CONFERENCE

SUMMARY

CONFERENCE • 12 OCTOBER 2017

Jurisdiction, Conflict of Laws and Data Protection in Cyberspace

Report on the Conference held in Luxembourg on 12 October 2017, by Martina Mantovani, Research Fellow MPI Luxembourg, orginally posted on  conflictoflaws.net (16 November 2017)

SUMMARY

On 12 October 2017, the Brussels Privacy Hub (BPH) at the Vrije Universiteit Brussel and the Department of European and Comparative Procedural Law of the Max Planck Institute Luxembourg held a joint conference entitled “Jurisdiction, Conflicts of Law and Data Protection in Cyberspace”. The conference, which was attended by nearly 100 people, included presentations by academics from around the world, as well as from Advocate General Henrik Saugmandsgaard Øe of the Court of Justice of the European Union. The entire conference was filmed and is available for viewing on the YouTube Channel of the Max Planck Institute Luxembourg (first and second parts)

Participants were first welcomed by Prof. Dr. Burkhard Hess, Director of the MPI, and Prof. Dr. Christopher Kuner, Co-Director of the BPH. Both highlighted the importance of considering each of the discussed topics from both a European and a global perspective.

The first panel was entitled “Data Protection and Fundamental Rights Law: the example of cross-border exchanges of biomedical data – the case of the human genome”. The speaker was Dr. Fruzsina Molnár-Gábor of the Heidelberg Academy of Sciences and Humanities, who discussed the regulatory challenges arising in connection to the processing and transfer of biomedical data, including data exchanges between research hubs within the EU and to third-countries (namely the US). The need for innovative regulatory solutions, originating from a bottom-up approach, was discussed against the backdrop of the impending entry into force of the new EU General Data Protection Regulation (GDPR), whose Article 40 encourages the adoption of Codes of Conduct intended to contribute to the proper application of the Regulation in specific sectors. According to Dr. Molnár-Gábor, however, in order to establish an optimal normative framework for biomedical research, the regulatory approach should be combined with appropriate privacy-enhancing technologies and privacy-by-design solutions (such as the emerging federated clouds, the European Open Science Cloud, and data analysis frameworks bringing analysis to the data). This approach should also be paired with the development of adequate incentives prompting non-EU established companies to express binding and enforceable commitments to abide by EU-approved Codes of Conduct. Her presentation demonstrated the basic problem of data protection and data transfer: The creation of appropriate and applicable legal frameworks often lags behind the necessarily more rapid pace of data exchange seen in successful scientific research.

The second panel was entitled “Territorial Scope of Law on the Internet”. According to Prof. Dr. Dan Svantesson of Bond University in Australia, the focus on territoriality, which characterises contemporary approaches to the solution of conflicts of laws, is the result of an inherent “territorial bias” in legal reasoning. A strict application of territoriality would however be destructive when dealing with cyberspace. Here, the identification of the scope of remedial jurisdiction should follow a more nuanced approach. Prof. Svantesson specifically focused on Article 3 of the new GDPR, which he deemed “too unsophisticated” for its intended purposes as a result of its “all-or-nothing approach” In other words, either a data controller is subject to the Regulation in its entirety, or it is totally excluded from its scope of application. As an alternative, he proposed a layered approach to its interpretation, grounded in proportionality. The GDPR, he contended, should be broken down into different sets of provisions according to the objectives pursued, and each of these sets should be assigned a different extraterritorial reach. Against this backdrop, the spatial scope of the application of provisions pertaining to the “abuse prevention layer” may, and should, be different from that of the provisions pertaining to the “rights layer” or “the administrative layer”.

A response was made by Prof. Dr. Gerald Spindler of University of Göttingen, who conversely advocated the existence of an ongoing trend toward a “reterritorialization” of the Cyberspace, favoured by technological advance (geo-blocking, Internet filtering). This segmentation of the Internet is, in Prof. Spindler’s opinion, the result of a business strategy that economic operators adopt to minimise legal risks.  As specifically concerns private international law rules, however, a tendency emerges towards the abandonment of “strict territoriality” in favour of a more nuanced approach based on the so-called market principle or “targeting”, which is deemed better adapted to the more permeable borders that segment cyberspace.

