
The search returned 34 results.

A Theory of EU Data Protection Law journal article open-access

Dara Hallinan

European Data Protection Law Review, Volume 9 (2023), Issue 3, Page 311 - 332

This article aims to introduce and describe a concept depicting a specific and novel form of constitutional right, to offer a basic theoretical proposition on – theory of – EU data protection law on the basis of this concept, and to demonstrate the theoretical worth and practical utility of this proposition. In this regard, the article introduces and describes the concept of the interface right – a specific and novel form of constitutional right which essentially functions to mitigate the consequences of uncertainty, brought about by change in social context, for the functionality of a set of substantive constitutional rights, by providing a legal infrastructure which ensures a reflexive relationship between the order of substantive rights and social context. Building on this concept, the article then offers, and demonstrates the theoretical worth of, the following basic theoretical proposition on – theory of – EU data protection law: the right to data protection can be considered as an interface right, and secondary EU data protection law represents the unfolding of this underlying interface right. To demonstrate the practical utility of the basic theoretical proposition, the article then takes four significant issues in EU data protection law and shows how analysis of these issues through the perspective of the proposition can lead to novel insights and novel lines of enquiry. These issues include: i) the values served by the right to data protection; ii) norm creation in Data Protection Impact Assessments; iii) the legal status of guidance from the European Data Protection Board; and iv) the relationship between EU data protection law and medical research ethics. The article concludes with a consideration of certain significant objections which might be put forward against the concepts and propositions offered. Keywords: theory, data protection, interface right, complexity, uncertainty


Resolving the Conflict Between Trade and Data Protection Law journal article

Paul M. Schwartz, Anupam Chander

European Data Protection Law Review, Volume 9 (2023), Issue 3, Page 296 - 304

The next decade will see increasing conflict between data privacy laws and international trade law. Governments are already concerned that privacy will be lost amid global data flows and have responded by enacting regulatory measures that might impede modern trade. While the European Union’s findings of ‘adequacy’ offer a potentially trade-friendly solution to cross-border data flows, fewer than a dozen countries have been found adequate. In addition, more than sixty countries have enacted laws where they too evaluate the adequacy of foreign privacy laws. This splintering of data privacy law complicates global trade as more nations review and potentially restrict outbound data flows. New solutions are needed to ensure the benefits of trade while safeguarding privacy. This paper argues that a broad international agreement is needed that sets minimum standards, develops common regulatory language, and creates binding commitments in the context of data privacy and trade law. Keywords: trade law, data protection law, World Trade Organization, adequacy finding, General Agreement on Trade in Services (GATS)



The Right to Explanation under the Right of Access to Personal Data: journal article

Legal Foundations in and Beyond the GDPR

Diana Dimitrova

European Data Protection Law Review, Volume 6 (2020), Issue 2, Page 211 - 230

The present article sets out to contribute to the discussion on the right to explanation of (automated) decisions and profiles by examining it in light of the right to access to one’s personal data. To that end it explores the right of access and explanation obligations beyond the GDPR by focusing also on Directive 2016/680, the CJEU case law, CoE Convention 108+ and ECtHR case law. The paper argues that whereas the right to know the reasoning and criteria underlying a decision could be derived from the right of access, this is less explicit in the case-law of the CJEU as compared to the ECtHR and Convention 108+. The discussion also points to the necessity of clarifying the relationship between and boundaries of data protection rights and other areas of law, eg the right to effective remedy and the obligation to state reasons for decisions. Keywords: right to explanation, right of access, GDPR, data protection


Fundamental Rights, the Normative Keystone of DPIA journal article

Dara Hallinan, Nicholas Martin

European Data Protection Law Review, Volume 6 (2020), Issue 2, Page 178 - 193

The General Data Protection Regulation mandates that data controllers conduct a Data Protection Impact Assessment (DPIA) for certain processing activities. The core of the substance of the DPIA obligation requires that data controllers engage in ‘an assessment of the risks to the rights and freedoms of data subjects [posed by the processing operation]’. A common interpretation has emerged that this obligation only requires data controllers to engage in a ‘compliance assessment’: an assessment of the risks of processing considering the concrete provisions of the GDPR. This article takes issue with this interpretation and offers an elaborated conceptual argument supporting the following, alternative, position: the obligation that the DPIA risk assessment process include ‘an assessment of the risks to the rights and freedoms of data subjects’ requires data controllers to take the complete catalogue of rights and freedoms, outlined in foundational European fundamental rights instruments, as the key normative reference point for the DPIA risk assessment process. Keywords: data protection, privacy, GDPR, data protection impact assessment, DPIA, fundamental rights




