De toekomst van privacybescherming

Slides:



Advertisements
Verwante presentaties
Soft Systems Methodology Een doelbewuste aanpak voor action research
Advertisements

User Centred Development
Deltion College Engels B2 Spreken/presentaties/subvaardigheid lezen [Edu/003] thema: Holland – coffee shops and euthanasia? can-do : kan een duidelijk.
English and IPC How to teach content through English.
Paragraph  People wanted to avoid war in the future.  League of Nations (1919) had failed.  In 1945: 2 nd try: United Nations.
EUROCITIES-NLAO is supported under the European Community Programme for Employment and Social Solidarity (PROGRESS ). The information contained.
Deltion College Engels B1 Gesprekken voeren [Edu/006] thema: Look, it says ‘No smoking’… can-do : kan minder routinematige zaken regelen © Anne Beeker.
Deltion College Engels B2 Schrijven [Edu/006] thema: Euromail can-do : kan in persoonlijke s nieuws en standpunten van een ander becommentariëren.
Deltion College Engels A2 Lezen [Edu/001] thema: What about smoking in this B&B? can-do : kan specifieke informatie vinden en begrijpen in eenvoudig, alledaags.
Deltion College Engels C1 Spreken [Edu/002] thema: A book that deserves to be read can-do : kan duidelijke, gedetailleerde samenvatting geven van een gelezen.
Deltion College Engels B1 En Spreken/Presentaties [Edu/006] Thema: “The radio station“ can-do : kan een publiek toespreken, kan verzonnen gebeurtenissen.
Deltion College Engels C1 Schrijven [Edu/007] thema: Mind twister or how to write an essay… can-do : kan heldere, goed gestructureerde uiteenzetting schrijven.
Nothing Is As It Seems Lesson 7 What’s the Story?.
Deltion College Engels B2 Lezen [Edu/003] thema: Topical News Lessons: The Onestop Magazine can-do: kan artikelen en rapporten begrijpen die gaan over.
Deltion College Engels B2 Spreken [Edu/001] thema: What’s in the news? can-do : kan verslag doen van een gebeurtenis en daarbij meningen met argumenten.
Deltion College Engels B1 Spreken [Edu/001] thema: song texts can-do : kan een onderwerp dat mij interesseert op een redelijk vlotte manier beschrijven.
Deltion College Engels C1 Gesprekken voeren [Edu/001]/ subvaardigheid lezen thema: What a blooper…. can-do : kan taal flexibel en effectief gebruiken voor.
Deltion College Engels B2 Lezen[Edu/001] /subvaardigheid schrijven korte samenvattingen thema: Exotic news can-do : lezen om informatie op te doen - kan.
Deltion College Engels B2 Gesprekken voeren [Edu/009] thema: ‘We’d better go to…’ can-do : kan in vertrouwde situaties actief meedoen aan discussies over.
Deltion College Engels B1 Lezen [Edu/002] thema: But I ‘ve read it in… can-do : kan hoofdthema en belangrijkste argumenten begrijpen van eenvoudige teksten.
Deltion College Engels B2 Gesprekken voeren [Edu/007] thema: ‘With this mobile you can…’ can-do : kan op betrouwbare wijze gedetailleerde informatie doorgeven.
What the #hack?! privacy Job Vos – jurist, FG en privacy-expert Kennisnet MBO Raad 22 april 2015.
Nederlandse Organisatie voor Wetenschappelijk Onderzoek Semantic Web and Library Applications Workshop Presented by Luit Gazendam.
