Transatlantic Data Privacy


Paul M. Schwartz and Karl-Nikolaus Peifer in Georgetown Law Journal: “International flows of personal information are more significant than ever, but differences in transatlantic data privacy law imperil this data trade. The resulting policy debate has led the EU to set strict limits on transfers of personal data to any non-EU country—including the United States—that lacks sufficient privacy protections. Bridging the transatlantic data divide is therefore a matter of the greatest significance.

In exploring this issue, this Article analyzes the respective legal identities constructed around data privacy in the EU and the United States. It identifies profound differences in the two systems’ images of the individual as bearer of legal interests. The EU has created a privacy culture around “rights talk” that protects its “data subjects.” In the EU, moreover, rights talk forms a critical part of the postwar European project of creating the identity of a European citizen. In the United States, in contrast, the focus is on a “marketplace discourse” about personal information and the safeguarding of “privacy consumers.” In the United States, data privacy law focuses on protecting consumers in a data marketplace.

This Article uses its models of rights talk and marketplace discourse to analyze how the EU and United States protect their respective data subjects and privacy consumers. Although the differences are great, there is still a path forward. A new set of institutions and processes can play a central role in developing mutually acceptable standards of data privacy. The key documents in this regard are the General Data Protection Regulation, an EU-wide standard that becomes binding in 2018, and the Privacy Shield, an EU–U.S. treaty signed in 2016. These legal standards require regular interactions between the EU and United States and create numerous points for harmonization, coordination, and cooperation. The GDPR and Privacy Shield also establish new kinds of governmental networks to resolve conflicts. The future of international data privacy law rests on the development of new understandings of privacy within these innovative structures….(More)”.

Understanding Corporate Data Sharing Decisions: Practices, Challenges, and Opportunities for Sharing Corporate Data with Researchers


Leslie Harris at the Future of Privacy Forum: “Data has become the currency of the modern economy. A recent study projects the global volume of data to grow from about 0.8 zettabytes (ZB) in 2009 to more than 35 ZB in 2020, most of it generated within the last two years and held by the corporate sector.

As the cost of data collection and storage becomes cheaper and computing power increases, so does the value of data to the corporate bottom line. Powerful data science techniques, including machine learning and deep learning, make it possible to search, extract and analyze enormous sets of data from many sources in order to uncover novel insights and engage in predictive analysis. Breakthrough computational techniques allow complex analysis of encrypted data, making it possible for researchers to protect individual privacy, while extracting valuable insights.

At the same time, these newfound data sources hold significant promise for advancing scholarship and shaping more impactful social policies, supporting evidence-based policymaking and more robust government statistics, and shaping more impactful social interventions. But because most of this data is held by the private sector, it is rarely available for these purposes, posing what many have argued is a serious impediment to scientific progress.

A variety of reasons have been posited for the reluctance of the corporate sector to share data for academic research. Some have suggested that the private sector doesn’t realize the value of their data for broader social and scientific advancement. Others suggest that companies have no “chief mission” or public obligation to share. But most observers describe the challenge as complex and multifaceted. Companies face a variety of commercial, legal, ethical, and reputational risks that serve as disincentives to sharing data for academic research, with privacy – particularly the risk of reidentification – an intractable concern. For companies, striking the right balance between the commercial and societal value of their data, the privacy interests of their customers, and the interests of academics presents a formidable dilemma.

To be sure, there is evidence that some companies are beginning to share for academic research. For example, a number of pharmaceutical companies are now sharing clinical trial data with researchers, and a number of individual companies have taken steps to make data available as well. What is more, companies are also increasingly providing open or shared data for other important “public good” activities, including international development, humanitarian assistance and better public decision-making. Some are contributing to data collaboratives that pool data from different sources to address societal concerns. Yet, it is still not clear whether and to what extent this “new era of data openness” will accelerate data sharing for academic research.

Today, the Future of Privacy Forum released a new study, Understanding Corporate Data Sharing Decisions: Practices, Challenges, and Opportunities for Sharing Corporate Data with Researchers. In this report, we aim to contribute to the literature by seeking the “ground truth” from the corporate sector about the challenges they encounter when they consider making data available for academic research. We hope that the impressions and insights gained from this first look at the issue will help formulate further research questions, inform the dialogue between key stakeholders, and identify constructive next steps and areas for further action and investment….(More)”.

Ethical questions in data journalism and the power of online discussion


David Craig, Stan Ketterer and Mohammad Yousuf at Data Driven Journalism: “One common element uniting data journalism projects, across different stories and locations, is the ethical challenges they present.

