As the UK (and the rest of the world) reels from the results of the UK referendum and we find ourselves living in a world where the dystopian Faragist (yes I know he is not the only one!) rhetoric reflects the current thinking of many in the UK, we face important and serious questions about our future laws, policies, social norms and the like in the UK.
For many UK data protection lawyers, the challenge ahead is to ensure that we remain important and relevant voices both within the context of the implementation, interpretation and enforcement of the General Data Protection Regulation and the reform of UK data protection laws.
Since the Brexit outcome, the UK ICO has said that the UK will rely on "adequacy" decisions. From the press release, it seems to be more than the usual "essential adequacy". But this could just be down to poor drafting!
However, I doubt this will be effective given that adequacy decisions and similar mechanisms are under attack at EU level. Only BCRs are not under attack, although who knows for how long? And BCRs are not appropriate in all cases. Since the UK ICO release, Jan Philipp Albrecht has noted on Twitter that an "adequacy decision" may not be sufficient given surveillance concerns. The UK will need to develop and implement effective data transfer mechanisms, which are in line with the robust requirements of the GDPR and protect the fundamental rights and freedoms of individuals. UK data protection lawyers will play key roles in ensuring that we have the relevant data transfer mechanisms in place which will support UK/EU data transfers, promote the growth of the data-driven economy and protect the fundamental rights and freedoms of individuals.
This also brings us to the second task at hand for UK data protection lawyers. How will the UK amend its data protection laws in the aftermath of Brexit? Will the principles of the European Convention on Human Rights still apply in the UK? If so, how will they be reflected in the new laws? What is the status of decades of European jurisprudence which have impacted on how we have interpreted our national data protection laws? To what extent will and should the new UK data protection laws include provisions which reflect the new realities since the Google Spain and Schrems cases (and others!) to enable UK/EU data transfers?
These are some of the initial questions which UK data protection lawyers and policy-makers need to address once we have all recovered from the shock of Brexit. Anya Proops QC of 11KBW has also published interesting insights on the upcoming data protection challenges in the UK.
We need to ensure that the data-driven economy and digital innovation in the UK does not suffer because UK data protection laws cut us off from the rest of the world. This is not a small task and we all need to put our thinking hats on...fast!
CyberPanda
A blog by Dr Asma Vranaki which analyses important legal developments in the field of cyberspace including privacy, defamation, intellectual property, e-commerce and online property in the UK, EU, USA and the Far East.
24 June 2016
7 April 2016
Data Privacy Regulation in the Context of Facebook Advertisements
The blog of the Vanderbilt Journal of Entertainment & Technology Law
recently covered my upcoming article in the John Marshall Journal of Information
Technology & Privacy Law on data privacy regulation in the context of Facebook advertisements.
You can read more about it here.
Smart Regulation and the General Data Protection Regulation
I recently published an article on smart regulation and the General Data Protection Regulation ("GDPR") on the website of the Society of Computers and Law. The article will also feature in the next issue of Computers & Law. You can read the full text of the article below.
---------
Data protection and privacy practitioners are
waiting anxiously for the official adoption of the GDPR. The latest
indication from the European Commission is that the GDPR will officially
be adopted in June/July 2016 and in force as from June/July 2018.
Since political agreement was reached on the GDPR in December 2015,
we have a fairly good idea of some of the main aspects of the official
legislation, such as the statutory recognition of an 'accountability'
principle, a risk-based approach to data protection (eg data
protection/privacy impact assessments, privacy by design, breach
notification), and enhanced individual rights (eg new right of data
portability and right to be forgotten).
Once
the GDPR is in force, the litmus test for success will be the consistent
implementation, interpretation and enforcement of the Regulation. Many
commentators have already warned that the GDPR's promise of
harmonization may be more fiction than fact due to the vague and
ambiguous provisions of the GDPR (eg legitimate interests provision) as
well as the so-called 'open clauses'. 'Open clauses' refer to GDPR
provisions where implementation is left to the member-states.
But
looking beyond the immediate parapet of the rules, the GDPR is also
heralding a move to smart regulation. One aspect of smart regulation is
that it involves interactions between diverse stakeholders, such as
law-makers, EU DPAs, European Data Protection Board, European
Commission, data controllers, data processors, and quasi-regulators (eg
third-party certification bodies). Some of these stakeholders, such as
EU DPAs and the companies they regulate, used to interact with one
another in the pre-GDPR era. However, a move towards smart regulation
can often impact on these existing relationships.