Deltion College Engels B2 (telefoon)gesprekken voeren[Edu/002] /subvaardigheid lezen/schrijven thema: I am so sorry for you… can-do : kan medeleven betuigen.
HOFAM vak Organisatie & Management les 10. Motivation 2 One secret for success in organizations is motivated and enthusiastic employees The challenge.
Creating local Europeana related networks Europeana taskforce Hans van der Linden 17/4/15.
GegevensAnalyse Les 2: Bouwstenen en bouwen. CUSTOMER: The Entity Class and Two Entity Instances.
2 december 2015, Privacy en de Digital Enterprise Vertrouwen in data.
Mavo 4.  Goal(s)  Letter Puzzle  Write a letter  Check the letters  Do assignments 4A, 5A, 6A & 7 in Student Book page 50  Evaluation.
OpleidingsCentrum voor Bowlers Clinic Appingedam KISS.
Hate speech (haatzaaien) binnen de Europese Unie Jongeren verzetten zich tegen hate speech Onderzoekslunch CLO 19/11/2013 Lectoraat European Integration.
Guides for gutter Text colours R 27 G 66 B 152 R 0 G 0 B 0 R 127 G 127 B 127 Background.
Erasmus Universiteit Rotterdam Het bereik van de compliance functie Inleiding Kernvraag Relevantie Context/ ‘setting the scene’ Voorgestelde aanpak en.
The Research Process: the first steps to start your reseach project. Graduation Preparation
Bart van der Sloot Cursus Internationale Veiligheid voor het Ministerie van BZK Interne veiligheidsvraagstukken.
Prof. dr. Fons Coomans UNESCO Chair ‘Human Rights and Peace’
Duurzame impact van duurzame bedrijven Sociale impact.
Gij zult openbaren: privacy en de open overheid
Overzicht Privacy: ratione personae (Privacy = recht van individu)
Key Process Indicator Sonja de Bruin
Standaarden en spelregels voor de Slimme Stad
Juridische Argumenten Concurrentievervalsing:
PILOT TOETSING PERIODE 2 LES 1: BEOORDELEN VAN GROEPSWERK
Recht om vergeten te worden
Innovatie met IBM Cloud Orchestrator.
Sector, Firm Size and ICT investments
Big Data & het recht op privacy
Privacy en Big Data Bart van der Sloot.
Joint Leiden-Delft-Erasmus project on Cyber Insurance
arbitrage in het EU-handelsbeleid - VLEVA
Presentatie titel Measurement education in the junior primary –
Werkwijze Hoe zullen we als groep docenten te werk gaan?
De taaltaak
Just Science Done Right!
<Typ titel via Beeld, Koptekst en voettekst, Koptekst>
12 maart. 12 maart Marginalised people in general do not have much power over destinies because they are often not represented in decision making or.
Crohn’s Disease and medicinal cannabis oil A WORKING PROTOCOL
Utrecht Attractive and Accessible: Focus on the User
Uitwisselen van gegevens
Rob Heyman and Ilse Mariën
The right to be let alone … by yourself
Privacy als grondrecht
Who knows something about scenarioplanning?
A National Strategy for Public Libraries in the Netherlands
UGlobe Utrecht University, 9 March 2018
Living in the Promised Land Leven in het Beloofde Land
Meaning maning by public leaders in times of crisis
LIESBETH RUOFF - VAN WELZEN CHAIR IG DIGITAL SKILLS KNVI
Leerlingen zeiden: “Je MOET hem loslaten
Moving Minds DNA.
Transcript van de presentatie:

