ICTlogy

Communications on data protection
Chairs: Mònica Vilasau

GDPR: A European model of privacy
Ricard Martínez. Responsable del Servicio de Transparencia en la Diputació de València. Expert in privacy.

The European Union has made of data protection and privacy a solid building, with strong foundations, and ready to face the challenges of the future. Data protection has become a fundamental right and, as such, it is against such the highest level of the right that the debate and the weightings take place.

This is at odds with the practices of US firms, that are clearly threatening this fundamental principle.

General Data Protection Regulation (GDPR) is trying to fix this and to protect the citizen against all kind of threads. But it is still imperfect. If, for instance, still relies on authorisation. It is well known that the end user will accept (authorise) any kind of data usage by third parties just to be able to enter a social networking site, or to have access to social media, or to use a given digital service. The regulation should then be more proactive, and “not trust” the judgement of the citizen, and protect them despite themselves. Accountability has to be filled with content, not be a hollow recipient of wishful thinking.

The legislator must know reality, the reality of the user, the reality of technology.

There is a big problem now that technologies enable the possibility that third parties can own others’ identities, do things for them (and without them knowing), make decisions for them (and without them knoweing), etc.

General data protection regulation vs. big data regulation
Alessandro Mantelero, Polytechnic University of Turin

One of the main problems of big data is that it does not actually asks for permission, or consent. Or, indeed, most of consent was already given when the user accepted the conditions of each and every social networking site, website, online service, etc.

Regulation is clearly lagging behind the advancements of technology. This is not new —it actually is the norm— but not only the gap is widening, but the paths are divergent one from another.

Achieving anonymity on the Internet is extremely difficult. This is what we have to address. When we collect information which is non-sensitive (e.g. on mobility) it will most likely produce outputs that are relevant for privacy, that can contribute to identify or draw a profile of someone. And all this is not in the GDPR. How is GDPR addressing these new but actual challenges

We are shifting from an individual-based data protection paradigm to a new paradigm of a collective vision, where the collective shapes the identity, shapes privacy, etc.

More information: Personal data for decisional purposes in the age of analytics: From an individual to a collective dimension of data protection.

Discussion

Alessandro Mantelero: this is not a legal topic, but an economic topic. If we test prototype cars for security and do not allow them to be on the streets until they match some security issues, same should happen when designing digital services. Yes, maybe this would slow the pace of innovation. Maybe. But we have to find a balance between total flexibility in digital services design and total lack of taking into account fundamental rights that can be seriously damaged by the design of those digital services.

Communications session: Smart Cities (I)
Chairs: Álvaro Nicolás

Open smart cities: ¿whose are the data?
Julián Valero Torrijos, Juan Ramón Robles Albero

Whose are the data gathered by some smart cities initiatives? This question is especially relevant when many public services are managed by private firms. It’s interesting because these are data that are needed to provide the service, and thus private firms do need them. But, on the other hand, these data is generated by the user and thus likely to be ownership of the citizen. How do we solve this?

Our conclusion is that most data should be regulated as usual, protecting the citizen, etc. But. In some cases, especially when it deals about the know how of the private firm and how to improve the provision of the service, in some of these cases maybe data should remain property of the private firm, as it is part of their know how and own protocols and processes.

Smart mobility, data protection and social surveillance
Alessandro Mantelero

We are moving towards a pervasive data ecosystem. Big data and the Internet of Things are having an impact on individual and collective data protection, a need for balancing conflicts of interests, and have to move from a theoretical approach to an empirical approach, as the smart mobility case. We need to address open data and risk assessment, such as the factors that increase the risk of re-identification, and the different levels of access to mobility data. Examples: the London bike-sharing case or the user-centric approach adopted in the Piedmont case.

In the cases above, many data and at many levels is gathered, including personal information and travel information. Data protection is applied by design, both at the collection, storage and access and analysis of the datasets.

Conclusions: proportionality, risk-assessment, empower the citizen.

Urban governance and smart cities. The case of Barcelona
Mariona Tomàs Fornés

Since the end 0f 1980s we are facing a new concept of governance. Global governance is a process of coordination of actors, social groups, institutions to reach certain goals that have been debated and defined collectively. It implies a change in decision-making and policy-making. It includes different geographical scales, new public and private actors, etc. The hypothesis of this work is that the development of the smart city implies a shift towards the pro-growth model.

