perfect solution towards privacy, I think it is one step in the good direction. It gives enforceable rights to large categories of individuals against a large category of companies that collect their behaviors. As emphasized above, it also helps to raise awareness and to a certain extent, to empower the individuals. By enforcing their rights, individuals could request data protection authority to impose significant fines, thereby creating an economic risk for these companies and a potential preventive effect.
>
>
The question of the conflict of freedom of speech and freedom of information has been taken into account by the court in Costeja Gonzalez. It insisted on the fact that the data controller should balance the right of privacy of the user with the interest of the public to have access to the information. In the new article of the GDPR, it also excluded from the scope of the right to be forgotten, data processing where the controller has an overriding legitimate ground. This kind of regulation also already exist in the USA. American companies are subject to several sectorial regulations which also create restriction on the use of PII and right for the users (e.g. HIPAA, FCRA, etc.). The main difference with the European Union is tha the "centralized" approach of the EU ensure that all sectors abide with the data protection rules. I think therefore that it is not a difference of conception of the freedom of speech, but rather a question of approach towards privacy.
 


Deleted:
<
<

  1. Why do we have "data protection"? Is the point to protect data, or people? If we are protecting people, what is the harm apprehended, and how does law prevent harm?
  2. Are these rules based on contractual freedom? If so, why should we not expect them to be contracted around? If not, what is the condition of market failure or the theory of liability on which the regulation displaces private ordering?
  3. What is the point of having rules that contradict US constitutional free speech guarantees with respect to the operation of US companies? Is the EC trying to create a barrier to market entry consisting of an abandonment of free speech values, the way the Peoples' Republic of China demands censorship in return for market access? If so, is this wise long-term public policy, or just a form of pandering to younger voters, now that the most important possible issue for European regulation---the control of mobile phone roaming charges---has occurred and there is no actual encore available?


ClementLegrandFirstEssay 7 - 10 Jan 2017 - Main.ClementLegrand
Line: 1 to 1
 
META TOPICPARENT name="FirstEssay"
Line: 17 to 17
 

Right to be forgoten

Changed:
<
<
The right ot be forgoten is the quintessence of the individual's autonomy in protecting their privacy. It allows individual to object to the processing of their personal data by a data controler (i.e. any entity who determines the purposes and the means of the processing of the personal data - in other words, if Columbia University decides to automatically collect the information related to my activity on its network (means), in order to ensure security (purpose), it would qualify as "data controler" under the GDPR, should it apply-)under certain circumstances. This rights is however limited to certain circumstances.
>
>
The right ot be forgoten is the quintessence of the individual's autonomy in protecting their privacy. It allows individual to object to the processing of their personal data by a data controler (i.e. any entity who determines the purposes and the means of the processing of the personal data - in other words, if Columbia University decides to automatically collect the information related to my activity on its network (means), in order to ensure security (purpose), it would qualify as "data controler" under the GDPR, should it apply-)under certain circumstances. Under Google v. Costeja Gonzalez, the claimant, Consteja Gonzalez, objected to the processing of its personal data by a Spanish newspaper and by Google. The claimant objected to the fact that when an internet users enterd his name in a search engine, the results showed articles dating back from 1998 mentioning him as being subject to a public auction for the recovery of unpaid social security debts. In particular the claimant insisted that the procedure had been resolved for many years and that referencing it was now irrelevant. The Spanish data protection authority in charge rejected Costeja Gonzalez complaint against the newspapers (because it found that the newspaper was processing the information lawfully and for a legitimate purpose) but it upheld the complaint against Google. Google appealed this decision in front of the Spanish courts, and the Court referred to the European Court of Justice for a preliminary ruling. The ECJ decided that Google was responsible under the European Data protection law and that it should answer to data subjects' objections to the processing of data relating to them.
 