In
this article, I explore what smart regulation may mean for the
relationships between EU DPAs and the companies they regulate. I draw on
some of the findings of my recent empirical research project,
where I have analysed how some EU DPAs are starting to embrace smart
regulation during their investigations of multinational cloud providers,
to suggest four potential key aspects of a smart regulatory
relationship between EU DPAs and their regulatees. These four points are
mere starting points when reflecting on what smart regulation may look
like for the relationships between EU DPAs and the companies they
oversee. As noted below, much more work needs to be done to flesh out
how such relationships will be developed in practice.
Active Engagement between EU DPAs and Companies
Companies
and EU DPAs will benefit from active, regular, and informal engagement
with each other from the very beginning and in any event before a data
breach is detected or reported. Opening the dialogue between the
regulator and regulatees from an early stage has three key advantages.
Firstly, it will enable both parties to build a productive rapport which
will be crucial in many cases where there will be a long-term
relationship between the regulator and the company. This will, in all
likelihood, be the case for multinational companies with a strong
European presence and the EU DPAs which will be their lead regulator for
their EU operations.
Secondly, this type of
interaction will make it possible for EU DPAs to gain an in-depth
knowledge of the processing operations and policies of the companies
which fall within their jurisdiction, long before any data breach has
been reported.
Finally, this will provide
companies with the opportunity to explain to the regulators their
offerings, business drivers, and processing operations. Such engagement
means that the regulator will have a detailed understanding of the
organisation which can often be useful during enforcement.
Organisations can also discuss with EU DPAs the data protection and
privacy issues which are potentially raised by their future products or
services and tackle such issues head on at the ideation or preliminary
design stage rather than after these products or services have been
launched. This approach can often not only be cost-effective but also
enable companies, especially multinationals, to reduce or avoid negative
media coverage which plays a pivotal role in determining the reputation
of such organisations.
This level of
engagement between EU DPAs and companies will be problematic if EU DPAs
do not develop effective and consistent strategies which will enable
them to prioritise tasks in an informed and systematic way. This will be
even more crucial for EU DPAs which have limited resources.
Unfortunately, the GDPR is silent on how EU DPAs can assess the priority
of their activities. Consequently, one of the tasks ahead before the
GDPR is in force will be to formulate consistent guidelines which EU
DPAs can use to evaluate which regulatory activity takes precedence over
others.
Compliance Attitudes of Companies
EU
DPAs will need to recognize that companies will have different, and
often complex, attitudes to compliance. Some organisations may be
largely co-operative whilst others may often be recalcitrant.
Additionally, the compliance attitudes of companies are likely to change
over time for various reasons, including media coverage, reputation,
change in management and so on. At times, an otherwise co-operative
company can start to object to some of the data protection
recommendations which an EU DPA may make. Consequently, EU DPAs need to
learn how to deal with and manage the intricate and rapidly evolving
compliance attitudes of the organisations they oversee.
Additionally,
EU DPAs may often benefit from identifying the reasons why companies
may wish to comply with the law. EU DPAs can then often use these
reasons as bargaining chips during their interactions with these
organisations in order to secure the desired data protection outcome. In
many cases, compliance can often be driven by many (rather than one),
often interconnected, reasons, such as avoiding reputational damage,
generating the trust of customers in the company, avoiding citable
binding court decisions, and moral reasons.
Dynamic Regulatory Styles
EU
DPAs may benefit from developing dynamic regulatory styles so that they
can respond effectively to the diverse and often shifting compliance
attitudes of their regulatees. In particular, in some cases it may be
appropriate for EU DPAs to adopt regulatory styles which gradually
escalate from soft strategies (eg persuasion, discussion) to harder
strategies where the regulatee objects to base line compliance (eg
threat to initiate enforcement action) to soft strategies again once the
organisation co-operates.
My recent study
highlighted that regulatory styles which can seamlessly move from one
end of the spectrum (soft) to the other (hard) and back are often the
most effective ones. Additionally, my research also showed that EU DPAs
which adopted a 'smarter' approach to regulation by (i) adopting not
only dynamic regulatory styles but also recognising the business drivers
of companies, (ii) attempting to find mutually convenient solutions,
and (iii) not relying heavily on formalistic tools often achieved better
outcomes in the longer term.
