Services and Business Process Reengineering Roberto Senigaglia Claudia Irti Alessandro Bernes   Editors Privacy and Data Protection in Software Services Services and Business Process Reengineering SeriesEditors NabenduChaki,DepartmentofComputerScienceandEngineering, UniversityofCalcutta,Kolkata,India AgostinoCortesi,DAIS,Ca’FoscariUniversity,Venice,Italy The book series aims at bringing together valuable and novel scientific contribu- tions that address the critical issues of software services and business processes reengineering, providing innovative ideas, methodologies, technologies and platformsthathaveanimpactinthisdiverseandfast-changingresearchcommunity inacademiaandindustry. Theareastobecoveredare (cid:129) ServiceDesign (cid:129) DeploymentofServicesonCloudandEdgeComputingPlatform (cid:129) WebServices (cid:129) IoTServices (cid:129) RequirementsEngineeringforSoftwareServices (cid:129) PrivacyinSoftwareServices (cid:129) BusinessProcessManagement (cid:129) BusinessProcessRedesign (cid:129) SoftwareDesignandProcessAutonomy (cid:129) SecurityasaService (cid:129) IoTServicesandPrivacy (cid:129) BusinessAnalyticsandAutonomicSoftwareManagement (cid:129) ServiceReengineering (cid:129) BusinessApplicationsandServicePlanning (cid:129) PolicyBasedSoftwareDevelopment (cid:129) SoftwareAnalysisandVerification (cid:129) EnterpriseArchitecture Theseriesservesasaqualifiedrepositoryforcollectingandpromotingstate-of-the art research trends in the broad area of software services and business processes reengineering in the context of enterprise scenarios. The series will include monographs,editedvolumesandselectedproceedings. Moreinformationaboutthisseriesat http://www.springer.com/series/16135 · · Roberto Senigaglia Claudia Irti Alessandro Bernes Editors Privacy and Data Protection in Software Services Editors RobertoSenigaglia ClaudiaIrti DepartmentofEconomics DepartmentofEconomics Ca’FoscariUniversityofVenice Ca’FoscariUniversityofVenice Venice,Italy Venice,Italy AlessandroBernes DepartmentofEconomics Ca’FoscariUniversityofVenice Venice,Italy ISSN2524-5503 ISSN2524-5511 (electronic) ServicesandBusinessProcessReengineering ISBN978-981-16-3048-4 ISBN978-981-16-3049-1 (eBook) https://doi.org/10.1007/978-981-16-3049-1 ©TheEditor(s)(ifapplicable)andTheAuthor(s),underexclusivelicensetoSpringerNature SingaporePteLtd.2022 Thisworkissubjecttocopyright.AllrightsaresolelyandexclusivelylicensedbythePublisher,whether thewholeorpartofthematerialisconcerned,specificallytherightsoftranslation,reprinting,reuse ofillustrations,recitation,broadcasting,reproductiononmicrofilmsorinanyotherphysicalway,and transmissionorinformationstorageandretrieval,electronicadaptation,computersoftware,orbysimilar ordissimilarmethodologynowknownorhereafterdeveloped. Theuseofgeneraldescriptivenames,registerednames,trademarks,servicemarks,etc.inthispublication doesnotimply,evenintheabsenceofaspecificstatement,thatsuchnamesareexemptfromtherelevant protectivelawsandregulationsandthereforefreeforgeneraluse. Thepublisher,theauthorsandtheeditorsaresafetoassumethattheadviceandinformationinthisbook arebelievedtobetrueandaccurateatthedateofpublication.Neitherthepublishernortheauthorsor theeditorsgiveawarranty,expressedorimplied,withrespecttothematerialcontainedhereinorforany errorsoromissionsthatmayhavebeenmade.Thepublisherremainsneutralwithregardtojurisdictional claimsinpublishedmapsandinstitutionalaffiliations. ThisSpringerimprintispublishedbytheregisteredcompanySpringerNatureSingaporePteLtd. The registered company address is: 152 Beach Road, #21-01/04 Gateway East, Singapore 189721, Singapore Foreword Relations (between persons, between entities and between contexts) are nowadays increasinglydigital;theydeveloponline,inacontextcharacterisedbythehegemony, nownotonlycommercial,ofonlineplatforms.Thesocial,cultural,legalandanthro- pologicalrevolutionbroughtaboutbydigitaltechnologyhastakenplaceatsucha