Norms for Cyber Peace: Personal Data Protection 

ICT4Peace Discussion Paper #1

Responsible behavior and expected contributions to security of information systems and services by governments, industry, information infrastructure operators and users are unclear, with several international organizations due to look into the issue in 2014-2015.

The Norms for Cyber Security project is intended to look into the existing legal and policy frameworks addressing key cyber security issues based on consultations and expert input. ICT4Peace will solicit studies of the following topics in 2014: privacy and data protection (Feb-Mar), territoriality and national control over cyberspace (Apr-May), obligations to secure ICTs and infrastructure (Jun-Jul), product liability and consumer protection (Aug-Sep), international cooperation and assistance in cyber conflict resolution (Oct-Nov). For each topic, ICT4Peace will prepare a Discussion Paper that will be shared with academics and practitioners to solicit their views, comments and recommendations on the subject. Based on the input received, ICT4Peace will identify where existing regulatory and policy frameworks fail to provide comprehensive, adequate and implementable solutions to contemporary cyber security issues.

Each study will result in recommendations on best practices, notes on implementation modalities and a summary of the overall contribution by each respective legal and policy field to national and international cyber security. These studies are intended to contribute to the discussions of responsible state behavior in cyberspace and to the resolution of shared responsibilities between multiple stakeholders of cyber security.

INTRODUCTION

The concept of control over personal data and the sufficiency and effectiveness of current data protection regulation have reappeared as a subject of international discussions as utility computing and heightened concerns around national intelligence gathering expose the age, formality and complexity of the current regulations. Personal data protection concerns are equally heated by reports of cybercrime involving breaches of credentials and banking data, while data protection regulations and practices across the world are seen to handicap law enforcement and investigation.

Just a few decades old, the legal regime of personal data protection has difficulties responding to contemporary opportunities of data processing. Existing legal frameworks worldwide often fail to provide an identifiable chain of control over processing of data by governments and industry alike. Thus, upgrades to data processing laws constitute an essential element of regional and international cyber security efforts. With ample information in plain sight and easily accessible, the question becomes if and how it should be obtained and, where it has been obtained, what rules govern its use.

I ISSUE STATEMENT

Changes in technological capabilities are raising new questions about privacy safeguards. Some of the most actively discussed challenges to personal data protection derive from the popularization of utility computing, social media and corresponding challenges and opportunities for law enforcement and national security. Consideration of data protection guarantees contributes to user confidence in online services and therefore supports economic development goals that many governments have vested in ICT markets. Transparency concerns around both business and government practices in data collection and profiling have been revived in the light of media revelations about national security agencies’ data processing routines. This highlights data protection as a regulatory and policy concern both from a market and economic growth perspective and for national security and situational awareness requirements of governments.

a. CLOUD SERVICES AND SOCIAL MEDIA

As Gartner has noted, the ICT sector is poised for strong growth of cloud services[1] and according to IDC the amount of information created and stored digitally will comprise 7 zettabytes[2] by 2015[3]. With countries across the world having high expectations towards cyber shares in their GDP, the question of transparency and trustworthiness of business and service models is ever more acute. Among cloud computing service providers the dominant players are the US, EU and Japan. In 2014 Western Europe is forecast to account for 29 percent of the market against the US 50 percent, while Japan will represent 12 percent of cloud services revenue.[4]

Cloud-related data processing practices involve data handling simultaneously in multiple locations: dispersed storage around the globe, instantaneous re-combination and cross-border transfer by individuals carrying mobile devices. Routinely, IT services require and allow organisations and individuals to access data that may be stored anywhere in the world.[5]

Advances in data processing practices and technologies have triggered extensive debate among data protection scholars and practitioners and prompted regulatory responses. Among others, the International Working Group on Data Protection in Telecommunications (IWG-DPT) and the EU Data Protection Working Party 29 (WP 29) have addressed the issue from a regulatory and policy reform perspective.

IWG-DPT concludes that among the fundamental issues of data protection in the cloud are the lack of internationally agreed terminology and the progressing development of technology in this segment.[6] At the same time the popularity of cloud services combined with the business incentives involved both on the provider and the client side has led to a frequency and volume of transactions that call for national and international regulation at a level beyond contractual or generic protective provisions. WP 29 emphasizes the numerous data protection risks triggered by wide-scale deployment of cloud computing services, mainly in the context of lack of control over the data and absence of transparency of data processing operations.[7] WP 29 further lists the multiple processors in the outsourcing chain, unavailability of a common data portability framework and restrictions to cross-border transfer as key issues related to cloud computing, concluding that the main risks associated with cloud computing derive from the (perceived) lack of control over the data and absence of transparency about the service infrastructure and providers.[8] ITU has concluded that cloud computing must not lead to a lowering of data protection standards as compared with conventional data processing.[9]