This shift in the
regulatory styles of EU DPAs will be one of the key challenges ahead
when tackling smart regulation. Some EU DPAs may be bound by procedural
rules which may prevent them from smoothly moving from soft to hard to
soft regulatory styles. Other EU DPAs may need to learn how to regulate
in this manner whilst being effective. Thus, we need to bear these
points in mind when thinking about how to develop smart regulation when
the GDPR is in force.
Regulatory Relationship Management
Smart
regulation also means that companies need to rethink how they approach
and manage their relationships with the EU DPAs. In the pre-GDPR era, the regulatory relationship often started on an ex-post
basis, for example, when a data breach was detected or when an
individual filed a complaint against the company. In many cases, the
regulatory relationship would often start on a negative note with many
companies being on the defensive from the start.
In the GDPR era,
the relationships between many companies (let's say multinationals) and
their regulators, especially their lead EU DPAs, may often be from
cradle to grave. Such relationships may often start on an ex-ante basis, for example, when a multinational opens a local branch in the territory of the EU DPA.
In
order to develop healthy and productive regulatory relationships, many
organisations will have to change how they conceive and manage these
relationships. We may need to look at how regulatory relationships in
other industries are successfully built in order to learn how companies
can build effective and long-term relationships with EU DPAs.
For
example, showing the regulators that you want to co-operate (and mean
it!), knowing how to negotiate compliance effectively so as to promote
innovation whilst complying with the law, keeping the promises made to
the regulators may be fruitful ways in which companies can start
creating a positive dialogue with their regulators. We also need to
consider how SMEs and other companies with a limited budget can
cultivate this type of regulatory relationship despite their limited
resources.
Dr Asma Vranaki is an
Associate Fellow at the University of Oxford where she investigates the
regulation of computer-mediated communication technologies (eg cloud
computing, social media). She is a non-practising barrister who
specialises in the data protection and privacy law issues raised by the
Digital Age.
For more see,
Vranaki, Asma A.I., 'Cloud Investigations by European Data Protection
Authorities: An Empirical Account,' in Rothchild John A (ed), Research Handbook on Electronic Commerce Law (Edward Elgar, Forthcoming); Queen Mary School of Law Legal Studies Research Paper No. 195/2015 <http://ssrn.com/abstract=2602216>. The author conducted this research whilst working on the EC-funded 'Accountability for Cloud' research project.
25 January 2016
How are you celebrating Data Protection Day?
As we are celebrating Data Protection Day later this week and have a number of data protection events (CPDP conference I am talking about you!), and are entering the final week of negotiations for the so-called Safe Harbour 2.0, I thought that this is an opportune time for me to devote some time to blogging.
Post-doctoral research, writing some articles, re-writing other articles, and teaching law (to name but a few!) got the best of me for most of 2015 and blogging was relegated to the 'tomorrow to-do list' which never seemed to have been tackled!
So to celebrate DPD, I am pledging to blog more this year about law, technology and of course data protection! It's out there now so I cannot backtrack!!
How will YOU be celebrating DPD? I would love to hear your plans via comment or on Twitter!! Needless to say for me, this week will be full of data protection blogging, commenting on some of the CPDP sessions, and the Schrems/Wire debate!
26 May 2015
Our open letter to the House of Commons on the importance of respecting the democratic process as UK surveillance laws are being revised
Dear Readers,
As many of you are aware, following various media outlets' coverage, today we have sent an open letter to all members of the House of Commons on the importance of respecting the democratic process as UK surveillance laws are being revised.
You can find a copy of the full letter below.
---------------------
An
open letter to all members of the House of Commons,
Dear
Parliamentarian,
Ensuring the Rule of Law and the democratic
process is respected as UK surveillance law is revised
Actions Taken Under the Previous Government
During
the past two years, the United Kingdom’s surveillance laws and policies have
come under scrutiny as the increasingly expansive and intrusive powers of the
state have been revealed and questioned in the media. Such introspection is
healthy for any democracy. However, despite a need for transparency in all
areas of lawmaking, and in particular in areas of controversy, the previous Government
repeatedly resisted calls for an open and transparent assessment and critique
of UK surveillance powers. Instead, in response to legal challenges, it extended
the powers of the state in the guise of draft Codes of Practice and “clarifying
amendments.” As we welcome a new Government we expect another round of
revisions to UK surveillance laws, with the likelihood that the Queen’s Speech
will signal a revival of the Communications Data Bill. At this time we call on
the new Government, and the members of the House, to ensure that any changes in
the law, and especially any expansions of power, are fully and transparently
vetted by Parliament, and open to consultation from the public and all relevant
stakeholders.
