The search returned 21 results.


European Union: CJEU Strikes Down CSAR and Interoperability Regulations in Two Landmark Decisions (Journal Article)

Teresa Quintel

European Data Protection Law Review, Volume 9 (2023), Issue 4, Pages 418 - 429

This contribution sets out a fictitious scenario in which the Court of Justice of the European Union hands down two important judgments regarding legislative measures in the year 2033. Those legislative measures chosen for the scenario are on the one hand, an imagined Regulation on preventing and combatting child sexual abuse online and, on the other, two Regulations establishing a framework for interoperability between EU information systems. The imaginary judgments, as put in the contribution, should be seen as landmark decisions as the Court scrutinised the existence of a continuous necessity of the laws in question in light of the relevant changes that took place since their adoption. In addition, the Court’s reasoning to declare void the above legislative measures, in both judgments, relied on the same proportionality assessment formula that already served as reference for similar decisions in the recent past. This contribution will briefly highlight the relevant aspects of the laws that were struck down by the Court, summarise the main developments that had an impact on the matters regulated by those laws and reiterate the main arguments found by the Court. The conclusion emphasises the importance of balancing different fundamental rights and interests in order to achieve an equilibrium between privacy and security.

Keywords: GDPR, e-Privacy Regulation, Regulation on preventing and combatting child sexual abuse online, interoperability of EU databases


Margari v Greece and Negru v Republic of Moldova: A Step Towards ‘Substantive’ Interdependence? (Journal Article)

Mariavittoria Catanzariti

European Data Protection Law Review, Volume 9 (2023), Issue 4, Pages 482 - 488

Case Margari v Greece, Application no 36705/16, Judgment of the European Court of Human Rights (Third Section) of 20 June 2023 and Case Negru v Republic of Moldova, Application no 7336/11, Judgment of the European Court of Human Rights (Second Section) of 27 June 2023

The cases offer a significant step towards the protection of the right to privacy in the context of criminal proceedings, the one addressing the risk of jeopardising the right to reputation of accused persons during criminal proceedings, the other focusing on the potential impact of criminal records collected by State agents on the presumption of innocence. Right to information and right to access have been considered by the Strasbourg Court as the key issues for effective judicial protection, not only in the field of data protection but through data protection in all fields, above all at trial.



Two Necessary Approaches to a Privacy-Friendly 2033 (Journal Article)

Alexander Dix

European Data Protection Law Review, Volume 9 (2023), Issue 3, Pages 305 - 310

Niels Bohr, the Danish Nobel prize winner, is known to have said ‘Prediction is very difficult, especially if it’s about the future!’ It is therefore rather futile to try and predict the future of data and privacy protection. Instead this article puts forward two conditions (inter alia) which should be met to make sure that privacy and data protection have the same or an even better standing as at present. They are of a regulatory and a non-regulatory nature. On a regulatory level it is suggested that the responsibility for implementing existing legal rules should no longer be restricted to controllers. On a non-regulatory level the key importance of improving media literacy and raising public awareness as a condition for individual autonomy in the digital age is stressed.

Keywords: artificial intelligence, informational self-determination, media literacy, privacy by design, product liability


ISO/IEC 27701 Standard: Threats and Opportunities for GDPR Certification (Journal Article)

Eric Lachaud

European Data Protection Law Review, Volume 6 (2020), Issue 2, Pages 194 - 210

The paper assesses the possible consequences for Article 42/43 certification of the publication of the ISO/IEC 27701:2019 standard. This new ISO standard establishes a management system that aims to manage ‘the processes for protecting the capture, accountability, availability, integrity, and confidentiality of personal data.’ The conformity with the standard’s requirements is certifiable by the private conformity assessment bodies interested in providing this service to businesses. The paper shows that ISO/IEC 27701:2019 based certification has many assets to dominate the market of data protection certification. It offers operational advantages to businesses that are looking for a readymade solution to streamline information security and data protection. A strong uptake of ISO/IEC 27701:2019 based certification could threaten Article 42/43 certification by creating two competing approaches of data protection compliance. But it could also offer the opportunity to improve the general level of data protection and encourage the European supervisory authorities to clarify the relationships they intend to establish with ISO privacy standards.