Goals for the case of the smarty city in Barcelona: based on efficiency, sustainability and a mix of several projects of many kinds put together under the umbrella of ‘smart cities’. Many of these projects already existed and the city council just rephrases them under this common umbrella.

The city council will transform the city into a urban lab so that the city (and the citizen) can be used as a lab by technological firms so that they can test initiatives, devices, etc.

How has the urban governance of Barcelona changed after their involvement in smart city projects? The participation of the private sector in financing urban projects has definitely increased, as has been the scheduling of big international events and culture as a development strategy. Citizen participation still is important, but somehow it seems that the usual spaces of participation have not been integrated with other initiatives and spaces more related to the smart city strategy. On the other hand, there is less strategic planning and less new institutions to lead new projects: private firms do not seem to be interested in strategic planning and new institutions have been replaced by ad hoc created public-private partnerships.

Barcelona is a typical case of conceiving the smart city within the principles of the entrepreneurial city: competitiveness, growth policies, use of public-private partnerships.

Pierre (1999) proposes different models of urban governance:

• Managerial
• Participative.
• Pro-growth.
• Redistributive.

Moderator: Maria Àngels Barbarà i Fondevila. Director, Catalan Data Protection Authority

Internet social networks, non-contractual liability for infringements of data protection rights by the data controller and International Private Law
Alfonso Ortega Giménez, Profesor de Derecho internacional privado de la Universidad Miguel Hernández de Elche (Alicante)

The dramatic growth of participation in social networking sites can be approached from the international private law.

Users normally accept all the terms of conditions of social networking sites. But what law is to be applied? It depends. In these terms it is normally stated what law and what jurisdiction is to be applied. Thus, the user is not protected by the law as there is a high degree of defencelessness as they have to deal with “foreign” laws most of the times.

Big Data and Social Control In The Perspective Of Proposed EU Reform On Data Protection
Alessandro Mantelero, Polytechnic University of Turin; Giuseppe Vaciago, University of Insubria.

There is an asymmetric distribution of the control over information. Interaction between the private and the public sector is mediated by these data and this imbalance of power.

There is a political and strategical value of the European regulation on data protection, as there is a predominance of US companies in the ICT sector, which implies an influence of the US administration on national companies.

Indeed, is not only about jurisdiction in terms of what law applies, but also the fact that most data of European citizens are stored overseas (usually in the US).

An added political/strategic/security issue, then, is that the US Administration can require the firms in US soil (e.g. most of all in cloud services) to access all the data in their silos.

Data portability reduces the risk of lock in as it allows for transferring data from one place to another. In this sense, it also reduces monopolistic practices, reduces the power of the service provider and eases establishing more balanced regulation.

E-Health in the Age of Big Data: The EU Proposed Regulation on Health Data Protection
Panagiotis Kitsos, LLM, PhD. IT Law Team, Dept. of Applied Informatics. University of Macedonia, Researcher; Aikaterini Yannoukakou, Librarian MSc. IT Law Team, Dept. of Applied Informatics. University of Macedonia, PhD candidate

What are the challenges that big data poses in the field of e-Health? Many uses so far: drug data extracted from prescription records, devide data collected from implantable cardiac devices, clinical data collected form medical records and medical images, claims and financial data, patient behaviour and sentiment data, etc. All these are already transforming healthcare.

But there are many privacy concerns, most of the related to the possibility to “re-identify” patients even if their respective data has been anonymised.

Another concern is the right to be forgotten in relationship with health records.

Maybe we have to move from what to protect to how to protect.

Discussion

Barbarà: is consent enough to protect the citizen? Is it informed enough to count as valid?

Ricardo Morte: if there are issues with jurisdiction, it is very likely that the citizen cannot appeal to the Constitutional Court. Is that this way? Is there any “equivalent” at the international/European level? Ortega: the problem comes not in what falls within the framework of the (commercial) agreement, which is quite well contemplated by the current regulation, but in what falls outside of the framework of the agreement, in what is extra-contractual.