De toekomst van privacybescherming Bart van der Sloot Senior onderzoeker Tilburg Institute for Law, Technology, and Society (TILT) Tilburg University, Netherlands www.bartvandersloot.nl

Overzicht (1) Het recht op privacy (2) Big Data (3) Nieuwe problematiek (4) Nieuwe benadering? (5) De homo digitalis

(1) Het recht op privacy ARTIKEL 8 Recht op eerbiediging van privé-, familie- en gezinsleven 1. Een ieder heeft recht op respect voor zijn privé leven, zijn familie- en gezinsleven, zijn woning en zijn correspondentie. 2. Geen inmenging van enig openbaar gezag is toegestaan in de uitoefening van dit recht, dan voor zover bij de wet is voorzien en in een democratische samenleving noodzakelijk is in het belang van de nationale veiligheid, de openbare veiligheid of het economisch welzijn van het land, het voorkomen van wanordelijkheden en strafbare feiten, de bescherming van de gezondheid of de goede zeden of voor de bescherming van de rechten en vrijheden van anderen

(1) Het recht op privacy Aanvankelijke vragen: Moet er wel een individueel klachtrecht komen? Moet het wel om individuele belangen gaan? Moet er wel een Hof komen? Moeten er sanctiemogelijkheden komen?

(1) Het recht op privacy Twee instanties: Commissie en het Hof Twee soorten klachten: ARTIKEL 33 Interstatelijke zaken Elke Hoge Verdragsluitende Partij kan elke vermeende nietnakoming van de bepalingen van het Verdrag en de Protocollen daarbij door een andere Hoge Verdragsluitende Partij bij het Hof aanhangig maken. ARTIKEL 34 Individuele verzoekschriften Het Hof kan verzoekschriften ontvangen van ieder natuurlijk persoon, iedere niet-gouvernementele organisatie of iedere groep personen die beweert slachtoffer te zijn van een schending door een van de Hoge Verdragsluitende Partijen van de rechten die in het Verdrag of de Protocollen daarbij zijn vervat. De Hoge Verdragsluitende Partijen verplichten zich ertoe de doeltreffende uitoefening van dit recht op generlei wijze te belemmeren.

(1) Het recht op privacy

(1) Het recht op privacy Focus op positieve verplichtingen Focus op positieve rechten Uitbereiding van artikel 8 EVRM Noodzakelijkheidstoets > belangenafwegingstoets Meer nadruk op legalistische vormen van conflictbeslechting

(1) Het recht op privacy Commissie opgeheven Direct klachtrecht voor individuen Inter-Statelijke klachten worden nauwelijks gebruikt Groepen mogen niet klachten Rechtspersonen in principe ook geen klachtrecht onder artikel 8 EVRM [T]he extent to which a non-governmental organization can invoke such a right must be determined in the light of the specific nature of this right. It is true that under Article 9 of the Convention a church is capable of possessing and exercising the right to freedom of religion in its own capacity as a representative of its members and the entire functioning of churches depends on respect for this right. However, unlike Article 9, Article 8 of the Convention has more an individual than a collective character(…). ECmHR, Church of Scientology of Paris v. France, application no. 19509/92, 09 January 1995.

(1) Het recht op privacy Insofar as the applicant complains in general of the legislative situation, the Commission recalls that it must confine itself to an examination of the concrete case before it and may not review the aforesaid law in abstracto. The Commission therefore may only examine the applicant's complaints insofar as the system of which he complains has been applied against him. ECtHR, Lawlor v. The United Kingdom, application no. 12763/87, 14 July 1988.

(1) Het recht op privacy A priori claims  It can be observed from the terms ‘victim’ and ‘violation’ and from the philosophy underlying the obligation to exhaust domestic remedies provided for in Article 26 that in the system for the protection of human rights conceived by the authors of the Convention, the exercise of the right of individual petition cannot be used to prevent a potential violation of the Convention: in theory, the organs designated by Article 19 to ensure the observance of the engagements undertaken by the Contracting Parties in the Convention cannot examine - or, if applicable, find – a violation other than a posteriori, once that violation has occurred. Similarly, the award of just satisfaction, i.e. compensation, under Article 50 of the Convention is limited to cases in which the internal law allows only partial reparation to be made, not for the violation itself, but for the consequences of the decision or measure in question which has been held to breach the obligations laid down in the Convention. ECmHR, Tauira and others v. France, application no. 28204/95, 04 December 1995.

(1) Het recht op privacy Hypothetical claims Actio popularis  The Court reiterates in that connection that the Convention does not allow an actio popularis but requires as a condition for exercise of the right of individual petition that an applicant must be able to claim on arguable grounds that he himself has been a direct or indirect victim of a violation of the Convention resulting from an act or omission which can be attributed to a Contracting State. ECtHR, Asselbourg and 78 others and Greenpeace Association- Luxembourg v. Luxembourg, application no. 29121/95, 29 June 1999.

(2) Big Data

(2) Big Data

(2) Big Data

(2) Big Data

(2) Big Data

(2) Big Data Verzamelen Analyseren Gebruiken

(3) Nieuwe problematiek Biedt de AVG wel afdoende beschermingsmogelijkheden? Verzamelen van gegevens Datakwaliteit Doel en doelbinding Transparantie en informatievoorziening Beveiliging van data Controle van individuen

(3) Nieuwe problematiek Problematiek die dit oproept

(3) Nieuwe problematiek Developing a hypothesis Gathering data Categorizing data Updating data Combining data Falsification of hypothesis N > 100 Correlation ≠ causality

(3) Nieuwe problematiek Moet de juridische benadering nadruk houden? Kunnen er nog schotten worden geplaatst tussen domeinen en instanties? Wat zegt dat over doelbinding en het delen van informatie? Wat is het probleem met het openbaar maken en het hergebruik van informatie?

