What are digital rights?

By Konstantinos Kakavoulis

Digital rights are human rights. More specifically, they are the human rights which provide persons with access to digital means of communication and the chance to use them, as well as access to computers, other electronic devices and communication networks with the respective opportunity to use them. The most significant and most well-known of these communication networks is the Internet, which, as illustrated by its name, constitutes the “network of networks”.

Which are the digital rights?

Digital rights are all the human rights related to the aforementioned activities in the digital age in which we live. The most important digital rights, at the moment these lines are written, are the right to privacy, personal data protection, the freedom of expression, the right to information, the right to property (material and intellectual), the right to judicial review and the prohibition of discrimination. This list is not exhaustive. Technological evolution and the resulting extension of human activity are likely to create new digital rights.

When were digital rights created?

Digital rights are the expansion of the fundamental human rights, which were already guaranteed in the Universal Declaration of Human Rights, in international and European law, but also in the Greek Constitution. The evolution of technology and the entry into the digital age created a new digital world, which exists in parallel with the real world. The vested rights took on a new dimension, in order to regulate the new space of human activity.

Are digital rights protected?

As already mentioned, digital rights constitute the expansion of the vested fundamental human rights. Therefore, they enjoy the same protection as the vested rights. Certainly, the adoption of new legislation is imperative, in order to regulate thoroughly the particularities of the new situation.

Why are digital rights important?

All of us use the Internet and electronic devices on a regular basis: we purchase products and services, we exchange opinions and information, we get informed. It is no exaggeration to state that, apart from the real world, we also live and operate in a digital one. Just as our real self needs to be safeguarded, so does our digital self. In order to be able to safeguard our digital rights, we must first get informed about them. We must learn how our personal data are used by corporations, States and other persons. We must learn where our freedom of expression on the Internet begins and where it ends. We must learn how to protect our Internet transactions. We must learn where and when the surveillance of our actions by cameras is permitted and in which cases it is not.


When things go wrong-Part Two

A brief guide explaining what to do and whom to address if you have problems with the processing of your personal data

By Lefteris Chelioudakis and Elpida Vamvaka

Having been informed about your rights in the first part of this article, it is reasonable to ask yourself how to apply them in practice.

A Request to the Data Controller

In order to exercise any of your rights, you should submit the relevant request to the Data Controller, and the Data Controller shall verify your request. Subsequently, the Data Controller has a time limit of one month from the receipt of your request to answer it. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests (this means a total of 3 months until you receive the final answer to your request). However, even in this case, the controller shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. Any information provided and any actions to be taken by the controller shall be provided free of charge. Where your request is complicated or excessive, the controller may either charge a reasonable fee or refuse to act on your request.

Nonetheless, in such case the controller shall bear the burden of demonstrating the manifestly complicated or excessive nature of your request.

Lodge a complaint with the Supervisory Data Protection Authority

If you consider that your rights have been infringed and the Controller or the representative (the natural or legal person processing your data according to the instructions and on behalf of the Data Controller) does not operate in compliance with the rules imposed by the law, you may, if you so wish, lodge a complaint with the Supervisory Personal Data Protection Authority. This step, although not mandatory, is particularly useful. The reason is that the controllers of the Authority have the requisite knowledge and experience to evaluate the complaint and its basis.

A complaint may be lodged, at your choice, either with the Independent Authority of the Member State of your habitual residence (e.g. Greece), or the Independent Authority of the EU Member State of your place of work (e.g. Bulgaria if you live in Greece and you cross the border to work there), or the Independent Authority of the Member State of the alleged infringement (e.g. Italy if you went there for vacation and you consider that the hotel where you made the reservation infringed the law in processing your personal data).

The complaint to the Authority can be submitted by electronic means, by completing a standardized form, without excluding other means of communication. In general, the submission of the complaint shall be free of charge, but where the request is manifestly ill-founded or excessive, the Authority may charge a reasonable fee based on administrative costs or refuse to act on the request. In such case, the Supervisory Authority shall bear the burden of demonstrating the manifestly ill-founded character of the request. For lodging complaints with the Greek Supervisory Personal Data Protection Authority, you can find here the relevant forms and other information regarding the procedure.