Last
year, in response to the introduction of the Data Retention and Investigatory
Powers Bill (“DRIP”), a number of leading academics in the field – including
many of the signatories to this letter – called for full and proper
parliamentary scrutiny of the Bill to ensure Parliamentarians were not misled
as to what powers it truly contained. Our concern emanated from the Home
Secretary’s attempt to characterise the Bill, which substantially expanded
investigatory powers, as merely a re-affirmation of the pre-existing data
retention regime.[1]
Since
that letter was written, it has become apparent that the introduction of the
DRIP Bill was not the only time an expansion of surveillance powers was
presented in a way seemingly designed to stifle robust democratic
consideration. In February 2015, the Home Office published the draft Equipment
Interference Code of Practice.[2]
The draft Code was the first time the intelligence services openly sought
specific authorisation to hack computers both within and outside the UK.
Hacking is a much more intrusive form of surveillance than any previously
authorised by Parliament. It also threatens the security of all internet
services as the tools intelligence services use to hack can create or maintain
security vulnerabilities that may be used by criminals to commit criminal acts
and other governments to invade our privacy. The Government, though, sought to
authorise its hacking, not through primary legislation and full Parliamentary
consideration, but via a Code of Practice.
The
previous Government also introduced an amendment via the Serious Crimes Act
2015, described in the explanatory notes to the Bill as a ‘clarifying
amendment’.[3]
The amendment effectively exempts the police and intelligence services from
criminal liability for hacking. This has had an immediate impact on the ongoing
litigation of several organisations who are suing the Government based in part
on the law amended, the Computer Misuse Act 1990.[4]
The Way Ahead
The
new Conservative Government has announced its intention to propose new
surveillance powers through a resurrection of the Communications Data Bill.
This will require internet and mobile phone companies to keep records of customers’
browsing activity, social media use, emails, voice calls, online gaming and
text messages for a year, and to make that information available to the
government and security services. We also anticipate this Parliament will see a
review of the Regulation of Investigatory Powers Act 2000, which currently
regulates much of the Government’s surveillance powers. The Independent
Reviewer of Terrorism Legislation, David Anderson QC, has conducted an
independent review of the operation and regulation of investigatory powers,
with specific reference to the interception of communications and
communications data. The report of that review has been submitted to the Prime
Minister, but has yet to be made public: when it is made public, parliamentary
scrutiny of the report and any recommendations made following it will be
essential.
As the
law requires that surveillance powers must be employed proportionate to any harm
to privacy caused (as required by Article 8 of the European Convention on Human
Rights and Article 12 of the Universal Declaration of Human Rights) we believe
that any expansion or change to the UK’s surveillance powers should be proposed
in primary legislation and clearly and accurately described in the explanatory
notes of any Bill. The Bill and its consequences must then be fully and frankly
debated in Parliament. When reaching an assessment of the proportionality of
any measure that restricts rights, both our domestic courts and the European
Court of Human Rights place great stock on the degree and quality of
Parliamentary involvement prior to any measure being adopted. If the matter
ever came before the courts one issue examined would be the nature of any
“exacting review” undertaken by MPs into the necessity of extending these
powers. The Government should not be permitted to surreptitiously change the
law whenever it so desires, especially where such changes put our privacy and
security at risk.
This
letter has been prepared and signed by 38 academic researchers. We are
comprised of people from both sides of this issue - those who believe that
increased powers are a reasonable response to an emerging threat, and those who
think them an unjustified extension of state interference. Our common goal is
to see the Rule of Law applied and Parliamentary oversight reasserted. We are
calling on all members of the House of Commons, new and returning, and of all
political persuasions to support us in this by ensuring Parliamentary scrutiny
is applied to all developments in UK surveillance laws and powers as proposed
by the current Government.
