
The search returned 9 results.

Data Protection for Genomics and Brain Data: journal article

Personal Privacy Versus Scientific Innovation in the United States and European Union

Robert I. Field

European Data Protection Law Review, Volume 10 (2024), Issue 1, Page 30 - 42

Two powerful new technologies enable the collection of especially intimate personal information and pose special threats to privacy. These are technologies that collect and analyse data on the genomes and brain activity of individuals. Both technologies are enabling tremendous medical advances, but they come with new kinds of risks to the individuals whose information is compiled. The United States and European Union have so far taken different paths in their approach to balancing scientific innovation and individual privacy, with important implications for these technologies. While laws in both jurisdictions leave gaps in privacy protection, those in the United States are especially porous, particularly with regard to data amassed by private companies that collect them from customers on a direct-to-consumer basis. However, even in the EU where the General Data Protection Regulation offers a single comprehensive regulatory scheme for residents of member states, privacy protection is incomplete and will likely be reduced by a subsequent regulatory proposal, the European Health Data Space. This article describes key privacy laws in both jurisdictions concerning health-related information, explains the implications of their shortcomings for genomic and brain data, and suggests reforms to address those shortcomings. These reforms would promote closer convergence of laws in the two jurisdictions, which could provide more consistent protection for individuals and clearer compliance standards for entities that use sensitive health data to advance new technologies. Keywords: genomics; neurotechnology; privacy; GDPR; regulation


European Union: CJEU Strikes Down CSAR and Interoperability Regulations in Two Landmark Decisions journal article

Teresa Quintel

European Data Protection Law Review, Volume 9 (2023), Issue 4, Page 418 - 429

This contribution sets out a fictitious scenario in which the Court of Justice of the European Union hands down two important judgments regarding legislative measures in the year 2033. Those legislative measures chosen for the scenario are on the one hand, an imagined Regulation on preventing and combatting child sexual abuse online and, on the other, two Regulations establishing a framework for interoperability between EU information systems. The imaginary judgments, as put in the contribution, should be seen as landmark decisions as the Court scrutinised the existence of a continuous necessity of the laws in question in light of the relevant changes that took place since their adoption. In addition, the Court’s reasoning to declare void the above legislative measures, in both judgments, relied on the same proportionality assessment formula that already served as reference for similar decisions in the recent past. This contribution will briefly highlight the relevant aspects of the laws that were struck down by the Court, summarise the main developments that had an impact on the matters regulated by those laws and reiterate the main arguments found by the Court. The conclusion emphasises the importance of balancing different fundamental rights and interests in order to achieve an equilibrium between privacy and security. Keywords: GDPR, e-Privacy Regulation, Regulation on preventing and combatting child sexual abuse online, interoperability of EU databases



ISO/IEC 27701 Standard: Threats and Opportunities for GDPR Certification journal article

Eric Lachaud

European Data Protection Law Review, Volume 6 (2020), Issue 2, Page 194 - 210

The paper assesses the possible consequences for Article 42/43 certification of the publication of the ISO/IEC 27701:2019 standard. This new ISO standard establishes a management system that aims to manage ‘the processes for protecting the capture, accountability, availability, integrity, and confidentiality of personal data.’ The conformity with the standard’s requirements is certifiable by the private conformity assessment bodies interested in providing this service to businesses. The paper shows that ISO/IEC 27701:2019 based certification has many assets to dominate the market of data protection certification. It offers operational advantages to businesses that are looking for a readymade solution to streamline information security and data protection. A strong uptake of ISO/IEC 27701:2019 based certification could threaten Article 42/43 certification by creating two competing approaches of data protection compliance. But it could also offer the opportunity to improve the general level of data protection and encourage the European supervisory authorities to clarify the relationships they intend to establish with ISO privacy standards. Keywords: certification, privacy, ISO, self-regulation, standardisation


Codes of (Mis)conduct? An Appraisal of Articles 40-41 GDPR in View of the 1995 Data Protection Directive and Its Shortcomings journal article

Carl Vander Maelen

European Data Protection Law Review, Volume 6 (2020), Issue 2, Page 231 - 242

The EU increasingly integrates alternative regulatory instruments (ARIs) in legislation, encouraging private stakeholder participation in the implementation and enforcement processes of those hard law instruments. Articles 40 and 41 GDPR are an example thereof, stipulating that bodies representing categories of controllers or processors should develop codes of conduct to specify the concrete application of the GDPR’s principles, rights and obligations. This article first analyses the legislative predecessor to these articles: Article 27 of the Data Protection Directive (DPD). Available information concludes that both the so-called ‘Community codes’ and national codes under this provision failed to make their desired impact. Second, this contribution inspects the key objectives, as well as the material and formal content of Articles 40 and 41 GDPR to identify similarities and differences between the DPD and the GDPR. Preliminary and cautious predictions are offered on whether GDPR codes of conduct will chart a more successful course. Keywords: codes of conduct, GDPR, 1995 Data Protection Directive, Articles 40-41 GDPR, co-regulation


