Privacy Online Up Close And Personal

1The term ‘normative’ is used throughout the article as a synonym for ‘regulatory’, with the important emphasis on ‘regulation’ being a broader term than ‘legislation’ or ‘legally binding norms’. As many contemporary privacy issues have yet to settle in national and international consciousness and response, the word ‘normative’ is intended to underline that ‘norms’ related to privacy protection are evolving, not only as binding regulatory instruments are adopted, but also by way of court rulings, market developments, standardization, social attitudes and non-binding normative instruments, such as policies and strategies. For a great account of norms in this respect, see Finnemore, Martha (2011) [1].

2This article makes use of the European language of personal data protection law. The European Union is currently undergoing a personal data protection reform. This article makes reference to the regulatory framework applicable as of October 1, 2016. Occasional reference shall be made to provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. These instruments shall apply as of May 2018. According to Article 2(a) of Directive 95/46/EC (Article 4 (1) of the General Data Protection Regulation) personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

3According to Article 2(b) of Directive 95/46/EC (Article 4 (2) of the General Data Protection Regulation) processing refers to any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

4According to Article 15 (a) of Directive 95/46/EC Member States shall grant the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc.

5See a discussion of ‘cyber’ under technological imperatives.

6See Tikk, Eneken, Zaure Agnes (eds) (2015) [3].

7This is underlined in the infamous Census ruling of the German Bundesverfassungsgericht from 1983 (BVerfG 15.12.1983. In BVerfGE 65, 1 et seq., EuGRZ 1983, 577: Urteil des Ersten Senats vom 15. Dezember 1983 auf die mündliche Verhandlung vom 18. und 19. Oktober 1983–1 BvR 209, 269, 362, 420, 440, 484/83) and explained thoroughly in the case law of the European Court of Justice and the European Court of Human Rights.

8For a thorough account, see Kloepfer, Michael (2002) [4].

9See Branscomb, Anne Wells (1994) [8].

10See, e.g. Hunton & Williams, Jay, Rosemary P. (ed.) (2012) [9].

11See “Freedom of the Net 2015 Report” [11].

12For example Russia, Federal Law No. 152-FZ on Personal Data 2006 (Personal Data Protection Act), available at /authority/p146/p164/.

13See, e.g. “Connecting_Africa: An Assessment of Progress Towards the Connect Africa Summit Goals”, African Development Bank Group (2013) [12].

14E.g. Dubai International Financial Centre Data Protection Law, available at /files/7814/5517/4119/Data_Protection_Law_DIFC_Law_No._1_of_2007.pdf; see also Rodrigues RJ, Wilson P, Schanz SJ (2001) [13].

15Directive (EU) 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

16See Al Gore’s speech at the inauguration of ITU First World Telecommunication Development Conference – “Inauguration of the First World Telecommunication Development Conference (WTDC-94), Remarks prepared for delivery by Al Gore”, 1994, available at /dms_pub/itu-s/oth/02/01/S E05PDFE.PDF. See also the proceedings of the ITU 1998 Minneapolis Plenipotentiary, especially “ITU Efforts to Build a New Global Information Infrastructure”, available at /newsarchive/press/PP98/PressRel-Features/Feature5.html. For an analysis of relevant modi operandi, see Weaver, Catherine (2008) [14]. Brunsson, Nils (1989) [15].

17For the purpose of this article, telecommunication is understood as defined by the ITU: any transmission, emission or reception of signs, signals, writing, images and sounds or intelligence of any nature by wire, radio, optical or other electromagnetic systems. ITU; International Telecommunication Convention, 1959 [16].

18The UN Group of Governmental Experts on International Information Security convened under the aegis of the UN Disarmament and Security Committee. See the Group’s reports from 2013 and 2015 (available at ).

19Article 29 Data Protection Working Party; “Opinion 8/2014 on the Recent Developments on the Internet of Things”, 16 September 2014, available at /justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf, page 4.

20OECD; Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, C(80)58/FINAL, 23 September 1980. CoE; Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 28 January 1981. Directive 95/46 and the surrounding public debates mainly emphasized the risk to personal data resulting from government processing.

21See, e.g. ECtHR; S. and Marper v. The United Kingdom, 4 December 2008; CJEU Judgment in Joined Cases C-293/12 and C-594/12.

22See, e.g. ECtHR; Weber and Saravia v. Germany, 9 June 2006, § 78; Kennedy v. the United Kingdom, 18 May 2010; Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria, 28 June 2007; Liberty and Others v. the United Kingdom, 1 July 2008.

