and specificity requirements of data protection regulation, which prohibit the
processing of personal data for the sole purpose of providing a future speculative
data resource [8].
One of the most controversial issues was the use of cookies (characterized as
“privacy killing technologies” [4]), which is generally invisible to the user.
Cookies are principally not compatible with the principles of fair and lawful
collection of data, laid down in all international instruments in the field of data
protection. Precisely, they are an intrusion on the virtual right to be left alone and
the right to communicate freely and anonymously without — even indirect — external
“surveillance”. The new Directive adopted a “balanced” approach. By recognising that
these devices “can be a legitimate and useful tool… for legitimate purposes such as
the provision of information society services”, the Directive legitimises this use,
although it is highly disputable whether “analysing the effectiveness of web-site
design and advertising” (Recital 25) could be considered as a purpose equivalent to
the protection of privacy. In our opinion the user should always be given the option
to accept or reject the sending or storage of a cookie as a whole. The user should
also be given options to determine which pieces of information should be kept or
removed from a cookie, depending on, e.g., the period of validity of the cookie or the
sending and receiving Web sites. Moreover, cookies should be stored in a standardized
way and be easily and selectively erasable on the user's computer.
The European regulator places emphasis on information and relies on “user
empowerment” and “self-determination”. Although there are benefits to user
empowerment, as users know their privacy preferences better than companies do, the
“right to refuse to have a cookie or a similar device stored” does not in itself
constitute an adequately protective instrument. It is common practice for electronic
companies to offer downgraded functionality of their web services to users that do
not accept their cookies. Cookie management features, based on the Platform for
Privacy Preferences (P3P), have improved the transparency of cookies. Serious
problems, however, remain unsolved. Privacy protection cannot be conditional on the
choice of a particular browser that may include advanced cookie management tools.
Rather, this would violate the principle of technology neutrality. But the main
objection to relying on user empowerment is simply that PETs, as a tool for users to
fend for themselves, are often simply difficult to use. Furthermore, there are also
many products offered by industry which are privacy invasive, facilitating data
sharing, rather than privacy protective. Hardly any of them satisfy the criteria of
fair and lawful processing [6].
The new Directive imposes an obligation on service providers to offer “appropriate”
security measures to protect personal data. This provision reflects a “culture of
security” [7] and establishes — even indirectly — a “right to security”, which refers
to the user's claim to be given the right and the technical means to communicate his
contents confidentially by using suitable security methods. However, security
measures are not to be identified with privacy protective and enhancing measures. The
conceptual separation between secrecy and privacy is depicted in the design of
security tools. Most of them have been designed without built-in privacy principles
in mind. In order to achieve and assure a high level of protection an additional tool
should be employed: a privacy impact assessment for the application of new
technologies or the introduction of new services, which has good potential for
raising privacy alarm at an early stage [5]. Subsequently, a privacy risk analysis
should be conducted and privacy measures should be enforced.