ICTlogy

Track on the Right to be forgotten, data protection and privacy
Chairs: Mònica Vilasau Solana, Lecturer, School of Law and Political Science (UOC)

Pere Simon Castellano
The constitutional regime of the right to oblivion in the Internet

It is the principle of consent the one that gives us the legitimacy to claim for a right to privacy or data protection.

Especially related to search engines (though not only) is the legality of a given content another important factor when claiming for our privacy rights or the right to be forgotten.

Jelena Burnik
Behavioural advertising in electronic communications. A benefit to electronic communication development and an intrusion of individual’s right to privacy and data protection

Behavioural advertising tracks Internet users’ activities online and delivers only relevant advertisements, based on the data collected and analysed over a given period of time. It is normally enabled by cookies, that are placed by websites or advertisements on websites.

Behavioural advertising is defended in the name of relevance of advertisements, enhanced user experience, precise segmentation and less money spent on non-relevant audiences, support to free Internet content and a driver of innovation.

But it is a controversial practice that requires a fair balance between the interests of the industry and the rights of individuals. As cookies assign a unique ID with an IP address, there can be concerns on data protection. On the other hand, cookies are normally placed in the computer by default, while maybe a debate on opt-in vs. opt-out of cookie placing and cookie-based tracking should be considered.

A new “cookie” European directive should aim at shifting from an opt-out principle to an opt-in one, and cookies being placed only under explicit user’s concern. But how is the technological solution for an opt-in cookie principle?

In the US, though, what seems to be more acknowledged is an enhanced opt-out model.

But only true opt-in provides for transparency, and self-regulation of the industry will not suffice.

María Concepción Torres Diaz
Privacy and tracking cookies. A constitutional approach.

It is worth noting the difference between privacy, intimacy and personal data. And cookies can harm privacy. So, users should get all necessary information on cookies and tracking so they can decide whether a specific behaviour puts at stake their privacy. In case the user decides to go on, explicit consent should be provided to the service to perform its tracking activity.

We have to acknowledge that new technologies will bring with them new rights and new threats to old rights. Thus, we should be aware of the new technologies so that the law does not fall behind.

Philipp E. Fischer; Rafael Ferraz Vazquez
Data transfer from Germany or Spain to third countries – Questions of civil liability for privacy rights infringement

There are data transfers at the international level continuously. If those data got “lost”, the operator might have incurred in privacy rights infringement.

The European Directive on data transmission, it has been established that there can be data transmission within the European Union (nationally or internationally) or with 3rd countries with adequate level of data protection. There still are some issues with the US and there are other countries which are simply banned from data transmission between them and member states.

Faye Fangfei Wang
Legal Feasibility for Statistical Methods on Internet as a Source of Data Gathering in the EU

Privacy protection steps: suitable safeguards, duty to inform prior to obtaining consent (transparency), consent, and enforcement. Request for concern should be looked at as a very important step towards privacy protection. Consent must be freely given and informed.

There is an exemption clause in the UK legislation, to be used when gathering some data is strictly necessary for a service to run, or for scientific purposes, etc. But the exception clause must be used legally.

Ricardo Morte Ferrer
The ADAMS database of the Anti Doping World Agency. Data protection problems

The ADAMS database stores whereabouts, reporting where a sportsman is during 3 months, for a daily time span from 6:00 to 23:00 and including a full daily 1h detailed report of their whereabouts. Instead of presuming innocence, this database kind of presumes guiltiness.

That is a lot of information and, being the holder an international agency based in Canada, a threat on data protection as it implies a continuous traffic of personal data internationally.

Inmaculada López-Barajas Perea
Privacy in the Internet and penal research: challenges in justice in a globalized society

The possibility that personal information of citizens can be retrieved, remotely, by law enforcement institutions, is it just the digital version of the usual (and completely legal) surveillance methodologies, or is it something new and something that threatens citizens’ privacy?

More information

• Tracking without cookies, by Smári McCarthy.

Panel: Internet Privacy and the Right to Be Forgotten
Chairs: Esther Mitjans, Director of the Catalan Data Protection Authority and Professor of Constitutional Law at the University of Barcelona

Norberto Nuno Gomes de Andrade, Scientific Officer at the European Commission, working at the Institute for Prospective Technological Studies (IPTS, Spain)
The Right to be Forgotten. An Identity Perspective

The right to be forgotten should be anchored to the right to identity.

The data protection – data privacy – identity triangle: the data protection directive presents and apparently harmonious and coherent articulation of the concepts of data protection, privacy and identity. Data protection protects the righ to privacy by relying upon the notion of personal identity. This assumed harmonious connection is flawed and problematic. In reality, it is much more complex and dynamic.

