IDP2016 (V). Data protection

Notes from the 12th Internet, Law and Politics Congress: Building a European digital space, organized by the Open University of Catalonia, School of Law and Political Science, and held in Barcelona, Spain, on 7-8 July 2016. More notes on this event: idp2016.

Communications on data protection
Chairs: Mònica Vilasau

GDPR: A European model of privacy
Ricard Martínez. Responsable del Servicio de Transparencia en la Diputació de València. Expert in privacy.

The European Union has made of data protection and privacy a solid building, with strong foundations, and ready to face the challenges of the future. Data protection has become a fundamental right and, as such, it is against such the highest level of the right that the debate and the weightings take place.

This is at odds with the practices of US firms, that are clearly threatening this fundamental principle.

General Data Protection Regulation (GDPR) is trying to fix this and to protect the citizen against all kind of threads. But it is still imperfect. If, for instance, still relies on authorisation. It is well known that the end user will accept (authorise) any kind of data usage by third parties just to be able to enter a social networking site, or to have access to social media, or to use a given digital service. The regulation should then be more proactive, and “not trust” the judgement of the citizen, and protect them despite themselves. Accountability has to be filled with content, not be a hollow recipient of wishful thinking.

The legislator must know reality, the reality of the user, the reality of technology.

There is a big problem now that technologies enable the possibility that third parties can own others’ identities, do things for them (and without them knowing), make decisions for them (and without them knoweing), etc.

General data protection regulation vs. big data regulation
Alessandro Mantelero, Polytechnic University of Turin

One of the main problems of big data is that it does not actually asks for permission, or consent. Or, indeed, most of consent was already given when the user accepted the conditions of each and every social networking site, website, online service, etc.

Regulation is clearly lagging behind the advancements of technology. This is not new —it actually is the norm— but not only the gap is widening, but the paths are divergent one from another.

Achieving anonymity on the Internet is extremely difficult. This is what we have to address. When we collect information which is non-sensitive (e.g. on mobility) it will most likely produce outputs that are relevant for privacy, that can contribute to identify or draw a profile of someone. And all this is not in the GDPR. How is GDPR addressing these new but actual challenges

We are shifting from an individual-based data protection paradigm to a new paradigm of a collective vision, where the collective shapes the identity, shapes privacy, etc.

More information: Personal data for decisional purposes in the age of analytics: From an individual to a collective dimension of data protection.

Discussion

Alessandro Mantelero: this is not a legal topic, but an economic topic. If we test prototype cars for security and do not allow them to be on the streets until they match some security issues, same should happen when designing digital services. Yes, maybe this would slow the pace of innovation. Maybe. But we have to find a balance between total flexibility in digital services design and total lack of taking into account fundamental rights that can be seriously damaged by the design of those digital services.

12th Internet, Law and Politics Conference (2016)

IDP2016 (IV). E-government

Notes from the 12th Internet, Law and Politics Congress: Building a European digital space, organized by the Open University of Catalonia, School of Law and Political Science, and held in Barcelona, Spain, on 7-8 July 2016. More notes on this event: idp2016.

Communications on E-government
Chairs: Agustí Cerrillo

Innovation management in public organizations: open data in the threshold of open government.
Adrián Vicente Paños, Diputació de València; Servicio de Transparencia y Gobierno Abierto.

In general, innovation is badly managed in European public administrations: lack of reusage, management deficits, etc.

e-Government, in many cases, has been used as a flagship for the “modernization” of public bodies. And, in particular, open data and open data portals are increasingly becoming the first stop for pubic bodies to face modernization and innovation. 84% of European countries have open data portals, although less than half of them have a certain degree of maturity.

Reuse of data vary significantly depending on the type of data and sector. Thus, finance, contracts, geospatial data and some others are by far much more used than other datasets.

There is a need to improve communication so that the end-user (e.g. the citizen) can reuse data, be more easily found, etc. Benchmarking good practices across different bodies would also have a potentially high impact.

The asymmetric regulation of third parties’ rights in the procedures of access and reuse of public information.
Leonor Rams Ramos, Profesora Contratada – Doctora de Derecho Administrativo (acreditada a Titular de Universidad) en la Universidad Rey Juan Carlos.

The new Spanish Law on Transparency (Ley 19/2013) was much needed, but has been criticised because of its wide limitations, very open cases for non-admittance, and lack of instruments for assessing its efficacy — among others.