23According to the EU data protection regulation, personal data can only be transferred to countries outside the EU and the EEA when an adequate level of protection is guaranteed. The Commission has so far concluded that outside the EU and EEA, only Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey and New Zealand meet the adequacy standards (see EC; “Commission decisions on the adequacy of the protection of personal data in third countries”, available at /justice/data-protection/international-transfers/adequacy/index_en.htm). A special regime for exchange of personal data with the US has been in place (and contested). After the Court of Justice of the European Union had declared the Commission’s 2000 Decision on EU-US Safe Harbour invalid on 6 October 2015 (CJEU, Judgment in Case C-362/14), the Commission adopted, by its decision of 12 July 2016, a new set of exemption rules, the EU-U.S. Privacy Shield (see EC; “The EU-U.S. Privacy Shield”, available at /justice/data-protection/international-transfers/eu-us-privacy-shield/index_en.htm). See also Weiss, Martin A., Archick, Kristin (2016) [17].

24On June 5, 2013 the British newspaper The Guardian published the first article in a series based on information stolen and leaked by Edward Snowden, a former NSA contractor. See Greenwald, Glenn; “NSA collecting phone records of millions of Verizon customers daily”, The Guardian, 6 June 2013, available at /world/2013/jun/06/nsa-phone-records-verizon-court-order. For the timeline and themes of the Snowden revelations, see Aljazeera America; “Timeline of Edward Snowden’s revelations”, available at /articles/multimedia/timeline-edward-snowden-revelations.html.

25UN Human Rights Council, A/HRC/31/64, Report of the Special Rapporteur on the right to privacy, Joseph A. Cannataci, 8 March 2016.

26See, e.g. MI5; “Director General Speaks on Terrorism, Technology and Oversight, Address by the Director General of the Security Service, Andrew Parker, to the Royal United Services Institute (RUSI) at Thames House, 8 January 2015”, available at /news/director-general-speaks-on-terrorism-technology-and-oversight. The range and severity of threats the UK has faced over the years has meant that we have needed to build substantial security and intelligence capabilities. MI5, with our close partners in GCHQ, SIS, and the police together embody an intelligence and security effort of a quality that is the envy of many partner nations. (para 34). Also see White House; “Remarks by the President on Review of Signals Intelligence”, 17 January 2014, available at /the-press-office/2014/01/17/remarks-president-review-signals-intelligence. Today, new capabilities allow intelligence agencies to track who a terrorist is in contact with, and follow the trail of his travel or his funding. New laws allow information to be collected and shared more quickly and effectively between federal agencies, and state and local law enforcement. Relationships with foreign intelligence services have expanded, and our capacity to repel cyber-attacks have been strengthened.

27U.S. Joint Chiefs of Staff; “Information Operations, Joint Publication 3–13”, 27 November 2012, renewed 20 November 2014, p. II-9, available at /doctrine/new_pubs/jp3_13.pdf. See also “Joint Publication 3–12 (R) Cyberspace Operations”, 5 February 2013, available at /doctrine/new_pubs/jp3_12R.pdf, describing cyberspace as consisting of the layers of physical network, logical network, and cyber-persona, each representing a layer where cyber operations may be conducted. Yet cyber-persona may refer to a person, group or a state actor, an actor which has a distinct identity and respective cyber-technical attributes.

28Special Rapporteur Joseph A. Cannataci on the right to privacy, page 5, para 9.

29Special Rapporteur Joseph A. Cannataci on the right to privacy, page 5, para 9.

30UNGA, A/69/397, Promotion and protection of human rights and fundamental freedoms while countering terrorism, 23 September 2014, page 8.

31See, for instance, Sawers, Paul (2016) [19]. Rusli, Evelyn M. (2015) [20].

32See, e.g. ITU Backgrounders; “Connect 2020: Setting a Global Agenda for the ICT Sector”; Plenipotentiary 2014, Busan Korea, available at /en/plenipotentiary/2014/newsroom/Documents/backgrounders/pp14-backgrounder-connect-2020.pdf.

33The World Bank; “Maximizing Mobile, 2012 Information and Communications for Development”, 2012, available at /EXTINFORMATIONANDCOMMUNICATIONANDTECHNOLOGIES/Resources/IC4D-2012-Report.pdf. See also UK; “Digital Inclusion Strategy”, 4 December 2014, available at /government/publications/government-digital-inclusion-strategy/government-digital-inclusion-strategy.

34See, e.g. White House (2011) [21].

35Ibid. 1. Intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs. 2. Public disclosure of embarrassing private facts about the plaintiff. 3. Publicity which places the plaintiff in a false light in the public eye. 4. Appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness.

