legal & ethical data sharing prof.dr. Ronald Leenes r.e.leenes@uvt.nl TILT - Tilburg Institute for Law, Technology, and Society

Transcription

1 legal & ethical data sharing prof.dr. Ronald Leenes TILT - Tilburg Institute for Law, Technology, and Society

2 overview the problem revisited secondary use data protection regulation Data Protection Directive 95/46/EC e-privacy Directive 2002/58/EG privacy by design (D)PIA

3 the problem revisited Lots of data pass SURFnet raw data traffic data (metadata) What can be shared with academic researchers? Under which conditions?

4 traffic data (aka meta data)

5 packet dump

6 Directive 95/46/EC (data protection directive) Wet bescherming persoonsgegevens TILT - Tilburg Institute for Law, Technology, and Society

7 data protection goals facilitate free flow of information provide minimum level of data protection TILT - Tilburg Institute for Law, Technology, and Society

8 personal data means any information relating to an identified or identifiable person (the "data subject"). art 2 (a) Data Protection Directive 95/46/EC TILT - Tilburg Institute for Law, Technology, and Society

9 identifiable every person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, mental, economic, cultural or social identity. art 2 (a) Data Protection Directive 95/46/EC TILT - Tilburg Institute for Law, Technology, and Society

10 Ronald Leenes TILT - Tilburg Institute for Law, Technology, and Society

11 TILT - Tilburg Institute for Law, Technology, and Society

12 social security # TILT - Tilburg Institute for Law, Technology, and Society

13 TILT - Tilburg Institute for Law, Technology, and Society

14 Jef Raskin, Apple Computer Inc. employee # 31 Jef Raskin died on 26 Feb 2005 TILT - Tilburg Institute for Law, Technology, and Society

15 TILT - Tilburg Institute for Law, Technology, and Society

16 TILT - Tilburg Institute for Law, Technology, and Society

17 we re often identifiable TILT - Tilburg Institute for Law, Technology, and Society

18 personal data identifiers + identifying sets of attributes name, address telephone number, student number, BSN hair color + height personal data age, name, hear color, weight, gender grades, income, buying habits TILT - Tilburg Institute for Law, Technology, and Society

19

20 extensional confusion TILT - Tilburg Institute for Law, Technology, and Society

21 named v. singled out TILT - Tilburg Institute for Law, Technology, and Society

22 IP address? TILT - Tilburg Institute for Law, Technology, and Society

23 fuzzy history Art 29 WP 1999 some IP s are personal data (static) 2000 for ISP s they are 2007 reasonable effort, but consider them personal data 2008 (search engines) IPs are pd (because of additional data) CBP 2001 (no), 2008 (yes) TILT - Tilburg Institute for Law, Technology, and Society

24 Munich case website operators are allowed to store the internet protocol (IP) addresses of their visitors without violating data protection legislation. Without additional information, IP addresses do not count as personal data, it said. TILT - Tilburg Institute for Law, Technology, and Society

25 Google: IPs are not PII (most of the time) TILT - Tilburg Institute for Law, Technology, and Society

26 "[ ] we gather certain information automatically and store it in log files. This information includes Internet Protocol (IP) addresses, browser type, Internet Service Provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data. We use this information, which does not identify individual users, to analyze trends, to administer the site, to track users movements around the site and to gather demographic information about our user base as a whole." Apple.com privacy policy TILT - Tilburg Institute for Law, Technology, and Society

27 named v. singled out TILT - Tilburg Institute for Law, Technology, and Society

28 Court of Justice EU 24 Nov. 2011, case 70/10 Scarlet v. SABAM IP addresses are protected personal data "because they allow those users to be precisely identified" TILT - Tilburg Institute for Law, Technology, and Society

29 lesson IP adresses are personal data (certainly for SURFnet affiliated organizations) TILT - Tilburg Institute for Law, Technology, and Society

30 GDPR art 4 (2) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); art 4 (2a) 'pseudonymous data' means personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution; TILT - Tilburg Institute for Law, Technology, and Society

31 , but Recital (24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses, cookie identifiers and Radio Frequency Identification tags, this Regulation should be applicable to processing involving such data, unless those identifiers do not relate to an identified or identifiable natural person. TILT - Tilburg Institute for Law, Technology, and Society

32 Directive 95/46/EC (data protection directive) TILT - Tilburg Institute for Law, Technology, and Society

33 fairness rinciples fair and lawful processing finality for specific and legitimate purposes proportionality adequate, relevant and non excessive transparency inform data subject

34 rinciples confidentiality keep data under control control user involvement and control

35 data sharing

36

37 SURFnet: ata purpose + proce processing ground

38 processing ground

39 unambigiously given consent rt. 7 legi necessary for performance of contract legal obligation vital interest of data subject public interest legitimate interest of controller

40 unambigiously given consent rt. 7 legi necessary for performance of contract legal obligation vital interest of data subject public interest legitimate interest of controller

41 legitmate interest art 7 f ) DPD processing is necessary for the purposes of the legitimate interests pursued by the controller [or by the third party or parties to whom the data are disclosed], except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

