Get Complete Project Material File(s) Now! »
The Ever-changing Legal Landscape of Personal Data
Identified versus Identifiable. Central to the legal regime governing personal data is the definition of such data. Cloud storage providers are reported to have delivered more than one Exabyte of data under contract in 2012 alone.14 However, it remains unclear as to precisely how much of the vast amount of data is personal data and how much of this data should still viewed as personal data. Whether this information becomes personal data is dependent on the decisions made throughout the data processing process in the cloud environment.15 Therefore the meaning of ‘personal data’ is fundamental to the debate on IPRs, in particular with the emphasis on the cloud. The POPI Act provides a definition of personal data as the following: ‘Personal information’ effectively stands for information connecting to an identifiable, living, natural person, and also applies to juristic persons where applicable.
The EU GDPR 2016/679 in Article 4 provides a more extensive view of the concept of personal data and states:
‘Personal data’ means, any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier. Such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
A natural person is denoted as the ‘data subject’ in both the RSA’s and EU context. The POPI Act also expands on the framework of a ‘data subject’ through numerous supplementary items about personal identification. Particular attention has been given to identification numbers as well as including other factors such as physical, psychological, mental, economic, social and cultural information. In other words, while ‘identified’ in this context refers to data being used to determine the specific identity of an individual or to distinguish the individual from other members of a group or groups, identifiable points only to the possibility of being identified.
Personal data legislation is similar in various jurisdictions, sharing the same framework for distinguishing between identified and identifiable persons. As an illustration, the Australian Privacy Act defines personal information as the following:
Information or an opinion, whether factual or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.
What is Data Anonymisation when all Data is Considered Personal?
Anonymisation is defined as:
Definitions (online 2016), Anonymization (Noun): The act or process of making secret, of hiding or disguising identity. This anonymization site is supposed to keep emails from being tracked back to you.30
The apparent assumption in excluding anonymous data from legal regulation is that data records can be irreversibly anonymous and that data subjects can be rendered non-identifiable.31 When the Article 29 Working Party (2012) gave its opinion on cloud, it placed the anonymisation of data on a disparity level with their term of erasure. Likewise, regarding security and control in the cloud environment the European Commissioner for Digital Agenda, pressed the following issue. As with any real life scenario, a user cannot assume that when presenting themselves on any net, there will be no history of their past actions existing in the net. More importantly, where there are incidences with data files, any such data records must be made irretrievably anonymous before further utilisation of the data.What is more significant in cases of data files is that such data records are made as irreversibly anonymous before further utilisation of such data.
32. Anonymisation is thought to be the perfect ‘silver bullet’ solution for the reuse of data for privacy, security, innovation and business purposes. With the continued advancement of re-identification technology and resources, however, such data is not what they say it used to be.
Anonymous versus Anonymised Data
As discussed, both Article 26 of the Directive 95/46/EC and Article 23 of the GDPR, define anonymous data as ‘data rendered anonymous in such a way that the data subject is no longer identifiable’ by all resources reasonably possible to be used either by the controller or by any other person, able to identify the individual in question.
In response to the GDPR the European Parliament has formulated another definition, taking anonymous data to be ‘personal data that has been collected, altered or otherwise processed in such a way that it can no longer stand accredited to a data subject,’34 specifically stipulating that ‘anonymous data shall not be considered personal data.’
The POPI Act shares a similar regulation regarding the data subject rights and identifying data, in so far as the data is rendered as anonymous once it is no longer identifiable to a data subject. The European Parliament has also proposed that there could be ‘alleviations’ concerning the use of pseudonymous data in Amendment 36, 61 and 77 of the prior mentioned report of which the proposed definitions were submitted.
Amendment
Proposal for a Regulation Article 4 – point 3 a (new) (3a), ‘pseudonymous data’ means, any personal data that has been collected, altered or otherwise processed so that it of itself cannot remain attributed to a data subject, without the use of additional data. Which, is subject to separate and distinct technical and organisational controls to ensure such non-attribution.
