Part 2: Opt-out, transparency, shared responsibility
European Parliament Committee on Civil Liberties, Justice and Home Affairs General Data Protection Regulation — an analysis[1]
1. Jurisdiction: The European Union attempts to retain jurisdiction over the personal information of European Union citizens. The data resides on Google servers in the U.S. The U.S. government demands access under the Patriot Act or other security-related statute. Does Google recognize the European Union's jurisdiction and request permission from the national data protection authority before releasing the information to the U.S. government?
Amendment 54:
- "[P]rovide data subjects with a legally binding guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred [including] financial indemnification in cases of loss or unauthorised access or processing of the data and an obligation, regardless of national legislation, to provide full details of all access to the data by public authorities in the third country."
Where does personal data reside once it has been collected? When is the data no longer personally identifiable? How far do the European Union's rights and protections extend? What are the rights and protections once the data has been aggregated? Do the rights and protections persist after the data has been used or sold in anonymized and non-anonymized form?
2. Erasure: Once personal data has been collected, processed, stored, and shared, it becomes difficult and perhaps impossible to "erase." It might be more accurate to request that the data be locked and the only key given to the owner. Maintenance and security of the data would be the shared responsibility of the owner and the original collector. Companies would be prevented from reusing data once it is locked, and theoretically they would be blocked from granting the government or any other party access to the information because they would not have the key.
3. Consent: Consent requires "any freely given, specific, informed and explicit indication of his/her wishes, either by a statement or by a clear affirmative action." Clicking "I agree" to a company's terms of service is freely given, specific, and explicit, but it isn't necessarily "informed."
If the industry adopted an after-the-fact approach to consent, companies would be required to send to their customers on a regular basis a copy of all the personal information they have collected, the parties they have shared the information with, and other ways they have used the information. Customers would have the option to cease collection and lock the data that has already been collected. This after-the-fact consent is more informed and is also on-going: on a regular basis, customers receive a personal-information report and the option to cease collection and lock the data that has already been collected. It is also an admission that there can be no real informed consent until you know more precisely what personal information is being collected, who it is being shared with, and how it is being used.
Article 5, paragraph 4a:
- "Consent loses its effectiveness as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were collected."
4. Profiling: When personal data is collected, the presumption is that the data will be used to create an "anonymized" profile that itself will be used to predict the person's behavior. More troubling is the sale of personally identifiable information to private people directories and other data brokers. People directories and other companies that sell personally identifiable information have to identify the source of the information, allow the information to be locked, and make it possible for the information to be corrected or otherwise amended by the owner. Maintenance and security of the information would be the shared responsibility of the information collector/reuser (service) and the information supplier (consumer).
5. Enforcement: Who pays for enforcement? What is a "data protection authority" and what are its powers? Are there alternative methods for ensuring compliance? Who pays to secure and authenticate the information?
In a transparent information marketplace, we know what personal data we are sharing, who we are sharing it with, and how the information is being used. We can bargain away a lot of our personal information, a little bit of it, or none at all. We can opt out of personal-data collection and use beyond any that is required to complete the transaction. At any time we can lock our information, revoking access and the right to use it prospectively.
Enforcement would be through existing contract and data-breach statutes. The contracts may specify grievance procedures or require arbitration.
6. Consideration: In exchange for collection and use of personal information, customers can expect some benefit. If customers refuse to allow their personal information to be collected, they surrender that benefit. The European Parliament's proposal states there is no consent "where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment." In a personal-data contract, if an individual doesn't accept the offer for any reason, the individual has no right to expect anything.
7. Consumer control: Consumers "exert... control over the personal data that are being processed [and are] granted clear and unambiguous rights to the provision of transparent, clear and easily understandable information regarding... personal data, the right of access, rectification and erasure of their personal data, the right to data portability and the right to object to profiling." This goal may be met by requiring a regular report from the company to its customers listing the data collected and how the data is being used. Opt-out is prospective: you can lock rather than erase old data.
Article 11, paragraph 2b, calls for use of an "icon-based mode of description... concerning the nature of the processing, duration of storage, transfer or erasure of data by establishing icons or other instruments in order to provide information in a standardised way." Interface decisions should be left to the designers. Icons representing abstract concepts such as processing types and storage duration may be more confusing than informative. A regular personal-data-use report sent by data collectors to data subjects may be a more effective way to inform customers about how their personal data is being used.
8. Portability: There is no such thing as "erasing" or "forgetting" online data. Online is forever. It is almost impossible to retract data. Instead, customers should be allowed to lock their data to express an intent that the data no longer be used or accessed. This also addresses personal-data portability by requiring that all your personal information — your complete profile — be exportable in a standard file format.
9. Public good: The anonymized data may be used for "historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them."
The accuracy of personal data used in the public interest may be enhanced by allowing the subjects to correct and otherwise amend the information. Public-interest use of personal information also improves transparency by notifying individuals of how their anonymized data is being used to everyone's benefit.
10. Privacy by default: Initiating services at the most-secure level may discourage new customers and increase the training and user maintenance required to operate the services. New users of a software program or Web service are often given the option of a typical installation or a custom installation. Similarly, new users could be presented with options such as "share the minimum," "share a little," and "share a lot." The value of the products and services they receive in return would reflect the value of the personal information customers provide about themselves.
11. Prohibitions: Third countries or territories/organizations within third countries may fail to offer an "adequate level of data protection [therefore] the transfer of personal data to that third country should be prohibited." Enforcing such prohibitions could be expensive. Are there less-expensive alternatives? Perhaps it would be more effective to apply economic pressures on such entities, their allies, or their customers.
