Complying with Privacy Legislation: From Legal Text to Implementation of Privacy-Aware Location-Based Services

2018 ◽  
Vol 7 (11) ◽  
pp. 442 ◽  
Author(s):  
Mehrnaz Ataei ◽  
Auriol Degbelo ◽  
Christian Kray ◽  
Vitor Santos

An individual’s location data is very sensitive geoinformation. While its disclosure is necessary, e.g., to provide location-based services (LBS), it also facilitates deep insights into the lives of LBS users as well as various attacks on these users. Location privacy threats can be mitigated through privacy regulations such as the General Data Protection Regulation (GDPR), which was introduced recently and harmonises data privacy laws across Europe. While the GDPR is meant to protect users’ privacy, the main problem is that it does not provide explicit guidelines for designers and developers about how to build systems that comply with it. In order to bridge this gap, we systematically analysed the legal text, carried out expert interviews, and ran a nine-week-long take-home study with four developers. We particularly focused on user-facing issues, as these have received little attention compared to technical issues. Our main contributions are a list of aspects from the legal text of the GDPR that can be tackled at the user interface level and a set of guidelines on how to realise this. Our results can help service providers, designers and developers of applications dealing with location information from human users to comply with the GDPR.

Author(s):  
Dan Jerker B. Svantesson

This chapter observes how it may be inappropriate to apply a single jurisdictional threshold to diverse instruments such as data privacy laws. In the light of this observation, a proposal is outlined for a ‘layered approach’ under which the substantive law rules of such instruments are broken up into different layers, with different jurisdictional thresholds applied to each such layer. This layered approach is discussed primarily as a technique to be utilized in legal drafting, but it may also be applied in the interpretation and application of legal rules. Article 3 of the European Union’s General Data Protection Regulation, which determines that regulation’s scope of application in a territorial sense, provides a particularly useful lens through which to approach this topic and, thus, the discussion is largely centred around that Article.


2016 ◽  
Vol 2016 (4) ◽  
pp. 102-122 ◽  
Author(s):  
Kassem Fawaz ◽  
Kyu-Han Kim ◽  
Kang G. Shin

With the advance of indoor localization technology, indoor location-based services (ILBS) are gaining popularity. They, however, accompany privacy concerns. ILBS providers track the users’ mobility to learn more about their behavior, and then provide them with improved and personalized services. Our survey of 200 individuals highlighted their concerns about this tracking for potential leakage of their personal/private traits, but also showed their willingness to accept reduced tracking for improved service. In this paper, we propose PR-LBS (Privacy vs. Reward for Location-Based Service), a system that addresses these seemingly conflicting requirements by balancing the users’ privacy concerns and the benefits of sharing location information in indoor location tracking environments. PR-LBS relies on a novel location-privacy criterion to quantify the privacy risks pertaining to sharing indoor location information. It also employs a repeated play model to ensure that the received service is proportionate to the privacy risk. We implement and evaluate PR-LBS extensively with various real-world user mobility traces. Results show that PR-LBS has low overhead, protects the users’ privacy, and makes a good tradeoff between the quality of service for the users and the utility of shared location data for service providers.


Author(s):  
Francisco García Martínez

The creation of the General Data Protection Regulation (GDPR) constituted an enormous advance in data privacy, empowering online consumers, who were doomed to the complete loss of control of their personal information. Although it may first seem that it only affects companies within the European Union, the regulation clearly states that every company that has business in the EU must be compliant with the GDPR. Other non-EU countries, like the United States, have seen the benefits of the GDPR and are already developing their own privacy laws. In this article, the most important updates introduced by the GDPR concerning US corporations will be discussed, as well as how American companies can become compliant with the regulation. Besides, a comparison between the GDPR and the state of the art of privacy in the US will be presented, highlighting similarities and disparities at the national level and in states of particular interest.


AJIL Unbound ◽  
2020 ◽  
Vol 114 ◽  
pp. 26-30
Author(s):  
Vivek Krishnamurthy

The European Union's General Data Protection Regulation (GDPR) is widely viewed as setting a new global standard for the protection of data privacy that is worthy of emulation, even though the relationship between the GDPR and existing international legal protections for the right to privacy remains unexplored. Correspondingly, this essay examines the relationship between these two bodies of law, and finds that the GDPR's provisions are neither necessary nor sufficient to protect the right to privacy as enshrined in Article 17 of the International Covenant on Civil and Political Rights (ICCPR). It argues that there are other equally valid and effective approaches that states can pursue to protect the right to privacy in an increasingly digital world, including the much-maligned American approach of regulating data privacy on a sectoral basis.


