Walter M. Tveter, USIT, University of Oslo Selected Legal Issues Related to Storage NORDUnet conference 2009

Walter M. Tveter, USIT, University of Oslo

Selected Legal Issues Related to Storage

NORDUnet conference 2009


General questions

• Who has the duty of care?

• Where are you storing it? Are there trans-border issues?

• Both the media storing the data, and the ability to extract the information later have to work for this to be meaningful


Duty of care

• Are you storing data or information?

• Who will be keeping the information readable, make

format changes etc.

• Mechanisms for authenticity

• Compliance


Charlemagne I

• In the late 8th century, most classical texts were disappearing

• The standard format was papyrus

• Papyrus is less than optimal in a European climate

• Charlemagne started to transfer classical pagan texts to parchment. Parchment lasts a long time.

• Charlemagne undertook a duty of care.


Personal Data

• In Europe, as defined by Directive 95/46/EC.– Definition of personal data given a wide scope– Precisely defines what is to be regarded as personal data– Definition of personal data given a wide scope– Consent used as a basis, not always applicable– Several “necessity-based” grounds for processing

• In the US, less centrally regulated, more sector-wide approaches

• Today's laws were conceived almost 20 years ago. They will change before another 20 years pass.


Trans-border personal-data transfer

• Transfer of data to a third country: If on the list of "adequate level of protection", its OK – the same as inside EU. If from the US, should be on the «Safe Harbour» list. http://www.export.gov/safeharbor/

• If from another «third» country, this is problematic, again consent can be key, as well as situations where it is «necessary» - similarities to the grounds for processing.


Choice of law

• General rule (from the directive) is that one has to abide by the rules of the country where the controller is located, as well as the rules in the country of the controller (if from EU countries) has an established presence.

• If no EU controller exists, he/she has to have a representative in the country where the processing will take place.


Storage models

• You could choose not to know anything about the data you store. You have less responsibility but no ability to take protective measures. Encryption.

• You could know something, more precisely a

description, metadata etc. about the data, but not have access (legally or technically) or any responsibility for the information as such

• You could know everything. You store the data, and you have the duty of care for the information stored. You also have knowledge of illegal content.


Storing personal data incl. sensitive data

• The controller bears the responsibility for the storage, if you provide a storage service, and you only act as a subcontractor to the controller (a data processor in the directive's terms).

• Even so, you do not want to be named an accomplice in event of the controller breaking the law.

• Making sure you have a written agreement where everything is lain out is neccessary.


Storing intellectual Property (IP)

• US regulations and international treaties more important then the law of individual nations.

• If you store data you have a responsibility unless an exception is provided by law.

• The clue is that law regulates the ability to produce copies, not the usage as such of IP

• Strong IP industries lobby very hard, records, films etc.

• Lately, newer giants like Google pull in the opposite direction.

• We will see new regulations in the next 20 years


Storing dangerous or illegal data

• This changes with the political situation.• Some limitations on free speech • Some limitations on technology• New limitations will come, but predicting what is

harder.

• The rules are often enforced only by governments, not by private entities.

• Whether one wishes to stand on principle and or give in to demand should be thought about on beforehand.


Legal regulations of storage models (EU) DIRECTIVE 2000/31/EC (Directive on electronic commerce). Article 14

Hosting

1. Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that:

(a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or

(b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.

2. Paragraph 1 shall not apply when the recipient of the service is acting under the authority or the control of the provider.

3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement, nor does it affect the possibility for Member States of establishing procedures governing the removal or disabling of access to information.


Data Ownership

• Who will you give the data to when the person who stored it is long gone?

• Would you like to be sued for not giving out data to someone, or would you prefer to be sued for giving data to someone.

• An option is to destroy the data, and then be sued for that.


Data Ownership II

• An agreement that lays down very precise rules is smart before one takes on the obligation of (long-term) storage.

• What will prompt you to give someone access to the data.

• Who has the duty of care for the data and who has the duty of care for the information.

• Are there cases when you can erase the data• Can storage of this data cause other legal obligations

or obstacles? Who will take the risk for this?


Some thoughts on long term storage

• Since we don't know the future, we don't know what data (not just information) we store today will tell the people that access them in the future.

• Unless they are aware of the history and context, they may misunderstand.

• Some misunderstanding may be fun, others may not.


Charlemagne II

• In medieval Europe, writing was less then standardized. Instead of one or two good readable standards, one had many bad unreadable ones.

• Charlemagne (via. his adviser Alcuin) changed this. They developed Carolingian Minuscule, which from about 800-1200 was an easily readable and standardized form of writing.

• Enter Gutenberg, a new standardization for writing (font) was needed. Being a fan of all things Roman, they chose Carolingian Minuscule, believing the Carolingian texts were from the Roman times, being older and different from the later Gothic text.

Documents

Walter M. Tveter, USIT, University of Oslo Selected Legal Issues Related to Storage NORDUnet conference 2009