Skip to content

The search returned 16 results.

ISO/IEC 27701 Standard: Threats and Opportunities for GDPR Certification journal article

Eric Lachaud

European Data Protection Law Review, Volume 6 (2020), Issue 2, Page 194 - 210

The paper assesses the possible consequences for Article 42/43 certification of the publication of the ISO/IEC 27701:2019 standard. This new ISO standard establishes a management system that aims to manage ‘the processes for protecting the capture, accountability, availability, integrity, and confidentiality of personal data.’ The conformity with the standard’s requirements is certifiable by the private conformity assessment bodies interested in providing this service to businesses. The paper shows that ISO/IEC 27701:2019 based certification has many assets to dominate the market of data protection certification. It offers operational advantages to businesses that are looking for a readymade solution to streamline information security and data protection. A strong uptake of ISO/IEC 27701:2019 based certification could threaten Article 42/43 certification by creating two competing approaches of data protection compliance. But it could also offer the opportunity to improve the general level of data protection and encourage the European supervisory authorities to clarify the relationships they intend to establish with ISO privacy standards. Keywords: certification, privacy, ISO, self-regulation, standardisation


Fundamental Rights, the Normative Keystone of DPIA journal article

Dara Hallinan, Nicholas Martin

European Data Protection Law Review, Volume 6 (2020), Issue 2, Page 178 - 193

The General Data Protection Regulation mandates that data controllers conduct a Data Protection Impact Assessment (DPIA) for certain processing activities. The core of the substance of the DPIA obligation requires that data controllers engage in ‘an assessment of the risks to the rights and freedoms of data subjects [posed by the processing operation]’. A common interpretation has emerged that this obligation only requires data controllers to engage in a ‘compliance assessment’: an assessment of the risks of processing considering the concrete provisions of the GDPR. This article takes issue with this interpretation and offers an elaborated conceptual argument supporting the following, alternative, position: the obligation that the DPIA risk assessment process include ‘an assessment of the risks to the rights and freedoms of data subjects’ requires data controllers to take the complete catalogue of rights and freedoms, outlined in foundational European fundamental rights instruments, as the key normative reference point for the DPIA risk assessment process. Keywords: data protection, privacy, GDPR, data protection impact assessment, DPIA, fundamental rights


Planet49: Pre-Ticked Checkboxes Are Not Sufficient to Convey User’s Consent to the Storage of Cookies (C-673/17 Planet49) journal article

Agnieszka Jabłonowska, Adrianna Michałowicz

European Data Protection Law Review, Volume 6 (2020), Issue 1, Page 137 - 142

Case C-673/17 Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e.V. v Planet49 GmbH, Judgment of the Court (Grand Chamber) of 1 October 2019 Consent of a website user, required for the lawful storage of information or access to information already stored, in the form of cookies, in his or her terminal equipment is not validly constituted by way of a pre-ticked checkbox, which the user must deselect to refuse consent. Conditions for the lawful storage and access are not to be interpreted differently according to whether or not the information stored or accessed on a website user’s terminal equipment qualifies as personal data. Information that the service provider must provide to a website user, prior to the storage of information in his or her terminal equipment, includes information on the duration of the operation of cookies and whether or not third parties may have access to it. Articles 2(f) and 5(3) of Directive 2002/58/EC – Articles 2(h) and 10 of Directive 95/46/EC – Articles 4(11) and 13 of Regulation (EU) 2016/679


Sparkling Lights in the Going Dark: journal article

Legal Safeguards for Law Enforcement’s Encryption Circumvention Measures

Thiago Moraes

European Data Protection Law Review, Volume 6 (2020), Issue 1, Page 41 - 55

This article discusses legal safeguards that could be in place in the European jurisdictions when law enforcement authorities conducting investigations of criminal offenses implement circumvention measures to bypass encryption technologies designed to protect the right to privacy of users of electronic communication services and equipment. The analysis is structured in three parts: first, two encryption technologies used by communication applications and devices are explained: end-to-end encryption and full disk encryption. Second, two encryption circumvention measures are discussed: government hacking and unlock orders. This study discusses their effectiveness against those encryption techniques, as well as their degree of invasiveness and potential harm to individuals’ rights to privacy and concludes with a list of possible legal safeguards that could be considered when implementing them. These safeguards are defined and discussed, based on European case law and national legislations analysis. Keywords: encryption; right to privacy; surveillance; going dark


Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems: AG Discusses the Validity of Standard Contractual Clauses and Raises Concerns Over Privacy Shield (C-311/18 Schrems II, Opinion of AG Saugmandsgaard Øe) journal article

