American Library Association Topics in European Studies European Privacy Laws Tracy Mitrano Cornell University
History Matters! To understand European perspectives on privacy, theoretically or in practice, is to understand European twentieth-century history, the political climate in the aftermath of the Second World War and the reaction to the trauma of the Nazi era especially.
Universal Declaration of Human Rights, 1948, Preamble The first paragraph asserts that the recognition of human dignity of all people is the foundation of justice and peace in the world. The second paragraph observes that disregard and contempt for human rights have resulted in barbarous acts which have outraged the conscience of mankind, and names the four freedoms: of speech and belief, and from want and fear. The third paragraph establishes a rule of law as a counter to tyranny with its arbitrary, capricious and inhumane actions. The fourth paragraph promotes universal respect for and observance of human rights and fundamental freedoms.
Universal Declaration of Human Rights, 1948, Preamble The fifth paragraph links the Declaration back to the United Nations Charter which reaffirms faith in fundamental human rights and dignity and worth of the human person. The sixth paragraph notes that all members of the United Nations have pledged themselves to achieve, in cooperation with the United Nations, the promotion of universal respect for and observance of human rights and fundamental freedoms. The seventh paragraph observes a “common understanding” of rights and freedoms for the full realization of the document and its aspirations.
Concept of Privacy Explicitly Stated Article 12: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor or reputation. Everyone has the right to the protection of the law against such interference or attacks.
Data Protection Directive, 1995
Regulates the processing of personal data within the European Union
Obliges the signatories to enact legislation concerning the automatic processing of personal data
– "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;" (art. 2 a)
Fair Information Practices
Notice—data subjects should be given notice when their data is being collected;
Purpose—data should only be used for the purpose stated and not for any other purposes;
Consent—data should not be disclosed without the data subject’s consent;
Security—collected data should be kept secure from any potential abuses;
Disclosure—data subjects should be informed as to who is collecting their data;
Access—data subjects should be allowed to access their data and make corrections to any inaccurate data;
Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principles.
E-Privacy Directives, 2002 Updates the Data Protection Directive by bringing electronic data and flow of information through data networking under the Directive’s purpose and rules. Specifically recognizes the “right to privacy in the electronic communications sector” and free movement of data, communications and services. Applies to “legal persons” (i.e. corporations) and not just “individuals” as does the Data Protection Directive.
Main Provisions Providers of electronic communications services obliged to secure the communications and notify users of threats to that security, e.g. malware attacks. – No privacy without security. Providers of electronic communications obliged to provide confidentiality; specific provisions prohibit surveillance of electronic communications – subject to exceptions such as consent and law enforcement investigation of criminal activity through due process.
Fair Information Practices in Electronic Communications
Providers of communication services must:
– Erase or anonymize data when no longer needed;
– Retain records only for so long as needed, i.e. billing;
– Provide opt-out options for call identification and non-itemized billing;
– Give notice for processing personal data for business purposes;
– Prohibit use of electronic marketing, except for opt-in provisions (subject to some exceptions such as prior business relationship)
Consent and Cookies Member states must ensure that electronic communications networks that transmit or store information about a user have provided the user with “clear and comprehensive” information about the purpose of that transmission or storage and the opportunity to opt-out of that kind of usage of their information.
Specific Concerns Regarding That Provision No clarity on exactly how a member state would ensure such activity. No regulation as to what constitutes “clear and comprehensive” guidelines. No specifications on how frequently a user must be provided the guidance. No restrictions on the substance or procedure of the opt-out provisions.
Madrid Declaration, 2009 Global Privacy Standards Affirming that privacy is a fundamental human right set out in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and other human rights instruments and national constitutions; Reminding the EU member countries of their obligations to enforce the provisions of the 1995 Data Protection Directive and the 2002 Electronic Communications Directive; Reminding the other OECD member countries of their obligations to uphold the principles set out in the 1980 OECD Privacy Guidelines; Reminding all countries of their obligations to safeguard the civil rights of their citizens and residents under the provisions of their national constitutions and laws, as well as international human rights law;
Madrid Declaration, 2009 Anticipating the entry into force of provisions strengthening the Constitutional rights to privacy and data protection in the European Union; Warning that privacy law and privacy institutions have failed to take full account of new surveillance practices, including behavioral targeting, databases of DNA and other biometric identifiers, the fusion of data between the public and private sectors, and the particular risks to vulnerable groups, including children, migrants, and minorities; Warning that the failure to safeguard privacy jeopardizes associated freedoms, including freedom of expression, freedom of assembly, freedom of access to information, nondiscrimination, and ultimately the stability of constitutional democracies;
Civil Society takes the occasion of International Conference of Privacy and Data Protection to: (1) Reaffirm support for a global framework of Fair Information Practices that places obligations on those who collect and process personal information and gives rights to those whose personal information is collected; (2) Reaffirm support for independent data protection authorities that make determinations, in the context of a legal framework, transparently and without commercial advantage or political influence; (3) Reaffirm support for genuine Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information and for meaningful Privacy Impact Assessments that require compliance with privacy standards;
Civil Society takes the occasion of International Conference of Privacy and Data Protection to: (4) Urge countries that have not ratified Council of Europe Convention 108 together with the Protocol of 2001 to do so as expeditiously as possible; (5) Urge countries that have not yet established a comprehensive framework for privacy protection and an independent data protection authority to do so as expeditiously as possible; (6) Urge those countries that have established legal frameworks for privacy protection to ensure effective implementation and enforcement, and to cooperate at the international and regional level; (7) Urge countries to ensure that individuals are promptly notified when their personal information is improperly disclosed or used in a manner inconsistent with its collection;
Civil Society takes the occasion of International Conference of Privacy and Data Protection to: (8) Recommend comprehensive research into the adequacy of techniques that deidentify data to determine whether in practice such methods safeguard privacy and anonymity; (9) Call for a moratorium on the development or implementation of new systems of mass surveillance, including facial recognition, whole body imaging, biometric identifiers, and embedded RFID tags, subject to a full and transparent evaluation by independent authorities and democratic debate; and (10) Call for the establishment of a new international framework for privacy protection with the full participation of civil society, that is based on the rule of law, respect for fundamental human rights, and support for democratic institutions.
50,000 Feet Observations
Europe and the United States have different historical perspectives on the concept of “data”:
– Europe concerned about how data can be used against individuals or groups
– U.S. neither concerned about deleterious use of data nor deterred from prolific market influence
– Europe takes a comprehensive approach
– U.S. a patchwork, or “sectoral” approach
Borrowing from Lessig: Four Factors that Shape the Internet
Technology
– Taking the lead in disrupting laws, social norms and personal expectations while providing the market with greatly enhanced opportunities
Laws
– Thrown for a proverbial loop, greatly in need of harmonization globally (e.g. U.S. Patriot Act impact on ECPA)
Social Norms
– Also in profound flux, but generationally as well as cross-culturally
Market
– Taking full advantage of technology, will only respond if regulated or if users/consumers make it profitable
Conclusion Different cultural perspectives and strong market influences hamper the harmonization of laws regarding privacy globally. While an international framework would facilitate international commerce and communications, those factors dominate lawmakers currently to such a degree that, to effect change, advocates should educate and politicize users, emphasizing that which is at stake if we remain passive: fundamental human rights.