[MyData & Open Data] existing legal frameworks of biometrics

Mon Apr 7 11:29:15 UTC 2014

> The whole notion of ‘ownership’ and ‘data as property’ is knotty. See, for example, this recent UK ruling:
>   
> http://www.out-law.com/en/articles/2014/march/information-held-in-electronic-databases-not-property-which-can-be-possessed-rules-uk-court/  
>   
> I agree that control is the key issue. Which is why, for personal data, it seems a nonsense that the person is the subject not the controller.
>  
>  
>  

 One of the challenges of this group will be to build an international approach that incorporates - but it is not fully defined by - European concepts such as controller and subject.
>  
>   
> Persisting with categorisations defined in a pre-Web era is dysfunctional, even if some new(ish) developments – the only ones of which I know in any detail are Mydex and PIB-d, because I provide independent advice to both – attempt to shift the balance by working cleverly within existing frameworks. The ‘monetisation’ aspects of these are practical (how do you build and maintain an infrastructure that, whatever else it does, must compete in a world that contains Facebook and Google) but peripheral, to this discussion at least.
>  
>  
>  

Monetisation is important to discuss in many ways. It is a major driver of discussions about giving individuals control over personal data, but in its narrowest sense it could move the debate from control to fair compensation. Will Jaron Lanier’s ideas for a humanistic information economy based on commercial rights end up closer to loyalty-card discounts? The OECD’s ideas on the value on personal data look a lot more like this.

>  
>   
> Previous frameworks I may have mentioned, e.g. ‘informational privity’, were attempts to grapple with existing legal constructs such as ‘chain of contract’ (breach leading to much simpler redress) and ‘assignable rights’ (control over use). In discussion with folks, e.g. at the Law Society, it became clear we’d be talking about a whole new field of law for this – but I’m not sure we shouldn’t be considering that. Surely the outcome of an information revolution should be a settlement that redresses the balance in favour of the people, not the barons of the old information economy or the creaking institutions of the old information society?
>  
>  
>  

I think this is definitely worth considering. I had a similar discussion with researchers worried about managing ongoing consent for reusing data for new research. I think in that case some form of consent delegation could help, particularly for purposes defined in a broader sense that would not be specific enough for standalone consent in DP law, but narrow enough to hold tight.  
>  
>   
> I’m yet to be convinced that My Data as a distinct category is useful, especially if it – and others, such as pseudonymised data – leads to a mushrooming of ‘special’ categories of data about people that allow vested interests to ‘game’ what they do with it. It also starts to feel a bit like taxonomy for taxonomy’s sake.
>  
>  
>  

But there is an increasing amount of data that falls in the cracks of data protection laws through the removal of identifiers, mainly from smartphones and internet of things devices. Our current binary approach is not able to grasp this. In most cases, once you “anonymise” data that’s the end of personal protections. But as we have seen from the medical data scandals int he UK, people are concerned of the uses of that anonymised data, like in the famous actuaries report.

> Legally enshrining pseudonymised data in law is quite frankly stupid; pseudonymisation is no more than a necessary technical measure for mitigating some types of reidentification risk. It does not magically transform a bunch of personal data into some completely different thing, and it is far from sufficient in itself to make personal data non-disclosive – especially rich episodic data – as has been graphically demonstrated with linked, patient-level pseudonymised health data here in the UK:
>   
> https://medconfidential.org/2014/commercial-re-use-licences-for-hes-disappearing-webpages/ and
> http://www.theguardian.com/technology/2014/mar/17/online-tool-identify-public-figures-medical-care  
>   
> I suspect its enshrinement in EU law will say more about the relentless lobbying of vested interests and the technical ignorance of legislators – and civil society’s failure to counteract both, for which I must accept I am as much to blame as any – than any real logic or genuine protection for the individual.

I think that we need some context here.

There is a lot of resistance from privacy activists to any blurring of the lines by introducing new concepts or terminology, because as we saw with pseudonymous data we are not dealing with abstract concepts but big businesses, such as behavioural advertisers collecting IP addresses and the pharmaceuticals mentioned above by Phil.

Things that would appear common sense, such as taking a risk based approach to privacy instead of a one size fits all, are almost impossible to discuss rationally because lobbyists will use these as Trojan horses to weaken our laws.

But we need to be able to at least discuss where things are going.  