42 art 7 balance legitimate interest sees to daily operations of data processor but extends to support activities e.g. fraud detection SURFnet: network security fundamental rights interests data subject privacy security

43 The processing of traffic data to the extent strictly necessary for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, and the security of the related services offered by, or accessible via, these networks and systems, by providers of security technologies and services when acting as data controllers is subject to Article 7(f ) of Directive 95/46/ EC. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping denial of service attacks and damage to computer and electronic communication systems. Directive 2009/136/EC - recital 53

44 art. 6 purpose, secondary use article 6 (1) Member States shall provide that personal data must be: b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. TILT - Tilburg Institute for Law, Technology, and Society

45 SURFnet: purpose To ensure the proper operation of the network and to protect its customers and users of the network.

46 SURFnet: purpose + ata processing shar ground academics: further processing compatible with purpose

47 sharing for research

48

49 research by academics?! two approaches extended networks security academics helping SURFnet limited by SURFnet s purpose specification academic research undefined function

50 3rd party controller processor data subject TILT - Tilburg Institute for Law, Technology, and Society

51 3rd party controller processor data subject TILT - Tilburg Institute for Law, Technology, and Society

52 3rd party controller processor data subject TILT - Tilburg Institute for Law, Technology, and Society

53 1. network security extending SURFnet s tasks SURFnet is controller (responsible!) academic researcher is processor (JANET model) Article Anyone acting under the authority of the responsible party or the processor, as well as the processor himself, where they have access to personal data, shall only process such data on the orders of the responsible party, except where otherwise required by law.

54 2. academic research Article 9 Wbp 1. Personal data shall not be further processed in a way incompatible with the purposes for which they have been obtained. 3. The further processing of personal data for historical, statistical or scientific purposes shall not be regarded as incompatible where the responsible party has made the necessary arrangements to ensure that the further processing is carried out solely for these specific purposes.

55 Article 10 conditions 1. Personal data shall not be kept in a form which allows the data subject to be identified for and longer than is necessary for achieving the purposes for which they were collected or subsequently processed. 2. Personal data may be kept for longer than provided under (1), where this is for scientific purposes, and where the responsible party has made the necessary arrangements to ensure that the data concerned are used solely for these specific purposes.

56 conditions Article Personal data shall only be processed where, given the purposes for which they are collected or subsequently processed, they are adequate, relevant and not excessive. 2. The responsible party shall take the necessary steps to ensure that personal data, given the purposes for which they are collected or subsequently processed, are correct and accurate.

57 general conditions

58 define research purpose adhere to this purpose general provide safeguards anonymise/pseudonymise as soon as possible delete original data keep data under control never process on an individual level never disclose data pointing to individuals never share (raw) data with 3rd parties without SURFnet approval security, security, security responsibilities: researcher -> SURFnet -> CBP

59 specific processor responsibilities: researcher -> SURFnet -> CBP do as told by SURFnet/agreed with SURFnet academic research responsibilities: researcher -> CBP do not process leading to individual effects

60 privacy by design art, not science

61 when does research pose privacy threats?

62 art. 8 legitimate ground f. the processing is necessary for upholding the legitimate interests of the responsible party or of a third party to whom the data are supplied, except where the interests or fundamental rights and freedoms of the data subject, in particular the right to protection of individual privacy, prevail.

63 legal -> privacy <- ethics

64 Ann Cavoukian proactive not reactive; preventative not remedial privacy as the default setting privacy embedded into design full functionality positive sum, not zero-sum end-to-end security full lifecycle protection visbility and transparency keep it open respect for user privacy keep it user-centric

65 Jaap- Henk Hoepman h-p://arxiv.org/pdf/ v1.pdf

66 Privacy Impact Assessment Data Protection Impact Assessment

67 purposes raising awareness/sensitizing getting clear what you re doing establishing risks mitigating risks (account for compliance)

68 DPIA proposal DPIA at least includes a list of the recipients or categories of recipients of the personal data; a list of the intended transfers of data to a third country an assessment of the context of the data processing a general indication of the time limits for erasure of the different categories of data; a systematic description of the envisaged processing operations, the purposes of the processing and, if applicable, the legitimate interests pursued by the controller, an assessment of the necessity and proportionality of the processing operations in relation to the purposes

69 DPIA at least includes DPIA proposal (cont.) an assessment of the risks to the rights and freedoms of data subjects, a description of the measures envisaged to address the risks and minimise the volume of personal data which is processed a list of safeguards, security measures and mechanisms to ensure the protection of personal data, such as pseudonymisation an explanation which data protection by design and default practices have been implemented

70 disclaimer, for what it s worth Texts, marks, logos, names, graphics, images, photographs, illustrations, artwork, audio clips, video clips, and software copyrighted by their respective owners are used on these slides for non-commercial, educational and personal purposes only. Use of any copyrighted material is not authorized without the written consent of the copyright holder. Every effort has been made to respect the copyrights of other parties. If you believe that your copyright has been misused, please direct your correspondence to: r.e.leenes@tilburguniversity.edu stating your position and I shall endeavour to correct any misuse as early as possible. thanks to Kieran O Hara for providing this template