Platform Privacy: The Missing Piece of Data Protection Legislation

AuthorMagnus Westerlund - Joachim Enkvist
Pages2-17
2016
Magnus Westerlund and Joachim Enkvist
2
1
Platform Privacy: The Missing Piece
of Data Protection Legislation
by Magnus Westerlund and Joachim Enkvist*
© 2016 Magnus Westerlund and Joachim Enkvis t
Everybody may disseminate this ar ticle by electronic m eans and make it available for downloa d under the terms and
conditions of the Digital P eer Publishing Licence (DPPL). A copy of the license text may be obtain ed at http://nbn-resolving.
de/urn:nbn:de:0009-dppl-v3-en8.
Recommended citation: Magnus Wes terlund and Joachim Enkvist, Pla tform Privacy : The Missing Piece of Data Protec tion
Legislation, 7 (2016) JIPITEC 2 pa ra 1.
Keywords: Platform Privacy; Data Protection; GDPR; Data Storage Solutions; Internet of Things
tection challenges with the now proposed Regula-
tion as the adoption of the “Internet of Things” con-
tinues. The findings of this paper illustrate that many
of the existing issues can be addressed through leg-
islation from a platform perspective. We conclude by
proposing three modifications to the governing ra-
tionale, which would not only improve platform pri-
vacy for the data subject, but also entrepreneurial ef-
forts in developing intelligent service platforms. The
first modification is aimed at improving service dif-
ferentiation on platforms by lessening the ability of
incumbent global actors to lock-in the user base to
their service/platform. The second modification pos-
its limiting the current unwanted tracking ability of
syndicates, by separation of authentication and data
store services from any processing entity. Thirdly, we
propose a change in terms of how security and data
protection policies are reviewed, suggesting a third
party auditing procedure.
Abstract: After years of deliberation, the EU
commission sped up the reform process of a com-
mon EU digital policy considerably in 2015 by launch-
ing the EU digital single market strategy. In particular,
two core initiatives of the strategy were agreed upon:
General Data Protection Regulation and the Network
and Information Security (NIS) Directive law texts. A
new initiative was additionally launched addressing
the role of online platforms. This paper focuses on the
platform privacy rationale behind the data protec-
tion legislation, primarily based on the proposal for a
new EU wide General Data Protection Regulation. We
analyse the legislation rationale from an Information
System perspective to understand the role user data
plays in creating platforms that we identify as “pro-
cessing silos”. Generative digital infrastructure theo-
ries are used to explain the innovative mechanisms
that are thought to govern the notion of digitalization
and successful business models that are affected by
digitalization. We foresee continued judicial data pro-
A. Introduction
1
During the last twenty years, the world has gone
through a technology era often referred to as the
Internet age. This has led to a tremendous change in
how individuals and businesses function in daily life.
Yet, across the world, privacy laws which govern the
operational modus for companies providing services
to consumers, may have been devised during a
time when the Internet was predominantly used in
research and academia. It can be argued that the
Internet was initially designed without security or
privacy in mind, but rather as a method for allowing
countless data packets and as many nodes as possible
to pass through the network unhindered. Based on
these technical design goals we can consider the
Internet a complete success as, for example, today
the data packet delivery time over large distances is
to a large extent limited by physical laws and not by
technological constraints. However, the impossible
task of foreseeing the impact of the Internet on our
social constructs, has to a large degree directed
subsequent academic research in the eld towards
trying to solve issues of security and privacy
that were omitted from the original standards.
These are considerations that the initial Internet
communication protocol did not address. One
example is that the email communication protocol
does not include an encryption policy, and as a
consequence email trafc between two organisations
is mostly transferred in a plain text format. Arguably,
Platform Privacy: The Missing Piece of Data Protection Legislation
2016
3
1
the majority of research in the area of security and
privacy is based on the assumption that anonymity
in its various forms is achievable and desired.
2
The European Data Protection Directive
1
(95/46/EC)
adopted in 1995 and subsequently enacted in national
legislation in the separate member states, was based
on the premise of the right to respect one’s “private
and family life, his home and his correspondence”
Rights2 (Article 8, CETS No.: 005, 1950). The
subsequent point in Article 8 states: “There shall
be no interference by a public authority with the
exercise of this right except such as is in accordance
with the law and is necessary in a democratic society
in the interests of national security, public safety
or the economic well-being of the country, for the
prevention of disorder or crime, for the protection
of health or morals, or for the protection of the
rights and freedoms of others.”. In the context of the
business-consumer relationship, the Data Protection
Directive has consequently been interpreted that
information pertaining to identifying a physical
individual can only be stored and processed with the
consent of the data subject. Data processing should
also be proportionate in relation to the legitimate
purpose pursued. The proportionality measure
refers to what the minimum extent is for delivering
the expected service to the data subject.3
3
Considering that the most dominant Internet-related
service providers are often non-EU based companies
(mostly US companies) and that countries such
as the US have no encompassing data protection
law, the enforcement of EU law for the benet of
its citizens and companies has been challenging. A
recent example of such a dispute was a call from the
EU Parliament to “unbundle search engines from
other commercial services”.4 This stems from a fear
of anti-competitive practices related to a search
engine provider that has well over a 90% market
share in many European member states. This can
be considered a realization on behalf of the EU
authorities that the data of European consumers
1 European Commission (28 January 2015). Data Protection
Day 2015: Concluding the EU Data Protection Reform es-
sential for the Digital Single Market. Accessed 18.10.2015:
http://europa.eu/rapid/press-release_MEMO-15-3802_
en.htm.
005, Accessed 18.10.2015: http://conventions.coe.int/
Treaty/Commun/QueVoulezVous.asp?NT=005&CM=8&D-
F=17/02/2015&CL=ENG.
3 CAHDATA (2014) RAP03Abr, AD HOC COMMITTEE ON DATA
PROTECTION. Accessed 17.2.2015: http://www.coe.int/t/
dghl/standardsetting/dataprotection/TPD_documents/
CAHDATA-RAP03Abr_En.pdf.
4 European Parliament, MEPs zero in on Internet search com-
panies and clouds, REF. : 20141125IPR80501, 2014. Accessed
17.2.2015: http://www.europarl.europa.eu/news/en/news-
room/content/20141125IPR80501/.
have aided in creating a situation where the search
engine provider can “[commercialise] secondary
exploitation of obtained information”. This has
an implication on the competitiveness of other
companies such as EU start-ups, which then may
have a competitive disadvantage compared to the
incumbent US provider with access to user data on
a massive scale. The EU Parliament’s statement is
focused on a search provider, but it uses a language
that is certainly generalizable in its relevance to
other areas as well, such as social networks. As “all
internet trafc should be treated equally, without
discrimination, restriction or interference” and “to
prevent any abuse in the marketing of interlinked
services by operators”. Since the US have adopted
what is often referred to as a sectorial approach
legislation,5 as well as a lack of laws governing data
protection particularly for search engines, this can
be seen as contributing to a potential abuse of a
dominant market position. The balance between
fostering a positive self-enforcing environment
for innovation within Information Technology
enabled sectors and difculty regarding preserving
the rights of a consumer. Whilst the US believes
in self-regulation by the companies, the EU has
taken the opposite view and enacted what can be
viewed as strong consumer protection laws. In an
effort to modernize and unify data protection laws
for all conditions involving a natural person in the
Union, an EU Commission proposal was given for a
new General Data Protection Regulation (GDPR or
Regulation). We hereafter refer to the preliminary
consolidated Regulation proposal text (also
referred to as the outcome of the inter-institutional
negotiations) on the protection of individuals with
regard to the processing of personal data and on the
free movement of such data (ST 5455/2016).6
4
Today the Internet has become a global platform for
commerce and communication. It is predictable that
within the coming decades this will extend to include
many other areas as well, e.g. personal healthcare
and home automation. These new areas will
introduce a myriad of highly sensitive information
sources; information that must be processed and
also often stored for an indenite and sometimes
innite period of time in order to be able to digitalize
these areas. By embedding information-sharing
electronics into everyday physical objects, we will
create a “global cyberphysical infrastructure”.7 The
term often used for describing this future Internet
5 Corbet, R. (2013). “EU v US data protection - exploring the
similarities.” Privacy & Data Protection, 13(6), pp. 3-4.
6 ST 5455 2016 INIT - 2012/011 (OLP), Proposal for an EU Gen-
eral Data Protection Regulation (2016). Accessed 02.02.2016:
http://eur-lex.europa.eu/legal-content/EN/TXT/?-
qid=1454437448923&uri=CONSIL:ST_5455_2016_INIT.
7 Miorandi, Sicari, De Pellegrini and Chlamtac (2012). Internet
of things: Vision, applications and research challenges, Ad
Hoc Network.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT