
The search returned 47 results.



A Closer Look at the GDPR’s Security Requirements and Assessing the (In)Appropriateness of Technical and Organisational Measures (TOMs) journal article

Suzanne Nusselder

European Data Protection Law Review, Volume 10 (2024), Issue 1, Page 111 - 116

Case C-340/21 VB v Natsionalna agentsia za prihodite (NAP), Judgement of the Court of Justice (Third Chamber) of 14 December 2023 In the first judgement specifically dealing with the GDPR’s security requirements, the CJEU provides clarity on the interpretation of Article 32 GDPR. The occurrence of a personal data breach does not in itself demonstrate the inappropriateness of the TOMs implemented by the data controller. Instead, the data controller bears the burden of proof for demonstrating the appropriateness of TOMs, which is to be checked in a substantive manner by national courts. Furthermore, a data subject’s fear of potential future misuse of personal data following a hacking attack can constitute non-material damage, provided it is well-founded and specific.



The Rise of the Neuroslave: journal article

Is the EU Normative Framework Fit to Grant Protection Against the Employers Accessing the Worker’s Mental States?

Marta Sosa Navarro

European Data Protection Law Review, Volume 10 (2024), Issue 1, Page 17 - 29

Are employers allowed under EU law to use brain data as part of the growing trend of workplace surveillance? And if so, how should this be regulated to ensure full respect of labour rights? What role does the workers’ consent play in this context? Through the examination of the legal protection offered to mental data by the GDPR and the potential of the opening clause enshrined in its Article 88 as a tool to protect workers from neurosurveillance, this paper aims to answer some of these questions. Ultimately, through the combined analysis of scholarly writings, data protection and labour legislation adopted in EU Member States and the relevant ECtHR and CJEU case-law, this work provides the basis for a broader discussion on whether the legal safeguards currently in force are sufficient to grant protection against the employers accessing workers’ mental states. Keywords: workplace surveillance; GDPR; right to privacy, freedom of thought and expression; wearable neurotechnology


Data Protection for Genomics and Brain Data: journal article

Personal Privacy Versus Scientific Innovation in the United States and European Union

Robert I. Field

European Data Protection Law Review, Volume 10 (2024), Issue 1, Page 30 - 42

Two powerful new technologies enable the collection of especially intimate personal information and pose special threats to privacy. These are technologies that collect and analyse data on the genomes and brain activity of individuals. Both technologies are enabling tremendous medical advances, but they come with new kinds of risks to the individuals whose information is compiled. The United States and European Union have so far taken different paths in their approach to balancing scientific innovation and individual privacy, with important implications for these technologies. While laws in both jurisdictions leave gaps in privacy protection, those in the United States are especially porous, particularly with regard to data amassed by private companies that collect them from customers on a direct-to-consumer basis. However, even in the EU where the General Data Protection Regulation offers a single comprehensive regulatory scheme for residents of member states, privacy protection is incomplete and will likely be reduced by a subsequent regulatory proposal, the European Health Data Space. This article describes key privacy laws in both jurisdictions concerning health-related information, explains the implications of their shortcomings for genomic and brain data, and suggests reforms to address those shortcomings. These reforms would promote closer convergence of laws in the two jurisdictions, which could provide more consistent protection for individuals and clearer compliance standards for entities that use sensitive health data to advance new technologies. Keywords: genomics; neurotechnology; privacy; GDPR; regulation





Data Protection in 2033: journal article open-access

Playing Whac-A-Mole with Injustices?

Felix Bieker, Marit Hansen

European Data Protection Law Review, Volume 9 (2023), Issue 4, Page 399 - 408

In our exploration of the future of data protection, we begin our analysis with a look at historic patterns of discrimination in order to get a clear look at what the future might hold for data protection. As the past and present inform the future, we proceed with the current and upcoming EU legislation concerning current data practices: the GDPR, the DMA and DSA, as well as the draft AI Act, AI Liability Directive and Platform Workers Directive. We ultimately find that this regulation does not sufficiently address the market incentives underlying many of the current harmful data practices. Instead, we argue that for a better future a more systemic approach is required and that the law has to address infrastructures as well as service providers/manufacturers directly, as this is where informational power concentrates. Yet, it is also paramount to realise that the (data protection) law alone cannot fix the systemic failures created by market dynamics. In conclusion, we argue that in order to break the spiralling cycles of trying to fix harmful technologies after large players have started to gain immense profits, we need a more fundamental shift in these financial incentives. Keywords: GDPR, design justice, big tech, Fundamental Rights Impact Assessment