Anna Rita Popoli

European Data Protection Law Review, Volume 6 (2020), Issue 3, Page 390 - 406

The article examines the various forms of liabilities that accredited certification bodies may incur in operating in the field of data protection, while also trying to offer some suggestions to improve the harmonisation in the pathological phase of litigation in certification mechanisms. Keywords: GDPR, Data Protection, Certification, Contractual Liability, Tort Liability, ADR/ODR

Tiago Sérgio Cabral

European Data Protection Law Review, Volume 6 (2020), Issue 3, Page 378 - 389

Artificial Intelligence and, specifically, Machine Learning, depends on data for its development and continuous evolution. Frequently, the information used to train Machine Learning algorithms is personal data and, thereby, subject to the rules contained within the GDPR. If the necessary requirements are fulfilled, Article 17 of the GDPR grants to the data subject the right to request from the controller the erasure of personal data concerning him/her. In this paper we will study the impact of the right to erasure under the GDPR in the development of Artificial Intelligence in the European Union. We will assess whether datasets, mathematical models and the results of applying such models to new data need to be erased, pursuant to a valid request from the data subject. We will also analyse the challenges created by this erasure, how they can be minimized and the most adequate legal interpretations to ensure seamless AI development that is also compatible with the principles of privacy and data protection currently in force within the European Union. Keywords: Artificial Intelligence, GDPR, Right to Erasure

Peter Alexander Earls Davis

European Data Protection Law Review, Volume 6 (2020), Issue 3, Page 365 - 377

This paper analyses the applicability of the EU GDPR to smart billboards, which are digital signs that allow their operators to target advertisements or gather analytics data based on the appearance of passers-by. Smart billboards leverage facial detection technology which, unlike facial recognition, swiftly deletes or anonymises (personal) data, making the application of data protection rules problematic. An analysis of relevant decisions, opinions and commentary is conducted, concluding that approaches taken so far to the question of GDPR do not adequately address the novel technical characteristics of smart billboards. By proposing a novel interpretation of the term ‘identified’ in GDPR Article 4(1), the paper claims that smart billboards do in fact process personal data under the GDPR. Keywords: Facial, Detection, Recognition, GDPR

A.B. Menezes Cordeiro

European Data Protection Law Review, Volume 5 (2019), Issue 4, Page 492 - 499

In this paper we intend to analyse all the component paragraphs of Article 82 GDPR. The first part will be devoted to exploring the three elements of civil liability: unlawfulness, damages and causal link. The second, to the persons who can make use of this mechanism and against whom it can be invoked. And lastly, in the third part, we will address some more specific issues, in particular joint and several liability and the right of recourse. A practical standpoint is adopted, focused on problems that application of the article may raise: (i) the types of acts and omissions that permit actions to be brought to enforce liability; (ii) the types of damages which are compensable; (iii) which subjects can bring actions of this kind; and (iv) the differences between the rules established for controllers and processors. Keywords: GDPR, Civil Liability, Right to Compensation

Jessica Bell, Stergios Aidinlis, Hannah Smith, Miranda Mourby, Heather Gowans, Susan E Wallace, Jane Kaye

European Data Protection Law Review, Volume 5 (2019), Issue 1, Page 43 - 53

The EU General Data Protection Regulation (‘GDPR’) seeks to balance the public interest in research with privacy rights of individuals, in particular, through research exemptions and safeguards set out in Article 89. While this affords Member States limited opportunities to modify the application of the GDPR at a national level, including for data processing that is necessary for the performance of a task carried out in the public interest, it is necessary for national approaches to conform with Article 89 safeguards where appropriate. One development of interest to the research community in the UK is a statutory power for public authorities to disclose administrative data for research under the Digital Economy Act 2017 (DEA). This article uses the DEA as a case study for analysis of the GDPR provisions governing processing of data for research purposes—including de-identification—and draws on human rights norms and jurisprudence to interpret the broad requirement for ‘appropriate safeguards’ for the ‘rights and freedoms of the data subject’ under Article 89. This analysis is important for data controllers seeking to meet their obligations under the UK framework and for those in other EU Member States considering the development of similar national provisions for data processing for research purposes. Keywords: GDPR, Public Interest Research, Privacy

