Skip to content

The search returned 21 results.

The Data-Laundromat? journal article open-access

Public-Private-Partnerships and Publicly Available Data in the Area of Law Enforcement

Thilo Gottschalk

European Data Protection Law Review, Volume 6 (2020), Issue 1, Page 21 - 40

Law enforcement increasingly relies on complex machine learning approaches to support investigations. With limited knowledge and funding LEAs often depend on opaque private-public collaborations. Failure to provide legal bases on the national level paired with shortcomings both in the GDPR and Directive EU-2016/680 (LED) result in severe risks for fundamental rights of EU citizens. To overcome these risks an interdisciplinary discussion is required. This paper hence sheds light on technical challenges and misconceptions as well as legal shortcomings to foster a common understanding of the challenges to find out how they might be addressed. To do so, the author searches for common ground of ‘public availability’ and reviews currently used technical approaches and common processing constellations. Based on the outcomes, the author proposes a change in the LED and discusses a centralised institution to govern access to novel data driven technology. Keywords: law enforcement; public-private partnership; data protection; GDPR; LED


Regulating the Dynamic Concept of Non-Personal Data in the EU: journal article

From Ownership to Portability

Laura Somaini

European Data Protection Law Review, Volume 6 (2020), Issue 1, Page 84 - 93

The article explores the dynamic concept of non-personal data and the regulatory approaches within the EU legal framework. De lege lata, this article critically assesses the issues arising from Regulation (EU) 2018/1807 on the framework on the free flow of non-personal data, focusing on the definition of non-personal data and the data porting principle. While the legislator’s shift from ownership to control is endorsed, the relevance of a framework targeting solely non-personal data is questioned in light of data protection concerns. De lege ferenda, this article submits that a comprehensive approach should broadly consider overcoming binary data categorisations. For the purposes of the FFD Regulation’s evaluation, evidence-based reflections are suggested. Keywords: non-personal data; free flow of data; GDPR; data portability; data ownership



Balancing Data Subjects’ Rights and Public Interest Research: journal article

Examining the Interplay between UK Law, EU Human Rights Law and the GDPR

Jessica Bell, Stergios Aidinlis, Hannah Smith, Miranda Mourby, Heather Gowans, Susan E Wallace, Jane Kaye

European Data Protection Law Review, Volume 5 (2019), Issue 1, Page 43 - 53

The EU General Data Protection Regulation (‘GDPR’) seeks to balance the public interest in research with privacy rights of individuals, in particular, through research exemptions and safeguards set out in Article 89. While this affords Member States limited opportunities to modify the application of the GDPR at a national level, including for data processing that is necessary for the performance of a task carried out in the public interest, it is necessary for national approaches to conform with Article 89 safeguards where appropriate. One development of interest to the research community in the UK is a statutory power for public authorities to disclose administrative data for research under the Digital Economy Act 2017 (DEA). This article uses the DEA as a case study for analysis of the GDPR provisions governing processing of data for research purposes—including de-identification—and draws on human rights norms and jurisprudence to interpret the broad requirement for ‘appropriate safeguards’ for the ‘rights and freedoms of the data subject’ under Article 89. This analysis is important for data controllers seeking to meet their obligations under the UK framework and for those in other EU Member States considering the development of similar national provisions for data processing for research purposes. Keywords: GDPR, Public Interest Research, Privacy


Key GDPR Elements in Adequacy Findings of Countries That Have Ratified Convention 108 journal article

Sara Leonor Duque de Carvalho

European Data Protection Law Review, Volume 5 (2019), Issue 1, Page 54 - 64

The article discusses the steps leading to the adoption of an adequacy decision by countries that have ratified Convention 108. Despite heading towards the GDPR standards, mere accession to Convention 108 is not enough to suggest that a country's data protection level is adequate. The article points out the difficulty of assessing adequacy, taking into account that it requires not only a common effort from different bodies, but also a deep analysis of the legal data protection framework. In fact, there are a set of data protection principles and enforcement mechanisms, which can be deemed essential when assessing adequacy. Therein lies the difficulty of agreeing on the ‘core’ elements that the European Commission should take into account when adopting this adequacy decision. In the light of the Schrems judgment, the EU adequacy standards for a third country were made significantly more onerous, requiring a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the EU. But what does ‘essentially equivalent’ mean? Keywords: Adequacy, Convention 108, GDPR, Third Countries, Essentially Equivalent, Core Elements


