Key Points The European Data Protection Board's opinion on the interplay between the General Data Protection Regulation and the Clinical Trials Regulation (CTR) contains logical fallacies. The European Data Protection Board (EDPB) argues that consent is generally not an appropriate legal basis for the processing of personal data for primary research purposes in clinical trials due to a presumed imbalance

• The application of artificial intelligence (AI) has transformed the existing notion of the health care system. The concept of AI is not new, but increasing computational power and big data, the Internet of Things, and advanced analytical power ushers in new opportunities to realize the full potential of AI. Recently, there has been an increased application of AI in the health care system, potentially

Key Points Compliance with data protection legislation shall be subject to control by an independent authority, also for the judiciary. However, in order to safeguard the independence of the judiciary, both the General Data Protection Regulation and the Law Enforcement Directive explicitly state that national Data Protection Authorities are not competent to supervise courts ‘when acting in their judicial

• The number of smart home devices is increasing. They are used by vulnerable people regardless of whether they are designed specifically for them or for the general population (eg, smart door locks, smart alarms, or voice assistants). • This article focuses on children and inherently vulnerable adults, and analyses how to comply with the General Data Protection Regulation (GDPR) when the latter use

Key Points In the past two decades, the unprecedented incursion of technology into the economic and socio-cultural activities in Nigeria increasingly posed many unanswered questions on data protection and privacy. Consequently, this led to the country’s numerous attempts to enact a principal data protection legislation in addition to the existing sectoral laws on the subject. Despite its ratification

Key Points This commentary ties in with an emerging field in privacy scholarship that focuses on collective rather than individualistic viewpoints: recent debates address privacy in digital markets in terms of individual rights to choose between different options, such as between Facebook, Instagram, Snapchat, or Twitter, while users of digital platforms try to make sense of who they are and how they

Engineering and Physical Sciences Research Council (EPSRC)EP/S035362/1Digital Charter Fellowship from the Alan Turing Institute and Department for Digital

International Data Privacy Law 2021. doi: 10.1093/idpl/ipab018

Key Points The UK’s exit from the European Union redefined the relationship between the two of them, including with respect to data protection. It affected stakeholders operating in the area and caused uncertainty in the conduct of previously streamlined business practices and exchanges under the harmonized regime of the GDPR. This article examines the framework for personal data protection agreed

Key Points Geo-location technology enables internet content providers to identify the location of users, allowing them to give effect to national laws which restrict access to content without needing to apply those laws in other jurisdictions. While geo-location technology can be circumvented, restricting access to online content is not an area of absolutes; the rights which justify restricting access

Article 4(7) of the General Data Protection Regulation11 (‘GDPR’) defines the data controller as the natural or legal person that determines the purposes (the ‘why’) and the means (the ‘how’) of personal data processing.22 Article 24 provides that ‘[w]here two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers’. These legislative definitions

Key Points This article seeks to explore one of the recent controversial EU debates related to political micro-targeting (PMT): is the practice of PMT compliant with the EU’s General Data Protection Regulation (GDPR)? After examining the two most relevant ad targeting tools used for PMT, this article examines how PMT raises several questions related to (i) some of the principles listed in Article 5

Opening remarks given at the online conference on the GDPR and international organizations held on 26 February 2021:11

Key Points EU data protection law uses a ‘controller-based responsibility system’, wherein responsibility is primarily attributed to the ‘controller’ of the processing of personal data. This article argues that the EU’s controller-based responsibility system suffers from a number of problems, including problems arising from Court of Justice of the European Union (CJEU) case law, as well as problems

Key Points The GDPR deploys various notions to describe the standard(s) of protection required for international transfers of personal data depending on the basis on which the transfer is carried out. However, in Schrems II the Court has established that one single standard of protection should be achieved for all types of transfers, namely the ‘essentially equivalent standard of protection’. This

Key Points In this article, the basic concepts determining the territorial scope of the General Data Protection Regulation (GDPR) are analysed in the context of constitutional EU law. Proposals made by the European Data Protection Board (EDPB) in the guidelines on Article 3 of the GDPR are critically reviewed in the light of the ‘methodological source code’ of the European unification program enshrined

Key Points Countries around the world are confronted with an unprecedented health crisis, raising complex social, economical, and ethical challenges. To mitigate the spread of COVID-19, and as a way to transition out of complete lockdown, several Latin American countries have deployed or are considering deploying digital contact tracing applications. However, worldwide concerns have been raised over

The current SARS-CoV-2 pandemic has wreaked havoc across the globe and exposed the vulnerabilities, weaknesses, and unpreparedness of our societies. The pandemic is a global phenomenon, and several global trends can be inferred, regarding the economic, technological, and psychological impact it has generated.

