-
Fit for purpose? Affective Computing meets EU data protection law Int. Data Priv. Law (IF 4.162) Pub Date : 2021-03-12 Andreas Häuselmann
Key Points When it comes to online services, users have limited control over how their personal data are processed. This is partly due to the nature of the business models of those services, where data are typically stored and aggregated in data centres. This has recently led to the development of technologies aiming at leveraging user control over the processing of their personal data. Personal data
-
Data-driven measures to mitigate the impact of COVID-19 in South America: how do regional programmes compare to best practice? Int. Data Priv. Law (IF 4.162) Pub Date : 2021-03-01 Taís Fernanda Blauth, Oskar Josef Gstrein
• This article analyses data-driven measures used in South America to mitigate the impact of COVID-19. Based on a broad review of relevant programmes in the region three selected cases from Argentina (Cuidar App), Brazil (use of personal data by IBGE), and Chile (CoronApp) are evaluated against best regional and international practices.
-
What does it mean for a data subject to make their personal data ‘manifestly public’? An analysis of GDPR Article 9(2)(e) Int. Data Priv. Law (IF 4.162) Pub Date : 2021-02-23 Edward S Dove, Jiahong Chen
Key Points When it comes to online services, users have limited control over how their personal data are processed. This is partly due to the nature of the business models of those services, where data are typically stored and aggregated in data centres. This has recently led to the development of technologies aiming at leveraging user control over the processing of their personal data. Personal data
-
EU–US negotiations on law enforcement access to data: divergences, challenges and EU law procedures and options Int. Data Priv. Law (IF 4.162) Pub Date : 2021-02-12 Theodore Christakis, Fabien Terpan
Key Points When it comes to online services, users have limited control over how their personal data are processed. This is partly due to the nature of the business models of those services, where data are typically stored and aggregated in data centres. This has recently led to the development of technologies aiming at leveraging user control over the processing of their personal data. Personal data
-
The right to compensation of a competitor for a violation of the GDPR Int. Data Priv. Law (IF 4.162) Pub Date : 2020-12-17 Walree T, Wolters P.
Key Points Although the General Data Protection Regulation (GDPR) is primarily aimed at the protection of data subjects, competitors of the controller may also suffer damage due to an infringement. Article 82(1) of the GDPR stipulates that ‘any person’ shall have the right to receive compensation. It does not clarify whether a competitor can also invoke this right. At first sight, a right to compensation
-
Autonomous transport vehicles versus the principles of data protection law: is compatibility really an impossibility? Int. Data Priv. Law (IF 4.162) Pub Date : 2020-11-28 Salami E.
Key points Autonomous (transport) vehicles have evolved from science fiction into a feature of reality (in) which we now live. From a data protection standpoint, one of the challenges confronting the integration of autonomous vehicles into the society is the question of whether or not this disruptive technology is capable of being compliant with the principles of data protection law. The importance
-
Personal data’s ever-expanding scope in smart environments and possible path(s) for regulating emerging digital technologies Int. Data Priv. Law (IF 4.162) Pub Date : 2021-01-08 Raphaël Gellert
Key Points Data portability rights are viewed by policymakers worldwide as a significant legal innovation to stimulate competitive digital economies. These rights allow consumers and businesses to seamlessly receive and transfer data for commercialization and efficiency purposes. The newly implemented Australian Consumer Data Right (CDR) provides an illuminating example of the complex relationship
-
Decentralized data processing: personal data stores and the GDPR Int. Data Priv. Law (IF 4.162) Pub Date : 2020-12-28 Janssen H, Cobbe J, Norval C, et al.
Key Points When it comes to online services, users have limited control over how their personal data are processed. This is partly due to the nature of the business models of those services, where data are typically stored and aggregated in data centres. This has recently led to the development of technologies aiming at leveraging user control over the processing of their personal data. Personal data
-
How to de-identify personal data in South Korea: an evolutionary tale Int. Data Priv. Law (IF 4.162) Pub Date : 2020-11-09 Ko H, Park S.
