The thin red line: Refocusing data protection law on ADM,a global perspective with lessons from case-law

This article explores existing data protection law provisions in the EU and in six other jurisdictions from around the world - with a focus on Latin America - that apply to at least some forms of the processing of data typically part of an Artificial Intelligence (AI) system. In particular, the article analyzes how data protection law applies to “automated decision-making” (ADM), starting from the relevant provisions of EU's General Data Protection Regulation (GDPR). Rather than being a conceptual exploration of what constitutes ADM and how “AI systems” are defined by current legislative initiatives, the article proposes a targeted approach that focuses strictly on ADM and how data protection law already applies to it in real life cases. First, the article will show how GDPR provisions have been enforced in Courts and by Data Protection Authorities (DPAs) in the EU, in numerous cases where ADM is at the core of the facts of the case considered. After showing that the safeguards in the GDPR already apply to ADM in real life cases, even where ADM does not meet the high threshold in its specialized provision in Article 22 (“solely” ADM which results in “legal or similarly significant effects” on individuals), the article includes a brief comparative law analysis of six jurisdictions that have adopted general data protection laws (Brazil, Mexico, Argentina, Colombia, China and South Africa) and that are visibly inspired by GDPR provisions or its predecessor, Directive 95/46/EC, including those that are relevant for ADM. The ultimate goal of this study is to support researchers, policymakers and lawmakers to understand how existing data protection law applies to ADM and profiling.¹     

The Cyprus and other EU court rulings on data retention: The Directive as a privacy bomb

This paper discusses the controversy surrounding the Data Retention Directive with an emphasis on the 2011 decision of the Cyprus Supreme Court which has annulled several district court orders that allowed the police access to telecommunications data relating to certain persons relevant to criminal investigations. The annulment has been on the ground that the legal provisions upon which the orders have been issued are unconstitutional. It will suggest that the decision does not entail a direct rejection of the EU Data Retention Directive and that in any event, Cyprus is not a Member State resisting the particular measure. This is because the legal provisions are deemed unconstitutional, though part of the law that has transposed the relevant Directive into national law are provisions that go beyond what the EU legislator intended to regulate through that Directive. Still, the particular Directive sits rather uneasily within the ‘human rights’ regime, in particular the one governing the individual right of privacy.     

Regulating electronic identity in the European Union: An analysis of the Lisbon Treaty’s competences and legal basis for eID

This paper discusses the feasibility of EU legal action in the field of electronic identity (eID) within the new distribution of legal competences and the provision of novel legal basis engendered by the Treaty of Lisbon. The article attempts to find a ‘legal anchor’ to the idea of a pan-European electronic identity within EU law, looking at the issues of competences and legal basis. After examining various different areas of competence and the most feasible (and probable) candidates for a legal basis supporting an EU legal framework for eID, the paper argues that the latter should be found in the combination of Article 16 TFEU (concerning the right to the protection of personal data) with Article 3 TUE, and Articles 26 and 114 TFEU (concerning the establishment and functioning of the Internal Market), which also constitute the area of competence where an eID legal initiative can be pursued.     

On defense of “ethification” of law: How ethics may improve compliance with the EU digital laws

In recent years, academics and professionals witness the rise of the “ethification” of law, specifically in the area of ICT law. Ethification shall be understood as a proliferation of moral principles and moral values in the legal discourse within the areas of research, innovation governance, or directly enforceable rules in the industry. Although the ethical considerations may seem distant from mere regulatory compliance, the opposite is true. The article focuses on the positive side of the “ethification” of digital laws through the lens of legal requirements for impact assessments pursuant to General Data Protection Regulation and conformity assessments in the proposal for the Artificial Intelligence Act. Authors argue that ethical considerations are often absent in the context of using new technologies including artificial intelligence, yet they may provide additional value for organizations and society as a whole. Additionally, carrying out ethics-based assessments is already in line with existing regulatory requirements in the fields of data protection law and proposed EU AI regulation. These arguments are reflected in the context of facial recognition technology, where both data protection impact assessment under the EU General Data Protection Regulation and conformity assessment under the proposal of the EU Artificial Intelligence Act will be mandatory. Facial recognition technology is analyzed through the ethics-based assessment involving stakeholder analysis, data flows map, and identification of risks and respective countermeasures to show additional insights that ethics provides beyond regulatory requirements.     