The popularity of social media services has also introduced controversial trends from a customer and data protection perspective. While polls indicate concerns for online privacy guarantees, the number of social media users is steadily growing with an increasing amount of personal data posted by data subjects themselves or their friends, relatives and employers.[10]

Despite general public pessimism as to privacy guarantees online and reported attempts by individuals to manage their digital footprints, there is indication of low threat awareness and risk naiveté among internet users. Anonymous comments, deleting past posts and content, using fake names and giving inaccurate information about oneself are regarded as self-help remedies for being less visible online.[11] On the other hand, reactions to revelations about data processing practices of national security authorities and statistics of cybercrime indicate that users are unaware or ignorant when it comes to privacy enhancers such as cryptography, critical scrutiny of their e-mail communications and self-restraint in their online activities.

The lines between services are blurring as many social media service providers and online merchants store their data, including uploaded photos and videos in the cloud. This makes it more difficult for users to track the terms and conditions applicable to their data and records and complicates remediation against data-related complaints.

While mazes of data and anonymous uses also intimidate law enforcement agencies and national security authorities across the world, the more capable among them have acknowledged the prospect of utility computing and paradoxes of social media and have developed capabilities to find needles in the haystack, or to store the hay until the needles need to be found.

b. PERSONAL DATA AND LAW ENFORCEMENT

Law enforcement agencies have recognized the utility of publicly available personal data. Social media can also be leveraged for everything from soliciting crime tips to sharing safety-related information and improving community relations.[12] In the US, four out of five law enforcement officers use social media to trace evidence and clues to crimes. Social media monitoring constitutes a growing law enforcement practice. Geo-location and social media monitoring are but a few examples of ways to make Twitter or Facebook data actionable for law enforcement. More than three-quarters of law enforcement officers who don’t use social media now as part of their investigative tasks plan to start using it within the next 12 months.[13]

The liberty to reach out for electronic traces and evidence is not readily granted to law enforcement agencies, whose authority and approaches are contested by legislative and judicial authorities, offering favorable treatment to data subjects regardless of their intentions and modi operandi and heavily scrutinizing law enforcement considerations and practices.

Effective use of social media and utility computing for law enforcement purposes requires routines, practice and transparency. While data protection regulations are seen by some as carrying an operational disadvantage for investigation and prosecution purposes, countries with established policies and regulatory frameworks for electronic communications operators, online service providers and law enforcement agencies are generally better prepared to implement efficient law enforcement in and via cyberspace. Law enforcement agencies should craft strong social media policies and procedures, including working level links to relevant private sector actors such as ISPs or website operators.

c. DATA COLLECTION FOR NATIONAL SECURITY PURPOSES

In the face of revelations by Edward Snowden, governments of technologically advanced countries have been accused of collecting vast amounts of data for vaguely defined ‘national security’ purposes. While it is difficult to judge emerging cyber intelligence practices based on media allegations, it is uncontested that the NSA and its partner agencies have been running huge quantities of communications metadata through computer programs designed to identify extremely small target sets on the basis of very strict criteria.[14]

National security and intelligence matters are and will likely remain opaque threads of state affairs, but recent publicity around FVEY intelligence routines has identified the need for a credible narrative and a backing regulatory framework for relevant practices and operations.

Public debates on matters of national security are difficult without a due communication strategy in place. In particular, policies and regulations should exhaust allegations of excess error, injustice and indiscrimination – relevant criteria to be measured against established national security priorities and practices that do not easily transfer from one jurisdiction into another, yet can be facilitated by supporting initiatives and harmonization of regional alliances.

Other considerations to be addressed in the context of national security are the true effects and cost-effectiveness of safeguarding one’s own sensitive and critical data and services. While it is suggested that data jurisdiction choices would scrutinize undesired access to data, practitioners challenge national ambitions to keep national data in their own or friendly jurisdictions due to technical complexities and capabilities as well as high costs involved. Nevertheless, defining requirements applicable to data under one’s own jurisdiction and exercising due diligence over sensitive and critical data service models reduce the risks of being put under foreign jurisdictional scrutiny.

INTERNATIONAL PERSONAL DATA PROTECTION FRAMEWORKS

Conceptual legal approaches to personal privacy emerged in the United States in the 1890s in response to concerns about emerging print media invasions of private life. Europe after the Second World War saw privacy protection instruments responding to existential threats and human dignity concerns. Interest in the right to privacy amplified worldwide in the 1960s and 1970s with the advent of information technology. Today, data processing comes with a sophisticated set of legal requirements against unwarranted intrusions into private affairs, public disclosure of private facts, false publicity and identity appropriation, both offline and online.

