Gabriela Zanfir

Bio: Gabriela Zanfir is an academic researcher from Future of Privacy Forum. The author has contributed to research in topics: Data Protection Act 1998 & Right to be forgotten. The author has an hindex of 3, co-authored 7 publications receiving 34 citations.

The right to Data portability in the context of the EU data protection reform

Abstract: The proposal for reform of the data protection legal framework, recently made public by the European Commission (EC), specifically enshrines a ‘right to data portability’, which is designed to reduce the difficulties for individuals to stay in control of their personal data, along with the provision of a ‘right to be forgotten’ and a ‘right to rectification’.The debates surrounding these privacy concerns, especially related to cloud computing (another ubiquitous concept), have not enjoyed a clear, unitary discourse, as IT developments have almost out-run the rhythm in which legal scholars were analysing recent threats to privacy, and especially internet privacy.This paper aims to reveal the characteristics of data portability as a legal concept in the modern world of privacy and data protection; it focuses on a few aspects of the reform proposed by the Commission, highlighting the detailed provisions of the right to data portability in the larger context of the reform.It also discusses data portability’s impact on competition and its links to international data transfers, as they will be regulated in the new EU data protection law. It concludes that data portability is a right of the data subject strongly connected with a fundamental right to the free development of human personality, and is also a function that cloud computing services worldwide will have to provide in order to increase users’, customers’ or consumers’ trust.

Tracing the Right to Be Forgotten in the Short History of Data Protection Law: The “New Clothes” of an Old Right

Abstract: When the European Commission (EC) published its draft Data Protection Regulation (DPR) in early 2012, a swirl of concern hit data controllers regarding the introduction of a sophisticated “right to be forgotten” in the proposal for the future DPR, which was considered to unprecedentedly impact the internet and its economics. Critics and advocates of the right to be forgotten engaged in consistent theoretical debates, doubled by the technical discourse about its (un)feasibility. This paper “deconstructs” the right to be forgotten into the individual prerogatives which are in fact granted to persons. It shows that those prerogatives already exist to an extended degree in EU law, and have existed in the first data protection laws enforced in Europe. In addition, the controversial obligation to inform third parties about the erasure request is a “duty of best efforts” which pertains to controllers and which is significantly different than a duty to achieve a result. Recourse will be made to private law theory to underline this difference.

The Right to the Protection of Personal Data (Dreptul la Protecţia Datelor cu Caracter Personal)

Abstract: (The article is written in Romanian)This article aims to analyze, from two perspectives, the right to the protection of personal data, a right which had maybe the most dynamic evolution in the last three decades on a very narrow niche. Firstly, we will focus on the right’s content by analyzing thoroughly the provisions which enshrine it. Secondly, we are interested to reason whether it is a new fundamental right, distinct from the right to the protection of private life or not. The right to the protection of personal data was born out of the necessity to protect the individual from the avalanche-like development of a computerized human society. Personal data have been legally defined as,"any information relating to an identified or identifiable natural person,” covering, therefore, a generous sphere of protection.Because it is a relatively new and less known right, we are interested in describing this generous sphere of protection. We will look upon the first important legal act which regulated distinctly and in detail the right to the protection of personal data – the 108 Convention of the Council of Europe from 1981 for the protection of individuals with regard to automatic processing of personal Data. Further, we will analyze Article 16 of the Treaty of Lisbon which enshrines the right to the protection of personal data. This provision was introduced for the first time in an EU treaty in Article 16, which became the central piece in the protection of personal data in the Member States of the EU. We will analyze the extent in which Article 16 may enjoy direct effect. Further we will concentrate on Article 8 of the Charter of Fundamental Rights of the European Union, which is exclusively dedicated to data protection.In the next section we will analyze the content of this right from the perspective of the provisions of Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. We will look upon the criteria for making data processing legitimate, the special categories for processing and the scope of the independent supervisory authorities created in all EU Member States.In the last section we will analyze the possibility that the right to the protection of personal data is a new fundamental right from both a formal and a substantial point of view.

The hesitating steps of the romanian courts towards judicial dialogue on eu law matters

Abstract: One of the greatest challenges of Romania’s accession to the European Union was faced by the judiciary. The courts – of first instance, last instance, along with the Supreme Court and the Constitutional Court, had just started to act as European courts for the purpose of the European Convention of Human Rights’ (ECHR) application and, beginning with 1 January 2007, they had to face a completely new and different supranational legal system, which came with a bigger and a more complex set of rules than the ECHR system. Some courts realized very soon that the key for this complex system to work is judicial dialogue, and the Jipa judgment of the Court of Justice of the European Union (CJEU) is a proof of that. Their example was followed by other courts with hesitating steps, while, at the same time, the judiciary struggled to get familiarized with the principle of primacy of EU law. The study will point out the usual confusions that Romanian courts make with regard to the use of the preliminary reference procedure and the relation between national and EU law, which will be reflected by the sections dedicated to the three main legal issues that were the catalyst for the judicial dialogue between the national courts and the CJEU: the European arrest warrant, the pollution tax for second-hand vehicles and the consumers protection provisions in relation with unfair terms in contracts. The study leads to the conclusion that Romanian courts are still confused with their status in the EU law system. This paper will also show that the Romanian Constitutional Court has contributed to this confusion, firstly by making insufficient steps to guarantee that EU law, lato sensu, is properly observed in the national legal system, even challenging, in certain cases, the principle of primacy of EU law, and secondly by completely refusing to address preliminary references to the CJEU.