The third panel was entitled “Contractual Issues in Online Social Media”. The speaker was Prof. Dr. Alex Mills of University College London. A thorough analysis of Facebook’s and Twitter’s general terms and conditions brought to light private international law issues stemming from “vertical contractual relationships” between the social media platform and final users. Professor Mills highlighted, in particular, the difficult position of social media users within the current normative framework. In light of the ECJ case-law on dual purpose contracts, in fact, a characterisation of social media users as “consumers” under the Brussels I bis and the Rome I Regulations may be difficult to support. Against this backdrop, social media users are left at the mercy of choice of court and choice of law clauses unilaterally drafted by social media providers. In spite of their (generally) weaker position vis-à-vis social media giants, European social media users will in fact be required to sue their (Ireland-based) contractual counterpart in Californian courts, which will then usually apply Californian substantive law. In addition to generating a lift-off of these transactions from EU mandatory regulation, these contractual clauses also result in an uneven level of protection of European social media users. In fact, Germany-based social media users seem to enjoy a higher level of protection than those established in other EU countries. Since the contract they conclude with the social media provider usually encompass a choice of law clause in favour of German substantive law, they may in fact benefit from the European standard of protection even before Californian courts.

Prof. Dr. Heike Schweitzer of Freie Universität Berlin, highlighted a fundamental difference between E-Commerce and social media platforms. While the former have an evident self-interest in setting up a consumer-friendly regulatory regime (e.g., by introducing cost-efficient ADR mechanisms and consumer-oriented contractual rights) so as to enhance consumer trust and attract new customers, the latter have no such incentive. In fact, competition among social media platforms is essentially based on the quality and features of the service provided rather than on the regulatory standard governing potential disputes. This entails two main consequences. On the one hand, from the standpoint of substantive contract law, “traditional” contractual rights have to adapt to accommodate the need for flexibility, which is inherent to the new “pay-with-data” transactions and vital to survival in this harshly competitive environment. On the other hand, from the standpoint of procedural law, it must be noted that within a system which has no incentive in redirecting disputes to consumer-friendly ADR mechanisms (Instagram being the only exception), private international law rules, as applied in state courts, still retain a fundamental importance.

The final roundtable dealt with “Future Challenges of Private International Law in Cyberspace”. Advocate General Saugmandsgaard Øe discussed the delicate balance between privacy and security in the light of the judgment of the Court of Justice in the case C-203/15, Tele2 Sverige, as well as the specifications brought to the protective legal regime applicable to consumers by case C-191/15, Verein für Konsumenteninformation v Amazon EU Sarl. Prof. Kevin D. Benish of New York University School of Law illustrated the US approach to extraterritoriality in the protection of privacy, having particular regard to the recent Microsoft case (the U.S. Supreme Court recently granted certiorari). Prof. Dr. Gloria Gonzalez Fuster of Vrije Universiteit Brussels pointed to a paradox of EU data protection legislation, which, on the one hand, regards the (geographic) localisation of data as irrelevant for the purpose of the applicability of the GDPR and, on the other hand, establishes a constitutive link with EU territory in regulating data transfers to third countries. Finally, Dr. Cristina Mariottini, Co-Rapporteur at the ILA Committee on the Protection of Privacy in Private International and Procedural Law, provided an overview of the European Court of Human Rights’ recent case-law on the interpretation of Article 8 ECHR. Specific attention was given to the conditions of legitimacy of data storage and use in the context of criminal justice and intelligence surveillance, namely with respect to the collection of biological samples in computerised national databases (case Aycaguer v. France), the use as evidence in judicial proceedings of video surveillance footage (Vukota-Bojic v. Switzerland) and the telecommunication service providers’ obligation to store communications data (case Breyer v. Germany and case C?alovic? v. Montenegro, concerning specifically the police’s right to access the stored data).

Overall, the conference demonstrated the growing importance of private international and procedural law for the resolution of cross-border disputes related to data protection. The more regulators permit private enforcement as a complement to the supervisory activities of national and supranational data protection authorities, the more issues of private international law become compelling. As of today, conflict of laws and jurisdictional issues related to data protection have not been sufficiently explored, as the discussion on private law issues related to the EU General Data Protection Regulation demonstrates. With this in mind, both Brussels Privacy Hub and MPI have agreed to regularly organize conferences on current developments in this expanding area of law.

ademics to representatives of the EDPS and the private sector.

