Global Data Law2 - intlprivacysecurityforum.com · 2.3 Protection by constitutional, copyright, competition,civil,criminal law 2.4 Data Ownership? ... dataprotection law the only

Privacy and Data Protectionas Part ofGlobal Data Law

International Privacy + Security ForumFebruary 26-27, 2018

Dr. Winfried Veil

1. What are Data Law and Data Policy?

2. German and EU Regulatory Approaches2.1 Data Protection2.2 Electronic Communication2.3 Protection by constitutional, copyright, competition, civil, criminal law2.4 Data Ownership?2.5 Data as Remuneration?2.6 European Data Economy2.7 Free Flow of Data2.8 Open Data2.9 Once Only Principle

3. Towards a Global Data Law?3.1 Regulation vs. Technology3.2 What are the possible measures of regulation?3.3 Are we aware of potential aims of regulation?3.4 What are the key features a regulation has to take into account?3.5 Are there global data law principles?


Absender | Titel


20.02.20184

Data is (you all know the metaphors) …

● the lifeblood of the information economy● a basic currency● a key asset● a central organising principle ● critical enabler for business competitiveness in today’s world● new production factor● raw material● the new oil● the gold of the 21st century● the new bacon

➤ ✷HOT✷

Absender | Titel


20.02.20185

What is lawyers‘ and politicians‘ answer to this knowledge?

They try to regulate!

Absender | Titel


20.02.20186

Surprisingly, there are no sophisticated definitions so far:

● German Data Protection Act:personal data = any information concerning the personal or material circumstancesof an identified or identifiable individual

● General Data Protection Regulation:personal data = any information relating to an identified or identifiable natural person

● e-Privacy Regulation:electronic communications data = electronic communications content and electronic communications metadata

● Personally Identifiable Information:information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in contexts

Absender | Titel


20.02.20187

Current legal status of data (Germany/EU):

● no rules regulating ownership of data● no property right in data● not protected by intellectual property rights● factual possession of data decisive● data protection law the only law regime regulating the use of data● data protection as organising principle of the economics of the internet● regulating data has strong impact on the value of data● numerous initiatives and ideas aiming at defining or re-defining rules

regarding access to data, use of data, trade in data and rights to data

Absender | Titel


20.02.20188

Nature of Data

● incorporeal● not consumable● freely replicable● usable by many persons at the same time (non-rival good)● information content of data is dependent on context● economic value of the data is dependent on context● abstract and general rules that treat all data-related issues equally?● data protection is based on the context "personal reference" or

"identifiability"

Absender | Titel


20.02.20189

And here iswhat is discussed right now

with regard to regulating datain Germany/EU

➤

10

Data

Data Protection

Free Flowof Data

Data as Intellectual

Property

Data Ownership

Data as Remuneration

Open DataOnce OnlyPrinciple

2. German and EURegulatory Approaches

2.1 Data Protection

Absender | Titel

2.1 Data Protection

20.02.201812

Regulatory GDPR Paradigms I

The whole exercise is a constitutional matter:● Constitutional right to respect for private and family life● Constitutional right to data protection [relation between both rights disputed]● Constitutional right to informational self-determination (safeguarding

individual‘s decisional authority and „a free democratic community based on itscitizens’ capacity to act and participate“) [German speciality]

● Constitutional right of trust and integrity in information systems [German speciality]

● Constitutional rights not only constraining the government („government-on-private“), but also horizontal effects („private-on-private“) [details disputed]

● Processing personal data is fully rights-based: controllers need a legal basis foreach processing („Verbot mit Erlaubnisvorbehalt“ = precautionary principle)

Absender | Titel

2.1 Data Protection

20.02.201813

Regulatory GPDR Paradigms II

● omnibus statutory law plus further specification through targeted law (with no arearemaining unregulated)

● strongly top-down approach seeking to impose regulation● legal grounds have become stricter in many respects● prohibiting certain types of processing:

- restricting consent and contract (by removing certain powers from data)- restricting processing sensitive data- restricting automated decision-making- restricting transferability and further processing

● proportionality requirement: the benefit must be achieved at the least constitutionalcosts (least-means test)

