Sible 09

“Whither data protection in a world of global data flows?” Lilian Edwards, Professor of Internet Law, Sheffield Law School. Pangloss: http://www.blogscript.blogspot.com. SIBLE, November 2009.


How problems with data protection law affect scientific researchers, especially when sharing large datasets with colleagues around the globe: issues and possible solutions.

Transcript of Sible 09

Page 1

“Whither data protection in a world of global data flows?”

Lilian Edwards, Professor of Internet Law

Sheffield Law School; Pangloss: http://www.blogscript.blogspot.com

SIBLE, November 2009

Page 2

Orientation

Not a medical or biotechnology researcher but an Internet lawyer; more interested in protecting data subjects (DS) than in enabling free use of personal data by data controllers.

Longstanding DP work on the best solution to the problem of transnational data flows, but mainly in the commercial/consumer world.

Problems are inherent in DP, since rules conceived for the mainframe world are being applied to a globalised, digitised, Internet/Web 2.0 world.

Page 3

What scientists/researchers ask me

Legal issues? Who owns the data? IP (copyright, database right (EC only), licence terms, open data).

Who is the data controller at any given time? (DP law applies only IF “personal data” is involved: is the data adequately anonymised? See Source Informatics.)

Are there subject access rights?

How can the data be used? (DP, contractual terms, breach of confidence.)

Licence issues: how do you want your data to be re-used?

What if public and private data are mashed up? FOI, PSI and IP implications: is the data now part of the “public domain”? Eg the PSI re-use rules in the EC. Policy issues, eg should Ordnance Survey in the UK license its geospatial data for free, as in the USA?

What if data is exported from the EC? (DPD, Arts 25 and 26.)

Page 4

Problems with DP in cyberspace

Globalisation: the Internet and digitisation allow rapid global spread, sharing and mirroring of data.

Data export is a key part of corporate and multinational strategy: outsourcing, M&A, data as capital.

Modern systems make the situs of the data non-transparent, and sometimes the identity of the data controller too (“Software as a Service”, the “cloud”); this affects not just corporate users, eg Gmail, Sheffield Uni!

Now also becoming a key part of large-database research.

=> Legal problem: what is the point of protecting personal data within the EU if the protection is lost when the data is exported to a country with no, or different, protection?

Page 5

EC DP terminology

“Data controller”: a person or company who determines the purposes and manner of the data processing.

“Data processor”: the person who processes the data on behalf of the data controller. Cf the SWIFT case.

“Data subject”: the person who is the subject of the personal data.

“Personal data”: data which relates to a living individual who can be identified from that data, or from that data together with other information which is in, or is likely to come into, the possession of the data controller (UK DPA 98, s 1). Cf DPD Art 2: personal data is “any information relating to an identified or identifiable natural person”.

Page 6

EC regime : DP Principles (DPD art 6; UK DPA 98, Sched 1)

1. Personal Data shall be processed lawfully and fairly.

2. Personal Data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in a manner incompatible with those purposes (“purpose limitation”).

3. Personal data shall be adequate, relevant and not excessive in relation to the purposes for which it is processed.

4. Personal data shall be accurate and, where necessary, kept up to date (“integrity”).

Page 7

DP Principles (cont.)

5. Personal data shall not be kept for longer than is necessary for its purpose (“retention”).

6. Personal data shall be processed in accordance with the rights of data subjects (“transparency”).

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing (“security”).

8. Restriction on transferring personal data to countries that do not provide adequate data protection.

Page 8

“International” DP: Principle 8

This principle has opened an important debate about the extraterritoriality of the DPA and the European Directive.

“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

Page 9

Minimum European requirements for adequacy (DPD Art 25(2), as elaborated by the Art 29 Working Party in WP12)

The law (or “soft” law) of the importing country must contain: the purpose limitation principle; the data quality and proportionality principle; the transparency principle; the security principle; rights of access, rectification and opposition; and restrictions on onward transfers.

Only a handful of jurisdictions have been formally found adequate by the Commission: Switzerland, Hungary (before accession), Canada, Argentina, and the Crown dependencies of Guernsey, the Isle of Man and Jersey (plus the separate US “Safe Harbor” arrangement, below).

Page 10

Practical issues for the science/research community

Distributed data, distributed processing. Trends in this direction (XML, Semantic Web, Grid, cloud computing) mean that the locus of processing, and who is the DC at any given time, may not be transparent.

Eg an international research project with large databases held at Stanford, Sheffield and Mumbai. What if a US researcher uses data from all sources and combines them? Likely to involve export of the UK data, so the UK researchers will have to find a legal basis IF it is personal data.

Data may be anonymised. But what if new data created in the process from two anonymised sources turns out to be identifiable data? See the DPD and UK definitions of PD: identifiability is judged against the other information the controller holds or is likely to obtain, so the combined dataset can be personal data even though neither source was.

National/EC project? But a mirror site abroad may be used at high-volume times, or back-ups may be kept abroad (or in “the cloud”).

The future? Semantic Web: data held anywhere, tagged for possible use in processing by any data controller, anywhere, anytime?

Page 11

Issues for individuals?

1. Research: individuals may help process others’ PD, as in a decentralised SETI@home-type project (5.2m people involved). Are they data controllers (=> duties of notification, security, subject access?) or mere data processors?

2. Private DCs? Suppose everyone tags their own PD for Semantic Web (etc) use, and the PD of others too (cf Facebook photos)? What if other individuals (eg outside the EU) then process it to create new web-based mash-ups?

See Lindqvist (ECJ): merely making personal data (photos) available to the world on a website was processing, but NOT a data export outside the EU by a DC. But is tagging more active? Lindqvist did not fall within the domestic purposes exception.

Page 12

“Get out of jail free” cards: Art 26 DPD, Sched 4 DPA 98

Unambiguous consent of the data subject to the transfer. Note: purpose/scope? Expiry? Will the database owner get this consent?

Transfer necessary for the conclusion of a contract between DS and DC (usually commercial).

Transfer necessary for reasons of “substantial public interest” (usually criminal enforcement).

Model contractual clauses approved by the European Commission, which provide adequate safeguards for the rights and freedoms of the DS; NOT needed if the export is only to a “data processor”.

EU/US “Safe Harbor”: a special regime for US companies. A dead letter?

Binding corporate rules (a last resort).

Health/research exemptions: see Taylor’s talk.

Suspect the main get-out actually used is anonymisation?

Page 13

Do any of these represent a solution for the science/R&D community?

Not easily. DP was not meant to be about broad, vague consent; the purpose limitation principle (and the retention principle) militates against it.

NB the consent needed is that of the DS, not of the database owner.

Could “substantial public interest” be expanded??

Standard contract clauses between eg Sheffield and Stanford could only operate where the contract is entered into “at the request of the DS” or is “in the interests of the data subject”??

Could we re-invent “standard research data export clauses”? Or a “safe harbor” for accredited academic institutions? Or “binding research institution rules”?

How would audit/enforcement/rules on onward transfer work? Is it in the DS’s interests?

Page 14

Some alternative ideas

The DPD is coming up for revision. Abandon one-size-fits-all: replace DP export (etc) controls for the public/R&D sector with more prior privacy impact assessment and privacy engineered in (“privacy by design”)?

Reduce the effect of Lindqvist; wider exemptions for “domestic” users?

Clarify what constitutes anonymisation? It is increasingly possible to de-anonymise. For profiled data, “nymity” is not the point; identifiability is.

Replace notification with expanded subject access rights, online by default, where data use can be tracked and the DS can opt out at any time? Could the Semantic Web help here?

Scrap DP export controls altogether? The business choice.
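Slides 10 and 14 both turn on one technical point: two datasets that are each “anonymised” can be combined into identifiable data, which is why “identifiability, not nymity” is the right test. The following is an added worked example, not code from the talk or its author. It links a constructed research extract (names stripped, but date of birth, sex and postcode retained) against a constructed public register (names, but no health data) on those shared quasi-identifiers, then shows the k-anonymity check and the generalisation a data exporter could apply before release. All records, names and postcodes are invented for the example.

```python
"""Linkage (re-identification) attack on two separately 'anonymised' datasets,
and the k-anonymity check a data exporter could run before release.

Added example for the anonymisation points on slides 10 and 14. The datasets
below are constructed for illustration and are not taken from the talk.
"""
import re
from collections import Counter, defaultdict

# Quasi-identifiers: fields that are not names but together single people out.
QUASI_IDENTIFIERS = ("dob", "sex", "postcode")

# Constructed dataset A: a research extract with names removed. On its own the
# holder may well regard it as anonymised.
RESEARCH_EXTRACT = [
    {"dob": "1961-07-13", "sex": "F", "postcode": "S10 2TN", "diagnosis": "hypertension"},
    {"dob": "1961-09-21", "sex": "F", "postcode": "S3 7RH", "diagnosis": "depression"},
    {"dob": "1975-02-02", "sex": "M", "postcode": "S10 2TN", "diagnosis": "asthma"},
    {"dob": "1975-02-02", "sex": "M", "postcode": "S3 7RH", "diagnosis": "diabetes"},
    {"dob": "1988-11-30", "sex": "F", "postcode": "S3 7RH", "diagnosis": "migraine"},
    {"dob": "1988-11-30", "sex": "F", "postcode": "S3 7RH", "diagnosis": "fracture"},
]

# Constructed dataset B: a public register (cf. an electoral roll) that carries
# names but no health data, so it too "contains nothing sensitive".
PUBLIC_REGISTER = [
    {"name": "A. Patel", "dob": "1961-07-13", "sex": "F", "postcode": "S10 2TN"},
    {"name": "B. Jones", "dob": "1961-09-21", "sex": "F", "postcode": "S3 7RH"},
    {"name": "C. Okafor", "dob": "1975-02-02", "sex": "M", "postcode": "S10 2TN"},
    {"name": "D. Smith", "dob": "1975-02-02", "sex": "M", "postcode": "S3 7RH"},
    {"name": "E. Brown", "dob": "1988-11-30", "sex": "F", "postcode": "S3 7RH"},
    {"name": "F. Green", "dob": "1988-11-30", "sex": "F", "postcode": "S3 7RH"},
    {"name": "G. White", "dob": "1990-01-05", "sex": "M", "postcode": "S1 4AA"},
]


def qi_key(row, fields=QUASI_IDENTIFIERS):
    """The quasi-identifier tuple on which the two datasets are joined."""
    return tuple(row[f] for f in fields)


def link(extract, register, fields=QUASI_IDENTIFIERS):
    """Join the extract to the register on quasi-identifiers.

    Returns (name, diagnosis) pairs for every extract row whose key matches
    exactly one registered person. Those rows are now personal data, although
    neither input dataset held both a name and a diagnosis.
    """
    candidates = defaultdict(list)
    for person in register:
        candidates[qi_key(person, fields)].append(person["name"])
    reidentified = []
    for row in extract:
        names = candidates.get(qi_key(row, fields), [])
        if len(names) == 1:  # unique match; ambiguous keys are left alone
            reidentified.append((names[0], row["diagnosis"]))
    return reidentified


def k_anonymity(rows, fields=QUASI_IDENTIFIERS):
    """Size of the smallest group of rows sharing one quasi-identifier tuple.

    k == 1 means at least one row is unique on its quasi-identifiers and is
    exposed to exactly the linkage performed by link().
    """
    groups = Counter(qi_key(r, fields) for r in rows)
    return min(groups.values()) if groups else 0


def generalise(rows):
    """Coarsen quasi-identifiers before release: year of birth only, and the
    postcode area (leading letters) instead of the full postcode."""
    out = []
    for r in rows:
        g = dict(r)
        g["dob"] = r["dob"][:4]
        g["postcode"] = re.match(r"[A-Z]+", r["postcode"]).group(0)
        out.append(g)
    return out


if __name__ == "__main__":
    for name, diagnosis in link(RESEARCH_EXTRACT, PUBLIC_REGISTER):
        print(f"{name}: {diagnosis}")
    print("k before generalisation:", k_anonymity(RESEARCH_EXTRACT))
    safer = generalise(RESEARCH_EXTRACT)
    print("k after generalisation: ", k_anonymity(safer))
    print("re-identified after generalisation:",
          len(link(safer, generalise(PUBLIC_REGISTER))))
```

Run as written, four of the six “anonymised” extract rows are attached to a named person; the two women born on the same day in the same postcode survive only because they are indistinguishable from each other. Generalising to year of birth and postcode area raises k from 1 to 2 and defeats this particular join, but k-anonymity only measures resistance to linkage on the fields you chose: a third dataset with another shared attribute, or a register that covers the population more completely, reopens the question. That is the practical reading of the slides’ point that whether data is “personal data” depends on what other information the recipient holds or is likely to obtain, not on whether names were deleted.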