You are currently viewing Introduction to data protection: state of the art of EU law and basic advices on how to protect personal data

Introduction to data protection: state of the art of EU law and basic advices on how to protect personal data

This article was first published in French on March 7th on EU-Logos Website : see « Initiation à la protection des données : état des avancées du droit de l’Union et conseils de base pour se protéger ».

 

In 2018, the number of Internet users exceeds 4 billion. It is more than 3.2 billion people that daily connect at least once a day to a social network[1]. In the European Union (EU), it is more than 90% of the population that is connected, about 450 million individuals[2], and as many potential victims of « hacking ». Society is rapidly changing, and both law and individuals must change their practices. The amount of collected personal data increases as the risk of seeing them stolen does as well. These issues call for solutions and the EU voted in 2016 a new regulation on the protection of personal data that will come into effect in May 2018.

The phenomenon of piracy is not as recent as one might think. In 1903, John Ambrose Fleming, a physicist, demonstrated the latest wireless telegraph of the Marconi Company before the Royal Institution of Great Britain. As he proceeded to his demonstration, the telegraph began to record a morse code corresponding to a poem accusing Marconi of misleading the public. The facetious instigator was none other than Nevil Maskelyne, a British magician and inventor whose creations were limited by the extensive patents of the Marconi Company. It was the first « wireless hack » in history and the very first demonstration of the insecurity of the communications (At the time Marconi Co. assured the entire safety and privacy of the communications)[3].

More than 115 years later,  the number and damage caused by hackers significantly increased. In 2017, the amount of lost data reached a new peak. Uber, the mobile platform for transport services, announced in November 2017 that the data of more than 57 million users (including European users) were stolen. The stolen information included names, email addresses, phone numbers of users but also driving license numbers[4]. More information than needed in order to steal an identity.

2017 was also the year of the misdeeds of two, particularly violent, ransomware. WannaCry and NotPetya caused serious problems for companies but also for private individuals. A ransomware is a malicious software that encrypts a computer and sometimes collects data. In order to decipher the computer, a ransom must be paid without any guarantee that the data will be recovered. WannaCry infected computers in more than 150 countries between May 12th and 13th. Servers of multiple British hospitals were affected which impeded the access to patients’ medical records[5]. NotPetya operated in June 2017. This time, the world economy was largely affected and the consequences could have been much more serious since the control systems for radioactivity in Chernobyl were affected[6]. For the sole year of 2017, 25% of companies in all 28 EU states have been subject to cyber attacks, resulting in unavailability of services, destruction/alteration or disclosure of data[7]. For some states, such as Denmark or Finland, these attacks affected nearly half of the country’s businesses. As companies are hacked, it is mainly the data of individuals that is stolen.

The theft of data should not be taken lightly and could have serious repercussion on one’s life. In some cases, this may result in identity theft, i.e. to subscribe under your identity a credit, or to damage your reputation. In particularly serious cases, it may result in stolen photos used on pornographic sites or, worse, with the recovery by sexual predators of children’s photos on Facebook, Instagram, and other networks.

The theft of data affects everyone and, through this article, we will try to raise the awareness the user of Internet and its related services. This awareness will go through an inventory of EU law on the protection of personal data. However, the protection of personal data can not a matter for experts, lawyers or computer scientists and everyone should be able to implement some tips to prevent possible hacks. (To begin, it is possible to test if an email address has been corrupted with the following website: Have I been Pwned?).

What is the General Data Protection Resolution what are its purposes?

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 of the European Parliament and of the Council, Official Journal EU, L119 of 4 May 2016) was voted in April 2016 following two particularly important decisions of the Court of Justice of the European Union (CJEU) on the protection of data. It successively convicted Google[8] and Facebook. To be simple, the Google Spain case brought the obligation for an Internet search engine to consider requests from individuals to remove links to freely accessible web pages resulting from a search on their name. The Schrems Case in 2015 is about an Austrian Law student in Austrian law arguing against Facebook that it did not offer sufficient protection against surveillance by public authorities, data transferred to [the United States] « [9]. Now more than ever the control of the processes of personal data is necessary.

The regulation defines personal data as ‘any information relating to an identified or identifiable natural person’[10], that is, any person who can be identified (directly or indirectly) with the help of an identifier. This may include, but is not limited to: the person’s name, an identification number, location data, an online identifier or elements characterizing their physical, physiological, genetic, economic, cultural or social identity.

Personal data are usually collected by companies registering on websites such as Amazon, Gmail, Facebook e.i.. They are also used for more common acts for example when you stay at the hospital (creation and update of the medical record), a university registration or the payment of a salary by the employer (all data kept by human resources for example).

