Tag Archives: opt-out principle

TOP5 remarks on Data Privacy by Leading EU Academics

According to leading EU Academics, proposed new EU regulation is boosting privacy industry with its start-ups that are creating out-of-the-box privacy tools, software companies that are creating anonymization, pseudonomizetion and encrypting tools and new market need for security and privacy experts and consultancies. And this is why…

Image courtesy of Feelart / FreeDigitalPhotos.net
Image courtesy of Feelart / FreeDigitalPhotos.net

More than 100 leading senior academics from across Europe, from disciplines such as Computer Science, Law, Economics and Business Administration signed a position regarding proposed European Data Protection Regulation.

Economic, administrative and social processes in Europe are starting to be influenced by invisible net of newly created value as a result of automatic processing of personal data. This is not something that is happening in EU but throughout the world.

Users are paying for nominally free cloud services by providing personal data.

Like checks, shares, bounds, bitcoins, euros or dollars so are personal data becoming generally accepted as payment for goods and services although they are lacking some of characteristics of money.

They are becoming valuable not only for marketing purposes but also for optimization of development, production and distribution of products and services. Further on for enhancing sales and search for better employees and many more things. All of that is packed in virtual databases that are like wallets of our personal identities.

Leading EU Academics stand for more robust data protection laws and are  pointing to arguments that are created by lobbyist aimed to weaken data protection in Europe. They stand for…

1. Innovation and competition are not threatened

Regulation of data protection will impact innovation and competition in positive way, not negatively as some may suggest. They say that for example regulation has promoted innovation in the areas of road safety, environmental protection, and energy.

For data protection, we already see start-ups throughout Europe that offer European citizens solutions to protect their personal data “out-of-the-box”.

Security and privacy experts are selling consulting services to companies to help them manage their IT infrastructures more securely.

For many important business processes, it is not data protection regulation that prevents companies from adopting cloud computing services; rather it is uncertainty over data protection itself.

2. On informed consent

For the last 18 years usage of personal data in the European Union has relied on the principle of informed consent and that is a practices that needs to continue.

It is true that formulating data protection terms for some is viewed as a costly exercise but it protects consumers from blindly consenting to whatever does cloud provider wants to offer, as is experienced today in the USA (opt-out principle).

But EU practice boost new business. European companies are producing technical tools that will help users manage their privacy decisions automatically or with very little effort. Furthermore, technologies are being developed that interpret privacy terms for users and summarize the terms to facilitate decision-making.

3. On ‘legitimate interest’

By proposed EU data protection regulation companies are required not only to claim a legitimate interest, but also justify it. Moreover, the draft report of the European Parliament’s rapporteur now outlines legitimate interests of citizens and it determines where the interests of citizens outweigh company interests and vice-versa.

Citizens have a legitimate interest that profiles are not created about them without their knowledge and that their data is not shared with a myriad of third parties that they do not know about.

4. When to apply the regulation? When is data ”personal“?

Although some internet companies are claiming that they are collecting a lot of user data only for statistical purposes and therefore are not engaging in any re-identification practices, realty is that can be very lucrative. And technically, re-identification is possible even with dynamic identifiers.

That’s way anonymized, pseudonomized and encrypted data are still sort of personal data. They are just processed by useful instruments for technical data protection but are not tools for permanent anonymization.

Encryption helps to keep data confidential. Pseudonyms restrict knowledge about individuals and their sensitive data like concealing of the relation between the medical data of a patient. Anonymization goes even further but complete anonymization takes all the value from the personal data and it is a big question is it ever really done.

5. Who should determine data protection requirements?

Leading EU Academics are against the plan that the European Commission establish itself as the institution that would later define details about data privacy rules through ‘delegated’ and ‘implementing’ acts.

They think that only details that are less critical from the perspective of politics and fundamental rights may be left to the Commission’s discretion. Everything else is above EC position according to European constitutional requirements and should be a responsibility of the European legislative bodies to make such decisions by themselves.