Key Points This article aims to discuss transparency and privacy on COVID-19 public data. The Brazilian context was chosen as a case study to understand how to implement transparent COVID-19 government databases while respecting data protection. The article intends to answer the question: which technical approach could be implemented to publish transparent data on COVID-19 infections while respecting

Key Points It is essential for data and biosamples to be available and accessible in biomedical and translational research. This is because their reuse and repurposing by the wider research community can maximize their value and accelerate discovery. However, sharing human-related data is complicated by ethical, legal, and social sensitivities. It is noted that there are benefits to data sharing and

Key Points Machine learning (ML) algorithms can improve the fight against anti-money laundering and countering financing of terrorism (AML/CFT) by better detecting suspicious activities by bank customers and improving the handling of AML/CFT alerts by human compliance teams. However, the introduction of ML in AML/CFT monitoring systems will require a careful review of their compatibility with European

Key Points Australian government has emphasized contact tracing and the voluntary use of a contact tracing app, namely the ‘COVIDSafe app’, as core measures in the fight against the spread of COVID-19 (the ‘ticket to a COVID-safe Australia’). To gain the public trust necessary for uptake of voluntary app, the government passed unusual legislation, the ‘COVIDSafe Act’ (technically, an amendment to the

Key Points Affective Computing creates a new class of data (‘emotional data’) that is personal, sensitive, and intimate by nature, but not necessarily considered personal or sensitive from the legal point of view. The information duties as set out in the GDPR do not oblige controllers to inform data subjects what specific emotions they have detected about them. Affective Computing creates tension with

Key points This article investigates an under-discussed and potentially significant provision in the EU General Data Protection Regulation (GDPR), namely Article 9(2)(e), which permits processing of special category personal data if the ‘processing relates to personal data which are manifestly made public by the data subject’. This provision may be of increasing interest to data controllers in a variety

Key Points The EU and the US kicked off negotiations in September 2019 for the conclusion of a very important agreement on Law Enforcement Agents’ (LEA) access to data. This is the first article to present the context of these negotiations and the numerous challenges surrounding them. There are strong divergences between the EU and the US about what the scope and the architecture of this agreement

Key Points In this article, the authors make a quantitative and qualitative study of all the Executive regulations issued during the State of Emergency in Peru, that may have impacted the fundamental rights of privacy, personal data protection, and freedom of expression. Peru represents an emblematic case study. It adopted one of the earliest, lengthiest and most severe lockdowns in the world, together

Key Points Although the General Data Protection Regulation (GDPR) is primarily aimed at the protection of data subjects, competitors of the controller may also suffer damage due to an infringement. Article 82(1) of the GDPR stipulates that ‘any person’ shall have the right to receive compensation. It does not clarify whether a competitor can also invoke this right. At first sight, a right to compensation

Key points Autonomous (transport) vehicles have evolved from science fiction into a feature of reality (in) which we now live. From a data protection standpoint, one of the challenges confronting the integration of autonomous vehicles into the society is the question of whether or not this disruptive technology is capable of being compliant with the principles of data protection law. The importance

Key Points Ongoing research projects, among them the Brazilian SPIRA and SoundCov initiatives, seek to diagnose Covid-19 and severe respiratory insufficiency through the analysis of voice recordings. The voice recordings may also be used to infer information about various personal traits, including some considered as sensitive by data protection law. The deployment of such apps may promote significant

Ethics is seen as a critical resource for data law. But beyond this almost slogan-like truism, the exact functions which ethics might play in data law are often left unclear. This contribution clarifies the ways in which data ethics and data law are intertwined and, on this basis, offers guidelines for practitioners in terms of interpreting the GDPR. Two types of norms allow for modulation between

Key Points This article provides a critical analysis of Article 22(1) of the European Union’s General Data Protection Regulation (‘GDPR’). In particular, the article examines whether, as a matter of lex lata, the enigmatic ‘right not to be subject to a decision based solely on automated processing’ provided for in Article 22(1) should be interpreted as a general prohibition or a right to be exercised

