Presentation is loading. Please wait.

Presentation is loading. Please wait.

Should we also regulate non-personal data?

Published byBenjamin Johnsen Modified over 4 years ago

Similar presentations

Presentation on theme: "Should we also regulate non-personal data?"— Presentation transcript:

1 Should we also regulate non-personal data?
Bart van der Sloot

2 Expanding scope Legal instruments Material scope Resolutions 1973&1974
Information relating to individuals (physical persons) Convention 1981 Information relating to an identified or identifiable individual Directive 1995 Information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; Regulation 2016 ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

3 Expanding scope Article 2 - Material scope 1.This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Article 4 – Definitions ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

4 Content data - metadata
The ECtHR suggests that the processing of content data and of metadata can be equally intrusive. Metadata, for example, “could reveal the identities and geographic location of the sender and recipient and the equipment through which the communication was transmitted. In bulk, the degree of intrusion is magnified, since the patterns that will emerge could be capable of painting an intimate picture of a person through the mapping of social networks, location tracking, Internet browsing tracking, mapping of communication patterns, and insight into who a person interacted with”.  Big Brother Watch and Others v the United Kingdom, para, 356 CJEU case law, according to which metadata “is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as everyday habits, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them … In particular, that data provides the means … of establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications.” C-203/15 and C-698/15 Tele2/Watson (2016) ECLI:EU:C:2016:970, para. 99

5 Non-personal data Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union This Regulation applies to the processing of electronic data other than personal data in the Union, which is: (a) provided as a service to users residing or having an establishment in the Union, regardless of whether the service provider is established or not in the Union; or (b) carried out by a natural or legal person residing or having an establishment in the Union for its own needs. This Regulation aims to ensure the free flow of data other than personal data within the Union by laying down rules relating to data localisation requirements, the availability of data to competent authorities and the porting of data for professional users.

6 Anonymous data Not included under the GDPR
Paul Ohm: BROKEN PROMISES OF PRIVACY: RESPONDING TO THE SURPRISING FAILURE OF ANONYMIZATION

7 Combined and agregated data
In principle not covered by the GDPR A Composition Theory for Privacy Law, by John A Fluitt et al: ‘Recent data privacy attacks have successfully combined multiple releases of data in order to learn privacy-sensitive information about individuals. As one prominent example, researchers in 2018 demonstrated that it was possible to reconstruct the full database from the 2010 Decennial Census and re-identify sensitive information for a significant percentage of the US population, by combining the statistical tables published by the US Census Bureau with information from commercial databases available in This revelation has compelled the Census Bureau to adopt formal mathematical guarantees of privacy that quantitatively measure and manage cumulative privacy risk for all data publications from the 2020 Decennial Census. As the volume and complexity of data uses and publications grow exponentially across a broad range of contexts, the need to develop frameworks for addressing cumulative privacy risks is likely to become an increasingly urgent and widespread problem. This Article argues that information privacy law inadequately addresses cumulative risks from multiple data uses and releases…’

8 Static categories Personal data – non-personal data
Personal data – sensitive-personal data Anonymous data – identifying data Content data – meta data Etc.

9 Why not dissolve the difference between personal and non-personal data?
More protection, but still room for data processing Adresses current technological developments Limits endless legal discussions Limits possibilities for circumventing the data protection framework

Download ppt "Should we also regulate non-personal data?"

Similar presentations

Public Sector Information & Data Protection: A plea for personal privacy settings for the re-use of PSI Bart van der Sloot Institute for Information Law.

Public Sector Information & Data Protection: A plea for personal privacy settings for the re-use of PSI Bart van der Sloot Institute for Information Law.
PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR

PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR
DATA PROTECTION and Research University Research Ethics Committee – 30.05.2008 David Cauchi David Cauchi Office of the Commissioner for Data Protection.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Legal Aspect of IPv6 and of the IPv4 to IPv6 transition Ashok.B.RADHAKISSOON Legal Adviser/Policy&Regulatory Affairs Liaison.

Legal Aspect of IPv6 and of the IPv4 to IPv6 transition Ashok.B.RADHAKISSOON Legal Adviser/Policy&Regulatory Affairs Liaison.
DATA PROTECTION and Research University Research Ethics Committee – 08.05.2006 David Cauchi Office of the Data Protection Commissioner.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
Lawyer at the Brussels Bar Lecturer at the University of Strasbourg Assistant at the University of Brussels Data Protection & Electronic Communications.

Lawyer at the Brussels Bar Lecturer at the University of Strasbourg Assistant at the University of Brussels Data Protection & Electronic Communications.
DIRECTIVE 2003/98/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 17 November 2003 on the re-use of public sector information (PSI directive) Theory.

DIRECTIVE 2003/98/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 17 November 2003 on the re-use of public sector information (PSI directive) Theory.
The Bolkestein Directive at the European Union level Marjatta Melto EI Pan-European/ETUCE Vice-President.

The Bolkestein Directive at the European Union level Marjatta Melto EI Pan-European/ETUCE Vice-President.
The application of certain restrictions on access to environmental information in accordance with AC Personal Data www.iidma.org Ana Barreira Instituto.

The application of certain restrictions on access to environmental information in accordance with AC Personal Data Ana Barreira Instituto.
Paola Lucantoni Economic and Financial Market Law.

Paola Lucantoni Economic and Financial Market Law.
ASSOC. PROF. DR. DOVILE GAILIUTE MYKOLAS ROMERIS UNIVERSITY 2015 POSITIVE OBLIGATIONS ON HOUSING RIGHTS.

ASSOC. PROF. DR. DOVILE GAILIUTE MYKOLAS ROMERIS UNIVERSITY 2015 POSITIVE OBLIGATIONS ON HOUSING RIGHTS.
Threat Prevention and Detection (within Critical Infrastructures) under EU Data Protection Legislation– Purpose Specification and Limitation. Laurens Naudts.

Threat Prevention and Detection (within Critical Infrastructures) under EU Data Protection Legislation– Purpose Specification and Limitation. Laurens Naudts.
Privacy, data protection and connected cars Lilian Edwards, Professor of Internet Law University of Strathclyde Researcher in Residence, Digital Catapult.

Privacy, data protection and connected cars Lilian Edwards, Professor of Internet Law University of Strathclyde Researcher in Residence, Digital Catapult.
František Nonnemann Skopje, 10th October 2012 JHA 48785 Data protection and re-use of PSI as a tool for public control–CZ approach.

František Nonnemann Skopje, 10th October 2012 JHA Data protection and re-use of PSI as a tool for public control–CZ approach.
Unlinking Private Data

Unlinking Private Data
Brussels Privacy Symposium on Identifiability

Brussels Privacy Symposium on Identifiability
HIPSSA Project PRESENTATION ON SADC DATA PROTECTION MODEL LAW

HIPSSA Project PRESENTATION ON SADC DATA PROTECTION MODEL LAW
Brussels Privacy Symposium on Identifiability

Brussels Privacy Symposium on Identifiability
The Citizen in the centre in EU, Bratislava November,2005

The Citizen in the centre in EU, Bratislava November,2005

Similar presentations

Ads by Google