Various other interesting info

> Various other interesting info

Professor Mireille Hildebrandt, from Vrije Universiteit Brussels, published open access the paper “Privacy as the Protection of the Incomputable Self: Agonistic Machine Learning“, where she argues, using law, philosophy and insights from computer science, that “in the era of big data analytics we need an understanding of privacy that is capable of protecting what is uncountable, incalculable or incomputable about individual persons”. This paper was the basis of her Keynote during the Brussels Privacy Symposium that FPF organized together with the Brussels Privacy Hub at the beginning of November.
A research report soon to be published in Computer Law and Security Review is looking at the protection of privacy and personal data in 8 EU countries: France, Germany, the UK, Ireland, Romania, Italy, Sweden and The Netherlands. The comparison, relying on empirical research, focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws, implementation of laws and supervision and enforcement. The article currently has online access under paywall.
The International Data Privacy Law published under “Advanced Access” a paper on “Why a Right to Legibility of Automated Decision-Making Exists in the General Data Protection Regulation”, by Gianclaudio Malgieri and Giovanni Comande. The paper is part of an ongoing debate in Europe on whether the GDPR enshrines “a right to explanation” of algorithms and automated decision-making or not.
Interested in how Millennials from Europe feel about the sharing economy? Here is a study conducted on 18 focus groups across six European countries (Germany, Italy, The Netherlands, Norway, Switzerland, and The United Kingdom) – “Millennials and the Sharing Economy: European Perspectives”.
Privacy engineering
If you missed the workshop in Leuven, here is a summary of the discussions, as they were live tweeted. Among other things, we found out at the workshop that the EDPS is preparing an Opinion on Data Protection by Design, to be expected at the end of December or in January. After keynotes, participants were divided into 5 working groups, focusing on specific problems raised by the GDPR, such as de-identification, consent and transparency. Each group brainstormed the most important questions related to their topic, as well as discussed the existing solutions and the desired solutions. We will prepare a report informed by all sessions, that we’ll also make available to this group.
AI and ethics
Cutting edge research from the US and Europe was presented at the Brussels Privacy Symposium on November 6. You can find here the abstracts of all papers. Mireille Hildebrandt (Research Professor Interfacing Law and Technology, Vrije Universiteit Brussel), Nozha Boujemaa (Research Director, Inria) and Julie Brill (Corporate Vice President and Deputy General Counsel, Microsoft) presented Keynotes with their latest thought leadership. See highlights here.
The EU will soon have its first EU-wide rules for commercial drones, as the Parliament and the Council adopted their compromise text on a new Regulation after trilogue. According to the informal agreement reached on Thursday morningthe design and manufacture of drones will have to comply with EU basic requirements on safety, security and personal data protection. The deal now needs to be approved by the Council of Ministers (EU Governments) and the Parliament’s Plenary before entering into force.
The UK Government announced plans to adopt a “Drone Bill” next year, which will detail how drones can be used and will also pave the way for the devices to be harnessed for a range of uses by businesses and public services.
The Netherlands Standardization Institute (NEN) and Danish Standards (DS), in collaboration with partners in the EU-funded SATORI project, created the first international pre-standard, a CEN Workshop Agreement, addressing the role and procedures of the ethics committee and ethical impact assessment of research and innovation. Read more in the press release and on the project’s website.
Data retention
The Irish Government proposed a new data retention law which will require telecommunications services to store metadata of all communications for 13 months and “within the territory of the EU”, while also creating a new scheme of prior judicial authorization for all access requests to this data by authorities.
Italy plans to extend telecoms data retention to six years. An amendment in this sense was already passed by the lower Chamber of the Parliament, with the Senate expected to vote on this issue early September. The proposed change generated a lot of debate and criticism in Italy, with the Italian DPA at the forefront – highlighting that this amendment is not in line with the case-law of the Court of Justice of the EU.
Data breaches
According to FT, Italy’s biggest bank, UniCredit, has revealed a data breach affecting 400,000 customers who suffered unauthorised access to their personal loan accounts. The Milan-based bank blamed a third party provider for the two data breaches it discovered, which it said happened between September and October 2016 and again between June and July of this year. 