If the Authority decides that there has actually been an infringement of your rights, you can subsequently use this decision before the courts to have an increased chance of winning a claim for damages. However the Authority cannot, by its decision, oblige the controller or the processor to compensate you for your damage. What it can do, among other things, is to impose on them particularly high administrative fines.

In addition, the Authority may cooperate with Independent Authorities of other Member States and has the authority to conduct investigations on the application of law, to bring to the attention of the judicial authorities any infringement of law and where appropriate to commence or engage otherwise in legal proceedings in order to enforce the provisions of law.

But what happens if the authority issues a binding decision declaring that there has been no infringement of your rights or does not examine your complaint at all or does not inform you on the progress or outcome of your complaint within three months? Then you have the right, if you wish, to bring legal proceedings against the Authority before the courts of the Member State where the authority is established.

Right to a judicial remedy against a controller or processor

Omitting the step of lodging a complaint with the authority or following that, if you consider that your rights have been infringed and you want to receive compensation, you have the right to a judicial remedy against the controller or processor. In such case you have two options: You may institute legal proceedings before the courts of the Member State where the controller or the processor is established or before the courts of the Member State where you have your habitual residence unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers. In this case you may initiate proceedings in the Member State to which the public authority belongs.

How can Homo Digitalis help you?

The law gives you the right to mandate a not-for-profit body which is active in the field of the protection of personal data, such as Homo Digitalis, to lodge the complaint on your behalf with the Supervisory Personal Data Protection Authority, to institute a judicial remedy against the Supervisory Personal Data Protection Authority and to institute a judicial remedy against the controller or the processor, exercising on your behalf your right to compensation.

Although we have limited human and financial resources, you should know that we are always at your disposal. Should you want to contact us you can send us an e-mail at info@homodigitalis.gr.


When things go wrong-Part One

A brief guide explaining what to do and whom to address if you have problems with the processing of your personal data.

By Elpida Vamvaka and Lefteris Chelioudakis

The new General Data Protection Regulation provides a range of rights to protect and exercise your fundamental right to protect your personal data. This Regulation applies to activities not related to the investigation and prevention of criminal offenses, as the latter are covered not by the new Regulation but by Directive 2016/680.

But how can you exercise the rights granted to you by the law and whom should you contact in order to exercise them? In this article, Homo Digitalis will provide you with the necessary clarifications.

What are your rights under the provisions of the new Regulation?

Right to Transparency of Data Processing (Article 12)

You have the right to be informed by your data controller (the natural or legal person who determines the purpose and manner of processing your data) in simple, concise and comprehensible words, in writing and/or oral explanation about any rights you have under this processing, the way you may exercise these rights, the person/service you need to address, and the time limit within which you can receive the necessary answers to your requests.

Right to Information (Article 13):

What is included:

Your right to request from the processor the necessary information related to the processing of your personal data such as:

– the identity and the contact details of the controller;

– the identity and the contact details of the data protection officer, where applicable; (the existence of a data protection officer is not always required by law);

– the purpose of the processing for which the personal data are intended as well as the legal basis for the processing and the relevant clarifications related to such legal basis;

– any recipients of your data, and any intention to transfer your data outside the EU, explaining on what basis this transfer is made and the impact that such action will have on the level of security of your data;

– the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

– the existence of your rights to request from the controller access to or rectification or erasure of your personal data or restriction of processing concerning the data subject or to object to processing as well as your right to transfer your data to another data controller, or withdraw your consent if the processing of your data is based on such consent (see below for more regarding all these rights);

– your right to lodge a complaint with the Supervisory Personal Data Protection Authority;

– the existence of automated decision-making based on your personal data including profiling, meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for you (the rule is that you may not be subjected to a decision based solely on automated processing, although there are some exceptions).