Article 9, paragraph 1:
- "The processing of personal data, revealing race or ethnic origin, political opinions, religion or philosophical beliefs, sexual orientation or gender identity, trade-union membership and activities, and the processing of genetic data or data concerning health or sex life or criminal convictions, or related security measures shall be prohibited."
This prohibition would be nearly impossible to enforce. It raises First Amendment Free Speech questions. Perhaps only the unauthorized disclosure or use of such personal data rather than the "processing" of such data should be prohibited.
12. Personal-data contract: Contract law would apply to protect the rights and interests and enforce the promises and duties of parties. Personal information is offered in exchange for consideration in the form of a useful service, such as search, email, or social networking. The following two paragraphs represent the interests of the two contracting parties.
Article 5, paragraph 1b:
"The legitimate interests of the controller [data collector] override the interests or fundamental rights and freedoms of the data subject, as a rule, if:
- (a) processing of personal data takes place as part of the exercise of the right to freedom of expression, the media and the arts, within the limits of Union or national law;
- (b) processing of personal data is necessary for the enforcement of the legal claims of the data controller or of third parties on behalf of whom the data controller is acting in relation to a specific identified data subject, or for preventing or limiting damage by the data subject to the controller;
- (c) the data subject has provided personal data to the data controller on the legal ground referred to in point (b) of paragraph 1 [collected for a limited purpose], and the personal data are used for direct marketing for its own and similar products and services and are not transferred, and the data controller is clearly identified to the data subject [existing business relationship];
- (d) processing of personal data takes place in the context of professional business-to-business relationships and the data were collected from the data subject for that purpose;
- (e) processing of personal data is necessary for registered non-profit associations, foundations and charities, recognised as acting in the public interest under Union or national law, for the sole purpose of collecting donations."
Article 5, paragraph 1c:
"The interests or fundamental rights and freedoms of the data subject... override the legitimate interest of the controller, as a rule, if:
- (a) the processing causes a serious risk of damage to the data subject;
- (b) special categories of data as referred to in [Article 9, paragraph 1, supra], location data, or biometric data are processed;
- (c) the data subject can reasonably expect, on the basis of the context of the processing, that his or her personal data will only be processed for a specific purpose or treated confidentially, unless the data subject concerned has been informed specifically and separately about the use of his or her personal data for purposes other than the performance of the service;
- (d) personal data are processed in the context of profiling;
- (e) personal data is made accessible for a large number of persons or large amounts of personal data about the data subject are processed or combined with other data;
- (f) the processing of personal data may adversely affect the data subject, in particular because it can lead to defamation or discrimination; or
- (g) the data subject is a child."
Article 12 states that "[w]here requests [from customers for information] are manifestly excessive, in particular because of their repetitive character, the controller may charge a reasonable fee for providing the information or taking the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request."
Article 15, paragraph 1:
"The data subject shall have the right to obtain from the controller at any time, on request, in clear and plain language, confirmation as to whether or not personal data relating to the data subject are being processed, and as to the existence of profiling and measures based on profiling in respect of the data subject the controller shall provide the following information:
- (c) the recipients to whom the personal data are to be or have been disclosed, including to recipients in third countries;
- (h) the envisaged consequences of profiling and of measures based on profiling;
- (ha) intelligible information about the logic involved in any automated processing;
- (hb) in the event of disclosure of personal data to a public authority as a result of a public authority request, confirmation of the fact that such a request has been made, information about whether or not the request has been fully or partly complied with and an overview of the data that were requested or disclosed."
Article 15, paragraph 2a:
- [transportability] "Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data, where technically feasible and appropriate, and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn."
13. Exemptions: "[R]econcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information... in particular to processing of personal data in the audiovisual field and in news archives and press libraries."
Article 10:
- "If the data processed by a controller do not permit the controller to identify or single out a natural person, or consist only of data relating to pseudonyms, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation."
14. Personhood: A data subject is "an identified natural person or a natural person who can be identified or singled out, directly or indirectly, alone or in combination with associated data, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to a unique identifier, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, social or gender identity or sexual orientation of that person."
1) An individual as defined by law[2]; 2) the data being collected pertains to the individual; 3) the individual is able to enter into a legally binding contract.
"'[P]seudonym' means a unique identifier which is specific to one given context and which does not permit the direct identification of a natural person, but allows the singling out of a data subject."
"'[T]ransfer' means any communication of personal data, actively made available to a limited number of identified parties, with the knowledge or intention of the sender to give the recipient access to the personal data."
[1] European Parliament, Committee on Civil Liberties, Justice, and Home Affairs, General Data Protection Regulation working documents, draft reports, and amendments.
[2] Black's Law Dictionary: As a noun, this term denotes a single person as distinguished from a group or class, and also, very commonly, a private or natural person as distinguished from a partnership, corporation, or association; but it is said that this restrictive signification is not necessarily inherent in the word, and that it may, in proper cases, include artificial persons. See Bank of U. S. v. State, 12 Smedes & M. (Miss.) 400; State v. Bell Telephone Co., 30 Ohio St. 310, 38 Am. Rep. 583; Pennsylvania R. Co. v. Canal Com'rs, 21 Pa. 20. As an adjective, "individual" means pertaining or belonging to, or characteristic of, one single person, either in opposition to a firm, association, or corporation, or considered in his relation thereto.
Part 3: Establishing the personal-information contract
Copyright 2014-2015 by Dennis O'Reilly/Rag Hall -- All rights reserved.