ClementLegrandFirstEssay 6 - 09 Jan 2017 - Main.ClementLegrand
Line: 1 to 1
 
META TOPICPARENT name="FirstEssay"
Line: 10 to 10
 

Introduction

Changed:
<
<
On the 27th of April 2016, the European Union officially published the General Data Protection Regulation (GDPR), replacing a directive dating back from 1995. This regulation intends to regulate, as from the 25 may 2018, the processing (i.e. any operation which is performed on personal data) of personal data (i.e. any information relating to an identified or identifiable natural person) in Europe (2). The European Union opted for the approach of adopting one single normative instrument to regulate every kind of uses of personal data, including collection of data via the Internet. This approach raises several questions. The pervasive nature of the Internet, the constant evolution of the technology, as well as the interests that the States themselves have in collecting information seem to limit the practical effect of adopting regulation in this field. In this paper, I will, shortly but non-exhaustively, develop arguments in favor and against the adoption of such kind of regulation, through examples stemming from the European approach (both under the current European data protection directive and under the GDPR).
>
>
On the 27th of April 2016, the European Union officially published the General Data Protection Regulation (GDPR), replacing a directive dating back from 1995. This regulation intends to regulate, as from the 25 may 2018, the processing (i.e. any operation which is performed on personal data) of personal data (i.e. any information relating to an identified or identifiable natural person) in Europe (2). The European Union opted for the approach of adopting one single normative instrument to regulate every kind of uses of personal data, including collection of data via the Internet. This approach raises several questions. Perhaps the most important one is: how does this regulation achieve its main goal: protecting privacy? The privacy is a complex notion. It protects several aspect of an individual's personality. Among these aspects, the ones most commonly invoked are the following: the autonomy, the secrecy, and the anonymity of a person. Because anonymity and secrecy are not always possible (e.g. companies often need to have a list of their employees, a list of their providers and customers, such lists include most of the time some personal data such as names, adresses for deliveries), the GDPR's main goal is to ensure the autonomy of the individuals whose personal data is being processed, through ensuring control by these individuals over their data. Under the GDPR, any natural person (i.e. excluding companies)whose personal data is being processed qualifies as "data subject", and can therefore invoke a series of rights (i.e. the right to be informed, the right to access, the right to rectify, the right to data portability and the right to be forgotten). The GDPR wants to ensure data subjects can control the use that is made of their data. To a certain extent , it also protects secrecy of the data (by regulating the data controler's disclosure of the data) and the anonymity (for example, by requiring a privacy impact assessement and by requiring data controller to ensure privacy by design). Iwill analyze one the most famous inoovation of the GDPR: the so called "right to be forgoten". I will then analyze if regulation of privacy can interfere with freedom of speech. .
 
Changed:
<
<

Regulation:

>
>

Right to be forgoten and conflict with freedom of information?

 
Changed:
<
<

Protecting data subject's autonomy

>
>

Right to be forgoten

 
Changed:
<
<
The privacy is a complex notion. It protects several aspect of an individual's personality. Among these aspects, the ones most commonly invoked are the following: the autonomy, the secrecy, and the anonymity of a person. Because anonymity and secrecy are not always possible (e.g. companies often need to have a list of their employees, a list of their providers and customers, such lists include most of the time some personal data such as names, adresses for deliveries), the GDPR's main goal is to ensure the autonomy of the individuals whose personal data is being processed, through ensuring control by these individuals over their data. Under the GDPR, any natural person (i.e. excluding companies)whose personal data is being processed qualifies as "data subject", and can therefore invoke a series of rights (i.e. the right to be informed, the right to access, the right to rectify, the right to data portability and the right to be forgotten). The GDPR wants to ensure data subjects can control the use that is made of their data. To a certain extent , it also protects secrecy of the data (by regulating the data controler's disclosure of the data) and the anonymity (for example, by requiring a privacy impact assessement and by requiring data controller to ensure privacy by design).
>
>
The right ot be forgoten is the quintessence of the individual's autonomy in protecting their privacy. It allows individual to object to the processing of their personal data by a data controler (i.e. any entity who determines the purposes and the means of the processing of the personal data - in other words, if Columbia University decides to automatically collect the information related to my activity on its network (means), in order to ensure security (purpose), it would qualify as "data controler" under the GDPR, should it apply-)under certain circumstances. This rights is however limited to certain circumstances.
 


