Colette Cuijpers

Smart Metering and Privacy in Europe: Lessons from the Dutch Case

The future of energy supply lies in smart grids, which enable energy supply to and from consumers. These two-way energy networks require smart energy metering systems. The vision of smart grids will require one or more decades yet to be fully realised, but since a roll-out of smart meters is a lengthy process, countries are already starting to implement smart metering legislation, following the European legal framework on energy efficiency. Rolling out smart meters, however, requires smart legislation. The Dutch example, where the Senate blocked two smart metering bills in 2009, demonstrates that introducing smart meters can be significantly delayed if the underlying legislation is flawed. In particular, the Dutch case shows that privacy is a crucial element in smart metering legislation. Energy consumption reveals details of personal life, in the most privacy-sensitive place – the home, and therefore smart metering has to strike a careful balance between detailed energy metering and privacy protection.

The Law as a ‘Catalyst and Facilitator’ for Trust in E-Health: Challenges and Opportunities

In 2012, the World Health Organization (WHO) published a report on the state of development of legal frameworks with regard to e-health. The report is based on the findings of the WHO’s Second Global Survey on E-Health, which analysed, amongst other things, the extent to which the legal frameworks in the Member States addressed the need to protect patients’ privacy in the use of electronic healthcare applications. Based on the results obtained, the WHO stressed the fact that although in most member countries there exists a high level of legal protection of the general privacy of health-related information, this does not go beyond the common human right of privacy. There exists little specific e-health related privacy protection legislation and much remains to be explored in terms of other legal safeguards. This article intends to broaden the WHO’s analysis and go somewhat further, exploring not only the challenges and opportunities with regard to privacy protection, but also liability laws, which could have a significant impact on the use and adoption of these technology applications.

Data Protection Reform and the Internet: The Draft Data Protection Regulation

This contribution critically examines the proposal for a new General Data Protection Regulation -- both the original Commission Proposal and the amendments adopted by the Parliament. It focuses on the proposed changes to some key traditional data protection concepts: the territorial scope, consent, purpose limitation principle, and on some novelties introduced by the draft Regulation: the principle of accountability, data portability and the principles of data protection by design and by default.The efforts to reform EU data protection have shown that the very concept of data protection as a right and as a regulatory regime is in crisis. The Commission Proposal seems to accept the bankruptcy of the idea to build data protection law around individual control over what is going on with his/her personal data, while tightening the tools for monitoring and ensuring compliance.The Parliament text turned the idea of the data protection reform around by introducing -- albeit in not too explicit way -- the individual autonomy back into the data protection discussion. It remains to be seen what the consequences of inclusion of the references to the individual autonomous choices would have for interpretation of the Regulation, if those references will make it to the final text. Even more importantly, the Parliament text seems to have made an attempt to divorce itself from the traditional ‘consent versus fair use’ dichotomy that has been used to describe dominant and conflicting approaches to data protection. The Parliament text seems to craft an alternative way for data protection by introducing a risk-based approach to data protection and by differentiating between ‘regular’ personal data and pseudonymous data that receive different degrees of protection.

Privacy Challenges in Third-Party Location Services

The concern for location privacy in mobile applications is commonly motivated by a scenario in which a mobile device communicates personal location data, i.e. the device holder location, to a third party e.g. LBS provider, in exchange for some information service. We argue that this scenario offers a partial view of the actual risks for privacy, because in reality the information How can be more complex. For example, more and more often location is computed by a third party, the location provider, e.g. Google Location Service. Location providers are in the position of collecting huge amounts of location data from the users of diverse applications (e.g. Facebook and Foursquare to cite a few). This raises novel privacy concerns. In this paper, we discuss two issues related to the protection from location providers. The first focuses on the compliance of emerging location services standards with European data protection norms; the latter focuses on hard privacy solutions protecting from untrusted location providers.

Privacy-aware geolocation interfaces for volunteered geography: a case study

The standard W3C Geolocation API can significantly facilitate geospatial data collection as it provides a simple set of operations for requesting geolocation services across indoor and outdoor spaces through the Web. Importantly, this API is privacy-aware in that it provides a basic privacy mechanism for requesting the users consent to location acquisition. In this paper we address the question on whether this privacy mechanism is sufficient to conduct a project for the collection of geospatial content, in compliance with privacy laws. The question is of practical relevance as the use of geolocation standards in line with privacy regulations would make the development of volunteered geography projects easier. In this paper we present an interdisciplinary analysis spanning across technology and law, and driven by an application case. We show the limitations of this API and discuss a possible extension in line with privacy norms. Although we confine ourselves to consider European regulations, we believe that this study can be of more general concern.