The regulation applies only to personal data in the context of a professional or commercial activity and thus excludes the processing and storage of data in the context of strictly personal or domestic activities. For example, the correspondences, the holding of an address book or the use of social networks are not concerned[11].

From the beginning, the foundations of a project with laudable intentions are laid: « the processing of personal data should be designed to serve humanity »[12]. In addition to the disproportionate importance given to personal data processing, the main purpose of the text is to facilitate the circulation of data, to establish a certain uniqueness of treatment within the EU, to regulate the practice of companies in the field of data processing and finally, to reconcile these practices with a strong protection of the private life of individuals.

Facilitate the free flow of data

The Regulation ensures the free flow of personal data within the EU as well as their transfer to third countries and/or international organizations. Beyond the economic aspect of the thing as a better communication between economic actors, the interest can be in the protection and preservation of security and public order.

Concretely, the free movement of personal data would allow, for example, the transfer of a person’s medical records when he/she is abroad. Thus, if a person from the EU has to undergo a surgery for heart problems in the United States, for example, the transfer of personal data will allow the hospital in charge of the operation to obtain information more quickly, and thus ensuring better operating conditions (such as being informed about allergies to certain active ingredients or the existence of a medical history).

Ensuring coherence within the European Union

Originally, the protection of personal data in Europe was essentially based on Directive 95/46/EC of the European Parliament and of the Council[13]. However, an EU directive merely gives objectives to be fulfilled, the States must then make the necessary arrangements in their respective national laws. At present, the domain will be governed by a regulation. The point is that a regulation applies uniformly in all states, without the need for any approval by national legislative bodies.

In the past, when an appeal was lodged left to different data control authorities, the answer could be different depending on the State in which the request was made. From now on, all individuals in Europe (including non-EU citizens) will benefit from a similar protection of their data wherever they are.

Establish a pedestal of principles for business

The regulation sets out a common core of principles that all companies involved in the processing of personal data must respect[14]. This is the real strength of this text since all companies that will process the data of people in the Union will have to follow these principles. Among the most important are:

  • All treatment must be « lawful, fair and transparent », ie it must be necessary, justified and clearly agreed.
  • The purposes of this treatment must be determined, fixed, explicit and legitimate.
  • The right to privacy must be guaranteed[15]: Privacy by design: guarantee that the protection of personal data is ensured from the design of applications, websites and other IT systems and Privacy by default: guarantee provided when the security measures are integrated natively in the service.
  • The processing of data according to criteria of racial or ethnic origin, public opinion, religious or philosophical beliefs or trade union membership is prohibited[16].
  • Similarly, the processing of genetic data, biometric data, data concerning health, sexual life or sexual orientation is forbidden.
  • The data must be kept only during the treatment period.
  • The retained data must be accurate, up-to-date, adequate, relevant and limited.
  • The company must do everything in its power to protect the personal data it processes. It must be able to demonstrate it at all times (Accountability). In case of an incident, it will then have to prove that everything had been previously put in place to avoid it.
  • In the event of an incident such as a loss of data, the company must notify the supervisory authority within 72 hours to warn affected individuals as soon as possible[17].

 

Establish a protection of privacy, the right to privacy (« Right to Privacy »)

When it comes to privacy and public life, exercise is difficult. Indeed, we believe that there are as many conceptions of privacy as individuals. Each person remains sole mistress of the delimitation between his private sphere and the public sphere. Moreover, the conception of what is private evolves with time and mentalities. For example, before the bathroom could never exist: during antiquity or even under the Ancien Regime the toilet was public, whether in the central room of a house or public baths.

The EU makes a point of protecting the privacy of individuals: « Everyone has the right to respect for his private and family life, his home and his communications. « [18]. It is in this spirit that the General Regulations on Data Protection also stand by reinforcing a certain number of rights of individuals:

  • The right of rectification

It is possible to request the modification of inaccurate data with a national body, such as a wrong first name or surname.

  • The right to erasure (also called the right to be forgotten).

It is possible to request the deletion of its data if it is no longer necessary, if the consent to treatment is withdrawn (at any time [22]), if the treatment is unlawful, if the law of the Union or if the data were collected as part of an offer of service by an information society.

  • The right to limitation of treatment.

It may be requested that only part of the data be processed while the other part is removed.

  • The right of opposition :

A candidate refused to a position whose CV has been processed by an algorithm may request that there be a human intervention and the reasons for his refusal be given

  • Everyone has the right to request that their data be transferred (right to data portability).

