data protection in an age of user-generated content (wyng-hatton lecture 2016)
TRANSCRIPT
Data Protection in an Age of User-Generated Content
Dr. David ErdosUniversity of Cambridge
History of Personal Data Protection (DP)Europe the “cradle” of DP & remains strong
champion.Indirect germs of this idea long & deep
roots:Rights of personality, privacy, identity & honour.Turn to human rights post World War II.
Direct origins are rather recent:1973: First national law & first transnational
instrument.1980s: DP Convention & spread of laws in
Europe1990s: DP EU Directive.2000s: DP EU fundamental right & global
spread of laws2010s: DP EU Regulation; global spread
continues.
The Rise of Electronic Data Processing
Moore’s Law (1965): computing power will exponentially increase.
Not just a question of storage but also e.g. collection, organization, dissemination and retrieval.
Oren Blomberg on Flickr
European Data Protection (DP): Default Scope
Personal Data:
Regulated Processing:
Purposive Scope:
Luxembourg CNPD
“any information relating to an identified or identifiable individual” (A. 2 (a))
“any operation”. Always regulated if even partly automated.
“protect the fundamental rights and freedoms of natural persons, and in particular their right to
privacy”
European DP: Default Substance
Personal Data
Processing
DP Principles• Fair & lawful, • Purpose quality
& limits• Information quality & limits
LegitimationConsent ,
necessary balance etc.
Transparency & Control
• Proactive Duties• Retroactive
Duties• Objection rights
Sensitive Data
• Health life• Sex life• Racial origin• Politics• Religion etc.
Discipline• Data Security• Data
Management• Export Control
Enforcement• Judicial remedy • DP Authority• European
Supervision
Derogations/exemptions to establish equilibrium with other rights and interests
User-Generated Content: 1980s-presentOnline publication initially seen as
informational:
But success generally rested on user communication:
Stress on user communication has gathered pace:
“It is essential to understand that Viewdata was initially designed for the dissemination of … information.” (Fedida & Malik, 1979)
“Minitel offers both information and games, but above all a forum where readers can make themselves heard.” (Marchand, 1988)
“In the era of so-called web 2.0 most content available online is user-generated …interacting … unprecedented forms of
collaboration.” (Cunha et. al., 2012)
UGC 1980s: Early Nature & Early Concern
International Conference of DP Commissioners on New
Media 1983
“[P]ersonal data of all kinds can be widely disseminated at small
cost … [S]uppliers and subscribers are publishing
sensitive data”
“[M]ust not violate personal rights … … [including] legal
regulations … in one country … can be circumvented in another.”
Images taken at Centre for Computing History, Cambridge
Court of Justice of EU: Lindqvist (2003)Facts: Lindqvist published data on some 18 fellow volunteers including of leg-injury (& that on half-time work).
1. Lindqvist was not exempt from data protection:“publication … accessible to an indefinite number of people” (at [47])
2. Lindqvist had published health/sensitive data:“all aspects, both physical and mental, of the health of an individual” (at [50])
3. Not “artistic or literary” purpose but need for rights balance:
“Lindqvist’s freedom of expression … and her freedom to carry out activities contributing to religious life have to be weighed against the protection of the private life” (at [86])
Health Discussion Sites: Italian DPA (2012)Acknowledges value for scientific knowledge & mutual
support.Publication of health data on Internet posed specific
risks.
Focus on proactive responsibilities of Site Manager:Allow for & flag up possibility of pseudonymity.Specify if published data available beyond registered users.Specify if published data available to search engines.Warn users to be careful regarding identifying data or
images.Warn users to be especially careful about third party
identification (even indirect).Facilitate & mention empowerment rights (updating,
rectification, erasure, objection).
UGC & the Internet of ThingsRise of systematic recording e.g. of fitness & sleep.Data often socially published e.g. to foster +ve
competition.Significant knowledge, wellbeing and self-creation
benefits.Serious data protection risks.
EU DPA Article 29 Working Party (2014):• Default settings should ask users to review/edit/decide on information generated before publication on social platforms.• Socially published information should not be indexed by
search engines by default.
Mike Mozart on Flickr
FitBit UGC Privacy Scandal 2011
“Right to be Forgotten” Ruling (2014)DP concern about searching & public content from
early 1980s.
Rise of general search engines in mid-1990s was a game changer.
But, for many years often seen as “off limits” from European DP:Transnational jurisdictional problems,Ideology of engines as “neutral intermediary”,Freedom of expression concerns & divergences,Impracticability of many DP standards.
Whilst myriad issues remain, 2014 CJEU decision marked key shift.
Google Spain (2014): Three Key Elements“[T]he processing of personal data … search engine can be
distinguished from and is additional to that carried out by publishers of websites” (at [35])
“[D]ata subject … request that the information in question not longer be made available … override, as a rule, not only the
economic interest of the operator of the search engine but also the interest of the public in finding that information upon a
search relating to the data subject’s name.” (at [97])
“Article 8 of the [EU] Charter [of Fundamental Rights] expressly proclaims the right to the protection of personal data” (at [69])
Final Thoughts
European DP champions critical noble & “at risk” values.
European DP in many ways not in good health.Interface with UGC epitomises many of European DP’s
problems.How can we create a legal, contextual, protective and
effective framework going forward?
“[D]ata protection was after all from its earliest days an impossible task.”
(Prof. Spirios Simitis (Hessian DP Supervisor 1975-1991), Montreal 1997)