Since May 2018, the European Commission (Commission) has the exclusive competence not only to assess third countries for an adequacy decision authorizing the international transfer of personal data to third countries or international organizations in relation to the General Data Protection Regulation (GDPR)1 but also for law enforcement purposes under the Law Enforcement Directive (LED).2 So far, no

Key Points Data portability rights are viewed by policymakers worldwide as a significant legal innovation to stimulate competitive digital economies. These rights allow consumers and businesses to seamlessly receive and transfer data for commercialization and efficiency purposes. The newly implemented Australian Consumer Data Right (CDR) provides an illuminating example of the complex relationship

• This article analyses data-driven measures used in South America to mitigate the impact of COVID-19. Based on a broad review of relevant programmes in the region three selected cases from Argentina (Cuidar App), Brazil (use of personal data by IBGE), and Chile (CoronApp) are evaluated against best regional and international practices. • Our findings suggest that programmes in South America mirror

Key Points When it comes to online services, users have limited control over how their personal data are processed. This is partly due to the nature of the business models of those services, where data are typically stored and aggregated in data centres. This has recently led to the development of technologies aiming at leveraging user control over the processing of their personal data. Personal data

Key Points Policymakers, scholars, and commentators are increasingly concerned with the risks of using algorithms for profiling and automated decision-making. This article addresses how a Data Protection Impact Assessment (DPIA), applied as an algorithmic impact assessment (AIA), links the two faces of the General Data Protection Regulation (GDPR) approach to algorithmic accountability: individual

Key Points In early 2020, South Korea’s legislature made amendments to major laws in the area of data protection in order to, among others, promote the utilization of pseudonymized personal data. With these amendments, pseudonymized personal data can be processed, without consent from data subjects, for archiving purposes, scientific research purposes, or statistical purposes. Arguably, these amendments

Key Points EU data protection laws requires notification of personal data breaches to data subjects if they present a high risk of harm, and define personal data breaches as breaches of security leading to a compromise of personal data. However, these laws offer no comprehensive definition of a breach of security. And the current definition of a personal data breach leaves out a ‘breach of security’

The growing industrial and research interest in protecting privacy and fighting cyberattacks for smart homes has sparked various innovations in security- and privacy-enhancing technologies (S/PETs) powered by edge computing. The complex technical set-up has however raised a whole series of legal issues surrounding the regulation of smart home with data protection law. To determine how responsibility

Van AlsenoyBrendan, Data Protection Law in the EU: Roles, Responsibilities and Liability, KU Leuven Centre for IT & IP Law Series, Cambridge: Intersentia Ltd, 2019, xxv + 694 pp, €115.00, ISBN 9781780688282.

Key Points The EU has had a normative impact on the development of personal data protection legislation in Turkey and the conditionality mechanism played a key role. For the EU, the alignment of personal data protection with the EU Acquis constitutes a fundamental rights concern that needs to be addressed for continued cooperation between the two jurisdictions, but the reforms in Turkey have been mostly

Key Points This article confronts assertions made by Dr Michael Veale, Dr Reuben Binns, and Professor Lilian Edwards in ‘Algorithms that remember: Model Inversion Attacks and Data Protection Law’, as well as the general trend by the courts to broaden the definition of ‘personal data’ under Article 4(1) GDPR to include ‘everything data-related’. Veale and others use examples from computer science to

Data portability rights are viewed by policymakers worldwide as a significant legal innovation to stimulate competitive digital economies. These rights allow consumers and businesses to seamlessly receive and transfer data for commercialization and efficiency purposes. The newly implemented Australian Consumer Data Right (CDR) provides an illuminating example of the complex relationship between information

Key Points Employers have been increasingly offering wristbands or smartwatches, also known as ‘mHealth devices’, to their employees. The use of mHealth devices at work may come at a price for employees, who may unknowingly or unwillingly share their health information with their employer and third parties, such as mHealth providers. This could lead to data privacy breaches and discrimination in the

Key Points There is a range of views on ‘access’ as a part of processing under the General Data Protection Regulation (GDPR). Access was not mentioned in Article 4(2) GDPR, but could fit the definition of processing, and could also be included within other forms of processing such as retrieval, storage, and transfer. Many scholars view access as central to the definition of privacy, and differentiate