speedthatthelawhasbeenforcedtotakeupanunequalstride.Theregulatorysector that has been able to provide an adequate and far-sighted regulation (because it is basedonthecombinationofsolidprinciplesandsomeessentialrules)isthatofdata protection.Thisdisciplineisparticularlyrelevantforthegovernance ofthedigital world as it acts on the conditions of circulation of what, like data, constitutes the primaryfactorofthedigitalecosystem,theobjectofafundamentalrightand,atthe sametime,anincreasinglyattractiveeconomicresourceforplatformcapitalism. Thisdemonstrateshow,inasubjectsuchasthis—whichisexposedtoaninces- santevolutionbothintermsofinterpretationandapplicationandtothecontinuous comparisonoftherulewithconcretecaseswhicharealwaysnewandwithunprece- dentedcharacteristics—theinterpreterhasanessentialneedforguides,toolscapable ofguidingtheanalysisandthechoiceamongtheoptionswhichareoftenpossible, among the various meanings which the same provision can support. Hence, the scholarly reflection is irreplaceable on a subject that has recently known—along- side several and important innovations of the jurisprudential formant—the ‘revo- lution’ of the GDPR and the relative national regulations of adaptation, as well as theveryimportantnoveltiesoftheDirective2016/680(so-calledLawEnforcement Directive),withtheinternaltranspositionlaw. In such a complex regulatory framework, it is therefore extremely essential to adopt—asthisbookdoes—asynopticperspective,whichconstantlyreferstoevery single provision within the broader context in which it is placed. Above all, the ability to grasp the social function of this extraordinary right—which has never beena‘tyrant’—inthebalancewithotherrelevantlegalinterests,recallingthatthe processing—liketheGDPRstates—shouldbedesignedtoservemankind. Thisbookillustratesimportantaspectsofthedataprotectiondiscipline,something profoundly innovated, first and foremost, by the choice of the European legislator toreplaceaharmonisationinstrumentsuchasthedirectivewithaninstrumentsuch as the regulation, which is also applicable to the processing of personal data by a v vi Foreword controllerorprocessornotestablishedintheEU,wheretheprocessingactivitiesare relatedtoanofferofgoodsorservicestodatasubjectsinEuropeorthemonitoring oftheirbehaviour. Allthisisbeingpursuedinaframeworkthatconstitutesanewchallengeforall operatorsinvolved,startingwiththecontroller.Thelatterisgivennewpossibilities to use data, in the sharing economy, with a much more dynamic and articulated relationship between consumer and business. Equally significant, as underlined in severalpassagesofthebook,isthestrengtheningoftherightsofthedatasubject,with new implications such as data portability—which makes it possible to reassemble thepiecesofthemosaicofourdigitalself,whilealsoprotectingcompetitionfrom lock-inphenomena—andtherighttoerasure. Therights-orientedapproachonwhichtheGDPRisbasedalsoimpliesashiftfrom mainlyremedialprotection,i.e.atalaterstage,toessentiallypreventiveprotection, withasimultaneousstrengtheningoftherightsofthedatasubject.Thisprotectionis particularlyrelevantbecauseoftheriskthattraditionalsafeguards,suchasconsent andinformation,becomerelativeinthecontextoftheIoT(asitiswellunderlined) andofmassivedatacollections,whichareoftenbeyondindividualcontrolduetothe fragmentationofthedatamanagementprocessalongachainwithmultiplelinks. Butperhapsthemostsignificantexpressionofthepreventiveapproachconcerns the overall responsibilities of the controller, towards the adoption of a business strategy founded on data protection. This also considers that the same violation oftheprincipleofaccountabilityintegrates,likethenon-compliancewiththeother principles, the extremes of an autonomous infringement. On this aspect, the book