Similar literature
1.
Data protection regulations are undergoing a global reform. The European Commission proposed a reform of the EU data protection framework in 2012. One major driver for the reform has been the research on consumer perceptions indicating that consumers are worried about their personal privacy. However, there has been practically no research on the perceptions of companies (the controllers of the personal data) regarding the data protection reform. This research analyses the awareness of, and the willingness to act towards compliance with, the proposed General Data Protection Regulation (GDPR) in Finland in 2013. The GDPR will replace the Finnish Personal Data Act and therefore plays a central role in Finnish privacy regulation. This research found that the general level of awareness was low: only 43% of the controllers were aware of the forthcoming reform. The willingness to act or to take steps towards compliance was even lower: 31% of controllers said that they are planning to act towards compliance during this year. These results indicate that the companies are quite unfamiliar with the reform, which correlates with other relevant studies in Europe. Personal data are said to be the oil of the digital economy, the hottest commodity on the market today. There are companies that understand this, but the majority seem to ignore it, at least as far as their awareness of the reform is concerned, even though the reform captures many of the best practices regarding the processing of personal data.

2.
Public and private sector organisations are now able to capture and utilise data on a vast scale, thus heightening the importance of adequate measures for protecting against unauthorised disclosure of personal information. In this respect, data breach notification has emerged as an issue of increasing importance throughout the world. It has been the subject of law reform in the United States and in other jurisdictions. This article reviews US, Australian and EU legal developments regarding the mandatory notification of data breaches. The authors highlight areas of concern based on the extant US experience that require further consideration in Australia and in the EU.

3.
Data breach notification laws require organisations to notify affected persons or regulatory authorities when an unauthorised acquisition of personal data occurs. Most laws provide a safe harbour to this obligation if the acquired data has been encrypted. There are three types of safe harbour: an exemption, a rebuttable presumption and a factor-based analysis. We demonstrate, using three condition-based scenarios, that the broad formulation of most encryption safe harbours is based on the flawed assumption that encryption is the silver bullet for personal information protection. We then contend that reliance upon an encryption safe harbour should be dependent upon a rigorous and competent risk-based review that is required on a case-by-case basis. Finally, we recommend the use of both an encryption safe harbour and a notification trigger as our preferred choice for a data breach notification regulatory framework.

4.
The recent enforcement of the GDPR has put extra burdens on data controllers operating within the EU. Beyond other challenges, the exercise of the Right to be Forgotten by individuals who request erasure of their personal information has also become a thorny issue when applied to backups and archives. In this paper, we discuss the GDPR forgetting requirements with respect to their impact on the backup and archiving procedures stipulated by modern security standards. We specifically examine the implications of erasure requests on current IT backup systems and we highlight a number of envisaged organizational, business and technical challenges pertaining to the widely known backup standards, data retention policies, backup media, search services, and ERP systems.

5.
The EU and the United States have implemented data breach notification rules that cover the health sectors. Nevertheless, data breach incidents involving medical data continue to rise, especially in the US and the UK. The HITECH Act, Pub. L. 111-5 Title XIII, is the first federal health breach notification law in the US to be characterized by less government intrusion, while the revised EU Privacy Directive, 2009/136/EC, calls for tougher privacy protection for data held by electronic communication providers. While the EU law sets a global de facto standard, the law remains toothless without strong enforcement mechanisms.

6.
This research analyses the conditions imposed on national, EU and non-EU citizens who wish to access minimum income (MI) benefits within four EU Member States, specifically Finland, France, Ireland and Spain. The primary aim is to identify and compare the required MI access conditions. Furthermore, focus is given to the residence requisites, which are discussed in relation to relevant supranational regulations in order to detect possible multilevel implications. The paper concludes with the identification of different MI conditions, such as stricter age requisites in France and Spain. Moreover, the study of national cases allows for consideration of how the EU social protection floor works at the national level. In this regard, the restrictions that affect EU/EEA migrant jobseekers and economically inactive population groups who wish to access MI in Finland, France and Ireland show the limits of the EU minimum social assistance floor, only recognised for EU/EEA migrant workers. Finally, implications arise according to human rights instruments such as the European Social Charter, which demands that social assistance shall not be confined to nationals or to certain categories of foreigners, allowing for comparison between the different personal scopes of the equal treatment principle required by the distinct supranational levels.

7.
This article argues that Australia's recently passed data breach notification legislation, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), and its coming into force in 2018, makes an internationally important, yet imperfect, contribution to data breach notification law. Against the backdrop of data breach legislation in the United States and European Union, a comparative analysis is undertaken between these jurisdictions and the Australian scheme to elucidate this argument. Firstly, some context to data breach notification provisions is offered, which are designed to address some of the problems data breaches cause for data privacy and information security. There have been various prominent data breaches affecting Australians over the last few years, which have led to discussion of what can be done to deal with their negative effects. The international context of data breach notification legislation will be discussed, with a focus on the United States and European Union jurisdictions, which have already adopted similar laws. The background to the adoption of the Australian legislation will be examined, including the general context of data privacy and security protection in Australia. The reform itself will then be considered, along with the extent to which this law is fit for purpose and some outstanding concerns about its application. While data breach notification requirements are likely to be a positive step for data security, further reform is probably necessary to ensure strong cybersecurity. However, such reform should be cognisant of the international trend towards the adoption of data security measures including data breach notification, but also of the lack of alignment in standards, which may be burdensome for entities operating in the transnational data economy.