The law and practice of international organizations’ interactions with personal data protection domestic regulation: At the crossroads between the international and domestic legal orders

The development and overlap of legal frameworks on personal data protection, on the one hand, by states and regional frameworks like the EU General Data Protection Regulation, and on the other hand, by International Organizations, raises fundamental questions about their coexistence and interaction, including questions concerning the interaction between the domestic and the international legal orders.This article considers how these different legal frameworks come into interaction and tension with each other, as well as how these tensions are addressed in the law and practice of International Organizations and in domestic laws.It reveals the pragmatism of a resulting approach which seeks to ensure effective protection of the fundamental right to personal data protection while respecting the need for IOs to be able to perform their mandate under international law in full independence.     

The Proposed ‘Common European Sales Law’: Legal Framework and the Agreement of the Parties

The European Commission's Proposal for a Regulation on a Common European Sales Law (‘CESL’) seeks to create a European scheme of contract law available for parties to choose to govern cross‐border contracts for the sale of goods, supply of ‘digital content,’ and for the supply of related services. This article explains the background to the Proposal, sketches out the purposes and scope of the CESL, and considers and criticises its legal framework (and in particular its relationship with private international law) and the key requirement of the parties’ agreement. In the author's view, the CESL scheme remains an unconvincing basis for the achievement of its economic purposes and, as regards consumer contracts, puts too much reliance on the agreement of the consumer as a justification for the loss of their existing protection under EU private international law rules.     

Clarity,surprises, and further questions in the Article 29 Working Party draft guidance on automated decision-making and profiling

The Article 29 Data Protection Working Party's recent draft guidance on automated decision-making and profiling seeks to clarify European data protection (DP) law's little-used right to prevent automated decision-making, as well as the provisions around profiling more broadly, in the run-up to the General Data Protection Regulation. In this paper, we analyse these new guidelines in the context of recent scholarly debates and technological concerns. They foray into the less-trodden areas of bias and non-discrimination, the significance of advertising, the nature of “solely” automated decisions, impacts upon groups and the inference of special categories of data—at times, appearing more to be making or extending rules than to be interpreting them. At the same time, they provide only partial clarity – and perhaps even some extra confusion – around both the much discussed “right to an explanation” and the apparent prohibition on significant automated decisions concerning children. The Working Party appears to feel less mandated to adjudicate in these conflicts between the recitals and the enacting articles than to explore altogether new avenues. Nevertheless, the directions they choose to explore are particularly important ones for the future governance of machine learning and artificial intelligence in Europe and beyond.     

The GDPR: A game changer for electronic identification schemes? The case study of Gov.UK Verify

This article offers an interdisciplinary analysis of the General Data Protection Regulation (GDPR) in the context of electronic identification schemes. Gov.UK Verify, the UK Government's electronic identification scheme, and its compatibility with some important aspects of EU data protection law are reviewed. An in-depth examination of Gov.UK Verify's architecture and the most significant constituent elements of both the Data Protection Directive and the imminent GDPR – notably the legitimising grounds for the processing of personal data and the doctrine of joint controllership – highlight several flaws inherent in the Gov.UK Verify's development and mode of operation. This article advances the argument that Gov.UK Verify is incompatible with some major substantive provisions of the EU Data Protection Framework. It also provides some general insight as to how to interpret the requirement of a legitimate legal basis and the doctrine of joint controllership. It ultimately suggests that the choice of the appropriate legal basis should depend upon a holistic approach to the relationship between the actors involved in the processing activities.     