Key Points In early 2020, South Korea’s legislature made amendments to major laws in the area of data protection in order to, among others, promote the utilization of pseudonymized personal data. With these amendments, pseudonymized personal data can be processed, without consent from data subjects, for archiving purposes, scientific research purposes, or statistical purposes. Arguably, these amendments
-
Who is responsible for data processing in smart homes? Reconsidering joint controllership and the household exemption Int. Data Priv. Law (IF 4.162) Pub Date : 2020-09-02 Chen J, Edwards L, Urquhart L, et al.
Key Points The growing industrial and research interest in protecting privacy and fighting cyberattacks for smart homes has sparked various innovations in security- and privacy-enhancing technologies (S/PETs) powered by edge computing. The complex technical set-up has however raised a whole series of legal issues surrounding the regulation of smart home with data protection law. To determine how responsibility
-
Brendan Van Alsenoy, Data Protection Law in the EU: Roles, Responsibilities and Liability Int. Data Priv. Law (IF 4.162) Pub Date : 2020-08-26 Kamarinou D.
Van AlsenoyBrendan, Data Protection Law in the EU: Roles, Responsibilities and Liability, KU Leuven Centre for IT & IP Law Series, Cambridge: Intersentia Ltd, 2019, xxv + 694 pp, €115.00, ISBN 9781780688282.
-
The normative power of the EU: a case study of data protection laws of Turkey Int. Data Priv. Law (IF 4.162) Pub Date : 2020-08-24 Akcali Gur B.
Key Points The EU has had a normative impact on the development of personal data protection legislation in Turkey and the conditionality mechanism played a key role. For the EU, the alignment of personal data protection with the EU Acquis constitutes a fundamental rights concern that needs to be addressed for continued cooperation between the two jurisdictions, but the reforms in Turkey have been mostly
-
Australia’s Consumer Data Right and the uncertain role of information privacy law Int. Data Priv. Law (IF 4.162) Pub Date : 2020-08-24 Burdon M, Mackie T.
Key Points Data portability rights are viewed by policymakers worldwide as a significant legal innovation to stimulate competitive digital economies. These rights allow consumers and businesses to seamlessly receive and transfer data for commercialization and efficiency purposes. The newly implemented Australian Consumer Data Right (CDR) provides an illuminating example of the complex relationship
-
Governing machine-learning models: challenging the personal data presumption Int. Data Priv. Law (IF 4.162) Pub Date : 2020-08-03 Leiser M, Dechesne F.
Key Points This article confronts assertions made by Dr Michael Veale, Dr Reuben Binns, and Professor Lilian Edwards in ‘Algorithms that remember: Model Inversion Attacks and Data Protection Law’, as well as the general trend by the courts to broaden the definition of ‘personal data’ under Article 4(1) GDPR to include ‘everything data-related’. Veale and others use examples from computer science to
-
To track or not to track? Employees’ data privacy in the age of corporate wellness, mobile health, and GDPR† Int. Data Priv. Law (IF 4.162) Pub Date : 2020-04-27 Brassart Olsen C.
Key Points Employers have been increasingly offering wristbands or smartwatches, also known as ‘mHealth devices’, to their employees. The use of mHealth devices at work may come at a price for employees, who may unknowingly or unwillingly share their health information with their employer and third parties, such as mHealth providers. This could lead to data privacy breaches and discrimination in the
-
Mere access to personal data: is it processing? Int. Data Priv. Law (IF 4.162) Pub Date : 2020-03-30 Schreiber A.
Key Points There is a range of views on ‘access’ as a part of processing under the General Data Protection Regulation (GDPR). Access was not mentioned in Article 4(2) GDPR, but could fit the definition of processing, and could also be included within other forms of processing such as retrieval, storage, and transfer. Many scholars view access as central to the definition of privacy, and differentiate
-
Pitching trade against privacy: reconciling EU governance of personal data flows with external trade Int. Data Priv. Law (IF 4.162) Pub Date : 2020-03-30 Yakovleva S, Irion K.
Key Points Global data flows underpinning cross-border digital trade have moved centre stage in international trade negotiations. New trade law disciplines on the free flow of data are included in a number of international trade deals. The European Union (EU) has a key role to play in the global governance of the protection of personal data. The EU’s strict data protection regime has sometimes been
-
The layered links model: an alternative approach to international privacy regulation Int. Data Priv. Law (IF 4.162) Pub Date : 2020-03-10 Bougiakiotis E.
