Key Points When it comes to online services, users have limited control over how their personal data are processed. This is partly due to the nature of the business models of those services, where data are typically stored and aggregated in data centres. This has recently led to the development of technologies aiming at leveraging user control over the processing of their personal data. Personal data

• This article analyses data-driven measures used in South America to mitigate the impact of COVID-19. Based on a broad review of relevant programmes in the region three selected cases from Argentina (Cuidar App), Brazil (use of personal data by IBGE), and Chile (CoronApp) are evaluated against best regional and international practices.

Key Points When it comes to online services, users have limited control over how their personal data are processed. This is partly due to the nature of the business models of those services, where data are typically stored and aggregated in data centres. This has recently led to the development of technologies aiming at leveraging user control over the processing of their personal data. Personal data

Key Points When it comes to online services, users have limited control over how their personal data are processed. This is partly due to the nature of the business models of those services, where data are typically stored and aggregated in data centres. This has recently led to the development of technologies aiming at leveraging user control over the processing of their personal data. Personal data

Key Points Although the General Data Protection Regulation (GDPR) is primarily aimed at the protection of data subjects, competitors of the controller may also suffer damage due to an infringement. Article 82(1) of the GDPR stipulates that ‘any person’ shall have the right to receive compensation. It does not clarify whether a competitor can also invoke this right. At first sight, a right to compensation

Key points Autonomous (transport) vehicles have evolved from science fiction into a feature of reality (in) which we now live. From a data protection standpoint, one of the challenges confronting the integration of autonomous vehicles into the society is the question of whether or not this disruptive technology is capable of being compliant with the principles of data protection law. The importance

Key Points Data portability rights are viewed by policymakers worldwide as a significant legal innovation to stimulate competitive digital economies. These rights allow consumers and businesses to seamlessly receive and transfer data for commercialization and efficiency purposes. The newly implemented Australian Consumer Data Right (CDR) provides an illuminating example of the complex relationship

Key Points When it comes to online services, users have limited control over how their personal data are processed. This is partly due to the nature of the business models of those services, where data are typically stored and aggregated in data centres. This has recently led to the development of technologies aiming at leveraging user control over the processing of their personal data. Personal data

Key Points In early 2020, South Korea’s legislature made amendments to major laws in the area of data protection in order to, among others, promote the utilization of pseudonymized personal data. With these amendments, pseudonymized personal data can be processed, without consent from data subjects, for archiving purposes, scientific research purposes, or statistical purposes. Arguably, these amendments

Key Points The growing industrial and research interest in protecting privacy and fighting cyberattacks for smart homes has sparked various innovations in security- and privacy-enhancing technologies (S/PETs) powered by edge computing. The complex technical set-up has however raised a whole series of legal issues surrounding the regulation of smart home with data protection law. To determine how responsibility

Van AlsenoyBrendan, Data Protection Law in the EU: Roles, Responsibilities and Liability, KU Leuven Centre for IT & IP Law Series, Cambridge: Intersentia Ltd, 2019, xxv + 694 pp, €115.00, ISBN 9781780688282.

Key Points The EU has had a normative impact on the development of personal data protection legislation in Turkey and the conditionality mechanism played a key role. For the EU, the alignment of personal data protection with the EU Acquis constitutes a fundamental rights concern that needs to be addressed for continued cooperation between the two jurisdictions, but the reforms in Turkey have been mostly

Key Points Data portability rights are viewed by policymakers worldwide as a significant legal innovation to stimulate competitive digital economies. These rights allow consumers and businesses to seamlessly receive and transfer data for commercialization and efficiency purposes. The newly implemented Australian Consumer Data Right (CDR) provides an illuminating example of the complex relationship

Key Points This article confronts assertions made by Dr Michael Veale, Dr Reuben Binns, and Professor Lilian Edwards in ‘Algorithms that remember: Model Inversion Attacks and Data Protection Law’, as well as the general trend by the courts to broaden the definition of ‘personal data’ under Article 4(1) GDPR to include ‘everything data-related’. Veale and others use examples from computer science to

Key Points Employers have been increasingly offering wristbands or smartwatches, also known as ‘mHealth devices’, to their employees. The use of mHealth devices at work may come at a price for employees, who may unknowingly or unwillingly share their health information with their employer and third parties, such as mHealth providers. This could lead to data privacy breaches and discrimination in the

Key Points There is a range of views on ‘access’ as a part of processing under the General Data Protection Regulation (GDPR). Access was not mentioned in Article 4(2) GDPR, but could fit the definition of processing, and could also be included within other forms of processing such as retrieval, storage, and transfer. Many scholars view access as central to the definition of privacy, and differentiate

Key Points Global data flows underpinning cross-border digital trade have moved centre stage in international trade negotiations. New trade law disciplines on the free flow of data are included in a number of international trade deals. The European Union (EU) has a key role to play in the global governance of the protection of personal data. The EU’s strict data protection regime has sometimes been

