8th Internet, Law and Politics Congress (X). Privacy On Line

Notes from the 8th Internet, Law and Politics Congress: Challenges and Opportunities of Online Entertainment, organized by the Open University of Catalonia, School of Law and Political Science, and held in Barcelona, Spain, on 9-10 July 2012. More notes on this event: idp2012.

Panel on Privacy On Line
Chairs: José Luis Piñar Mañas. Professor of Administrative Law. Vice-Chancellor of International Relations at CEU San-Pablo University (Madrid). Former Director, Spanish Data Protection Authority.
.

Antonio Troncoso Reigada. Professor of Constitutional Law. Former Director, Data Protection Authority of the Region of Madrid.

The Internet has a huge potential for participation, especially social media. Freedom of expression has found a perfect platform on the Internet. Thus, minors have not to have their access to the Internet or social networking sites forbidden.

The proliferation of barriers for data protection is creating too many problems for the evolution of the Internet: we need a harmonization of law, not only within the EU but worldwide. Especially now that cloud computing is becoming mainstream.

The regulation framework in the EU is becoming better, but there is a certain lack of democracy, a lack of political and public debate on the issue.

Esther Mitjans. Professor of Constitutional Law, University of Barcelona. Director of the Catalan Data Protection Authority.

In the Internet age, privacy is a very important matter, present everywhere. There is a need for risk management, as these are new territories with new practices that bring with them plenty of risks and hazards. Behaviours of people cause not only risks upon themselves but also upon third parties. Data protection is about the crossroads of all these risks and practices. And we do not have to forget that the Internet does not believe in boundaries, borders and frontiers.

María González, Head of Legal for Spain, Portugal & Greece at Google.

The problem of short-term regulation can affect innovation, economic growth and the evolution of the Internet as a communication (not only business) platform.

Concerning cookies, the industry is now trying to decide what is the best design for opting-in concerning tracing cookies, and that the user is empowered with the control of their own data and privacy.

Regulation has to be based on transparency: all practices related to data protection, public, private and corporate have to be transparent and accountable.

The “physical” location of data is totally irrelevant when they are constantly replicated and transferred. Thus, what matters is demanding liability and responsibility to the firm, but not that these data are kept on a closed box in a specific territory or jurisdiction.

8th Internet, Law and Politics Conference (2012)

7th Internet, Law and Politics Congress (IX). Internet Privacy and the Right to Be Forgotten

Notes from the 7th Internet, Law and Politics Congress: Net Neutrality and other challenges for the future of the Internet, organized by the Open University of Catalonia, School of Law and Political Science, and held in Barcelona, Spain, on 11-12 July 2011. More notes on this event: idp2011.

Panel: Internet Privacy and the Right to Be Forgotten
Chairs: Esther Mitjans, Director of the Catalan Data Protection Authority and Professor of Constitutional Law at the University of Barcelona

Norberto Nuno Gomes de Andrade, Scientific Officer at the European Commission, working at the Institute for Prospective Technological Studies (IPTS, Spain)
The Right to be Forgotten. An Identity Perspective

The right to be forgotten should be anchored to the right to identity.

The data protection – data privacy – identity triangle: the data protection directive presents and apparently harmonious and coherent articulation of the concepts of data protection, privacy and identity. Data protection protects the righ to privacy by relying upon the notion of personal identity. This assumed harmonious connection is flawed and problematic. In reality, it is much more complex and dynamic.

Data protection should be procedural right, while data privacy and identity should be substantial rights. Substantial rights are a social interest, while procedural rights set the rules, methods and conditions through which those substantive rights are effectively enforced and protected.

Right to identity is the right to be unique, the persons’ definite and inalienable interest in the uniqueness of their being. The right to identity is infringed if person A makes use of person B’s identity in a way contrary to how that person B perceives his or her identity.

Right to privacy protects the personal condition of live characterized by seclusion from, and therefore, absence of acquaintance by the public. Right to privacy is only infringed if true private facts related to a person are revealed to the public.

The right to be forgotten can be seen from an identity perspective. Reinforces the anti-essentialism view of Ientity (a narrative identity): a process of negotiation, social construct, a matter of choices; corresponds to the ever-expanding manner in which law is allowing the individual to infuence aspecte of their identity; and matches the rational of the right to identity: the right not to have one’s identity miss represented, right to new beginning, right to be different Unot only from others, but also from one self).

The right to be forgotten from an identity angle also coves the facts that are already in the public domain, public factas, and covers also the not-necessarily truthful or decontextualized information, the one that is out-dated.