The Right to Data Portability in the Context of the EU Data Protection Reform

Abstract: The proposal for reform of the data protection legal framework, recently made public by the European Commission (EC), specifically enshrines a ‘right to data portability’, which is designed to reduce the difficulties for individuals to stay in control of their personal data, along with the provision of a ‘right to be forgotten’ and a ‘right to rectification’.The debates surrounding these privacy concerns, especially related to cloud computing (another ubiquitous concept), have not enjoyed a clear, unitary discourse, as IT developments have almost out-run the rhythm in which legal scholars were analysing recent threats to privacy, and especially internet privacy.This paper aims to reveal the characteristics of data portability as a legal concept in the modern world of privacy and data protection; it focuses on a few aspects of the reform proposed by the Commission, highlighting the detailed provisions of the right to data portability in the larger context of the reform.It also discusses data portability’s impact on competition and its links to international data transfers, as they will be regulated in the new EU data protection law. It concludes that data portability is a right of the data subject strongly connected with a fundamental right to the free development of human personality, and is also a function that cloud computing services worldwide will have to provide in order to increase users’, customers’ or consumers’ trust.

The Legal Protection of Personal Images Shared on Social Networks in Australia

Abstract: Social networks have changed the nature of communication in the modern world: they have changed how people communicate, the frequency and mode of communication, and how people relate to those communications. Social networks have also changed the type of information that is communicated. One of the notable developments has been a proliferation of the sharing of images that people have taken themselves. From the ubiquitous selfie through to group shots, personal images are now a key part of modern social communication. A number of problems have arisen as a consequence of the rapid increase in the sharing of personal images online. This is because personal images uploaded online are, more now than ever, prone to misuse. Third parties are easily able to reuse, distort and alter images that are uploaded on social networks. As a result, people are at risk of losing control over the images that they upload online.

Blockchain Regulation and Governance in Europe

Abstract: In Blockchain Regulation and Governance in Europe, Michele Finck examines the relationship between blockchain technology and EU law and introduces the theme of blockchain governance. The book provides a general introduction to blockchains as both a regulatable and a regulatory technology and outlines the interaction between distributed ledger technology and specific areas of EU law, such as the General Data Protection Regulation. It should be read by anyone interested in EU law, the relationship between law, innovation and technology, and technology governance.

Smart Contracts and Smart Disclosure: Coding a GDPR Compliance Framework

Abstract: This chapter analyses some of the main legal requirements laid down in the new European General Data Protection Regulation (GDPR) with regard to hybrid Cloud Computing transformations. The GDPR imposes several restrictions on the storing, accessing, processing and transferring of personal data. This has generated some concerns with regard to its practicability and flexibility given the dynamic nature of the Internet. The current architecture and technical features of the Cloud do not allow adequate control for end-users. Therefore, in order for the Cloud adopters to be legally compliant, the design of Cloud Computing architectures should include additional automated capabilities and certain nudging techniques to promote better choices. This chapter explains how to fine tune and effectively embed these legal requirements at the earlier stages of the architectural design of the computer code. This automated process focuses on Smart Contracts and Service Level Agreements (SLAs) frameworks, which include selection tools that take an information schema and a pseudo-code that follows a programming logic to process information based on that schema. The pseudo-code is essentially the easiest way to write and design computer code, which can check automatically the legal compliance of the contractual framework. It contains a set of legal questions that have been specifically designed to urge Cloud providers to disclose relevant information and comply with the legal requirements established by the GDPR.

Protecting Individuals Against the Negative Impact of Big Data: Potential and Limitations of the Privacy and Data Protection Law Approach

Abstract: This thesis is about the protection of individuals against the negative impact that big data may have on their private lives. Many positive and promising developments result from big data, but the massive collection and use of data also raise a host of issues. In the European Union, the rights to privacy and to data protection are the focal point in the discussion of the dark side of big data for individuals. They are perceived as being both the primary rights at risk, as well as the solution to the problems that big data creates. This thesis acknowledges the importance of the rights to privacy and data protection, but argues that this perspective is too narrow. The effects of big data on the lives of individuals transcend privacy and data protection. By conceptualising big data as a process that consists of the acquisition and analysis of (personal) data and the application of the outcomes thereof, it finds that the potential consequences may also be particularly severe for personal autonomy, freedom of expression, and non-discrimination. EU data protection law is analysed to see to what protection it offers to the rights to privacy and to data protection, and to assess the extent to which it (indirectly) protects these other individual rights and freedoms. The conclusion is that data protection law offers a high but insufficient level of protection. Many of big data’s negative consequences for individual rights and freedoms turn out to be beyond the scope of the rights to privacy and data protection. This thesis therefore concludes that to protect individuals’ rights and freedoms, it is necessary to look beyond the privacy and data protection approach. The only way to resolve the problems arising from big data is an integrated approach that consists of legal solutions that complement each other, and reflects the multi-faceted nature of the problem at hand.