Key Points Currently, privacy and data protection lack international (as opposed to regional) regulation in large part because of the diverging values of various countries. Often the laws of various countries may impose conflicting obligations that so far have been addressed via ad hoc agreements. Despite calls for international convergence to avoid them, both in and out of academia, little progress

In this article, we examine the concept of non-personal data from a law and computer science perspective. The delineation between personal data and non-personal data is of paramount importance to determine the GDPR’s scope of application. This exercise is, however, fraught with difficulty, also when it comes to de-personalised data – that is to say data that once was personal data but has been manipulated

• The Protection of Personal Information Act (POPIA) [No.4 of 2013] is the first comprehensive data protection regulation to be passed in South Africa and it gives effect to the right to informational privacy derived from the constitutional right to privacy. • It is due to come into force in 2020, and seeks to regulate the processing of personal information in South Africa, regulate the flow of personal

If the right to an explanation is expected to effectively safeguard users’ rights, it must be interpreted in a manner that takes the contextual risks algorithms pose to those rights into account. This article provides a framework of transparency instruments in the context of the news personalization algorithms employed by both traditional media organizations and social media companies. Explaining the

News media more and more process personal data of news consumers to provide a personalized news selection on the news media home pages or in their apps. This article shows that the journalism provision in Article 85 of the EU General Data Protection Regulation (‘GDPR’) does not apply to the processing of personal data for news personalization. Therefore, the GDPR generally applies to such processing

Key Points Increasing multinational cooperation between intelligence and security services, including the establishment of a joint database on (alleged) jihadists, raises legal concerns over the protection of personal data, in particular with respect to the allocation of responsibility among participating states, the geographic scope of fundamental data protection norms, and the applicable law. It

Introduction: the right to be forgotten entailed several legal uncertainties at inception The ‘right to be forgotten’ (RTBF), or more precisely the ‘right to suppression’ continues its judicial saga as it is being examined by the very same Court that created it, following the submission of 11 preliminary questions by the French Council of State before the Court of Justice of the European Union (CJEU)

Article 80 on collective redress in the GDPR contains some of the famous circa 50 derogations that have diluted the degree of harmonisation in this EU main data protection instrument in force since May 2018. The provisions on collective action available in this framework law were not transcribed in a straightforward manner into the lex specialis to the GDPR - the proposal for the reformed e-Privacy

Key PointsTo effectively collaborate in biobanking and build capacity in low and middle-income countries, data transfer from European Union (EU) Member States to states in Africa is crucial.Althoug ...

• Since the notion of fairness underpins the regimes of competition, data protection and consumer law, it can act as a connecting factor to align substantive protections and enforcement mechanisms in the three fields. • While most attention has so far been devoted to how vigorous competition enforcement can render data protection rules more effective, the complementarity between the regimes also works

The starting point for this article begins from the observation that that data-driven service delivery is catalysing a change in modes of production and consumption, marked by a move away from ‘mass production’ in favour of ‘mass predictive personalisation’. Despite the portrayal of personalised as ‘empowering’ consumers, I identify five fears that the rise of mass predictive personalisation may portend

A brief overview of the respective frameworks for competition and data protection law in South Africa is provided before providing examples of where convergence between the two occurs. An argument is made that it would be best for the competition authorities and information regulator to enter into a formal cooperation agreement in order to best manage this in order to ensure that the potential anti-competitive

In the 21st century, it has become virtually impossible to meaningfully participate in society without revealing our personal data. Many of the most necessary, entertaining, and useful internet services demand personal data that are then used for targeted advertisements as a condition of use. Service providers follow us around the Internet and across devices to show us ads and to collect more data

Angela Daly, Private Power, Online Information Flows and EU Law: Mind the Gap, Oxford and Portland, OR: Hart Publishing, 2016, 184 pp. £50, ISBN: 978-1-50990-063-3.

• Data Protection by Design (DPbD), a holistic approach to embedding principles in technical and organisational measures undertaken by data controllers, building on the notion of Privacy by Design, is now a qualified duty in the GDPR. • Practitioners have seen DPbD less holistically, instead framing it through the confidentiality-focussed lens of Privacy Enhancing Technologies (PETs). • While focussing

Increasingly, governments and businesses are collecting, analyzing, and sharing detailed information about individuals over long periods of time. Vast quantities of data from new sources and novel methods for large-scale data analysis promise to yield deeper understanding of human characteristics, behavior, and relationships and advance the state of science, public policy, and innovation. At the same

The right of access occupies a central role in EU data protection law's arsenal of data subject empowerment measures. It can be seen as a necessary enabler for most other data subject rights as well as an important role in monitoring operations and (en)forcing compliance. Despite some high-profile revelations regarding unsavoury data processing practices over the past few years, access rights still

- Legitimacy of public-private partnerships for combatting cybercrime partially depends on whether or not law enforcement data processing activities are subject to the same data protection-related restrictions, whether they involve cooperation of private parties or not. - Information sharing within PPPs is a complex phenomenon with various configurations and power structures. This complexity needs