The close of the 1970s saw an energetic effort in a number of international organisations studying the proliferation of data protection and data privacy issues and relevant regulatory responses, seeking to define certain basic rules that can be used as a benchmark for national privacy legislation. The first data protection regulations and policies were introduced at the international level in the early 1980s, with the OECD, Council of Europe and the European Union being the first to implement a harmonized set of legal requirements in the field.

The year 1980 saw the adoption of the first international instrument to address privacy online. In response to the danger that disparities in national legislations could hamper the free flow of personal data across frontiers, the OECD adopted Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines) on 23 September 1980. This instrument was an invitation to member states to harmonize their domestic legislation in the field in order to guarantee that appropriate steps are taken by their national entities to safeguard personal information.

When the OECD Guidelines were drafted, data flows largely constituted discrete point-to-point transmissions between businesses or governments. Even though not legally binding, the OECD Guidelines set the first minimum standards of privacy protection measures for its constituency. Serving as the foundation of privacy regulations in over 30 countries, the OECD Guidelines are still frequently suggested as one of the most appropriate sets of principles for implementation and enforcement of privacy online in the US.[15] The OECD Guidelines propose eight basic data protection principles to be applied to the protection of privacy in all kinds of information systems as well as any other information technology. Several other international instruments, including the COE Convention and the EU Data Protection Directive, echo all or several of these principles.

Also in September 1980, the Council of Europe (COE) Committee of Ministers adopted the COE Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (COE Convention). Unlike the OECD instrument, the COE Data Protection Convention was legally binding, although it did not come into force until a year later. The text of the COE 1981 convention was elaborated in close cooperation with the OECD and with participation by observers from Australia, Canada, Japan and the US.[16]

The COE Data Protection Convention was the first to extend international legally binding protections to the increasing cross-border movement of personal data. Compared to the OECD document, it puts special emphasis on the requirement for privacy in the context of economic development. The COE Data Protection Convention does not contain the openness principle, yet specifies the other seven principles and criteria for their implementation. The Convention provides considerable detail on the procedures for cooperation between. Just as the Cybercrime Convention is the only international binding instrument addressing substantive and procedural criminal law in the field, the COE 1981 convention is the only international agreement specifically devoted to privacy protection in the context of uses of ICTs.

However, neither of these two instruments is self-executing as they both require transposition into national legislation. Their goal of encouraging countries to develop and adopt legislation in the field is further achieved via numerous non-binding instruments and regional initiatives of model legislation, such as the Commonwealth Secretariat Draft Model Law on the Protection of Personal Information[17].

Building on the initiatives of the Council of Europe and OECD, the UN adopted Guidelines for the Regulation of Computerized Personal Data Files (UN Guidelines) in 1990[18], thereby emphasizing the importance of data protection not only in the industrialized countries, but also in the whole global community. Resolution 45/95 called for national implementation of established data protection principles like lawfulness, fairness, accuracy, purpose-specification, interested-person access, non-discrimination and security. Despite the efforts of several international organizations, data protection movements did not emerge in Russia, the Middle East and Africa until the mid-2000s. Part of the issue had to do with the non-binding nature of the UN Guidelines – these serve as mere recommendations to national authorities.

EU APPROACH TO PERSONAL DATA PROTECTION

In the EU, where data protection regulation has been greatly influenced by the German example, the individual’s dignity forms the core of informational self-determination. In the European Union, the primary instruments addressing data privacy are the Personal Data Protection Directive[19], E-Privacy Directive[20] and Data Retention Directive[21].

As data protection laws proliferated across Europe during the 1980s, there were significant divergences among those laws and harmonization became an important goal for Europe. In 1995, following the Maastricht Treaty of European Union, the European Union adopted Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data[22] to harmonize the existing national laws within the European Union. The Directive sought to assure that all Member States provided satisfactory privacy protection and to assure the free flow of personal information across Europe through the respect of basic, standardized protections.[23] The Directive created an obligation on each Member State to enact national legislation implementing standards to protect all information about an identified or identifiable individual whether or not the data is publicly available. The Directive requires that an individual’s consent be obtained prior to processing personal information in private data protection affairs. The Directive restricts the collection and use of personal information not relevant for the stated purpose of processing. It provides that processing of personal information must be transparent, with thorough information provided to individuals about details of processing of their personal information. Organizations processing personal information must provide the data subjects with access to their personal information and must correct errors.[24]

One of the key provisions in the European Data Protection Directive is Article 25, restricting the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer. Transfers from the EU may take place only if the third country in question ensures an adequate level of protection.[25] This requirement constitutes a practical consideration for countries interested in economic exchange with the European Union. The European Commission has so far recognized Andorra, Argentina, Australia, Canada (commercial organisations), Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Uruguay and the US Department of Commerce’s Safe Harbour Privacy Principles as providing adequate protection.[26] Directive 2002/58/EC addresses the right to privacy with respect to the processing of personal data in the electronic communication sector.

