European Data Protection: In Good Health?
Serge Gutwirth, Ronald Leenes, Paul De Hert, Yves Poullet
Editors
Serge Gutwirth, Center for Law, Science, Technology and Society Studies (LSTS), Vrije Universiteit Brussel (VUB), Pleinlaan 2, Brussels, Belgium
Paul De Hert, Center for Law, Science, Technology and Society Studies (LSTS), Vrije Universiteit Brussel (VUB), Pleinlaan 2, Brussels, Belgium
Ronald Leenes, Tilburg Institute for Law, Technology, and Society (TILT), Tilburg University, Warandelaan 2, AB Tilburg, The Netherlands
Yves Poullet, Research Centre for Information Technology & Law, University of Namur, Rempart de la Vierge 5, Namur, Belgium
ISBN 978-94-007-2902-5
e-ISBN 978-94-007-2903-2
DOI 10.1007/978-94-007-2903-2
Springer Dordrecht Heidelberg London New York
Library of Congress Control Number: 2012931001
© Springer Science+Business Media B.V. 2012
No part of this work may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, microfilming, recording or otherwise, without written permission from the Publisher, with the exception of any material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work.
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)
Preface
The informational society is in a state of constant flux. After the adoption of the Internet as a prominent channel of information (websites) and communication (e-mail, chat, IM, VOIP), we are now witnessing a transition whereby internet infrastructure is also used for storing and processing data. Cloud computing is replacing direct control of data on local devices with flexibility, scalability and accessibility from anywhere. Cloud computing however also complicates the privacy and data protection landscape because crucial concepts such as the ‘data controller’ and consequently their responsibilities, liabilities, duties, and the ‘purpose of the processing’ (which indicates what a processing is), are (further) blurred.
Next to this, we face an enormous growth of tracking, monitoring and surveillance applications. Automatic number plate recognition is not only being used to detect passing cars that are already on black-lists, but increasingly as a blanket method of collecting the number plates of all passing cars, only to be analysed afterwards in order to detect interesting or pertinent correlations. This shift from targeted to all-round monitoring is significant because it is at odds with and undermines the constitutional principle of the presumption of innocence, by actually turning it upside down. In the domain of commerce, internet users are increasingly taking for granted the free services that the internet offers, whilst ignoring the manner in which it works from the perspective of the service providers and the webmasters. The bottom line is however that if you do not pay for a service, you are not the customer, but rather the product that is actually being sold (to advertisers). The monitoring and profiling of online behaviour is the driving force in advertising, even though it may be to the detriment of human rights such as autonomy, privacy, data protection, non-discrimination, due process and dignity.
Although Europe has a significant legal data protection framework, built up around EU Directive 95/46/EC and the Charter of Fundamental Rights, the question of whether data protection and its legal framework are ‘in good health’ is increasingly being posed. Advanced technologies raise fundamental issues regarding key concepts of data protection and especially the relationship between the various stakeholders.
Falling storage prices, increasing chips performance, the fact that technology is becoming increasingly embedded and ubiquitous, the convergence of technologies and other technological developments are broadening the scope and possibilities of applications rapidly. Society however, is also changing, affecting the privacy and data protection landscape. The ‘demand’ for free services, security, convenience, governance, etc., changes the mindsets of all the stakeholders involved. Privacy is being proclaimed dead or at least worthy of dying by the captains of industry; governments and policy makers having to manoeuvre between competing and incompatible aims; and citizens and customers are considered to be indifferent.
In the year in which the plans for the revision of the Data Protection Directive will be revealed, the current volume brings together a number of chapters highlighting issues, describing and discussing practices, and offering conceptual analysis of core concepts within the domain of privacy and data protection. The chapters were written for and following upon the 4th international Computers, Privacy and Data Protection (CPDP2011) Conference: In good health?¹ The CPDP-conferences are annually held in Brussels. In 2011 the venue has been Les Halles, a prestigious cultural location offering facilities for both large plenary sessions, smaller interactive sessions and also small get-togethers. The conferences offer a unique format bringing together academics, (legal) practitioners, policy-makers, business representatives, data protection authorities, civil society representatives, activists and artists. They represent a multidisciplinary forum for participants with backgrounds in law, social sciences, technology, and humanities where the participants can exchange ideas, discuss current trends and issues regarding privacy and data protection, and (initiate) work towards solutions. The conference is composed of panels, side tracks, and side events, such as artistic displays related to privacy and data protection. The speakers and panellists are invited by the organisers or selected on the basis of an open call.