36A discussion of the US personal data protection law remains beyond the margins of this article. For a good overview, see “Data Protection and Privacy in 26 jurisdictions worldwide 2014”, available at /files/Publication/1f767bed-fe08-42bf-94e0-0bd03bf8b74b/Presentation/PublicationAttachment/b167028d a da0133/United_States_GTDT_Data_Protection_and_Privacy_2014.pdf, US pages 191–198.

37For a great overview, see Mayer-Schönberger, Viktor (1997) [23].

38Working Party 29 has released over 200 opinions since 1997. Opinions and recommendations available at /justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm.

39Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; OJ L 281, 23.11.1995.

40Directive concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, OJ L 201, 31/07/2002. As amended by Directive 2009/136/EC of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services. Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws; OJ L 337/11, 18/12/2009.

41Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC. On April 8, 2014, the Court of Justice of the European Union, the highest court of the EU, declared the data retention directive invalid. See further, CJEU; Judgment in Joined Cases C-293/12 and C-594/12, Press and Information Digital Rights Ireland and Seitlinger and Others, 8 April 2014.

42Article 29 WP was set up under Directive 95/46/EC as an independent advisory group to address acute issues of personal data protection. It is composed of representatives of the supervisory authorities designated by each EU country; representatives of the authorities established for the EU institutions and bodies; and a representative of the European Commission.

43For a full list, see WP29; Opinions and Recommendations, available at /justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm

44For a good overview of ECJ rulings related to personal data protection, see Laudati, Laraine (2016) [24].

45CJEU; Case C-131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, 14 May 2014.

46CJEU; Joined Cases C-293 & C-594/12, 8 April 2014, Digital Rights Ir. Ltd. v. Minister for Comm. Marine & Natural Res., paras. 69–73.

47CJEU; Case C-362/14, Maximillian Schrems v. Digital Rights Ireland Ltd., 13 November 2015. European Commission decision from 12 July 2016. Privacy Shield replaces the earlier ‘Safe Harbour agreement’ invalidated by ECJ in October 2015, after it found that Safe Harbor failed to meet EU data protection standards, in large part because of the U.S. surveillance programs.

48Ibid.

49See Directive (EU) 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

50See Article 25 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ L 119, 4.5.2016. See also, Allen & Overy (2016) [25].

51Dubai International Financial Centre Data Protection Law embodies international best practice standards in line with EU directives and OECD guidelines. See “DIFC Data Protection”, available at /laws-regulations/data-protection.

52Such as lack of review of data prior to publication and impossibility of a quality consent and grave limitations to anonymity in the context of IoT; lack of awareness about presence of data processing equipment or the identity of the data controller in case of drones; lack of effective control over data or lack of jurisdiction transparency in case of cloud computing. For a detailed discussion, see Article 29 Working Party Opinions: Opinion 8/2014 on the Recent Developments on the Internet of Things (2014), Opinion 05/2012 on Cloud Computing (2012), Opinion 01/2015 on Privacy and Data Protection Issues relating to the Utilisation of Drones (2015).

53According to Article 6, personal data must be (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards; (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

54EC; “Data protection Eurobarometer out today”, 24 June 2015, available at /justice/newsroom/data-protection/news/240615_en.htm.

55Ibid.

56StaySafeOnline; “Truste/National Cyber Security Alliance U.S. Consumer Privacy Index 2016 Infographic”, available at /stay-safe-online/resources/truste-national-cyber-security-alliance-us-consumer-privacy-index-2016-infographic.

57UN; International Covenant on Civil and Political Rights, adopted 1966, in force 1976, Article 17. UNGA, Resolution 217 A, The Universal Declaration of Human Rights, 1948. It provides that “no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home and correspondence, nor to unlawful attacks on his or her honour and reputation”. It further provides that “everyone has the right to the protection of the law against such interference or attacks”.

58UDHR, Art. 19. See also ICCPR, Art. 19(2); ECHR, Art. 10(1); ACHR, Art. 13(1).

59See, e.g., Human Rights Council resolution 26/13, 20 June 2014; UNGA, A/RES/68/167, 21 January 2014, para. 10; Council of Europe Convention on Cybercrime, preamble, Art. 15.1; Deauville Declaration of the G8 Countries, Art. 10, 26–27 May 2011; Agreement between the Governments of the Member States of Shanghai Cooperation Organization on Cooperation in the field of International Information Security, Art. 4(1), 16 June 2009; International code of conduct for information security, A/69/723, 13 January 2015, Art. 2(1).