Key Points Currently, privacy and data protection lack international (as opposed to regional) regulation in large part because of the diverging values of various countries. Often the laws of various countries may impose conflicting obligations that so far have been addressed via ad hoc agreements. Despite calls for international convergence to avoid them, both in and out of academia, little progress
-
They who must not be identified—distinguishing personal from non-personal data under the GDPR Int. Data Priv. Law (IF 4.162) Pub Date : 2020-02-01 Michèle Finck, Frank Pallas
In this article, we examine the concept of non-personal data from a law and computer science perspective. The delineation between personal data and non-personal data is of paramount importance to determine the GDPR’s scope of application. This exercise is, however, fraught with difficulty, also when it comes to de-personalised data – that is to say data that once was personal data but has been manipulated
-
Protection of Personal Information Act 2013 and data protection for health research in South Africa Int. Data Priv. Law (IF 4.162) Pub Date : 2020-01-24 Ciara Staunton, Rachel Adams, Dominique Anderson, Talishiea Croxton, Dorcas Kamuya, Marianne Munene, Carmen Swanepoel
• The Protection of Personal Information Act (POPIA) [No.4 of 2013] is the first comprehensive data protection regulation to be passed in South Africa and it gives effect to the right to informational privacy derived from the constitutional right to privacy. • It is due to come into force in 2020, and seeks to regulate the processing of personal information in South Africa, regulate the flow of personal
-
Know your algorithm: what media organizations need to explain to their users about news personalization Int. Data Priv. Law (IF 4.162) Pub Date : 2019-08-07 M Z van Drunen, N Helberger, M Bastian
If the right to an explanation is expected to effectively safeguard users’ rights, it must be interpreted in a manner that takes the contextual risks algorithms pose to those rights into account. This article provides a framework of transparency instruments in the context of the news personalization algorithms employed by both traditional media organizations and social media companies. Explaining the
-
A right to reset your user profile and more: GDPR-rights for personalized news consumers Int. Data Priv. Law (IF 4.162) Pub Date : 2019-06-29 Sarah Eskens
News media more and more process personal data of news consumers to provide a personalized news selection on the news media home pages or in their apps. This article shows that the journalism provision in Article 85 of the EU General Data Protection Regulation (‘GDPR’) does not apply to the processing of personal data for news personalization. Therefore, the GDPR generally applies to such processing
-
International cooperation by (European) security and intelligence services: reviewing the creation of a joint database in light of data protection guarantees Int. Data Priv. Law (IF 4.162) Pub Date : 2019-02-01 Cedric M J Ryngaert, Nico A N M van Eijk
Key Points Increasing multinational cooperation between intelligence and security services, including the establishment of a joint database on (alleged) jihadists, raises legal concerns over the protection of personal data, in particular with respect to the allocation of responsibility among participating states, the geographic scope of fundamental data protection norms, and the applicable law. It
-
Is the right to be forgotten a universal, regional, or ‘glocal’ right? Int. Data Priv. Law (IF 4.162) Pub Date : 2019-01-25 Yann Padova
Introduction: the right to be forgotten entailed several legal uncertainties at inception The ‘right to be forgotten’ (RTBF), or more precisely the ‘right to suppression’ continues its judicial saga as it is being examined by the very same Court that created it, following the submission of 11 preliminary questions by the French Council of State before the Court of Justice of the European Union (CJEU)
-
Data protection and the construction of collective redress in Europe: exploring challenges and opportunities Int. Data Priv. Law (IF 4.162) Pub Date : 2018-11-16 Laima Jančiūtė
Article 80 on collective redress in the GDPR contains some of the famous circa 50 derogations that have diluted the degree of harmonisation in this EU main data protection instrument in force since May 2018. The provisions on collective action available in this framework law were not transcribed in a straightforward manner into the lex specialis to the GDPR - the proposal for the reformed e-Privacy
-
EU data transfer rules and African legal realities: is data exchange for biobank research realistic? Int. Data Priv. Law (IF 4.162) Pub Date : 2018-08-20 Santa Slokenberga, Jane Reichel, Rachel Niringiye, Talishiea Croxton, Carmen Swanepoel, June Okal
Key PointsTo effectively collaborate in biobanking and build capacity in low and middle-income countries, data transfer from European Union (EU) Member States to states in Africa is crucial.Althoug ...
