Showing papers in "International Data Privacy Law in 2019"

Bottom-up data Trusts: disturbing the ‘one size fits all’ approach to data governance

Abstract: This paper proceeds from an analysis of the very particular type of vulnerability concomitant with our ‘leaking’ data on a daily basis, to show that data ownership is both unlikely and inadequate as an answer to the problems at stake. We also argue that the current construction of top-down regulatory constraints on contractual freedom is both necessary and insufficient. To address the particular type of vulnerability at stake, bottom-up empowerment structures are needed. The latter aim to ‘give a voice’ to data subjects whose choices when it comes to data governance are often reduced to binary, ill-informed consent. While the rights granted by instruments like the GDPR can be used as tools in a bid to shape possible data-reliant futures -such as better use of natural resources, medical care etc., their exercise is both demanding and unlikely to be as impactful when leveraged individually. We argue that the power that stems from aggregated data should be returned to individuals through the legal mechanism of Trusts. Bound by a fiduciary obligation of undivided loyalty, the data trustees would exercise the data rights conferred by the GDPR (or other top-down regulation) on behalf of the Trust’s beneficiaries. The data trustees would hence be placed in a position where they can negotiate data use in conformity with the Trust’s terms, thus introducing an independent intermediary between data subjects and data collectors. Unlike the current ‘one size fits all’ approach to data governance, there should be a plurality of Trusts, allowing data subjects to choose a Trust that reflects their aspirations, and to switch Trusts when needed. Data Trusts may arise out of publicly or privately funded initiatives. By potentially facilitating access to ‘pre-authorised’, aggregated data (consent would be negotiated on a collective basis, according to the terms of each Trust), our data Trust proposal may remove key obstacles to the realisation of the potential underlying large datasets.

Know your algorithm: what media organizations need to explain to their users about news personalization

Abstract: If the right to an explanation is expected to effectively safeguard users’ rights, it must be interpreted in a manner that takes the contextual risks algorithms pose to those rights into account. This article provides a framework of transparency instruments in the context of the news personalization algorithms employed by both traditional media organizations and social media companies. Explaining the impact on a user’s news diet and the role of editorial values in the algorithm is especially important in this context. Conversely, explanations of individual decisions and counterfactual explanations face specific practical and normative barriers that limit their utility.

A right to reset your user profile and more: GDPR-rights for personalized news consumers

Abstract: News media more and more process personal data of news consumers to provide a personalized news selection on the news media home pages or in their apps. This article shows that the journalism provision in Article 85 of the EU General Data Protection Regulation (‘GDPR’) does not apply to the processing of personal data for news personalization. Therefore, the GDPR generally applies to such processing. This article further finds that through exercising their data protection rights, news consumers may stop personalization or change their profile on which the personalization is based, to change the content that they are being recommended. We argue that in the context of news personalization, the most important function of the GDPR is to enable news consumers to determine how they are profiled or ‘read’.

Smart Contracts as a Form of Solely Automated Processing Under the GDPR

Abstract: This article examines the interaction between smart contracts and Article 22 GDPR. There is currently much debate regarding the potential of smart contracts. In spite of their name, this form of computer code is however neither necessarily smart nor a contract. I argue that they are, however, a form of solely automated data processing under Article 22(1) GDPR and subsequently examine the interaction between smart contracts and the European data protection framework to highlight uncertainties regarding the interpretation of the legal regime applying to solely automated forms of data processing under the GDPR.

GDPR bypass by design? Transient processing of data under the GDPR

Abstract: Be it facial detection scanners placed in airports and supermarkets, microphones in mobile and home devices, or imaging systems in autonomous vehicles on the streets, pervasive computing technologies introduce evermore sensors into our daily environment. Simultaneously, increased awareness of data protection has led engineers to more frequently employ privacy enhancing technologies in their products. In search of privacy-friendly applications controllers are discovering that minimizing the processed data by default might not only be in compliance with the data minimization principle: depending on the concrete design of the systems it could exclude their activities from the GDPR altogether, as its scope is restricted to the processing of personal data. In this article we examine some of these “transient data processing” technologies. By doing so, we critically analyze current and upcoming technologies and their applications in light of the GDPR and discuss the legal and societal implications of their advent.