When can you receive the information?

When your personal data are collected from you, this information shall be provided at the time when the personal data are obtained. But when your personal data have not been obtained from you, this information shall be provided to you within one month from the collection. Particularly, if your personal data are to be used for communication with you, the information should be provided to you at the time of the first communication with you. Finally, if a disclosure of your data to another recipient is envisaged, such information shall be provided to you before such disclosure.

However, you must remember that the right to information is subject to serious restrictions as the case may be.

Right to access (Article 15):

Your right to know if a data controller processes your data.

If you receive a positive response, you will have the right of access to such data, the right to Information (as described above) as well as your right to obtain a copy of your personal data undergoing processing.

Right to rectification (Article 16)

Your right to request from the controller the rectification of personal data when there are inaccuracies, or the completion of your incomplete data. Such rectification may take place without undue delay.

Right to erasure (known as “right to be forgotten”-Article 17)

Your right to request from the controller the erasure of your personal data without undue delay.

The grounds upon which you may exercise your right of erasure:

– where your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

– where the processing is based on your consent, you withdraw that consent and the controller has no other legal ground for the processing;

– in the exercise of the right of objection to the processing of your personal data (see below);

– where your personal data have been unlawfully processed;

– where your personal data have to be erased by the controller for compliance with a legal obligation in Member State or in EU law;

– where the processing is based on consent in relation to the offer of information society services to a child (e.g. a child account on a social networking platform).

However the right to erasure is subject to significant restrictions. In particular, this right may not be exercised to the extent that processing is necessary:

– for exercising the right of freedom of expression and information;

– for compliance with a legal obligation which requires processing under the national or EU law to which the controller is subject;

– to perform a task carried out in the name of public interest or in the exercise of official authority vested in the controller;

– for reasons of public interest in the area of public health;

– for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the right of erasure is likely to render impossible or seriously impair the achievement of the objectives of the processing of the data;

– for the establishment, exercise or defence of legal claims.

Right to restriction of processing (Article 18)

Your right to obtain from the controller restriction of processing of your personal data where:

– you contest the accuracy of your personal data and you require the restriction for a period enabling the controller to verify the accuracy of the data;

– the processing of your personal data is unlawful and you oppose the erasure of your personal data and you request the restriction of their use instead;

– you need your data for the establishment, exercise or defence of legal claims even if the controller no longer needs the personal data for the purposes of the processing;

– you have submitted a request for exercising your right of objection to processing (see more information below) and, pending the verification of your request, you require the restriction of processing of your personal data.

Right to data portability (Article 19)

Your right to receive your personal data and transmit those data to another controller. You may request the transmission of your personal data directly from one controller to another where technically feasible. The exercise of this right may not adversely affect the rights and freedoms of others.

When can you exercise this right?

– Where the processing is based on the legal basis of consent or on a contract and is carried out by automated means.

Exception:

The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to objection to the processing of your personal data (Article 21):

Your right to object to processing of your personal data, including profiling, at any time and for personal reasons. At the latest at the time of your first communication with the controller, your right to object shall be explicitly brought to your attention and shall be presented clearly and separately from any other information.

You may exercise this right where the processing or the profiling:

– is necessary according to law for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing, which override your grounds or the processing is necessary for the establishment, exercise or defence of legal claims.

– is necessary according to law for the purposes of legitimate interests pursued by the controller or by a third party unless the controller demonstrates compelling legitimate grounds for the processing which override your grounds or the processing is necessary for the establishment, exercise or defence of legal claims.

– refers to direct marketing purposes;

– in the context of the use of information society services, you may exercise your right to object by automated means using technical specifications;

– is necessary for scientific or historical research purposes or statistical purposes unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Are these rights absolute?

No. As you have already understood from the above, these rights are subject to several restrictions as the case may be depending on the legal basis on which the processing of personal data is based. However, one thing to keep in mind is that the data controller is obliged to inform you accurately of your rights. Therefore, you should know at any time your rights for the processing of your personal data.