-
Fairness and enforcement: bridging competition, data protection, and consumer law Int. Data Priv. Law (IF 4.162) Pub Date : 2018-08-01 Inge Graef, Damian Clifford, Peggy Valcke
• Since the notion of fairness underpins the regimes of competition, data protection and consumer law, it can act as a connecting factor to align substantive protections and enforcement mechanisms in the three fields. • While most attention has so far been devoted to how vigorous competition enforcement can render data protection rules more effective, the complementarity between the regimes also works
-
Five fears about mass predictive personalization in an age of surveillance capitalism Int. Data Priv. Law (IF 4.162) Pub Date : 2018-08-01 Karen Yeung
The starting point for this article begins from the observation that that data-driven service delivery is catalysing a change in modes of production and consumption, marked by a move away from ‘mass production’ in favour of ‘mass predictive personalisation’. Despite the portrayal of personalised as ‘empowering’ consumers, I identify five fears that the rise of mass predictive personalisation may portend
-
Convergence between competition and data protection law: a South African perspective Int. Data Priv. Law (IF 4.162) Pub Date : 2018-08-01 Pieter Koornhof, Tana Pistorius
A brief overview of the respective frameworks for competition and data protection law in South Africa is provided before providing examples of where convergence between the two occurs. An argument is made that it would be best for the competition authorities and information regulator to enter into a formal cooperation agreement in order to best manage this in order to ensure that the potential anti-competitive
-
The limits of antitrust in privacy protection Int. Data Priv. Law (IF 4.162) Pub Date : 2018-08-01 Eugene Kimmelman, Harold Feld, Agustín Rossi
In the 21st century, it has become virtually impossible to meaningfully participate in society without revealing our personal data. Many of the most necessary, entertaining, and useful internet services demand personal data that are then used for targeted advertisements as a condition of use. Service providers follow us around the Internet and across devices to show us ads and to collect more data
-
Angela Daly, Private Power, Online Information Flows and EU Law: Mind the Gap Int. Data Priv. Law (IF 4.162) Pub Date : 2018-07-27 Magali Eben
Angela Daly, Private Power, Online Information Flows and EU Law: Mind the Gap, Oxford and Portland, OR: Hart Publishing, 2016, 184 pp. £50, ISBN: 978-1-50990-063-3.
-
When data protection by design and data subject rights clash Int. Data Priv. Law (IF 4.162) Pub Date : 2018-04-04 Michael Veale, Reuben Binns, Jef Ausloos
• Data Protection by Design (DPbD), a holistic approach to embedding principles in technical and organisational measures undertaken by data controllers, building on the notion of Privacy by Design, is now a qualified duty in the GDPR. • Practitioners have seen DPbD less holistically, instead framing it through the confidentiality-focussed lens of Privacy Enhancing Technologies (PETs). • While focussing
-
Practical approaches to big data privacy over time Int. Data Priv. Law (IF 4.162) Pub Date : 2018-02-01 Micah Altman, Alexandra Wood, David R O’Brien, Urs Gasser
Increasingly, governments and businesses are collecting, analyzing, and sharing detailed information about individuals over long periods of time. Vast quantities of data from new sources and novel methods for large-scale data analysis promise to yield deeper understanding of human characteristics, behavior, and relationships and advance the state of science, public policy, and innovation. At the same
-
Shattering one-way mirrors – data subject access rights in practice Int. Data Priv. Law (IF 4.162) Pub Date : 2018-02-01 Jef Ausloos, Pierre Dewitte
The right of access occupies a central role in EU data protection law's arsenal of data subject empowerment measures. It can be seen as a necessary enabler for most other data subject rights as well as an important role in monitoring operations and (en)forcing compliance. Despite some high-profile revelations regarding unsavoury data processing practices over the past few years, access rights still
-
Between the GDPR and the Police Directive: navigating through the maze of information sharing in public–private partnerships Int. Data Priv. Law (IF 4.162) Pub Date : 2018-01-23 Nadezhda Purtova
- Legitimacy of public-private partnerships for combatting cybercrime partially depends on whether or not law enforcement data processing activities are subject to the same data protection-related restrictions, whether they involve cooperation of private parties or not. - Information sharing within PPPs is a complex phenomenon with various configurations and power structures. This complexity needs
