Felix Bieker, Marit Hansen

European Data Protection Law Review, Jahrgang 9 (2023), Ausgabe 4, Seite 399 - 408

In our exploration of the future of data protection, we begin our analysis with a look at historic patterns of discrimination in order to get a clear look at what the future might hold for data protection. As the past and present inform the future, we proceed with the current and upcoming EU legislation concerning current data practices: the GDPR, the DMA and DSA, as well as the draft AI Act, AI Liability Directive and Platform Workers Directive. We ultimately find that this regulation does not sufficiently address the market incentives underlying many of the current harmful data practices. Instead, we argue that for a better future a more systemic approach is required and that the law has to address infrastructures as well as service providers/manufacturers directly, as this is where informational power concentrates. Yet, it is also paramount to realise that the (data protection) law alone cannot fix the systemic failures created by market dynamics. In conclusion, we argue that in order to break the spiralling cycles of trying to fix harmful technologies after large players have started to gain immense profits, we need a more fundamental shift in these financial incentives. Keywords: GDPR, design justice, big tech, Fundamental Rights Impact Assessment

Blessing Mutiro

European Data Protection Law Review, Jahrgang 9 (2023), Ausgabe 4, Seite 409 - 417

The article discusses the future of European Union (EU) data protection law following its fifth anniversary in May 2023. It argues for the expansion of the concept of personal data to cater for collectives and not just the individual. It discusses the interests of collectives in data protection that are overlooked by current laws and highlights the importance of extending data protection to collectives. In this regard, the article argues that EU data protection law should undergo a reverse Brussels effect which allows the EU to look outward and learn from cultures that privilege communities and groups to identify a collective cultural value that can inform a theoretical framework that recognises collective rights. It proposes Ubuntu as one such value that the EU can learn from and transpose into the current data protection system without making drastic changes. It proposes an Ubuntu Framework and the principles accompanying such framework that can be incorporated into the GDPR. Keywords: collectives, legal persons, groups, ubuntu, GDPR, collective identity, Brussels effect

Paul de Hert, Vagelis Papakonstantinou

European Data Protection Law Review, Jahrgang 9 (2023), Ausgabe 4, Seite 393 - 398

The digital world occupying large swathes of individuals’ lives in a trend that shows no signs of abating any time soon, the perennial question in human rights protection has been brought once again, forcefully, to the fore: do we need new human rights to deal with new societal and technological developments? Or are the ones already in place enough, complemented by recourse to the general principles of human rights, specifically to that of proportionality? Making use of the GDPR as a case-study in this regard, this paper elaborates upon the two, foreseeable, answers to this question. The first, within a digital constitutionalism context, suggests the introduction of new rights that will be suitable to protect individuals within the digital world. The second suggests that no new rights are necessary and that recourse should be made to the principle of proportionality instead. The choice by policy-makers between these two options will decide the future for the protection of individual rights in Europe. Keywords: GDPR, digital constitutionalism, principle of proportionality

Teresa Quintel

European Data Protection Law Review, Jahrgang 9 (2023), Ausgabe 4, Seite 418 - 429

This contribution sets out a fictitious scenario in which the Court of Justice of the European Union hands down two important judgments regarding legislative measures in the year 2033. Those legislative measures chosen for the scenario are on the one hand, an imagined Regulation on preventing and combatting child sexual abuse online and, on the other, two Regulations establishing a framework for interoperability between EU information systems. The imaginary judgments, as put in the contribution, should be seen as landmark decisions as the Court scrutinised the existence of a continuous necessity of the laws in question in light of the relevant changes that took place since their adoption. In addition, the Court’s reasoning to declare void the above legislative measures, in both judgments, relied on the same proportionality assessment formula that already served as reference for similar decisions in the recent past. This contribution will briefly highlight the relevant aspects of the laws that were struck down by the Court, summarise the main developments that had an impact on the matters regulated by those laws and reiterate the main arguments found by the Court. The conclusion emphasises the importance of balancing different fundamental rights and interests in order to achieve an equilibrium between privacy and security. Keywords: GDPR, e-Privacy Regulation, Regulation on preventing and combatting child sexual abuse online, interoperability of EU databases

Lisette Mustert

European Data Protection Law Review, Jahrgang 9 (2023), Ausgabe 4, Seite 454 - 464

Eva Lievens, Valerie Verdoodt

European Data Protection Law Review, Jahrgang 9 (2023), Ausgabe 4, Seite 472 - 481

Katharina Kollmann

European Data Protection Law Review, Jahrgang 9 (2023), Ausgabe 4, Seite 465 - 471

Anu Talus

European Data Protection Law Review, Jahrgang 9 (2023), Ausgabe 3, Seite 287 - 289

Giorgia Bincoletto

European Data Protection Law Review, Jahrgang 9 (2023), Ausgabe 3, Seite 357 - 362

Dara Hallinan, Nicholas Martin

European Data Protection Law Review, Jahrgang 6 (2020), Ausgabe 2, Seite 178 - 193

The General Data Protection Regulation mandates that data controllers conduct a Data Protection Impact Assessment (DPIA) for certain processing activities. The core of the substance of the DPIA obligation requires that data controllers engage in ‘an assessment of the risks to the rights and freedoms of data subjects [posed by the processing operation]’. A common interpretation has emerged that this obligation only requires data controllers to engage in a ‘compliance assessment’: an assessment of the risks of processing considering the concrete provisions of the GDPR. This article takes issue with this interpretation and offers an elaborated conceptual argument supporting the following, alternative, position: the obligation that the DPIA risk assessment process include ‘an assessment of the risks to the rights and freedoms of data subjects’ requires data controllers to take the complete catalogue of rights and freedoms, outlined in foundational European fundamental rights instruments, as the key normative reference point for the DPIA risk assessment process. Keywords: data protection, privacy, GDPR, data protection impact assessment, DPIA, fundamental rights