The debate started with a short introduction into the field of computational genetics. It was explained that DNA as a blueprint for the development of all the cells in a living organism holds immense research potential. DNA samples can now be obtained from a wide array of sources including saliva, blood and urine. Additionally, it is now possible to sample human remains from cave sediments, reaching new conclusions about genetic ancestry. DNA collection is to be separated from DNA extraction. For this several chemical methods can be applied. The bigger the DNA sample the better the result, although there are methods to amplify an otherwise weak source. After extraction digitisation made possible the field of computational genetics. In computational genetics, the different ladders of a DNA source are converted into binary code, assuming that the human genome knows only two bases-combinations. This allows computational geneticist to code their data, which greatly streamlines the analysis of genetic data and improves its fidelity.

The legal aspects come into this process when one considers that any publication in scientific journals nowadays requires that the data sets on which the findings are based are made available so that third parties can potentially test their replicability. As a result, huge data arrays with genetic data are made available online. An example for such a data collection is the 100.000 genomes project of Healthcare England, in which data comes from participants that consented to partake in studies up to 15 years ago, when the possibilities of genetic research had completely different parameters. In this way samples of several 100.000 of participants are collected and analysed.

This presents a treasure trove for researcher especially focusing on rare diseases, since such statistical power could not be obtained previously. While all the data are anonymised and only available remotely with a secure login (no downloading) even the study organisers themselves admit that it cannot be excluded that somebody is identified by an astray researcher. Moreover, the data protection requirements applied to such databases impact research. As computational genetics is a fast-paced area, stringent data security provisions might hamper efficiency. Projects are also often multi-disciplinary, so that algorithms are not necessary developed by the scientist using them (and also not always completely understood by him or her). Such collaboration is great for science, but can be tricky for data protection. Additionally, the open access installed for many data collections may pose challenges. Another problem stems from the fact that genetic data are most useful when combined with data from other fields, e.g. a hospital file, geographic data, cultural data or linguistic data. Each additional set leads to more scientific insights but also increases the possibility of identification of the data source.

After this scientific introduction, the implications of this type of genetic research for data protection under the GDPR were explained.  Although in the past legal literature considered anonymization of genetic data sufficient to not fall under the definition of personal data, such assumption cannot be upheld when researchers have the whole genome potentially in addition with other data sets available. The increased identifiability is brought about by several reasons, including heightened computing power, the sheer amount of available data and the common (good) research practice to make the data underlying the research available so it can be double-checked by third parties. Even the organisers of the 100.000 genomes project admit that data subjects remain identifiable by their genetic data despite its anonymization, hence genetic data will almost always be personal data. Researchers working with genetic data should be made more aware of this fact, since consequently this also means the application of the GDPR. However, the main pillars of the GDPR, such as the correct legal base for processing, data processing requirements, or data subject rights, could pose difficulties for researchers.

In addition, the GDPR clearly defines genetic data as being always sensitive data. This is a change to the previous regime under Directive 95/46/EC, where this had to be established in each individual case. The blanket assumption of the GDPR that genetic data are sensitive will therefore force a change in many current research practices. While this will certainly pose an extra burden on researchers, it is also much clearer than the previous situation and therefore facilitates research planning. In general, the GDPR provides two legal bases to process genetic data: explicit consent regulated in Article 9 para 2 (a) GDPR, and an exception for processing for scientific purposes regulated in Article 9 para 2 (j) GDPR.

Explicit consent is difficult to obtain for genetic research. Such consent would need to be provided by an informed data subject. However, as the research is so complex and studies often do not know what they will find in advance, it is nearly impossible to provide appropriate information for informed consent. This issue is heightened by the multi-disciplinary methods applied, so that actually hardly any one scientist can explain the whole study. The specified legal requirements for consent can also be tricky for researchers to provide. These elements include the identity of all data controllers and processors, which can be hard in a multinational collaboration as new people might be added later. Also, the purpose of the processing is not always easily defined. As hinted at above the unknown unknowns are often the aim of genetic research. The GDPR even takes that into account and recounts these difficulties in Recital 33. Information about the research parameters poses a further challenge, as it can be impossible to provide from the start information about data storage time, or other research uses.