Data Protection Authorities and their Awareness-raising Duties under the GDPR: The Case for Engaging Umbrella Organisations to Disseminate Guidance for Small and Medium-size Enterprises journal article open-access

Leanne Cochrane, Lina Jasmontaite-Zaniewicz, David Barnard-Wills

European Data Protection Law Review, Volume 6 (2020), Issue 3, Page 352 - 364

In this paper we explore EU data protection authorities’ (DPAs) role as leaders and educators, particularly in relation to awareness-raising efforts with Small and Medium-sized Enterprises (SMEs). The GDPR made awareness-raising duties of DPAs explicit whilst SMEs face challenges complying with data protection law. We posit that DPAs should make better strategic use of collaboration with SME Associations as intermediaries to better access and understand the needs of SMEs. This collaboration could facilitate dissemination of guidance and information addressed to SMEs. It could also help to overcome concerns expressed by SME representatives about the existing guidance provided by DPAs as being overly generic, focused on legal theory, and in some states arriving too late for implementation. We suggest that by working together SME Associations and DPAs could increase their own working efficiency as well as that of SMEs. We build our arguments on the findings of an online survey of 52-60 SME representatives and semi-structured qualitative interviews with 18 DPAs, 22 SME Association representatives and 11 SME representatives. Keywords: Awareness Raising, Compliance, Data Protection Authorities, Deterrence, Enforcement Strategies, General Data Protection Regulation


Data Protection or Data Frustration? Individual Perceptions and Attitudes Towards the GDPR journal article

Joanna Strycharz, Jef Ausloos, Natali Helberger

European Data Protection Law Review, Volume 6 (2020), Issue 3, Page 407 - 421

Strengthening individual rights, enhancing control over one’s data and raising awareness were among the main aims the European Commission set for the General Data Protection Regulation (GDPR). In order to assess whether these aims have been met, research into individual perceptions, awareness, and understanding of the Regulation is necessary. This study thus examines individual reactions to the GDPR in order to provide insights into user agency in relation to the Regulation. More specifically, it discusses empirical data (survey with N = 1288) on individual knowledge of, reactions to, and rights exercised under the GDPR in the Netherlands. The results show high awareness of the GDPR and knowledge of individual rights. At the same time, the Dutch show substantial reactance to the Regulation and doubt the effectiveness of their individual rights. These findings point to several issues obstructing the GDPR’s effectiveness, and constitute useful signposts for policy-makers and enforcement agencies to prioritise their strategies in achieving the original aims of the Regulation. Keywords: General Data Protection Regulation, Individual Perceptions, Reactance to Law, User Agency, User Empowerment


Peter Nowak v Data Protection Commissioner: journal article

Potential Aftermaths Regarding Subjective Annotations in Clinical Records

Daniel Jove

European Data Protection Law Review, Volume 5 (2019), Issue 2, Page 175 - 183

On 20 December 2017 the European Court of Justice gave its judgment on the Nowak case. This ruling addresses the potential application of the General Data Protection Regulation (GDPR) to the answers and subjective comments of the examiner. The classification of this data as personal data entails, for the candidate, the possibility of using their rights of access, rectification and objection. This study analyses the Nowak ruling and reflects on the possibility of extrapolating the doctrine which it establishes to other areas. The spotlight is placed specifically on subjective comments in a medical history. The nature of this information is analysed in order to establish whether it is the patient’s personal data and also if limiting the right to access this information is compatible with the GDPR. Keywords: Data Protection, Subjective Annotations, Clinical Record, GDPR, General Data Protection Regulation, European Court of Justice


Contesting Automated Decisions: journal article

A View of Transparency Implications

Emre Bayamlioglu

European Data Protection Law Review, Volume 4 (2018), Issue 4, Page 433 - 446

This paper identifies the essentials of a ‘transparency model’ which aims to scrutinise automated data-driven decision-making systems not by the mechanisms of their operation but rather by the normativity embedded in their behaviour/action. First, transparency-related concerns and challenges inherent in machine learning are conceptualised as ‘informational asymmetries’, concluding that the transparency requirements for the effective contestation of automated decisions go far beyond the mere disclosure of algorithms. Next, essential components of a rule-based ‘transparency model’ are described as: i) the data as ‘decisional input’, ii) the ‘normativities’ contained by the system both at the inference and decision (rule-making) level, iii) the context and further implications of the decision, and iv) the accountable actors. Keywords: Algorithmic Transparency, Automated Decisions, GDPR Article 22