The Netherlands will hold a referendum on legislation giving law enforcement authorities far-reaching surveillance powers. A range of activists, politicians and media groups oppose the law, which passed by a healthy margin in July and gives agencies the power to gather data covertly from large groups of people at once.
The annual report of the Danish Intelligence Oversight Board revealed that the Danish Security and Intelligence Service collected data of some Danish citizens without having a legal basis for it. In a sample of searches of SIGINT raw data by DDIS analysts, TET found that 12 percent of the searches unlawfully targeted Danish persons.
Data Protection laws around the world
Professor Greenleaf published an updated count of all data protection laws around the world – which are now present in 120 countries. “For the 44 years from 1973 to December 2016, 120 countries around the world have enacted new data privacy laws, at an average rate of 2.7 new countries per year”. The article contains a table showing the year-by-year development.
New EU Commissioner for the digital economy
The new commissioner for the digital economy and society, Bulgaria’s Maryia Gabriel, who will replace Germany’s Gunther Oettinger who took over the Budget portfolio, responded to MEPs questions in a hearing as part of the process of her appointment. During the hearing, she was evasive on tough questions about encryption backdoors and content filtering, preferring to highlight her experience as a compromise builder and emphasising the need for “dialogue”. 
Focus on psychographic profiling
The Guardian reported that an American citizen partly obtained a copy of the personal data that Cambridge Analytica holds on him resulting from the firms’ efforts during the presidential campaign in the US last year. Now he is asking in British Courts more information about Cambridge Analytica’s practices (CA has a headquarter in the UK). The ICO also opened an investigation on the firms’ practices  earlier this year focusing on its role in the Brexit campaign, but also extending the inquiry into how the firm processed data in political campaigns outside the EU.
BBC broadcasted a 14 minute segment on psychographic profiling used in electoral campaigns or for other political purposes, trying to discern between myths and facts. The head of the ICO is also featured in the clip, with some input about the investigation on Cambridge Analytica.
VIDEO – EU law, institutions and policymaking
For those of you who were not able to attend FPF’s event last autumn on Understanding EU law, institutions and policymaking (an advanced legal colloquium for privacy leaders), we have made the video available HERE. You can use this password to access it: eulaw1027 (the event was off the record). The speakers provided insight for a deeper understanding of the broader legal environment in Europe. Sessions focused on European law and institutions, political decision making and the legal regimes of the Benelux region, Spain, France and Germany, as well as an examination of future legal paths. 
Personal data as payment
 The research service of the European Parliament published a very useful Briefing on the future Contracts for Digital Contracts directive, with the controversy of labeling personal data as “money” in the digital arena as the central issue.
Public consultation on liability of AI
The European Parliament launched a public consultation on robots, artificial intelligence, ethics and liability, whose results will inform the initiatives of the European Parliament to issue recommendations/guide policy in this area.
Data protection and competition 
According to the Wall Street Journal, Germany’s Federal Cartel Office opened a new front against big tech firms, saying the way Facebook harvests user data constitutes “an abuse of market dominance”.
The German national competition regulator launched a series of publications to explain the connection between competition and consumer protection in the digital economy. The first publication deals with Big Data and Competition Law. published an analysis of what they called “the data showdown between tech companies and the European Commission”, providing an overview of ongoing investigations at EU level and at national level in EU Member States.
Fuel of the Future. Data is giving rise to a new economy’ is The Economist’s cover this week. The story covers also the impact of GDPR and especially data portability on competition, as well as European Commission’s practice to start considering matters of data protection as part of its competition assessments. 
This might be a case of the blockchain jumping on the GDPR bandwagon, or the other way around, but an article was recently published on “Blockchains and data protection in the European Union“.
Legalframeworks for hacking by Law Enforcement: Identification, Evaluation and Comparison of Practices” – Report published by the Policy department of the European Parliament. 
“Germany’s Crypto Past and Hacking Future” – Germany’s latest national cyber security strategy emphasizes “security through encryption” and “security despite encryption” as the main pillars of government’s crypto policy.
TechCrunch published a report on “How Anonymous WiFi Data Can Still Be a Privacy Risk”, based on a four week trial done last year by the London transport regulator.