What happens with third parties that, despite not being public bodies, they have relationships with public administrations and thus these have data that can be requested by the citizen. Can these third parties, these private bodies oppose to their data being published or given away by public administrations under the Transparency Law?

The Art.19.3 LTBG makes it compulsory to notify third parties if they could be affected by a request of data, and they then become an interested party of the procedure. It is not a right to veto: it just triggers some alerts so that the data from third parties is accurately dealt with. If the data required falls within the category of personal data, the veto is automatic. If not, it has to be analyzed case by case.

The problem is that the citizen that makes the request has no voice in the whole procedure, or can argue against the decision to veto the delivery of data. Even worse, the person requesting the data does not know what the third party can do or will do to avoid the disclosure of data. And hence cannot react or anticipate any movement from the third party, which rends them defenceless.

The collaboration of the private sector in European digital public services of digital identification.
Ignacio Alamillo Domingo, Abogado y auditor. Colaborador docente de la UOC.

Digital identity has ceased to be a matter of security, circumscribed in a very tiny area, to something that is ubiquitous, spreading all over a myriad of platforms and institutions.

On the other hand, digital identity is not only a matter of cost (cost to create an identity) but also a consumer good or even a capital active, and including a social good, liked to social networking or reputation, and leading to the appearance of public providers of digital identities (e-ID).

eIDAS aims at creating a public system of digital identification within the European Union. It focuses in security and interoperability, so that national systems can interact one with each other.

What is the role of the private sector in this system? It is possible that a means of digital identification can be private. This means that the public sector admits private means of identification and uses them or interacts with them. And by doing it at a national level it is enabled that it can be done at the European level. The problem here is how to assess private eIDs and their features, or how to avoid the (explicit or tacit) creation of monopolies or monopolies of e-identification private systems.

Last, but not least, no only public bodies can use eIDs, but also private parties can benefit from eIDAS and use an kind of eID issued by public or private bodies in any member state of the EU.

Discussion

Ignacio Alamillo: it would be interesting that the public sector accepted different degrees of identification, with different levels of security, compliance, etc., in collaboration with public-private-partnerships, etc.

12th Internet, Law and Politics Conference (2016)

IDP2016 (III). Raquel Xalabarder: Copyright law for a digital single market: how far are we from achieving it?

Notes from the 12th Internet, Law and Politics Congress: Building a European digital space, organized by the Open University of Catalonia, School of Law and Political Science, and held in Barcelona, Spain, on 7-8 July 2016. More notes on this event: idp2016.

Keynote speech. Chairs: Maria Julià

Prof. Raquel Xalabarder. Professor of Intellectual Property, Law and Political Science Department, Universitat Oberta de Catalunya (UOC).
Copyright law for a digital single market: how far are we from achieving it?

Copyright law grants an exclusive right on works contained in products (tangible goods) and services which must freely circulate within the EC/EU internal market.

So far, we have a bunch of national copyright laws, with different scopes, and with a marked principle of territoriality. Can we harmonize these issues? There has to be no discrimination within the EU: what you grant to a national author, you grant it to a EU author. BUT. We had a single digital market for goods, but not for services. Once a work was embedded on a product, it fell within EU common law; but it happens otherwise with services. And here is the big deal we are facing now.

Rome EC Treaty:

  • Subsidiarity principle, only applies when objectives are better achieved by the EC than by member states individually.
  • Harmonization through directives, that need national implementation.
  • Lisbon EU Treaty Art. 118 TFEU: mandate for uniform IP rights in all EU. Need for a regulation on EU copyright?

We now have a bunch of EU directives that deal with computer software, rental and lending rights, satellite and cable communications, terms of protection, databases, copyright, resale right, enforcement, orphan works, collective management (of rights) organizations and music online, etc.

There’s a big deal trying to harmonize concepts like what is a work, what is an author, what are related rights, etc. Different directives refer to works and authors in very different ways.

Same happens with moral rights, exploitation rights, remuneration rights… Remuneration rights are especially difficult to address as they vary very much across countries, in what they cover, in the amount or kind of remuneration, its management, etc.

About communication to the public, there is no clear consensus on what the “public” is, communication, display or performance, etc.). Here the concept of linking to (protected) content becomes crucial, of course including the role of the agent that created the link.

The harmonisation of limitations to intellectual property rights are also scattered across different directives and regulations in general.

Licensing, enforcement… again matters of disagreement and lack of harmonization.

