MAPPING Managing Alternatives for Privacy, Property … · MAPPING – Managing ... •The global character of the internet complicates the protection of IPR •Within the EU, there

This project has received funding from the European Union’s Seventh Framework Programme for research, technological development and demonstration under grant agreement no 612345.

MAPPING – Managing Alternatives for Privacy, Property and Internet Governance

Nikolaus Forgó

Institute for Legal Informatics

Leibniz University Hanover

Institut für Rechtsinformatik

// Institute for Legal

Informatics

research center since1979

1983: first institute for IT law in Germany

2014: more than 50 employees

IRI – Research

Frameworks

IRI – Research Projects

IRI – Foci of Research

Telecommunications Intellectual Property Data Protection /

Data Security

IT Security

Surveillance

Law Enforcement

Intelligence

Banking

GeoData

Cloud Computing

Clinical Research / Clinical Trials

Big Data Patients Rights

Klepnutím lze upravit styl předlohy nadpisů. Klepnutím lze upravit styl

předlohy nadpisů.

THE MAPPING PROJECT

A brief outline of

MAPPING at a Glance

Project coordionator: University of Groningen

14 participating institutions

Funding: EU FP 7 – SiS – 2013 – 1

• with a total cost of € 4.642.522,20

Project duration: 01/03/2014 – 28/02/2018

Project goals

Three focus areas: IG, Privacy and IPR

Coordination and Support Action (CSA) project

with a focus on dialogue and participation

• „research meets practice“ approach

• Different events such as round tables, working groups

or conferences

• Stakeholder‘s knowledge will be utilised for research

Final goal: Provide a road map to shape the EU‘s

technological future


předlohy nadpisů.

IG, PRIVACY AND IPR

PRINCIPLE TOPICS

The focus areas:

Internet Governance (IG)

Internet Governance Stream (RUG)

Digitial transition and IG • Internet Magna Carta vs. liberal approach

Cybercrime, Cybersecurity and fundamental rights • In a globalised world, the need for security and surveillance are

similarly global

• Treaty on surveillance, such as the Convention on Cybercrime?

Parallel Internet? • A part of the Internet

• with some additional safe-guards built-in

• which is subject to the jurisdiction of the EU

• which is not subject to the jurisdiction of any security or service agencies

Privacy

Privacy

Security Economy

Privacy-Economy-Security (Research/Activities co-ordinated by IRI, LUH) Details on our work in the next part of the presentation.

Intellectual Property Rights

Dangers and risks to IPRs in the context of the digital transition • loss of control over protected works in digital environments?

Current policies of IPRs protection and the risk on chilling effects on innovation • Property logic possibly outdated?

• „Open Innovation“ as a smart and flexible alternative?

Fragmented IPR regimes and territoriality • The global character of the internet complicates the protection

of IPR

• Within the EU, there is also a fragmentation by national boundaries, harmonisation might be necessary


předlohy nadpisů.

PRIVACY, SECURITY,

ECONOMY

First Findings

The First Consultations

MAPPING Extra-ordinary Assembly (Rome

2014)

MAPPING Expert-Consultations (Focus

Groups, Hanover et. al. 2014)


EGA Statements:

Privacy - Economy

It‘s the economy, stupid

US vs. EU

4 particularly relevant fields of ecommerce:

• Search Engines

• Social Networks

• Retail

• Payment Services

Dominiation of US firms

• More liberal and harmonised framework

• Homogenous, big market

Question: • How can we maintain our standards and stay competitive?

Needs: • “Harmonised framework and application of it”

• “Enforcement also against US competitors”

• “Increase technical knowledge in regulatory bodies”

• “Not to get lost in details when creating new framework (“we are already lagging behind”)”

• “Letting go discussion on “theoretical problems” and focus an the issues relevant in practice”

• “Create harmonised approaches of different authorities in charge (e.g. finance regulation and DPA)”

• “Understand the even the EU will not be able to ban business models / technologies as long as they remain successful everywhere else”

Status-quo as seen by

invited Experts

Statements/Issues raised:

• “It is questionable whether Google’s success stems from a better legal framework alone”

• “US dominance results from a large home market leading to financial strength”

• “DPAs can significantly obstruct market entry (when focussing on issues created by an inefficient (outdated?) law)”

• “High costs for compliance can form significant obstacles for market entry of SME / start-ups”


invited Experts

Statements/Issues raised (cont’d):

• “SME need enhanced support: law shall not be misused to keep competitors out of the market”

• “Certification may be a way out”

• “Issue: lack of case law, as companies avoid to bring cases in front of court”

• “Focus will need to shift to Asia as well (not only the transatlantic relation)”

• “Data protection law is a cost-factor”:

• This is ok to achieve high standards

• But the money is not well invested, if standards practically do not rise because the law does not address the right issues


invited Experts

Statements/Issues raised(cont’d): • Advertising European standards may fail due to lack of

significance on the world market (regarding personal data)

• We should not forget: after all, users will choose the product which suits them best

• This product does not necessarily need to be the one with the highest privacy standards

• User may not be able to identify the best product in terms of privacy anyway (usability is way easier to assess then privacy standards)

• If innovation is hampered in Europe, products from outside Europe will continue to dominate the market

Reality Check

„Recent“ Development:

Upcoming legal framework

Rat, 24./25. 10. 2013

It is important to foster the trust of citizens and businesses in the digital economy. The timely adoption of a strong EU General Data Protection framework and the Cyber-security Directive is essential

for the completion of the Digital Single Market by 2015.