ClementLegrandFirstEssay 5 - 04 Jan 2017 - Main.ClementLegrand
Line: 1 to 1
 
META TOPICPARENT name="FirstEssay"

Changed:
<
<

Regulating Privacy: What Is the Point?

>
>

Amending in progress Regulating Privacy: What Is the Point?

 -- By ClementLegrand - 03 Nov 2016

Introduction

Changed:
<
<
On the 27th of April 2016, the European Union officially published the General Data Protection Regulation (GDPR) (1), replacing a directive dating back from 1995. This regulation is 88 pages long and intends to regulate, as from the 25 may 2018, the processing (i.e. any operation which is performed on personal data) of personal data (i.e. any information relating to an identified or identifiable natural person) in Europe (2). The European Union opted for the approach of adopting one single normative instrument to regulate every kind of uses of personal data, including collection of data via the Internet. This approach raises several questions. The pervasive nature of the Internet, the constant evolution of the technology, as well as the interests that the States themselves have in collecting information seem to limit the practical effect of adopting regulation in this field. In this paper, I will, shortly but non-exhaustively, develop arguments in favor and against the adoption of such kind of regulation, through examples stemming from the European approach (both under the current European data protection directive and under the GDPR).
>
>
On the 27th of April 2016, the European Union officially published the General Data Protection Regulation (GDPR), replacing a directive dating back from 1995. This regulation intends to regulate, as from the 25 may 2018, the processing (i.e. any operation which is performed on personal data) of personal data (i.e. any information relating to an identified or identifiable natural person) in Europe (2). The European Union opted for the approach of adopting one single normative instrument to regulate every kind of uses of personal data, including collection of data via the Internet. This approach raises several questions. The pervasive nature of the Internet, the constant evolution of the technology, as well as the interests that the States themselves have in collecting information seem to limit the practical effect of adopting regulation in this field. In this paper, I will, shortly but non-exhaustively, develop arguments in favor and against the adoption of such kind of regulation, through examples stemming from the European approach (both under the current European data protection directive and under the GDPR).
 
Changed:
<
<

Regulation: Pro and Cons

The Territorial Limitation

>
>

Regulation:

 
Added:
>
>

Protecting data subject's autonomy

 
Changed:
<
<
The cyberspace has no borders. A company located in the Silicon Valley can offer its services online to the entire world and collect all kinds of data relating to its users, without having any branch outside of the United States. On the contrary, regulations are very often bound to a specific territory. In certain cases, rules apply to categories of legal entities linked to an organization. But in any case, such limitation of the regulation’s scope to certain places or entities seems to make regulation of privacy on the Internet impossible. As a result, one could question the efficiency of a regulation, especially when it comes to the enforcement of the rights it protects on the other side of the planet. However, this limitation to a territory with respect to data protection should be nuanced. In theory, the GDPR will be applicable to all companies offering services or collecting information regarding European behaviors through a website accessible in Europe (3). In practice, under the current Directive, the European Court of Justice (ECJ) applied the European data protection law to a processing carried out by Google Inc. in California. The ECJ decided that, despite the fact that Google's Spanish entity was not involved directly in the processing of personal data by Google Inc. (the Spanish entity was only in charge of selling advertisements), such processing took place "in the framework" of an establishment of Google, located in Spain (4). Even though the global aspect of the Internet does not allow to regulate every entities processing personal data, regulation can have an extraterritorial effect.
>
>
The privacy is a complex notion. It protects several aspect of an individual's personality. Among these aspects, the ones most commonly invoked are the following: the autonomy, the secrecy, and the anonymity of a person. Because anonymity and secrecy are not always possible (e.g. companies often need to have a list of their employees, a list of their providers and customers, such lists include most of the time some personal data such as names, adresses for deliveries), the GDPR's main goal is to ensure the autonomy of the individuals whose personal data is being processed, through ensuring control by these individuals over their data. Under the GDPR, any natural person (i.e. excluding companies)whose personal data is being processed qualifies as "data subject", and can therefore invoke a series of rights (i.e. the right to be informed, the right to access, the right to rectify, the right to data portability and the right to be forgotten). The GDPR wants to ensure data subjects can control the use that is made of their data. To a certain extent , it also protects secrecy of the data (by regulating the data controler's disclosure of the data) and the anonymity (for example, by requiring a privacy impact assessement and by requiring data controller to ensure privacy by design).
 

