Personal data breach notification system in the European Union: Interpretation of “without undue delay”

This is the post-print version of the Article - Copyright @ 2011 Kluwer Law InternationalThe fast-moving technologies continually challenge present rules on data-privacy protection. The expansion of computing functions, speed of processing and storage capabilities makes personal information difficult to be controlled. In the EU, the revised EC e-Privacy Directive amended by the Directive 2009/136/EC modifies existing provisions and makes new provisions to enhance privacy protection in the electronic communications sector, which includes the further development of the system of notification of the personal data breach to minimise adverse effects. This paper aims to examine and evaluate the personal data breach notification system, interpret the requirement of "without undue delay" duty and discuss the impact of the revised Directive to business organisations. It finally proposes solutions to improve the notification system to increase the efficiency of privacy protection

Location, Location, Location: Updating the Electronic Communications Privacy Act to Protect Geolocational Data

This Comment is concerned with the Electronic Communications Privacy Act’s (ECPA’s) failure to consistently protect the geolocational data associated with electronic communications. ECPA was crafted in 1986 to protect electronic communications, a fledgling technology at the time. Today, ECPA remains largely unchanged and still controls the government’s right to access individuals’ electronic communications. Senator Leahy, who originally drafted ECPA, has called for reform of the Act, stating that “today, this law is significantly outdated and out-paced by rapid changes in technology.” Senator Leahy has proposed significant changes to the Act that would eliminate many of its outmoded standards and offer increased protection of individuals’ privacy. The proposed amendments, however, fail to address one key privacy issue: how much data about a communication can be compelled from a web service provider by the government without a warrant. This ambiguity has led to the disparate treatment of different types of geolocational data in the courts. While proposed amendments to ECPA would alleviate many of the law’s inadequacies, they stop short of properly protecting geolocational data and fail to comprehensively address inconsistencies in the courts’ treatment of searches of this data. Part I of this Comment explores the importance and popularity of location-based web services. Part II discusses the different technologies that drive these services, and the services themselves. Part III explains how the law treats the disclosure of geolocational data, and examines how courts have analogized electronic communications to traditional communications, resulting in conflicting rules about the disclosure of geolocational data. Part IV argues that these rules fail to properly protect users’ reasonable expectations of privacy, and proposes that ECPA be amended to affirmatively and equally protect all types of geolocational data, regardless of the underlying technology. Finally, Part V examines technology providers’ frustration with the current state of the law

The Terrorist Threat Facing EU Member States: Time for the EU to introduce a Directive on Electronic Surveillance in Terrorism Investigations to Plug the Security Gap

The use electronic communications by terrorist groups is an international concern to many states including the EU Member States. This concern centres mainly on how communications are used to radicalise citizens resulting in them either leaving their home state to join and fight with terrorist groups in conflict zones or in encouraging citizens to take up the cause and carry out attacks in their home state. With the various forms of electronic communication used, especially the various social media sources, intelligence and counter-terrorism policing agencies are claiming they are struggling to carry out effective surveillance on targets as they try to prevent attacks from occurring. They claim this is resulting in a security gap. By looking at the terrorist threat the EU is currently facing and the clamour for wider surveillance powers, this paper considers the concerns of the surveillance society, especially following the revelations by Edward Snowden in the activities of the US’ National Security Agency (NSA) and UK’s General Communications Headquarters (GCHQ). The main concern centres on the lack of protection of rights to privacy and data protection as states attempt to protect the interests of national security. By examining the communications data that is subject of surveillance this paper looks at the surveillance legislation recently passed or is proposed in France, Canada, the UK and the US considering the similarities in the issues the legislation raises regarding plugging the security gap as well as concerns surrounding the lack of data protection contained in this legislation. This paper proposes that as rights to privacy and data protection is deeply embedded into its law, the EU is ideally placed to take the lead in gaining the co-operation of Internet and Communications Service Providers. This includes a recommendation that now is an opportunity for the EU to introduce legislation to be adopted in its twenty-eight Member States that will provide sufficient powers of surveillance in protecting the interests of national security while protecting rights to privacy and data protection. This recommendation includes an analysis of the EU’s laws on data protection including the important decision in the Digital Rights case

A Check-in on Privacy after United States v. Jones: Current Fourth Amendment Jurisprudence in the Context of Location-Based Applications and Services

This note will discuss whether current Fourth Amendment jurisprudence adequately protects user location information obtained from location-based services ( LBS ), and if not, what changes can be made to ensure our right to privacy in this digital information. In Part I, the concept of LBS and a technical description of how it works is discussed. Part II summarizes the Supreme Court\u27s recent decision in United States v. Jones on warrantless prolonged use of a GPS tracking device and will outline the Fourth Amendment jurisprudence underpinning the Court\u27s logic. Part III delivers an in-depth description of federal statutory law that applies to the seizure of electronic information. Part IV debates whether and to what extent LBS user location data is protected under applicable federal statutes and will analogize to current case law on similar electronic communications. Part V surveys recently proposed reforms to the Electronic Communications Privacy Act of 1986 ( ECPA ). This note concludes that LBS user location information-and electronic communications generally-must receive Fourth Amendment protection, despite the fact that they are transmitted through intermediaries and their content is possibly shared with more than one person. The law changes incrementally, while technology does not. Technological change is disruptive. Current Fourth Amendment jurisprudence is outdated and will soon be overwhelmed, structurally unable to bear the wave of new LBS on the horizon. As information technology continues to reshape American life, we need clear and strong rules to protect the privacy of our electronic communications. The goal of this note is to emphasize the importance of treating electronic communications, including LBS user location information, with the restraint dictated by the Fourth Amendment

Analysis of processing electronic communication data on the basis on consent in the light of Council's e-privacy regulation proposal

The article reviews the changes proposed by the European Commission in the field of e-privacy, i.e. the proposal of regulation on the processing of personal data and privacy in the electronic communications sector, which is expected to replace the existing legislation, with particular regard to the conditions for consent, as the basis for the processing of electronic communications data. The article analyzes among other things: the matter of the relationship between the already existing legal acts and the draft e-privacy regulation regarding the consent, contemplates the potential scope of application of the new regulation and the entities which shall be the subject to protection of their data of electronic communication, resulting from the project. The article’s analysis concerns the issue of consent, its scope, entities obliged to receive it, as well as the doubts arising from the provisions on obtaining consent, and also the provisions of the proposal on information obligations prior to obtaining consent. In addition, attention has also been drawn to the possibility for service providers to use terminal services and the restrictions imposed therein, the problem of default settings for obtaining the consent, as well as for modified rules for transmission for direct marketing purposes, or concerning creating publicly available directories

From Dataveillance to Data Economy: Firm View on Data Protection

The increasing availability of electronic records and the expanded reliance on online communications and services have made available a huge amount of data about people’s behaviours, characteristics, and preferences. Advancements in data processing technology, known as big data, offer opportunities to increase organisational efficiency and competitiveness. Analytically sophisticated companies excel in their ability to extract value from the analysis of digital data. However, in order to exploit the potential economic benefits produced by big data and analytics, issues of data privacy and information security need to be addressed. In Europe, organisations processing personal data are being required to implement basic data protection principles, which are considered difficult to implement in big data environments. Little is known in the privacy studies literature about how companies manage the trade-off between data usage and data protection. This study contributes to explore the corporate data privacy environment, by focusing on the interrelationship between the data protection legal regime, the application of big data analytics to achieve corporate objectives, and the creation of an organisational privacy culture. It also draws insights from surveillance studies, particularly the idea of dataveillance, to identify potential limitations of the current legal privacy regime. The findings from the analysis of survey data show that big data and data protection support each other, but also that some frictions can emerge around data collection and data fusion. The demand for the integration of different data sources poses challenges to the implementation of data protection principles. However, this study finds no evidence that data protection laws prevent data gathering. Implications relevant for the debate on the reform of European data protection law are also drawn from these findings

Information privacy in audiovisual services from the perspective of the new EU regulations (GDPR and EPR)