offerssomepointsofnotableinterestandparticularhelpfortheinterpreter,which willbepreciousalsointheapplicativephase,plumbingthevariousdeclinationsof data protection in the most varied sectors: from the app economy to the power of onlineplatforms,fromtheprotectionofminorstotheIoTandfromtherelationship betweenprivacyandpublichealthtocybersecurity. It also correctly underlines the European dimension in which data protection lives,asaresultoftheCourtofJustice’scaselawandoftheimportanceofcooper- ationprocedures,whichareperhapsthemosteloquentexpressionsoftheEuropean aspirationtoachieve‘onecontinent,onelaw’. The distinctive feature of the book, which makes it even more appreciable, is its integration, with continuous cross-references, of the ‘operational’ and concrete dimensionwiththetheoreticalperspectiveandthenormativeanalysis,enrichedby thecomparisonwiththejurisprudentialsolutionsthathavemostlycharacterisedthe dataprotectiondisciplineanditsprinciplesinthelivinglaw. In this sense, for example, the reflections on location data and tracing apps are valuable,especiallyinlightofthedevelopmenttheyhavehadforepidemiological purposesduringthepandemic. AlsoimportantarethereflectionsonAI-basedbusinessdecisionsandblockchain, whichwillincreasinglyrepresentafundamentalcomponentofourfuture. Thecontributiononpersonaldataasacounter-performanceisalsoveryimportant, as it represents a challenging issue on which Europe can really provide a guide to Foreword vii preventthemerelogicofprofitfromprevailingovertheprotectionoffundamental rights. Additionally, the reflection on the legal effects of the digital divide, which is todaythemodernversionofinequalityandrepresentstheareainwhichtrulysocial democraticpublicpoliciesshouldinvesttheirbestresources,isimportant. Thedataprotectionregulationis,therefore,agreatstepforwardinthedirectionof balancedgovernanceofthetechnologicalinnovationsthathaveprofoundlychanged oursociety.However,thesuccessofthis‘gamble’willdependonitssocialstability, onitsabilitytobecometheformandruleofactionforcitizensandprivateandpublic entities.Paperslikethisoneareanimportantstepinthatdirection. Solopaca,Italy PasqualeStanzione PresidentoftheItalianDataProtectionAuthority About This Book Intheworldoftoday,ithasstartedtobecomedifficulttodistinguishadata-driven economyfromthesocialsystemasawhole,aswellasthereal-lifeofanaturalperson fromitsvirtuality.Individualinterests,choicesanddatahavealreadybeenusedby software services not only for commercial purposes across the digital landscape butalsoforhelpingusers,consumersandcitizenstoobtaindigitalproductsandto accessdailyservicesmoreeasily,aswellasmakingpeoplestayconnectedonsocial platforms. Nevertheless,personaldatahavebeenconsideredthe‘newoil’ofpresenttimes. Huge amounts of data are increasingly accumulated by Tech Giants—and public governments—in the globalised world. Digital companies are currently able to analyse (Big) data in order to anticipate granular decisions and target end-users withpersonalisedadvertisements.Thelattertaskbelongsnottohumanbeings,but itiscarriedoutbyArtificialIntelligencemeans,algorithmsandmachinelearning, which are designed for executing thousands of operations in one second. In this respect, data mining and personal information flow have given rise to a new era, betterknownastheageofinformationeconomy,whosedegenerations,intermsof nudgingindividuals,leadto‘surveillancecapitalism’. A concrete example of the above-mentioned portrait can be seen in the reengi- neeringprocessofstandardsoftwarecodinganddevelopmentinthefieldofmobile applications(so-called‘apps’).Appsseektoappearmoreuser-friendlyfortheirusers, upuntilthepointthattheyarecapableofclinchinganagreementsimplywithafew touches. The associated business model involves not only the e-commerce sector butcanbeseenasastandardofmanyotherinformationsocietyservices,inwhich