Sara Leonor Duque de Carvalho

European Data Protection Law Review, Volume 5 (2019), Issue 1, Page 54 - 64

The article discusses the steps leading to the adoption of an adequacy decision by countries that have ratified Convention 108. Despite heading towards the GDPR standards, mere accession to Convention 108 is not enough to suggest that a country's data protection level is adequate. The article points out the difficulty of assessing adequacy, taking into account that it requires not only a common effort from different bodies, but also a deep analysis of the legal data protection framework. In fact, there are a set of data protection principles and enforcement mechanisms, which can be deemed essential when assessing adequacy. Therein lies the difficulty of agreeing on the ‘core’ elements that the European Commission should take into account when adopting this adequacy decision. In the light of the Schrems judgment, the EU adequacy standards for a third country were made significantly more onerous, requiring a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the EU. But what does ‘essentially equivalent’ mean? Keywords: Adequacy, Convention 108, GDPR, Third Countries, Essentially Equivalent, Core Elements

Trix Mulder

European Data Protection Law Review, Volume 5 (2019), Issue 2, Page 209 - 220

More and more, medical practitioners use modern technologies such as apps and wearables in their treatment plan. The GDPR defines these kinds of data as ‘data concerning health’. However, also the term ‘medical data’ is being used. Furthermore, the Council of Europe uses terms such as ‘personal health data’ and ‘medical welfare data’. Using all these different terms makes it difficult to understand what is protected by these terms and what is not. This article gives an historical overview of the evolution of the protection of data concerning health, which also leads to a discussion on the current broad definition and offers possible solutions for the use of (the term) ‘data concerning health’. Keywords: Data Concerning Health, GDPR, Data Protection, Council of Europe

Paola Aurucci

European Data Protection Law Review, Volume 5 (2019), Issue 2, Page 197 - 208

This article aims to show the legal challenges rising from the use, reuse, linkage and analysis of sensitive data in observational studies. In order to spell out these challenges and a possible way of meeting them, the first section takes into account the distinctive nature of retrospective observational studies and Big Data anal. The second section shows how the General Data Protection Regulation faces the challenge of maximising the opportunities arising from these studies while protecting the privacy of individual patients through research exemptions. The last section focuses on the Italian data protection regime to show why delegation of powers back to the national legal systems of the Member States entails a number of critical drawbacks, like hampering the progress of medical research. Keywords: GDPR, Data Protection, Medical Research, Sensitive Data

Daniel Jove

European Data Protection Law Review, Volume 5 (2019), Issue 2, Page 175 - 183

On 20 December 2017 the European Court of Justice gave its judgment on the Nowak case. This ruling addresses the potential application of the General Data Protection Regulation (GDPR) to the answers and subjective comments of the examiner. The classification of this data as personal data entails, for the candidate, the possibility of using their rights of access, rectification and objection. This study analyses the Nowak ruling and reflects on the possibility of extrapolating the doctrine which it establishes to other areas. The spotlight is placed specifically on subjective comments in a medical history. The nature of this information is analysed in order to establish whether it is the patient’s personal data and also if limiting the right to access this information is compatible with the GDPR. Keywords: Data Protection, Subjective Annotations, Clinical Record, GDPR, General Data Protection Regulation, European Court of Justice

Christopher Docksey, Hielke Hijmans

European Data Protection Law Review, Volume 5 (2019), Issue 3, Page 300 - 316

In this article we discuss the main trends in the recent case law of the CJEU, following the three landmark cases of Digital Rights Ireland, Google Spain, and Schrems. The CJEU has followed a broad approach to scope and a strict approach to exceptions, ensuring that where personal information is processed there will be one or more controllers who will be accountable for such processing. The Court has also recognised that data protection requires a balancing with other fundamental rights such as freedom of expression, and has followed a common sense approach that allows personal information to be processed in a proportionate manner for legitimate purposes. We conclude that the case law has had a positive impact on the data protection legal framework and that the CJEU is likely to maintain its approach in order to ensure that the GDPR is fully effective. Keywords: Case Law, CJEU, Accountability, Fundamental Rights, GDPR