Are you wondering how you can exercise these rights in practice? Continue reading the second part of this article.


The right to privacy and personal data protection: An introduction to these two distinct rights

By Lefteris Chelioudakis

The right to privacy of every person and the right to the protection of his/her personal data are two distinct rights, according to European Union law. Many people confuse the two rights. This article aspires to make clear, in simple language, the values each of them safeguards.

The core of the right to privacy of a person is the protection of his/her residence, his/her communications or/and his/her relationships with others, as well as his/her personality, as this is conceived in total.

This right does not apply only behind closed doors. On the contrary, it may be implemented and protected also in public spaces.

The right to the protection of personal data which concern a person refers exclusively to the processing of these data.

Its objective is the provision of legal protection against improper processing of these data.

Having read the informal definitions of these two rights, we can proceed to tracking down and analyzing their differences. In particular, it is understood that the right to privacy safeguards the residence and the communications of a person and concerns many aspects of his/her life. It is the right of everyone to choose how he/she defines his/her own existence.

The protection of this right constitutes a necessary condition for us to enjoy a series of other rights, which concern our interests, our relations, our beliefs, etc.

On the contrary, the right to personal data protection concerns solely the processing of these data. This processing may have to do with the core of the right to privacy of the data subject or not, depending on the case.

Let us try to understand the differences between these two rights through an example. We will use the case illustrated in the Handbook of European Data Protection Law, which has been published by the Fundamental Rights Agency of the European Union (FRA), the European Data Protection Supervisor (EDPS) and the Council of Europe (in collaboration with the Secretary of the European Court of Human Rights). The Handbook is available for free in electronic form on the website of FRA.

If the payroll department of the company in which you work has a list with the names of the employees of the company and their respective salaries, the recording of this information cannot be considered as an interference with your right to privacy. If, in the same example, the payroll department chose to disclose this information to a third party, this could easily amount to an interference with your right to privacy.

The violation of the right to privacy does not necessarily equate to a violation of the right to data protection and vice versa.

Although European Union law distinguishes between the right to privacy and the right to data protection, the law of the Council of Europe adopts a different approach.

Specifically, the law of the Council of Europe perceives personal data protection as a reflection of the right to privacy, when these personal data are somehow related to the personal life of a person.

The Greek Constitution distinguishes between the two rights; the right to personal data protection is recognized under Article 9A (Personal Data Protection), while the various manifestations of the right to privacy are recognized under Article 9 (Asylum of the residence), Article 19 (Confidentiality of mail, correspondence & communication) and Article 21 (Protection of family, marriage, motherhood and childhood, disabled persons’ rights).

Therefore, it can be understood that the Greek Constitution distinguishes between the two rights, while it notably provides for distinct independent administrative authorities, which safeguard the distinct legal rights.

In particular, the Personal Data Protection Authority safeguards personal data protection, while the Confidentiality of Telecommunications Authority safeguards the confidentiality of mail and free correspondence and communication.

In any case, what the reader should bear in mind is that both the right to personal data protection and the right to privacy constitute fundamental rights, enjoyed by everyone and protected against arbitrary actions of the State or third persons.


Why should you take care of the personal data you share on Facebook and how can you get back control?

By Lefteris Chelioudakis

The Cambridge Analytica case (CA) started being discussed in March 2018 and illustrated how the personal data you share on Facebook can be used by advertising companies and data brokers to manipulate your choices as a consumer, but also as a voter.

This article is not a commentary on the CA case. On the contrary, our goal is to help you adjust your Facebook settings to increase your control over the personal data you share. Before we present the simple steps you must follow, we will briefly describe the facts of this case. In 2014, Dr. Aleksandr Kogan, then a researcher in the Psychology Department of Cambridge University, created a psychometric test for Facebook users for academic purposes.

