Daniel Jove

European Data Protection Law Review, Volume 5 (2019), Issue 2, Page 175 - 183

On 20 December 2017 the European Court of Justice gave its judgment on the Nowak case. This ruling addresses the potential application of the General Data Protection Regulation (GDPR) to the answers and subjective comments of the examiner. The classification of this data as personal data entails, for the candidate, the possibility of using their rights of access, rectification and objection. This study analyses the Nowak ruling and reflects on the possibility of extrapolating the doctrine which it establishes to other areas. The spotlight is placed specifically on subjective comments in a medical history. The nature of this information is analysed in order to establish whether it is the patient’s personal data and also if limiting the right to access this information is compatible with the GDPR. Keywords: Data Protection, Subjective Annotations, Clinical Record, GDPR, General Data Protection Regulation, European Court of Justice

Matthew White

European Data Protection Law Review, Volume 5 (2019), Issue 1, Page 26 - 42

The European Union has introduced the General Data Protection Regulation to reform and update data protection laws across Member States. To comply, the United Kingdom has introduced the Data Protection Act 2018. This article focuses on one schedule of the new Act, a data protection exemption for effective immigration control purposes. Considering that the UK Parliament has not implemented the Charter of Fundamental Rights into domestic law post-Brexit, it is therefore necessary to consider this exemption under the European Convention on Human Rights. Recital 73 of the Regulation requires any restrictions on the protection of personal data to be compatible with the Convention. In concluding that the exemption is incompatible with the Convention, this will highlight that not only would the UK be failing their existing human rights obligations but also raises concerns about the UK’s adequacy status as a third country post-Brexit. Keywords: Immigration, Exemptions, Article 8 ECHR, Effective Remedy, Discrimination

Frederike Zufall

European Data Protection Law Review, Volume 5 (2019), Issue 1, Page 17 - 25

This article asks the extent to which the concept of the ‘right to be forgotten’ has been received by Japanese law – or whether, to the contrary, Japan is challenging the EU's concept. In a 2017 judgment, the Japanese Supreme Court rejected a request for injunctive relief to delete search results from the search engine Google. The decisive argument focused on the public interest around the facts concerned: a crime committed by the applicant several years earlier. The court did not just award the right to freedom of expression to Google, but centred its decision on society's right to know – thereby putting society's interest before that of the individual. In the light of the pending adoption of the EU-Japan adequacy decision, this divergence from the EU concept raises doubts as to whether 'adequacy' can be achieved between legal systems founded on cultural differences. Can we still afford to base our legal regimes on different social consciousness in the era of a borderless Internet? Keywords: Data Protection Law, Japan, Right to Be Forgotten, Adequacy Decision

Bart Custers, Helena U Vrabec, Michael Friedewald

European Data Protection Law Review, Volume 5 (2019), Issue 3, Page 317 - 337

In the data economy, many organisations, particularly SMEs may not be in a position to generate large amounts of data themselves, but may benefit from reusing data previously collected by others. Organisations that collect large amounts of data themselves may also benefit from reusing such data for other purposes than originally envisioned. However, under the current EU personal data protection legal framework, constituted by the General Data Protection Regulation, there are clear limits and restrictions to the reuse of personal data. Data can only be reused for purposes that are compatible with the original purposes for which the data were collected and processed. This is at odds with the reality of the data economy, in which there is a considerable need for data reuse. To address this issue, in this article we present the concept of a Data Reuse Impact Assessment (DRIA), which can be considered as an extension to existing Privacy and Data Protection Impact Assessments (PIAs and DPIAs). By adding new elements to these existing tools that specifically focus on the reuse of data and aspects regarding data ethics, a DRIA may typically be helpful to strike a better balance between the protection of personal data that is being reused and the need for data reuse in the data economy. Using a DRIA may contribute to increased trust among data subjects that their personal data is adequately protected. Data subjects, in turn, may then be willing to share more data, which on the long term may also be beneficial for the data economy. Keywords: Data Reuse, Data Protection, Privacy, Data Protection Impact Assessments, Privacy Impact Assessments