As scholars and practitioners of data journalism have pointed out, main issues include flawed data, misrepresentation from a lack of context, and privacy concerns. Contributors have discussed the ethics of data journalism on this site in posts about topics such as the use of pervasive data, transparency about editorial processes in computational journalism, and best practices for doing data journalism ethically.

Our research project looked at similar ethical challenges by examining journalists’ discussion of the controversial handling of publicly accessible gun permit data in two communities in the United States. The cases are not new now, but the issues they raise persist and point to opportunities – both to learn from online discussion of ethical issues and to ask a wide range of ethical questions about data journalism.

The cases

Less than two weeks after the 2012 shooting deaths of 20 children and six staff members at Sandy Hook Elementary School in Newtown, Connecticut, a journalist at The Journal News in White Plains, New York, wrote a story about the possible expansion of publicly accessible gun permit data. The article was accompanied by three online maps with the locations of gun permit holders. The clickable maps of a two-county area in the New York suburbs also included the names and addresses of the gun permit holders. The detailed maps with personal information prompted a public outcry both locally and nationally, mainly involving privacy and safety concerns, and were subsequently taken down.

Although the 2012 case prompted the greatest attention, another New York newspaper reporter’s Freedom of Information request for a gun permit database for three counties sparked an earlier public outcry in 2008. The Glen Falls Post-Star’s editor published an editorial in response. “We here at The Post-Star find ourselves in the unusual position of responding to the concerns of our readers about something that has not even been published in our newspaper or Web site,” the editorial began. The editor said the request “drew great concern from members of gun clubs and people with gun permits in general, a concern we totally understand.”

Both of these cases prompted discussion among journalists, including participants in NICAR-L, the listserv of the National Institute for Computer-Assisted Reporting, whose subscribers include data journalists from major news organizations in the United States and around the world. Our study examined the content of three discussion threads with a total of 119 posts that focused mainly on ethical issues.

Key ethical issues

Several broad ethical issues, and specific themes related to those issues, appeared in the discussion.

1. Freedom versus responsibility and journalistic purpose..

2. Privacy and verification..

3. Consequences..

….(More)”

See also: David Craig, Stan Ketterer and Mohammad Yousuf, “To Post or Not to Post: Online Discussion of Gun Permit Mapping and the Development of Ethical Standards in Data Journalism,” Journalism & Mass Communication Quarterly

Data Governance Regimes in the Digital Economy: The Example of Connected Cars


Paper by Wolfgang Kerber and Jonas Severin Frank: “The Internet of Things raises a number of so far unsolved legal and regulatory questions. Particularly important are the issues of privacy, data ownership, and data access. One particularly interesting example are connected cars with their huge amount of produced data. Also based upon the recent discussion about data ownership and data access in the context of the EU Communication “Building a European data economy” this paper has two objectives:

(1) It intends to provide a general economic theoretical framework for the analysis of data governance regimes for data in Internet of Things contexts, in which two levels of data governance are distinguished (private data governance based upon contracts and the legal and regulatory framework for markets). This framework focuses on potential market failures that can emerge in regard to data and privacy.

(2) It applies this analytical framework to the complex problem of data governance in connected cars (with its different stakeholders car manufacturers, car owners, car component suppliers, repair service providers, insurance companies, and other service providers), and identifies several potential market failure problems in regard to this specific data governance problem (esp. competition problems, information/behavioral problems and privacy problems).

These results can be an important input for future research that focuses more on the specific policy implications for data governance in connected cars. Although the paper is primarily an economic paper, it tries to take into account important aspects of the legal discussion….(More)”.

Nobody reads privacy policies – here’s how to fix that


 at the Conversation: “…The key to turning privacy notices into something useful for consumers is to rethink their purpose. A company’s policy might show compliance with the regulations the firm is bound to follow, but remains impenetrable to a regular reader.

The starting point for developing consumer-friendly privacy notices is to make them relevant to the user’s activity, understandable and actionable. As part of the Usable Privacy Policy Project, my colleagues and I developed a way to make privacy notices more effective.

The first principle is to break up the documents into smaller chunks and deliver them at times that are appropriate for users. Right now, a single multi-page policy might have many sections and paragraphs, each relevant to different services and activities. Yet people who are just casually browsing a website need only a little bit of information about how the site handles their IP addresses, if what they look at is shared with advertisers and if they can opt out of interest-based ads. Those people don’t need to know about many other things listed in all-encompassing policies, like the rules associated with subscribing to the site’s email newsletter, nor how the site handles personal or financial information belonging to people who make purchases or donations on the site.

