H-Farm 2024 Fundamentals of IT Law PDF

Summary

This document is a past paper from H-Farm 2024, covering the Fundamentals of IT Law. It delves into topics such as data protection, privacy laws in the EU, and de-identification techniques. Key concepts and specific examples within the context of IT law are explored.

Full Transcript

Giuliano Zanchi, H-Farm 2024, FUNDAMENTALS OF IT LAW

Moreover, in some jurisdictions, such as the EU, additional conditions are required in order to process communication contents in some particularly delicate situations (e.g. explicit authorization from Privacy Authorities, as for processing data in hospitals). Finding the right balance is not simple anyway. On one side the business sector pushes to use more personal data and information from the clients, since these communication contents mean great opportunities for them. On the other side, IT users are asking the legislators to grant an even higher level of protection of their privacy, feeling that the pervasive use of IT devices is endangering the confidentiality of their data (so-called digitalization of privacy). But there are also cases where IT users protest against a level of protection that is higher than expected.

Every time a person, by using an IT device, is asked to communicate personal data and information, it is not clear under which law the protection and surveillance of the shared data and information will be governed:
- the law of the place where the client is located when data and information are shared online?
- the national law of the user?
- the law under which the company managing the digital device "asking" for data/information is incorporated?
- the law of the place where the server hosting the website is located?
- an optional legislation selected during the insertion of data and information?

Conflicting rules in different countries can create severe problems in data collection and treatment. Different legislations provide for different levels of protection and enforce different privacy policies. For the business sector these discrepancies are sometimes extremely difficult to manage due to the specific territorial scope of application of these rules. Sometimes a legislation seeks application whenever the subject in charge of the treatment of the communication contents resides within the territory of that jurisdiction; in other cases, a legislation asks for application of its rules only if the release of the data and information occurs within the territory of that legal system. The risk of legislative overlapping is very high, with even the consequence that individuals might in the end be unwilling to share personal data online if they are uncertain about the applicable rules.
http://curia.europa.eu/juris/document/document.jsf?docid=152065&doclang=EN

Many techniques have been developed and employed by companies in order to escape data protection regulation, and particularly the two main privacy laws worldwide, the US and the EU ones. Among the most frequently used we can mention:
- De-identification
- Anonymization
- Pseudonymization

Personal information contains either direct or indirect identifiers. "Direct identifiers" are data that identify a person without additional information. Examples of direct identifiers include name, telephone number, and government-issued ID. "Indirect identifiers" are data that identify an individual indirectly. Examples of indirect identifiers include date of birth, gender, ethnicity, location, cookies, IP address, and license plate number. It is important to note that de-identified data meets the standards required under US privacy laws for the safeguarding of personal information, while only anonymized data meets the standards required under EU laws, including the GDPR.
"Personal data" is the material scope of data protection law: only if the data subjected to processing is "personal data" will the data protection regulations apply. "Data" that is not personal data (we can call it non-personal data) can be freely processed; it falls outside the scope of application of data protection laws. Under Article 2(1) of the GDPR, personal data means "any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person".

Starting with this normative definition, we learn that personal data is information about a natural person (not a legal person); it can take any form and be alphabetic, numeric, video or images; it includes both objective information (name, identification numbers, etc.) and subjective information (opinions, evaluations, etc.). The relevant element is that this information describes something about a subject that has value and meaning. Insignificant information, which has no meaning, should not be considered personal data, but new technologies have changed the way value is attributed to information, because through them it is possible to collect, measure and analyze a lot of apparently "insignificant" heterogeneous information that, reconnected to a person, is able to produce "value".

When is an individual identifiable?

Breyer case (Case C-582/14), European Court of Justice. The Court was asked to decide whether a dynamic IP address should be considered personal data, and the conclusion was that it should. In this case, the Court expressly stated, for the first time, that the information that allows the identification of a person does not need to be in the hands of a single individual, and that, to determine whether a person is identifiable, "consideration should be given to the totality of the means likely reasonably to be used by the controller or others to identify the person".
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62014CJ0582&from=EN

At the same time, the Court reiterates that the risk of identification appears, in reality, to be insignificant if the identification of the data subject is prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and manpower. In essence, the Court, as well as the GDPR, admits that there can be a remaining risk of identification even in relation to "anonymous" data.

"De-identification" of data is a generic expression which refers to any process used to remove personal identifiers, both direct and indirect. De-identification is not a single technique, but rather a collection of approaches, tools, and algorithms that can be applied to different kinds of data with differing levels of effectiveness. De-identification procedures remove the individual's name and identity details from the relevant transactional data. De-identification is especially important for government agencies, businesses, and other organizations that seek to make data available to outsiders. For example, significant medical research resulting in societal benefit is made possible by the sharing of de-identified patient information.
"Anonymization" of personal data refers to a subcategory of de-identification whereby direct and indirect personal identifiers have been removed and technical safeguards have been implemented such that the data can never be re-identified (i.e., there is zero re-identification risk). This differs from merely and generally de-identified data, which may be re-linked to individuals using a key (e.g., a code or an algorithm). Hence re-identification is not possible with anonymization.

"Pseudonymization" of data refers to another subcategory of de-identification by which personal identifiers are replaced with artificial identifiers or pseudonyms. Pseudonymization can reduce risks to the data subjects concerned and help controllers and processors meet their data protection obligations. EU data protection law defines pseudonymization as "the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person".

These concepts can be expressed in a hierarchy based on the re-identification risk associated with each concept, in the following manner:
- Personally Identifiable Data: data that contains personal direct and indirect identifiers (absolute or high re-identification risk);
- De-Identified Data: data from which direct and indirect identifiers have just been removed (undefined re-identification risk);
- Pseudonymous Data: data in which identifiers are replaced with artificial identifiers, or pseudonyms, that are held separately and subject to technical safeguards (remote re-identification risk);
- Anonymous Data: de-identified data where technical safeguards have been implemented such that the data can never be re-identified (zero re-identification risk).

Have these techniques been recognized as effective under US and EU privacy law?

US privacy law. The Federal Trade Commission (FTC) indicated in its 2012 report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, that the FTC's privacy framework only applies to data that is "reasonably linkable" to a consumer. The report explains that "data is not 'reasonably linkable' to the extent that a company: (1) takes reasonable measures to ensure that the data is de-identified; (2) publicly commits not to try to re-identify the data; and (3) contractually prohibits downstream recipients from trying to re-identify the data". With respect to the first aspect of the test, the FTC clarified that this "means that a company must achieve a reasonable level of justified confidence that the data cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, computer, or other device." Thus, the FTC recognizes that while it may not be possible to remove the disclosure risk completely, de-identification is considered successful when there is a reasonable basis to believe that the remaining information in a particular record cannot be used to identify an individual.

In 2010, the National Institute of Standards and Technology (NIST) identified the following five techniques that can be used to de-identify records of information with varying degrees of effectiveness:
1. Suppression: the personal identifiers are suppressed, removed, or replaced with completely random values;
2. Averaging: the personal identifiers of a selected field of data can be replaced with the average value for the entire group of data (e.g., the ages of 3, 6, and 12 are expressed as the age of 7 for every individual in the data set);
3. Generalization: the personal identifiers can be reported as being within a given range or as a member of a set (e.g., names can be replaced with "PERSON NAME");
4. Perturbation: the personal identifiers can be exchanged with other information within a defined level of variation, i.e., randomly changed within a predetermined range (e.g., date of birth may be randomly adjusted by -5 or +5 years);
5. Swapping: the personal identifiers can be replaced between records (e.g., swapping the zip codes of two unrelated records).
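The five NIST techniques above, applied in sequence to a small data set, as an added Python example (not code from the lecture or from NIST; the records are fictional and constructed for the example, and the function names and field layout are this example's own):

```python
"""Worked example of the five NIST de-identification techniques listed in the
lecture (suppression, averaging, generalization, perturbation, swapping).
Added illustration with constructed data; not part of the original slides."""
import copy
import random
import statistics

# Constructed sample records (fictional people), labelled as such.
RECORDS = [
    {"name": "Alice Rossi", "phone": "+39 055 000001", "age": 3, "zip": "80629", "birth_year": 2021},
    {"name": "Bruno Bianchi", "phone": "+39 055 000002", "age": 6, "zip": "30100", "birth_year": 2018},
    {"name": "Carla Verdi", "phone": "+39 055 000003", "age": 12, "zip": "20121", "birth_year": 2012},
]


def suppress(records, field):
    """1. Suppression: drop the identifier field entirely."""
    return [{k: v for k, v in r.items() if k != field} for r in records]


def average(records, field):
    """2. Averaging: replace every value of `field` with the group mean
    (ages 3, 6 and 12 become 7 for everyone, as in the slide's example)."""
    mean = statistics.mean(r[field] for r in records)
    return [{**r, field: mean} for r in records]


def generalize(records, field, placeholder):
    """3. Generalization: report the identifier as a member of a set
    (every name becomes "PERSON NAME")."""
    return [{**r, field: placeholder} for r in records]


def perturb(records, field, spread, rng):
    """4. Perturbation: randomly shift the value within -spread..+spread
    (birth year moved by up to 5 years either way)."""
    return [{**r, field: r[field] + rng.randint(-spread, spread)} for r in records]


def swap(records, field, rng):
    """5. Swapping: exchange the identifier between records. The multiset of
    values is preserved, but a record's value is no longer necessarily its own."""
    values = [r[field] for r in records]
    rng.shuffle(values)
    return [{**r, field: v} for r, v in zip(records, values)]


def deidentify(records, seed=0):
    """Apply all five techniques and return the data set prepared for release.
    A fixed seed keeps the run reproducible for the reader."""
    rng = random.Random(seed)
    out = copy.deepcopy(records)
    out = suppress(out, "phone")
    out = generalize(out, "name", "PERSON NAME")
    out = average(out, "age")
    out = perturb(out, "birth_year", 5, rng)
    out = swap(out, "zip", rng)
    return out


def leaks_direct_identifier(released, originals):
    """Check before release: does any original name or phone number survive?"""
    direct = {r["name"] for r in originals} | {r["phone"] for r in originals}
    return any(v in direct for r in released for v in r.values())


if __name__ == "__main__":
    for row in deidentify(RECORDS):
        print(row)
    print("direct identifiers left:", leaks_direct_identifier(deidentify(RECORDS), RECORDS))
```

The result is de-identified in the lecture's sense, not anonymous: the swapped zip codes keep the same multiset, and each perturbed birth year stays within 5 years of the original, so anyone holding the original records (or a key to them) can still narrow a released row down to a person. That is why the hierarchy above puts de-identified data at "undefined" re-identification risk rather than zero.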
(Records of information: data sets relating to a person or object.)

EU privacy law. The current General Data Protection Regulation, GDPR (Regulation EU/2016/679, entered into force on May 25, 2018), is clear in saying that it is not applicable to data that "does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is not or no longer identifiable." The zero re-identification risk standard under the GDPR is a stricter criterion than the US reasonable level of justified confidence standard. Thus, the GDPR requires that a data set be anonymized, and not just de-identified, for it to fall outside the scope of the Regulation: if the data has been completely anonymised, the Regulation does not apply.

In 2014, the Article 29 Working Party (WP29) [today the European Data Protection Board, EDPB] released Opinion 05/2014 on Anonymization Techniques, which examines the effectiveness and limits of various anonymization techniques in relation to the legal framework of the European Union. The opinion states that anonymization results in processing personal data in a manner that "irreversibly prevents identification." The WP29 identified the following seven techniques that can be used to anonymize records of information with varying degrees of effectiveness:
1. Noise Addition: the personal identifiers are expressed imprecisely (e.g., weight is expressed inaccurately by -10 or +10 pounds).
2. Substitution/Permutation: the personal identifiers are shuffled within a table or replaced with random values (e.g., a zip code of 80629 is replaced with "Goldenrod").
3. Differential Privacy: the personal identifiers of one data set are compared to an anonymized data set held by a third party, with instructions on the noise function and the acceptable amount of data leakage.
4. Aggregation/K-Anonymity: the personal identifiers are generalized into a range or group (e.g., a salary of $42,000 is generalized to $35,000–$45,000).
5. L-Diversity: the personal identifiers are first generalized, then each attribute within an equivalence class is made to occur at least "l" times (e.g., properties are assigned to personal identifiers, and each property is made to occur within a dataset, or partition, a minimum of "l" times).
6. Pseudonymization (Hash Functions): personal identifiers of any size are replaced with artificial codes of a fixed size (e.g., Paris is replaced with "01", London with "02", and Rome with "03").
7. Pseudonymization (Tokenization): the personal identifiers are replaced with a non-sensitive identifier that traces back to the original data but is not mathematically derived from it (e.g., a credit card number is exchanged in a token vault for a randomly generated token "958392038").

The case of cookies. Web cookies are messages to a web browser or a web server used to identify users and to help customize web pages, speed up their loading, or save site users' login information. When we enter a website using cookies we are asked to release personal information (e.g. name and email address) by filling out a form. These data are packed in a cookie and sent to the web browser/server. The next time the same user goes to that website, the cookies operate as an electronic footprint of the user (for instance, instead of seeing a generic welcome page the user might see a customized page referring to his name). Some cookies are just "session cookies", expiring when the user closes the web browser: they are stored only in temporary memory and are not retained after the single web session.
Other cookies are "persistent cookies", not erased when the user closes the web session, although they are usually set with expiration dates.

Due to the growing trend of malicious cookies (e.g. spyware or adware), cookies set to track users' activity online and carry a number of additional pieces of information about them, many legal systems obliged web servers to release full information to users as to how the information is to be stored in cookies, and to ask for explicit consent from web users any time cookies are used when a webpage is opened. In the EU this rule entered into force, at different times case by case, according to Directive 2009/136/CE. In Italy it came into force in 2015. Many think that these provisions result in an overload of consent for internet users and prevent positive effects for IT users (e.g. remembering shopping cart history), and the EU is now ready to introduce new, more user-friendly provisions: browser settings will provide an easy way to accept or refuse tracking cookies and other identifiers, and no consent will be necessary for non-privacy-intrusive cookies that improve the internet experience.

Essential rules and principles in EU data protection law. The type and amount of personal data a company may process depends on the reason for processing it (the legal basis used) and the intended use. The company must respect several key rules:
- personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data is being processed ("lawfulness, fairness and transparency");
- there must be specific purposes for processing the data and the company must indicate those purposes to individuals when collecting their personal data. A company can't simply collect personal data for undefined purposes ("purpose limitation");
- the company must collect and process only the personal data that is necessary to fulfil that purpose ("data minimization");
- the company must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it is processed, and correct it if not ("accuracy");
- the company can't further use the personal data for other purposes that aren't compatible with the original purpose;
- the company must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected ("storage limitation");
- the company must install appropriate technical and organizational safeguards that ensure the security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technology ("integrity and confidentiality").

Information to the e-customer. At the time of collecting their data, IT users must be informed clearly about at least:
- who the company is (its contact details, and those of the DPO if any);
- why the company will be using their personal data (purposes);
- the categories of personal data concerned (which data the company is interested in);
- the legal justification for processing their data (the regulation that allows the company to use the user's data);
- for how long the data will be kept;
- who else might receive it;
- whether their personal data will be transferred to a recipient outside the EU;
- that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see the complete list of rights);
- their right to lodge a complaint with a Data Protection Authority (DPA);
- their right to withdraw consent at any time;
- where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof: the user has the right to know whether decisions are made by a computer system (automatically) or by human beings.

The information may be provided by electronic communications (emails, disclaimers on a web page, a link to the privacy policy page, alerts via social media, etc.). The IT company must do that in a concise, transparent, intelligible and easily accessible way, in clear and plain language and free of charge.

EU data protection law identifies two different entities involved in data processing: the data controller and the data processor.

The data controller (in Italian, "titolare del trattamento") determines the purposes for which and the means by which personal data is processed. If an IT company decides "why" and "how" the personal data should be processed, that company is the data controller. Employees processing personal data within your organization do so to fulfil your tasks as data controller (data managers).

The data processor (in Italian, "responsabile del trattamento") manages personal data on behalf of the controller. The data processor is usually a third party external to the IT company/data controller. The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must indicate what happens to the personal data once the contract is terminated. A typical activity of processors is offering IT solutions, including cloud storage.

We can also have the situation of joint control of the data, when more organizations determine "why" and "how" personal data should be processed. Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR rules. The main aspects of the arrangement must be communicated to the individuals whose data is being processed. For example, an IT company offers babysitting services via an online platform; that company has a contract with another company allowing it to offer value-added services. Those services include the possibility for parents not only to choose the babysitter but also to rent games and DVDs that the babysitter can bring; both companies are involved in the technical set-up of the website. In that case, the two companies have decided to use the platform for both purposes (babysitting services and DVD/games rental) and will very often share clients' names. Therefore, the two companies are joint controllers, because not only do they agree to offer the possibility of "combined services" but they also design and use a common platform.
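Returning to the WP29 list earlier on this page (techniques 4 to 7: k-anonymity, l-diversity and the two pseudonymization flavours), here is an added Python example that is not part of the lecture: it measures k-anonymity and l-diversity over a small table and shows a keyed-hash pseudonym next to a token vault. The records, the key, the class and function names are all constructed for this example and are not the WP29's or the GDPR's own.

```python
"""Worked example for WP29 techniques 4 to 7: k-anonymity / l-diversity
checks over a constructed table, keyed-hash pseudonymization, and a token
vault. Added illustration; data, key and names are constructed."""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed records: two quasi-identifiers already generalized into bands
# (age band, truncated zip) plus one sensitive attribute. Fictional values.
RELEASED = [
    {"age": "30-39", "zip": "201**", "diagnosis": "flu"},
    {"age": "30-39", "zip": "201**", "diagnosis": "asthma"},
    {"age": "30-39", "zip": "201**", "diagnosis": "flu"},
    {"age": "40-49", "zip": "301**", "diagnosis": "asthma"},
    {"age": "40-49", "zip": "301**", "diagnosis": "asthma"},
]
QUASI = ("age", "zip")


def equivalence_classes(records, quasi=QUASI):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi)].append(r)
    return classes


def k_anonymity(records, quasi=QUASI):
    """Technique 4: the largest k such that every class holds at least k records."""
    return min(len(c) for c in equivalence_classes(records, quasi).values())


def l_diversity(records, sensitive, quasi=QUASI):
    """Technique 5: the largest l such that every class shows at least l
    distinct sensitive values. A class that is k-anonymous but carries a single
    diagnosis still discloses that diagnosis for everyone in the class."""
    return min(len({r[sensitive] for r in c})
               for c in equivalence_classes(records, quasi).values())


def pseudonymize_keyed(identifier, key):
    """Technique 6 (hash functions), done with a keyed HMAC rather than a bare
    hash. The key is the 'additional information kept separately' of the GDPR
    definition: without it the pseudonym cannot be recomputed from the input."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


class TokenVault:
    """Technique 7 (tokenization): random tokens with the mapping held only by
    the vault. The token is not mathematically derived from the original value."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value):
        if value not in self._to_token:
            token = secrets.token_hex(8)          # random, not derived from value
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token):
        return self._to_value[token]


if __name__ == "__main__":
    print("k =", k_anonymity(RELEASED), "l =", l_diversity(RELEASED, "diagnosis"))
    key = b"constructed-demo-key"                  # would live in a separate store
    print(pseudonymize_keyed("alice@example.com", key))
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")   # constructed sample number
    print(token, "->", vault.detokenize(token))
```

On the constructed table k is 2 but l is only 1, because the second equivalence class contains one diagnosis; that is exactly the gap l-diversity is meant to close on top of k-anonymity. For the two pseudonymization flavours, the practical point is where the re-linking information lives: the HMAC key for the hash variant and the lookup table for the vault. Both must be stored and access-controlled separately from the released data for the output to count as pseudonymous rather than merely de-identified in the lecture's hierarchy.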
