DRM and Personal Data Protection in the context of the EU law

Presentation transcript:

DRM and Personal Data Protection in the context of the EU law
Ass. Professor Lilian Mitrou, University of the Aegean - Greece

Structure of the presentation
- The notion of privacy and data protection
- Emphasis on European constitutional values
- EU regulatory framework for data protection
- Directive 95/46/EC
- DRM as a privacy-invading technology
- Privacy issues
- Privacy-respecting solutions

Modern Society and Information
- The growth of modern civilization is connected with the development of information.
- The twentieth century has come to a close with a veritable explosion of capabilities for data collection, storage, processing and exchange by electronic means, deemed incredible until recently.

Privacy Risks
- In the contemporary world the individual is entangled in activities which per se create the necessity to collect personal data.
- This concerns every sphere of situation and activity: from birth to death, from kindergarten to workplace.
- The issue of protection of the right to privacy, especially the protection of personal data and information-related autonomy, arises, therefore, at the stage when the threat to privacy reaches a climax.

The notion of privacy
- The right to protection of private life constitutes a relatively new concept in the development of contemporary law.
- Privacy is much more than a "right to be left alone" and "my home is my castle".
- Privacy implies a normative element: the right to exclusive control of access to private realms.
- Where privacy is dismantled, the opportunity to develop and maintain a particular style of life fades.

Privacy and Democratic Rights
- Unrestricted access to personal data imperils virtually every constitutionally guaranteed right.
- Neither freedom of speech nor freedom of association nor freedom of assembly can be fully exercised as long as it remains uncertain whether, under what circumstances and for what purposes personal information is collected and processed.
- In this view, considerations of privacy determine the choice between a democratic and a totalitarian or authoritarian society.
- Privacy should be conceived as a precondition of participation in social, political and economic life.

Privacy and (Personal) Data Protection
- The concepts of privacy and data protection are not identical.
- Data protection is narrower than privacy, since privacy encompasses more than personal data.
- Personal data are protected not only to enhance the privacy of the subject but also to guarantee other fundamental rights, such as the right not to be discriminated against.

"Personal data" and "data subject"
- "Personal data" is not only data that are conceived as "a private business".
- Personal data: any information relating to an identified or identifiable natural person ("data subject").
- Data subject: an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Data Protection Law
- Data protection refers to a system of legal rules that structure the collection and use of personal information and the fair treatment of personal information.
- The elaboration of rules on the use of information also refers to the need to create and maintain a functioning democratic society, as these rules also concern the transparency of the flows of information and the production and dissemination of information in society.

Charter of Fundamental Rights of the European Union
- Article 7 (Respect for private and family life): Everyone has the right to respect for his or her private and family life, home and communications.
- Article 8 (Protection of personal data): Everyone has the right to the protection of personal data concerning him or her. [purpose/consent/access/independent control]

Multinational Data Protection Initiatives
- Enactment of data protection laws by states has been paralleled, and in some cases anticipated, by multinational action.
- OECD: Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
- Council of Europe: Convention "for the protection of Individuals with regard to Automatic Processing of Personal Data" (Convention 108 – 1981).

EU-Data Protection Directive
- The Directive is extraordinarily comprehensive.
- Broad definitions and broad exemptions.
- Except for limited exclusions, the Directive applies to all processing of personal data, either manual or automatic.
- The Directive is limited to living natural persons. The provisions of Community law do not apply to legal persons.
- Special emphasis has been put on the object of the Directive, which is "to protect the fundamental rights and liberties of natural persons and in particular their right to privacy".

Approach of the EU-Directive
- The establishment of conditions, obligations and responsibilities for the lawful processing of personal information.
- The maintenance of transparent processing, based not only on the notification system but mainly on the rights of individuals.
- The establishment of external, independent and effective oversight of the data processing activities.

Data Protection Principles
- Lawful and fair processing.
- Purpose of the processing: explicit, legitimate and determined at the time of the collection of the data.
- Purposes of processing: not incompatible with the purposes as they were originally specified (finality principle).
- The data must be adequate, relevant and not excessive in relation to the purpose for which they are processed (proportionality principle).
- The data must be accurate and up to date, and not kept in a form which permits identification of the data subject for longer periods than necessary for the fulfilment of the purpose of their collection and processing.

Legitimate processing
- Consent of the data subject.
- Conclusion or performance of a contract.
- Compliance with a legal requirement.
- Protection of the vital interests of the data subject, if he/she is physically or legally incapable of giving his/her consent.
- Performance of a task carried out in the public interest or a project carried out in the exercise of public function.
- Necessary for the purposes of a legitimate interest, provided that this interest "supersedes" the rights and interests of the persons to whom the data refer and that their fundamental liberties are not affected.

Personal Data and Sensitive Data
- Personal data include textual information but also photographs, audiovisual images, and sound recordings of an identified or identifiable person.
- The so-called sensitive data: the Directive (Art. 8) refers to "special categories of data", which include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health, and sex life.
- The processing of data relating to offences, criminal convictions or security measures is also treated as a special category.