In 2006 the EU adopted the Data Retention Directive[27], whereby providers of publicly available electronic communications services or of public communications networks were required to retain traffic and location data for the purposes of the investigation, detection and prosecution of serious crime.

In November 2012 the European Commission initiated a comprehensive reform of the EU’s data protection rules due to technological progress and globalization and in the face of divergence in implementation and enforcement of the 1995 directive in the 27 EU Member States. As part of a rather ambitious regulatory reform, the following additional privacy data guarantees have been proposed.

  • a single set of rules on data protection, valid across the EU;
  • simplified procedures for remedies and information for data subjects;
  • applicability of EU data protection rules to personal data processed abroad, making companies outside the EU subject to EU data protection regulation if they offer goods or services in the EU;
  • ‘right to be forgotten’ to help manage data protection risks related to social media and data copied between databases;
  • stricter requirements on acquiring and documenting consent where consent is required for data processing;
  • easier access to data and guarantees for personal data transfer from one service provider to another;
  • duty of breach notification.[28]

In most European countries, data protection is consolidated into one general data protection instrument that is then complemented with sector-specific provisions (e.g. data protection in law enforcement, banking, and telecommunications). The European Union approach to personal data protection has been the most comprehensive and detailed one, centring on the fundamental right of informational self-determination.

The examples of EU regulatory leadership in the fields of personal data protection, e-commerce and e-services and cyber crime are remarkable. Possibly not transferable to other regions word-by-word, the efforts of Working Party 29[29] and the collective experience feeding into the revisions of the personal data protection directive[30] and the upcoming Directive on attacks against information systems[31] are significant.

Another success story to copy from the EU is their progress with CERT cooperation and, indeed, the rise of ENISA as a true clearinghouse of network and information security expertise. As CERTs are an operational cornerstone of successful cyber security, EU lessons of establishing, maintaining and upgrading a regional organization to coordinate NIS are difficult to beat.

EU lessons are valuable in terms of creating a single market among a relatively homogeneous group of countries but do not provide a workable solution in and of itself. The EU model is observed to lack consistency of implementation, comes with relatively high implementation costs especially for small and medium-sized enterprises and has not taken into account acute issues of situational awareness and information exchange (including between CERTs) for cyber security purposes, notably regarding IP addresses as personal data and imposing a very high burden of compliance for data exchange. While the EU priority setting and characteristics of success and failure may not be transferable one-to-one, they provide useful models for thought and decision-making. Also, engaging in capacity building programs helps avoid duplication of regional and national efforts as it facilitates clearinghouse processes for certain capacity areas, especially online markets and rule of law.

ITU and UN emphasize the need to improve data protection requirements in the light of personal rights, ICT share in economic growth and improved cyber security. A consensus document of 50 governments adopted in November 2009 outlined a set of uniform principles of personal data processing and proposed a resolution on International Standards of Privacy.[32]

Global surveillance concerns have caused reflections in international privacy law. Brazil and Germany have promoted protecting online privacy by tabling a proposal that led to reaffirmation by the UN of the basic principle that human rights apply online as they do offline, a principle earlier highlighted by the Human Rights Commission. On 18 December 2013 the UN General Assembly adopted a resolution tabled by Germany and Brazil on protecting online privacy.[33]

Table 1: International and Regional Instruments on Personal Data Processing

| Year | Organization | Instrument |
| 1980 | OECD | Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data |
| 1981 | COE | Convention nr 108 The Protection of Individuals with Regard to Automatic Processing of Personal Data |
| 1990 | UN | Guidelines for the Regulation of Computerized Personal Data Files |
| 1995 | EU | Dir 95-46-EC Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data |
|      | EU | Res 96-C 329-01 on the Lawful Interception of Telecommunication |
| 2001 | COE | Additional Protocol to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data regarding Supervisory Authorities |
| 2002 | EU | Dir 2002-58-EC Directive Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector |
| 2006 | EU | Dir 2006-24-EC Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public |
| 2009 | EU | Dir 2009-140-EC Electronic Communications, Networks and Service |
| 2012 | UN | The Promotion, Protection and Enjoyment of Human Rights on the Internet |
| 2013 | UN | The Right to Privacy in the Digital Age |

