Ve COMPUTERS ON WHEELS WHO OWNS WHICH DATA? Prof. Niko Härting Berlin, January, 19th, 2017
3 Connected Cars
5 DATA OWNERSHIP PRESENT HURDLES Ownership: Data on a hard disk is owned by the owener of the hard disk But ownership of hard disk does not protect against copying Copyright protects software and databases. It does not, however protect (raw) data and/or information. Data can be protected as (part of) trade secret. This does, however, not mean ownership of data. Criminal law (sect. 303 a German Penal Code) protects data against manipulation and involuntary loss. But is it upto criminal law to define who owns data?
6 DATA OWNERSHIP FUTURE OBSTACLES Ownership: Data only becomes valuable when data becomes information. But do we want new exlusive rights on information? Most data is, at least potentially, personal. And the owner of data can but does not need to be identical with the data subject. What is ownership of data worth when data protection law applies? Ownership of data provides an incentive to monetarize data. The exact opposite is the case in data protection law (principle of data minimisation ). And do we want citizens on small incomes to have an incentive to sell their data?
7 Privacy (GDPR) will kill ownership.
10 DATA PROTECTION: WHEN IS DATA PERSONAL? Art. 4 No. 1 GDPR personal data means any information relating to an identified or identifiable natural person ( data subject ); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
11 Germans like to share
15 Data required
16 NECESSARY DATA Where is the car? Location data How long was the trip? Exact start time Exact end time
The processing of data is verboten 17
18 BUNDESDATENSCHUTZGESETZ Section 4 Admissibility of data collection, processing and use (1) The collection, processing and use of personal data shall be admissible only if permitted or prescribed by this Act or any other legal provision or if the data subject has consented.
19 DATA PROTECTION LAW: THE BASICS Location data and usage data is personal identifiable information (PII). Processing of PII is not allowed unless explicitly covered by consent or some statutory exception. Consent is only valid when voluntary and informed.
Consent? 20
21 BDSG ON CONSENT Section 4a Consent (1) Consent shall be effective only when based on the data subject's free decision. Data subjects shall be informed of the purpose of collection, processing or use and, in so far as the circumstances of the individual case dictate or upon request, of the consequences of withholding consent. Consent shall be given in writing unless special circumstances warrant any other form. If consent is to be given together with other written declarations, it shall be made distinguishable in its appearance.
22 CONSENT VIA TOUCHSCREEN Consent would normally require a written document. Is consent still voluntary when the user has already buckled up? How can you make sure the user is informed when his foot is already on the clutch?
GDPR: any hope? 23
24 GDPR: CONSENT REQUIREMENTS Consent does not need to be in writing. It only needs to be unambiguous. Consent still needs to be both informed and voluntary. Contractual consent is as a rule invalid when consent covers data not necessary for carrying out the contract. Consent is invalid when there is a clear imbalance between controller and data subject.
Contract? 25
26 BUNDESDATENSCHUTZGESETZ Section 28 Collection and storage of data for own commercial purposes (1) The collection, storage, modification or transfer of personal data or their use as a means of fulfilling one s own business purposes shall be admissible 1. when needed to create, carry out or terminate a legal obligation or quasi-legal obligation with the data subject, 2. in so far as this is necessary to safeguard justified interests of the controller of the filing system and there is no reason to assume that the data subject has an overriding legitimate interest in his data being excluded from processing or use, 3. if the data are generally accessible or the controller of the filing system would be entitled to publish them, unless the data subject's legitimate interest in his data being excluded from processing or use clearly outweighs the justified interest of the controller of the filing system.
GDPR: any hope? 27
28 GDPR: CONTRACTS PROVISION Article 6 Lawfulness of processing 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies: (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
29 USAGE DATA Start time and end time necessary for calculating the price. Storage time: deletion necessary as soon as (irrevocable) payment has been made.
Legitmate interest? 30
31 BUNDESDATENSCHUTZGESETZ Section 28 Collection and storage of data for own commercial purposes (1) The collection, storage, modification or transfer of personal data or their use as a means of fulfilling one s own business purposes shall be admissible 1. when needed to create, carry out or terminate a legal obligation or quasi-legal obligation with the data subject, 2. in so far as this is necessary to safeguard justified interests of the controller of the filing system and there is no reason to assume that the data subject has an overriding legitimate interest in his data being excluded from processing or use, 3. if the data are generally accessible or the controller of the filing system would be entitled to publish them, unless the data subject's legitimate interest in his data being excluded from processing or use clearly outweighs the justified interest of the controller of the filing system.
32 LOCATION DATA Location data only partially needed for showing available cars on app. Establishment or defence of legal claims in case of accidents or damage to the car. Storage allowed for only 7 days (unless there actual was an accident or damage).
GDPR? 33
34 GDPR: LEGITIMATE INTERESTS AND PROFILING Art. 4 No. 4: profiling' means any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements; Art. 6 (f): legitimate interests: necessary? Art. 20 (1): The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her which is based on points (e) or (f) of Article 6(1), including profiling based on these provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
36 Prof. Niko Härting twitter.com/nhaerting HÄRTING Rechtsanwälte Chausseestraße 13, 10115 Berlin Tel. +49 30 28 30 57 40 Fax. +49 30 28 30 57 44 www.haerting.de