When a person does decide to sign up for email updates or pay for a service through the site, then an additional short privacy notice could tell her the additional information she needs to know. These shorter documents should also offer users meaningful choices about what they want a company to do – or not do – with their data. For instance, a new subscriber might be allowed to choose whether the company can share his email address or other contact information with outside marketing companies by clicking a check box.

Understanding users’ expectations

Notices can be made even simpler if they focus particularly on unexpected or surprising types of data collection or sharing. For instance, in another study, we learned that most people know their fitness tracker counts steps – so they didn’t really need a privacy notice to tell them that. But they did not expect their data to be collected, aggregated and shared with third parties. Customers should be asked for permission to do this, and allowed to restrict sharing or opt out entirely.

Most importantly, companies should test new privacy notices with users, to ensure final versions are understandable and not misleading, and that offered choices are meaningful….(More)”

Selected Readings on Blockchain and Identity


By Hannah Pierce and Stefaan Verhulst

The Living Library’s Selected Readings series seeks to build a knowledge base on innovative approaches for improving the effectiveness and legitimacy of governance. This curated and annotated collection of recommended works on the topic of blockchain and identity was originally published in 2017.

The potential of blockchain and other distributed ledger technologies to create positive social change has inspired enthusiasm, broad experimentation, and some skepticism. In this edition of the Selected Readings series, we explore and curate the literature on blockchain and how it impacts identity as a means to access services and rights. (In a previous edition we considered the Potential of Blockchain for Transforming Governance).

Introduction

In 2008, an unknown source calling itself Satoshi Nakamoto released a paper named Bitcoin: A Peer-to-Peer Electronic Cash System which introduced Blockchain. Blockchain is a novel technology that uses a distributed ledger to record transactions and ensure compliance. Blockchain and other Distributed Ledger technologies (DLTs) rely on an ability to act as a vast, transparent, and secure public database.

Distributed ledger technologies (DLTs) have disruptive potential beyond innovation in products, services, revenue streams and operating systems within industry. By providing transparency and accountability in new and distributed ways, DLTs have the potential to positively empower underserved populations in myriad ways, including providing a means for establishing a trusted digital identity.

Consider the potential of DLTs for 2.4 billion people worldwide, about 1.5 billion of whom are over the age of 14, who are unable to prove identity to the satisfaction of authorities and other organizations – often excluding them from property ownership, free movement, and social protection as a result. At the same time, transition to a DLT led system of ID management involves various risks, that if not understood and mitigated properly, could harm potential beneficiaries.

Annotated Selected Reading List

Governance

Cuomo, Jerry, Richard Nash, Veena Pureswaran, Alan Thurlow, Dave Zaharchuk. “Building trust in government: Exploring the potential of blockchains.” IBM Institute for Business Value. January 2017.

This paper from the IBM Institute for Business Value culls findings from surveys conducted with over 200 government leaders in 16 countries regarding their experiences and expectations for blockchain technology. The report also identifies “Trailblazers”, or governments that expect to have blockchain technology in place by the end of the year, and details the views and approaches that these early adopters are taking to ensure the success of blockchain in governance. These Trailblazers also believe that there will be high yields from utilizing blockchain in identity management and that citizen services, such as voting, tax collection and land registration, will become increasingly dependent upon decentralized and secure identity management systems. Additionally, some of the Trailblazers are exploring blockchain application in borderless services, like cross-province or state tax collection, because the technology removes the need for intermediaries like notaries or lawyers to verify identities and the authenticity of transactions.

Mattila, Juri. “The Blockchain Phenomenon: The Disruptive Potential of Distributed Consensus Architectures.” Berkeley Roundtable on the International Economy. May 2016.

This working paper gives a clear introduction to blockchain terminology, architecture, challenges, applications (including use cases), and implications for digital trust, disintermediation, democratizing the supply chain, an automated economy, and the reconfiguration of regulatory capacity. As far as identification management is concerned, Mattila argues that blockchain can remove the need to go through a trusted third party (such as a bank) to verify identity online. This could strengthen the security of personal data, as the move from a centralized intermediary to a decentralized network lowers the risk of a mass data security breach. In addition, using blockchain technology for identity verification allows for a more standardized documentation of identity which can be used across platforms and services. In light of these potential capabilities, Mattila addresses the disruptive power of blockchain technology on intermediary businesses and regulating bodies.

Identity Management Applications

Allen, Christopher.  “The Path to Self-Sovereign Identity.” Coindesk. April 27, 2016.