● still containing principles of “purpose limitation” and „data minimisation“

Absender | Titel

2.1 Data Protection

20.02.201814

Regulatory GPDR Paradigms III

● broadening and strengthening information and consent rights● only few ex-ante consultation and authorisation requirements● checklist approach● prescriptive documentation requirements● requirement of “data protection by design and by default” ● guaranteed remedies for privacy harms

And on top of that the US extras:

● data breach notification● higher penalties● accountability” obligation

Absender | Titel

2.1 Data Protection

20.02.201815

Criticism to GDPR Paradigms

● practically all data are personal data● overburdening the data subject with consent requests (information overflow) <> choice

must be kept limited to maintain significance

● one size fits all does not work (big players profit)

● threat to other fundamental rights (esp. freedom of expression)

● data protection paradox: new risks because of documentation obligations

● no solutions for big data, IoT, complex networks, blockchain, social networks, internet

● incentive to require registration and log in <> anonymity

● overburdening the controllers with documentation (bureaucracy costs)

● negative impacts on useful activities and benefits for common good● economic interests in information not important

● EU data protection is a form of trade protectionism● result of misguided jealousy toward successful US Internet companies

Absender | Titel

2.1 Data Protection

20.02.201816

GDPR: NOTHING IS FIX - well, not exactly nothing, but…

● GDPR is less specific than current data protectioin law > legal uncertainty● GDPR in itself does not answer basic questions: accountability? publicly available

data? which rights are protected? online processing?● many open clauses that are open to interpretation > legal uncertainty● different data protection cultures in EU (even in basic questions) > multilingualism● harmonisation, but lots of opening clauses for MS > new fragmentation● long time until ECJ will answer open questions > legal uncertainty● many actors influencing interpretation: DPAs, DPOs, academia, MS, lawyers,

consultant, NGOs, civil society, European Commission, …● emerging new regulatory approaches and ideas

► privacy law is not the product of logic nor is it the result of the law of nature; thus, asattitudes towards privacy change, interpretation of law might change as well

2. German and EU Regulatory Approaches

2.2 Electronic Communication

Absender | Titel

2.2 Electronic Communications

20.02.201818

Proposal for a Regulation on Privacy and Electronic Communications

● Replacing current Directive● Safeguarding the right to respect for private life and communications AND the

protection of natural persons with regard to processing of personal data● Regulating electronic communications services AND over-the-top services (mail

and messenger services, VoIP, communication apps)● Regulating electronic communications content AND metadata● Regulating end-user‘s terminal equipment AND cookies and tracking● Scope is unclear: only data “in transmission“ or whole lifecycle of communication

data?● Emphasis on consent > advertising based internet is at stake● Especially relation to GDPR is very unclear

➤ A new monster on top of GDPR?


2.3 Protection by constitutional law, copyright law, competition law, civil law, criminal law

Absender | Titel

2.3 Protection by constitutional copyright, competition, civil and criminal law

20.02.201820

● Constitutional protection○ Property guarantee: - ownership of the physical disk

- Business and trade secrets○ Right to informational self-determination○ Right to guarantee the confidentiality and integrity of information

technology systems○ Telecommunications secrecy

● Civil law protection:○ No protection under property rights law○ Only the ownership of the data medium is protected○ Some see data as substantive or legal fruits of a thing○ Some see data as use advantage of a thing

Absender | Titel


20.02.201821

● Copyright protection of databases● Competition law protection of trade secrets● Criminal law protection

○ violation of private life and secrecy, e.g. - data espionage and phishing- handling stolen data

○ forgery, e.g. - forgery of evidence-relevant data- deception in legal transactions in data collection

○ damage to property: - data corruption● Data protection law: processing prohibitions and authorizations

➤ Currently, neither property rights nor quasi-property rights to data➤ For the rest: contract law!

Absender | Titel


20.02.201822

Current law partly protects ...

