Showing papers in "European Data Protection Law Review in 2019"
9 citations
7 citations
6 citations
5 citations
5 citations
TL;DR: The Law Enforcement Directive (LED) has been heralded for its role in building a high level of data protection in criminal law as discussed by the authors, but there is ambiguity as to how the LED should work in practice due to several conceptual issues that the LED raises.
Abstract: The Law Enforcement Directive (EU Directive 2016/680) has been heralded for its role in building a high level of data protection in criminal law. Data processed for ‘law enforcement purposes’ by ‘competent authorities’ must comply with principles of necessity, proportionality and legality, while ensuring appropriate safeguards in place for data subjects. However, there is ambiguity as to how the LED should work in practice due to several conceptual issues that the LED raises. This paper discusses three conceptual issues: consent, the categorisation of witnesses, suspects and victims, and the categorisation of facts versus opinions.
4 citations
4 citations
4 citations
TL;DR: A United Kingdom mass surveillance law, allowing for bulk interception by intelligence agencies and data sharing with foreign counterparts, violated both Article 8 and Article 10 of the EuropeanConvention onHuman Rights as discussed by the authors.
Abstract: A United Kingdom masssurveillance law, allowing for bulk interception by intelligence agencies and data sharing with foreign counterparts, violated both Article 8 and Article 10 of the EuropeanConvention onHuman Rights. The EuropeanCourt of Human Rights(ECtHR) found that, inter alia, the lack of oversight of the entire selection process and the absence of any real safeguards applicable to the selection of related communications data for the examination constitute a violation of the right to privacy. Although the ECtHR did not find a violation of Article 8 in relation to intelligence data sharing, it is important that it acknowledged for the first time its importance and stressed that the minimum requirements it has developed for gathering data also apply to sharing the data.
3 citations
3 citations
TL;DR: In this paper, the authors argue that Australia should consider establishing a privacy tort over the Internet, which will provide a higher level of control to data subjects over their personal data and deter entities from misusing that data.
Abstract: The development and evolution of data protection law is not fully realised. One challenge that has emerged is the recognition of a tort for violating a person’s personal information contrary to data protection law. The issue is that courts have found it difficult to determine and assess the harm caused to the data subject. The courts in the United Kingdom (UK) and Canada have recently developed a tort for infringing privacy in personal data. What has emerged is that courts in those two countries have begun to establish some key principles to underpin a tort violating privacy, by providing guidance on measuring the ensuing harm. That tort is also developing in the United States. This article argues that other common law jurisdictions, notably Australia, should consider going down the same pathway, by establishing a privacy tort over the Internet. Such a tort in data protection will provide a higher level of control to data subjects over their personal data and deter entities from misusing that data. However, that tort may fail to protect data subjects from the misuse of their personal data if the law requires harm to eventuate, as is required by the tradition tort of privacy. This must be considered with caution because, unlike traditional notions of a tort in privacy, a privacy violation of over the Internet may take weeks, months or years to identify. Contrarily, tort law has been effective in reducing and deterring negligence in privacy related cases, strengthening the rationale for a tort in personal data over the Internet.
TL;DR: An historical overview of the evolution of the protection of data concerning health is given, which also leads to a discussion on the current broad definition and offers possible solutions for the use of (the term) ‘data concerning health’.
Abstract: More and more, medical practitioners use modern technologies such as apps and wearables in their treatment plan. The GDPR defines these kinds of data as ‘data concerning health’. However, also the term ‘medical data’ is being used. Furthermore, the Council of Europe uses terms such as ‘personal health data’ and ‘medical welfare data’. Using all these different terms makes it difficult to understand what is protected by these terms and what is not. This article gives an historical overview of the evolution of the protection of data concerning health, which also leads to a discussion on the current broad definition and offers possible solutions for the use of (the term) ‘data concerning health’.
TL;DR: The article analyses the potential tension points between the two sets of rules, which result from the underlying policy objectives of safeguarding privacy in electronic communications and the functioning of the digital economy in the emerging era of platform governance.
Abstract: For the first time, two pieces of EU legislation will specifically target smartphone ecosystems in relation to smartphone and mobile software (eg, iOS and Android) privacy, and use and monetisation of data. And yet, both pieces of legislation approach data use and data monetisation from radically contrasting perspectives. The first is the proposed ePrivacy Regulation, which seeks to provide enhanced protection against user data monitoring and tracking in smartphones, and safeguard privacy in electronic communications. On the other hand, the recently enacted Platform-to-Business Regulation 2019, seeks to bring fairness to platform-business user relations (including app stores and app developers), and is crucially built upon the premise that the ability to access and use data, including personal data, can enable important value creation in the online platform economy. This article discusses how these two Regulations will apply to smartphone ecosystems, especially relating to user and device privacy. The article analyses the potential tension points between the two sets of rules, which result from the underlying policy objectives of safeguarding privacy in electronic communications and the functioning of the digital economy in the emerging era of platform governance. The article concludes with a discussion on how to address these issues, at the intersection of privacy and competition in the digital platform economy.
TL;DR: The DNA Act aims to increase the efficiency of arresting criminals and prevent future crimes, but also received backlash due to the violation of basic rights, such as the right to self-determination of personal information, with regards to specific details of a list of crimes where sample collection is permitted.
Abstract: The Act on Use and Protection of DNA Identification Information (DNA Act) of the Republic of Korea was legislated in January 2010, with the purpose of ‘contributing to investigations and prevention of crimes and the protection of citizens' rights and interests by providing for matters necessary for the collection, use, and protection of DNA identification information (DNA information).’ The adoption of the Act took 15 years, long enough time to witness various opinions and different versions of the bill. One of the most notable and heatedly debated issues was the ‘protection of basic rights vs. efficiency of apprehending criminals and prevention of recidivism’. The rationale behind the DNA Act is to arrest a perpetrator by quickly identifying him/her through comparison of DNA information against the registered database when a violent crime occurs, while eliminating innocent people in the early stages and ensuring the prevention of recidivism of people whose DNA information is already within the registry. In short, the Act aims to increase the efficiency of arresting criminals and prevent future crimes. However, the Act also received backlash due to the violation of basic rights, such as the right to self-determination of personal information, with regards to specific details of a list of crimes where sample collection is permitted, the scope of offenders subject to collection, the legal basis of the DNA sample collection and analysis, and the destruction of DNA samples and information. Furthermore, a more fundamental question has also been asked about the efficacy of the DNA database: does it really prevent recidivism? A look at the details of the DNA Act will help clarify these issues.
Journal Article•
TL;DR: In this paper, the authors used the Digital Economy Act 2017 (DEA) as a case study for analysis of the GDPR provisions governing processing of data for research purposes, including de-identification.
Abstract: The EU General Data Protection Regulation (‘GDPR’) seeks to balance the public interest in research with privacy rights of individuals, in particular, through research exemptions and safeguards set out in Article 89. While this affords Member States limited opportunities to modify the application of the GDPR at a national level, including for data processing that is necessary for the performance of a task carried out in the public interest, it is necessary for national approaches to conform with Article 89 safeguards where appropriate. One development of interest to the research community in the UK is a statutory power for public authorities to disclose administrative data for research under the Digital Economy Act 2017 (DEA). This article uses the DEA as a case study for analysis of the GDPR provisions governing processing of data for research purposes—including de-identification—and draws on human rights norms and jurisprudence to interpret the broad requirement for ‘appropriate safeguards’ for the ‘rights and freedoms of the data subject’ under Article 89. This analysis is important for data controllers seeking to meet their obligations under the UK framework and for those in other EU Member States considering the development of similar national provisions for data processing for research purposes.