With the development of automated information systems, consumers’ decisions can be made based on models of individuals’ preferences without any personal interaction. This raises serious concerns regarding data-privacy protection. Up-to-date legislation and appropriate technological measures are needed to enhance lawful access, process, and storage of sensitive personal data under automated information systems. This chapter provides the general interpretation of the requirements of security, personal data breach notification systems, and enforcement mechanisms according to the EU data privacy protection legislation. It aims to examine and evaluate whether the EC Data Protection Directive in 1995 and the new EC e-Privacy Directive amended by the Directive 2009/136/EC are sufficient to ensure the security of the future development of automated information systems that automatically capture, process, store, and analyse sensitive personal data across the EU countries. It discusses the impact of the EC directives to business organizations and proposes solutions to enhance the protection of users’/consumers’ privacy from a legal perspective.
TopIntroduction
With the advent of automated information systems, it is possible for information to be collected from individuals explicitly and implicitly with the requirement of very little human interaction from a technological perspective. That is, information such as personal data can be stored, processed, distributed or transferred automatically by the automated information systems. Such systems have been widely adopted and applied in our daily life - from online shopping platforms to social networking services and from traffic/transportation services to high frequency trading platforms. It has been a common practice for business organisations to use customers’ contact details and their preferences such as chosen products and services for targeted marketing purposes since the development of online platforms in the late 1990s.
In recent years, automated information systems have been further developed. Automated information systems can now perform as agents and make decisions for individuals based on models of individuals' preferences. Such preferences have been analysed according to a long history of individuals’ activities, behaviours and habits, which may contain personal data of increased sensitivity. For instance, the German Federal Constitutional Court in the Judgment of the First Senate of 27 February 2008 (1 BvR 370, 595/07) expressed that “the use of information technology has taken on a significance for the personality and the development of the individual which could not have been predicted. Modern information technology provides the individual with new possibilities, whilst at the same time entailing new types of endangerment of personality.” The new technologies raise serious concerns on personal data and privacy protection for information an individual provides to a system or captured by a computing program as “data provided by individual networked systems can be evaluated and the systems made to react in a certain manner” automatically (1 BvR 370, 595/07, para 109). The endangerments of users’ personability are also noted, that is:
In the context of the data processing process, information technology systems also create by themselves large quantities of further data which can be evaluated as to the user’s conduct and characteristics in the same way as data stored by the user. As a consequence, a large amount of data can be accessed in the working memory and on the storage media of such systems relating to the personal circumstances, social contacts and activities of the user. If this data is collected and evaluated by third parties, this can be highly illuminating as to the personality of the user, and may even make it possible to form a profile (1 BvR 370, 595/07, para 112).
With the ever fast-growing technology, legislation is always one step behind the latest invention of computing network services. This leads to a situation where computer scientists and entrepreneurs try to adjust or improve the application of products in order to comply with the existing law, or legislators try to amend the existing law to be compatible with the new technology in order to protect the users’ rights and enhance the public safety without jeopardising technological innovation and market development. Currently, there are two main pieces of legislation concerning data and privacy protection in the European Union (EU):
- •
One is the Directive 95/46/ EC (known as “the EC Data Protection Directive”), which has been under the review of European Commission since 2009. In 2011, the Commission will propose a new general legal framework for the protection of personal data in the EU, covering data processing operations in all sectors and policies of the EU. This framework will then be negotiated and adopted by the European Parliament and the Council.
- •
The other is the Directive 2009/136/EC which amends Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (known as “the EC e-Privacy Directive”) and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws. Member states are required to implement the new EC e-Privacy Directive by May 25, 2011.