8.
When balancing consumer privacy and data protection rights with the important societal benefits to be obtained from smart meters, should consumers be allowed to opt out? If so, what should a smart meter opt-out mechanism look like? Further, may consumers be charged additional fees for the privilege of opting out without violating their privacy and data protection rights? The EU/U.S. comparative law analysis provided in this paper aims to help energy suppliers and regulators craft opt-out mechanisms to protect individual privacy and data protection rights while also achieving important societal benefits from smart meters.

9.
Breaches of security, a.k.a. security and data breaches, are on the rise, one of the reasons being the well-known lack of incentives to secure services and their underlying technologies, such as cloud computing. In this article, I question whether the patchwork of six EU instruments addressing breaches is helping to prevent or mitigate breaches as intended. At a lower level of abstraction, the question concerns appraising the success of each instrument separately. At a higher level of abstraction, since all laws converge on the objective of network and information security – one of the three pillars of the EU cyber security policy – the question is whether the legal ‘patchwork’ is helping to ‘patch’ the underlying insecurity of network and information systems, thus contributing to cyber security. To answer the research question, I look at the regulatory framework as a whole, from the perspective of network and information security, and consequently I use the expression cyber security breaches. I appraise the regulatory patchwork by using the three goals of notification identified by the European Commission as a benchmark, enriched by policy documents, legal analysis, and academic literature on breaches legislation, and I elaborate my analysis by reasoning on the case of cloud computing. The analysis, which is frustrated by the lack of adequate data, shows that the regulatory framework on cyber security breaches may be failing to provide the necessary level of mutual learning on the functioning of security measures, awareness of both regulatory authorities and the public on how entities fare in protecting data (and the related network and information systems), and enforcing self-improvement of entities dealing with information and services. I conclude with some recommendations addressing the causes, rather than the symptoms, of network and information systems insecurity.

10.
The evolution of EU legislation on personal data protection shows signs of a transition from the traditional model, in which personal data is protected as a privacy right, toward a property-rights model of protection. This does not signal a new opportunity for the data industry; rather, it is a new attempt to rebalance the increasingly unequal relationship between data subjects and data controllers. The property-rights model has advantages that the privacy-rights model cannot match, yet it also faces difficulties in characterising the right and defining its scope. Unlike non-personal data, whose proprietary character is more pronounced, the civil-law interests in personal data should be constructed as a system of property interests grounded in the data subject's proprietary interest and centred on the data controller's possessory interest in the personal data. Only by placing data controllers and their obligations at the centre of this system of property interests in personal data can a balance be maintained between protecting data subjects and realising the utility of data.

11.
Artificial Intelligence as a Service ('AIaaS') will play a growing role in society's technological infrastructure, enabling, facilitating, and underpinning functionality in many applications. AIaaS providers therefore hold significant power at this infrastructural level. We assess providers' position in EU law, focusing on the assignment of controllership for AIaaS processing chains in data protection law and the availability to providers of protection from liability for customers' illegal use of AIaaS. We argue that in data protection law, according to current practice, providers are often joint controllers with customers for aspects of the AIaaS processing chain. We further argue that providers lack protection from liability for customers' illegal activity. More fundamentally, we conclude that the role of providers in customers' application functionality – as well as the significant power asymmetries between providers and customers – challenges traditional understandings of roles and responsibilities in these complex, networked, dynamic processing environments. Finally, we set out some relevant issues for future regulation of AIaaS. In all, AIaaS requires attention from academics, policymakers, and regulators alike.

12.
The General Data Protection Regulation (GDPR) will come into force in the European Union (EU) in May 2018 to meet current challenges related to personal data protection and to harmonise data protection across the EU. Although the GDPR is anticipated to benefit companies by offering consistency in data protection activities and liabilities across the EU countries and by enabling more integrated EU-wide data protection policies, it poses new challenges to companies. They are not necessarily prepared for the changes and may lack awareness of the upcoming requirements and the GDPR's coercive measures. The implementation of the GDPR requirements demands substantial financial and human resources, as well as training of employees; hence, companies need guidance to support them in this transition. The purposes of this study were to compare the current Data Protection Directive 95/46/EC with the GDPR by systematically analysing their differences and to identify the GDPR's practical implications, specifically for companies that provide services based on personal data. This study aimed to identify and discuss the changes introduced by the GDPR that would have the most practical relevance to these companies and possibly affect their data management and usage practices. Therefore, a review and a thematic analysis and synthesis of the article-level changes were carried out. Through the analysis, the key practical implications of the changes were identified and classified. As a synthesis of the results, a framework was developed, presenting 12 aspects of these implications and the corresponding guidance on how to prepare for the new requirements. These aspects cover business strategies and practices, as well as organisational and technical measures.

