Personal Data Protection in Virtual World

1 INTRODUCTION

In today's world we use our personal data on the Internet on a daily basis. We leave our photo on Facebook; we use our name, address, date of birth and phone numbers without even realizing it. Our personal data are also collected from us on a daily basis: when we use a credit card or a GPS system, when we walk down the street, when we chat or make a call, and so on. We can say there is a new generation growing up, a generation of "digital natives": young people who grow up with technology, with computers, Facebook, Twitter, chatting, e-mailing, etc. We can say they are growing up in a different world from the one we grew up in. They are connected 24 hours a day.


2 WHAT ARE PERSONAL DATA?

Before we start to deal with the topic of protection of personal data, we need to understand what personal data are. Personal data are any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Under this definition we can assume that personal data include, for example, a name, an address, a phone number, etc.


To better clarify the subject of personal data I will use the case of Ms Bodil Lindqvist. Mrs Lindqvist worked as a catechist in the parish of Alseda (Sweden). She followed a data processing course on which she had, inter alia, to set up a home page on the internet. She set up internet pages at home on her personal computer in order to allow parishioners preparing for their confirmation to obtain information they might need. At her request, the administrator of the Swedish Church's website set up a link between those pages and that site. Mrs Lindqvist had not informed her colleagues of the existence of those pages or obtained their consent, nor did she notify the Datainspektionen (the supervisory authority for the protection of electronically transmitted data) of her activity. She removed the pages in question as soon as she became aware that they were not appreciated by some of her colleagues. The Court of Justice decided in the field of personal data protection as follows: the act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes 'the processing of personal data wholly or partly by automatic means' within the meaning of Article 3(1) of the data protection directive. The exemption available under the Directive where data are processed for purely personal or domestic activities was ruled not to apply in this case, since that exemption relates only to activities carried out in the course of the private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people.

What are the risks of using personal data on the Internet? I will provide some examples of abuse of personal data. The Financial Services Authority (FSA) fined Nationwide Building Society £980,000 for failing to have effective systems and controls to manage its information security risks. The failings came to light following the theft of a laptop from a Nationwide employee's home last year. "Nationwide is the UK's largest building society and holds confidential information for over 11 million customers. Nationwide's customers were entitled to rely upon it to take reasonable steps to make sure their personal information was secure," said Margaret Cole, director of enforcement. During its investigation, the FSA found that the building society did not have adequate information security procedures and controls in place, potentially exposing its customers to an increased risk of financial crime. Another recent example is the information security breach at Sony Computer Entertainment America ("Sony"), which may affect more than 77 million account holders. An attacker gained illegal access to personal information stored on both the PlayStation Network and the Qriocity online music and video service, Sony announced on its blog on April 26. The information included names, addresses, log-in and password credentials, password security answers, email addresses, and birth dates. User purchase history and credit card information may also have been compromised.


3 EUROPEAN LEGAL FRAMEWORK


Article 16 of the Treaty on the Functioning of the European Union, as the basic legal framework, stipulates that everyone has the right to the protection of personal data concerning them. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.
Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms stipulates that everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
Article 8 in the Charter of Fundamental Rights of the EU stipulates that everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority.
In this field a specific directive regulating such data protection was adopted: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the "Data Protection Directive"). The object of this directive is to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data. It regulates the manner in which personal data can be gathered in the EU, the rights of EU citizens with respect to their personal data, and the transfer of personal data to non-EU countries. This is the main and key directive in this field. It does not apply to the processing of data: a) by a natural person in the course of purely personal or household activities; b) in the course of an activity which falls outside the scope of Union law, such as operations concerning public security, defence or State security. Every person shall have the right to a judicial remedy for any breach of the rights guaranteed to him by the national law applicable to the processing in question. In addition, any person who has suffered damage as a result of the unlawful processing of their personal data is entitled to receive compensation for the damage suffered. There have been many articles dealing with this directive and clarifying its aim, purpose and content. In this article I would like to emphasize some missing points and issues in the current legal framework.
Another source of legal information is Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). This Directive harmonises the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communications sector, and to ensure the free movement of such data and of electronic communication equipment and services in the Community. The provisions of this Directive particularise and complement the Data Protection Directive for the purposes mentioned above. Moreover, they provide for protection of the legitimate interests of subscribers who are legal persons. Information and Communication Technologies (ICTs), and in particular the Internet and electronic messaging services, call for specific requirements to ensure that users have a right to privacy. This Directive contains provisions that are crucial to ensuring that users can trust the services and technologies they use for communicating electronically. The main provisions apply to spam, ensuring the user's prior consent ("opt-in"), and the installation of cookies.
Another directive in this field I would like to mention is Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (Data Retention Directive). This Directive applies to traffic and location data on both legal entities and natural persons and to the related data necessary to identify the subscriber or registered user. It does not apply to the content of electronic communications, including information consulted using an electronic communications network.
Regulation 45/2001/EC of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data aims to protect personal data within EU institutions and bodies. The text provides for rules to ensure a high level of protection for personal data processed by the Community institutions and bodies and for the creation of an independent supervisory body to monitor the application of these rules.
As we can observe, the legal framework of data protection is widely covered by Union law, which shows the importance of this topic.


4 DEFICIENCIES OF CURRENT LEGAL FRAMEWORK


In this part of the article I would like to focus on current virtual world issues which need legal regulation.