Selected papers are published afterwards. This has already resulted into three edited volumes: Reinventing data protection? (2009), Data Protection in a profiled world (2010) and Computers, privacy and data protection: an element of choice (2011). The present volume represents the sequel of the conference held in Brussels from 25–27 January 2011, just prior to the European Privacy Day (28 January 2011). The central theme was to what extent the current regulatory framework and practices are “in good health”, and hence fit to cope with the ever changing information society in a time where the reviews of the existing legal framework both in the various EU member states as well as on the European level have become available and the renovation of the Data Protection Directive is in the works.
This book brings together a carefully selected set of papers that fit within the overall theme. Some of the chapters have first been submitted as abstracts and were peer reviewed before being presented at the “PhD evening event” of CPDP2011. They were subsequently resubmitted as full papers. Further chapters were also submitted by participants to the conference. All full papers have been peer reviewed by at least two anonymous readers, of which the comments were sent to the authors, who were required to take them into account (or reason why not). Versions were then subsequently checked for a final review. We are happy to take this opportunity to sincerely thank the reviewers who assisted us in this process: Pedro Bueso, Jean-François Blanchette, Johann Cas, Cecile De Terwangne, Els Debusser, Simone Fischer-Huebner, Catherine Flick, Raphael Gellert, Gloria Gonzàlez-Fuster, Marit Hansen, Hans Hedbom, Mireille Hildebrandt, Simone van der Hof, Bert-Jaap Koops, Daniel Le Métayer, Leonardo Martucci, Charles Raab, Joseph Savirimuthu, Marc Van Lieshout and Tal Zarsky.²
¹ For more information about the CPDP-conferences, see http://www.cpdpconferences.org.
The various contributions have been grouped into three themes. The book’s first part focuses on surveillance, profiling and prediction. The information society thrives on the processing of (personal) data. This appears to be an open door, but what many people do not realise is that many data are processed unbeknownst to those involved. One can readily understand that online shops need certain data to perform contracts, but the amount of data processed prior to contracting far surpasses any need. By means of profiling, the internet users are drawn towards service providers and service offers. These profiles are based on behaviour (e.g., mouse clicks on websites), rather than on conscious data entries by those concerned. What’s more, people are being monitored and profiled in public and private spaces. The resulting data is used for direct interventions, such as stopping individuals driving cars with license plate numbers found in a black-list in an ANPR system. Such data are also being used however to construct risk profiles used to predict future behaviour of both you and others. This section both describes practices in the public and private sector.
The second part of the book focuses on regulation, enforcement and security. It addresses governance issues and looks at the effectiveness and characteristics of various enforcement instruments, for example self regulation and data protection authorities. It also carves out the possibilities and difficulties of legal (law) enforcement in complex environments, for instance cloud computing and cross border police cooperation.
The third section then turns to some of the fundamental concepts in the area of privacy and data protection. It looks at trust in the context of cloud computing, highlighting that even if the data protection legal framework is suited for this environment, its opacity and complexity requires that users are able to trust service providers to behave appropriately. It also addresses the concept of personal data in addition to discussing the widely felt need for reliable electronic identities and the legal challenges in this area. Furthermore, the scope of data protection rights is scrutinized with a view of protecting individuals rather than protecting data. The prospect of using technology to enforce data protection obligations and rights (privacy by design, privacy enhancing technologies) is often coined as one way to improve the position of European citizens. As such, it is one of the pillars of the renewal of the Directive (COM(2010) 609 final). However, implementing legal provisions in computer systems is far from trivial. The final chapter is an essay on another crucial aspect in the Directive’s overhaul: the right to be forgotten.
Reading the various chapters, it appears that the ‘patient’ needs to be cured of quite some weak spots, illnesses and malformations. European data protection is at a turning point and the new challenges are not only accentuating the existing flaws and the anticipated difficulties, but also, more positively, the merits and the need for strong and accurate data protection practices and rules in Europe, and elsewhere. We hope that the present book will be useful and contribute to the work done to revise the European Data Protection Directive.