Rights of the Data Subject
- Information of the data subject.
- Access: confirmation of the existence of personal data relating to them, communication to them of such data in an intelligible form, an indication of their source, and general information on their use.
- Right to correct, erase, or block the transfer of "inaccurate or incomplete data", and the opportunity to object at any time "on legitimate grounds" to the processing of personal data.

Supervisory Authorities
- Each member state must establish an independent public authority to supervise the protection of personal data.
- Power to investigate data processing activities, including a right of access to the underlying data, as well as the power to intervene to order the erasure of data and the cessation of processing, and to block proposed transfers of data to third parties.

Liabilities and Remedies
- Civil liability against data controllers for unlawful processing activities.
- Penal sanctions for non-compliance with the national laws adopted pursuant to the Directive.
- Dissuasive penalties by the Supervisory Authority.

RESTRICTIONS ON TRANSBORDER DATA FLOW
- Prohibiting the transfer of personal data to non-member states that fail to ensure an "adequate level of protection".
- Exemptions:
  - Consent
  - Performance of a contract
  - Transfer is legally required or necessary to serve an "important public interest"
  - Vital interests of the data subject
  - Transfer from a "register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest."

Digital Rights Management
- A technology originally conceived to facilitate controlled distribution of digital information in order to combat breaches of copyright law.
- The goal of DRM technology is distribution of digital content in a manner that protects the rights of all parties involved, including copyright owners, distributors and users.
- It offers a technique to control and bill for digital content usage, through persistent information protection (PIP).

DRM Strategies
- Distribute persistent complete DRM metadata with digital content: each digital work would be formatted for use only by approved application programs.
- Tie downloaded content to a particular device or set of devices: the user would have to provide serial numbers of the devices.
- Tie downloaded content to the user: he has to prove that he is a legitimate user (user tracking).

DRM and risks for Privacy
- Necessity of implementing measures to safeguard the legitimate interests of holders of IPRs against fraud.
- DRM measures involve the processing of personal data of individuals.
- Internet content distribution and DRM can affect data protection and can lead to privacy loss:
  - Verification of hardware/software
  - Control of the user's identity
  - Tracing

Digital Rights Management
- New technologies to identify and/or trace users are being established at the level of exchange of information as well as at platform level (verification of hardware/software).
- Access to transactions on copyright-protected information is subject to preliminary control of the user's identity and tracing of the use of the information, through tags or digital watermarks.
- Distance verification of copyright compliance of the constituents of computer platforms.

Enforcement of copyright
- A posteriori actions and investigations towards users suspected of infringements.
- Research based on the collection of IP addresses of the users, then combined with users' data as held by ISPs. Direct communication of information to right holders is illegal according to US courts (Verizon case).
- Use of existing public registers such as "Whois" databases, which keep personal details about those who have registered a domain name.

Applicable law
- The legitimate purpose pursued by right holders, to prevent misuse of protected information, often results in the tracing/monitoring of the users.
- Where personal data are being processed, the rules and principles of Directive 95/46/EC bind any right holder and shall be complied with.
- Directive 2004/48/EC on the enforcement of IPRs does not affect Directive 95/46/EC and the application of data protection principles (see Art. 2 (3) a).

Privacy Respecting Guidelines
- Necessity to allow for anonymous or pseudonymous transactions on the Internet (just as in the off-line world…!).
- DRM tools should be used to preserve the anonymity of the user.
- Use of unique identifiers and a priori tracing of every user: the tagging of a document should not be linked to an individual except if necessary for the performance of the service or with the informed consent of the user.
- Information of the data subject: the greatest possible transparency in the operation of the copyright management system.

Purpose limitation and limited storage of personal data
- Compliance with the purpose limitation principle: data have to be used only in compliance with the stated purpose.
- The user should be clearly informed and be given the choice to accept/reject profiling and marketing of data (Electronic Privacy Directive – Art. 13).
- Limited storage: data collected on the occasion of the provision of a protected product or service should be deleted once they are no longer necessary for billing purposes.

Investigations
- Actions to prosecute users suspected of copyright infringements.
- Legal restrictions applying to the re-use of personal information.
- Data held by ISPs cannot be transferred to third parties such as right holders, except in defined circumstances provided by law and to public law enforcement authorities.
- No systematic obligation of surveillance and collaboration can be imposed on ISPs (Art. 15 of the Directive 2000/31).

Judicial data
- The Directive 2004/48/EC on the enforcement of IPRs provides for conditions in which personal data shall be requested by judicial authorities.
- Judicial authorities may order, on justified and proportionate request, communication of information on the origin and distribution networks of the goods/services which infringe an IPR.

Conclusion
- Increasing gap between the protection of individuals in the offline and online worlds.
- Need for development of clear and detailed rules as well as notification/authorisation procedures.
- Need for development of technical tools offering privacy-compliant properties (transparent and limited use of unique identifiers – choice option).
- Constant review in order to adapt to technological innovation.
- Fixed aim: freedoms, rights and democracy.