The regulation of location-based services: challenges to the European Union data protection regime

To further the growth of location-based services (LBS), clear regulation is indispensable. The European Union (EU) legal framework includes a strict regime for the processing of personal data, location data and traffic data. After a short introduction of two core elements of European data protection legislation – the Data Protection Directive and the ePrivacy Directive – a number of technological and societal trends are described, which have made the applicability of the existing EU regulation on personal data processing in general and location data in particular more problematic. Recently, the Art. 29 Working Party released Opinion 13/2011 on geolocation services on smart mobile devices. An analysis of the Opinion reveals that it fails to clarify how the European legal framework should be applied in practice on two accounts. First, a clear separation between different actors and their roles has become unrealistic, and particularly the practical differences between telecom operators and information society service providers are quickly becoming merely theoretical. Second, location data used in LBS are increasingly the result of an amalgamation of other data, which sources cannot be practically traced anymore. Thus, the approach to apply different regimes to different types of data is increasingly less tenable. Next, two possible routes for improvement are suggested. The first opts to extend the current regime that only deals with a limited category of location data to all types of location data, thus strengthening the current ePrivacy Directive. The second chooses to abandon the current special regime for location data completely in favour of a more general protection of personal data, thus bestowing more weight to the Data Protection Directive. These suggestions provide valuable input for the current revision of the European legal framework on data protection.

Regulating Online Sexual Solicitation: Towards Evidence-Based Policy and Regulation

Even though concerns regarding the risks related to online sexual solicitation appear valid at face value, little is actually known about the consequences of online sexual solicitation or about how many children and youth actually come to harm as a result of online sexual solicitation. This means that important regulatory initiatives are developed without substantiating empirical evidence of the risk and protective factors that bear relevance to the actual conduct of victims and offenders. From a regulatory perspective, this raises several questions regarding the European regulatory strategies adopted to curtail online sexual solicitation. In this chapter we first describe the criminalisation of online sexual solicitation. Next, we present a review of recent empirical research on the prevalence and nature of online sexual solicitation and analyse what is known about the interrelationship between online sexual solicitation and psychosocial development. Subsequently, we discuss the relation between the EU legislation and the existing empirical research. On the basis of our discussion, we conclude that the sharing of knowledge between the fields of social science and law is essential to develop promising regulation strategies for protecting youth from harmful consequences of online sexual solicitation, without overly curtailing normal sexual exploration by adolescents.

Nicholas Agar, Humanity's End: Why We Should Reject Radical Enhancement

Intrigued as I am by movies and television series that depict a world in which humanity is outsmarted by superhumans, robots, or other types of beings, the title Humanity’s End made me curious. The direction of the argument in the book is revealed in the subtitle, but this does not negatively affect the expectations of a scientific approach to subject matter that is hard not to see as mere science fiction today. In fact, despite the book being illustrated by many scenes from and comparisons to science fiction books and movies, Agar is able to present human enhancement to his readers as something non-fictional. Even those who do not believe in the emergence of posthumanity might be enticed by the book to start thinking about the (possible) implications of far reaching human enhancement. The book contains much interesting material to help readers form their own opinions on how radical human enhancement may develop and change humanity. I warmly recommend this book, and it is impossible for this short review to do justice to the richness and depth of the various ideas, theories and arguments described and illustrated in Humanity’s End. In the following sections I can only briefly discuss the main insights and arguments presented by Agar. I will reflect on Agar’s findings and suggest how a legal and regulatory approach to radical human enhancement can contribute to the debate so well illustrated by Agar’s book. In this respect, I will link Agar’s book to the EU-funded Robolaw project. To structure the book review, I have used the titles of the chapters of Humanity’s End. In this way the reader is guided through all stages of Agar’s argument against radical human enhancement.

The Draft Data Protection Regulation and the Development of Data Processing Applications

Nowadays, data processing components are often part of a multitude of products and services. The current review of the European data protection framework, is proposing the replacement of the Data Protection Directive with a Regulation, which will undoubtedly impact the development of such products and services. This chapter analyses some of the critical changes proposed in the Regulation, highlighting the developments with regard to the actual scope of application of the European legal framework, the consent of the users and the particularities of processing pseudonymous data. It also critically assesses the proposed obligations relating to data security, notification of personal data breaches, the principles of data protection by design and by default, as well as data protection impact assessments. The authors conclude that these changes may actually be a step in the direction of more privacy-aware development of products and applications that entail data processing operations, if certain modalities are taken into account before the final adoption of the draft Regulation.

The Influence of ICT on Consumer Protection; Empowerment or Impairment of the Consumer?

Information and communication technologies can both strengthen and weaken the position of the parties involved in a commercial transaction. In Electronic Commerce, the phenomenon of changing bargaining powers is especially clear in view of consumers. E-consumers can, e.g., search the web for the lowest prices, no longer restricted by local boundaries, they can participate in collective-buying activities, and they can set up powerful grudge websites against a company. On the other hand, electronic transactions also pose new or greater risks for consumers. Problems can arise from e.g., foreign-language terms and conditions, unfamiliar applicable law, increasing privacy infringements, and payment in advance. This paper will give an illustration of the various technology-related shifts in the relationship between producer and consumer. These shifts can go both ways. Moreover, on the one hand they can strengthen each other while on the other hand they can counterbalance each other. In private law, the consumer is traditionally perceived as being a weak party in relation to the producer. If, because of ICT-driven shifts, the consumer’s position becomes stronger in relation to producers, the basis of consumer protection legislation might no longer be viable. However, if these shifts turn out to ultimately empower producers in relation to consumers, even stronger legal protection might need to be considered. In this respect, the following central question of research will be addressed in this paper: Need consumers still be considered to be the weak party in relation to producers, or has ICT equalized the relationship, undermining the basis of consumer protection legislation? The answer to this question will be sought with reference to the US as well as the EU legal framework regarding consumer protection.