Data protection should be procedural right, while data privacy and identity should be substantial rights. Substantial rights are a social interest, while procedural rights set the rules, methods and conditions through which those substantive rights are effectively enforced and protected.

Right to identity is the right to be unique, the persons’ definite and inalienable interest in the uniqueness of their being. The right to identity is infringed if person A makes use of person B’s identity in a way contrary to how that person B perceives his or her identity.

Right to privacy protects the personal condition of live characterized by seclusion from, and therefore, absence of acquaintance by the public. Right to privacy is only infringed if true private facts related to a person are revealed to the public.

The right to be forgotten can be seen from an identity perspective. Reinforces the anti-essentialism view of Ientity (a narrative identity): a process of negotiation, social construct, a matter of choices; corresponds to the ever-expanding manner in which law is allowing the individual to infuence aspecte of their identity; and matches the rational of the right to identity: the right not to have one’s identity miss represented, right to new beginning, right to be different Unot only from others, but also from one self).

The right to be forgotten from an identity angle also coves the facts that are already in the public domain, public factas, and covers also the not-necessarily truthful or decontextualized information, the one that is out-dated.

Milagros Pérez Oliva, Ombudsman of El País

It is worth noting that the information that appears on a newspaper is very different from the one that appears on a social networking site. In principle, all the information published in newspapers is public interest, and thus, that information should be publicly available. The problem is when (a) newspapers upload all their archives to the Internet and (b) finding out information (oftentimes serendipitously) is now easy and cheap and quick.

Historical archives cannot be modified and must be public. Period. Of course, that is not the final solution in the case of information vs. privacy, but the beginning of all problems. A first recommendation is to write new information according to some cautionary rules: avoid names (just initials) if the person is not a public celebrity, avoid contextual information that can lead to their identification, etc.

The problem comes with already published information. The suggestion could be to put out of the search engines’ reach some obsolete information. The problem comes, again, with defining what is obsolete information, or what has become non-relevant information.

Yet another problem, added to obsolete information or non-relevant, is incomplete information or plain wrong information. Those are pieces of news that were discontinued (e.g. trials) or never corrected and that pose a problem, as there are thousands of pieces of news within this category.

There is a need for a collective decision on how to add or link new information to an already published piece of news.

María González Ordóñez, Head of Legal for Spain, Portugal & Israel, Google Spain

Google’s policy is to not delete personal data from their cache if the original source has not also deleted those data. In this sense, Google is very respectful with what instructions a webmaster gives to Google (usually via robots.txt) in relationship with indexing and caching.

This policy is based in the fact that Google wants to provide what is available in the Internet. If Google erases information that still is on the net, the search engine will lose transparency and neutrality. On the other hand, there is also the fact that Google can do the very same claims of newspapers concerning the right to information and freedom of expression.

Ricard Martínez Martínez. Professor of Constitutional Law, Universitat de València

We have a dire need to balance the different rights put at stake with the digitization of our lives.

And as citizens usually cannot control their profile on the net, the responsibility to take action relies, on the one hand, on the legislator to design a legal framework, and on the other hand, on the online service and content providers.

We could try and have new tools to “prune” our public information. And those tools should be developed by the industry itself.

More information

• El olvido: El derecho a ser diferente… de uno mismo. Una reconsideración del derecho a ser olvidado, by Norberto Nuno Gomes de Andrade.
• ¿Tenemos derecho a ser olvidados en Internet? (IDP 2011), by Cristina Aced

Introduction by Esther Mitjans, Director of the Catalan Data Protection Authority and Professor of Constitutional Law at the University of Barcelona.

Three reasons why the right to forget is not already in the Law:

• We could not know.
• We did not know we were to lose all control on our own data,.
• We could not have known that segmented marketing would highly value personal data.

We face a trade-off between economic profits from data exploitation and privacy and security.

Cécile de Terwangne, Professor, Centre de recherche informatique et droit
Internet Privacy and the Right to Be Forgotten

Privacy does not mean intimacy or secrecy, but individual autonomy. In the context of the internet, it is informational self-determination, the control over one’s personal information. This personal information is made up by confidential data, but also by professional data, commercial data, published data, photos, films, sound…

In Europe, this “informational self-determination” has been recognized and protected by several norms, and the right to oblivion of the judicial/criminal past has been recognized by case law in several countries, based on the right to privacy or on personality rights.

The justification for the right to oblivion is justified by faith in human beings’ capacity of improving, the conviction that man should not be reduced to their past, the idea that once you have paid what was due, society must offer the possibility to rehabilitate.