Discussion

Wouter Tebbens: copyleft software heavily relies on copyright, and the design and the product are very much the same. But what happens with copyleft hardware, where the design and the product are much different? Xalabarder: it is uncertain. It depends on whether you just protect the design, and then the product is not affected, or if you take into account the design embedded in the product. It is difficult to tell.

Some conclusions?

  • Fragmented harmonization of some issues: work, author, rights, limitations…
  • Court of Justice of the European Union (CJEU) role is paramount.
  • Territorial licensing allowed (for services) as “original sin”.
  • Member states “reception” of EU copyright law and caselaw?
  • Subsidiarity principle.
  • Time for a copyright unitary title?

12th Internet, Law and Politics Conference (2016)

IDP2016 (II). Digital Single Market and e-Commerce

Notes from the 12th Internet, Law and Politics Congress: Building a European digital space, organized by the Open University of Catalonia, School of Law and Political Science, and held in Barcelona, Spain, on 7-8 July 2016. More notes on this event: idp2016.

Communications on Digital Single Market and e-Commerce
Chairs: Blanca Torrubia

The role of geoblocking in the internet legal landscape.
Marketa Trimble, Samuel S. Lionel Professor of Intellectual Property Law at William S. Boyd School of Law, University of Nevada, Las Vegas.

Geoblocking: blocking depending on place and depending on content.

Geoblocking breaks the ubiquity of the Internet and users’ expectations of a territorially-unlimited Internet. On the other hand, geoblocking is a way to try to accommodate Internet content to the territorial restraint of national jurisdiction.

Opposition to geoblocking:

  • Contrary to the original architecture of the internet.
  • It’s imperfect, leaving lots of room for spillovers.
  • Has uncertain legality.
  • Is associated with not insignifiat implementation costs.
  • May have an impact on freee speech.

The EU proposes a campaign against geoblocking, though proposing a new regulation to address geoblocking and other forms of discrimination based on customers’ nationality.

Some positive ends of geoblocking:

  • Contributes to the diversity of content on the Internet.
  • Geoblocking allows for content to be made available where it is legal.
  • A territorial partitioning of the Internet is inevitable as long as countries have strong national public policies that shape at least some of their laws.
  • Online gambling and other sensitive areas of regulation will provoke countries’ strong policy stances, for which geoblocking on the Internet offers a workable modus operandi.

Hardwiring Privacy in the European Digital Space.
Lee Bygrave, Professor, Norwegian Research Center for Computers and Law.

Information systems architecture has the ability to shape behaviour beyond what legislation allows.

There are explicit attempts to change system architectures to force changes in law or to put in practice de facto “regulations”, especially in the field of data protection and privacy.

Some of these hardwiring attempts to change regulation may have an impact in homeland security, on privacy guarantees, etc.

The exclusive right of the author to control publicity and sale offers of their work. Impact in the building of a single digital space.
Antoni Rubí Puig, Profesor de Derecho Civil de la Universitat Pompeu Fabra.

Can we buy in third countries’ websites goods that are subject to intellectual property rights that apply in our country but not in the third country? Can we do that without incurring in an IP illegality? Probably not. The right to distribute works is exclusive of the author’s.

There are several points in the whole process of publishing, offering, selling and delivering goods where the author has their say according to their intellectual property rights.

The proposals of the European Commission about contract rules in the supply of digital content and online sales: conformity, remedies and exercise of remedies
Rosa Milà Rafel, Investigadora Juan de la Cierva-Incorporación de la Universidad de Castilla-La Mancha Centro de Estudios de Consumo.

Proposal of EU directive of online sales. Goal: to eliminate one of the main barriers against international e-commerce in Europe.

Problem: if it is approved, it will indeed increase the fragmentation of actual regulation.

Proposal of EU directive of supply of digital content.

It includes a wide range of digital content, such as cloud computing services and social networking services.

Unlike the former one, this directive is likely to reduce fragmentation of existing regulation.

12th Internet, Law and Politics Conference (2016)

IDP2016 (I). Hugh Beale: The future of European Contract Law in the light of the European Commission’s proposals for Directives on digital content and on-line sales

Notes from the 12th Internet, Law and Politics Congress: Building a European digital space, organized by the Open University of Catalonia, School of Law and Political Science, and held in Barcelona, Spain, on 7-8 July 2016. More notes on this event: idp2016.

Keynote speech. Chairs: Miquel Peguera.

Prof. Hugh Beale. QC FBA, Professor of Law, University of Warwick; Visiting Professor and Senior Research Fellow at Harris Manchester College, Oxford.
The future of European Contract Law in the light of the European Commission’s proposals for Directives on digital content and on-line sales

The main goal of the European directive was to increase consumer confidence, that consumers were given a minimum of rights wherever they did their purchases.

