An overview of interesting Data & IT Law articles and news from January 2015.
Cloud computing contracts – traps to avoid
The article deals with legal traps to avoid when contracting with a cloud provider. The author suggests asking these questions:
- “How long ago was your last independent audit against the latest [relevant] regulatory protocols?
- It’s relatively easy to comply with a single nation’s data protection laws. Complying with all nations’ data protection laws, however, can be tricky. One solution to this cloud problem, strangely enough, is: More cloud. Highly scaled-up enterprise cloud platforms can conveniently shuffle data such that all data privacy needs can be met internationally.
- cloud customers who don’t insist upon controlling their encryption key place their data, their clients, and themselves at risk
- it is important for cloud provider and cloud customer alike to include in the contract an affirmative negation of third-party rights. Otherwise, the cloud contract might inadvertently create liability where none existed before (for instance, to a cloud customer’s own customers in the event of a data breach).”
Discrimination by data – getting more interest
In January, many authors wrote about discrimination and inequality resulting from data analysis (see also the articles at data & it law on this issue).
The first article dealt with inequality in the area of credit scoring. The authors use a simple example to demonstrate their point: “person A and person B both earn $100,000 a year. However, person A lives in a neighborhood that is predominantly lower income. The other person lives in a neighborhood where the average homeowner there has a higher income of $100,000. This can have the effect of steering homeowners into unfavorable mortgages based on where they live, which has a disparate impact on communities of color.”
The article by Prof. Ferguson was published in the University of Pennsylvania Law Review. It deals with the use of data analysis for crime prediction. “(Using various data sources) (t)he police now have particularized, individualized suspicion about a man who is not doing anything overtly criminal. Or perhaps predictive software has already identified the man as a potential reoffender for this particular type of crime.” The professor asks to what extent individual rights are violated by this methodology.
Finally, one article deals with HR and the screening of potential candidates using social media. “The three main areas of concern are: It may disadvantage candidates who do not have access to / don’t use, social media, it may invade the candidate’s privacy and it may give rise to possible discrimination.”
Anonymized Data and Shopping Habits
Data anonymization is one of the methods for avoiding the application of data protection legislation. However, it is not always 100 percent safe.
The article deals with cases in which it is possible to de-anonymize data. “Details about where and when you use your credit card could help reveal your identity to data thieves—even if they don’t know your name, address and other personal information.” The authors describe the process of de-identification and refer to a number of ways to perform it. In an experiment, “Using both the credit card and transaction information the researchers identified 90 percent of the individuals in the data set.”
For more information about anonymization of data, read data & it law articles.
The legality of web scraping – European Court of Justice decision
“Is it stealing to take data without permission from a public website, or is it simply making use of resources that are made available to you?” The European Court of Justice in its recent decision analysed intellectual property issues with web scraping – extracting data from public websites.
The case concerned Ryanair suing the website PR Aviation for infringement of database rights under the Database Directive 96/9/EC and violation of Ryanair’s website terms and conditions. The Court held that Articles of the Database Directive “do not preclude a website operator from laying down contractual limits on the use of a database, without prejudice to applicable national law.”
Therefore, according to the decision, “where a website operator cannot establish intellectual property rights in its database, an operator may still be able to rely on its website terms and conditions to prohibit scraping”.
Data protection impact assessment – will it be obligatory in EU?
The proposal for the EU General Data Protection Regulation would change the voluntary nature of the data protection impact assessment. Such an assessment is “used by organisations to identify, understand and address any privacy issues that might arise when developing new products and services or undertaking any other new activities that involve the processing of personal data.”
Based on the proposal, “businesses would have to conduct (an assessment) before proceeding with ‘risky’ personal data processing activities (…) Specifically, the Commission said a data protection impact assessment would need to be carried out by data controllers, or processors acting on their behalf, ‘where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes’. The assessment would need to look into ‘the impact of the envisaged processing operations on the protection of personal data’.”
For further details, read this article.