Uniformity V. Diversity of Internet Intermediaries’ Liability Regime: Where Does the ECJ Stand?

This paper seeks to determine the scope of the ECJ’s decision of 23 March 2010 and its impact upon the laws of Member state. Thereby it attempts to stress the different sources of conflicts that can arise when national judges have to deal with the tricky issue of Internet intermediaries’ liability. At the same time this paper tries to give a sense of what is the institutional function of European private law in a multilevel system of governance. Whereas the first begins with examining the means used by the Court to bring national laws closer through a uniform interpretation of key European provisions, the second part highlights the significant regulatory leeway granted to Member states. This leeway explains why horizontal and diagonal conflicts are likely to persist until a constructive inter-normative dialogue between national courts takes place, following in step with traditional top down method of harmonisation

Liability Exemptions Wanted! Internet Intermediaries’ Liability Under UK Law

On January 25, 2012, the EU Commission set forth a proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and a proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data. The Draft Regulation, once approved by the European Parliament and the Council, should replace Directive 95/46/EC (the "Data Protection Directive") which has been criticized for being laden with loopholes and legal uncertainty. A stronger and more coherent data protection framework in the EU, backed by strong enforcement that will allow the digital economy to develop across the internal market as well as put individuals in better control of their own data, is intended to prevent fragmentation in the way personal data protection is implemented across the Union. The proposed regulation would essentially create a single, unified law that applies to all 27 member states. It sets forth a new legal regime which would foster protection for individuals based on a complete compliance program companies must demonstrate to fulfill.

What's in a name: the conflicting views of pseudonymisation under eIDAS and the General Data Protection Regulation

Pseudonymisation is gaining traction among modern electronic identification systems as a privacy enhancing technique that can significantly reduce risks of personal data misuse. The recently agreed General Data Protection Regulation (the GDPR) encourages the use of pseudonymisation to comply with its requirement of privacy-by-design. Art. 5 of the European Regulation on electronic identification and trust services (eIDAS) on data processing and protection simply allows the use of pseudonyms in electronic transactions although the facilitation of the implementation of the principle of privacy by design is clearly among the aims listed by Art. 12 of eIDAS. This paper examines the concept of pseudonymisation under eIDAS and the GDPR and suggests that the two Regulations employ two very different, if not incompatible, notions of pseudonymisation. It concludes that a common terminology and approach would be preferable in order to ensure consistency and legal certaint

An extended investigation of the similarity between privacy policies of social networking sites as a precursor for standardization

Privacy policies are unsatisfactory in communicating information to users. Social networking sites (SNS) exemplify this, attracting growing concerns regarding their use of personal data, whilst lacking incentives to improve their policies. Standardization addresses many of these issues, but is only possible if policies share attributes that can be standardized. This investigation assessed the similarity of two attributes (the clauses and the coverage of forty recommendations made by the UK Information Commissioner) between the privacy policies of the six most frequently visited SNS globally. Similarity was also investigated by looking at whether any recommendations were not addressed by all SNS and if there were any themes of information discussed in the policies, but not included in the ICO Code. We found that similarity in the clauses was low, yet similarity in the recommendations covered was high. This indicates that SNS use different clauses, but to convey similar information. There were a number of recommendations which none of the SNS addressed. There were also four themes of information which all six SNS addressed, which were not recommended in the ICO Code. This paper proposes the policies of SNS already share attributes, indicating the feasibility of standardization at a thematic level currently. Five recommendations are made to begin facilitating this

Observing and recommending from a social web with biases

The research question this report addresses is: how, and to what extent, those directly involved with the design, development and employment of a specific black box algorithm can be certain that it is not unlawfully discriminating (directly and/or indirectly) against particular persons with protected characteristics (e.g. gender, race and ethnicity)?Comment: Technical Report, University of Southampton, March 201

Identity assurance in the UK: technical implementations and legal implications under the eIDAS regulation

The UK Government has been designing a new Electronic Identity Management (eIDM) system that, once rolled-out, will take over how citizens authenticate against online public services. This system, Gov.UK Verify, has been promoted as a state-of-the-art privacy-preserving system, tailored to meet the requirements of UK citizens and is the first eIDM interoperability in which the government does not act as an identity provider itself, delegating the provision of identity to competing third parties. According to the recently enacted EU eIDAS Regulation, member states can allow their citizens to transact with foreign services by notifying their national eID scheme. Once a scheme is notified, all other member states are obligated to incorporate it into their electronic identification procedures. The UK Government is contemplating at the moment whether it would be beneficial to notify. This article examines Gov.UK Verify 's compliance with the requirements set forth by the Regulation and the impact on privacy and data protection. It then explores potential interoperability issues with other national eID schemes, using the German nPA, an eIDM based on national identity cards, as a reference point. The article highlights areas of attention, should the UK decide to notify Gov.UK Verify. It also contributes to relevant literature of privacy-preserving eID management by offering policy and technical recommendations for compliance with the new Regulation and an evaluation of interoperability under eIDAS between systems of different architecture

Bridging policy, regulation and practice? A techno-legal analysis of three types of data in the GDPR

The paper aims to determine how the General Data Protection Regulation (GDPR) could be read in harmony with Article 29 Working Party’s Opinion on anonymisation techniques. To this end, based on an interdisciplinary methodology, a common terminology to capture the novel elements enshrined in the GDPR is built, and, a series of key concepts (i.e. sanitisation techniques, contextual controls, local linkability, global linkability, domain linkability) followed by a set of definitions for three types of data emerging from the GDPR are introduced. Importantly, two initial assumptions are made: 1) the notion of identifiability (i.e. being identified or identifiable) is used consistently across the GDPR (e.g. Article 4 and Recital 26); 2) the Opinion on Anonymisation Techniques is still good guidance as regards the classification of re-identification risks and the description of sanitisation techniques. It is suggested that even if these two premises seem to lead to an over-restrictive approach, this holds true as long as contextual controls are not combined with sanitisation techniques. Yet, contextual controls have been conceived as complementary to sanitisation techniques by the drafters of the GDPR. The paper concludes that the GDPR is compatible with a risk-based approach when contextual controls are combined with sanitisation techniques

Work stream on data:Final report

Online platforms are intermediaries in the digital economy that enable the exchange of goods, services or information between two or more parties. They facilitate matching and make trade more efficient. The mechanisms and strategies by which these digital intermediaries provide these efficiencies universally revolve around the use of technology that intensively and extensively builds on data. The way data is generated and shared becomes a critical issue in a context where online services are increasingly diversified. Such data is the subject of this report. Data generated through or in relation to online platforms fosters innovation. Data plays an increasingly important role in business intelligence, product development, and process optimization. Data has become a new currency at times where many online services are provided for “free”, fuelled by the data provided by their users. Data is also the basis for competition and further innovation. While a number of national, EU and international reports clearly recognise the importance of data for the online platform economy, they rarely highlight the complexity and heterogeneity of data in the platform environment. This report provides a structured overview of how data is generated, collected and used in the online platform economy. It maps out the diversity and heterogeneity of data-related practices and expands on what different types of data require a careful examination in order to better understand their importance for both the platforms and their users as well as the issues and challenges arising in their interactions