Protecting the Privacy of Personal Smart Spaces

The purpose of privacy protection is dual, as it aims to both prevent, as well as cure privacy breaches. The starting point to develop such a privacy protection framework is the investigation and the definition of the privacy breach concept. A widely acceptable answer to this is provided by the privacy protection regulation, which however does not provide a precise enough definition of the privacy breach concept. The most common principles of privacy protection can be summarised in the following list [1]: • Principle of fair and lawful processing (Article 6(1), letter a): “Any processing of personal data should be carried out in a fair and lawful way with respect to the data subjects.” (where a data subject is a legal or natural person to which the data refer) • Finality principle or Limitation principle (Article 6(1), letter b): “Personal data must be collected for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes.” • Data minimisation principle or Proportionality principle (Article 6(1), letter c): “Processing of personal data should be limited to data that are adequate, relevant, and not excessive.” • Time minimization principle (Article 6(1), letter e): “Data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.” • Notification principle (Articles 10, 11): “Data controller or his representative has to identify himself to the data subject and notify data subject about the personal data being processed, stored or further disclosed to any third party.” • Principle of data subject consent (Article 2, letters a, h; Article 7, letter a; Article 8): “User consent is required for a legitimate data processing by any data controller. The user consent is defined as ‘any freely given specific and informed indication by which the data subject signifies his agreement to personal data relating to him being processed’.” • Principle of right to access personal data (Article 12): “Data subject has right to access (and rectify) the data