Keywords: certification, privacy, ISO, self-regulation, standardisation


Fundamental Rights, the Normative Keystone of DPIA (Journal Article)

Dara Hallinan, Nicholas Martin

European Data Protection Law Review, Volume 6 (2020), Issue 2, Pages 178 - 193

The General Data Protection Regulation mandates that data controllers conduct a Data Protection Impact Assessment (DPIA) for certain processing activities. The core of the substance of the DPIA obligation requires that data controllers engage in ‘an assessment of the risks to the rights and freedoms of data subjects [posed by the processing operation]’. A common interpretation has emerged that this obligation only requires data controllers to engage in a ‘compliance assessment’: an assessment of the risks of processing considering the concrete provisions of the GDPR. This article takes issue with this interpretation and offers an elaborated conceptual argument supporting the following, alternative, position: the obligation that the DPIA risk assessment process include ‘an assessment of the risks to the rights and freedoms of data subjects’ requires data controllers to take the complete catalogue of rights and freedoms, outlined in foundational European fundamental rights instruments, as the key normative reference point for the DPIA risk assessment process.

Keywords: data protection, privacy, GDPR, data protection impact assessment, DPIA, fundamental rights


Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems: AG Discusses the Validity of Standard Contractual Clauses and Raises Concerns Over Privacy Shield (C-311/18 Schrems II, Opinion of AG Saugmandsgaard Øe) (Journal Article)

Stefano Fantin

European Data Protection Law Review, Volume 6 (2020), Issue 2, Pages 325 - 331

Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, Opinion of the Advocate General Henrik Saugmandsgaard Øe of the Court of Justice of the European Union of 19 December 2019

The fact that personal data transferred for commercial purposes to the US under standard contractual clauses may later be accessed by US security services does not render the whole legal framework invalid per se. Under such schemes, a case-by-case approach is to be adopted, whereby appropriate data protection safeguards are expected to be monitored ex-ante by data controllers and ex-post by national data protection authorities. Conversely, transfers carried out under the Privacy Shield unveil questions on the effectiveness of the scheme to offset deficiencies of the US framework regulating foreign intelligence activities, with respect to the protection of European citizens’ fundamental rights.

Articles 2(2), 45, 46 and 58(2) of the General Data Protection Regulation – Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council OJ L 39 – Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union OJ C 326


Sparkling Lights in the Going Dark: Legal Safeguards for Law Enforcement’s Encryption Circumvention Measures (Journal Article)

Thiago Moraes

European Data Protection Law Review, Volume 6 (2020), Issue 1, Pages 41 - 55

This article discusses legal safeguards that could be in place in the European jurisdictions when law enforcement authorities conducting investigations of criminal offenses implement circumvention measures to bypass encryption technologies designed to protect the right to privacy of users of electronic communication services and equipment. The analysis is structured in three parts: first, two encryption technologies used by communication applications and devices are explained: end-to-end encryption and full disk encryption. Second, two encryption circumvention measures are discussed: government hacking and unlock orders. This study discusses their effectiveness against those encryption techniques, as well as their degree of invasiveness and potential harm to individuals’ rights to privacy and concludes with a list of possible legal safeguards that could be considered when implementing them. These safeguards are defined and discussed, based on European case law and national legislations analysis.

Keywords: encryption; right to privacy; surveillance; going dark


Planet49: Pre-Ticked Checkboxes Are Not Sufficient to Convey User’s Consent to the Storage of Cookies (C-673/17 Planet49) (Journal Article)

Agnieszka Jabłonowska, Adrianna Michałowicz

European Data Protection Law Review, Volume 6 (2020), Issue 1, Pages 137 - 142

Case C-673/17 Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e.V. v Planet49 GmbH, Judgment of the Court (Grand Chamber) of 1 October 2019

Consent of a website user, required for the lawful storage of information or access to information already stored, in the form of cookies, in his or her terminal equipment is not validly constituted by way of a pre-ticked checkbox, which the user must deselect to refuse consent. Conditions for the lawful storage and access are not to be interpreted differently according to whether or not the information stored or accessed on a website user’s terminal equipment qualifies as personal data. Information that the service provider must provide to a website user, prior to the storage of information in his or her terminal equipment, includes information on the duration of the operation of cookies and whether or not third parties may have access to it.

Articles 2(f) and 5(3) of Directive 2002/58/EC – Articles 2(h) and 10 of Directive 95/46/EC – Articles 4(11) and 13 of Regulation (EU) 2016/679