Various smartphone apps and services are available which encourage users to report where and when they feel they are in an unsafe or threatening environment. This user generated content may be used to build datasets, which can show areas that are considered ‘bad,’ and to map out ‘safe’ routes through such neighbourhoods. Despite certain advantages, this data inherently carries the danger that streets

• The aim of this contribution is to analyse the real borderlines of the 'right to explanation' in the GDPR and to discretely distinguish between different levels of information and of consumers' awareness in the 'black box society'. In order to combine transparency and comprehensibility we propose the new concept of algorithm 'legibility'. • We argue that a systemic interpretation is needed in this

There is no single, neat statutory provision labeled the “right to explanation” in Europe’s new General Data Protection Regulation (GDPR). But nor is such a right illusory. Responding to two prominent papers that, in turn, conjure and critique the right to explanation in the context of automated decision-making, we advocate a return to the text of the GDPR. Articles 13-15 provide rights to “meaningful

This journal prides itself on taking a global and international view of data protection and privacy issues. Inevitably, much of what we publish deals with European Union (EU) data protection law, and in particular the EU General Data Protection Regulation (GDPR) that will become enforceable in May 2018. But over the years we have been proud to publish articles covering the law of countries and regions

Personal data harvested in the Internet of Things not only promises to be particularly valuable, but also particularly privacy-sensitive. Analysed with the power of specialized Artificial Intelligence, such data allows for potentially beneficial personalization of goods and services; however, it also facilitates data-driven exploitative contracting. For example, autonomous and connected vehicles (ACVs)

Changes to the UK constitutional and institutional settlement on Brexit day may affect the likelihood of the UK securing an adequacy decision under GDPR. Despite the UK Government claiming that on Brexit day, ‘it will have fully implemented EU [data] privacy rules’ it will have no equivalent of Article 8 of the EU Charter in domestic law. This may undermine efforts to achieve an adequacy ruling due

South Korea’s data privacy law has evolved rapidly despite a short history of relevant legislation and enforcement. South Korea’s data privacy law has exceedingly stringent consent requirements. In addition to consent, there are many other statutory provisions with onerous requirements, arguably making the overall data privacy law regime one of the strictest in the world. South Korea’s data privacy

Following the outcome of the historic ‘Brexit’ referendum on 23rd June 2016 in which a majority of eligible voters in the UK voted to ‘Leave,’ the United Kingdom is potentially on course to leave the European Union, but to ensure continued economic success it will seek to maintain a favourable trading relationship with the EU. This article identifies and critically evaluates the various types of trade

• Privacy and Data Protection Impact Assessments (PIAs/DPIAs) are tools for organisations to manage privacy risks. They emerged in various jurisdictions from the 1980s, initially as a purely voluntary measure. DPIAs are now set to become a mandatory requirement in certain circumstances under the European General Data Protection Regulation (GDPR). This article addresses impact assessments from the perspective

Online tracking for behavioural advertising purposes facilitates the shift from traditional marketing to web-personalization with ads tailored to Internet users’ preferences and interests. To that end, user profiles are developed based on the information collected via the use of several technologies, including cookies, web-beacons, device- and browser fingerprinting, and others. The collected information

Big data holds much potential, but it can also have a negative impact on individuals, particularly on their privacy and data protection rights. Data protection law is the point of departure in the discussion about big data; it is widely regarded as the answer to big data’s negative consequences. Yet a closer look at the criteria for applicability of EU data protection law reveals a number of weaknesses

On 6 October 2015, the European Court of Justice (CJEU) invalidated a decision from 2000, wherein the Commission had granted an exception from the general prohibition regarding transfers of personal data outside the European Economic Area (EEA) (CJEU C-362/14, Schrems v Data Protection Commissioner 6 October 2015). Companies in the EEA were permitted to transfer personal data to US companies that had

• Article 4(1)(a) of Directive 95/46/EC plays an important role in determining the applicability of EU data privacy law. However, its wording lends itself to various interpretations.• Consequently, it is unsurprising that Article 4(1)(a) has been the object of several recent CJEU judgments, and that this provision is the object of ongoing litigation.• This article seeks to analyse and predict the future

Jurisdiction based solely on the territoriality principle is becoming less evident in the digital age This article engages in a discussion with authors such as Kuner and Svantesson, that have expressed a critical view on expansive jurisdiction of the EU data protection regime in issue 4, November 2015, of this Journal. Our contribution focuses on the choices with regard to scope and jurisdiction made

It is necessary to find a balance between data protection rights and trade secret rights on customer information in the European Union (EU) framework: the right to access to personal data and the new proposed right to ‘data portability’ conflict with the interests of trade secret holders. Balancing rules in data protection law and trade secret law are vague and ambiguous. From a literal interpretation

The emergence of Big Data has amounted to the complexity of the discussion on data reuse. The benefits of Big Data lie in the possibilities to discover novel trends, patterns and relationships by combining very large amounts of data from different sources. Current personal data protection requirements like data minimization and purpose specification are potentially inimical to Big Data as they limit