Key Points: * Global data flows underpinning cross-border digital trade have moved centre stage in international trade negotiations. New trade law disciplines on the free flow of data are included in a number of international trade deals. * The European Union (EU) has a key role to play in the global governance of the protection of personal data. The EU’s strict data protection regime has sometimes

Key Points Currently, privacy and data protection lack international (as opposed to regional) regulation in large part because of the diverging values of various countries. Often the laws of various countries may impose conflicting obligations that so far have been addressed via ad hoc agreements. Despite calls for international convergence to avoid them, both in and out of academia, little progress

In this article, we examine the concept of non-personal data from a law and computer science perspective. The delineation between personal data and non-personal data is of paramount importance to determine the GDPR’s scope of application. This exercise is, however, fraught with difficulty, also when it comes to de-personalised data – that is to say data that once was personal data but has been manipulated

- The GDPR contains an accuracy principle, as most data privacy laws in the world do. In principle, data controllers must ensure that personal data they use are accurate. - Some have argued that the accuracy principle does not apply to personal data in the form of opinions about data subjects. - We argue, however, from a positive law perspective, that the accuracy principle does apply to opinions.

• The Protection of Personal Information Act (POPIA) [No.4 of 2013] is the first comprehensive data protection regulation to be passed in South Africa and it gives effect to the right to informational privacy derived from the constitutional right to privacy. • It is due to come into force in 2020, and seeks to regulate the processing of personal information in South Africa, regulate the flow of personal

If the right to an explanation is expected to effectively safeguard users’ rights, it must be interpreted in a manner that takes the contextual risks algorithms pose to those rights into account. This article provides a framework of transparency instruments in the context of the news personalization algorithms employed by both traditional media organizations and social media companies. Explaining the

News media more and more process personal data of news consumers to provide a personalized news selection on the news media home pages or in their apps. This article shows that the journalism provision in Article 85 of the EU General Data Protection Regulation (‘GDPR’) does not apply to the processing of personal data for news personalization. Therefore, the GDPR generally applies to such processing

Key Points Increasing multinational cooperation between intelligence and security services, including the establishment of a joint database on (alleged) jihadists, raises legal concerns over the protection of personal data, in particular with respect to the allocation of responsibility among participating states, the geographic scope of fundamental data protection norms, and the applicable law. It

Introduction: the right to be forgotten entailed several legal uncertainties at inception The ‘right to be forgotten’ (RTBF), or more precisely the ‘right to suppression’ continues its judicial saga as it is being examined by the very same Court that created it, following the submission of 11 preliminary questions by the French Council of State before the Court of Justice of the European Union (CJEU)

Article 80 on collective redress in the GDPR contains some of the famous circa 50 derogations that have diluted the degree of harmonisation in this EU main data protection instrument in force since May 2018. The provisions on collective action available in this framework law were not transcribed in a straightforward manner into the lex specialis to the GDPR - the proposal for the reformed e-Privacy

Key PointsTo effectively collaborate in biobanking and build capacity in low and middle-income countries, data transfer from European Union (EU) Member States to states in Africa is crucial.Althoug ...

• Since the notion of fairness underpins the regimes of competition, data protection and consumer law, it can act as a connecting factor to align substantive protections and enforcement mechanisms in the three fields. • While most attention has so far been devoted to how vigorous competition enforcement can render data protection rules more effective, the complementarity between the regimes also works

The starting point for this article begins from the observation that that data-driven service delivery is catalysing a change in modes of production and consumption, marked by a move away from ‘mass production’ in favour of ‘mass predictive personalisation’. Despite the portrayal of personalised as ‘empowering’ consumers, I identify five fears that the rise of mass predictive personalisation may portend

A brief overview of the respective frameworks for competition and data protection law in South Africa is provided before providing examples of where convergence between the two occurs. An argument is made that it would be best for the competition authorities and information regulator to enter into a formal cooperation agreement in order to best manage this in order to ensure that the potential anti-competitive

In the 21st century, it has become virtually impossible to meaningfully participate in society without revealing our personal data. Many of the most necessary, entertaining, and useful internet services demand personal data that are then used for targeted advertisements as a condition of use. Service providers follow us around the Internet and across devices to show us ads and to collect more data