Subsequently, this test was converted and used for commercial purposes by Dr. Kogan’s company Global Science Research (GSR). One of the companies which worked with GSR was Strategic Communication Laboratories (SCL), parent company of CA. Through this test, CA managed to gain access to more than 50 million profiles of Americans other Facebook users. This access was granted by the users themselves or by their Facebook friends. Every time that a Facebook user chose to do the impugned test, the test requested access to personal data the user shared on Facebook, as well as personal data his/her friends had publicly shared. In this way, if I had given my consent to do the test, I would have shared with the company which had created the test all the personal data it requested, including the public profile of my friends.

In this manner, CA managed to classify all the users, who had granted their consent, as well as their Facebook friends, based on their psychological profiles. This knowledge was used by CA as a basis for sending targeted political messages to the users in question, which influenced their choices during the US presidential elections in 2016, and possibly during the Brexit referendum during the same year.

Leaving the CA case aside, today all the well-known social media platforms, such as Facebook, Instagram, Twitter, etc., use the so-called “Application Programming Interface” (API). Using interface tools, various applications can share your personal data, once you have granted your consent, in order to offer you services and products. Thus, you can permit other applications to interact with your Facebook account and share with them your profile information, such as your friends list, your date of birth, your timeline posts, the place you live in, your education and working experience, etc.

It is quite likely that at some point you gave your consent for gaming applications, quiz or test applications or other types of applications to have access to your personal data. At that point you might not have been cautious regarding the content you would be sharing with these platforms. For instance, why should a quiz which will offer you a few moments of laughter have unlimited access to your profile photos, the place where you work or live, your friends list or your interests? Did you consider which data broker company might be behind this “innocent” test and for which purposes it will use your data in the future?

In order for you to reconsider the choices you made in the past, you must visit the Settings page of the platform you are using.

Furthermore, you must be very cautious regarding all the applications which ask you to type the word “BFF” or other such words to check if your account is secure or not. These posts aim at nothing other than making the pages which host them more popular through comments, likes and shares. The acronym “BFF” refers to the term “Best Friends Forever” and is accompanied by vivid colours, simply because it constitutes one of the keywords which Facebook has chosen to accompany with graphics.

You can find more keywords like this in this link.

If you wish to learn more on whether your personal data have been used by CA through your Facebook account, you can visit the following section created by Facebook here.

In any case, before you decide to use a social media platform or share your personal data with other applications, you must always read their privacy policies carefully. In this way, you will be able to get informed on how, with whom and for how long your personal data will be used. These privacy policies are required not to be extensive or illegible and are also required to explain in simple words what is happening with your personal data.

So, next time, before you start using a platform, devote a few minutes of your time to learning what you will be sharing with this platform and under which terms and conditions.


Homo Digitalis signs the open letter on Artificial Intelligence and Robotics

Homo Digitalis signs the open letter to the European Commission on Artificial Intelligence and Robotics

Artificial Intelligence and robotics constitute an ever-increasing part of our everyday lives. It seems that robots or robotic applications will be used in many aspects of our lives in the near future. Therefore, it is crucial that an adequate legislative framework is created, regulating their activity and safeguarding the principles of democracy and human rights. This framework should not only be examined from an economic and legal perspective; it calls for a holistic approach, which will include sociological, psychological and ethical aspects.

In this context, the European Parliament with a resolution proposed to the European Commission:

“the adoption of a legal instrument on robotics in the long term, so that at least the most hi-tech, autonomous robots are recognized as electronic persons, having liability for any damage they cause and potentially implementation of this electronic personality in cases in which robots decide autonomously or interact independently in any other way with third parties”.

Scientists and manufacturers specializing in Artificial Intelligence and Robotics, law professionals, health scientists, university professors in the related fields, as well as organizations operating in the aforementioned fields and in ethics, address the European Commission through an open letter regarding the proposal by the European Parliament.