individualsactuallydeveloptheirownpersonalityandhavesocialinteractions,for obtainingever-greaterdatafromtheirusers(e.g.socialnetworks). Allthosesolutionsusuallyrelyondigitalidentitiesanduseraccounts,whichare basedupon‘informationrelatingtoanidentifiedoridentifiablenaturalperson’,under the Regulation (EU) 2016/679—General Data Protection Regulation (GDPR)— whichdefinestheconceptofpersonaldata. Efficiency and wealth should not have the upper hand over individuals’ funda- mental rights and freedoms, taking into particular account human dignity. In this direction,theEUlawapproachismovingtowardsaproactivemanagementstrategy. ix x AboutThisBook In essence, it is strongly required to make previous risk assessments and harsh controls for better evaluating the forthcoming data usage in online systems and web apps. The data controller is asked to implement appropriate technical and organisational measures, as well as security tools for the processing of personal data,whichhavetobedesignedtobetterenforcedataminimisation,cybersecurity, systemresilience,etc.,followingtheprincipleoftransparencyandthemultiplechal- lengesledbynewtechnologies(e.g.blockchain).Accordingly,arenovatedapproach concerningtechnicalmeanstobeadoptedmustbecarriedoutbydevelopingprivacy- friendlyandtrustedsoftwareproductsfromtheverybeginning,inaccordancewith dataprotectionbydesignandbydefaultsettings. Building up such a pre-set data management system is still far from increasing citizens’awarenessonwhichdataarecollected,forwhatpurposesandsoon,since thedataflowisfarfrombeingatleastpotentiallyunderstoodbydatasubjects,further enablingthemtofullyexercisetheirrights(righttodataaccess,righttoerasure,right todataportability,etc.). Intheageofdatafication,anybreachoftherighttoprivacyanddataprotection isperceivedbyindividualsaslessrelevantthanotherrestrictionsofpersonalfree- doms.Forexample,whenthetradersuppliesdigitalcontentsordigitalservices,the consumerusuallypaysmoreattentiontothepricethantopersonaldata—notstrictly functional for the performance of a contract—provided to the trader (although the respectoffundamentalvalues,suchaspersonalidentity,wishestonotconsiderdata as a mere commodity). Besides, cookies, which also serve to track online users’ behaviour,areoftenconsideredannoyingpop-upadswhichhavetobeclosedimme- diately.Mostoftheseaspectsintensifytheproblem,suchasinthecaseofchildren whohaveeasyaccesstotheNetandwhosettleeverydaytransactionswithoutadult supervision. Following this heuristic perspective, this book is structured in three sections: ‘Problems’ (Part I), ‘Perspectives’ (Part II) and ‘Applicable Solutions’ (Part III). PartIidentifiesthecurrentdiscussionsabouttheissuesthattheregulationofInfor- mationandCommunicationTechnologies(ICT)posestothedominantdatafication process,especiallyfortheprocessingofpersonaldatacarriedoutbydigitalservice providers. Part II identifies several points of view that each actor who deals with dataprotectionintheonlineenvironmenthastofacenotonlyintheabstractbutalso inthecontext,bycoveringthewholesoftwaredevelopmentlife-cycle.InPartIII,a specialfocusisgiventotheuseofcertaintechnologies,whichmaycertainlyleadto enormousbenefitsforbothend-usersanddigitalcompanies,ifcorrectlysetupfrom boththelegalandtechnicalsides. Thepassage,fromaformalisticvisionandadefensiveapproachofinformation privacytoafactualapproachandsubsequentriskassessment,surelyrequiresachange ofparadigm.Itneedstoexperienceanewoperationalapproachamidtechnological developmentandindividuals’fundamentalrightsandfreedoms,byplacinghuman beingsatthecentreofthediscourse.Accordingly,theaimofthisbookistocreatea bridgebetweentwo‘lands’thatareusuallykeptseparate:technicaltoolsandlegal rules, instead, they should be bound together for moulding a special ‘toolbox’ to solve present and future issues. The following pages are intended to contribute to