60UDHR Art. 19; ICCPR Art. 19(2); ECHR Art. 10; ACHR, Art. 13; ACHPR Art. 9. See also Human Rights Committee, General Comment No. 34, para. 12 (Nov. 2, 1999); Report on the right to freedom of opinion and expression, 2011, paras. 20–22; Report on the right to freedom of opinion and expression, 2015, para. 11; EU Human Rights Guidelines on Freedom of Expression Online and Offline, para. 16, 18, May 12, 2014.

61See UDHR Art. 12; ICCPR Art. 17; CRC, Art. 16; CRPD, Art. 22; Convention on the Protection of the Rights of All Migrant Workers and Members of Their Families, Art. 14. See also ECHR Art. 8; ACHR Art. 11. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, CETS No. 108, 1 October 1985; UNHRC, A/HRC/23/40, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, 17 April 2013, paras. 11, 79; UNHRC; A/HRC/27/37, The right to privacy in the digital age – Report of the Office of the United Nations High Commissioner for Human Rights, 30 June 2014, para. 14. Council of Europe, Declaration on Freedom of Communication on the Internet, Principle 7 (2003); R v. Spencer, 2014 SCC 43 para. 62 (2014); Totalise Plc v. The Motley Fool Ltd. & Anor EWHC 706 (QB) (19 February 2001); Sheffield Wednesday Football Club Ltd. and others v. Hargreaves EWHC 2375 (QB); Oberlandesgericht Hamm, Case No. I-3 U 196/10 (3 October 2011).

62UDHR, Art. 1; ICCPR, Art. 19(1).

63Various assessments and tools exist to examine national practice and performance in the development and use of ICTs. See, for instance, the Cyber Readiness Index (available at /images/CRIndex2.0.pdf), ICT Development Index (available at /net4/ITU-D/idi/2015/), Global Cybersecurity Index (available at /dms_pub/itu-d/opb/str/D-STR-SECU-2015-PDF-E.pdf), Freedom of the Net index (available at /report/freedom-net/freedom-net-2015), UN E-Government Survey (available at /egovkb/en-us/Reports/UN-E-Government-Survey-2016), Networked Readiness Index (available at /global-information-technology-report-2015/network-readiness-index/), Index on Digital Life (available at ) as well as regional comparative assessments (Cyber Maturity in Asia-Pacific Region, available at /publications/cyber-maturity-in-the-asia-pacific-region-2015/Cyber-Maturity-2015.pdf and OAS Cybersecurity Report available at ).

64This instrument was co-sponsored by 57 Member States and adopted without a vote.

65See, e.g., European Commission (2015) [28].

66See, for instance, the US view on the implementation of the ICCPR: States Party to the Covenant should wherever possible refrain from imposing any restrictions or limitations on the exercise of the rights recognized and protected by the Covenant, even when such restrictions and limitations are permissible under the terms of the Covenant. See U.S. reservations, declarations, and understandings, International Covenant on Civil and Political Rights, 138 Cong. Rec. S4781–01, daily ed., April 2, 1992. In contrast, Russia has emphasized that the exercise of rights and freedom in information space is contingent on relevant national laws and regulations. See Draft International Code of Conduct for Information Security submitted to the United Nations on September 12, 2011 by China, Russia, Tajikistan and Uzbekistan.

67See also Working Party 29; Opinion 15/2011 on the definition of consent, 13 July 2011, available at /justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp187_en.pdf.

68See, e.g. VincosBlog; “World Map of Social Networks”, January 2016, available at /world-map-of-social-networks/.

69On the impact of networks, see, for example, Slaughter, Anne-Marie (2004) [29]. On the possibility of a cosmopolitan community, see Bull, Hedley (1977) [30]. On virtual identities, see Rosen, Christine (2007) [31], as well as Holt, Douglas (2016) [32].

70See Brown, Aaron, “Police say YOU should avoid THIS Facebook feature”, Express, 13 May 2016, available at /life-style/science-technology/670120/Facebook-Police-Emoji-Reactions-Like-Button. Griffin, Andrew; “Facebook Reactions: Belgian police warn citizens not to react to posts on social media”, Independent, 13 May 2016, available at /life-style/gadgets-and-tech/news/facebook-reactions-belgian-police-warn-citizens-not-to-react-to-posts-on-social-media-a .html.

71For a discussion of how privacy, freedom of information and expression, national security and international stability interact, see Tikk, Eneken, Zaure Agnes (eds) [3].

72Paraphrasing the notion of the military-industrial complex that President Eisenhower coined in his farewell address.

This article is part of the Topical collection on Privacy and Security of Medical Information