Presentation on theme: "Walter M. Tveter, USIT, University of Oslo Selected Legal Issues Related to Storage NORDUnet conference 2009."— Presentation transcript:
Walter M. Tveter, USIT, University of Oslo Selected Legal Issues Related to Storage NORDUnet conference 2009
Walter M. Tveter, USIT, University of Oslo General questions Who has the duty of care? Where are you storing it? Are there trans-border issues? Both the media storing the data, and the ability to extract the information later have to work for this to be meaningful
Walter M. Tveter, USIT, University of Oslo Duty of care Are you storing data or information? Who will be keeping the information readable, make format changes etc. Mechanisms for authenticity Compliance
Walter M. Tveter, USIT, University of Oslo Charlemagne I In the late 8 th century, most classical texts were disappearing The standard format was papyrus Papyrus is less than optimal in a European climate Charlemagne started to transfer classical pagan texts to parchment. Parchment lasts a long time. Charlemagne undertook a duty of care.
Walter M. Tveter, USIT, University of Oslo Personal Data In Europe, as defined by Directive 95/46/EC. –Definition of personal data given a wide scope –Precisely defines what is to be regarded as personal data –Definition of personal data given a wide scope –Consent used as a basis, not always applicable –Several necessity-based grounds for processing In the US, less centrally regulated, more sector-wide approaches Today's laws were conceived almost 20 years ago. They will change before another 20 years pass.
Walter M. Tveter, USIT, University of Oslo Trans-border personal-data transfer Transfer of data to a third country: If on the list of "adequate level of protection", its OK – the same as inside EU. If from the US, should be on the «Safe Harbour» list. If from another «third» country, this is problematic, again consent can be key, as well as situations where it is «necessary» - similarities to the grounds for processing.
Walter M. Tveter, USIT, University of Oslo Choice of law General rule (from the directive) is that one has to abide by the rules of the country where the controller is located, as well as the rules in the country of the controller (if from EU countries) has an established presence. If no EU controller exists, he/she has to have a representative in the country where the processing will take place.
Walter M. Tveter, USIT, University of Oslo Storage models You could choose not to know anything about the data you store. You have less responsibility but no ability to take protective measures. Encryption. You could know something, more precisely a description, metadata etc. about the data, but not have access (legally or technically) or any responsibility for the information as such You could know everything. You store the data, and you have the duty of care for the information stored. You also have knowledge of illegal content.
Walter M. Tveter, USIT, University of Oslo Storing personal data incl. sensitive data The controller bears the responsibility for the storage, if you provide a storage service, and you only act as a subcontractor to the controller (a data processor in the directive's terms). Even so, you do not want to be named an accomplice in event of the controller breaking the law. Making sure you have a written agreement where everything is lain out is neccessary.
Walter M. Tveter, USIT, University of Oslo Storing intellectual Property (IP) US regulations and international treaties more important then the law of individual nations. If you store data you have a responsibility unless an exception is provided by law. The clue is that law regulates the ability to produce copies, not the usage as such of IP Strong IP industries lobby very hard, records, films etc. Lately, newer giants like Google pull in the opposite direction. We will see new regulations in the next 20 years
Walter M. Tveter, USIT, University of Oslo Storing dangerous or illegal data This changes with the political situation. Some limitations on free speech Some limitations on technology New limitations will come, but predicting what is harder. The rules are often enforced only by governments, not by private entities. Whether one wishes to stand on principle and or give in to demand should be thought about on beforehand.
Walter M. Tveter, USIT, University of Oslo Legal regulations of storage models (EU) DIRECTIVE 2000/31/EC (Directive on electronic commerce). Article 14 Hosting 1. Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that: (a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or (b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information. 2. Paragraph 1 shall not apply when the recipient of the service is acting under the authority or the control of the provider. 3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement, nor does it affect the possibility for Member States of establishing procedures governing the removal or disabling of access to information.
Walter M. Tveter, USIT, University of Oslo Data Ownership Who will you give the data to when the person who stored it is long gone? Would you like to be sued for not giving out data to someone, or would you prefer to be sued for giving data to someone. An option is to destroy the data, and then be sued for that.
Walter M. Tveter, USIT, University of Oslo Data Ownership II An agreement that lays down very precise rules is smart before one takes on the obligation of (long- term) storage. What will prompt you to give someone access to the data. Who has the duty of care for the data and who has the duty of care for the information. Are there cases when you can erase the data Can storage of this data cause other legal obligations or obstacles? Who will take the risk for this?
Walter M. Tveter, USIT, University of Oslo Some thoughts on long term storage Since we don't know the future, we don't know what data (not just information) we store today will tell the people that access them in the future. Unless they are aware of the history and context, they may misunderstand. Some misunderstanding may be fun, others may not.
Walter M. Tveter, USIT, University of Oslo Charlemagne II In medieval Europe, writing was less then standardized. Instead of one or two good readable standards, one had many bad unreadable ones. Charlemagne (via. his adviser Alcuin) changed this. They developed Carolingian Minuscule, which from about was an easily readable and standardized form of writing. Enter Gutenberg, a new standardization for writing (font) was needed. Being a fan of all things Roman, they chose Carolingian Minuscule, believing the Carolingian texts were from the Roman times, being older and different from the later Gothic text.