A famous example of these issues can be found in a case against Arizona State University. Researchers of this case obtained consent of Native American participants to analyse their data for a diabetes study. During the study researchers also found indicators for schizophrenia in the samples and included those results in the publication. The participants found such results stigmatising and sued as schizophrenia was never mentioned when consent was originally obtained. They won their case and trust between the native community and university research in Arizona has not yet been restored. Even if such research studies use rather detailed consent forms, as demonstrated by a consent form for a project involving Aboriginals in Australia, language can pose an understanding issue especially for vulnerable participants. In addition, measures proposed in such forms such as prevention of open access, can actually be a barrier to science.

Consent is however only one issue posed by the principles of the GDPR. The purpose limitation principle is the most obvious problematic. Researchers usually cannot define their purpose from the outset. The principle of data minimisation is counter-intuitive to genetic science, as researchers actually need to analyse as many whole genomes as possible to reach statistically sound results. They need the haystack to find a needle. Similar problems are created by the principle of storage limitation stating that data should be destroyed as soon as possible. However, genetic markers are often only found comparing samples over a long period of time. For frontotemporal dementia, a rare neurodegenerative disease, the relevant marker could only be found comparing data of one family, where it was especially prevalent, reaching back to the 1870ies.   

Arguably more problems arise though, if consent is used as a legal basis for processing. Considering data subject rights – more information needs to be provided if consent is the legal basis. The right of data portability only applies where a person provided data itself, so mainly when they consented to the processing, and does not need to apply to genetic analysis if the other legal basis is used. Additionally, the GDPR allows Member States to limit data subject rights e.g. the right to access and to rectify data, if the legal basis is the exception for scientific processing.

Finally, the presenters observed that the exception for scientific research of Article 9 para 2 (j) GDPR is more suitable for genetic research than explicit consent. This preference can be explained not just with the practical difficulties involved in obtaining informed consent, but also with the facilitation with data subject rights explained previously. There are many cases, where it is neither practical nor possible to use informed consent for genetic data due to the specific nature of this type of research. To base genetic data processing on the exception for scientific purposes also allows for reuse of data, and poses less strict requirement for storage. However, using this exception for genetic data processing does not provide a blank cheque for processing. As Article 89 GDPR specifies, there are certain conditions to be followed, including a necessity and a proportionality test, and the need for a specific legal basis created by the Member States. Placing genetic data processing within these rules will be more reasonable in most cases, but of course there are still instances, where explicit consent should be required.

Ethics bodies dealing with such questions so far stated a clear preference for basing genetic data processing on explicit consent. This aligns with their general support for using consent, whenever possible, since this has many ethical advantages. They also usually prefer consent for the processing of anonymised data. It is the opinion of the presenters that this push in favour of consent, could be considered abuse of that legal basis and is not appropriate for certain occasions.

Another issue independent from the legal basis question that requires further examination is the potential need for a data protection impact assessment of Article 35 GDPR. Such assessment is required according to the GDPR if there is a wide-spread processing of sensitive data. Arguably for computational genetics a single genome can be big data and hence represent a case of wide-spread processing of sensitive data. This rings especially true, when one considers the mentioned tendency of researchers to combine many different data sets. In a data protection impact assessment, the potential risks to the freedom of the data subjects would need to be considered. This could prove to be problematic – the amount of potential issues would be enormous and touch upon many areas. For research centres, it might mean the necessity to hire external expertise which then could lead to budgetary constraints. A potential solution for the institutional level would be to develop expertise for this kind of impact assessment within the different research groups. Individuals with expertise could assess the risks involved. This analysis would need to go beyond the purely legal domain and also consider social issues such as stigmatisation or discrimination.

Concluding, the presenters stated that genetic data are more often than not personal data. If they are personal data, they are also automatically sensitive data. Explicit consent is pushed as a legal basis for such genetic data processing, although it is often not suitable. The presenters suggested that more use should be made of the exception for processing related to scientific purposes, which can provide a more satisfactory solution to many of the issues connected with processing genetic data.

The presentation was followed by a lively debate with the participants about possible implications for cross-border research projects, scientific data transfers between countries, the extent of protection the GDPR requires for sensitive data, the possibility of differing application of the scientific purpose exception, the feasibility of European ethical standards for genetic data processing, and the role of data protection officers (DPO) in data protection impact assessments.