Line: 43 to 42
 


Deleted:
<
<
(1) Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

(2) Article 4 (1) and 4(2) of the GDPR.

(3) Article 3.2 of the GDPR.

(4) ECJ, Google Spain v. Costeja Gonzalez, C-131/12 (May 13, 2014).

(5) Article 12-14 of the GDPR.

(6) Article 83.5 of the GDPR.

Why use this endnote approach in writing for the web? Make useful links here, so the reader can go directly from your sentence to the relevant provision, substantiating what you are saying and dealing with the text itself rather than paraphrase.


 

Deleted:
<
<
The question with which you title the essay is a good one, but it was never even slightly answered. Instead we have only a paraphrase of statutory material never actually used or discussed, and a series of lightly-expressed policy arguments that don't tell us what the point is. So, in the next draft, let's try to find out what is the point:
 
  1. Why do we have "data protection"? Is the point to protect data, or people? If we are protecting people, what is the harm apprehended, and how does law prevent harm?
  2. Are these rules based on contractual freedom? If so, why should we not expect them to be contracted around? If not, what is the condition of market failure or the theory of liability on which the regulation displaces private ordering?

ClementLegrandFirstEssay 4 - 27 Nov 2016 - Main.EbenMoglen
Line: 1 to 1
 
META TOPICPARENT name="FirstEssay"
Line: 54 to 54
 (5) Article 12-14 of the GDPR.

(6) Article 83.5 of the GDPR.

Added:
>
>

Why use this endnote approach in writing for the web? Make useful links here, so the reader can go directly from your sentence to the relevant provision, substantiating what you are saying and dealing with the text itself rather than paraphrase.


The question with which you title the essay is a good one, but it was never even slightly answered. Instead we have only a paraphrase of statutory material never actually used or discussed, and a series of lightly-expressed policy arguments that don't tell us what the point is. So, in the next draft, let's try to find out what is the point:

  1. Why do we have "data protection"? Is the point to protect data, or people? If we are protecting people, what is the harm apprehended, and how does law prevent harm?
  2. Are these rules based on contractual freedom? If so, why should we not expect them to be contracted around? If not, what is the condition of market failure or the theory of liability on which the regulation displaces private ordering?
  3. What is the point of having rules that contradict US constitutional free speech guarantees with respect to the operation of US companies? Is the EC trying to create a barrier to market entry consisting of an abandonment of free speech values, the way the Peoples' Republic of China demands censorship in return for market access? If so, is this wise long-term public policy, or just a form of pandering to younger voters, now that the most important possible issue for European regulation---the control of mobile phone roaming charges---has occurred and there is no actual encore available?

 \ No newline at end of file

Revision 8r8 - 10 Jan 2017 - 15:49:03 - ClementLegrand
Revision 7r7 - 10 Jan 2017 - 01:06:03 - ClementLegrand
Revision 6r6 - 09 Jan 2017 - 17:24:40 - ClementLegrand
Revision 5r5 - 04 Jan 2017 - 22:07:30 - ClementLegrand
Revision 4r4 - 27 Nov 2016 - 14:24:39 - EbenMoglen
Revision 3r3 - 04 Nov 2016 - 14:13:50 - ClementLegrand
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM