Download online personal data processing and eu data protection reform PDF

Titleonline personal data processing and eu data protection reform
File Size1.5 MB
Total Pages97
Document Text Contents
Page 1



APRIL 2013

Central European University

Centre for European Policy Studies

The CEPS Digital Forum is a multi-stakeholder platform aimed at raising the level of
debate about policy challenges that follow from the European Commission’s Digital
Agenda for Europe. It brings together academics, telecommunications operators,
broadcasters, equipment manufacturers, content providers, application producers,
internet players, national regulators and European institutions to enable a
constructive dialogue on how to achieve a successful transition to an information
society for all stakeholders.


Page 2

This Final Report is the outcome of the CEPS Digital Forum on Online Data Processing and
EU Data Reform. The Task Force met four times over a concentrated period from November
2012 to January 2013. Participants included senior executives from the business and
industrial sector and other associations. Invited contributors from academia, the EU
institutions, civil society, and businesses each presented on selected issues during one of the
meetings of the Task Force.

The report is based on a synthesis of the presentations and discussions at the meetings and
on the rapporteurs’ own research and analysis. It reflects the topics and direction of the
discussion among participants and contributors, but does not represent any common
position agreed by all participants of the Task Force, nor does it necessarily represent the
views of their institutions. A list of participants appears in Annex I.

This Final Report benefited greatly from the contributions of invited guests and speakers.
Their involvement was limited to the topic of their expertise in one of the meetings. This
report does not represent the positions of contributors or the views of their institutions. All
contributors are listed in Annex II.

The report was drafted by Kristina Irion, Assistant Professor at the Department of Public
Policy and Research Director at the Center for Media and Communications Studies (CMCS)
at Central European University in Budapest, Hungary and Giacomo Luchetta, Researcher at
the Centre for European Policy Studies, Brussels.

ISBN 978-94-6138-302-0

© Copyright 2013, Centre for European Policy Studies.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or
transmitted in any form or by any means – electronic, mechanical, photocopying, recording or otherwise
– without the prior permission of the Centre for European Policy Studies.

Centre for European Policy Studies
Place du Congrès 1, B-1000 Brussels

Tel: (32.2) 229.39.11 Fax: (32.2) 219.41.51
E-mail: [email protected]


Page 48


Today’s data protection Directive (Recital 26) and the reform proposals aim to decide on the
legal nature of an online identifier by taking into account “all the means likely reasonably to
be used either by the controller or by any other person to identify the said person”.
Identification thus does not require the person to be named or correlated to an official
identifier, such as ID numbers, addresses, etc. Second best to the WP29’s interpretation of
‘singling out’ is the proposal to take the intention of the controller and processor into account
(in quoting the UK ICO 201223 and also Traple Konarski Podrecki and Partners and European
Legal Studies Institute, 2012, p. 48). In both cases, processing information in connection with
online identifiers is going to be regarded as personal data – a regulatory decision that is
appropriate in most situations.

 The anonymity frontier

Neither anonymous nor anonymised data fall under the scope of data protection regulation
because anonymous data does not relate to an individual; while anonymised data becomes
anonymous because the individual is no longer identifiable (WP29, 2007, p. 21; 2012, p. 1).
The challenge is establishing if digital data are (still) anonymous because technical and
methodological advancements continue to push back the anonymity frontier (see, generally,
Ohm, 2010). Anonymity is an important concept because it is one of the best (technical)
strategies to privacy and data protection.

In principle, many purposes for which data processing is deployed can be achieved by using
anonymous data, e.g. audience measuring tools could rely on collecting aggregate data of
page views24 (WP29, 2012, p.10). This should create a strong incentive to use anonymised
data whenever possible, but controllers can face a trade-off between privacy and utility (BCG,
2012, p.16). Although techniques that are more efficient in this trade-off, i.e. sacrifice less
utility for more privacy, have been developed, anonymisation necessarily implies a loss of
information. Research disagrees on the utility of anonymised datasets (sufficient according to:
Aggarwal & Yu, 2008, p. 25; Novotny & Spiekermann, 2012, p. 11; insufficient: Ohm, 2010,
pp. 1753ff), but this can hardly be generalised as it depends on the context and purpose of the
data processing in question.

With the concept of real anonymity becoming increasingly contested, EU data protection
regulation already supports a relative notion according to which “account should be taken of
all the means likely reasonably to be used to identify an individual” (data protection
Directive, Recital 26). This would require a better definition of anonymous data25 and

23 As proposed by the UK ICO (2012, p. 5): “Where IP addresses or similar identifiers are processed with the
intention of targeting particular content at an individual, or otherwise treating one person differently from
another, then the identifier will be personal data and, as far as is possible, the rules of data protection will apply.”
24 After a cookie has been installed on the end-user terminal, for details see WP29, 2012, p.10).
25 As foreseen in the draft report of the LIBE Committee, European Parliament, by Albrecht (2012): “This
Regulation should not apply to anonymous data, meaning any data that cannot be related, directly or indirectly,
alone or in combination with associated data, to a natural person or where establishing such a relation would
require a disproportionate amount of time, expense, and effort, taking into account the state of the art in

Page 49


possibly a technical implementation guidance clarifying a threshold, in terms of statistical
probability of re-identification, under which a dataset can be considered sufficiently
anonymous. This should be flanked with a prohibition to intentionally break the anonymity
barrier, which would also trigger obligations incumbent on data controllers.