In the case of a change of work from a company A to a company B, it is possible to ask company A to transfer all HR data (human resources) to company B, including for example number of Social Security, IBAN etc.

If « knowledge is power » (Francis Bacon), then knowing that these rights exist is to be able to protect oneself. Recall, the purpose of this article is to raise awareness about data protection. However, the use of rights is already the stage where the harm was done. In order to prevent such a situation, some basic actions may allow better data protection. This step is part of the European dynamic; the Commissioner for Security in the fight against terrorism and crime recently stated that « a cyber defense is very much dependent on people. We need to develop cybersecurity education at all levels « .

How to protect our data?

The goal is not to turn into hackers. Nevertheless, there are some basic elements, easily applicable, which can help to better protect its data.

Protect yourself from ransomware (« Ransomware »)

As mentioned at the beginning of this article, ransomware focuses as much on businesses as on individuals. The best solution to protect against these is to make regular backups. For this, it is enough of a simple external hard disk (or USB key) on which will be recorded the files. To avoid losing too much space, a backup can be performed every week and only two versions of previous backups can be kept for security. A simpler alternative is to use an encrypted « Cloud » service, that is, the data will be stored on external servers.

 

Protect against intrusions and loss of identifiers

It is sometimes difficult to remember each password used and the two easiest chosen solutions chosen are a simple password to remember or the use of the same password for all services, sometimes both. Yet neither option can protect your privacy. Yet simple solutions exist:

  • Use a password manager: you only have to retain a « master » password to access the manager while the manager will create complex and different passwords for each site.
  • Create your own « algorithm » for creating a password. This is less complex than it seems. It suffices, for example, to use the same special characters (« § » for example), an easy date to remember (« 2018 » for example) and then a name that will change each time, in which a special character can replace a letter. For example, the rules could be:
  1. Take a word related to the type of site on which you subscribe and decide that the first letter will always be capitalized;
  2. Always place the special character « $$ » before the word and « $$ » after the word;
  3. If the word includes an « e », replace it by « € », if it has an « a », replace it by « @ », if it has an « o », replace it by « 0 » ;
  4. Always end the password by the same date, known not to forget it: 1918, end of the 1st World War.

From now on my passwords will be :

For Facebook :

  • The « key » word is « Zuckerberg »
  • Apply special character : $$Zuckerberg$$
  • Replace letters : $$Zuck€rb€rg$$
  • Add the date : $$Zuck€rb€rg$$1918

My Facebook password is : « $$Zuck€rb€rg$$1918

For LinkedIn, my « key » word is « Hoffman » (co-founder of LinkedIn)

                            My password is : « $$H0ffm@n$$1918 »

For my login at the NSA, my key word is : « Snowden »

                            My password is : « $$Sn0d€n$$1918 »

As your very own algorithm is complete, you can keep in mind or on a note only the keywords that will help you to remind your password. For example, the note here will be :

Facebook : Zuckerberg

LinkedIn : Hoffman

NSA : Snowden

Beware of all received mails

After a virus has infected a computer system, the investigation proves that, in the vast majority of cases, the opening of an email is at the root of the problem. This technique is often used to recover personal data. But there are some tips for not falling into the trap. For example, a message with a questionable spelling should put the chip in the ear, just like the email address used.

Similarly, if the email contains an Internet address to go to, it is advisable to move the mouse over to look at the shape of the address before clicking. You must also pay attention to the spelling of companies that contact you: « Facebook » and not « Facebook » or « Ficebook ».

Finally, when you receive a message from the address of a person you know and it asks you something, contact him by another means before responding. An email address resells and is easily hacked.

Encrypt your data

Encryption is the means of transforming information so that it is not understood by unauthorized persons. The fundamental purpose of this is to allow two people or systems to communicate secret information in a public environment. For example, sending a message over the phone to a friend, while the line is being listened to by an intruder, or sending a message over the Internet, while it can be easily intercepted.

Data encryption is a cumbersome process and may seem difficult to implement. It does not have to be applied to all data, but only to those whose nature and importance require it. It is, therefore, necessary to prioritize the data and adapt the level of protection to the type of data.

Avoid sharing too much data on the Internet

The first rule on the Internet is that « everything that is put on the Internet stays there permanently ». Even if the « right to forget » has been dedicated and allows, theoretically, the deletion of information about you, such as the possibility to ask Google to delete his personal data. However the term « deletion » is not accurate as Google will simply « reference » your data, that is to say, to prevent access to this information.