Author(s):  
Yola Georgiadou ◽  
Rolf de By ◽  
Ourania Kounadi

The General Data Protection Regulation (GDPR) protects the personal data of natural persons and at the same time allows the free movement of such data within the European Union (EU). Hailed as majestic by admirers and dismissed as protectionist by critics, the Regulation is expected to have a profound impact around the world, including in the African Union (AU). For European–African consortia conducting research that may affect the privacy of African citizens, the question is ‘how to protect personal data of data subjects while at the same time ensuring a just distribution of the benefits of a global digital ecosystem?’ We use location privacy as a point of departure, because information about an individual’s location is different from other kinds of personally identifiable information. We analyse privacy at two levels, individual and cultural. Our perspective is interdisciplinary: we draw from computer science to describe three scenarios of transformation of volunteered/observed information to inferred information about a natural person and from cultural theory to distinguish four privacy cultures emerging within the EU in the wake of GDPR. We highlight recent data protection legislation in the AU and discuss factors that may accelerate or inhibit the alignment of data protection legislation in the AU with the GDPR.


2016 ◽  
pp. 1752-1776
Author(s):  
Min Yoon ◽  
Hyeong-il Kim ◽  
Miyoung Jang ◽  
Jae-Woo Chang

Because spatial databases for cloud computing have attracted much interest, studies on preserving location data privacy have been actively conducted. However, since the existing spatial transformation schemes are weak against a proximity attack, they cannot preserve the privacy of users who enjoy location-based services in cloud computing. Therefore, a transformation scheme is required for providing a safe service to users. We, in this chapter, propose a new transformation scheme based on a line symmetric transformation (LST). The proposed scheme performs both LST-based data distribution and error injection transformation for preventing a proximity attack effectively. Finally, we show from our performance analysis that the proposed scheme greatly reduces the success rate of the proximity attack while performing the spatial transformation in an efficient way.


Author(s):  
Anh Tuan Truong

The development of location-based services and mobile devices has led to an increase in location data. Through the data mining process, some valuable information can be discovered from location data. In other words, an attacker may also extract some private (sensitive) information about the user, and this may pose threats to user privacy. Therefore, location privacy protection becomes an important requirement for the success of the development of location-based services. In this paper, we propose a grid-based approach as well as an algorithm to guarantee k-anonymity, a well-known privacy protection approach, in a location database. The proposed approach considers only the information that has significance for the data mining process while ignoring the unrelated information. The experiment results show the effectiveness of the proposed approach in comparison with existing approaches in the literature.


2021 ◽  
Vol 11 (22) ◽  
pp. 10574
Author(s):  
Sung-Soo Jung ◽  
Sang-Joon Lee ◽  
Ieck-Chae Euom

With the growing awareness regarding the importance of personal data protection, many countries have established laws and regulations to ensure data privacy and are supervising organisations to ensure they comply with them. Although various studies have suggested compliance methods for the General Data Protection Regulation (GDPR) for personal data, no method exists that can ensure the reliability and integrity of the personal data processing request records of a data subject to enable their utilization as GDPR compliance audit proof for an auditor. In this paper, we propose a delegation-based personal data processing request notarization framework for GDPR using a private blockchain. The proposed notarization framework allows the data subject to delegate requests to process personal data; the framework makes the requests to the data controller, which performs the processing. The generated data processing request and processing result data are stored in the blockchain ledger and notarized via a trusted institution of the blockchain network. The Hyperledger Fabric implementation of the framework demonstrates the fulfillment of system requirements and the feasibility of implementing a GDPR compliance audit for the processing of personal data. The analysis results with comparisons among the related works indicate that the proposed framework provides better reliability and feasibility for the GDPR audit of personal data processing requests than extant methods.


2021 ◽  
Author(s):  
Marcin Betkier

This thesis looks for a way to overcome the failure of consent as a means of addressing privacy problems associated with online services. It argues that consent to collection and use of personal data is an imperfect mechanism for individual authorisation because data privacy in relation to online services is a dynamic, continuous process. If people are to have autonomous choice in respect of their privacy processes, then they need to be able to manage these processes themselves.

After careful examination of online services which pinpoints both the privacy problems caused by online service providers and the particular features of the online environment, the thesis devises a set of measures to enable individuals to manage these processes. The tool for achieving this is a Privacy Management Model (PMM) which consists of three interlocking functions: controlling (which consent may be a part of), organising, and planning.

The thesis then proposes a way of implementing these functions in the context of online services. This requires a mix of regulatory tools: a particular business model in which individuals are supported by third parties (Personal Information Administrators), a set of technical/architectural tools to manage data within the ICT systems of the online service providers, and laws capable of supporting all these elements.

The proposed legal measures aim to overcome the shortcomings of procedural principles by implementing a comprehensive model in which substantive legal principle underpins a bundle of statutory-level laws which enable privacy management functions. Those are explained against the background of the General Data Protection Regulation. All of this is designed to change the way decision-makers think about Internet privacy and form the theoretical backbone of the next generation of privacy laws.