But the right to oblivion conflicts with the right to information.

The criterion to resolve the conflict should be time:

• If there is newsworthiness, the right to information should prevail.
• If the information is no more newsworthy, then the right to oblivion should prevail.

What do we do, though, with digital newspapers archives and case law databases, which are clearly breaking the balance that we had reached?

Related to case law databases, the solution that has been proposed is anonymization, with respect of the purpose principle — by which only relevant data in relation with the purpose may be processed — and the proportionality principle — by which no excessive data may be processed.

Related to newspapers, one thing is to restrict the dissemination of old personal data, a different one is a right to delete those data. Deleting data out of “chronicles” is tempering on one’s own history.

On the other hand, there is of course a conflict with freedom of the press, a conflict that becomes a dilemma as there is not an a priori hierarchy amongst personal rights freedom of the press or the right to information.

In general, though, legislation shows that too many definitions/thresholds are subjectively defined, like “data won’t be kept longer than necessary” or some conditions under which it is possible to anonymize or delete data.

With the pervasiveness of the Web 2.0 and cloud services, there is a claim for a new right to oblivion, due to the problem of long lasting records kept by certain Internet actors of traces unconsciously left when surfing the web. But, again, as some economic models heavily rely on those data basis, there is a trade-off between personal and corporate rights.

A first solution is having the possibility to stablish a right to have information deleted and not only rendered inaccessible.

Another solution could be based on basing the right to be forgotten on a right based on the no-collection of personal data and established by default, that is, privacy by design.

More information

• Privacidad en Internet y el derecho a ser olvidado/derecho al olvido, by Cécile de Terwangne.
• ¿Tenemos derecho a ser olvidados en Internet? (IDP 2011), by Cristina Aced

Conclusions for day 1
Javier de la Cueva, Lawyer.

First of all, it is worth noting the role of Philosophy when talking about Net Neutrality. We are indeed building a new world, and this new world is not about machines, but about people. And the question is not about Net Neutrality, but about what will be the new 4th generation fundamental rights that we want for our future.

Another important issue is the definition of jurisdiction. And this jurisdiction is not only geographical, but can also be understood all along the value chain Internet provided content and services. We can speak about the different layers that make the Internet up, of about the different ends of the service, etc. But the truth is that there are many actors on the Internet and many of them belong to different legal, technical or factual jurisdictions.

A missing point during the Congress is the asymmetry of download and upload speeds. This asymmetry makes it more difficult peer-to-peer sharing, and makes it more difficult to become a real prosumer.

Again, the important thing is what do we want. In matters of Net Neutrality, do we want Net Neutrality as a right, as a principle or as a goal.

In some way, the absence of net neutrality is like adding a layer of obscurity and unfairness amongst two layers of freedom: the layer of free software, the free code that runs the Internet; and the layer of free content, the one that is freely created by the contributing users.

Of course, we have to be aware that with great power comes great responsibility: we have to acknowledge that a lot of work has still to be done in issues like privacy, reputation and honour, security, etc. Part of the solution comes, evidently, with lawyers and policy-makers learning much more on how the Internet and technology in general work.

More information

• Relato del VII Congreso Internacional sobre Internet, Derecho y Política: Neutralidad de la red y derecho al olvido, by Javier de la Cueva

Track on fundamental rights, freedoms and liability on the Internet
Chairs: Clara Marsan Raventós. Lecturer, School of Law and Political Science (UOC)

Patricia Escribano Tortajada
Right to honour vs. freedom of expression in the Net

Defamation on the Internet has become quite an extended practice. What are the limits to freedom of expression vs. the right to honour? And what are the limits of the right to honour vs. freedom of expression?

There is a difference between illicit content — which is against the law — and harmful content, which may damage your reputation while being completely legal.

Some elements are aggravating the problem of harming one’s honour: the high volume of digital content, anonymity and trolling, advertising in websites (i.e. not requiring login for being able to post content), who can access the content, etc.

What are websites doing? Requiring authentication (at least via e-mail), terms of use, ability to edit comments, report inappropriate comments, etc. Some of them, though, are actually a potential threat against freedom of expression.

Most of the law is aimed at protecting the ISP while the citizen remains unprotected. There should be an effort in trying to define better the limits of the right to honour and freedom of expression, when and how regulation applies and, most especially, how do we protect the individual.

Primavera De Filippi, Smári McCarthy
Cloud Computing: Legal Issues in Centralized Architectures

Cloud computing has had a side effect in personal communications: when most of them used to be peer-to-peer through a decentralized service (most times a desktop and one’s own server), now many communications have shifted to public and into centralized services.