Serge Gutwirth
Ronald Leenes
Paul De Hert
Yves Poullet
² In respect of the diversity of nationalities, disciplines, and perspectives represented in this book, the editors and the publisher have left the choices concerning the use of footnote references and/or a bibliography to the authors of the contributions.
Contents
Part I Surveillance, Profiling and Prediction
1 We Are All Connected to Facebook... by Facebook!
   Arnold Roosendaal
2 Behavioural Tracking on the Internet: A Technical Perspective
   Claude Castelluccia
3 Privacy for Loan Applicants Versus Predictive Power for Loan Providers: Is It Possible to Bridge the Gap?
   Charlene Jennett, Miguel Malheiros, Sacha Brostoff and M. Angela Sasse
4 Cookie Wars: How New Data Profiling and Targeting Techniques Threaten Citizens and Consumers in the “Big Data” Era
   Jeff Chester
5 The Data Mining Balancing Act
   Tal Z. Zarsky
6 Managing Suspicion and Privacy in Police Information Systems
   Vlad Niculescu-Dinca
Part II Regulation, Enforcement and Security
7 The Set Up of Data Protection Authorities as a New Regulatory Approach
   Philip Schütz
8 Information Sharing in the Area of Freedom, Security and Justice—Towards a Common Standard for Data Exchange Between Agencies and EU Information Systems
   Franziska Boehm
9 The Adequacy of an EU-US Partnership
   Els De Busser
10 Law Enforcement in the Clouds: Is the EU Data Protection Legal Framework up to the Task?
   Maria Grazia Porcedda
11 Privacy Self-regulation Through Awareness?
   Carla Ilten, Daniel Guagnin and Leon Hempel
Part III Concepts and Prospection
12 Privacy Penetration Testing: How to Establish Trust in Your Cloud Provider
   Christian W. Probst, M. Angela Sasse, Wolter Pieters, Trajce Dimkov, Erik Luysterborg and Michel Arnaud
13 Review of the Data Protection Directive: Is There Need (and Room) For a New Concept of Personal Data?
   Mario Viola de Azevedo Cunha
14 Towards a European eID Regulatory Framework
   Norberto Nuno Gomes de Andrade
15 From the Protection of Data to the Protection of Individuals: Extending the Application of Non-discrimination Principles
   Daniel Le Métayer and Julien Le Clainche
16 On the Principle of Privacy by Design and its Limits: Technology, Ethics and the Rule of Law
   Ugo Pagallo
17 The Right to Forget, the Right to be Forgotten
   Ivan Szekely
About the Authors
Michel Arnaud is a professor in information and communication sciences at the University of Paris Ouest Nanterre la Défense, where he leads the research on usages of ICT tools for online learning. Specific domains of Michel’s interest cover public access to Internet and standards for e-learning. Besides, he has worked on studies on privacy and personal data protection in several French and European projects.
Franziska Boehm is a research assistant at the University of Luxembourg where she is also preparing her PhD thesis on the information sharing in the Area of Freedom, Security and Justice. After having obtained the Licence en Droit in 2003 (University of Nice, France) and the German state exam in law in 2006, she specialized in European data protection law and obtained a Master in this field in 2007 (University of Gießen, Germany). Her research focuses on the data protection rights of individuals, in particular in a law enforcement context.
Sacha Brostoff is a Research Associate currently working on the PVNets project in the Information Security Research Group at the Department of Computer Science, University College London, UK. An Ergonomist by training, he specialised to HCI research, gaining his Ph.D. in the late 90s in the usability of password mechanisms under the supervision of Prof. Sasse. He continues to work on the usability of authentication mechanisms, and anti-phishing/anti-counterfeiting. Homepage: http://sec.cs.ucl.ac.uk/people/sacha_brostoff/.
Claude Castelluccia is senior researcher (directeur de recherché) at INRIA (French National Research Center in Computer Science) in France where he leads a research group on computer and network security/privacy. He has spent 15 years in academic research in several well-known research institutes (such as INRIA, Stanford University and University of California, Irvine). His specific area of expertise includes networking security and privacy.
Jeff Chester is the executive director of the Center for Digital Democracy (CDD), a Washington, D.C. non-profit.
CDD’s mission is to foster democratic expression and consumer protection in the digital media era. A former journalist and filmmaker, his work has appeared in many publications and on PBS and NPR. He co-founded and was the executive director of the Center for Media Education, a leading force