论《涉外民事关系法律适用法》与《民法通则》的关系

《涉外民事关系法律适用法》与《民法通则》之间的关系,涉及到我国上位法与下位法的关系、特别法与一般法的关系、新法与旧法的关系等一系列法理;也涉及到了我国宪法和《立法法》的规定。《涉外民事关系法律适用法》第二条的"特别规定"规定导致该法成为一般法,《民法通则》的一些规定成为特别法的倒置现象。而第五十一条前款的规定则是以作为普通法律的《涉外民事关系适用法》排除了作为基本法律的《民法通则》条文的适用。为了解决二者之间的法律竞合,可以有三种办法:启动修改法律的程序;启动立法解释的程序;提升《涉外民事关系法律适用法》为基本法律。     

The future of privacy certification in Europe: an exploration of options under article 42 of the GDPR

The EU faces substantive legislative reform in data protection, specifically in the form of the General Data Protection Regulation (GDPR). One of the new elements in the GDPR is its call to establish data protection certification mechanisms, data protection seals and marks to help enhance transparency and compliance with the Regulation and allow data subjects to quickly assess the level of data protection of relevant products and services. To this effect, it is necessary to review privacy and data protection seals afresh and determine how data protection certification mechanisms, seals or marks might work given the role they will be called to play, particularly in Europe, in facilitating data protection. This article reviews the current state of play of privacy seals, the EU policy and regulatory thrusts for privacy and data protection certification, and the GDPR provisions on certification of the processing of personal data. The GDPR leaves substantial room for various options on data protection certification, which might play out in various ways, some of which are explored in this article.     

被遗忘权立法的美国模式及其立法启示——以加州被遗忘权立法为研究背景

“被遗忘权”是大数据时代个人信息删除制度的立法新发展。美国并不赞同欧盟模式的被遗忘权。加利福尼亚州立足美国法制传统构建了一个体现美国利益需求的被遗忘权。加州立法从维护个人发展权意义上建构未成年人的被遗忘权,以数据最小化原则为基础,建构适用于消费者与企业之间数据处理的被遗忘权,赋予个人删除本人发布的个人信息的权利,同时规定了一系列删除信息的例外,较好地协调了被遗忘权与言论自由和信息经济发展的矛盾。加州立法已成为美国个人信息保护立法的典范。未来,美国可能以加州模式为模板构建媲美欧盟被遗忘权的个人信息删除制度。加州对被遗忘权制度的取舍对我国《个人信息保护法》第47条的理解与适用具有启示意义。     

Having yes,using no? About the new legal regime for biometric data

The rise of biometric data use in personal consumer objects and governmental (surveillance) applications is irreversible. This article analyses the latest attempt by the General Data Protection Regulation (EU) 2016/679 and the Directive (EU) 2016/680 to regulate biometric data use in the European Union. We argue that the new Regulation fails to provide clear rules and protection which is much needed out of respect of fundamental rights and freedoms by making an artificial distinction between various categories of biometric data. This distinction neglects the case law of the European Court of Human Rights and serves the interests of large (governmental) databases. While we support regulating the use and the general prohibition in the GDPR of using biometric data for identification, we regret this limited subjective and use based approach. We argue that the collection, storage and retention of biometric images in databases should be tackled (objective approach). We further argue that based on the distinctions made in the GDPR, several categories of personal data relating to physical, physiological or behavioural characteristics are made to which different regimes apply. Member States are left to adopt or modify their more specific national rules which are eagerly awaited. We contend that the complex legal framework risks posing headaches to bona fide companies deploying biometric data for multifactor authentication and that the new legal regime is not reaching its goal of finding a balance between the free movement of such data and protecting citizens. Law enforcement authorities also need clear guidance. It is questioned whether Directive (EU) 2016/680 provides this.     