But it was also about reducing traders’ costs, as differences in contract law creates costs. After 2003, the European Commission has been working to remove barriers to trade, and not only in B2C contracts, but also in B2B contracts.

In general, Rome I art 6(2) says that consumers are entitled to mandatory rules of Law of State of habitual residence. Which is a major problem for sellers who have to know the applicable law for every consumer. A full harmonization seems highly desirable. But this may cause withdrawal of rights to consumers in some given states, which most will just not accept.

The Digital Content Directive applies to the trade of digital content: stream, download, etc. digital content. But is this like buying something that you then own? Or is it more like hiring someone’s services? The directive applies to both, as a one time delivery or as something that stands for a period of time. And it includes exchanges of digital goods or services for a price or in exchange of personal data. Last, rights apply to whether you are buying a physical support (e.g. DVD) or not (e.g. downloads).

DCD Art 18 implies that any individual can initiate an action against terms that they may find abusive. And, accordingly, the EC and/or the Member State has to enforce the regarding of the law. This can have a potential huge impact on the compliance with the directive.

What will the impact of the directive be? Probably small, because:

  • It only includes a very narrow set of goods and services.
  • It leaves out everything related to B2B, and SMEs would benefit much from it.

Discussion

Blanca Torrubia: how are differences between property rights dealt with in the directive? Beale: it seems that the big differences in how to understand property rights are between the EU and the US, more than within member states.

12th Internet, Law and Politics Conference (2016)

IDP2015 (IX). Multidisciplinary debate on the challenges of smart cities

Notes from the 11th Internet, Law and Politics Congress: Regulating Smart Cities, organized by the Open University of Catalonia, School of Law and Political Science, and held in Barcelona, Spain, on 2-3 July 2015. More notes on this event: idp2015.

Multidisciplinary debate on the challenges of smart cities
Chairs: Marta Continente

Pilar Conesa. Founder and director of Anteverti.

Increasing concentration of people living in urban areas. Areas which are becoming totally saturated and ask for new ways or urban planning. This includes not only transportation, but also public services like education, healthcare, etc. The 19th century was a century of empires, the 20th century was a century of nation states, the 21st century will be a century of cities, Wellington E. Webb.

If we want to develop new cities, new smart cities, we need to know and share the approach behind. This is not trivial and it will determine the model of smart city that will be put into practice.

There is no smart city without a smart government.

Oriol Torruella. Director of the Legal Consultancy Department, CESICAT, Information Security Center of Catalonia

Smart city: improve the efficiency and efficacy of the management of the city, by means of an intensive usage of ICTs.

There are, though, some risks: the vulnerabilities of both software and hardware; the management of the citizen identity; treatment of personal data; affectation to the availability and security of critical infrastructures, etc.

It is crucial that citizens become smart citizens too if they are to be part of a smart city. They have to be aware of all risks of cibersecurity, what are the laws that apply to certain practices and activities, etc.

Ricard Faura. Head of Knowledge Society, Generalitat de Catalunya

The citizen in the smart city, sensor or actor? (Pisani, Datopolis o Particopolis?)

We have to foster some elements through ICTs: participation, organization and collaboration.

For the smart city to be useful for the citizens, one needs to empower the citizens themselves, so that they can be active and critical. But ICTs have to be empowering, not barriers.

Main duties of the government: diffusion, information, awareness raising, training.

The city has to be a real lab where everything is possible and everything can be analysed and improved, and especially fitting the particular needs of the different communities that one finds within the city or across cities.

Discussion

José Luis Rubiés: Is there a risk of an illustrated despotism from the one that manages all these data? Who is the curator of the big data coming from smart cities? Ricard Faura: yes, this is a huge risk. Oriol Torruella: we are just at the dawn of smart cities and, as usually Humanity has done in the past, we work on a trial and error basis: we implement things, realize the risks, try to correct them, and on and on. Little by little we will learn to design better, to avoid risks before we implement, etc.

Q: can we extrapolate initiatives from one place to the other so that we do not have to reinvent the wheel? Marta Continente: yes and no. Yes, one can adapt what worked elsewhere. But the important thing is that ICTs, or whatever initiative on smart cities, are just a toolbox. And, as such, its application or usage will strongly depend on the realities found in each specific city.

11th Internet, Law and Politics Conference (2015)