[MyData & Open Data] existing legal frameworks of biometrics

Walter van Holst walter.van.holst at xs4all.nl
Sat Apr 5 18:20:11 UTC 2014


On 04/04/2014 18:53, Javier Ruiz wrote:
> My take on the concepts (version 0.9 ;-):
> 
> MY DATA
> 
> I would see My data as data “generated” in my use of digital tools and
> engagement with electronic information and communications systems. My
> digital trail of gold or rubbish. 
> 
> I think this is a useful concept and different from personal data.

No, not different but a subset of. Your digital footprints,
fingerprints, shadow, you name it.

> 
> OWNERSHIP
> 
> I may or may not “own” this data depending on the tools and the
> contracts involved. 

Ownership and data are complex anyway, so this notion should be
dispensed with for the most part. Depending on the tools involved you
may be in control of this data. Most of the time you will not. The party
who gets to choose the nature, extent and means of the data is the
controller.

> Location data from my GPS DiY health sensor tracker is different from
> location data that my mobile company has on me, or location data that a
> random app collects from my smartphone under the app permissions T&Cs.
> 
> Property is an incredibly tricky thing to establish with intangible
> things such as data. There is “intellectual property”, as in copyright
> and database right. But also ownership of infrastructure and
> any contractual or licensing agreements.
> 
> Facts cannot be copyrighted. So data automatically generated - e.g.
> anything with sensors - is probably a fact. 
> 
> Nobody “owns” facts, but if I take a ton of research measurements from a
> lab, they will claim I stole “their” research data. And instinctively
> you would agree, but what is property of data?
> 
> See this for a discussion in the context of US health data (page 78)
>  http://jolt.law.harvard.edu/articles/pdf/v25/25HarvJLTech69.pdf You may
> disagree with some of the conclusions but it is quite useful, I think.
> 
> Database right in Europe protects the investment in creating databases.
> So if you are using someone else’s infrastructure it’s very possible
> they at least share the “ownership” of this exploitation right, but this
> is not exactly the same as what many people in the WG mean
> by “ownership”, I believe.

You're not allowing for the spin-off doctrine, as a result of which most
data is just public domain in the sense that database rights do not
apply and that they are too factual for copyright to apply.

> 
> 
> ACCESS
> 
> Your right to “access” (subject access in EU law), as Walter explained,
> is not the same as “ownership” as in property. It means you can know
> what information is held about you by an organisation at a point in
> time, normally by getting a hard copy. 

I would also add the rights to correction and deletion in this bit.

> 
> PERSONAL DATA
> 
> My Data may or may not be “personal information” under European
> standards in terms of being enough to identify me or even single me out.
> Data need not have any personal identifiers (name, address..) to be
> personal information. 
> 
> An example of these differences can be found in the treatment of traffic
> and location data in Europe. There are regulations on these data types
> (say web history) under the EU E-privacy directive independently of
> whether this is personal under Data Protection laws. Both legal
> frameworks - data protection and the regulation of privacy in electronic
> communications - run in parallel. 
> 
> TRANSFORMED DATA
> 
> I agree this may introduce complication and we could well agree to drop
> it. But we should explore the issues behind this before we ditch it.
> 
> Pseudonymous data is about to become legally enshrined in EU law as a
> separate category.
> 
> De-identified data may not be personal any longer in the eyes of the
> law, but here are arguments on how “non-personal” can things like
> location and browsing histories ever be, despite “anonymisation” efforts. 
> 
> How do we deal with these kinds of data?

Actually, pseudonymous data is still dealt with as if it were personal
data, it just gets less legal safeguards by default.

> 
> CONTROL
> 
> Part of the spirit of the Working group is that I should be able to
> control My Data somehow. I think control has to be seen as a separate
> issue that may overlap with all of the above, but it’s not the same.
> 
> In the field of IP you have exploitation rights separate from moral
> rights. Is this applicable to data? Should I be able to object to my
> data to be used for nasty purposes such as the development of biological
> weapons? even if it is anonymised and running on someone else’s
> infrastructure?

No. On what basis would you do that? Especially after transformation not
even the already limited database rights are likely to apply.

> 
> Personally I am a bit sceptical of the individual monetisation approach,
> preferring a commons perspective, but control is important in any case.
> 
> Data protection and privacy laws may help me control My Data in some
> cases, but you may also need other things: the right infrastructure
> (VRM, Mydex..) or better contracts with cloud providers.

I'm still a bit at a loss how open data can touch personal data. As soon
as it is personal data it cannot, by definition, be open data in my
opinion. The rights of correction and deletion, the principle of
proportionality and of purpose-boundness are fundamentally incompatible
with notions of open data.

If people want me to do a workshop/barcamp-like thing on OKFestival, I'd
be delighted to. Might also be the final reason to attend.

Regards,

 Walter