论《欧盟运行条约》第102条在知识产权领域的扩大适用——以阿斯利康公司诉欧盟委员会一案为视角

自由竞争和知识产权保护是现代国家建立和完善市场经济制度,保护消费者利益的两把利剑。以往判例所确立的原则是欧盟竞争法在特殊情形下被有限的适用于知识产权行使过程中的某些行为,竞争法的适用通常要满足非常严格的条件。而在新近作出的一份判决中,欧盟普通法院首次将《欧盟运行条约》第102条①适用于知识产权的申请行为,而且在适用过程中,明显放宽适用条件。这种在知识产权领域扩大适用竞争规则的行为有损知识产权法律体系的独立性,而且在今后类似案件中也不具有较强的可操作性,其仅具有特例性,而非普遍意义。     

Looking for needles in a haystack: Key issues affecting children's rights in the General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) devotes particular attention to the protection of personal data of children. The rationale is that children are less aware of the risks and the potential consequences of the processing of their personal data on their rights. Yet, the text of the GDPR offers little clarity as to the actual implementation and impact of a number of provisions that may significantly affect children and their rights, leading to legal uncertainty for data controllers, parents and children. This uncertainty relates for instance to the age of consent for processing children's data in relation to information society services, the technical requirements regarding parental consent in that regard, the interpretation of the extent to which profiling of children is allowed and the level of transparency that is required vis-à-vis children. This article aims to identify a number of key issues and questions – both theoretical and practical – that raise concerns from a multi-dimensional children's rights perspective, and to clarify remaining ambiguities in the run-up to the actual application of the GDPR from 25 May 2018 onwards.     

数据跨境流动规制中的“长臂管辖”——对欧盟GDPR的原旨主义考察

欧盟《一般数据保护条例》是个人数据保护的重要立法之一,而其中的“长臂管辖”条款是最有特色并颇受争议的规则。从内在视角来看,欧盟语境下个人数据的特殊含义和重要地位,是“长臂管辖”的正当性基础。而其在制度上形成内外联动的局面,是因为欧盟想扭转其在全球互联网和信息产业的劣势地位,并增强其在全球数据保护立法的话语权,同时更好地保护个人数据和国家安全。对此,中国未来的数据保护立法应结合自身数据产业的特点,明确立法旨意,形成内外联动,在国际互联网和数据治理中采取积极有为的态度,掌握该领域的话语权。     

The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals

The recent release by the European Commission of the first drafts for the amendment of the EU data protection regulatory framework is the culmination of a consulting and preparation process that lasted more than two years. At the same time, it opens up a law-making process that is intended to take at least as much time. The Commission has undertaken the herculean task to amend the whole EU data protection edifice, through the introduction of a General Data Protection Regulation, intended to replace the EU Data Protection Directive 95/46/EC, and a Police and Criminal Justice Data Protection Directive, intended to replace the Framework Decision 2008/977/JHA. This paper shall focus at the replacement of the EU Data Protection Directive by the draft General Data Protection Regulation. Due to the fact that the draft Regulation is a long (and ambitious) text, a selection has been made, with the aim of highlighting its treatment of basic data protection principles and elements, in order to identify merits and shortcomings for the general data protection purposes.     

法人依瑕疵决议所为行为之效力

决议不成立、无效或被撤销,无法完全适用民法总则第157条关于法律行为无效之后果规定。民法总则第85条、第94条以及“公司法解释四”第6条设定的善意相对人保护规则,过于简单和武断,需区分决议主体、决议内容、瑕疵事由而类型化地认定法人依瑕疵决议所为行为之效力。在法人内部,瑕疵决议溯及无效,但需依裁量驳回制度认定后续决议之效力,并适用法律行为相对无效理念保护第三人利益。就外部行为,决议无效导致行为违法,应依民法总则第153条认定行为效力。决议不成立或被撤销,则仅在法律设有强制决议规则之前提下方才导致行为欠缺法定要件,从而影响外部行为效力。因不同强制决议规则所欲保护的成员利益不同、所涉第三人利益不同,需区分营利法人与非营利法人、交易行为与组织行为,认定此种情形下外部行为之效力。有别于交易行为的相对性、独立性,组织行为具有涉他性、持续性之特征,需设立特别的公司组织行为效力诉讼规则,方可解决这一组织法问题。     

