Rebecca Wong

Data Protection Directive 95/46/EC

This chapter will consider the background of the Data Protection Directive what it provides in the context of data security breaches. As data security breaches are covered under Art.17 of the Data Protection Directive, the provision will be considered in more detail with reference to recent examples involving data security breaches.

The Data Protection Directive 95/46/EC: Idealisms and realisms

Following proposals to consider revising the Data Protection Directive 95/46/EC (DPD) in 2011, have the changes addressed the main areas of concern that have been the focus of much discussion? The areas of concern include the application of the Directive in the online age, particularly to social networking sites and cloud computing; the minimum/maximum standard approach by the EU Member States to data protection; the relevance and application of the data protection principles. These are some of the issues that were considered in the recent Art. 29 Working Partys Opinion on the Future of Privacy. The article will use this as a starting point of discussion to identify the extent to which impending proposals to revise the Data Protection Directive are closely aligned with the Opinion and consider the recent European Commission Communication (6/2010) on the comprehensive approach to personal data protection in the European Union. According to the Art. 29 Working Party, the level of data protection in the EU can benefit from a better application of the existing data protection principles in practice. This paper will attempt to address some of the difficult questions and consider the challenges to implementing the changes introduced by forthcoming revisions to the DPD.

The Future of Consumer Web Data: A European/US Perspective

The article considers the subject of clickstream data from a European/ US perspective, taking into account the Data Protection Framework (Data Protection Directive 95/46/EC; Directive on Privacy and Electronic Communications 2002/58/EC) and the US legal framework and in particular, the Wiretap Act U.S.C. § 2701 (2004) and related statutes. It examines the extent to which clickstream data is considered “personal data” within the Data Protection Directive and the implications to consumers and businesses. 1 Daniel B. Garrie, Esq. is the CEO of LegalTech Group LLC. Mr. Garrie has received his J.D. from Rutgers University School of Law, and has penned several law review articles on a variety of technology and legal issues. Mr. Garrie holds an M.A. and B.A. in computer science from Brandeis University. Mr. Garrie has worked around the world with the various Government agencies and corporations as a Senior Consultant and is an Attorney admitted to both New York and the New Jersey Bar. Mr. Garrie currently resides in New York City. Mr. Garrie can be reached at Daniel.Garrie@gmail.com . 2 Rebecca Wong is Senior Lecturer in Law at Nottingham Law School, Nottingham Trent University. Her main areas of specialism are in data protection and privacy. She holds an LLB (1998), MSc (2000), LLM (2001) and has recently completed her PhD in Data Protection (University of Sheffi eld). Her corresponding address is r.wong@ntu.ac.uk. Daniel B. Garrie would like to thank his mother Erica Garrie and Dean Camille Andrews at Rutgers School of Law for her support and guidance. Rebecca Wong would like to dedicate this article to Professor Deryck Beyleveld at Durham University and Professor Roger Browsword at Kings College, London for their support and guidance. Any errors are entirely the authors. Many thanks also to Ryan Lewis for his assistance with this article; Mr. Lewis graduated from Brown University with Honors and is currently working in New York City in the fi eld of technology compliant solutions for major corporations. at U niersity of ow SC L 126I on M ay 6, 2015 http://ijlirdjournals.org/ D ow nladed from THE FUTURE OF CONSUMER WEB DATA 130

The Amended Directive on Privacy and Electronic Communications

This chapter will take a detailed analysis into the amended Directive on Privacy and Electronic Communications, the changes introduced in 2009 and the Data Breach Notification Regulation 611/2013 that was passed in June 2013. The Directive on Privacy and Electronic Communications complements the existing Data Protection Directive and applies data protection rules to public communication providers. This chapter will consider in brief, the notion of “security” under Article 4.2 and what is meant by “personal data breach” within the Directive. This will be further supplemented by an analysis into the Commission Regulation 611/2013 which puts on a legal footing data breach notifications and harmonises data security breach notifications within the EU.

Proposed Data Protection Regulation 2012: Data Security Breach Notifications

This chapter will consider the proposed Data Protection Regulation introduced in January 2012 and in particular, data breach notifications under Articles 32 and 32. Under Article 31, there would be a duty to notify data breaches within 24 h to the Data Protection Authority, but the time frame is still under consideration by the European Parliament. The nature and form of data security breaches will also be considered under the Data Protection Regulation.

Framework Decision 2005/222/JHA and the Directive Against Information Systems

This chapter will consider the Framework Decision 2005/222/JHA, its background and the forthcoming changes introduced by the Directive against Information Systems which will replace the Framework Decision. The latter was recently passed in 2013 following major amendments introduced by the European Parliament by 541 votes to 91 votes. The main changes under the Directive would be its breadth by covering attacks against Information Systems using botnets and DOS attacks and provide minimum rules for the definition of criminal offences and sanctions in the area of attacks against Information Systems.

Cybersecurity Directive 2013

This chapter will consider the Cybersecurity Directive introduced by the European Commission with the aim of dealing with cybersecurity breaches and disruptions to cyber networks. In a recent 2012 survey, the Eurobrometer on Cybersecurity found that 38 % of EU Internet users were concerned with the safety of online payments. The Directive also aims to create Computer Emergency Response Teams (known as “CERTS”) on handling the number of data security breaches. It will consider what its role will be as provided by the Directive and consider shortcomings of CERT as recently highlighted by ENISA.

European Commission Communication Opinion 2010

This chapter will consider a brief introduction to the European Commission Communication Opinion which was published in 2010. The European Commission sets out its aim when reviewing the changes to the Data Protection Directive in its “Comprehensive approach on personal data protection in the European Union”. It should be considered in brief in the context of “information security” since there are several issues that the Opinion considers. It will provide a backdrop to the forthcoming Data Protection Regulation.

Article 29 Working Party: Future of Privacy

This chapter reviews the recent opinion by the Article 29 Working Party on the Future of Privacy. In particular, the role that privacy enhancing technologies (often known as “PETS”) play in the context of information security and the accountability principle on which security breach notifications is based that will be introduced in the forthcoming Data Protection Regulation.

Criticism of the Cybersecurity Directive

This chapter argues that the Cybersecurity Directive will be unworkable in practice and considers the reasons and shortcomings of this Directive. In particular, the definition of “market operators” is very broad to include search engines and social media. Sanctions for non-compliance will apply. A further criticism is that there is no obligation to notify citizens of data security breaches within the Directive, but rather the obligation is placed on market operators to notify and make data breaches public. There is a further scepticism over how the Cybersecurity Directive will be put into practice.