Showing papers in "European Data Protection Law Review in 2020"

Data Protection or Data Frustration? Individual Perceptions and Attitudes Towards the GDPR

Abstract: Strengthening individual rights, enhancing control over one’s data and raising awareness were among the main aims the European Commission set for the General Data Protection Regulation (GDPR). In order to assess whether these aims have been met, research into in- dividual perceptions, awareness, and understanding of the Regulation is necessary. This study thus examines individual reactions to the GDPR in order to provide insights into user agency in relation to the Regulation. More specifically, it discusses empirical data (survey with N = 1288) on individual knowledge of, reactions to, and rights exercised under the GDPR in the Netherlands. The results show high awareness of the GDPR and knowledge of individ- ual rights. At the same time, the Dutch show substantial reactance to the Regulation and doubt the effectiveness of their individual rights. These findings point to several issues ob- structing the GDPR’s effectiveness, and constitute useful signposts for policy-makers and en- forcement agencies to prioritise their strategies in achieving the original aims of the Regu- lation.

ISO/IEC 27701 Standard: Threats and Opportunities for GDPR Certification

Abstract: The paper assesses the possible consequences for Article 42/43 certification of the publication of the ISO/IEC 27701:2019 standard. This new ISO standard establishes a management system that aims to manage ‘the processes for protecting the capture, accountability, availability, integrity, and confidentiality of personal data.’ The conformity with the standard’s requirements is certifiable by the private conformity assessment bodies interested in providing this service to businesses. The paper shows that ISO/IEC 27701:2019 based certification has many assets to dominate the market of data protection certification. It offers operational advantages to businesses that are looking for a readymade solution to streamline information security and data protection. A strong uptake of ISO/IEC 27701:2019 based certification could threaten Article 42/43 certification by creating two competing approaches of data protection compliance. But it could also offer the opportunity to improve the general level of data protection and encourage the European supervisory authorities to clarify the relationships they intend to establish with ISO privacy standards.

Anonymised Data and the Rule of Law

Abstract: The scope of application of the GDPR is determined by whether data are personal data or not, hence are anonymous data. By still insisting on Opinion 5/2014 the EDPB ignores that in 2016 the CJEU gave a different test to decide whether data are anonymous or not. Our proposal with the six safes test builds on that decision and will also bring the rule of law back in another essential dimension, namely legal certainty. The factors which decide whether data are anonymous or not can be influenced by the holder of the data, while Opinion 5/2014 states that anonymous data can become personal data again because of amongst other things new statistical techniques.

The Data-Laundromat?

Abstract: Law enforcement increasingly relies on complex machine learning approaches to support investigations. With limited knowledge and funding LEAs often depend on opaque privatepublic collaborations. Failure to provide legal bases on the national level paired with shortcomings both in the GDPR and Directive EU-2016/680 (LED) result in severe risks for fundamental rights of EU citizens. To overcome these risks an interdisciplinary discussion is required. This paper hence sheds light on technical challenges and misconceptions as well as legal shortcomings to foster a common understanding of the challenges to find out how they might be addressed. To do so, the author searches for common ground of ‘public availability’ and reviews currently used technical approaches and common processing constellations. Based on the outcomes, the author proposes a change in the LED and discusses a centralised institution to govern access to novel data driven technology.