● the personal spiritual creation● the non-creative personal achievement● the creative selection and arrangement of data● the secrecy of the data● the de-facto confidentiality


● against betrayal, industrial espionage, stolen goods● against duplication, distribution, publication of data● against compromising the integrity of data● against data usage by third parties

Absender | Titel


20.02.201823


● the „skribent" (who has saved or created data himself)● the author of a work (who has provided the creative work)● the manufacturer of a database (who bears the investment risk)● the company (who has factual knowledge of the know-how and the will to

secrecy based on economic interests)● the data subject (who is identifiable by the data)● the owner (of the disk or volume)


2.4 Data Ownership?

Absender | Titel

2.4 Data Ownership?

20.02.201825

Vivid discussion especially in Germany

● Analogy to the ownership of things:○ Some argue that an analogy to the right of things has to be done○ Assignment by the "skripturakt" (i.e. the technical production of the data)

● Analogy to the Rights of use according to copyright model:○ Personal data as intellectual property○ Similar to the name right and the right of one's own image which might in some

cases be used as assets, be commercialized and are inheritable○ Opening a market for data trading○ Grant of rights of use with real effect through license agreements○ Contract management by data trustee

● Data as remuneration

Absender | Titel

2.4 Data Ownership?

20.02.201826

Ownership of personal data?

● Overregulation● Exploitation of property rights demands a homo oeconomicus● No solution for "multi data subject" issues (e.g., group photos)● Any use by third parties or the state would be an expropriation requiring dispensation >

danger to public interest● Incentive for data disclosure > "sale of privacy"● Only the rich can afford privacy > "prosperity bias"● Risk of strengthening already powerful market players● Restriction of the fundamental rights of other parties (eg freedom of expression,

information, science, art)● Danger to economic/social order based on freedom & competition● Rights to privacy and informational self-determination

○ are not boundless but contextual,○ are limited by the common good,○ find their limit where third-party rights begin.

Absender | Titel

2.4 Data Ownership?

20.02.201827

Ownership of non-personal data?

● Additional incentives for data generation required?

● Existence of a market failure? Trading of virtually exclusive access rights also takes place without data ownership

● Benefits can be assigned according to interests through contractual solutions

● Risk of monopolizing data access and the emergence of data silos

● Risk of overregulation

● High transaction costs and time-consuming contract management

● Risk of lengthy legal disputes

Absender | Titel

2.4 Data Ownership?

20.02.201828

Federal Constitutional Court (Census Judgement):“The guarantee of this right to 'informational self-determination‘ is not entirely unrestricted. Individuals have no right in the sense of absolute, unrestricted control over their data; they are after all human persons who develop within the social communityand are dependent upon communication. Information, even if related to individual persons, represents a reflection of societal reality that cannot be exclusively assigned solely to the parties affected. The Basic Law […] embodies in negotiating the tension between the individual and the Community a decision in favour of civic participation and civic responsibility. Individuals must therefore in principle accept restrictions on their right to informational self-determination in the overriding general public interest.”

European Court of Justice:“The right to the protection of personal data is not, however, an absolute right, but must be considered in relation to its function in society.”


2.5 Data as Remuneration?

Absender | Titel


20.02.201830

Proposal for a directive concerning contracts for supply of digital content

● COM proposal dealing with consumer rights in digital content contracts, in particular:○ right to supplementary performance○ right to security updates○ termination right○ consideration in the form of personal or other data

● Art. 3 (1): “This Directive shall apply to any contract where the supplier supplies digital content to the consumer […] and, in exchange, a price is to be paid or the consumer actively provides counter-performance other than money in the form of personal data or any other data.”

● Art. 3 (4): “This Directive shall not apply to digital content provided against counter-performance other than money to the extent the supplier requests the consumer to provide personal data the processing of which is strictly necessary for the performance of the contract or for meeting legal requirements […].”

Absender | Titel


20.02.201831

(Potential) scope of application:

● download of music, movies, photos, games, software● access to information (news, search engine, etc)● streaming music, movies, porn, etc.● price comparison sites● dissemination of music, movies on CDs and DVDs● use of services on platforms (Uber, AirBnB)● email services● provision of storage space by cloud providers (dropbox)● software licenses● social media channels (Youtube, forums, chat portals, etc)● facebook● location-based services (Yelp, Foursquare, Tripadvisor)

Absender | Titel


20.02.201832

Legal issues

● Once „data as remuneration“ is acknowledged by law, data ownership might not be far away.

● If the the consumer is not obliged to provide personal data: is it a contract?● What is the consideration? Provision of data by the consumer or he/she

consenting to be shown personalised advertising?● What is the provider‘s performance? Improvement of service or security?