Firstly I would like to mention cloud computing. This is a new way of storing personal data: the data are somewhere in the "clouds" and not on a server of one party. Personal data stored in the cloud need special protection. There is also the issue of the location of the cloud, namely which legislation shall apply.
Another issue is social networks. Does EU data protection legislation apply, or do we need another legal regulation for this kind of sharing of personal data? I would like to use the social network Facebook as an example. As you might have experienced, anybody can post a picture of you and tag you in the picture. Then everybody who sees this picture knows what you were doing and with whom. You do not even know that someone tagged you in a picture, and you cannot influence who will see it. But there are other questions relating to social network data protection. Who is the controller? Where is the establishment? What are the obligations?
Because of all these and other hot issues, in January 2012 a reform of data protection law was announced by the European Commission. This reform should bring businesses certainty with one hand while handing them a major headache with the other. The change that ought to please businesses most is that one law will apply across the whole of the EU, which will make doing business across Europe much easier from a data protection perspective. On 25 January 2012 a proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) was presented. The proposal provides welcome consistency for businesses. The Commission has proposed replacing a Directive, which each country must turn into its own law, with a Regulation. Instead of 27 confusing, sometimes conflicting implementations of a Directive, organizations will be faced with a single law that applies across the whole single market. Viviane Reding's (one of the Commissioners proposing the new law) view is that "this allows for major cost savings and process improvements for organizations that process personal data in the course of their activities in Europe. They would be able to set their policies, process data and deal with data protection problems in a single way across the entire EU. This is a major improvement." There are problems for businesses with the proposal, though. Some affect large organizations and some affect small ones, but the overall picture is the same: the law is being introduced in part for the purpose of "increasing the effectiveness of the fundamental right to data protection and putting individuals in control of their data", as the proposal makes clear, and organizations face potentially significant costs and other challenges in implementing the new measures.
One area of the proposal that certainly is not going to be welcome to any organization is the sanctions regime. In the case of companies the sanctions are potentially levied by reference to global annual turnover in a way similar to the regime in place for competition law offences. It appears that Reding has made some concessions on the issue, however. Whilst the potential size of the fines, which could reach 2% of turnover for businesses and €1 million for public bodies, will alarm organizations across the sectors, it represents a climb-down from the proposed 5% figure contained in an earlier leaked draft that was under consideration. Calculation of fines in competition cases is a well-developed science, and national data protection regulators will have some catching up to do to administer these sanctions proportionately and wisely.
Another area of the proposal that has been the subject of much discussion ever since it was dropped from the ePrivacy Directive, where it only applies to organizations in the telecoms sector, is the data breach notification requirement. This requires the data controller to report a breach in data security to its national supervisory authority not later than 24 hours after having become aware of it, where feasible. Under the proposed new law, where the breach is likely adversely to affect individuals the controller must also communicate the breach to the data subject “without undue delay”. Finally, processors must alert the controller on whose behalf they are handling data “immediately” after the establishment of a personal data breach. These timescales will be challenging for some organizations, because there is a lot more to do than simply notify the supervisory authority and individuals, or the controller. Not every organization will have a clear view itself of exactly what has happened and how serious the problem is within 24 hours nor, within that timescale, what measures to recommend to mitigate the adverse consequences. As for processors, who have to notify the controller “immediately”, they first have to work out when the breach has been “established”, which is a new concept. It is in everyone's interests that organizations act quickly, but it will be counterproductive if affected individuals are left either indifferent or confused about what practical steps they need to take following notification that their data is no longer secure. Certainly the experience of consumers in the US, where most states now have data breach laws, has been mixed in this regard.

The problem with notifications is that they can desensitise the public and organizations to the seriousness of data protection issues. If every breach is reported and nothing terrible seems to happen, the impression can be given that data breaches are not that big a problem. Medium-sized companies will balk at the requirement that every organization with 250 or more employees should have a data protection officer. This will be the case even if they do not process very much personal data. All public bodies will have to have a DP officer. It is right that organizations take responsibility for the way they handle data, but any requirement that imposes a fixed cost in this broad way is disproportionate.
One part of the proposed law that is certain to cause yet more debate is the 'right to be forgotten'. According to this proposal people will be able to delete information about them held by others that they had supplied in the first place. This idea is highly controversial. The impact of the right to be forgotten on the big internet platform businesses, such as Facebook, LinkedIn and Twitter, has of course received a lot of attention and will rightly continue to do so. But the right imposes obligations on all sorts of publishing businesses, and other sectors too.
The draft Regulation provides that the right is a 'qualified' right and that it applies only where certain grounds have been met, such as where the data is no longer necessary for the original purpose of collection or the individual has withdrawn consent or objected to the processing. Objections must be upheld unless the controller demonstrates "compelling legitimate grounds" for the processing.
The Regulation is full of 'implementing acts' and 'delegated acts'. These acts give the Commission the power to specify detail about how a particular article of the Regulation should work. How it uses this power must be closely scrutinised.


5 CONCLUSION

The virtual world is still developing and the law has to respond to this development. There are a lot of issues not covered by current Union law in the field of personal data protection. The Commission has already reacted to some "hot issues" (such as social networks, cloud computing, etc.) in the virtual world and has presented a proposal addressing and regulating them.

By: Daniela Ježová, lawyer in Slovakia