Eleni Kosta

Bringing Accountability to the Cloud: Addressing Emerging Threats and Legal Perspectives

This paper is concerned with accountability in cloud ecosystems. The separation between data and data subjects as well as the exchange of data between cloud consumers and providers increases the complexity of data governance in cloud ecosystems, a problem which is exacerbated by emerging threats and vulnerabilities. This paper discusses how accountability addresses emerging issues and legal perspectives in cloud ecosystems. In particular, it introduces an accountability model tailored to the cloud. It presents on-going work within the Cloud Accountability Project, highlighting both legal and technical aspects of accountability.

Norms and standards in modular medical architectures

Recent Internet of Things (IoT) research has been aiming at interoperability of devices and the integration of sensor networks. The Future Internet - Private Public Partnership (FI-PPP) has created a whole array of different purpose-oriented modules with defined specifications, better known as Generic Enablers. This article gives an overview of legal, ethical and technical norms and standards to be considered when planning, developing and implementing modular medical architectures, integrating the Internet of Things (IoT) and Generic Enablers (GEs) in cutting edge, latest generation medical data networks.

Peeking into the Cookie Jar: The European Approach Towards the Regulation of Cookies

Article 5(3) of the ePrivacy Directive regulates the storing of information and the gaining of access to information that is already stored in the terminal equipment of users and subscribers, which applies to the handling of cookies. The Citizens’ Rights Directive amended this provision in the frame of the review of the European electronic communications legal framework in 2009. According to the new provision, the installation of and the access to cookies is allowed only with the consent of the user or the subscriber. The introduction of a requirement for consent has sparked a fiery debate with regard to the implementation of this provision, especially as regards the practical impact it may have on the currently used practices relating to cookies. This article will study the new requirements set out in Article 5(3) of the ePrivacy Directive, as well as the background leading to their adoption. It will further discuss how the consent of the user can be given in relation to cookies in a valid way, examining among others the suggestions of the Article 29 Working Party and the European Data Protection Supervisor, as well as the UK implementation of the provision.

Data Protection Reform and the Internet: The Draft Data Protection Regulation

This contribution critically examines the proposal for a new General Data Protection Regulation -- both the original Commission Proposal and the amendments adopted by the Parliament. It focuses on the proposed changes to some key traditional data protection concepts: the territorial scope, consent, purpose limitation principle, and on some novelties introduced by the draft Regulation: the principle of accountability, data portability and the principles of data protection by design and by default.The efforts to reform EU data protection have shown that the very concept of data protection as a right and as a regulatory regime is in crisis. The Commission Proposal seems to accept the bankruptcy of the idea to build data protection law around individual control over what is going on with his/her personal data, while tightening the tools for monitoring and ensuring compliance.The Parliament text turned the idea of the data protection reform around by introducing -- albeit in not too explicit way -- the individual autonomy back into the data protection discussion. It remains to be seen what the consequences of inclusion of the references to the individual autonomous choices would have for interpretation of the Regulation, if those references will make it to the final text. Even more importantly, the Parliament text seems to have made an attempt to divorce itself from the traditional ‘consent versus fair use’ dichotomy that has been used to describe dominant and conflicting approaches to data protection. The Parliament text seems to craft an alternative way for data protection by introducing a risk-based approach to data protection and by differentiating between ‘regular’ personal data and pseudonymous data that receive different degrees of protection.

Privacy notices versus informational self-determination: Minding the gap

Privacy notices are instruments that intend to inform individuals of the processing of their personal data, their rights as data subjects, as well as any other information required by data protection or privacy laws. The goal of this paper is to clarify the current discourse regarding the (in)utility of privacy notices, particularly in the context of online transactions. The perspective is a European one, meaning that the analysis shall be geared towards the European Data protection framework, particularly the European Data Protection Directive. The paper discusses the role that privacy notices play under the European data protection framework today, summarizes the main critiques regarding the use of privacy notices in practice and develops a number of recommendations.