-
Mobile devices as stigmatizing security sensors: the GDPR and a future of crowdsourced ‘broken windows’ Int. Data Priv. Law (IF 4.162) Pub Date : 2017-12-19 Oskar Josef Gstrein, Gerard Jan Ritsema van Eck
Various smartphone apps and services are available which encourage users to report where and when they feel they are in an unsafe or threatening environment. This user generated content may be used to build datasets, which can show areas that are considered ‘bad,’ and to map out ‘safe’ routes through such neighbourhoods. Despite certain advantages, this data inherently carries the danger that streets
-
Why a Right to Legibility of Automated Decision-Making Exists in the General Data Protection Regulation Int. Data Priv. Law (IF 4.162) Pub Date : 2017-11-01 Gianclaudio Malgieri, Giovanni Comandé
• The aim of this contribution is to analyse the real borderlines of the 'right to explanation' in the GDPR and to discretely distinguish between different levels of information and of consumers' awareness in the 'black box society'. In order to combine transparency and comprehensibility we propose the new concept of algorithm 'legibility'. • We argue that a systemic interpretation is needed in this
-
Meaningful information and the right to explanation Int. Data Priv. Law (IF 4.162) Pub Date : 2017-11-01 Andrew D Selbst, Julia Powles
There is no single, neat statutory provision labeled the “right to explanation” in Europe’s new General Data Protection Regulation (GDPR). But nor is such a right illusory. Responding to two prominent papers that, in turn, conjure and critique the right to explanation in the context of automated decision-making, we advocate a return to the text of the GDPR. Articles 13-15 provide rights to “meaningful
-
The GDPR as a chance to break down borders Int. Data Priv. Law (IF 4.162) Pub Date : 2017-11-01 Christopher Kuner, Dan Jerker, B Svantesson, Fred H Cate, Orla Lynskey, Christopher Millard, Nora Ni Loideain
This journal prides itself on taking a global and international view of data protection and privacy issues. Inevitably, much of what we publish deals with European Union (EU) data protection law, and in particular the EU General Data Protection Regulation (GDPR) that will become enforceable in May 2018. But over the years we have been proud to publish articles covering the law of countries and regions
-
Personal data, exploitative contracts, and algorithmic fairness: autonomous vehicles meet the internet of things Int. Data Priv. Law (IF 4.162) Pub Date : 2017-09-01 Philipp Hacker
Personal data harvested in the Internet of Things not only promises to be particularly valuable, but also particularly privacy-sensitive. Analysed with the power of specialized Artificial Intelligence, such data allows for potentially beneficial personalization of goods and services; however, it also facilitates data-driven exploitative contracting. For example, autonomous and connected vehicles (ACVs)
-
Data transfers between the EU and UK post Brexit? Int. Data Priv. Law (IF 4.162) Pub Date : 2017-08-01 Andrew D. Murray
Changes to the UK constitutional and institutional settlement on Brexit day may affect the likelihood of the UK securing an adequacy decision under GDPR. Despite the UK Government claiming that on Brexit day, ‘it will have fully implemented EU [data] privacy rules’ it will have no equivalent of Article 8 of the EU Charter in domestic law. This may undermine efforts to achieve an adequacy ruling due
-
Structure and enforcement of data privacy law in South Korea Int. Data Priv. Law (IF 4.162) Pub Date : 2017-04-24 Haksoo Ko, John Leitner, Eunsoo Kim, Jonggu Jeong
South Korea’s data privacy law has evolved rapidly despite a short history of relevant legislation and enforcement. South Korea’s data privacy law has exceedingly stringent consent requirements. In addition to consent, there are many other statutory provisions with onerous requirements, arguably making the overall data privacy law regime one of the strictest in the world. South Korea’s data privacy
-
Brexit: potential trade and data implications for digital and ‘f intech’ industries Int. Data Priv. Law (IF 4.162) Pub Date : 2017-02-01 Karen McCullagh
Following the outcome of the historic ‘Brexit’ referendum on 23rd June 2016 in which a majority of eligible voters in the UK voted to ‘Leave,’ the United Kingdom is potentially on course to leave the European Union, but to ensure continued economic success it will seek to maintain a favourable trading relationship with the EU. This article identifies and critically evaluates the various types of trade