The Protection of Data Concerning Health in Europe journal article

Trix Mulder

European Data Protection Law Review, Volume 5 (2019), Issue 2, Page 209 - 220

More and more, medical practitioners use modern technologies such as apps and wearables in their treatment plan. The GDPR defines these kinds of data as ‘data concerning health’. However, also the term ‘medical data’ is being used. Furthermore, the Council of Europe uses terms such as ‘personal health data’ and ‘medical welfare data’. Using all these different terms makes it difficult to understand what is protected by these terms and what is not. This article gives an historical overview of the evolution of the protection of data concerning health, which also leads to a discussion on the current broad definition and offers possible solutions for the use of (the term) ‘data concerning health’. Keywords: Data Concerning Health, GDPR, Data Protection, Council of Europe


Legal Issues in Regulating Observational Studies: journal article

The impact of the GDPR on Italian Biomedical Research

Paola Aurucci

European Data Protection Law Review, Volume 5 (2019), Issue 2, Page 197 - 208

This article aims to show the legal challenges rising from the use, reuse, linkage and analysis of sensitive data in observational studies. In order to spell out these challenges and a possible way of meeting them, the first section takes into account the distinctive nature of retrospective observational studies and Big Data anal. The second section shows how the General Data Protection Regulation faces the challenge of maximising the opportunities arising from these studies while protecting the privacy of individual patients through research exemptions. The last section focuses on the Italian data protection regime to show why delegation of powers back to the national legal systems of the Member States entails a number of critical drawbacks, like hampering the progress of medical research. Keywords: GDPR, Data Protection, Medical Research, Sensitive Data


Peter Nowak v Data Protection Commissioner: journal article

Potential Aftermaths Regarding Subjective Annotations in Clinical Records

Daniel Jove

European Data Protection Law Review, Volume 5 (2019), Issue 2, Page 175 - 183

On 20 December 2017 the European Court of Justice gave its judgment on the Nowak case. This ruling addresses the potential application of the General Data Protection Regulation (GDPR) to the answers and subjective comments of the examiner. The classification of this data as personal data entails, for the candidate, the possibility of using their rights of access, rectification and objection. This study analyses the Nowak ruling and reflects on the possibility of extrapolating the doctrine which it establishes to other areas. The spotlight is placed specifically on subjective comments in a medical history. The nature of this information is analysed in order to establish whether it is the patient’s personal data and also if limiting the right to access this information is compatible with the GDPR. Keywords: Data Protection, Subjective Annotations, Clinical Record, GDPR, General Data Protection Regulation, European Court of Justice


The Court of Justice as a Key Player in Privacy and Data Protection: journal article

An Overview of Recent Trends in Case Law at the Start of a New Era of Data Protection Law

Christopher Docksey, Hielke Hijmans

European Data Protection Law Review, Volume 5 (2019), Issue 3, Page 300 - 316

In this article we discuss the main trends in the recent case law of the CJEU, following the three landmark cases of Digital Rights Ireland, Google Spain, and Schrems. The CJEU has followed a broad approach to scope and a strict approach to exceptions, ensuring that where personal information is processed there will be one or more controllers who will be accountable for such processing. The Court has also recognised that data protection requires a balancing with other fundamental rights such as freedom of expression, and has followed a common sense approach that allows personal information to be processed in a proportionate manner for legitimate purposes. We conclude that the case law has had a positive impact on the data protection legal framework and that the CJEU is likely to maintain its approach in order to ensure that the GDPR is fully effective. Keywords: Case Law, CJEU, Accountability, Fundamental Rights, GDPR


Civil Liability for Processing of Personal Data in the GDPR journal article

A.B. Menezes Cordeiro

European Data Protection Law Review, Volume 5 (2019), Issue 4, Page 492 - 499

In this paper we intend to analyse all the component paragraphs of Article 82 GDPR. The first part will be devoted to exploring the three elements of civil liability: unlawfulness, damages and causal link. The second, to the persons who can make use of this mechanism and against whom it can be invoked. And lastly, in the third part, we will address some more specific issues, in particular joint and several liability and the right of recourse. A practical standpoint is adopted, focused on problems that application of the article may raise: (i) the types of acts and omissions that permit actions to be brought to enforce liability; (ii) the types of damages which are compensable; (iii) which subjects can bring actions of this kind; and (iv) the differences between the rules established for controllers and processors. Keywords: GDPR, Civil Liability, Right to Compensation