Their purpose is to support the drafting of a legal instrument in the European plane, which will regulate robots’ activities, safeguarding human rights and limiting the risks, which may be caused by their acts. They believe that the European Commission should create a feasible legislative instrument for innovative and responsible progress in Artificial Intelligence and Robotics, resulting in the enjoyment of even more benefits for European citizens and the European single market.

However, the experts underline that:

  • It is necessary to adopt a holistic approach for the creation of the regulatory framework.
  • From an ethical and legal aspect, it is impossible to create a legal personality for robots, which will be based on any existing law system.

Homo Digitalis is one of the signatories of this open letter, represented by its President, Ms. Elpida Vamvaka.

If you are among the persons or organizations which can and wish to sign the letter, thus adding to the endeavour being made before the European Commission, you can do so by following the link:

https://www.robotics-openletter.eu/


Letter by Homo Digitalis to the Greek Parliament: Reinforcement of the Independent Authorities

On 30 May 2018, Homo Digitalis submitted a letter to the Greek Parliament, addressing all the political parties and the independent Members of the Parliament, regarding the reinforcement of the Personal Data Protection Authority and the Authority for the Confidentiality of Communications with adequate human, technical and economic means, in order for their objectives to be successfully carried out.

The letter was also communicated to the two Authorities and particularly to their Presidents, Mr. Menoudakos and Mr. Zampiras respectively.

You can read the letter in Greek here.


Homo Digitalis signs the Toronto Declaration: Protection of the rights to equality and non-discrimination in machine learning systems

In May 2018, Homo Digitalis signed the Toronto Declaration on the protection of the rights to equality and non-discrimination in machine learning systems. This Declaration is an initiative by the international non-governmental organizations Access Now and Amnesty International and has been adopted by many other prominent international organizations such as Human Rights Watch and Wikimedia Foundation.

Machine learning systems may be used in various sectors, such as health, social welfare, education or police surveillance. Their use offers unlimited opportunities, but also many challenges. This declaration aims at establishing values in the international plane, which will safeguard the protection of the rights to equality and non-discrimination during the use of machine learning systems.

The data on which a machine learning system bases its analysis may be biased. Therefore, the results or the decisions of this system will also be biased and partial. The use of new technologies of any nature should aim at eliminating discrimination and inequality, not at perpetuating or expanding them.

Signing this Declaration, Homo Digitalis recognizes the necessity to establish values in the international plane, which will safeguard the principle of equality and equal treatment during machine learning use.

We must also note that machine learning systems are linked to important challenges not only for the rights of equality and non-discriminatory treatment, but also for a series of other human rights, such as equity before the law, the right to privacy, the protection of personal data, freedom of expression and information, children’s rights and the right to fair trial.

The citizens of the EU Member States enjoy the highest level of protection of human rights globally. The provisions of the EU Fundamental Rights Chapter, as well as the jurisprudence of the Court of the European Union and the European Court of Human Rights, establish a legal context with high level safeguards.

This context should be globally extended, so that new technologies serve our legal and ethical values and do not assist those who seek to infringe them.


Letter by Homo Digitalis to the Greek Parliament: Amendment to the draft law implementing the GDPR

Letter by Homo Digitalis to the Greek Parliament, suggesting an amendment to the draft law on Personal Data Protection, implementing the EU Regulation 2016/679 and transposing EU Directive 2016/680

On 24 April 2018, Homo Digitalis addressed all the Members of the Greek Parliament through a letter. Homo Digitalis proposed to the Members of the Parliament to promote the adoption of a provision in Article 67 of the Draft Law on the Protection of Personal Data, which would state the following:

“Non-Governmental institutions, organizations, lawfully established unions, the constitutional objects of which include the protection of rights and freedoms of the data subjects in relation to the protection of personal data shall have the right, regardless of the assignment by the data subject, to request judicial remedy from the data controller or the processor”.

This proposal complies fully with the provisions of General Data Protection Regulation (GDPR) Article 80, paragraph 1.

The letter was also communicated to the Greek Personal Data Protection Authority and the Greek Authority for the Confidentiality of Communications.