In this Coindesk article, author Christopher Allen lays out the history of digital identities, then explains a concept of a “self-sovereign” identity, where trust is enabled without compromising individual privacy. His ten principles for self-sovereign identity (Existence, Control, Access, Transparency, Persistence, Portability, Interoperability, Consent, Minimization, and Protection) lend themselves to blockchain technology for administration. Although there are actors making moves toward the establishment of self-sovereign identity, there are a few challenges that face the widespread implementation of these tenets, including legal risks, confidentiality issues, immature technology, and a reluctance to change established processes.

Jacobovitz, Ori. “Blockchain for Identity Management.” Department of Computer Science, Ben-Gurion University. December 11, 2016.

This technical report discusses advantages of blockchain technology in managing and authenticating identities online, such as the ability for individuals to create and manage their own online identities, which offers greater control over access to personal data. Using blockchain for identity verification can also afford the potential of “digital watermarks” that could be assigned to each of an individual’s transactions, as well as negating the creation of unique usernames and passwords online. After arguing that this decentralized model will allow individuals to manage data on their own terms, Jacobovitz provides a list of companies, projects, and movements that are using blockchain for identity management.

Mainelli, Michael. “Blockchain Will Help Us Prove Our Identities in a Digital World.” Harvard Business Review. March 16, 2017.

In this Harvard Business Review article, author Michael Mainelli highlights a solution to identity problems for rich and poor alike–mutual distributed ledgers (MDLs), or blockchain technology. These multi-organizational data bases with unalterable ledgers and a “super audit trail” have three parties that deal with digital document exchanges: subjects are individuals or assets, certifiers are organizations that verify identity, and inquisitors are entities that conduct know-your-customer (KYC) checks on the subject. This system will allow for a low-cost, secure, and global method of proving identity. After outlining some of the other benefits that this technology may have in creating secure and easily auditable digital documents, such as greater tolerance that comes from viewing widely public ledgers, Mainelli questions if these capabilities will turn out to be a boon or a burden to bureaucracy and societal behavior.

Personal Data Security Applications

Banafa, Ahmed. “How to Secure the Internet of Things (IoT) with Blockchain.” Datafloq. August 15, 2016.

This article details the data security risks that are coming up as the Internet of Things continues to expand, and how using blockchain technology can protect the personal data and identity information that is exchanged between devices. Banafa argues that, as the creation and collection of data is central to the functions of Internet of Things devices, there is an increasing need to better secure data that is largely confidential and often personally identifiable. Decentralizing IoT networks, then securing their communications with blockchain can allow them to remain scalable, private, and reliable. Enabling blockchain’s peer-to-peer, trustless communication may also enable smart devices to initiate personal data exchanges like financial transactions, as centralized authorities or intermediaries will not be necessary.

Shrier, David, Weige Wu and Alex Pentland. “Blockchain & Infrastructure (Identity, Data Security).” Massachusetts Institute of Technology. May 17, 2016.

This paper, the third of a four-part series on potential blockchain applications, covers the potential of blockchains to change the status quo of identity authentication systems, privacy protection, transaction monitoring, ownership rights, and data security. The paper also posits that, as personal data becomes more and more valuable, we should move towards a “New Deal on Data” which provides individuals data protection – through blockchain technology – and the option to contribute their data to aggregates that work towards the common good. In order to achieve this New Deal on Data, robust regulatory standards and financial incentives must be provided to entice individuals to share their data to benefit society.

A Better Way to Trace Scattered Refugees


Tina Rosenberg in The New York Times: “…No one knew where his family had gone. Then an African refugee in Ottawa told him about Refunite. He went on its website and opened an account. He gave his name, phone number and place of origin, and listed family members he was searching for.

Three-quarters of a century ago, while World War II still raged, the Allies created the International Tracing Service to help the millions who had fled their homes. Its central name index grew to 50 million cards, with information on 17.5 million individuals. The index still exists — and still gets queries — today.

Index cards have become digital databases, of course. And some agencies have brought tracing into the digital age in other ways. Unicef, for example, equips staff during humanitarian emergencies with a software called Primero, which helps them get children food, medical care and other help — and register information about unaccompanied children. A parent searching for a child can register as well. An algorithm makes the connection — “like a date-finder or matchmaker,” said Robert MacTavish, who leads the Primero project.

Most United Nations agencies rely for family tracing on the International Committee of the Red Cross, the global network of national Red Cross and Red Crescent societies. Florence Anselmo, who directs the I.C.R.C.’s Central Tracing Agency, said that the I.C.R.C. and United Nations agencies can’t look in one another’s databases. That’s necessary for privacy reasons, but it’s an obstacle to family tracing.