Most users do not know how to read the terms of service or would just not read them. Thus, they think they are getting services for free while they are giving away many of their rights.

Another side effect is the lock-in that happens once you’ve got your data and content out in the cloud, and can but just manage it remotely, not massively and with serious concerns whether this content still is your property.

We cannot only rely on national law when it comes to the Internet, but international agreements do not seem to do better. So, what should be done?

Anne W. Salisbury
Anonymity, Trash Talk and Cyber-Smearing on the Internet

The first thing that one has to demonstrate defamation is that the statement made is opinion and not fact, and that is has been exaggerated.

But on the Internet it also depends on other aspects. For instance, the blog were the statement is made and the use of the language (i.e. some words do not any more refer to the original definition of that word, but have become slang with different meanings).

So, many supposed libels or defamations are not such when looked under a different glass.

Indeed, disclosing the anonymity of the “defamators” can sometimes be much more harming that the supposed defamation they committed.

Mª Dolores Palacios González
The stress between impunity in the Net and limiting freedom of expression

There are many examples where anonymous contributors to blogs or forums insult third parties, including individuals, governments and firms. ISPs usually have the safe harbour that most Internet laws provide according to which they have no liability on such harmful comments and statements in general. Though the problem still exist: there are harmful comments on many websites.

But some exceptions should be made, or at least some issues taken into consideration.

For instance, if there is comment moderation, the act of editing and/or approving the comment with defaming statements should not be protected with the safe harbour for ISPs.

Alicia Chicharro
The space of freedom, security and justice and cybercrime in the European Union

The Lisboa treaty shifts “upwards” many of the decisions related to crime and cyberlaw, resulting in a top-down approach to penal law in the member states. There is, though, the right to veto a directive, and also the principle of subsidiarity. Cybercrime is included within this new framework.

Track on Intellectual Property Rights on the Internet
Chairs: Blanca Torrubia Chalmeta. Lecturer, School of Law and Political Science (UOC)

Monica Horten
Copyright at a Policy Cross-Roads – Online Enforcement, the Telecoms Package and the Digital Economy Act

What is copyright enforcement? Enforcement is about punishment, about forcing people to do things under penalty of being punished otherwise. That is usually done through courts, and can be written down in obligations (law, regulations, etc.) or even contracts (e.g. contractsthat users sign with service providers).

Sometimes enforcement will also imply a diminution of certain levels of privacy.

What the ‘Telecoms Package’ and the ‘Digital Directive’ tell us is that the fight to enforce copyright law is directly affecting mostly privacy issues and other fundamental rights.

Evi Werkers
Intermediaries in the eye of the copyright storm: A comparative analysis of the three strike approach within the European Union

File sharing still is increasing and becoming pervasive in all activities and strata of the society. And most measures to fight ‘piracy’ have failed. The safe harbour that was build for ISPs is, nevertheless, not unlimited.

Indeed, the enormous complexity of services provided by some operators have made it more difficult to tell whether an ISP is such, whether it is a content or a service provider, etc.

And we are still to find failures in terms of legality (of laws), proportionality, respect to fundamental rights, exemption of liability, etc. There is also a concern on how active preventive measures can still be neutral, or how traffic can be (fairly) managed.

Qian Tao
“Neutrality” Test on web 2.0 Platform for its intermediary liability in China and in Europe

The Tort Liability Law 2010 and the Regulation for the Protectoin of Information Network Dissemination rights are the framework for Internet regulation in China. They provide, like other laws, the safe harbour for web 2.0 service providers.

In order to harmonize different opinions in different courts, the Higher Court of Beijing issued a guide to help the courts take the correct decisions. For instance, the “No direct financial benefit” guideline: even if there are ads, if there are no charges to download/see the video, there is no infringement.

Those guidelines, though, are just guidelines, thus are not compulsory and only apply for the Beijing region.

Benjamin Farrand
‘Piracy. It’s a Crime.’ – The criminalisation process of digital copyright infringement

The criminal enforcement directive seemed to be dead, but the Pirate Bay case sort of brought it back to life. Piracy is increasingly linked to theft, to organised crime, to terrorism. Notwithstanding, research shows that online piracy is not likely to be linked with organised crime or terrorism. We cannot even find what is the methodology used to calculate the (real) losses for the industry of counterfeit material or how damaging is piracy in general.

There is a need for re-assessment, and law-making on the basis of empirical evidence and concrete studies – not industry lobbying. The Hargreaves Review (2011) states that in the case of copyright policy, there is no doubt that the persuasive powers of celebrities and important UK creative companies have distorted policy outcomes.