This project has received funding from the European Union’s Seventh Framework Programme for research, technological development and demonstration under grant agreement no 612345.
MAPPING – Managing Alternatives for Privacy, Property and Internet Governance
Nikolaus Forgó
Institute for Legal Informatics
Leibniz University Hanover
Institut für Rechtsinformatik // Institute for Legal Informatics
research center since 1979
1983: first institute for IT law in Germany
2014: more than 50 employees
IRI – Research
Frameworks
IRI – Research Projects
IRI – Foci of Research
Telecommunications
Intellectual Property
Data Protection / Data Security
IT Security
Surveillance
Law Enforcement
Intelligence
Banking
GeoData
Cloud Computing
Clinical Research / Clinical Trials
Big Data
Patients Rights
A brief outline of
THE MAPPING PROJECT
MAPPING at a Glance
Project coordinator: University of Groningen
14 participating institutions
Funding: EU FP 7 – SiS – 2013 – 1
• with a total cost of € 4.642.522,20
Project duration: 01/03/2014 – 28/02/2018
Project goals
Three focus areas: IG, Privacy and IPR
Coordination and Support Action (CSA) project
with a focus on dialogue and participation
• „research meets practice“ approach
• Different events such as round tables, working groups or conferences
• Stakeholders’ knowledge will be utilised for research
Final goal: Provide a road map to shape the EU‘s technological future
IG, PRIVACY AND IPR
PRINCIPAL TOPICS
The focus areas:
Internet Governance (IG)
Internet Governance Stream (RUG)
Digital transition and IG
• Internet Magna Carta vs. liberal approach
Cybercrime, Cybersecurity and fundamental rights
• In a globalised world, the needs for security and surveillance are similarly global
• Treaty on surveillance, such as the Convention on Cybercrime?
Parallel Internet?
• A part of the Internet
• with some additional safe-guards built-in
• which is subject to the jurisdiction of the EU
• which is not subject to the jurisdiction of any security or service agencies
Privacy
Privacy
Security Economy
Privacy-Economy-Security (Research/Activities co-ordinated by IRI, LUH)
Details on our work in the next part of the presentation.
Intellectual Property Rights
Dangers and risks to IPRs in the context of the digital transition
• loss of control over protected works in digital environments?
Current policies of IPR protection and the risk of chilling effects on innovation
• Property logic possibly outdated?
• „Open Innovation“ as a smart and flexible alternative?
Fragmented IPR regimes and territoriality
• The global character of the internet complicates the protection of IPR
• Within the EU, there is also a fragmentation by national boundaries, harmonisation might be necessary
PRIVACY, SECURITY, ECONOMY
First Findings
The First Consultations
MAPPING Extra-ordinary Assembly (Rome 2014)
MAPPING Expert-Consultations (Focus Groups, Hanover et al. 2014)
EGA Statements:
Privacy - Economy
It‘s the economy, stupid
US vs. EU
4 particularly relevant fields of ecommerce:
• Search Engines
• Social Networks
• Retail
• Payment Services
Domination of US firms
• More liberal and harmonised framework
• Homogenous, big market
Question:
• How can we maintain our standards and stay competitive?
Needs:
• “Harmonised framework and application of it”
• “Enforcement also against US competitors”
• “Increase technical knowledge in regulatory bodies”
• “Not to get lost in details when creating new framework (“we are already lagging behind”)”
• “Letting go discussion on “theoretical problems” and focus on the issues relevant in practice”
• “Create harmonised approaches of different authorities in charge (e.g. finance regulation and DPA)”
• “Understand that even the EU will not be able to ban business models / technologies as long as they remain successful everywhere else”
Status-quo as seen by invited Experts
Statements/Issues raised:
• “It is questionable whether Google’s success stems from a better legal framework alone”
• “US dominance results from a large home market leading to financial strength”
• “DPAs can significantly obstruct market entry (when focussing on issues created by an inefficient (outdated?) law)”
• “High costs for compliance can form significant obstacles for market entry of SME / start-ups”
Status-quo as seen by invited Experts
Statements/Issues raised (cont’d):
• “SME need enhanced support: law shall not be misused to keep competitors out of the market”
• “Certification may be a way out”
• “Issue: lack of case law, as companies avoid bringing cases in front of court”
• “Focus will need to shift to Asia as well (not only the transatlantic relation)”
• “Data protection law is a cost-factor”:
• This is ok to achieve high standards
• But the money is not well invested, if standards practically do not rise because the law does not address the right issues
Status-quo as seen by invited Experts
Statements/Issues raised (cont’d):
• Advertising European standards may fail due to lack of significance on the world market (regarding personal data)
• We should not forget: after all, users will choose the product which suits them best
• This product does not necessarily need to be the one with the highest privacy standards
• Users may not be able to identify the best product in terms of privacy anyway (usability is way easier to assess than privacy standards)
• If innovation is hampered in Europe, products from outside Europe will continue to dominate the market
Reality Check
„Recent“ Development:
Upcoming legal framework
Council, 24/25 October 2013
It is important to foster the trust of citizens and businesses in the digital economy. The timely adoption of a strong EU General Data Protection framework and the Cyber-security Directive is essential for the completion of the Digital Single Market by 2015.