SELECTED NATIONAL APPROACHES TO DATA PROTECTION

Canada introduced the Personal Information Protection and Electronic Documents Act (“PIPEDA”) in the late 1990s with special emphasis on promoting consumer trust in electronic commerce. The act has been reformed over time to respond to developments in the field of electronic exchange, containing various provisions to facilitate the use of electronic documents. Other FVEY countries have also been assessed as implementing an adequate level of protection. Canada has presented a model where organizations implementing a higher standard of privacy protection are accepted to exchange personal data with the EU. The Canadian approach reinforces the ‘Dubai Model’ whereby organizations such as the Dubai Financial Centre implement a set of data privacy regulations that correspond to their business purposes.

The US has left the protection of privacy to markets rather than regulation. Europe treats privacy as a political imperative anchored in fundamental human rights and approaches privacy from the perspective of social protection.[34] The European data protection regime grants each individual (data subject) a basic legal right to informational self-determination, understood as control over collection and use of personal data. In contrast, the US approach to privacy protection derives from the context of intellectual property protection. In effect, Europe was displacing the role that the United States had held since the famous Warren and Brandeis article[35] in setting the global privacy agenda.

The US regulation in the field is divided between instruments of common law, federal legislation, the Constitution and state law.[36] While the US regulatory model is hardly one to copy, it provides valuable insight into some practical concern areas. In the US, privacy protection has been motivated by liberty and historically restricted by its respect for the market. Legal guarantees to privacy are less predictable and straightforward in the common law system than in countries with continental legal systems. It is believed that landmark court cases will incentivize fair practices by data processors, while audits and reviews upgrade data protection practices in the public sector. The American approach to data protection has been criticized numerous times as opaque, fragmented and falling short of the adequacy required for personal privacy guarantees in the Information Age. Despite internal and external criticism, the US approach to data protection represents a case study of strong national security interests and their pursuit on the international data protection landscape. Tailor-made solutions like the Safe Harbor Agreement and PNR Arrangement testify to a strong international posture and diplomatic skill that complement national policy and regulatory frameworks. Still, the 1974 Privacy Act[37], US PATRIOT ACT[38] and FISMA[39] all contain samples of problem-specific solutions. Overall, the US model has resulted in implementation issues, with different interest groups often having strongly deviating views on priorities and implementation modalities. It has been assessed that the US data protection approach is not best suited for ICT market growth.

Privacy laws have emerged in the Asia-Pacific region, mainly due to the acknowledgment of data protection guarantees as a booster of economic development. Singapore presents an example of modern data protection law favouring commercial flexibility and a business-friendly approach. Prior to 2012, Singapore did not have overarching legislation on data protection. On October 15, 2012, the Singapore Parliament passed the Personal Data Protection Act 2012 (PDPA). The PDPA has two objectives: (i) to enhance an individual’s control over his or her personal data, defined as “information about an identified or identifiable individual”; and (ii) to enhance Singapore’s competitiveness and strengthen its position as a trusted business hub. Unlike the EU laws, the PDPA does not reference a fundamental right of privacy and it greatly exempts government agencies as norm addressees. The Singaporean approach to personal data protection is worth noting as it represents a recent approach with prime emphasis on ICT markets. The Singaporean act leaves government institutions largely uncovered, which, again, when left unattended, can cause excess security flaws.

LEGAL PRACTICES AND UNRESOLVED ISSUES

To be invited:

  • Dutch input about handling the BredoLab Botnet;
  • National discussions on data protection in Brazil and Germany;
  • Court cases in the US;
  • NSA reform;

[2] 1 zettabyte equals 1 billion terabyte.

[6] Sopot Memorandum, page 2.

[7] WP 29 Opinion 2012

[8] WP 29, page 1

[9] Sopot Memorandum, page 3.

[15] Rotenberg 1993, 64; Madsen 1992, 195; Tuerkheimer 1993, 71

[16] Hondius Data Law in Europe, 16 Stan. J. Int’l L. 87 1980, 109

[17] REF NEEDED!

[18] General Assembly resolution 45/95 of 14 December 1990

[22] 1995 O.J. (L281) 31 (Nov. 23, 1995)

[29] The Article 29 Data Protection Working Party was set up under the Directive 95/46/EC (see fn 4). In its advisory status it has delivered dozens of opinions elaborating on aspects of data protection regulation development and implementation.

[30] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

[35] Samuel Warren & Louis Brandeis, The Right of Privacy, 4 Harv. L. Rev. 193 (1890)

[36] Avner Levin and Mary Jo Nicholson, Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground, page 360.