Stefano Fantin

European Data Protection Law Review, Volume 6 (2020), Issue 2, Page 325 - 331

Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, Opinion of the Advocate General Henrik Saugmandsgaard Øe of the Court of Justice of the European Union of 19 December 2019 The fact that personal data transferred for commercial purposes to the US under standard contractual clauses may later be accessed by US security services does not render the whole legal framework invalid per se. Under such schemes, a case-by-case approach is to be adopted, whereby appropriate data protection safeguards are expected to be monitored ex-ante by data controllers and ex-post by national data protection authorities. Conversely, transfers carried out under the Privacy Shield unveil questions on the effectiveness of the scheme to offset deficiencies of the US framework regulating foreign intelligence activities, with respect to the protection of European citizens’ fundamental rights. Articles 2(2), 45, 46 and 58(2) of the General Data Protection Regulation Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council OJ L 39 Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union OJ C 326


European Regulation of Smartphone Ecosystems journal article

Ronan Ó Fathaigh, Joris van Hoboken

European Data Protection Law Review, Volume 5 (2019), Issue 4, Page 476 - 491

For the first time, two pieces of EU legislation will specifically target smartphone ecosystems in relation to smartphone and mobile software (eg, iOS and Android) privacy, and use and monetisation of data. And yet, both pieces of legislation approach data use and data monetisation from radically contrasting perspectives. The first is the proposed ePrivacy Regulation, which seeks to provide enhanced protection against user data monitoring and tracking in smartphones, and safeguard privacy in electronic communications. On the other hand, the recently enacted Platform-to-Business Regulation 2019, seeks to bring fairness to platform-business user relations (including app stores and app developers), and is crucially built upon the premise that the ability to access and use data, including personal data, can enable important value creation in the online platform economy. This article discusses how these two Regulations will apply to smartphone ecosystems, especially relating to user and device privacy. The article analyses the potential tension points between the two sets of rules, which result from the underlying policy objectives of safeguarding privacy in electronic communications and the functioning of the digital economy in the emerging era of platform governance. The article concludes with a discussion on how to address these issues, at the intersection of privacy and competition in the digital platform economy. Keywords: Privacy, Smartphones, Platforms, Governance


Differential Privacy and the GDPR journal article

Julian Hölzel

European Data Protection Law Review, Volume 5 (2019), Issue 2, Page 184 - 196

Under the European General Data Protection Regulation, anonymisation of personal data may not only provide a legal loophole for controllers to escape their regulatory burden. Considering specific circumstances, it can even be a legal duty for controllers to anonymise their personal data. Differential privacy has been proposed as a new approach to the problem of anonymisation. This article aims to assess the appropriateness of this approach with regards to the legal problem of anonymisation. Keywords: Anonymisation, Differential Privacy, Privacy Model, Model Comparison, Anonymisation Techniques


Balancing Data Subjects’ Rights and Public Interest Research: journal article

Examining the Interplay between UK Law, EU Human Rights Law and the GDPR

Jessica Bell, Stergios Aidinlis, Hannah Smith, Miranda Mourby, Heather Gowans, Susan E Wallace, Jane Kaye

European Data Protection Law Review, Volume 5 (2019), Issue 1, Page 43 - 53

The EU General Data Protection Regulation (‘GDPR’) seeks to balance the public interest in research with privacy rights of individuals, in particular, through research exemptions and safeguards set out in Article 89. While this affords Member States limited opportunities to modify the application of the GDPR at a national level, including for data processing that is necessary for the performance of a task carried out in the public interest, it is necessary for national approaches to conform with Article 89 safeguards where appropriate. One development of interest to the research community in the UK is a statutory power for public authorities to disclose administrative data for research under the Digital Economy Act 2017 (DEA). This article uses the DEA as a case study for analysis of the GDPR provisions governing processing of data for research purposes—including de-identification—and draws on human rights norms and jurisprudence to interpret the broad requirement for ‘appropriate safeguards’ for the ‘rights and freedoms of the data subject’ under Article 89. This analysis is important for data controllers seeking to meet their obligations under the UK framework and for those in other EU Member States considering the development of similar national provisions for data processing for research purposes. Keywords: GDPR, Public Interest Research, Privacy


Privacy Nudges: journal article

An Alternative Regulatory Mechanism to ‘Informed Consent’ for Online Data Protection Behaviour

Sheng Yin Soh

European Data Protection Law Review, Volume 5 (2019), Issue 1, Page 65 - 74

The informed consent paradigm of data protection law in the EU has failed to foster privacy-protective behaviour online, due to findings from behavioural science such as bounded rationality and asymmetric information. Hence, this article proposes a soft paternalistic approach through the use of ‘privacy nudges’ as an alternative regulatory tool to informed consent to nudge users towards more optimal privacy protection decisions. This article also discusses the potential benefits of privacy nudges, some of the main critiques of nudging and future directions for improvement. Keywords: Privacy Nudge, Informed Consent, Behavioural Economics