4.1.2 Principles relating to data quality

The data protection Directive formulates five broad principles relating to data quality (Art.
6(1); see box in section 2.2.1): In short, there are 1) fairness and lawfulness, 2) purpose
specification, 3) collection limitation, 4) data quality and 5) use limitation.26 Collection
limitation and use limitation are also combined in the principle of data minimisation. The
principles’ combined purpose is to narrowly frame the processing of personal data. It is a
perceived strength of the principles-based framework that it permits flexibility (RAND, 2009,
p. 24) while at the same time operationalising at a high level the correct input of personal data
in relation to a given processing activity (or purpose) and how data should be treated.

It would appear, however, that a few of these principles are increasingly contested by
economic developments and social practices. Most obviously data minimisation seems at odds
with an information-rich society (see e.g. Novotny & Spiekermann, 2012, p. 3). Under the
current rules “[c]ollecting data because they might prove useful in the future would be in
breach of both the purpose limitation principle and the data minimisation principle” (Van der
Sloot & Borgesius, 2012, p. 92). However, this is exactly what many companies are doing and
hoping to exploit in the near future (De Hert & Papakonstantinou, 2012, p.135). This
perception was shared by many Task Force participants who call for more flexibility when it
comes to potential uses of personal data held by these companies.

Conversely, it can be argued that:

Data minimisation, i.e. processing and storing only those personal data that are necessary
for a legitimate purpose, is becoming more and more important when technical
limitations to storage, processing and transfer capacity are quickly disappearing, and
when at the same time security risks and data breaches are becoming more prevalent
(European Commission, 2012b, p. 96).

Data minimisation should remain a central descriptor of data quality, not least because it is
backed by good practices from information assurance, management and security. Overall, one
Task Force contributor maintains that the principles governing data quality have been very

technology at the time of the processing and the possibilities for development during the period for which the
data will be processed.”
26 These principles build conceptually on two international standard-setting instruments: the non-binding 1980
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the Council of
Europe’s (CoE) Convention for the Protection of Individuals with regard to Automatic Processing of Personal
Data from 1981.

Page 96


Annex III


AFSJ Area of Freedom, Security and Justice

API Application Programming Interface

BCR Binding Corporate Rule

CFR Charter of Fundamental Rights of the European Union

CJEU Court of Justice of the European Union

CoE Council of Europe

DNT Do Not Track (Standard)

DPIA Data Protection Impact Assessment

DPO Data Protection Officer

ECHR European Convention on Human Rights

ECtHR European Court of Human Rights

EDPS European Data Protection Supervisor

ENISA European Network and Information Security Agency

FRA Fundamental Rights Agency

ICT Information and Communication Technologies

IaaS Infrastructure as a Service

MEP Member of the European Parliament

MSME Micro-,Small- and Medium-sized Enterprises

OBA Online Behavioural Advertising

OTT Over-The-Top (Players)

PaaS Platform as a Service

PET Privacy Enhancing Technologies

SaaS Software as a Service

TEU Treaty on European Union

TFEU Treaty on the Functioning of the European Union

Page 97

CENTRE FOR EUROPEAN POLICY STUDIES, Place du Congrès 1, B‐1000 Brussels, Belgium  
Tel: 32 (0)2 229 39 11 • Fax: 32 (0)2 219 41 51 • • VAT: BE 0424.123.986 

Founded in Brussels in 1983, the Centre for European Policy Studies (CEPS) is widely recognised as
the most experienced and authoritative think tank operating in the European Union today. CEPS
acts as a leading forum for debate on EU affairs, distinguished by its strong in-house research
capacity, complemented by an extensive network of partner institutes throughout the world.

• Carry out state-of-the-art policy research leading to innovative solutions to the challenges

facing Europe today,
• Maintain the highest standards of academic excellence and unqualified independence
• Act as a forum for discussion among all stakeholders in the European policy process, and
• Provide a regular flow of authoritative publications offering policy analysis and


• Multidisciplinary, multinational & multicultural research team of knowledgeable analysts,
• Participation in several research networks, comprising other highly reputable research

institutes from throughout Europe, to complement and consolidate CEPS’ research expertise
and to extend its outreach,

• An extensive membership base of some 132 Corporate Members and 118 Institutional
Members, which provide expertise and practical experience and act as a sounding board for
the feasibility of CEPS policy proposals.

Programme Structure
In-house Research Programmes
Economic and Social Welfare Policies

Financial Institutions and Markets
Energy and Climate Change

EU Foreign, Security and Neighbourhood Policy
Justice and Home Affairs
Politics and Institutions

Regulatory Affairs
Agricultural and Rural Policy

Independent Research Institutes managed by CEPS
European Capital Markets Institute (ECMI)
European Credit Research Institute (ECRI)

Research Networks organised by CEPS
European Climate Platform (ECP)

European Network for Better Regulation (ENBR)
European Network of Economic Policy

Research Institutes (ENEPRI)
European Policy Institutes Network (EPIN)

Similer Documents