(3) Nieuwe problematiek Kan er nog een nadruk liggen op ‘persoonsgegevens’? Kan er nog een zinnige afweging tussen belangen plaatsvinden? Gaat het nog wel om inbreuken of gaat het meer om machtsverhoudingen? Is de dataverwerking/Big Data eigenlijk wel effectief?

(3) Nieuwe problematiek Focus op individu komt onder druk te staan door: Onbekendheid Onmogelijkheid Onbestemdheid

(4) Nieuwe benadering? Deugdethiek Fuller Ontkoppeling van plichten en rechten Minimum voorwaarden Maximum voorwaarden

(4) Nieuwe benadering? Letting go of the focus on individual rights Allow in abstracto claims The current legal regime primarily focuses on in concreto judgements. It requires that the applicants must be harmed individually by the law or policy complained of. Courts then assess matters on a case by case basis, that is, on the particular circumstances of the case. However, it is often difficult to substantiate individual harm in Big Data processes. Moreover, it is increasingly difficult for individuals to uphold their individual rights in a world where data processing is so omnipresent. That is why it may be valuable to accept in abstracto claims. In such cases, laws or policies are assessed on their own merits, without it being necessary that they have been applied in practice of that they have or will have potential negative effects on the interests of the individual when applied in practice. Rather, the laws and policies are assessed in abstract terms, for example by assessing their intrinsic qualities. Allow class actions (actio popularis) The current privacy regime grants rights specifically to individuals, that is, natural persons. This also holds true for the right to data protection, because ‘personal data’ are commonly defined as data that identify a ‘natural person’. The difficulty with this approach is twofold. First, people are often simply unaware that their personal data are gathered. Secondly, there is often an inequality of arms. Big Data processes are often initiated by large multinationals such as Google, Apple and Facebook or by states’ intelligence services, police or tax authorities. Individual citizens are mostly ill-equipped and underfinanced to engage in long and difficult legal proceedings regarding highly complex, sophisticated technologies. That is why it may be valuable to allow for class actions (actio popularis). In such claims, civil society organizations and groups are allowed to submit complaints about a privacy violation. Allowing these types of claims in European case law might mean that over time, specialized organizations may be created that have as primary goal engaging in these types of class actions.

(4) Nieuwe benadering? Letting go of the focus on individual interests Focus on societal interests The current privacy paradigm is primarily, though not exclusively, focused on protecting personal interests. This is increasingly problematic in the age of Big Data, because large scale data processing practices often transcend the individual and her interests. That is why it might be valuable to also take into account general and societal interests when assessing cases regarding large data processing initiatives. Such societal interests may be linked, inter alia, to the prevention of abuse of power by states, but also to the question of whether the state is using its power optimally, for example, by creating a (technological) environment that allows for diversity, for human flourishing and for citizen empowerment. Regulate data The current legal regime differentiates between, inter alia, private and public data, content and metadata, anonymous and personal data, statistical and sensitive personal data, etc. Their protection depends on the question of whether the data can be linked to the individual, can be used to identify a person or has an impact on a natural person. There are generally two problems with this approach. First, as was stressed previously, the link to a specific individual and her interests is increasingly insufficient to address all the relevant aspects of data gathering, processing and usage. Second, distinguishing between different types and categories of data, and linking to them a specific regime of protection and of powers for data controllers, is outdated because data are increasingly going through a circular life cycle. That is why it may be valuable to introduce additional regulation of the processing of data as such, independently of whether these data can be qualified as personal, private or sensitive data. Similarly, rules could be developed for the analysis of data by computerized means.

(4) Nieuwe benadering? Letting go of the focus on balancing interests Focus on intrinsic qualities of laws and policies The current regulatory regime is primarily concerned with determining the outcome of cases and assessing the quality of laws and policies on the basis of their potential positive and negative effects. A privacy violation is primarily seen as a negative effect that may result from data processing activities, while efficiency, security or transparency are the positive effects that may result from them; while the negative effects are primarily focused on the individual level, the positive effects are mostly formulated on a societal level. The negative and positive consequences are weighed and balanced against each other. However, because both individual and societal interests in Big Data processes are increasingly abstract and vague, balancing those interests becomes increasingly difficult. That is why it may be worthwhile to focus on the minimum requirements of the law. These rule-of-law-based principles, guaranteeing the basic legitimacy and legality of laws and policies, should be respected even when no individual rights or interests are at stake. As these are minimum requirements, they should be respected at all times; no balancing exercise takes place. Focus on the aspirations of laws and policies The current legal (privacy) paradigm is primarily focused on laying down duties and minimum requirements. Because technological developments are so rapid and because the interests at stake are often abstract and societal in nature, it might be worthwhile to focus more on the aspirations of laws and policies. Seeing the legal order as a purposive enterprise allows for such an approach, as the legal order is created and designed in such a way that human freedom is respected. The natural end of a legal order is promoting human freedom to the maximum extent possible. Such aspirations could be, inter alia, promoting a society with maximum diversity, autonomy and freedom.