Another problem: Online databases allow the displaced to do their own searches. But the I.C.R.C. has these for only a few emergency situations. Anselmo said that most tracing is done by the staff of national Red Cross societies, who respond to requests from other countries. But there is no global database, so people looking for loved ones must guess which countries to search.

The organization is working on developing an algorithm for matching, but for now, the search engines are human. “When we talk about tracing, it’s not only about data matching,” Anselmo said. “There’s a whole part about accompanying families: the human aspect, professionals as well as volunteers who are able to look for people — even go house to house if needed.”

This is the mom-and-pop general store model of tracing: The customer makes a request at the counter, then a shopkeeper with knowledge of her goods and a kind smile goes to the back and brings it out, throwing in a lollipop. But the world has 65 million forcibly displaced people, a record number. Personalized help to choose from limited stock is appropriate in many cases. But it cannot possibly be enough.

Refunite seeks to become the eBay of family tracing….(More)”

Are countries with a poor democratic record more likely to mandate an Aadhaar-like ID?


 at the Centre for Communication Governance: “Can a country’s democratic record indicate whether it is likely to mandate a national biometric identity? Research by scholars at the National Law University, Delhi suggests there may be some correlation, at least to indicate that robust democracies have been more cautious about adopting biometric identity systems.

The Supreme Court’s decision last month upholding a fundamental Right to Privacy for all Indians has put a renewed focus on Aadhaar, India’s 12-digit biometric identity programme that has been criticised for not only violating privacy but also lacking sufficient data protection safeguards. Challenges to the Aadhaar project, in fact, prompted the Supreme Court to take up the question of a Right to Privacy, and the apex court will hear petitions against the unique identity initiative later this year.

Ahead of those hearings, researchers from the Centre for Communication Governance at the National Law University, Delhi sought to look at the adoption of biometric identity systems by countries across the world. While examining whether countries were instituting these Aadhaar-like systems, researchers from the Centre noticed a trend wherein nations with strong biometric identity systems were less likely to have robust democratic governments.

“As we gathered and analysed the data, we noticed an interesting trend where many countries that had strong biometric ID systems, also did not have strong democratic governments,” the researchers said.

So they sought to map out their research, based on data collected primarily from countries within the Commonwealth, measured against their positions on Freedom House’s Freedom in the World index and the Economist Intelligence Unit’s Democracy index. The results show a cluster of nations with less freedoms also instituting a biometric system, while others higher up the democracy index do not have similar identity programmes….(More)”.

Cape Town as a Smart and Safe City: Implications for Governance and Data Privacy


Nora Ni Loideain at the Journal of International Data Privacy Law: “Promises abound that ‘smart city’ technologies could play a major role in developing safer, more sustainable, and equitable cities, creating paragons of democracy. However, there are concerns that governance led by ‘Big Data’ processes marks the beginning of a trend of encroachment on the individual’s liberty and privacy, even if such technologies are employed legitimately for the public’s safety and security. There are many ways in which personal data processing for law enforcement and public safety purposes may pose a threat to the privacy and data protection rights of individuals. Furthermore, the risk of such powers being misused is increased by the covert nature of the processing, and the ever-increasing capacity, and pervasiveness, of the retention, sharing, and monitoring of personal data by public authorities and business. The focus of this article concerns the use of these smart city technologies for the purposes of countering crime and ensuring public safety. Specifically, this research examines these policy-making developments, and the key initiatives to date, undertaken by the municipal authorities within the city of Cape Town. Subsequently, the examination then explores the implications of these policies and initiatives for governance, and compliance with the right to data privacy, as guaranteed under international human rights law, the Constitution of South Africa, and the national statutory framework governing data protection. In conclusion, the discussion provides reflections on the findings from this analysis, including some policy recommendations….(More)”.

Privacy and Outrage


Paper by Jordan M. Blanke: “Technology has dramatically altered virtually every aspect of our life in recent years. While technology has always driven change, it seems that these changes are occurring more rapidly and more extensively than ever before. Society and its laws will evolve; but it is not always an easy process. Privacy has changed dramatically in our data-driven world – and continues to change daily. It has always been difficult to define exactly what privacy is, and therefore, it is even more difficult to propose what it should become. As the meaning of privacy often varies from person to person, it is difficult to establish a one-size-fits-all concept. This paper explores some of the historical, legal and ethical development of privacy, discusses how some of the normative values of privacy may survive or change, and examines how outrage has been – and will continue to be – a driver of such change….(More)”.