Analyse de politiques de vie privée pour un consentement mieux informé

Extended VersionIn this report, we present an approach to enhance informed consent for the processing of personal data. The approach relies on a privacy policy language used to express, compare and analyze privacy policies. We describe a tool that automatically reports the privacy risks associated with a given privacy policy in order to enhance data subjects' awareness and to allow them to make more informed choices. The risk analysis of privacy policies is illustrated with an IoT example.Dans ce rapport, nous décrivons une méthode d’analyse de politiques de vie privée qui a pour but d’améliorer la qualité du consentement des sujets. La démarche repose sur l’utilisation d’un langage d’expression de politiques de vie privée qui peut être utilisé pour comparer et analyser les politiques. Nous décrivons un outil qui produit automatiquement les risques associés à une politique donnée pour permettre aux sujets de prendre des décisions mieux informées. L’analyse de risques est illustrée par un exemple de l’internet des objets

A Generic Information and Consent Framework for the IoT

The Internet of Things (IoT) raises specific issues in terms of information and consent, which makes the implementation of the General Data Protection Regulation (GDPR) challenging in this context. In this report, we propose a generic framework for information and consent in the IoT which is protective both for data subjects and for data controllers. We present a high level description of the framework, illustrate its generality through several technical solutions and case studies, and sketch a prototype implementation

The control over personal data: True remedy or fairy tale ?

This research report undertakes an interdisciplinary review of the concept of "control" (i.e. the idea that people should have greater "control" over their data), proposing an analysis of this con-cept in the field of law and computer science. Despite the omnipresence of the notion of control in the EU policy documents, scholarly literature and in the press, the very meaning of this concept remains surprisingly vague and under-studied in the face of contemporary socio-technical environments and practices. Beyond the current fashionable rhetoric of empowerment of the data subject, this report attempts to reorient the scholarly debates towards a more comprehensive and refined understanding of the concept of control by questioning its legal and technical implications on data subject\^as agency

Privacy CURE: Consent Comprehension Made Easy

Although the General Data Protection Regulation (GDPR) defines several potential legal bases for personal data processing, in many cases data controllers, even when they are located outside the European Union (EU), will need to obtain consent from EU citizens for the processing of their personal data. Unfortunately, existing approaches for obtaining consent, such as pages of text followed by an agreement/disagreement mechanism, are neither specific nor informed. In order to address this challenge, we introduce our Consent reqUest useR intErface (CURE) prototype, which is based on the GDPR requirements and the interpretation of those requirements by the Article 29 Working Party (i.e., the predecessor of the European Data Protection Board). The CURE prototype provides transparency regarding personal data processing, more control via a customization, and, based on the results of our usability evaluation, improves user comprehension with respect to what data subjects actually consent to. Although the CURE prototype is based on the GDPR requirements, it could potentially be used in other jurisdictions also

Raising the visibility of protected data: A pilot data catalog project

Sharing research data that is protected for legal, regulatory, or contractual reasons can be challenging and current mechanisms for doing so may act as barriers to researchers and discourage data sharing. Additionally, the infrastructure commonly used for open data repositories does not easily support responsible sharing of protected data. This chapter presents a case study of an academic university library’s work to configure the existing institutional data repository to function as a data catalog. By engaging in this project, university librarians strive to enhance visibility and access to protected datasets produced at the institution and cultivate a data sharing culture

Challenges of web-based personal genomic data sharing

In order to study the relationship between genes and diseases, the increasing availability and sharing of phenotypic and genotypic data have been promoted as an imperative within the scientific community. In parallel with data sharing practices by clinicians and researchers, recent initiatives have been observed in which individuals are sharing personal genomic data. The involvement of individuals in such initiatives is facilitated by the increased accessibility of personal genomic data, offered by private test providers along with availability of online networks. Personal webpages and on-line data sharing platforms such as Consent to Research (Portable Legal Consent), Free the Data, and Genomes Unzipped are being utilized to host and share genotypes, electronic health records and family history uploaded by individuals. Although personal genomic data sharing initiatives vary in nature, the emphasis on the individuals’ control on their data in order to benefit research and ultimately health care has seen as a key theme across these initiatives. In line with the growing practice of personal genomic data sharing, this paper aims to shed light on the potential challenges surrounding these initiatives. As in the course of these initiatives individuals are solicited to individually balance the risks and benefits of sharing their genomic data, their awareness of the implications of personal genomic data sharing for themselves and their family members is a necessity. Furthermore, given the sensitivity of genomic data and the controversies around their complete de-identifiability, potential privacy risks and harms originating from unintended uses of data have to be taken into consideration

Online Personal Data Processing and EU Data Protection Reform. CEPS Task Force Report, April 2013

This report sheds light on the fundamental questions and underlying tensions between current policy objectives, compliance strategies and global trends in online personal data processing, assessing the existing and future framework in terms of effective regulation and public policy. Based on the discussions among the members of the CEPS Digital Forum and independent research carried out by the rapporteurs, policy conclusions are derived with the aim of making EU data protection policy more fit for purpose in today’s online technological context. This report constructively engages with the EU data protection framework, but does not provide a textual analysis of the EU data protection reform proposal as such