(4) Nieuwe benadering? Letting go of the focus on black letter law Focus on ethical rules The current paradigm places its bets mainly on the legal regulation of rights and obligations – black letter law. Yet it is increasingly questionable whether and to what extent this form of regulation still suffices in the Big Data era. That has to do with a number of issues. First, data processing is increasingly transnational. This implies that more and more agreements need to be made between different states and organizations in different jurisdictions. Hard legal rules are often difficult to agree upon due to the difference in traditions and legal systems. Furthermore, rapidly changing technology has the effect that specific legal provisions can easily be circumvented and that unforeseen problems and challenges may arise. And, as discussed, many of the problems arising from Big Data practices are social and societal. It is questionable whether those concerns should be dealt in full within the juridical discourse. It could be promising to regulate Big Data processes additionally through forms of soft law and ethical standards, such as duties of care and codes of conduct. The underlying normative principles and values to be guaranteed in Big Data processes remain relatively stable. One could also look to other sectors for inspiration, for example the idea of installing ethical oversight committees, such as is a common practice in the medical sector. An interdisciplinary group of experts, consisting for instance of lawyers, ethicists, engineers and practitioners, could assess specific plans, policies and experiments. Adopt a more hybrid approach The current regulatory regime is based on numerous categorizations, labels and distinctions. For example, distinctions can be made between the offline and online, between the analog and digital environment, between the protection of privacy in the private and in the public domain, between different nations and jurisdictions, between times of war and times of peace, between the powers and capacities of organizations in the private sector and in the public sector, and between different organizations in the public sector (for example in relation to which data they may gather, how they might use them and for what purposes; the intelligence agencies have broader powers to process data than the police, and the police has broader powers than the social services). In the Big Data era, however, the world is becoming increasingly fluid. Although the rights of citizens are currently linked mainly to physical objects such as the body and the home, and certain forms of communication such as the secrecy of correspondence, the Big Data era requires that one’s digital identity, internet communications and privacy in the public domain be protected equally. Likewise, in Big Data processes, data streams increasingly circulate between the private and the public sector and between different governmental agencies. Future regulation will need to standardize the rules applicable to those different sectors.

(5) De homo digitalis (1) Niet doel maar belang (2) Belangenafwegingstoets (3) Alle gegevensverwerkingsprincipes vallen daaronder

(5) De homo digitalis (1) Is Big Data werkelijk zo revolutionair? (2) Waarom zal de Algemene Verordening Gegevensbescherming niet slagen? (3) Waarom volstaan minder radicale voorstellen niet? (4) Waarom moet het Gegevensbeschermingsrecht ook voor small data worden herzien? (5) Is het voorstel wel voldoende kaderstellend voor de private sector?

(5) De homo digitalis (6) Zijn niet alle juridische regels zowel over- als onderinclusief? (7) Wordt de rechtspositie van de burger daadwerkelijk versterkt? (8) Wordt het gegevensbeschermingsrecht inderdaad minder complex voor bedrijven? (9) Wie bepaalt de uitkomst van de belangenafwegingstoets en hoe? (10) Is het voorstel wel een oplossing voor het probleem?

(5) De homo digitalis (11) Wordt met het voorsstel het verzamelen van persoonsgegevens vrijgegeven? (12) Hoe verhouden de verschillende arugementen zich tot elkaar? (13) Zijn de data inderdaad een doel op zich en kunnen bedrijven niet zonder data? (14) Is informed consent wel de hoesteen van het huidige gegevensbeschermingsrecht? (15) Kiezen Moerel en Prins voor een vorm van handelings-utilisme?

(4) Nieuwe benadering?