
The search returned 32 results.

Certification in Data Protection: New and Old Issues Concerning Certifiers’ Liabilities journal article

Anna Rita Popoli

European Data Protection Law Review, Volume 6 (2020), Issue 3, Page 390 - 406

The article examines the various forms of liabilities that accredited certification bodies may incur in operating in the field of data protection, while also trying to offer some suggestions to improve the harmonisation in the pathological phase of litigation in certification mechanisms. Keywords: GDPR, Data Protection, Certification, Contractual Liability, Tort Liability, ADR/ODR


Forgetful AI: AI and the Right to Erasure under the GDPR journal article

Tiago Sérgio Cabral

European Data Protection Law Review, Volume 6 (2020), Issue 3, Page 378 - 389

Artificial Intelligence and, specifically, Machine Learning, depends on data for its development and continuous evolution. Frequently, the information used to train Machine Learning algorithms is personal data and, thereby, subject to the rules contained within the GDPR. If the necessary requirements are fulfilled, Article 17 of the GDPR grants to the data subject the right to request from the controller the erasure of personal data concerning him/her. In this paper we will study the impact of the right to erasure under the GDPR in the development of Artificial Intelligence in the European Union. We will assess whether datasets, mathematical models and the results of applying such models to new data need to be erased, pursuant to a valid request from the data subject. We will also analyse the challenges created by this erasure, how they can be minimized and the most adequate legal interpretations to ensure seamless AI development that is also compatible with the principles of privacy and data protection currently in force within the European Union. Keywords: Artificial Intelligence, GDPR, Right to Erasure


Facial Detection and Smart Billboards: Analysing the ‘Identified’ Criterion of Personal Data in the GDPR journal article

Peter Alexander Earls Davis

European Data Protection Law Review, Volume 6 (2020), Issue 3, Page 365 - 377

This paper analyses the applicability of the EU GDPR to smart billboards, which are digital signs that allow their operators to target advertisements or gather analytics data based on the appearance of passers-by. Smart billboards leverage facial detection technology which, unlike facial recognition, swiftly deletes or anonymises (personal) data, making the application of data protection rules problematic. An analysis of relevant decisions, opinions and commentary is conducted, concluding that approaches taken so far to the question of GDPR do not adequately address the novel technical characteristics of smart billboards. By proposing a novel interpretation of the term ‘identified’ in GDPR Article 4(1), the paper claims that smart billboards do in fact process personal data under the GDPR. Keywords: Facial, Detection, Recognition, GDPR



The Right to Explanation under the Right of Access to Personal Data: Legal Foundations in and Beyond the GDPR journal article

Diana Dimitrova

European Data Protection Law Review, Volume 6 (2020), Issue 2, Page 211 - 230

The present article sets out to contribute to the discussion on the right to explanation of (automated) decisions and profiles by examining it in light of the right to access to one’s personal data. To that end it explores the right of access and explanation obligations beyond the GDPR by focusing also on Directive 2016/680, the CJEU case law, CoE Convention 108+ and ECtHR case law. The paper argues that whereas the right to know the reasoning and criteria underlying a decision could be derived from the right of access, this is less explicit in the case-law of the CJEU as compared to the ECtHR and Convention 108+. The discussion also points to the necessity of clarifying the relationship between and boundaries of data protection rights and other areas of law, eg the right to effective remedy and the obligation to state reasons for decisions. Keywords: right to explanation, right of access, GDPR, data protection


Fundamental Rights, the Normative Keystone of DPIA journal article

Dara Hallinan, Nicholas Martin

European Data Protection Law Review, Volume 6 (2020), Issue 2, Page 178 - 193

The General Data Protection Regulation mandates that data controllers conduct a Data Protection Impact Assessment (DPIA) for certain processing activities. The core of the substance of the DPIA obligation requires that data controllers engage in ‘an assessment of the risks to the rights and freedoms of data subjects [posed by the processing operation]’. A common interpretation has emerged that this obligation only requires data controllers to engage in a ‘compliance assessment’: an assessment of the risks of processing considering the concrete provisions of the GDPR. This article takes issue with this interpretation and offers an elaborated conceptual argument supporting the following, alternative, position: the obligation that the DPIA risk assessment process include ‘an assessment of the risks to the rights and freedoms of data subjects’ requires data controllers to take the complete catalogue of rights and freedoms, outlined in foundational European fundamental rights instruments, as the key normative reference point for the DPIA risk assessment process. Keywords: data protection, privacy, GDPR, data protection impact assessment, DPIA, fundamental rights


Codes of (Mis)conduct? An Appraisal of Articles 40-41 GDPR in View of the 1995 Data Protection Directive and Its Shortcomings journal article

Carl Vander Maelen

European Data Protection Law Review, Volume 6 (2020), Issue 2, Page 231 - 242

The EU increasingly integrates alternative regulatory instruments (ARIs) in legislation, encouraging private stakeholder participation in the implementation and enforcement processes of those hard law instruments. Articles 40 and 41 GDPR are an example thereof, stipulating that bodies representing categories of controllers or processors should develop codes of conduct to specify the concrete application of the GDPR’s principles, rights and obligations. This article first analyses the legislative predecessor to these articles: Article 27 of the Data Protection Directive (DPD). Available information concludes that both the so-called ‘Community codes’ and national codes under this provision failed to make their desired impact. Second, this contribution inspects the key objectives, as well as the material and formal content of Articles 40 and 41 GDPR to identify similarities and differences between the DPD and the GDPR. Preliminary and cautious predictions are offered on whether GDPR codes of conduct will chart a more successful course. Keywords: codes of conduct, GDPR, 1995 Data Protection Directive, Articles 40-41 GDPR, co-regulation


Regulating the Dynamic Concept of Non-Personal Data in the EU: From Ownership to Portability journal article

Laura Somaini

European Data Protection Law Review, Volume 6 (2020), Issue 1, Page 84 - 93

The article explores the dynamic concept of non-personal data and the regulatory approaches within the EU legal framework. De lege lata, this article critically assesses the issues arising from Regulation (EU) 2018/1807 on the framework on the free flow of non-personal data, focusing on the definition of non-personal data and the data porting principle. While the legislator’s shift from ownership to control is endorsed, the relevance of a framework targeting solely non-personal data is questioned in light of data protection concerns. De lege ferenda, this article submits that a comprehensive approach should broadly consider overcoming binary data categorisations. For the purposes of the FFD Regulation’s evaluation, evidence-based reflections are suggested. Keywords: non-personal data; free flow of data; GDPR; data portability; data ownership