13.
The proposal for a fundamental reform of the European data protection law, published by the EU Commission on 25 January 2012, is composed of two elements. Apart from a General Data Protection Regulation, the Commission proposes a second regulatory instrument, namely a Directive with regard to data processing by police and criminal justice authorities that shall supersede the Council Framework Decision 2008/977/JHA. This paper seeks to analyse the draft Directive in the context of the entire reform approach and scrutinizes a number of specific issues in regard to the scope, the requirements of data processing, notification duties and data transfer to third countries.

14.
The EU General Data Protection Regulation (GDPR) devotes particular attention to the protection of personal data of children. The rationale is that children are less aware of the risks and the potential consequences of the processing of their personal data on their rights. Yet, the text of the GDPR offers little clarity as to the actual implementation and impact of a number of provisions that may significantly affect children and their rights, leading to legal uncertainty for data controllers, parents and children. This uncertainty relates for instance to the age of consent for processing children's data in relation to information society services, the technical requirements regarding parental consent in that regard, the interpretation of the extent to which profiling of children is allowed and the level of transparency that is required vis-à-vis children. This article aims to identify a number of key issues and questions – both theoretical and practical – that raise concerns from a multi-dimensional children's rights perspective, and to clarify remaining ambiguities in the run-up to the actual application of the GDPR from 25 May 2018 onwards.

15.
This paper explores the European Commission's proposal for a new Regulation to update and reform data protection law in Europe. As regards the Regulation itself, without presenting an exhaustive analysis of all the provisions, this paper aims to highlight some significant changes proposed to the data protection regime by comparing Directive 95/46 and the proposed Regulation. It takes particular account of legislative innovation concerning data protection principles, data subjects' rights, data controllers' and data processors' obligations, and the regulation of technologies. Before analyzing these innovations, it introduces some considerations about the Commission's choice to use a Regulation instead of a Directive to harmonize national data protection regimes.

16.
In the third of our series of articles considering the EU's limited harmonisation of the laws regulating the activities of businesses using the Internet, we look at EU rules on the use of data collected online. We consider the principles governing the processing of personal data collected online. We then discuss the new rules on the use of cookies and the practical difficulties facing website operators in complying with them, and conclude with a brief overview of the rules governing the transfer of personal data outside the EEA.

17.
The Court of Justice of the European Union (CJEU) has ruled on questions referred by a Spanish court relating to the interpretation of the Data Protection Directive and its application to search engine activities. In a controversial judgment, the CJEU found that search engines are data controllers in respect of their search results; that European data protection law applies to their processing of the data of EU citizens, even where they process the relevant data outside the EU; and that a ‘right to be forgotten’ online applies to outdated and irrelevant data in search results unless there is a public interest in the data remaining available, and even where the search results link to lawfully published content.

18.
The purpose of this review was to better understand the impact of community notification, known as "Megan's Law," on sex offenders' reintegration into the community. Eight quantitative studies that examined the social and psychological impact of community notification on adult sex offenders (N = 1,503) were reviewed. The pattern of results across studies showed considerable similarities despite marked variability in the populations examined, survey methods used, and response rates obtained. Sex offenders rarely reported being the target of vigilante attacks. Substantial minorities reported exclusion from residence and job loss as social consequences of being publicly identified as sex offenders in their communities. The majority of offenders reported negative psychological consequences of notification but also identified benefits of knowing that others were monitoring their behavior. More intrusive notification strategies were associated with higher rates of socially destabilizing consequences. Results are discussed in terms of their policy and research implications.

19.
This has been a big year for privacy, with so much going on within the EU regarding reform of data protection. What are the implications of reform here and what are the issues that concern us about the proposed new data protection regime contained in the proposed Regulation? We hear a lot about the ‘right to be forgotten’. How is that possible in the digital age within the online world? And what can be done about the big players who stand charged with the erosion of privacy, viz. Facebook, Google, Skype & YouTube etc.? How can the law keep up with technological change when the latter is moving so fast, e.g. with RFID, Cloud and social networking? To what extent can data breach notification, net neutrality and privacy impact assessment help, and how should the law approach issues of liability and criminality in relation to privacy? What is the state of play too in the relationship between privacy policy and state surveillance and, given its implications for privacy, what obligations should governments adopt in response to cybersecurity regulation and data management? Is there a place for privacy self-regulation and, if so, in what respects, and how effective are the Information Commissioners who often complain of being under-resourced? In reviewing the way privacy law has emerged, do we now need a completely new approach to the whole issue? Has the law crept into its present form simply by default? Do we need some new thinking now that reflects the fact that law is only one dimension in the battle for privacy? If so, what are the other factors we need to recognise?

20.
Mandatory data breach notification laws have been a significant legislative reform in response to unauthorized disclosures of personal information by public and private sector organizations. These laws originated in the state-based legislatures of the United States during the last decade and have subsequently garnered worldwide legislative interest. We contend that there are conceptual and practical concerns regarding mandatory data breach notification laws which limit the scope of their applicability, particularly in relation to existing information privacy law regimes. We outline these concerns here, in the light of recent European Union and Australian legal developments in this area.
