Do deficiencies in data privacy threaten our autonomy and, if so, can informational privacy rights meet this threat?

Bernal, Paul Alexander

January 2011

This thesis sets out a model to examine how the internet functions. 'The symbiotic web' suggests a symbiotic relationship between corporations that have built business models dependent upon the gathering of personal data from people, and the individuals themselves who have begun to rely on apparently 'free' services (from search to email, social networking to YouTube). Having set out the model, the thesis looks at its implications: how it has contributed to many, both the positive and negative, developments on the internet in recent years, but also driven the mass gathering, use and holding of personal data. The symbiotic web is currently essentially beneficial to both businesses and individuals, but there are significant risks attached - risks associated with the accumulation of data and risks that the symbiotic relationship could become negative and parasitic, putting individuals' privacy and autonomy at risk. The implications of this model are examined through the use of case studies: the dispute between Google and the Article 29 Working Party over data retention, Phorm's 'Webwise' behavioural targeting system, and a number of smaller case studies about data vulnerability from the HMRC data disc loss to the ACS:Law hack/leak. The thesis suggests the development and use of specific rights designed for the internet to address the associated risks: a 'right to roam the internet with privacy', a right to monitor those who monitor us, and a 'right to delete data'. These rights would be set out as principles rather than enacted and enforced as laws, and brought into play through Murray's model of symbiotic regulation. These rights would support the positive development of the web symbiosis and encourage and shape new business models that are more supportive of individual autonomy and privacy.

005.8

Protection of Personal Data, a Power Struggle between the EU and the US: What implications might be facing the transfer of personal data from the EU to the US after the CJEU’s Safe Harbour ruling?

Strindberg, Mona

January 2016

Since the US National Security Agency’s former contractor Edward Snowden exposed the Agency’s mass surveillance, the EU has been making a series of attempts toward a more safeguarded and stricter path concerning its data privacy protection. On 8 April 2014, the Court of Justice of the European Union (the CJEU) invalidated the EU Data Retention Directive 2006/24/EC on the basis of incompatibility with the Charter of Fundamental Rights of the European Union (the Charter). After this judgment, the CJEU examined the legality of the Safe Harbour Agreement, which had been the main legal basis for transfers of personal data from the EU to the US under Decision 2000/520/EC. Subsequently, on 6 October 2015, in the case of Schrems v Data Protection Commissioner, the CJEU declared the Safe Harbour Decision invalid. The ground for the Court’s judgment was the fact that the Decision enabled interference, by US public authorities, with the fundamental rights to privacy and personal data protection under Article 7 and 8 of the Charter, when processing the personal data of EU citizens. According to the judgment, this interference has been beyond what is strictly necessary and proportionate to the protection of national security and the persons concerned were not offered any administrative or judicial means of redress enabling the data relating to them to be accessed, rectified or erased. The Court’s analysis of the Safe Harbour was borne out of the EU Commission’s own previous assessments. Consequently, since the transfers of personal data between the EU and the US can no longer be carried out through the Safe Harbour, the EU legislature is left with the task to create a safer option, which will guarantee that the fundamental rights to privacy and protection of personal data of the EU citizens will be respected. However, although the EU is the party dictating the terms for these transatlantic transfers of personal data, the current provisions of the US law are able to provide for derogations from every possible renewed agreement unless they become compatible with the EU data privacy law. Moreover, as much business is at stake and prominent US companies are involved in this battle, the pressure toward the US is not only coming from the EU, but some American companies are also taking the fight for EU citizens’ right to privacy and protection of their personal data.

EU

EU Law

US Privacy Law

Safe Harbour

Safe Harbor

Data Protection

Personal Data transfer

Facebook

Articles 7

8 and 47 of the Charter

Article 16(1) of the TFEU

Article 8 ECHR

EDPS

Decision 2000/520/EC

Directive 95/46/EC

Personal Integrity

Right to Privacy

Right to Private Life

Data Retention

Surveillance

IT Law

Article 29 Working Party

EU-rätt

EU-stadgan

datalagring

datalagringsdirektivet

personlig integritet

dataskydd

grundläggande rättigheter

proportionalitetsprincipen