EU data transfer rules and African legal realities: is data exchange for biobank research realistic?

Abstract: Key PointsTo effectively collaborate in biobanking and build capacity in low and middle-income countries, data transfer from European Union (EU) Member States to states in Africa is crucial.Althoug ...

Is the right to be forgotten a universal, regional, or ‘glocal’ right?

Abstract: Introduction: the right to be forgotten entailed several legal uncertainties at inception The ‘right to be forgotten’ (RTBF), or more precisely the ‘right to suppression’ continues its judicial saga as it is being examined by the very same Court that created it, following the submission of 11 preliminary questions by the French Council of State before the Court of Justice of the European Union (CJEU). Created by the CJEU in its Google Spain judgment on 13 May 2014, the right to be deindexed has been seen as ‘triply audacious’ with regard to its legal implications. First, it includes in the territorial scope of Directive 95/46 the search engine activity performed by Google Inc. from the USA. To this end, the Court first established that, although it had only a technical role in the processing of the search engine’s data, Google Inc.’s Spanish subsidiary had a business of selling advertising spaces intended for the Spanish market in order to make the service offered by Google Inc. profitable. Key Points

International cooperation by (European) security and intelligence services: reviewing the creation of a joint database in light of data protection guarantees

Abstract: Key Points Increasing multinational cooperation between intelligence and security services, including the establishment of a joint database on (alleged) jihadists, raises legal concerns over the protection of personal data, in particular with respect to the allocation of responsibility among participating states, the geographic scope of fundamental data protection norms, and the applicable law. It is argued that states participating in multinational cooperative efforts may share responsibility, eg in relation to a shared database. However, for reasons of proximity, the host state of the server has heightened duties of care. It is also argued that where a participating state, in particular the host state, exercises virtual control (jurisdiction) over an individual person’s data, such a state has data protection obligations towards that person, regardless of the latter’s location. Participating states, and again in particular the host state, are under an obligation to put in place adequate control systems, including with a view to preventing the transfer of data that have been gathered by states in breach of data protection guarantees. If systemic failures in the multilateral system are identified, states are barred from transferring data to the system, unless they can obtain credible guarantees that data will be adequately protected. General principles of data protection law, derived from case law as well as general or sector-specific regulations, govern the processing and transfer of data in the context of multinational intelligence cooperation, including the management of a joint database. There is no reason not to apply them in the context of national security.

Data protection and the construction of collective redress in Europe: exploring challenges and opportunities

Abstract: Article 80 on collective redress in the GDPR contains some of the famous circa 50 derogations that have diluted the degree of harmonisation in this EU main data protection instrument in force since May 2018. The provisions on collective action available in this framework law were not transcribed in a straightforward manner into the lex specialis to the GDPR - the proposal for the reformed e-Privacy Directive (redesigned as an e-Privacy Regulation) - and have required the co-legislators’ intervention to make them more explicit. The efforts required to bring collective redress dimension into the enforcement of the rights to privacy and data protection in the EU can be better understood if discussed in the context of the overall development of this type of remedy here. The process has been fragmented whilst a binding horizontal EU-wide measure is yet to be stipulated. In the meantime, as showcased by the recent CJEU decision in Schrems v Facebook, there are important and urgent questions such as the cross-border element that need to be answered both in terms of the real exercise of access to justice in enacting data protection as well as for consumer rights more broadly. The provisions on collective redress in the new EU data protection legislation have been bold steps in strengthening fundamental rights, but their real impact will depend on other processes developing in parallel, such as the national collective redress schemes, the horizontal EU-level instruments and the case law of the CJEU and national courts.