Signatories
Andrew Murray (contact signatory); Professor of Law; London School of Economics
Paul Bernal (contact signatory); Lecturer in Information Technology, Intellectual Property and Media Law; University of East Anglia
Anne Barron; Associate Professor of Law; London School of Economics
Subhajit Basu; Associate Professor of Law; University of Leeds
Sally Broughton Micova; Deputy Director LSE Media Policy Project, Department of Media and Communications; London School of Economics
Abbe E.L. Brown; Senior Lecturer; School of Law; University of Aberdeen
Ian Brown; Professor of Information Security and Privacy; Oxford Internet Institute
Ray Corrigan; Senior Lecturer in Maths, Computing and Technology; Open University
Angela Daly; Postdoctoral Research Fellow; Swinburne Institute for Social Research; Swinburne University of Technology
Richard Danbury; Postdoctoral Research Fellow; Faculty of Law; University of Cambridge
Catherine Easton; Lecturer in Law; Lancaster University School of Law
Lilian Edwards; Professor of E-Governance; Strathclyde University
Andres Guadamuz; Senior Lecturer in Intellectual Property Law; University of Sussex
Edina Harbinja; Lecturer in Law; University of Hertfordshire
Julia Hörnle; Professor in Internet Law; Queen Mary University of London
Argyro P Karanasiou; Senior Lecturer in Law; Centre for Intellectual Property, Policy & Management (CIPPM); Bournemouth University
Theodore Konstadinides; Senior Lecturer in Law; University of Surrey
Douwe Korff; Emeritus Professor of International Law; London Metropolitan University; Associate of the Oxford Martin School, University of Oxford
Mark Leiser; Postgraduate Researcher; Strathclyde University
Orla Lynskey; Assistant Professor of Law; London School of Economics
David Mead; Professor of UK Human Rights Law; UEA Law School; University of East Anglia
Robin Mansell; Professor, Department of Media and Communication; London School of Economics
Chris Marsden; Professor of Law; University of Sussex
Steve Peers; Professor of Law; University of Essex
Gavin Phillipson; Professor, Law School; University of Durham
Julia Powles; Researcher; Faculty of Law; University of Cambridge
Andrew Puddephatt; Executive Director; Global Partners Digital
Judith Rauhofer; Lecturer in IT Law; University of Edinburgh
Chris Reed; Professor of Electronic Commerce Law; Queen Mary University of London
Felipe Romero-Moreno; Lecturer in Law; University of Hertfordshire
Burkhard Schafer; Professor of Computational Legal Theory; University of Edinburgh
Joseph Savirimuthu; Senior Lecturer in Law; University of Liverpool
Andrew Scott; Associate Professor of Law; London School of Economics
Peter Sommer; Visiting Professor; Cyber Security Centre, De Montfort University
Gavin Sutter; Senior Lecturer in Media Law; Queen Mary University of London
Judith Townend; Director of the Centre for Law and Information Policy; Institute of Advanced Legal Studies; University of London
Asma Vranaki; Post-Doctoral Researcher in Cloud Computing; Queen Mary University of London
Lorna Woods; Professor of Law; University of Essex
14 May 2015
Dear Google: open letter from 80 academics on 'right to be forgotten'
Our open letter to Google published in today's Guardian seeking the disclosure of compliance data in relation to its implementation of the right to be forgotten.
And Google's response. Let's see how this balancing exercise translates in practice and what concrete outputs are circulated.
12 May 2015
Cloud Investigations by European Data Protection Authorities
You can find the recent draft of my book chapter entitled 'Cloud Investigations by European Data Protection Authorities: An Empirical View' on SSRN.
The full citation for the chapter is:
Vranaki, Asma A.I., Cloud Investigations by European Data Protection Authorities: An Empirical Account (March 31, 2015). Vranaki Asma, 'Cloud Investigations by European Data Protection Authorities: An Empirical Account,' in Rothchild John A (ed), Research Handbook on Electronic Commerce Law (Edward Elgar, 2016). Available at SSRN: http://ssrn.com/abstract=2602216
Let me know your thoughts!
30 March 2015
Cloud Investigations by EU Data Protection Authorities
I was delighted to present part of my current research on the cloud
investigations conducted by European data protection authorities at the
recent launch of the Centre for Law and Information Policy at the
Institute of Advanced Legal Studies.
My current research forms part of the 'Accountability for Cloud' research project which is a major European research project. I have designed and conducted a qualitative socio-legal research project which investigates how and why investigations of companies offering cloud computing technologies or services ('Cloud Providers') are being conducted by European data protection authorities.
You can find a copy of my slides here.
9 January 2015
Programme for the Workshop entitled 'Balancing Business Innovation with Data Protection? Regulating the Digital Age' (University of Oxford)
Dear Readers
I am pleased to invite you to attend our forthcoming workshop entitled 'Balancing Business Innovation with Data Protection? Regulating the Digital Age' which will be held at the University of Oxford on 26 January 2015 at 14:00. The workshop is organised by the Regulation Discussion Group of the Centre for Socio-Legal Studies of the University of Oxford.
Our detailed programme is pasted below.