Whenever you search, share, or comment, information will be retrieved and associated with your IP address (understand, the « name » of your computer on the Internet). « Cookies » are small files stored on your computer/smartphone/tablet, to facilitate navigation and allow certain features. They may sometimes contain residual personal information that may potentially be exploited by third parties.

Thanks to all your information retrieved by companies, they will be able to determine what are your tastes and desires, they will be able to target the « product » that will match you and thus launch targeted advertisements to tempt you with it. Of course, this is not done at the level of the individual but also at the scale of the mass, it is the « Big Data ». Also, the solution is to share as little information as possible, only those needed and only with trusted websites.

The regulation, which will come into force soon, is a very advanced and very promising protection tool. It helps to strengthen the rights of individuals and harden the conditions for data processing by companies. Nevertheless, all the texts of the world, as protective as they are, will not be able to totally protect the individuals. Vigilance and diligence must be everyone’s business. In a world where digital is becoming more important and more important in our daily lives, the issue is not to avoid technologies and to miss out on everything they have to do. offer: better health monitoring, better communication, more reasoned production, nature monitoring, etc.

It is one thing that rights exist and it is another that European citizens know about their existence. It may be regrettable, for example, the lack of communication of the EU institutions with regard to the revolutionary aspect of this text. Similarly, during the research carried out for the writing of this article, it appeared that very few articles were directly addressed to citizens to inform them that they had a certain number of rights on their personal data. Most of the articles of the specialists are directed towards the companies and the obligations to which they will have to submit.

Last but not least, once citizens know their rights, it is necessary to accompany them before the competent courts, whether national or European. Therefore, it seems important to highlight initiatives aimed at promoting the accessibility of legal expertise to European citizens. In this dynamic, Max Schrems (the young Austrian student at the origin of the setbacks of Facebook in Europe and mentioned earlier) recently launched the platform NOYB (« None Of Your Business », translatable in « It does not concern you With the help of a number of privacy activists and consumer rights groups. This platform will aim to make available to all the opportunity to effectively protect its data.

Jean-Hugues Migeon

[1] https://wearesocial.com/blog/2018/01/global-digital-report-2018

[2] Source: Eurostat: http://ec.europa.eu/eurostat/tgm/table.do?tab=table&language=en&pcode=tps00001&tableSelection=1&footnotes=yes&labeling=labels&plugin=1

[3] The hack of the Marconi telegraph in 1903 is not quite the first of its kind, since between 1834 and 1836 the Blanc brothers in France exploited a loophole in the telegraph system in order to invest in the stock market and, above all, hoping the world. The French administration then uses Chappe telegraphs to communicate across France. However, this scam was based on the exploitation of a dysfunction in the French administration as well as on the corruption of a civil servant and on the dysfunction of the device itself.

To learn more about the Blanc brothers’ scam : (in french)

https://leshistoiresdedidymus.wordpress.com/2014/05/27/bordeaux-1834-36-les-freres-blanc-telegraphes-chappe/

[4] https://www.lemonde.fr/pixels/article/2017/11/22/piratage-massif-d-uber-les-reponses-a-vos-questions_5218688_4408996.html

[5] https://www.theverge.com/2017/5/12/15630354/nhs-hospitals-ransomware-hack-wannacry-bitcoin

[6] https://www.forbes.com/sites/thomasbrewster/2017/06/27/petya-notpetya-ransomware-is-more-powerful-than-wannacry/

[7] <http://ec.europa.eu/eurostat/web/products-datasets/-/isoc_cisce_ic>

[8] Previous article on EU-Logos Website about Google Spain case : www.eu-logos.org/?p=20777

[9] See : EUJC, Press report n°117/15, 6 octobre 2015, decision C-362/14 Maximilian Schrems / Data Protection Commissioner.

[10] GDPR, Article 4 « Definitions », p.33.

[11] GDPR, Para.18, p.4.

[12] GDPR, Para.4, p.2.

[13] Directive 95/46 / EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11 .1995, p.31).

[14] GDPR, Article 5, p.35.

[15] GDPR, Article 25, p.48.

[16] GDPR, Article 9, Para.1, p.38.

[17] GDPR, Article 33, p.52.

[18] EU Charter of fundamental rights, Article 7.

Adeline Silva Pereira

Après avoir effectué la deuxième année du master Sécurité Globale analyste politique trilingue à l'Université de Bordeaux, j'effectue un stage au sein d'EU Logos afin de pouvoir mettre en pratique mes compétences d'analyste concernant l'actualité européenne sur la défense, la sécurité et plus largement la coopération judiciaire et policière.

Laisser un commentaire