Information Privacy in the Digital Age – Introduction
Spring 2016
Dr. Tal Zarsky [University of Haifa – Faculty of Law]

Introduction to Introduction:
• Various privacy problems addressed in the public debate and technological discourse
• Strive to address both theory and practice
• Will map out the main issues addressed here

Why Privacy is “Exploding” Now
• Collection: Omnipresent, Quantity leap, Quality leap
• Analysis: Digital environment, easy to “warehouse”
• Use: Narrowcasting, tailored content and the “feedback loop”

The Challenge of Identifying Privacy Problems
Privacy concerns:
• Privacy is a “tricky” concept
• Three “mega” problems stemming from the collection of personal data:
  (1) Fear the data will be used by government, or passed on to it
  (2) Fear of the collection of personal data per se (collection on its own is bad enough)
  (3) Fear of the specific detriments stemming from the use of personal data (the “so what?” approach)

Identifying the problems – Fear of Collection per se
Specific concerns:
• Loss of control over data, self-monitoring, conformity, inability to form intimacy, loss of autonomy
Overall response – social adaptation

Identifying the problems: Metaphors we live by
The powerful metaphors (and the problems they cause):
• “1984”
• Kafka (“The Trial”, “The Castle”)
• “Brave New World”
• Bentham’s “Panopticon”

Common responses to “Privacy claims”
Privacy creates:
• Social costs: reputation, search expenses (waste)
• Security costs (inability to track terrorists, criminals, diseases)
• Free Speech Arguments (Sorrell)

Identifying “actual” problems
• Abuse
• Discrimination:
  (1) In general
  (2) Problematic Factors
  (3) Based on prior patterns of behavior
• Autonomy and Manipulation

Autonomy:
• Difficult and problematic concept
• “Insight” into the users’ preferences allows content providers to effectively manipulate them
• On the other hand, autonomy is possibly compromised when personal data is analyzed without consent.

Overview of solutions (1)
• “The Right of Privacy” (1890)
• Torts – the Four Privacy Torts (Prosser, 1960): Intrusion, Disclosure of Private Facts, False Light, Appropriation – garden variety of rights
• The EU Directive – and overall perspective (understanding secondary sale & secondary Use; Opt In vs. Opt Out)
• The Fair Information Practices – Notice, Access, Choice, Security and Enforcement
  • In the EU – also purpose specification, minimization, proportionality.
• The U.S. Patchwork –
  • Protected realms - Health (HIPAA)
  • Protected Subjects - Children (COPPA)
  • Protected forms of Data (“Sensitive Data”)

Overview of solutions (2)
• Why Torts (usually) fail – and the realm of today’s data collection
  • Example: DoubleClick and “cookies”
• The contractual and property perspective (for example: default and mandatory rules)
• The technological solution (P3P, Lessig)

The shortcoming
• Market failures (high information and transactional costs) – people are happy to sell their privacy for very, very cheap!
• Negative externalities (inferences from one group to another, and from group to individual)
• Loss of Benefits (loss of subsidy to start ups, loss of data derived from analysis)

Classic Privacy Themes
• Theories of Privacy and their Critiques
• The Privacy Torts/Privacy and/in the media
• Privacy and the Government
  • Digital Surveillance, National Security
  • Using Private Data Sets/Data Mining
• Privacy in the Commercial Realm
  • Online Privacy/Behavioral Marketing/Privacy by Design

Classic Privacy Themes (2)
• Anonymity, Pseudonymity, Identity and Transparency
• Data Security, Cyber-security, Cyber Crime
• Social Networks and Online Social Networks
  • Uniqueness of exposing a social graph
• Medical Privacy
  • The curious case of genetic information
• Privacy in the Workplace (monitoring, evaluating, recruiting)

Data Protection and the EU
• 1995 – the EU adopts the Data Protection Directive
• A Directive sets a minimal standard.
• Broad spectrum of levels of adoption throughout the continent.
• Directive premised on FIPPs.
• Sets jurisdictional boundaries and relies upon the work of DPAs.

Foundations of EU Privacy Law
• European member states adopt data protection laws.
• EU Charter of Rights now includes privacy and data protection.
• Therefore court can strike down Directives.
  • Digital Rights Ireland.
• ECJ – relevant court
  • Growing set of case law.

Regulating Data Transfers
• Data may not be sent beyond the EU – unless specific exceptions apply:
  • Specific agreement (safe harbor)
  • Adequate country (Israel, Canada).
  • Consent
  • Internal compliance programs.
  • And other options…
• Faces substantial challenges in the age of cloud computing.

Next for the EU – the GDPR
• Regulation vs. Directive
• Subject to substantial lobbying pressures.
• Enhanced Jurisdiction
• Additional provisions.
• Substantial fines.

Extending the EU’s Influence
• EU Market is substantial
• Yet affects firms outside the EU.
• International firms apply a uniform standard – the EU standard.
• Difficult to explain to domestic consumers why they are worse off.
• A new form of colonialism?
• Yet some countries push back.

US/EU Safe Harbor (cancelled)
• U.S. received special “treatment”:
  • U.S. firms registered and were supervised by the FTC.
• In Schrems, the agreement was struck down.
  • Argument: insufficient redress with respect to the risk of government surveillance.
• Important lesson regarding the power of the individual.

Shield Agreement
• Yet to be approved.
• Supplemented by laws providing redress by EU citizens towards the USG.
• Main complaint against Safe Harbor – too lax enforcement by the FTC:
  • Lack of incentives.
  • Lack of manpower.
• Discussions as to how this could be corrected.

Next Steps on the International Level
• GDPR compliance
• Agreements in Asia

Additional European Sources
• Council of Europe (CoE)
• OECD documents.
• ECtHR rulings (based on the HR charter).