If you wish to attend, please email me at asma.vranaki@qmul.ac.uk.
Balancing Business Innovation with Data Protection? Regulating the Digital Age
First Technology Regulation Workshop
Haldane Room, Wolfson College, 26 January 2015
In recent years, there has been a rapid proliferation of a diverse range of information communication technologies, such as online social networking sites, cloud computing technologies, and messaging applications. Hardly a day goes by without a new information communication technology being rolled out. As the world of Snapchat, Amazon Web Services, and the like becomes firmly entrenched in modern society, new questions are being raised by regulators, scholars, and technologists about the risks such information communication technologies pose to the protection of ‘personal data.’ By ‘personal data’, we mean any information which relates to an individual, who is or can be identified from the data, such as an individual’s internet protocol address, cookies, characteristics or electronic mail address.
The
challenges which information communication technologies pose to the protection of
personal data have been one of the major drivers for reforming the regulation
of personal data, including the current reform of the EU data protection
package. How to strike a balance between
the protection of personal data and the promotion of the European Union as a
world leader in the digital economy is at the heart of the current European reform
exercise. For example, the recent ruling
of the European Court of Justice in the Google Spain case has raised
perplexing, pressing, and practical questions about how companies, such as
Google, will deal with the additional regulatory burdens which are now placed on them whilst continuing
to drive innovation in the field of information communication technologies.
Google reportedly received over 12,000 requests from individuals to remove
information relating to them from the results of Google search engine within 24
hours of the Google Spain ruling.
This
workshop will investigate whether it is possible for regulators and companies to
strike a balance between business innovation and data protection in the Digital
Age. This and many more questions will be explored during this workshop by academics,
regulators, and practitioners from a range of disciplinary perspectives.
1. What are the major patterns of data use in the digital advertising economy and what are the implications of these for regulation?
2. In what ways can the so-called ‘co-regulation model’ empower and protect consumers?
3. Is ‘co-regulation’ a viable option or will it lead to regulatory capture?
4. Can privacy-enhancing technologies improve the accountability and transparency of companies’ practices in the context of self-regulation?
Programme
14:00 – 14:10
Opening remarks from the co-convenor of the Regulation Discussion Group
Dr Bettina Lange, Associate Professor in Law and Regulation, Centre for Socio-Legal Studies, University of Oxford
KEYNOTE SPEECH
14:10 – 14:40
Transborder Data Flow in Competing Regulatory Frameworks: The EU Perspective
Dr Christopher Kuner, Associate Professor, University of Copenhagen
PANEL ONE: RETHINKING THE USE AND REGULATION OF PERSONAL DATA
14:40 – 15:40
Regulation by Privacy Seals and Certification
Steve Wood, Head of Policy Delivery, ICO
Review of the Practices of Self-Regulation in Digital Advertising in the UK: Innovation and Data Use
Nick Stringer, Director of Regulatory Affairs, UK Internet Advertising Bureau
Reflecting on the Distinction between Data Processors and Data Controllers: A View from Practice
Ronnie Preiskel, Partner, Preiskel & Co LLP
15:40 – 16:00
Panel discussion
Moderator: Dr Bettina Lange
16:00 – 16:20
Coffee break
PANEL TWO: CO-REGULATION AND SELF-REGULATION: BALANCING INNOVATION AND DATA PROTECTION
16:20 – 17:20
Data Sovereignty, Data Flow, and International Jurisdiction in Cloud Computing
Christopher Millard, Professor of Privacy and Information Law, Queen Mary, University of London
Net Neutrality and Personal Data Protection: Towards a Co-regulatory Solution
Christopher T. Marsden, Professor of Internet and Media Law, University of Sussex
Cloud Computing: Technical Protections and Directions
Dr Jatinder Singh, Senior Research Associate, Computer Laboratory, University of Cambridge
17:20 – 17:40
Panel discussion
Moderator: Dr Asma Vranaki, Post-Doctoral Researcher in Cloud Computing, Queen Mary, University of London
Drinks
Organising Committee
Dr Bettina Lange, Associate Professor in Law & Regulation (University of Oxford)
Dr Asma Vranaki, Post-Doctoral Researcher in Cloud Computing (QMUL)
Janet Hui Xue, PhD Candidate in Internet Regulation (Macquarie University)
We gratefully acknowledge the contributions of Macquarie University and the Oxford Regulation Discussion Group for this workshop.
For further details, please email Dr Asma Vranaki at asma.vranaki@qmul.ac.uk