Dara Hallinan, Nicholas Martin

European Data Protection Law Review, Volume 6 (2020), Issue 2, Page 178 - 193

The General Data Protection Regulation mandates that data controllers conduct a Data Protection Impact Assessment (DPIA) for certain processing activities. The core of the substance of the DPIA obligation requires that data controllers engage in ‘an assessment of the risks to the rights and freedoms of data subjects [posed by the processing operation]’. A common interpretation has emerged that this obligation only requires data controllers to engage in a ‘compliance assessment’: an assessment of the risks of processing considering the concrete provisions of the GDPR. This article takes issue with this interpretation and offers an elaborated conceptual argument supporting the following, alternative, position: the obligation that the DPIA risk assessment process include ‘an assessment of the risks to the rights and freedoms of data subjects’ requires data controllers to take the complete catalogue of rights and freedoms, outlined in foundational European fundamental rights instruments, as the key normative reference point for the DPIA risk assessment process. Keywords: data protection, privacy, GDPR, data protection impact assessment, DPIA, fundamental rights

Michael O’Flaherty

European Data Protection Law Review, Volume 6 (2020), Issue 2, Page 170 - 173

Sara Roda

European Data Protection Law Review, Volume 6 (2020), Issue 1, Page 66 - 83

By 25 May 2020, the European Commission is obliged to conduct a full review of the Passenger Name Record (PNR) Directive and provide a comprehensive report to the European Parliament and the Council on seven key aspects of the said Directive. These range from an assessment of the necessity and proportionality for collecting and processing PNR data in relation to each of the Directive’s purposes, to the length of the data retention period, and even the effectiveness of exchanging information among Member States, including statistical information on the number of passengers whose PNR data has been collected, exchanged or identified for further examination. The review could lead the European Commission to present a legislative proposal to amend the PNR Directive which could either reinforce, maintain or dilute the EU PNR system. More recently, two not-for-profit associations have legally challenged the national PNR schemes based on the PNR Directive. This paper questions the validity of certain provisions of the Directive in light of Opinion 1/15 of the Court of Justice of the European Union of 26 July 2017 concerning the EU-Canada PNR Agreement. It also calls on the European Commission, as guardian of the EU Treaties and of EU law, to conform the PNR Directive to the Luxembourg Court case-law on mass data retention schemes, taking advantage of the review momentum. Keywords: CJEU; Opinion 1/15; Directive 2016/681; data protection; PNR; law enforcement; data retention; Articles 7 and 8 of the Charter of Fundamental Rights

Paddy Leerssen, Barbara Giovanelli

European Data Protection Law Review, Volume 6 (2020), Issue 1, Page 158 - 163

Mark Leiser, Bart Custers

European Data Protection Law Review, Volume 5 (2019), Issue 3, Page 367 - 378

The Law Enforcement Directive (EU Directive 2016/680) has been heralded for its role in building a high level of data protection in criminal law. Data processed for ‘law enforcement purposes’ by ‘competent authorities’ must comply with principles of necessity, proportionality and legality, while ensuring appropriate safeguards in place for data subjects. However, there is ambiguity as to how the LED should work in practice due to several conceptual issues that the LED raises. This paper discusses three conceptual issues: consent, the categorisation of witnesses, suspects and victims, and the categorisation of facts versus opinions. Keywords: Law Enforcement Directive, Fundamental Rights, Consent, Law Enforcement Data, Directive 2016/680

Christopher Docksey, Hielke Hijmans

European Data Protection Law Review, Volume 5 (2019), Issue 3, Page 300 - 316

In this article we discuss the main trends in the recent case law of the CJEU, following the three landmark cases of Digital Rights Ireland, Google Spain, and Schrems. The CJEU has followed a broad approach to scope and a strict approach to exceptions, ensuring that where personal information is processed there will be one or more controllers who will be accountable for such processing. The Court has also recognised that data protection requires a balancing with other fundamental rights such as freedom of expression, and has followed a common sense approach that allows personal information to be processed in a proportionate manner for legitimate purposes. We conclude that the case law has had a positive impact on the data protection legal framework and that the CJEU is likely to maintain its approach in order to ensure that the GDPR is fully effective. Keywords: Case Law, CJEU, Accountability, Fundamental Rights, GDPR