What Difference will Regulations Make?
Grace Eden
Institute of Information Systems, University of Applied Sciences of Western Switzerland
In December 2015, the EU agreed the General Data
Protection Regulation (GDPR), which is expected to be enforceable by 2018 if
passed by all member states this year (Gibbs 2015). New laws that increase data
protection are welcome; however, as the Snowden disclosures revealed, intelligence
agencies use a variety of methods to gain access to personal data. So what effect
will regulations have on these practices? The techniques used by intelligence agencies
include tapping physical infrastructures such as fibre-optic cables, through
programmes like TEMPORA. They also include harvesting data from network
infrastructures, where metadata and content are collected from major
Internet companies through the MARINA and PRISM programmes.
Also, in many cases intelligence
agencies hack into computer systems and networks, as revealed in the QUANTUM THEORY programmes.
Most recently, in a ruling this year, the UK Investigatory
Powers Tribunal determined that hacking by GCHQ (Government Communications Headquarters) does
not breach human rights (Bowcott 2016). Two positions are being taken with
regard to citizens’ expectations of privacy, with one set of rules for
intelligence agencies and another for corporations. What can the European
Commission and national institutions do to address citizens’ privacy concerns
in both areas? How will different understandings of proportionality (Tranberg
2011) impact the average citizen’s rights to data privacy and security? To what
extent will new regulations make a difference in both the business and government sectors?
As important as the data protection regulations themselves
are, questions remain about how citizens develop trust
that laws are actually being adhered to by corporations and governments.
How do we ensure accountability? The development of guidelines for
operationalizing law and regulation should be discussed alongside the political
and legal debates. Citizens should be able to use online tools to evaluate how
well web services comply with regulations in all areas including informed
consent, right-to-be-forgotten and cross-border transfers of data. They should
also have access to informative labelling that communicates information about
product quality, in this case digital products. Labels promote consumer
literacy, giving citizens an opportunity to make informed choices. They should also
communicate a ‘disclosure of risk’ if one decides to use a product, and expectations
of personal responsibility for risk. These are currently found in the lengthy
and often indecipherable Terms & Conditions. Information labelling used in
combination with online tools could be an approach for operationalizing the
General Data Protection Regulation (GDPR) and other data privacy and protection
laws.
References
Gibbs, S. (2015). EU agrees draft text of pan-European
data privacy rules. The Guardian, http://www.theguardian.com/technology/2015/dec/16/eu-agrees-draft-text-pan-european-data-privacy-rules
Bowcott, O. (2016). GCHQ hacking does not breach
human rights, security tribunal rules. The
Guardian, http://www.theguardian.com/uk-news/2016/feb/12/gchq-hacking-does-not-breach-human-rights-investigatory-powers-tribunal
Tranberg, C.B. (2011). Proportionality and data
protection in the case law of the European Court of Justice. International
Data Privacy Law 1(4). pp. 239-248. doi: 10.1093/idpl/ipr015.