Milagros Pérez Oliva, Ombudsman of El País

It is worth noting that the information that appears on a newspaper is very different from the one that appears on a social networking site. In principle, all the information published in newspapers is public interest, and thus, that information should be publicly available. The problem is when (a) newspapers upload all their archives to the Internet and (b) finding out information (oftentimes serendipitously) is now easy and cheap and quick.

Historical archives cannot be modified and must be public. Period. Of course, that is not the final solution in the case of information vs. privacy, but the beginning of all problems. A first recommendation is to write new information according to some cautionary rules: avoid names (just initials) if the person is not a public celebrity, avoid contextual information that can lead to their identification, etc.

The problem comes with already published information. The suggestion could be to put out of the search engines’ reach some obsolete information. The problem comes, again, with defining what is obsolete information, or what has become non-relevant information.

Yet another problem, added to obsolete information or non-relevant, is incomplete information or plain wrong information. Those are pieces of news that were discontinued (e.g. trials) or never corrected and that pose a problem, as there are thousands of pieces of news within this category.

There is a need for a collective decision on how to add or link new information to an already published piece of news.

María González Ordóñez, Head of Legal for Spain, Portugal & Israel, Google Spain

Google’s policy is to not delete personal data from their cache if the original source has not also deleted those data. In this sense, Google is very respectful with what instructions a webmaster gives to Google (usually via robots.txt) in relationship with indexing and caching.

This policy is based in the fact that Google wants to provide what is available in the Internet. If Google erases information that still is on the net, the search engine will lose transparency and neutrality. On the other hand, there is also the fact that Google can do the very same claims of newspapers concerning the right to information and freedom of expression.

Ricard Martínez Martínez. Professor of Constitutional Law, Universitat de València

We have a dire need to balance the different rights put at stake with the digitization of our lives.

And as citizens usually cannot control their profile on the net, the responsibility to take action relies, on the one hand, on the legislator to design a legal framework, and on the other hand, on the online service and content providers.

We could try and have new tools to “prune” our public information. And those tools should be developed by the industry itself.

More information

7th Internet, Law and Politics Conference (2011)

5th Internet, Law and Politics Conference (III). Data protection and Social Networking Sites

Notes from the 5th Internet, Law and Politics Conference: The Pros and Cons of Social Networking Sites, organized by the Open University of Catalonia, School of Law and Political Science, and held in Barcelona, Spain, on July 6th and 7th, 2009. More notes on this event: idp2009.

Data protection and Social Networking Sites
Chaired by Mònica Vilassau

Spain has circa 8,000,000 SNS users that usually set by default the lowest levels of data protection. It’s difficult to find out who’s the owner of data and who’s reliable of data protection. And it’s usual to find use of third parties’ data not only without their consent but without their knowledge.

Esther Mitjans, Director, Catalan Data Protection Agency

Embedded video at http://ictlogy.net/?p=2399

There’s an urgent need to raise awareness about the privacy risks of using social networking sites and being on the Net.

Parents letting their kids freely browse SNS is like letting them go outside and play on the street unsupervised and unaware of some basic issues.

On the other hand, be have also to build confidence in the digital environment, and Law should have a role in trying to bring back (or build) confidence on the system.

There are shared risks where one’s actions have impact on third parties. What happens when data usage goes beyond the household or domestic arena? It’s known that increasingly SNS users use data for commercial purposes or, to say the least, not for strictly personal reasons.

But who’s liable for data protection infringement in SNS? If there’s been a data mining process for commercial uses, liability is easy to track back. But if the origin is a misuse coming from a particular individual, liability becomes not that easy to stablish.

SNS management is an approach to risk management. We should minimize risks for those acting legally, while prosecuting those who act illegally.

Pablo Pérez San-José, Gerente del Observatorio de la Seguridad de la Información Instituto Nacional de Tecnologías de la Comunicación (INTECO)

Embedded video at http://ictlogy.net/?p=2399

The Observatorio de la Seguridad de la Información [Observatory for the Information Security] is aimed towards monitoring and promoting policies for the security of data and information.

Hugh success of SNS at the kids and youngsters level. 43% kids using Tuenti, 80% using YouTube. Attractive because of the online-offline combination.