The right to data portability in the GDPR: Towards user-centric interoperability of digital services

The right to data portability is one of the most important novelties within the EU General Data Protection Regulation, both in terms of warranting control rights to data subjects and in terms of being found at the intersection between data protection and other fields of law (competition law, intellectual property, consumer protection, etc.). It constitutes, thus, a valuable case of development and diffusion of effective user-centric privacy enhancing technologies and a first tool to allow individuals to enjoy the immaterial wealth of their personal data in the data economy. Indeed, a free portability of personal data from one controller to another can be a strong tool for data subjects in order to foster competition of digital services and interoperability of platforms and in order to enhance controllership of individuals on their own data. However, the adopted formulation of the right to data portability in the GDPR could benefit from further clarification: several interpretations are possible, particularly with regard to the object of the right and its interrelation with other rights, potentially leading to additional challenges within its technical implementation. The aim of this article is to propose a first systematic interpretation of this new right, by suggesting a pragmatic and extensive approach, particularly taking advantage as much as possible of the interrelationship that this new legal provision can have with regard to the Digital Single Market and the fundamental rights of digital users. In sum, the right to data portability can be approximated under two different perspectives: the minimalist approach (the adieu scenario) and the empowering approach (the fusing scenario), which the authors consider highly preferable.     

数据迁移权及其本土化路径研究--以数据竞争为视角

《欧盟一般数据保护条例》(GDPR)率先在个人数据领域赋予数据主体数据迁移权,成为全球数据保护的立法标杆。数据迁移权的诞生为企业参与数据竞争正向赋能,企业竞争中也存在诸多数据迁移障碍。本文结合欧盟数据迁移权的相关规定,以数据、数据迁移权和数据竞争三要素之间的互动关系为进路,通过剖析数据迁移对企业竞争和创新发展的双向反馈,认为我国不应急于实施数据迁移权,而是将数据迁移权定性为一种柔性权利,按照"三阶段五步骤"的路径规划,逐步建立符合我国国情的数据迁移制度。     

The Cat and Dog Fur Regulation: A Case Study on the European Union’s Approach to Animal Welfare

The Cat and Dog Fur Regulation, which bans the importation and exportation of real cat and dog fur, has been in force since 2008. The Regulation was a welcome development, however, a recent investigation carried out by the Humane Society International/UK and Sky News uncovered the sale of items of clothing containing real cat fur on the British high-street. This discovery, coupled with a recent report by the European Commission on the application of the Cat and Dog Fur Regulation, has undermined the efficacy of the Regulation. It raises questions as to the enforcement of the Regulation, and indeed the enforcement of EU animal welfare protection and legislation in general. The Cat and Dog Fur Regulation is but one piece of legislation, however, using this Regulation on a micro-level, helps understand the EU’s approach on a macro-level. The Cat and Dog Fur Regulation typifies the supineness of the EU when it comes to dealing with ethical issues. The European Commission needs to ensure that Member States are fulfilling their obligations under the Regulation and EU animal welfare provisions in general, by adopting a more forceful approach, which may necessitate it taking infringement proceedings under Article 258 TFEU. There is a need for Member States to carry out DNA testing for real cat and dog fur on goods purchased online, especially those coming from outside the EU. There is a dearth of academic commentary on the Cat and Dog Fur Regulation. The lack of discussion undermines the importance of this piece of legislation. Brexit also has implications for EU animal welfare. UK had already banned fur farming before the Regulation, thus the ban on the importation and exportation of fur should remain under domestic law.