You can find a summary of the state of play regarding anonymisation and pseudonymisation on our website. The summary refers to the exceptional papers presented and discussed at the De-identification workshop organised at the end of 2016 in Brussels by the Future of Privacy Forum and the Brussels Privacy Hub.
Encryption backdoors
The European Commission will propose new measures in June to make it easier for police to access data on internet messaging apps like WhatsApp, EU Justice Commissioner Věra Jourová said yesterday (28 March), heeding calls from national interior ministers. (Read more here and here)
Legislative developments 
The EDPS published this week his Opinion on the Proposal for a Regulation establishing a single digital gateway and the “once-only” principle, which is aimed at ensuring that citizens and businesses are requested to supply the same information only once to a public administration, which can then re-use the information they already have.
EDPS issued an Opinion on the Proposal for a Directive on contracts for supplying digital content, which, among other provisions, takes into account that personal data is used as currency for paying for digital content. According to EDPS, “one aspect of the Proposal is problematic, since it will be applicable (…) also where digital content is supplied in exchange for a counter-performance other than money in the form of personal data or any other data. The EDPS warns against any new provision introducing the idea that people can pay with their data the same way as they do with money“. EDPS also warned that the new rules could overlap with the GDPR and the future ePrivacy Regulation: “Overlapping initiatives could inadvertently put at risk the coherence of the Digital Single Market, resulting in regulatory fragmentation and legal uncertainty. The EDPS recommends that the EU apply the GDPR as the means for regulating use of personal data in the digital economy”. One aspect of the Opinion – comparing data with kidneys, made some waves on social media. Follow the legislative process for this Proposal here.
Connected cars
Insurers in Europe launched a public campaign hoping to convince the European Commission to act with regard to ownership of data gathered by manufacturers through connected cars. Their angle is to convince drivers that it would be more difficult to grant other service providers access to their data, limiting thus their access to “competitively priced services”. This is probably a hard sell to both the Commission and drivers, given the right to access and the right to data portability provided for by the GDPR.
While waiting for the official CNIL translation of the guidance on connected cars, here is a good summary in English.
A team of security researchers presented at the DefCamp Conference in Bucharest, last week, their findings on vulnerabilities of Infotainment systems of smart vehicles. They managed to access contacts, call logs, text messages and other information from phones that were previously paired with the cars.
The Article 29 Working Party adopted Opinion 3/2017 on Processing Personal Data in the Context of Cooperative Intelligent Transport Systems (C-ITS). The DPAs commented on a document drafted by the Data Protection and Privacy Working Group of the Cooperative Intelligent Transport Systems (C-ITS) platform, which is an initiative of the Directorate for Transport and Mobility of the European Commission. The Opinion provides insight into how EU DPAs view the principles of data protection applied to processing of personal data by connected vehicles.
Germany is preparing legislation on driverless cars, proposing that protecting people rather than property or animals must be the priority. The transport ministry announced that the rules are drawn-up by a government appointed committee comprising experts in ethics, law and technology.
Here is a link to a comprehensive analysis of “What EU legislation says about car data”. The study was commissioned by FIA, a consumer advocacy group, and was published in May this year.
EU and EEA Member States sign up for cross border experiments on cooperative, connected and automated mobility. 29 European countries, Members of the European Union and of the European Economic Area, have signed a Letter of Intent to intensify cooperation on testing of automated road transport in cross border test sites. This initiative drives forward the plans of the Commission’s strategy to build a European Data Economy announced in January 2017. Read more.

Conference of German Data Protection Authorities releases statement on draft Act on automated driving (DE). Via Andreas Splittberger.
Student privacy
The Danish ministry of Education announced a new set of rules (a draft law) that would allow schools to do background checks on students’ search history and social media activity, according to a report from The Next Web. It would also encourage students to grant schools access to their personal laptops. The draft law already drew criticism from the Danish High School Association and from privacy experts and academics.
Open data
The Research Service of the European Parliament published an analysis on “Data flows – future scenarios“, that examines the current state of play in the open data market and the legal framework in the EU for open data.

If you want to receive weekly updates on developments in EU data protection law and policy, contact Gabriela Zanfir-Fortuna at [email protected].