EGA Statements:

Security - Economy

Field of tension: • Unregulated / unfiltered internet

vs.

• Higher Security Standards

Closer co-operation between authorities and ISPs needed?

Should IT security be stronger enforced by authorities? Or is that counter-productive? • this may hamper to the flow of information on incidents from

the private sector to authorities

• possible inflexibility (counter-innovative)

• lack of necessary dynamics?


invited Experts


• “lack of knowledge (no reporting obligations / too

little voluntary reports)”

• “costs”

• “Increase of political awareness needed: DDOS

rule the headlines, but cyber espionage is the true

threat that causes the immense damage”

• “Closer control of networks is needed. This must

not be confused with surveillance.”

• “European approaches are promising to be more

effective than national approaches”


invited Experts


• “Data security officers as compulsory institution

independently of (existing) data protection

officers?”

• “Highly skilled personal needed”

cost issue for SMEs


invited Experts


• “SMEs tend to lack awareness”

• “SMEs tend to avoid the costs for IT security”

• “This is likely to be a miscalculation”

• “The ‘capital’ of SMEs often is their innovative knowledge”

• “Not necessarily new technologies, but rather innovative re-

use of existing technologies and processes”

• “This in particular requires secrecy (if not patentable)”

• “Even where innovation is patentable, these patents are not

necessarily enforceable”

• ‘meta-knowledge’ (strategies, bids in tendering

procedures,…) may be as valuable as technological

innovation as such”


• “Human element is the most vulnerable element

in data security”

• This requires

• “Creating awareness through training”

• “Understanding the threats and their nature”

• “Understanding that, although hardly assessable,

financial damage (both direct and indirect) of cyber-

espionage / cyber-criminality is immense and can

threaten existence of the company itself”

Conclusion

• It is important and necessary to raise awareness

• There is a need to improve enforcement

• A homogeneous framework is required

• Certification as a solution to be discussed

• Lack of technical knowledge can be an

obstacle need for training / independent

auditors

Reality Check

Art. 30, Commission‘s

Proposal

appropriate technical and organisational measures

a level of security appropriate to the risks represented by the processing

having regard to the state of the art and the costs of their implementation

Art. 30, LIBE

taking into account the results of a data protection impact assessment pursuant to Article 33


Focus Groups Statements:

Privacy - Economy


• Social Networks

• How to create awareness?

• How to bridge possible differential

knowledge/understanding depending on

age/background/education?

• Is informed consent still the state of the art tool?

• Can large privacy policies provide the necessary

understanding?

• Alternative models? Certification?


• Principles of Data Protection Law

• is the concept of general interdiction with exceptional allowances (Verbot mit Erlaubnisvorbehalt) still meeting the social approach of the 21st century?

• Should we abandon the 1-0-approach and protect non-personal data better in certain cases?

– allegedly anonymised data may turn out to still allow “identification”

– Big Data applications may cause severe threats even though the data is used statistically (esp. in preparation of automated decision making)

– “data protection threat prevention” law needed?

– “data traffic regulations” (independently of personal data) needed?


• Principles of Data Protection Law - Possible Innovations:

• is the concept of identifiability still leading to the desired distinctions?

• should we not rather protect “identities”?

• do we need to distinguish between data processing, the result of which is perceived by humans, and such that is not?

– e.g. email in spam filter that is NOT spam and passes through (unnoticed by everybody except the legitimate recipient)

– e.g. license plates (APNR) that do NOT produce a match under the conditions of BVerfG decision 1 BvR 2074/05 und 1 BvR 1254/07

http://www.bundesverfassungsgericht.de/entscheidungen/rs20080311_1bvr207405.html








• Lack of parity in data protection environments

• lack of transparency

• lack “financial parity” of individual consumers and

companies addressing global markets (as opposed to IP

law, which has more elements of a “b2b”-law)

• lack of jurisprudence (only very few cases lead to court

decisions)

• DP authorities appear to

– lack capacities

– lack technical expertise

– lack efficient enforcement instruments


Focus Groups Statements:

Security - Economy


• “IT security is not absolutely controllable”

• it is a field of risk minimisation

• law should take that into account

• currently law resembles “strict liability”

(Gefährdungshaftung, meaning liability independent of

personal failure)

• the ideas of highly-secure fire walls (“Landesfirewall”),

as were favoured in the 1990s, have proven unrealistic:

sealing off networks tends to lead to a loss of the

desired functionality/interoperability


• Discrepancy of security needs and usuability/

“willingness”

• user tend to create work-arounds/shadow-IT

infrastructure

• BYOD

• “Decision-makers tend to propagate data security, but

fail to stick to the principles enacted if this results into

them not being able to use the tools they wish to use.”

This project has received funding

from the European Union’s

Seventh Framework Programme for research,

technological development and demonstration

under grant agreement no 612345.

Thank you for your attention!

[email protected]

MAPPING Managing Alternatives for Privacy, Property … · MAPPING – Managing ... •The global character of the internet complicates the protection of IPR •Within the EU, there

Documents