-
Data protection impact assessments: a meta-regulatory approach Int. Data Priv. Law (IF 4.162) Pub Date : 2017-02-01 Reuben Binns
• Privacy and Data Protection Impact Assessments (PIAs/DPIAs) are tools for organisations to manage privacy risks. They emerged in various jurisdictions from the 1980s, initially as a purely voluntary measure. DPIAs are now set to become a mandatory requirement in certain circumstances under the European General Data Protection Regulation (GDPR). This article addresses impact assessments from the perspective
-
Do Not Track initiatives: regaining the lost user control Int. Data Priv. Law (IF 4.162) Pub Date : 2016-10-28 Irene Kamara, Eleni Kosta
Online tracking for behavioural advertising purposes facilitates the shift from traditional marketing to web-personalization with ads tailored to Internet users’ preferences and interests. To that end, user profiles are developed based on the information collected via the use of several technologies, including cookies, web-beacons, device- and browser fingerprinting, and others. The collected information
-
Identifiability and the applicability of data protection to big data Int. Data Priv. Law (IF 4.162) Pub Date : 2016-09-07 Manon Oostveen
Big data holds much potential, but it can also have a negative impact on individuals, particularly on their privacy and data protection rights. Data protection law is the point of departure in the discussion about big data; it is widely regarded as the answer to big data’s negative consequences. Yet a closer look at the criteria for applicability of EU data protection law reveals a number of weaknesses
-
Adequacy of data protection in the USA: myths and facts Int. Data Priv. Law (IF 4.162) Pub Date : 2016-08-01 Lothar Determann
On 6 October 2015, the European Court of Justice (CJEU) invalidated a decision from 2000, wherein the Commission had granted an exception from the general prohibition regarding transfers of personal data outside the European Economic Area (EEA) (CJEU C-362/14, Schrems v Data Protection Commissioner 6 October 2015). Companies in the EEA were permitted to transfer personal data to US companies that had
-
Article 4(1)(a) ‘establishment of the controller’ in EU data privacy law—time to rein in this expanding concept? Int. Data Priv. Law (IF 4.162) Pub Date : 2016-08-01 Dan Jerker B. Svantesson
• Article 4(1)(a) of Directive 95/46/EC plays an important role in determining the applicability of EU data privacy law. However, its wording lends itself to various interpretations.• Consequently, it is unsurprising that Article 4(1)(a) has been the object of several recent CJEU judgments, and that this provision is the object of ongoing litigation.• This article seeks to analyse and predict the future
-
Expanding the European data protection scope beyond territory: Article 3 of the General Data Protection Regulation in its wider context Int. Data Priv. Law (IF 4.162) Pub Date : 2016-07-13 Paul de Hert, Michal Czerniawski
Jurisdiction based solely on the territoriality principle is becoming less evident in the digital age This article engages in a discussion with authors such as Kuner and Svantesson, that have expressed a critical view on expansive jurisdiction of the EU data protection regime in issue 4, November 2015, of this Journal. Our contribution focuses on the choices with regard to scope and jurisdiction made
-
Trade Secrets v Personal Data: a possible solution for balancing rights Int. Data Priv. Law (IF 4.162) Pub Date : 2016-01-29 Gianclaudio Malgieri
It is necessary to find a balance between data protection rights and trade secret rights on customer information in the European Union (EU) framework: the right to access to personal data and the new proposed right to ‘data portability’ conflict with the interests of trade secret holders. Balancing rules in data protection law and trade secret law are vague and ambiguous. From a literal interpretation
-
Big data and data reuse: a taxonomy of data reuse for balancing big data benefits and personal data protection Int. Data Priv. Law (IF 4.162) Pub Date : 2016-01-07 Bart Custers, Helena Uršič
The emergence of Big Data has amounted to the complexity of the discussion on data reuse. The benefits of Big Data lie in the possibilities to discover novel trends, patterns and relationships by combining very large amounts of data from different sources. Current personal data protection requirements like data minimization and purpose specification are potentially inimical to Big Data as they limit
Contents have been reproduced by permission of the publishers.