>  
>   
> Phil
>  
>   
> From: mydata-open-data [mailto:mydata-open-data-bounces at lists.okfn.org] On Behalf Of Javier Ruiz
> Sent: 04 April 2014 17:54
> To: Walter van Holst
> Cc: mydata-open-data at lists.okfn.org (mailto:mydata-open-data at lists.okfn.org)
> Subject: Re: [MyData & Open Data] existing legal frameworks of biometrics
>   
> My take on the concepts (version 0.9 ;-):
>  
>   
>  
> MY DATA
>  
>   
>  
> I would see My data as data “generated” in my use of digital tools and engagement with electronic information and communications systems. My digital trail of gold or rubbish.  
>  
>   
>  
> I think this is a useful concept and different from personal data.
>  
>   
>  
> OWNERSHIP
>  
>   
>  
> I may or may not “own” this data depending on the tools and the contracts involved.  
>  
>   
>  
> Location data from my GPS DiY health sensor tracker is different from location data that my mobile company has on me, or location data that a random app collects from my smartphone under the app permissions T&Cs.
>  
>   
>  
> Property is a incredibly tricky thing to establish with intangible things such as data. There is “intellectual property”, as in copyright and database right. But also ownership of infrastructure and any contractual or licensing agreements.
>  
>   
>  
> Facts cannot be copyrighted. So data automatically generated - e.g. anything with sensors - is probably a fact.  
>  
>   
>  
> Nobody “owns” facts, but if I take a ton of research measurements from a lab, they will claim I stole “their” research data. And instinctively you would agree, but what is property of data?
>  
>   
>  
> See this for a discussion in the context of US health data (page 78)  http://jolt.law.harvard.edu/articles/pdf/v25/25HarvJLTech69.pdf You may disagree with some of the conclusions but it is quite useful, I think.
>  
>   
>  
> Database right in Europe protects the investment in creating databases. So if you are using someone else’s infrastructure it’s very possible they at least share the “ownership” of this exploitation right, but this is not exactly the same as what many people in the WG mean by “ownership", I believe.
>  
>  
>   
>  
>   
>  
> ACCESS
>  
>   
>  
> Your right to “access” (subject access in EU law), as Walter explained, is not the same as “ownership" as in property. It means you can know what information is held about you by an organisation at a point in time, normally by getting a hard copy.  
>  
>   
>  
> PERSONAL DATA
>  
>   
>  
> My Data may or may not be “personal information” under European standards in terms of being enough to identify me or even single me out. Data need not have any personal identifiers (name, address..) to be personal information.  
>  
>   
>  
> An example of these differences can be found in the treatment of traffic and location data in Europe. There are regulations on these data types (say web history) under the EU E-privacy directive independently of whether this is personal under Data Protection laws. Both legal frameworks - data protection and the regulation of privacy in electronic communications - run in parallel.  
>  
>   
>  
> TRANSFORMED DATA
>  
>   
>  
> I agree this may introduce complication and we could well agree to drop it. But we should explore the issues behind this before we ditch it.
>  
>   
>  
> Pseudonymous data is about to become legally enshrined in EU law as a separate category.
>  
>   
>  
> De-identified data may not be personal any longer in the eyes of the law, but here are arguments on how “non-personal” can things like location and browsing histories ever be, despite “anonymisation” efforts.  
>  
>   
>  
> How do we deal with these kinds of data?
>  
>   
>  
> CONTROL
>  
>   
>  
> Part of the spirit of the Working group is that I should be able to control My Data somehow. I think control has to be seen as a separate issue that may overlap with all of the above, but it’s not the same.
>  
>   
>  
> In the field of IP you have exploitation rights separate from moral rights. Is this applicable to data? Should I be able to object to my data to be used for nasty purposes such as the development of biological weapons? even if it is anonymised and running on someone else’s infrastructure?
>  
>   
>  
> Personally I am a bit sceptic of the individual monetisation approach, preferring a commons perspective, but control is important in any case.
>  
>   
>  
> Data protection and privacy laws may help me control My Data in some cases, but you may also need other things: the right infrastructure (VRM, Mydex..) or better contracts with cloud providers.
>  
>  
>   
>  
>   
>  
>   
>  
>   
>  
>   
>  
> --  
> Javier Ruiz
> javier at openrightsgroup.org (mailto:javier at openrightsgroup.org)
> +44(0)7877 911 412
>  
> @javierruiz
>  
> www.OpenRightsGroup.org (http://www.OpenRightsGroup.org)
>  
>   
>  
>  
> On Friday, 4 April 2014 at 16:24, Walter van Holst wrote:
> > On 04/04/2014 17:12, Antti Jogi Poikola wrote:
> >  
> > >   
> > >  
> > > Suggestion: My data is a subset of personal data - the term My Data
> > >  
> > > underlines ownership or at least access to my personal data.
> > >  
> > >   
> > >  
> > > In all cases of personal data this ownership question is not clear
> > >  
> > > (i.e. the photo example), but in many cases data subjects should have
> > >  
> > > access / ownership to their personal data in machine readable form and
> > >  
> > > My Data term underlines that cause.
> > >  
> > >  
> >  
> >   
> >  
> > I'm sorry. The ownership of data bears zero relevance to your right to
> >  
> > access to your personal data. The latter is not unqualified in that it
> >  
> > is not an absolute one, but under the Data Protection Directive you have
> >  
> > it as a default rule.
> >  
> >   
> >  
> > Moreover, it is property rights on data that is an unclear territory in
> >  
> > law compared to access rights to personal data. Your position only
> >  
> > underlines that concepts of ownership makes it all murkier, not clearer.
> >  
> >   
> >  
> > Regards,
> >  
> >   
> >  
> > Walter
> >  
> > _______________________________________________
> >  
> > mydata-open-data mailing list
> >  
> > mydata-open-data at lists.okfn.org (mailto:mydata-open-data at lists.okfn.org)
> >  
> > https://lists.okfn.org/mailman/listinfo/mydata-open-data
> >  
> >  
> >  
>  
>   
>  

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.okfn.org/pipermail/mydata-open-data/attachments/20140407/ac05d257/attachment-0003.html>