Artykuł stanowi próbę odpowiedzi na pytanie, czy nowe i planowane rozwiązania w zakresie ochrony danych osobowych i prywatności są komplementarne z obecnymi produktami i usługami medialnymi. Analizie został poddany zakładany zakres ochrony danych w komunikacji elektronicznej i na tym tle autonomia informacyjna i prywatność informacyjna. W badanym systemie ram regulacyjnych są objęte ochroną m.in. elektroniczne komunikaty niezależnie od tego, czy dotyczą one osób fizycznych czy prawnych; każde przetwarzanie danych w łączności elektronicznej będzie podlegało ochronie prawnej.This article attempts to answer the question whether new and planned solutions for the protection of personal data and privacy are complementary to current media products and services. The analysis covers the approved scope of data protection in electronic communications and, in that context, information autonomy and information privacy. In the examined system of regulatory framework, i.a. electronic messages are protected, regardless of whether they relate to natural or legal persons, and any processing of electronic communications data will be subject to legal protection.

The Need for Revisions to the Law of Wiretapping and Interception of Email

I argue that a person\u27s privacy interest in his email is the same as his privacy interest in a telephone conversation. Moreover, the privacy interest in email remains unchanged regardless of whether it is intercepted in transmission or covertly accessed from the recipient\u27s mailbox. If one accepts this assumption, it follows that the level of protection against surveillance by law enforcement officers should be the same[...] As technology continues to blur the distinction between wire and electronic communication, it becomes apparent that a new methodology must be developed in order to provide logical and consistent protection to private communications. The statutes must be revised so as to protect the privacy of communications while also providing a means by which law enforcement officers can obtain judicial approval to eavesdrop when necessary. Otherwise, increasing integration between data and voice communications will render the current statutory scheme arbitrary and impractical. By way of background, this article will discuss the law governing mail searches as well as the law of covert searches generally. This article will go on to discuss the regulation of pen registers, and will then trace the evolution of the relevant federal statutory and constitutional protections afforded to telephone conversations. Next, this article will discuss the statutory protections and the emerging case law addressing the privacy of email and other communication via computer. Particular emphasis will be placed on several recent federal court decisions that illustrate the problems arising from the current statutory scheme. Lastly, this article will discuss the controversial implementation of the FBI\u27s Carnivore software for the purpose of surreptitiously intercepting email, and the recent deployment of a keystroke-logging device as another means of learning the contents of private electronic communications. This article asserts that the Fourth Amendment protections applicable to telephone conversations set out by Katz v. United States and Berger v. New York (subsequently codified and expanded by the Federal Wiretap Act) should be implemented more broadly to encompass the surreptitious surveillance of postal mail, email, and other promising forms of electronic communication. This article argues in favor of more uniform regulation of covert surveillance of private communications regardless of the choice of technology employed to convey the message

The Problems of Implementing the ePrivacy Directive and Their Solutions in ePrivacy Regulation

In the recent years, the entry into force of the General Data Protection Regulation (GDPR) has caused a great deal of fuss, in particular regarding the possibility of hefty fines and a promised breakthrough in the protection of personal data. In the light of all this preparation for the implementation of the GDPR, another European Union regulation has been developed which has the potential to have no less of an impact on the market for electronic communications services – the Regulation on Privacy and Electronic Communications, which is being negotiated in the European Commission and Member States.Even though aim of the ePrivacy Directive was to harmonize national rules on confidentiality of communications, its application faced challenges, and, in reality, the situation seems far from harmonized, with different implementation occurring in the Member States and seemingly ineffective protection and enforcement of citizens’ rights.The ePrivacy Directive does not cover the technological changes that have occurred in telecommunications and digital technologies over the last 15 years (electronic communications are no longer largely restricted to traditional telecommunication services such as GSM calls or SMS), and the next generation (when compared to GSM and SMS) OTT (Over-the-Top) services (e.g. Viber, Whatsapp, Netflix, etc.) are not covered at all by the current European Union electronic communications system, including the ePrivacy Directive.This article presents the author’s assessment of the problems identified in the application of the ePrivacy Directive and the solving thereof in the ePrivacy Regulation. The paper concludes that there is a need for special rules that provide additional and GDPR-supplementing legal protection, due to the peculiarities of electronic communications services. According to the author, the draft ePrivacy Regulation introduces updated rules that take into account the technological developments of the last decade and the expectations of users regarding the protection of their privacy in when using electronic communications services. Although the draft of ePrivacy Regulation can be subject to criticism, it is likely that some of the problems of the ePrivacy Directive will be resolved by the new regulation