1. Introduction
-Problem Statement
-Legal Questions
-Assumptions
-Motivation
-Methodology and Approach
2. Cloud Technical Description
-Introduction
-How Cloud Computing Works
-Advantages and Benefits of the Cloud
-Obstacles in the Confidence of Cloud
-Conclusion
3. General Legal Safeguards
-Introduction
-National Information Security Directive
-Cloud Access by Foreign and National Governments
-Data Protection and Data Flows
-Intellectual Property and Related Issues
-Governing Boundaries of Cloud Contracts
-Risk Assessment and Management
-Conclusion
4. Cloud Safeguards and Legal Framework
-Introduction
-Available Regulatory Instruments
-Sector-specific Regulation
-Conclusion
5. Competition Law
-Introduction
-Market Definitions
-International Interpretation of Market Definition
-Interoperability and Data Portability
-Vertical Integration
-Restrictive Agreements
-Abusive Market Behaviour
-A South African Perspective of Abusive Market Behaviour
-Conclusion
6. Cloud Data Protection Regulation
-Introduction
-Cloud Service and Deployment Models
-Cloud Concerns for Data Protection Authorities
-General Data Protection Standards
-Cloud Business Model Challenges
-Conclusion
7. International Law and the Cloud
-Introduction
-Cloud Jurisdiction – Cloud Border-crossing
-Jurisdiction
-Private International Law
-Court of Jurisdiction
-Forum Selection
-Default Rules and Applicable Law Determination
-Conflict of the Rules of Law
-Substantive International Obligations
-Conclusion
8. Cloud Cross-border Data Flow
-Introduction
-Framework for Data Protection in the EU
-EU Personal Data Transfers
-EU Personal Data Transfers from the EU to the USA
-EU Law – Requirements for Transferring Personal Data
-Conclusion
9. Personal Data in the Cloud and Re-identification
-Introduction
-The Ever-changing Legal Landscape of Personal Data
-What is Data Anonymisation when all Data is Considered Personal?
-Anonymous versus Anonymised Data
-The Deliberation over Anonymised Data
-Data Aggregation and Combination for Re-identification
-Conclusion
10. Traversing the Cloud
-Introduction
-Innovative Methods for De-identified Personal Data
-Data Quality and Quantity
-Risk Assessment of the Disclosure and Reuse of Data
-Accountability
-Conclusion
11. Cloud Borders, Territorial Locations, and Private International Law
-Introduction
-Competent Court
-Applicable Law and Territorial Location Determination
-Territorial Location Determination – Intent Evidence
-Territorial Location Determination of Users
-Conclusion
12. Cloud Data, Ownership Rights of Information in the Cloud
-Introduction
-Ownership
-Uploading Data in the Cloud
-Data and Information Produced in the Cloud
-Cloud Information Control
-Cloud Accountability
-Cloud Communal Customs
13. Copyright in the Cloud
-Introduction
-Advantages of Cloud
-Cloud Approach and Policy in Key Countries
-Cloud User’s Copyright Liabilities
-Traditional Copyright Law and Statutory Exemption of Private Reproductions
-Exceptions under Digital Copyright Law
-Conclusion
14. Cloud Service Providers Copyright Liability
-Introduction
-What Is Safe Harbour Legislation?
-The United States Free Trade Agreement and Safe Harbour Laws
-Recent Case Law on Safe Harbour in the USA
-Safe Harbour in South Africa
-Conclusion
15. Copyright Gap
-Introduction
-Industry Concerns and the Gaps in Copyright Law
-The Fair Use Solution
-‘Fair Use’ and Why?
-Conclusion
16. License Agreements and Distribution
-Introduction
-The Frequent Challenges of Determining Terms
-Cloud Contract Terms
-Cloud License Utilisation Features
-Service Commitments
-Quality Protection of Services
-Control Rights of the Client
-Obligations Towards Legal Compliance
-Security and Data Protection
-Intellectual Property Protection
-Protection of Service Continuousness
-Term-end Protection
-Conclusion
17. Unified Global Distribution of Cloud
-Introduction
-Cloud Services and Territorial Rights
-Independence Rights
-Scope Protection and Jurisdiction
-Conclusion
18. Introduction of Territorial Restrictions and Justification
-Introduction
-Five Areas of Adjustment to Cloud
-Conclusion
19. Conclusion
-Bibliography