Personalised Services? Advertising?● “Koppelungsverbot” = prohibition to couple service offer with consent● Is withdrawal of consent a malfunction of the contract?● The aim of data protection to set incentives for data minimisation is thwarted● Is there "other data" than personal data?● Can a fundamental right be the subject of a commercial transaction?


2.6 European Data Economy

Absender | Titel

2.6 European Data Economy

20.02.201834

● part of EU’s Digital Single Market Strategy

● aims at fostering the best possible use of the potential of digital data to

benefit the economy and society

● addresses the barriers that impede the free flow of data across borders,

sectors and disciplines

● draft regulation on free flow of non-personal data (in negotiation)

● initiative on accessibility and re-use of public and publicly funded data

(foreseen for spring 2018)

● liability

● portability

● interoperability

● standardisation


2.7 Free Flow of Data

Absender | Titel

2.7 Free Flow of Data (FFOD)

20.02.201836

Proposal for a Regulation on a framework for free flow of non-personal data in the EU

● Prohibition of national data localisation requirements with regard to non-personal data, insofar as they relate to storage or other data processing that is(a) provided as a service to users residing or having an establishment in the EU,

regardless of whether the provider is established or not in EU or(b) carried out by a natural or legal person residing or having an establishment in the

Union for its own needs● Data Localization Requirement = any requirement that is contained in the laws or

regulations of the MS and that makes it mandatory that the place of data storage or other data processing is located in the territory of a particular Member State

● FFOD is NOT counterbalancing data protection; the principle is only applicable if all data protection requirements are fulfilled

● FFOD is directed against Member States’ provisions● FFOD is a hot topic in free trade agreements as well


2.8 Open Data

Absender | Titel

2.8 Open Data

20.02.201838

● Open Data = a resource that generates added value, esp. through widespread use● Open Data may be used, re-used, and distributed by anyone without restriction of

access, if there are no opposing rights of third parties● German Open Data Act concerns federal administration authorities‘ data● Open Government/Administration: offering impulses to participate in political-

administrative decision-making processes and for new business models● Open by Default● Provision has to be free of charge and has to be done in an unprocessed, machine-

readable format● Discoverability requires publishing of metadata● Legal obligation to provide, but no subjective right● Numerous exceptions● Publishing should be considered early on when implementing electronic

administrative processes ("open-by-design")


2.9 Once Only Principle

Absender | Titel

2.9 Once Only Principle

20.02.201840

● Idea: citizens should for the purpose of administrative services provide data to

the State only once in their lifetime

● Administrative authorities are obliged to use and exchange those data they have

in order to deliver their services without having to collect citizen‘s data again

● Advantages: time-efficient for citizens, saving bureaucracy costs for the state

● Technically challenging: data silos, interoperability issues, data security, …

● Competence conflicts especially in federal states

● Potential conflict with data protection principles: purpose limitation, data

minimisation, data retention, …

● Large projects on national and EU level: „Bürgerportal“ (= Citizens Portal) in

Germany, Single Digital Gateway within the EU, X-Road in Estonia, …

3. Towards a Global Data Law?


3.1 Regulation vs. Technology

Absender | Titel


20.02.201843

1. Regulation vs. Technology?Technology’s transformative power lies in the way it changes economic trade-offs which influence, often without our awareness, the many small and large decisions.● “Like a force of nature, the digital age cannot be denied or stopped.”

(Nicholas Negroponte, Being Digital, 1995)● „We shape our tools and thereafter they shape us.“

(John Culkin, 1967)● „Technology shapes economics and economics shapes society.“

(Nicolas Carr, The Big Switch, 2013)● “Regulators having to regulate emerging technologies face a double-bind problem: the effects of

new technology cannot be easily predicted until the technology is extensively deployed. Yet once deployed they become entrenched and are then difficult to change.”(David Collingridge, The Social Control of Technology, 1980)

● The regulator’s enemies: efficiency, convenience, speed of technological development● Flexibility, decentralisation, openness and internationalism regulation


3.2 What are the possible measures of regulation?

Absender | Titel


20.02.201845

What are the possible measures of regulation?

● Rely on market mechanisms to check inappropriate processing activities ◄►governments’ duty to protect its citizens

● Leave it to technology (solution of IT is in the IT)● Prohibition: precautionary principle● Fines, Control and Supervision● Promote self-regulation● Oblige controllers to technical and organisational measures● Transparency requirements for choices made and meaningful access● Leave it to the courts● Practical reality is more complex than legal theory: is the checklist approach that

underlies the GDPR effective?


