Subject RE: Privacy Self-Management and the Consent Dilemma
From Andrew Cormack <Andrew.Cormack@xxxxxx>
Date Mon, 17 Jun 2013 09:11:59 +0000

> -----Original Message-----
> From: Jaime Pérez Crespo [mailto:jaime.perez@xxxxxxxxxx]
> Sent: 17 June 2013 09:35
> To: REFeds
> Cc: Tom Scavo; Andrew Cormack
> Subject: Re: [refeds] Privacy Self-Management and the Consent Dilemma
> On Jun 17, 2013, at 09:03 AM, Andrew Cormack <Andrew.Cormack@xxxxxx>
> wrote:
> 	Tom
> 	Interesting paper, thanks.
> Indeed. Thanks Tom!
> 	I wonder whether the cleanest approach would be to end up with
> four different classes of processing:
> 	*) processing that's never allowed
> 	*) processing that's allowed if the individual consents
> 	*) processing that's allowed unless the individual objects
> 	*) processing that's allowed because the benefits to society
> override any small risk to individuals
> That'd be a very nice way to categorize the different uses of data and
> alleviate a bit the load on the citizens. But the problem as I see it,
> is first of all how to apply the categories (is there a way to describe
> them so precisely that there's no room for personal interpretation?)

If you insist on "no" room for personal interpretation, no, but I think it would be possible to get a reasonably clear picture. For example in the telecoms privacy directive (2002/58/EC) location data is opt-in but directories are opt-out.

> and more importantly, how to deal with changes, like data aggregation.
> The paper states that one of the main problems of basing everything on
> consent is that people is unable to foresee the consequences of the
> release of different pieces of data at different points in time, to
> different processors. And I agree and go even further, as I think it's
> almost impossible to handle, not only by people.

You left in the "almost", which is good :) And I deliberately said "processing", which covers a lot more than collection. Aggregation would be an additional processing step, with a possibly separate category of approval/disapproval. E.g. at the moment the UK transposition brings in a different legal regime if you aggregate pseudonyms with naming information. Other European countries treat both the same, which seems to me to be privacy-harming.

> 	If those four categories were created by law then the job of
> regulators would be to provide guidance/rulings on which of the four
> any new form of processing falls into.
> 	Unfortunately the debate over the new EU data protection law
> seems to be becoming increasingly polarised, rather than converging to
> any sort of consensus, so I fear the result is more likely to be
> determined by politics than reasoned argument :(
> Is there anything in the EU that does not end up being like that? :-)

This is far worse than most :( See Simon Davies's blog post

> --
> Jaime Pérez
> UNINETT / Feide
> mail: jaime.perez@xxxxxxxxxx
> xmpp: jaime@xxxxxxxxxxxxxxxxx
> "Two roads diverged in a wood, and I, I took the one less traveled by,
> and that has made all the difference."
> - Robert Frost

Ahhh. The first poem I ever memorised :-)

Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238