Dara Hallinan, Nicholas Martin

European Data Protection Law Review, Jahrgang 6 (2020), Ausgabe 2, Seite 178 - 193

The General Data Protection Regulation mandates that data controllers conduct a Data Protection Impact Assessment (DPIA) for certain processing activities. The core of the substance of the DPIA obligation requires that data controllers engage in ‘an assessment of the risks to the rights and freedoms of data subjects [posed by the processing operation]’. A common interpretation has emerged that this obligation only requires data controllers to engage in a ‘compliance assessment’: an assessment of the risks of processing considering the concrete provisions of the GDPR. This article takes issue with this interpretation and offers an elaborated conceptual argument supporting the following, alternative, position: the obligation that the DPIA risk assessment process include ‘an assessment of the risks to the rights and freedoms of data subjects’ requires data controllers to take the complete catalogue of rights and freedoms, outlined in foundational European fundamental rights instruments, as the key normative reference point for the DPIA risk assessment process. Keywords: data protection, privacy, GDPR, data protection impact assessment, DPIA, fundamental rights

Thilo Gottschalk

European Data Protection Law Review, Jahrgang 6 (2020), Ausgabe 1, Seite 21 - 40

Law enforcement increasingly relies on complex machine learning approaches to support investigations. With limited knowledge and funding LEAs often depend on opaque private-public collaborations. Failure to provide legal bases on the national level paired with shortcomings both in the GDPR and Directive EU-2016/680 (LED) result in severe risks for fundamental rights of EU citizens. To overcome these risks an interdisciplinary discussion is required. This paper hence sheds light on technical challenges and misconceptions as well as legal shortcomings to foster a common understanding of the challenges to find out how they might be addressed. To do so, the author searches for common ground of ‘public availability’ and reviews currently used technical approaches and common processing constellations. Based on the outcomes, the author proposes a change in the LED and discusses a centralised institution to govern access to novel data driven technology. Keywords: law enforcement; public-private partnership; data protection; GDPR; LED

Laura Somaini

European Data Protection Law Review, Jahrgang 6 (2020), Ausgabe 1, Seite 84 - 93

The article explores the dynamic concept of non-personal data and the regulatory approaches within the EU legal framework. De lege lata, this article critically assesses the issues arising from Regulation (EU) 2018/1807 on the framework on the free flow of non-personal data, focusing on the definition of non-personal data and the data porting principle. While the legislator’s shift from ownership to control is endorsed, the relevance of a framework targeting solely non-personal data is questioned in light of data protection concerns. De lege ferenda, this article submits that a comprehensive approach should broadly consider overcoming binary data categorisations. For the purposes of the FFD Regulation’s evaluation, evidence-based reflections are suggested. Keywords: non-personal data; free flow of data; GDPR; data portability; data ownership

Carl Vander Maelen

European Data Protection Law Review, Jahrgang 6 (2020), Ausgabe 2, Seite 231 - 242

The EU increasingly integrates alternative regulatory instruments (ARIs) in legislation, encouraging private stakeholder participation in the implementation and enforcement processes of those hard law instruments. Articles 40 and 41 GDPR are an example thereof, stipulating that bodies representing categories of controllers or processors should develop codes of conduct to specify the concrete application of the GDPR’s principles, rights and obligations. This article first analyses the legislative predecessor to these articles: Article 27 of the Data Protection Directive (DPD). Available information concludes that both the so-called ‘Community codes’ and national codes under this provision failed to make their desired impact. Second, this contribution inspects the key objectives, as well as the material and formal content of Articles 40 and 41 GDPR to identify similarities and differences between the DPD and the GDPR. Preliminary and cautious predictions are offered on whether GDPR codes of conduct will chart a more successful course. Keywords: codes of conduct, GDPR, 1995 Data Protection Directive, Articles 40-41 GDPR, co-regulation

Juraj Sajfert

European Data Protection Law Review, Jahrgang 6 (2020), Ausgabe 2, Seite 281 - 288

Paloma Krõõt Tupay

European Data Protection Law Review, Jahrgang 6 (2020), Ausgabe 2, Seite 294 - 300

Jakub Míšek, František Kasl, Pavel Loutocký

European Data Protection Law Review, Jahrgang 6 (2020), Ausgabe 2, Seite 289 - 293

Sergio Guida

European Data Protection Law Review, Jahrgang 6 (2020), Ausgabe 2, Seite 262 - 264

Christina Etteldorf

European Data Protection Law Review, Jahrgang 6 (2020), Ausgabe 2, Seite 265 - 280

Anna Rita Popoli

European Data Protection Law Review, Jahrgang 6 (2020), Ausgabe 3, Seite 390 - 406

The article examines the various forms of liabilities that accredited certification bodies may incur in operating in the field of data protection, while also trying to offer some suggestions to improve the harmonisation in the pathological phase of litigation in certification mechanisms. Keywords: GDPR, Data Protection, Certification, Contractual Liability, Tort Liability, ADR/ODR