3.3 Are we aware of potential aims of regulation?

Absender | Titel


20.02.201847

Are we aware of the potential aims of regulation?

○ Protect human dignity and liberty or protect data as such?○ Protect the right to respect for his or her private and family life, home and communications○ Protect the right to informational self-determination○ Provide for data quality/accuracy○ Provide for non-discrimination and mon-stigmatization○ Fight power of US companies and fight trade barriers○ Prevent conformist behavioral adjustment against surveillance ○ Prevent crimes like identity theft, fraud, cyber attacks○ Prevent disappointment of individual‘s reasonable expectations○ Prevent reputational damage○ Secure contextual integrity○ Produce consumer trust ○ Fight informational power asymmetry○ Promote added value and common good of data usage○ …

➤ Concentrate on these aims instead of trying to „regulate data“?


3.4 What are the key features a regulation hasto take into accout?

Absender | Titel


20.02.201849

To be discussed: What are the key features a regulation has to take into accout?

Key features of digital data processing must be taken into account. Thus, dataregulation…

● should neither be based on a single piece of data nor treat data as objects● should clarify responsibilities in complex networks of stakeholders (e.g. the Internet

of Things, cloud computing, blockchain)● must consider that data are no longer saved in centralized systems● must consider that data often come from heterogeneous sources and vary in quality● must consider the pace of data processing (e.g. in real time)● must consider that the purpose of data processing is not always clear from the very

beginning● must be internationally agreeable● must be enforceabe


3.5 Are there Global Data Law Principles?

Absender | Titel


20.02.201851

To be discussed: Global Data Protection Principles (more from an EU point of view) I

● Responsibility: The controller shall be responsible for purposes and means of of processing personal data

● Risk-based approach: The controller shall take into account the risks for data subject’s privacy (and other rights and freedoms?)

● Purpose limitation: Processing only for specified, explicit, and legitimate purposes● Further Processing: Compatibility check or balancing test● Context: Processing of personal data shall take into account the context of collection and data

subject’s expectations● Balancing of interests: Controller shall find an adequate balance between his and the data

subject’s interests● Consent: Where appropriate, information and consent are necessary● Pseudonymization: Where appropriate, the means of pseudonymization and anonymization

shall be used● TOM: Controller shall use technical and organizational measures to ensure compliance with data

protection principles

Absender | Titel


20.02.201852

To be discussed: Global Data Protection Principles (more from an EU point of view) II

● Security: Controller shall use measures against loss or unauthorized access, destruction, use, modification, disclosure of data or other misuses

● Data subject’s rights: Data subjects have a right to information, correction, erasuse, object, unless public interest, controller’s rights or third person’s rights override data subject’s rights

● Privacy by design and by default● Compensation: Any person who has suffered material or immaterial damage as a

result of a processing operation should have the right to receive compensation from the controller

● Supervisory Authority: The controller is subject to the supervision of the competent supervisory authority

● Certification: The controller can demonstrate his compliance with the principles by providing approved certification

● Judicial Remedy: Without prejudice to any available administrative or non-judicial remedy, data subjects have the right to an effective judicial remedy

Absender | Titel


20.02.201853

To be discussed: More general global data law principles

● Concentrate more on the protection aims and less on data.● 4 basic rules: data security, right to information, right to correct, right to object● Define legitimate data uses that are allowed and make special rules for high risk data

processing● Extend the “legitimate interest ground” to the processing of all categories of data and

further to all phases of the life-cycle of data● Accountability for the whole life cycle of data● Technology Impact Assessments rather than a Data Protection Impact Assessment● Common sense rule - deriving from German Road Traffic Act (exchanging „road traffic“ by

„data traffic“ ):(1) Participation in data traffic demands permanent attention and respect for others.(2) Each participant has to behave in a way that no other is harmed, endangered or, more

than according to the circumstances inevitable, restrained or harrassed.

Documents

Global Data Law2 - intlprivacysecurityforum.com · 2.3 Protection by constitutional, copyright, competition,civil,criminal law 2.4 Data Ownership? ... dataprotection law the only