Data Protection in the Third Pillar: In the Aftermath of the ECJ Decision on PNR Data and the Data Retention Directive

Abstract The data protection directive regulated the issue of processing of personal data, excluding from its field of application activities that relate to police and judicial cooperation in criminal matters. The terrorist attacks of 2001 and the bombings in Madrid and London have given a new impulse to political interest in police cooperation throughout the European Union and its regulation in order to ensure greater efficiency. As a response, the European Commission presented in October 2005 a Draft Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters. Numerous drafts have been prepared thereafter, but no consensus has been yet reached (August 2007). In our paper we will present the current developments at European level for the regulation of the issue of data protection in the third pillar and we will analyse the main principles that should be applied in order to ensure a coherent data protection framework, which will pay due respect to the fundamental rights of the citizens, and especially the right to privacy and data protection on one hand, and the safeguards for an effective law enforcement system on the other.

Consent for processing children’s personal data in the EU: following in US footsteps?

ABSTRACT With the recent adoption of the General Data Protection Regulation (GDPR), the European Union (EU) assigned a prominent role to parental consent in order to protect the personal data of minors online. For the first time, the GDPR requires parental consent before information society service providers can process the personal data of children under 16 years of age. This provision is new for Europe and faces many interpretation and implementation challenges, but not for the US, which adopted detailed rules for the operators that collect personal information from children under the Children’s Online Privacy Protection Act (COPPA) almost two decades ago. The article critically assesses the provisions of the GDPR related to the consent of minors, and makes a comparative analysis with the requirements stipulated in the COPPA in order to identify pitfalls and lessons to be learnt before the new rules in the EU become applicable.

Ethical assessment in e-Health

While innovative e-Health and m-Health technologies and solutions will eventually change the way health and social care are delivered, it raises many challenges regarding what sort of ethical concerns need to be addressed in order to provide imperative regulations and guidance to healthcare professionals and developers. This paper discusses key ethical challenges identified as part of an ongoing research project funded under the European Commissions Future Internet-Private Public Partnership (FI-PPP) initiative. The Future Internet Social Technological Alignment Research project (FI-STAR) is concerned with the validation of Future Internet technology developed under earlier FI-PPP projects and involves seven early trials in the healthcare domain. The project is supported by 26 European partners with a further extension of 10 partners or so pending. The challenges discussed in this paper include ethical-legal frameworks, privacy and international harmonization. The suggestions discussed in this paper include an overarching e-Health ethical framework, an ethical impact assessment and an ethical matrix. The ethical matrix can be used as a tool to illuminate the diverse requirements among the seven uses cases and to narrow down potential strategies to address the ethical challenges.

The smart world revolution

The explosion of the phenomenon of the Internet of Things and the increasing diffusion of smart living technologies in all the layers of our society – from houses to hospitals, from cities to critical infrastructures such as energy grids – clearly demonstrates the viability and the advantages of a fully interconnected vision of a smart world. Technological advances such as the use of open data, big data, blockchain and sensor development in the Internet of Everything are rapidly changing the societal landscape, raising the question of how to guarantee, in a homogeneous way, the preservation of privacy and other human rights in a completely heterogeneous and cross-sectoral world, without impairing the potentialities of the new smart technologies such as the Internet of Things and big data. The 2017 IFIP Summer School on Privacy and Identity Management was dedicated to the exploration of technical, legal and societal issues relating to the smart revolution. This chapter provides an introduction to the exciting work presented at the summer school.

Provable network activity for protecting users against false accusation

With the proliferation of the World Wide Web, data traces that correspond to users’ network activity can be collected by several Internet actors, including (i) web sites, (ii) smartphone apps, and even (iii) Internet Service Providers. Given that the collection and storage of these data are beyond the control of the end user, these data traces can be easily manipulated, if not, tampered with. The result of such manipulated digital traces can be severe: Innocent users can be shamed or even wrongfully accused of carrying out illegal transactions.