EGA Statements:
Security - Economy
Field of tension:
• Unregulated / unfiltered internet
vs.
• Higher Security Standards
Closer co-operation between authorities and ISPs needed?
Should IT security be more strongly enforced by authorities? Or is that counter-productive?
• this may hamper the flow of information on incidents from the private sector to authorities
• possible inflexibility (counter-innovative)
• lack of necessary dynamics?
Status-quo as seen by invited Experts
Statements/Issues raised:
• “lack of knowledge (no reporting obligations / too little voluntary reports)”
• “costs”
• “Increase of political awareness needed: DDOS rule the headlines, but cyber espionage is the true threat that causes the immense damage”
• “Closer control of networks is needed. This must not be confused with surveillance.”
• “European approaches are promising to be more effective than national approaches”
Status-quo as seen by invited Experts
Statements/Issues raised (cont’d):
• “Data security officers as compulsory institution independently of (existing) data protection officers?”
• “Highly skilled personnel needed”
cost issue for SMEs
Status-quo as seen by invited Experts
Statements/Issues raised (cont’d):
• “SMEs tend to lack awareness”
• “SMEs tend to avoid the costs for IT security”
• “This is likely to be a miscalculation”
• “The ‘capital’ of SMEs often is their innovative knowledge”
• “Not necessarily new technologies, but rather innovative re-use of existing technologies and processes”
• “This in particular requires secrecy (if not patentable)”
• “Even where innovation is patentable, these patents are not necessarily enforceable”
• “‘meta-knowledge’ (strategies, bids in tendering procedures,…) may be as valuable as technological innovation as such”
Statements/Issues raised (cont’d):
• “Human element is the most vulnerable element in data security”
• This requires
• “Creating awareness through training”
• “Understanding the threats and their nature”
• “Understanding that, although hardly assessable, financial damage (both direct and indirect) of cyber-espionage / cyber-criminality is immense and can threaten existence of the company itself”
Conclusion
• It is important and necessary to raise awareness
• There is a need to improve enforcement
• A homogeneous framework is required
• Certification as a solution to be discussed
• Lack of technical knowledge can be an obstacle: need for training / independent auditors
Reality Check
Art. 30, Commission‘s Proposal
appropriate technical and organisational measures
a level of security appropriate to the risks represented by the processing
having regard to the state of the art and the costs of their implementation
Art. 30, LIBE
taking into account the results of a data protection impact assessment pursuant to Article 33
Focus Groups Statements:
Privacy - Economy
Statements/Issues raised:
• Social Networks
• How to create awareness?
• How to bridge possible differential knowledge/understanding depending on age/background/education?
• Is informed consent still the state of the art tool?
• Can large privacy policies provide the necessary understanding?
• Alternative models? Certification?
Statements/Issues raised (cont’d):
• Principles of Data Protection Law
• is the concept of general interdiction with exceptional allowances (Verbot mit Erlaubnisvorbehalt) still meeting the social approach of the 21st century?
• Should we abandon the 1-0-approach and protect non-personal data better in certain cases?
– allegedly anonymised data may turn out to still allow “identification”
– Big Data applications may cause severe threats even though the data is used statistically (esp. in preparation of automated decision making)
– “data protection threat prevention” law needed?
– “data traffic regulations” (independently of personal data) needed?
Statements/Issues raised (cont’d):
• Principles of Data Protection Law - Possible Innovations:
• is the concept of identifiability still leading to the desired distinctions?
• should we not rather protect “identities”?
• do we need to distinguish between data processing, the result of which is perceived by humans, and such that is not?
– e.g. email in spam filter that is NOT spam and passes through (unnoticed by everybody except the legitimate recipient)
– e.g. license plates (ANPR) that do NOT produce a match under the conditions of BVerfG decision 1 BvR 2074/05 and 1 BvR 1254/07
Statements/Issues raised (cont’d):
• Lack of parity in data protection environments
• lack of transparency
• lack of “financial parity” of individual consumers and companies addressing global markets (as opposed to IP law, which has more elements of a “b2b”-law)
• lack of jurisprudence (only very few cases lead to court decisions)
• DP authorities appear to
– lack capacities
– lack technical expertise
– lack efficient enforcement instruments
Focus Groups Statements:
Security - Economy
Statements/Issues raised:
• “IT security is not absolutely controllable”
• it is a field of risk minimisation
• law should take that into account
• currently law resembles “strict liability” (Gefährdungshaftung, meaning liability independent of personal failure)
• the ideas of highly-secure firewalls (“Landesfirewall”), as were favoured in the 1990s, have proven unrealistic: sealing off networks tends to lead to a loss of the desired functionality/interoperability
Statements/Issues raised:
• Discrepancy of security needs and usability/“willingness”
• users tend to create work-arounds/shadow-IT infrastructure
• BYOD
• “Decision-makers tend to propagate data security, but fail to stick to the principles enacted if this results in them not being able to use the tools they wish to use.”
Thank you for your attention!