The Data-Laundromat? journal article open-access

Public-Private-Partnerships and Publicly Available Data in the Area of Law Enforcement

Thilo Gottschalk

European Data Protection Law Review, Volume 6 (2020), Issue 1, Page 21 - 40

Law enforcement increasingly relies on complex machine learning approaches to support investigations. With limited knowledge and funding LEAs often depend on opaque private-public collaborations. Failure to provide legal bases on the national level paired with shortcomings both in the GDPR and Directive EU-2016/680 (LED) result in severe risks for fundamental rights of EU citizens. To overcome these risks an interdisciplinary discussion is required. This paper hence sheds light on technical challenges and misconceptions as well as legal shortcomings to foster a common understanding of the challenges to find out how they might be addressed. To do so, the author searches for common ground of ‘public availability’ and reviews currently used technical approaches and common processing constellations. Based on the outcomes, the author proposes a change in the LED and discusses a centralised institution to govern access to novel data driven technology. Keywords: law enforcement; public-private partnership; data protection; GDPR; LED


Shortcomings of the Passenger Name Record Directive in Light of Opinion 1/15 of the Court of Justice of the European Union journal article

Sara Roda

European Data Protection Law Review, Volume 6 (2020), Issue 1, Page 66 - 83

By 25 May 2020, the European Commission is obliged to conduct a full review of the Passenger Name Record (PNR) Directive and provide a comprehensive report to the European Parliament and the Council on seven key aspects of the said Directive. These range from an assessment of the necessity and proportionality for collecting and processing PNR data in relation to each of the Directive’s purposes, to the length of the data retention period, and even the effectiveness of exchanging information among Member States, including statistical information on the number of passengers whose PNR data has been collected, exchanged or identified for further examination. The review could lead the European Commission to present a legislative proposal to amend the PNR Directive which could either reinforce, maintain or dilute the EU PNR system. More recently, two not-for-profit associations have legally challenged the national PNR schemes based on the PNR Directive. This paper questions the validity of certain provisions of the Directive in light of Opinion 1/15 of the Court of Justice of the European Union of 26 July 2017 concerning the EU-Canada PNR Agreement. It also calls on the European Commission, as guardian of the EU Treaties and of EU law, to conform the PNR Directive to the Luxembourg Court case-law on mass data retention schemes, taking advantage of the review momentum. Keywords: CJEU; Opinion 1/15; Directive 2016/681; data protection; PNR; law enforcement; data retention; Articles 7 and 8 of the Charter of Fundamental Rights


Codes of (Mis)conduct? An Appraisal of Articles 40-41 GDPR in View of the 1995 Data Protection Directive and Its Shortcomings journal article

Carl Vander Maelen

European Data Protection Law Review, Volume 6 (2020), Issue 2, Page 231 - 242

The EU increasingly integrates alternative regulatory instruments (ARIs) in legislation, encouraging private stakeholder participation in the implementation and enforcement processes of those hard law instruments. Articles 40 and 41 GDPR are an example thereof, stipulating that bodies representing categories of controllers or processors should develop codes of conduct to specify the concrete application of the GDPR’s principles, rights and obligations. This article first analyses the legislative predecessor to these articles: Article 27 of the Data Protection Directive (DPD). Available information concludes that both the so-called ‘Community codes’ and national codes under this provision failed to make their desired impact. Second, this contribution inspects the key objectives, as well as the material and formal content of Articles 40 and 41 GDPR to identify similarities and differences between the DPD and the GDPR. Preliminary and cautious predictions are offered on whether GDPR codes of conduct will chart a more successful course. Keywords: codes of conduct, GDPR, 1995 Data Protection Directive, Articles 40-41 GDPR, co-regulation