Paul de Hert, Juraj Sajfert

European Data Protection Law Review, Volume 5 (2019), Issue 3, Page 338 - 351

Why is Big Data absent in the recent basic data protection documents of the European Union (EU) and the Council of Europe (CoE)? Why not one single reference to Big Data practices - be it to regulate or to prohibit it - in the recent General Data Protection Regulation (EU) 2016/679, the Data Protection Law Enforcement Directive (EU) 2016/680 and the Modernised CoE Convention 108 for the Protection of Individuals with Regard to the Processing of Personal Data (Convention 108+)? Some actors in the policy field considered Big Data too dangerous and counted on existing data protection principles to tame the beast. Others simply ignored the phenomenon or were not aware of the potential benefits of Big Data for economy and governments (the rendez-vous was missed). Our discussion of no less than six recent initiatives, - standalone laws and soft law instruments - is an indication that Europe is embracing Big Data but is seemingly hesitant to confront Big Data within the classical paradigm (field) of data protection law. Concrete guidance for Big Data practices is now spread over multiple texts emanating outside the data protection field. Keywords: Big Data, Data Protection, European Commission, Institutional Actors There is no sense in studying ideas as if they floated in a kind of intellectual heaven, with no reference to the agents who produce them or, above all, to the conditions in which these agents produce them, that is, in particular to the relations of competition in which they stand towards one another.

Leon Trakman, Robert Walters, Bruno Zeller

European Data Protection Law Review, Volume 5 (2019), Issue 4, Page 500 - 519

The development and evolution of data protection law is not fully realised. One challenge that has emerged is the recognition of a tort for violating a person’s personal information contrary to data protection law. The issue is that courts have found it difficult to determine and assess the harm caused to the data subject. The courts in the United Kingdom (UK) and Canada have recently developed a tort for infringing privacy in personal data. What has emerged is that courts in those two countries have begun to establish some key principles to underpin a tort violating privacy, by providing guidance on measuring the ensuing harm. That tort is also developing in the United States. This article argues that other common law jurisdictions, notably Australia, should consider going down the same pathway, by establishing a privacy tort over the Internet. Such a tort in data protection will provide a higher level of control to data subjects over their personal data and deter entities from misusing that data. However, that tort may fail to protect data subjects from the misuse of their personal data if the law requires harm to eventuate, as is required by the tradition tort of privacy. This must be considered with caution because, unlike traditional notions of a tort in privacy, a privacy violation of over the Internet may take weeks, months or years to identify. Contrarily, tort law has been effective in reducing and deterring negligence in privacy related cases, strengthening the rationale for a tort in personal data over the Internet. Keywords: Australia, Data Protection, European Union, Personal Data, Tort, United Kingdom

Luiza Jarovsky

European Data Protection Law Review, Volume 4 (2018), Issue 4, Page 447 - 458

In this article, I argue that due to numerous shortcomings, current online consent mechanisms do not allow data subjects to think, decide and choose according to their internal beliefs, therefore impairing essential individual freedoms – or capabilities, following Martha Nussbaum’s Capabilities Approach. I identify the main shortcomings of consent in privacy as issues of cognitive limitations, information overload, information insufficiency, lack of intervenability and lack of free choice, describing the type of imbalance present in each category. Then, based on current privacy theories and focusing on the concepts of autonomy and protection – and how they can be combined and manifested in policymaking - I propose the Methodology for Autonomy-Preserving Protection (MAPP), a methodology to evaluate (old) or design (new) measures to improve consent and reinstall the freedoms of thought, decision and choice in this context. According to the MAPP, if an entity A wants to generate positive welfare to an individual B, then: 1) the intentions or goals of A must be transparent, known to B and open to legal questioning and criticism; 2) the actions of A must be transparent, non-manipulative, known to B and open to legal questioning and criticism; and 3) the actions of A must not interfere in the decision-making capacities of B, preserving her autonomy. Lastly, applying the methodology, I present a non-exhaustive list of Autonomy-Preserving Protective Measures (APPMs), showing how they can enable the three freedoms highlighted in the present work and support more effective consent mechanisms. Keywords: Information Privacy, Consent, Data Protection, Autonomy, Paternalism

Adam Panagiotopoulos

European Data Protection Law Review, Volume 4 (2018), Issue 4, Page 459 - 469

This article addresses the question of whether and under which conditions a communitarian approach could be embedded in the data protection regime, focusing on the concept and regulation of genetic data under the General Data Protection Regulation (GDPR). Reflecting on the collective and relational dimension of genetic data, this article challenges the communitarian doctrine, which underlies the relevant GDPR provisions, and suggests that the common good should not have ipso facto primacy over individual rights. The rights to data protection and privacy should be considered as individual rights, duties and shared ends. Keywords: Communitarianism, Genetic Data, Data Protection, Privacy, Public Interest

Teresa Quintel

European Data Protection Law Review, Volume 4 (2018), Issue 4, Page 505 - 514

Raphaël Gellert

European Data Protection Law Review, Volume 4 (2018), Issue 4, Page 500 - 504