Please find below a summary of the lectures given on day #1 of the Interdisciplinary Summerschool on Privacy (ISP 2016), held at Berg en Dal this week. There were lectures by Eleni Kosta on the General Data Protection Regulation (GDPR) and Lilian Edwards on consent in the Internet of Things and Smart Environments.
Eleni discussed the new European General Data Protection Regulation (GDPR). In the notes below, I will not cover everything she said, but only the points that were deemed significant or that sparked discussion with the audience.
According to Eleni, the new GDPR will have significant impact on all of us.
First, some basic information about European legal instruments.
A common mistake: the GDPR only applies to natural persons (i.e. living people), so it does not apply to dead people or to companies.
The GDPR regulates the use of personal data, defined as any information relating to an identified or identifiable natural person. What this means in practice is determined by the community at large (in dialogue with technical people, for example), and may change over time or with context.
Processing: for a lawyer, anything you do with data is processing. So storage is processing. Even when personal data is stored on paper, this counts as processing, provided the handling and storage of the data is somehow structured.
Then there is the difference between data controller and data processor. The controller decides the means and purposes of the processing of the personal data. The processor processes the data on behalf of the controller, as agreed with the controller. In cloud contexts these roles get diffuse, as there is typically not a single entity that controls both the purposes and the means. Usually the means are decided on by the processors (as they control the technology).
Material scope: the regulation does not apply to e.g. purely personal or household activity, although the exact interpretation is not quite clear. Keeping a local contacts database on your mobile phone is not covered by the regulation, but collecting e.g. location data about your family members through an app may not be exempted.
Extraterritorial scope: the regulation applies to any data subject who resides within the European Union (even an illegal immigrant), and to any controller or processor, even those outside of the European Union, when they offer goods and services to such data subjects or monitor their behaviour. (As a result, companies may force you to reveal your location, which may lead to weaker privacy protection!) Privacy Shield offers protection for data transfers beyond these cases (i.e. beyond controllers that offer goods and services or monitor behaviour).
There is a fundamental difference between the level of protection offered in the US versus Europe. In Europe data protection already applies when collecting data, while in the US privacy protection only applies when data is used; the collection itself is out of scope of any protection in the US.
Lawfulness: when data is available on the Internet, you cannot just go and use it. Processing personal data, even if it is already available online, must be based on one of the legal grounds listed in the GDPR. For example, you are not allowed to collect, say, millions of public tweets for research purposes.
Google still has to comply with the GDPR, even if you agreed to its privacy policies.
Consent needs to be freely given, specific, informed and unambiguous (this clarifies what consent means). It can be given by a statement or a clear affirmative action (like checking a box). A controller must be able to demonstrate that consent was given. For children consent is problematic, because consent is only valid when given by someone who is at least 16 years of age (member states may lower this to 13); below that age, consent must be given by the holder of parental responsibility. How do you know that someone is older than 16? How do you know that the person giving consent actually holds parental responsibility? (There is an onus on the data controller to verify this.)
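To make the requirement to demonstrate consent concrete, here is a minimal sketch in Python, assuming a hypothetical service that logs every consent event with enough context (purpose, mechanism, notice version, timestamp) to show later how consent was obtained. All names and fields are illustrative, not prescribed by the GDPR.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

@dataclass
class ConsentRecord:
    """One auditable consent event, kept so the controller can later
    demonstrate that (and how) consent was given. Hypothetical fields."""
    subject_id: str          # pseudonymous identifier of the data subject
    purpose: str             # the specific purpose consent was given for
    mechanism: str           # the affirmative action, e.g. "checkbox ticked"
    policy_version: str      # which version of the privacy notice was shown
    timestamp: str           # when consent was given (UTC, ISO 8601)
    parental_consent: bool   # True if given by a holder of parental responsibility

record = ConsentRecord(
    subject_id="user-4711",
    purpose="newsletter marketing",
    mechanism="checkbox ticked on signup form",
    policy_version="2016-06-01",
    timestamp=datetime.now(timezone.utc).isoformat(),
    parental_consent=False,
)
print(json.dumps(asdict(record), indent=2))
```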
Sensitive data is the area where most mistakes are made, because most people interpret this as data that is sensitive to them personally. This is incorrect: the GDPR gives a clear, limitative definition of what is (and what is not) sensitive data: data about race or ethnic origin, political opinions, religious or philosophical beliefs, and sexual orientation. The coverage is more extensive than that of the (older) Data Protection Directive. Member states may introduce further conditions on genetic data, biometric data and health data, which means we will see divergence in these areas! Processing sensitive data is allowed only in specific cases. Interestingly enough, this includes the collection of data manifestly made public by the data subject! (This is not true for ordinary, non-sensitive data.) However, even though collection itself is allowed for such sensitive data, any further processing still has to comply with the restrictions and limitations imposed by the GDPR.
For Eleni, the weirdest article of the GDPR is Article 11, on processing not requiring identification. It is related to pseudonymisation, because it was introduced at roughly the same time, but it is unclear what its exact purpose is.
There is a new data subject right of restriction of processing. This allows data subjects to mark certain stored data to be excluded from further processing. This is useful if the data cannot be erased altogether because other laws require the data controller to keep the data for a certain (longer) period of time (e.g. for fiscal reasons).
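A minimal sketch of how such a restriction could look in a (hypothetical) data model: restricted records remain stored, e.g. to satisfy fiscal retention duties, but are skipped by every further processing step.

```python
# Hypothetical record store: each record carries a "restricted" flag.
records = [
    {"subject": "alice", "invoice": 120.00, "restricted": False},
    {"subject": "bob",   "invoice":  80.00, "restricted": False},
]

def restrict(records, subject):
    """Mark a subject's data as restricted rather than erasing it."""
    for r in records:
        if r["subject"] == subject:
            r["restricted"] = True

def for_processing(records):
    """Return only the records that may still be processed further."""
    return [r for r in records if not r["restricted"]]

restrict(records, "bob")        # Bob invokes his right of restriction
print(for_processing(records))  # only Alice's record is processed further
```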
Also new are the right of erasure (the right to be forgotten) and the right to data portability. The latter allows users to obtain a structured, machine-readable copy of all the personal data stored by a service. For example, this gives Facebook users the right to request a full copy of their personal profile, in order to move it to a different social network, like Diaspora!
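What such a structured, machine-readable copy could look like is sketched below, using JSON as the (hypothetical) export format; the service and fields are made up for illustration.

```python
# A minimal sketch of a data-portability export: the service hands the data
# subject a structured, machine-readable copy of their personal data as JSON,
# which another service could import. All data here is fictional.
import json

profile_export = {
    "subject": "alice@example.org",
    "exported_at": "2016-07-04T10:00:00Z",
    "profile": {"name": "Alice", "joined": "2012-03-14"},
    "posts": [
        {"date": "2016-06-30", "text": "Greetings from Berg en Dal!"},
    ],
    "contacts": ["bob@example.org"],
}

with open("takeout.json", "w") as f:
    json.dump(profile_export, f, indent=2)
```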
According to Eleni, the most groundbreaking provision of the GDPR (Article 22) requires companies that do fully automated processing and decision making to have human staff available to help data subjects who want to challenge the decisions made.
Article 25 on privacy by design and default creates clear obligations for technical people when designing systems.
Lilian's lecture dealt with consent in the Internet of Things and smart environments. A general problem we encounter in this space is the fact that smart environments promise huge societal benefits, while strong potential privacy invasions are associated with them as well.
Care robots appear, at first sight, to be great for supporting disabled and ageing people living at home. But isn't this in reality 24/7 surveillance, because all possible data is kept to train the robot and make it better?
Driverless cars will bring improved local transportation in rural areas (as a replacement for public transport), but they are also driving bugs, reporting their locations (and hence those of the people travelling in them) to the companies offering these services.
The Internet of Things (IoT) started with RFID tags: cheap, passive, short-range devices. Original concerns focused on retail use. Then things became more advanced, with smart cards in public transport and passports. Increasingly, data from these cards is requested by law enforcement, turning them into tracking devices too. Similar function creep happens elsewhere: information about your Fitbit was initially posted on your Facebook page by default. This was quickly changed from opt-out to opt-in!
Ambient environments weave themselves into the fabric of everyday life, becoming indistinguishable from it. Such an environment becomes more useful as it becomes less obvious, and hence less controlled by individual notice and choice.
How can smart cities and ambient environments be matched with the data protection ideal of privacy as an individual right to prior, informed control over the collection of data? When you move through public/private environments (like smart cities) you have no contract regulating the collection and use of your personal data. The only choice you have is to withdraw from public life.
Note that many of the individual traces may be anonymous and not linked to you as a person (e.g. the tracking of your steps through a shopping mall), but they can easily be linked to you using secondary sources (e.g. CCTV footage, or by connecting credit card use). There are ever more small devices, each collecting little bits of information about your behaviour, but sharing those bits with each other and with larger data platforms outside of the environment (your home, the shopping mall), allowing very invasive inferences about your person to be drawn.
Do IoT systems collect personal data at all? Personal data (in GDPR terms) must relate to a natural person, but originally the Internet of Things was about RFID tags attached to things (not persons). Many systems therefore claim that the data is anonymised, but the risk of re-identification is quite real in many cases (see above) when several data streams are combined, as the sketch below illustrates.
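A toy illustration of this linkage risk (all data made up): an "anonymous" movement trace through a shopping mall is re-identified by matching its times and places against an identified secondary source, here credit card receipts.

```python
# "Anonymous" sensor trace: (pseudonymous tag, time, location) triples.
steps = [
    ("tag-17", "12:01", "entrance"),
    ("tag-17", "12:15", "bookshop"),
    ("tag-17", "12:40", "cafe"),
]

# Identified secondary source: (name, time, location) from card receipts.
receipts = [
    ("Alice Jansen", "12:15", "bookshop"),
    ("Alice Jansen", "12:40", "cafe"),
]

def link(steps, receipts):
    """Map each pseudonym to the names whose (time, place) points coincide."""
    matches = {}
    for tag, time, place in steps:
        for name, rtime, rplace in receipts:
            if (time, place) == (rtime, rplace):
                matches.setdefault(tag, set()).add(name)
    return matches

print(link(steps, receipts))  # {'tag-17': {'Alice Jansen'}}
```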
And suppose IoT devices do collect personal data: how do you make that processing lawful? Consent is one of the lawful grounds (but problematic in smart environments). Other grounds are legitimate interests, necessity for the execution of a contract, or necessity for carrying out a task in the public interest; alternatively, the data can be anonymised.
Companies prefer consent because of public perception: it makes them appear more trustworthy and reliable. But many objects you use, especially ones you use implicitly, don't have user interfaces that allow you to give explicit, informed consent. Suppose a chair collects information about how long you sit on it. Consent could (theoretically) be given by putting a sign on the chair saying that by sitting down (an explicit action) you consent to this. But then the information given to you about the processing can only be very superficial, and the consent can hardly be called informed. (One approach could be to develop privacy icons that convey the most relevant information in a concise form.) And what if all objects around you become smart and require your explicit and informed consent? That would quickly become unmanageable!
Perhaps we need special rules for location data, because it is considered very sensitive. (But it is not classified as sensitive data in the GDPR, unfortunately.) There is law regulating the use of location data collected by mobile phones (in the ePrivacy directive), but this does not cover, for example, the data collected by Google Streetview (which is not location data in this sense, and is not collected by the terminal equipment of a user). In general, the ePrivacy directive was not created to protect against the risks associated with the Internet of Things. But in the context of location based services, consent is required to process location data. The question is whether an RFID tag counts as 'terminal equipment' (which would make the ePrivacy directive applicable).
Traditional forms of choice and consent are thus seen to be broken. Where to go from here? One approach is to design systems to be more privacy friendly (privacy by design). Another approach is to design semi-automated ways of giving consent, e.g. using home dashboards, or pre/sticky consent given by autonomous agents running on your mobile phone or active in the network on your behalf (a sketch of the idea follows below). These are risky, coming dangerously close to blanket consent: do you know what the future will look like when you train or instruct a system to also give consent for you in that future? Finally, a stronger form of algorithmic transparency would at least help us see what the potential impacts are.
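To illustrate why such consent agents border on blanket consent, here is a minimal sketch of a (hypothetical) pre/sticky consent agent: rules recorded once are later applied to future, possibly unforeseen requests. All device types and purposes are made up.

```python
# The user's pre-recorded preferences: (device type, purpose) -> decision.
preferences = {
    ("seating sensor", "usage statistics"): True,
    ("seating sensor", "advertising"): False,
    ("location beacon", "navigation"): True,
}

def consent(device_type, purpose):
    """Answer a consent request on the user's behalf; combinations the user
    never anticipated are refused and escalated for an explicit decision."""
    decision = preferences.get((device_type, purpose))
    if decision is None:
        print(f"escalating to user: {device_type} / {purpose}")
        return False
    return decision

print(consent("seating sensor", "usage statistics"))  # True
print(consent("smart mirror", "emotion analysis"))    # escalated, then False
```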
For privacy icons we need the equivalent of the electrical spark used on warning signs, which captures the (intangible) concept of electricity!