Data Protection and Privacy: (In)visibilities and Infrastructures

The European Union, in its texts and communications, has mostly avoided using the terms ‘natural rights’ and ‘human rights’, instead adopting the phrase ‘fundamental rights’. The question is, however, what this concept actually entails and whether, and if so, how it differs from the more classic understanding of human rights. This question is important because data protection has been disconnected from the right to privacy in EU legislation and has been coined a fundamental right itself. The Charter of Fundamental Rights of the European Union grants citizens the right to privacy in Article 7 and the right to data protection in Article 8. The question is what this means and whether protecting personal data should in fact be qualified as ‘fundamental’.

More and more offline devices are weaved into the Internet of Things. Besides beneficial effects, the ubiquitous digitization also poses substantial risks for users’ privacy and self-determination. In this paper, we discuss whether a right to offline alternatives, hence to lead a non-digital life, might be a reasonable demand to counter such worries. In the search for answers, we investigate the – possible – societal utility and reasonability of such an ambition, as well as potential damages individuals or even the society might suffer, if such a right would be established. Furthermore, relevant aspects of the current legal framework are presented, followed by an analysis of former and ongoing Internet of Things regulation initiatives, asking whether the right to offline alternatives may have already been recognized and part of regulatory balancing processes.

The Internet of Things (IoT) creates an intelligent, invisible network fabric that can be sensed, controlled and programmed, in ways that enable artefacts to communicate, directly or indirectly, with each other and the internet. This network is rapidly and increasingly evolving into the networked connection of people, processes, data and things (i.e., the web of “everything”). While the latter promises to improve our lives, by anticipating our preferences, optimizing our choices and taking care of many daily habits, the evolution of IoT is likely to raise new legal and technological challenges. This paper examines four challenges in the fields of privacy and data protection. Drawing on today’s debate on the architecture, standards, and design of IoT, these challenges concern: (i) the realignment of traditional matters of privacy and data protection brought on by structural data sharing and new levels and layers of connectivity and communication; (ii) collective, rather than individual, data protection; (iii) technological convergence, e.g. robotics and other forms of artificial agency, that may impact some further pillars of the field, such as data controllers; and, (iv) the relation between technological standards and legal standards. Since, properly speaking, we still do not have a universal IoT, current debate represents an opportunity to take these legal challenges seriously, and envisage what new environment we may wish.

mHealth has the potential to transform health care by providing more timely and universal access to patients’ and users’ data. However, the potential for continuous patient monitoring and the ubiquitous exchange of sensitive health information, raise important questions about privacy and security. A recent development in the ongoing debate about privacy and mHealth is the Draft Code of Conduct on privacy for mobile health applications. Developed by mHealth industry organisations and facilitated by the European Commission, the Code is expected to foster trust amongst users of mobile applications processing data concerning health (at least where the developers of an mHealth app abide by the Code). This chapter’s aim is to present the Code, and, on this basis, analyse the EU’s legal framework on mobile technologies processing personal data, including health data.

Particular applications of Privacy by Design (PbD) have proven to be valuable tools to protect privacy in many technological applications. However, PbD is not as promising when applied to technologies used for surveillance. After specifying how surveillance and privacy are understood in this paper, I will highlight the shortcomings of PbD when applied to surveillance, using a web-scanning system for counter-terrorism purposes as an example. I then suggest reworking PbD into a different approach: the Minimum Harm by Design (MHbD) model. MHbD differs from PbD principally in that it acknowledges that the potential harms of surveillance bear not only upon privacy but also values that define the very constitution of a society and its political character. MHbD aims to identify and systematise the different categories of such harms and links them to current theories on surveillance on the one hand and on possible design measures on the other.

Tomorrow, the rise of the Internet of Things will allow us to collect and process a growing amount of real-time data related to our body. This phenomenon will unlock new opportunities both in health- and non-health-related sectors but also challenge the frontiers of what we used to consider private. Beyond these frontiers, not all data is created with the same level of sensitivity and risk, and we propose a new taxonomy based on purpose rather than anticipated sensitivity of the personal data collected. We believe this new taxonomy can help companies govern data flows in a way that strikes a better balance between the protection of personal data, drawing examples from both the European Union and the United States regulatory context, and research and innovation opportunities as well as incentivizes them to develop more user-centric business models. In the end, a better governance of personal data can help citizens become more responsible for the choices they make.

This paper describes a privacy engineering framework for the Internet of Things (IoT). It shows how existing work and research on IoT privacy and on privacy engineering can be integrated into a set of foundational concepts that will help practice privacy engineering in the IoT. These concepts include privacy engineering objectives, privacy protection properties, privacy engineering principles, elicitation of requirements for privacy and design of associated features. The resulting framework makes the key difference between privacy engineering for IoT systems targeting data controllers, data processors and associated integrators, and privacy engineering for IoT subsystems, targeting suppliers.

Despite the continuing rise of data breaches in the United Kingdom’s health sector there remains little evidence or understanding of the key causal factors leading to the misuse of health data and therefore uncertainty remains as to the best means of prevention and mitigation. Furthermore, in light of the forthcoming General Data Protection Regulation, the stakes are higher and pressure will continue to increase for organisations to adopt more robust approaches to information governance. This chapter builds upon the authors’ 2014 report commissioned by the United Kingdom’s Nuffield Council on Bioethics and Wellcome Trust’s Expert Advisory Group on Data Access, which uncovered evidence of harm from the processing of health and biomedical data. One of the review’s key findings was identifying maladministration (characterised as the epitome of poor information governance practices) as the number one cause for data breach incidents. The chapter uses a case study approach to extend the work and provide novel analysis of maladministration and its role as a leading cause of data breaches. Through these analyses we examine the extent of avoidability of such incidents and the crucial role of good governance in the prevention of data breaches. The findings suggest a refocus of attention on insider behaviours is required, as opposed to, but not excluding, the dominant conceptualisations of data misuse characterised by more publicised (and sensationalised) incidents involving third-party hackers.

It seems generally accepted that the major threat for company security occurs from within the organisation itself. Given the potential threats for the value attached to information resources, companies are increasing their efforts to counteract these risks, introduced by employees. Many company security technologies are strongly focused on analysing employee behaviour. An example of such a monitoring tool is MUSES (Multiplatform Usable Endpoint Security). MUSES is a user-centric security system that aims to enhance company security by reducing security risks introduced by user behaviour. However, even though the monitoring of employees may be beneficial to secure company data assets, the monitoring of employees is restricted by privacy and data protection regulation. In this paper, we use one MUSES component, namely the Real-Time Risk and Trust Analysis Engine (MUSES RT2AE), as a use case to study in which way privacy and data protection legislation limits the monitoring of employees through company security technologies.

Modern information systems reach a degree of complexity which is inscrutable for citizens. The transparency regulations of data protection law try to counteract this. However, it is unknown how effective these regulations are. To our knowledge, there is no convincing study on the state of corporate compliance with transparency regulations available. We set up a quantitative and qualitative study with a sample of 612 representative companies. We evaluated the transfer of personal data, the compliance with transparency requirements on commercial e-mails, and the compliance with requirements derived from the right of access. In the process, we took advantage of automated analysis with e-mail honeypots but used also individual assessments of information provided by companies. We found out that most companies do not transfer personal data without consent. Requirements on commercial e-mails are fulfilled as well. However, the situation of the right of access is much worse. Most information provided by companies is insufficient.

Starting on Tuesday with a clash of lightsabres between Peter Swire and Max Schrems and