Three main key points concerning security hazards in SNSs:

  • Creation of profile: terms of service not clear. TOS should be written in plain English. Quite often, users are asked to fill in lots of data that are legally very sensible. Even if these data are not compulsory, they appear on the sign up form and people normally fill them in. User age verification should be more effective (in Spain, you need parental consent to share data if you’re under 14 y.o.). Default privacy settings are very low, allowing maximum visibility.
  • Participation in the SNS: excessive personal information made public on your profile. Non-authorized indexation by search engines. Installation and generic usage of cookies without the user’s knowledge. Reception of hipercontextualized advertising. Giving away intellectual property rights. Malware, phishing, pharming, etc. that use the information available on SNSs to customize to a higher degree attacks to other users. Spam based on false profiles. Sensitive and inappropriate content for minors. Cyberbulling, grooming.
  • Signing off: impossibility to completely and definitely erase your profile. Information that remains on third parties’ profiles.

Recommendations:

  • Be proactive following the law
  • Better age verification
  • Appropriate content (depending on environment and target) and well tagged
  • Awareness raising
  • Fostering secure environments, good practices, and a harmonized international law, while enabling the enforcement of law

Facebook and risks to de-contextualization of personal information
Franck Dumortier, Researcher, Centre de recherches informatique et droit (FUNDP-CRID)

Embedded video at http://ictlogy.net/?p=2399

Facebook’s model is based on the presentation of the users’ profiles, the visualization of the network of relation to others, and, most important, use real-world identification signs, including real names and real places.

When is there de-contextualization?

  • Behaviours and information used in another context from that for which they were intended
  • Violation of contextual norms of appropriateness or distribution

While on the real world anyone more distant than the friend of a friend is a stranger, on Facebook anyone you don’t actively hate is a friend. This enables wider dissemination of sensitive and decontextualized content. The driver being the presence of a visible network, tagging, pressure to join the network, etc.

Privacy is a human right, and is normally treated as a data-subject. But he is also a contextual-human, so privacy should also be seen as a right to contextual integrity, and as a right to self-emancipation from one’s own context.

Facebook as a Foucault’s heterotopia: a place that includes all other places, including its relationships.

In this sense, dealing with the “data subject” (identifying someone by reference to one or more factors specific to one aspect of his identity) is a partial approach, and the right to protect data is the right provided to “dividuals” (as divided individuals, parts of individuals).

A prime effect of Facebook, as an heterotopical environment, is to artificially recompose individuals.

De-contextualization threatens data protection rights.

Proposals:

  • Define higher data-privacy compliant default settings
  • Raise awareness
  • Increasing liability of SNS operators is useless

Data protection in Google
Bárbara Navarro, European director of Institutional Relations of Google in Spain and Portugal.

Embedded video at http://ictlogy.net/?p=2399

Businesses are increasingly aware that data protection and privacy are important issues that need being addressed. There is a general claim that demands privacity on demand: I want to upload everything and then be able to manage my own privacy — and the SNS provider respect and protect it.

Some questions on Google and privacy: excessive data retention; Google Street View and Google Earth and their photos; contextual advertising: is it good or bad; cloud computing and jurisdiction; health records; etc.

In most cases, the user can opt-out (temporal or permanent) on specific aspects: ask the deletion of a photo, stop receiving contextualized advertising, etc. Google’s commitment is that the user is the owner of its own information and the things Google does with it.

Three axes of action:

  • Education
  • Collaboration
  • Regulation

Q&A

Q: Should the government rank and publish what SNS is more data privacy compliant? A: The government should enforce the law but, as it happens with any kind of crime, most information cannot be made public.

James Grimmelmann: If we prohibit sites like Facebook, is there a threat from behaving as more integrated individuals? If it is our will not to be “dividuals”, is there a threat against us if we ban heterotopies like Facebook? Franck Dumortier: Constituting a unique space is wrong because contexts might not fit, because different dimensions of the self might not be overlapping.

Q: How is it that there’s that much content on YouTube from TV channels? Bárbara Navarro: normally it’s individuals who upload videos on YouTube and TV Channels the ones that have to ask for this content to be retired. On the other hand, Google has created a scanning device that can identify protected content and not permit it being uploaded. It is also true, nevertheless, that most channels have their own YouTube channel and they normally allow protected content to be uploaded by individuals as it provides publicity.

Q: Imagine a user that joins a SNS focusing on a specific disease or illness, he then recovers and wants to quit the network and erase all data. How to? Esther Mitjans: The user made an cost-benefit analysis before joining and decided that it was worth joining the network, we should not forget about this. Notwithstanding, they should be following the requisites of the SNS to delete all their traces.

More Information

5th Internet, Law and Politics Conference (2009)