Is the general data protection regulation the solution?

Never has a text been received with so many requests for amendments; never has the debate around it been so huge. Some see it as a simple duplicate of the Directive 95/46; others present the GDPR, as a monster. In the context of this birthday, it cannot be a question of analyzing this text or of launching new ideas, but simply of raising two questions. I state the first as follows: "In the end, what are the major features that cross and justify this regulation? In addition, the second: "Is the regulation adequate for today's digital challenges to our societies and freedoms? The answers given in the following lines express the opinion of their author. It is just an invitation for a dialogue to go forth in this journal where so many excellent reflections have been published on Digital Law, thanks to our common friend: Steve.     

Pricing privacy – the right to know the value of your personal data

The commodification of digital identities is an emerging reality in the data-driven economy. Personal data of individuals represent monetary value in the data-driven economy and are often considered a counter performance for “free” digital services or for discounts for online products and services. Furthermore, customer data and profiling algorithms are already considered a business asset and protected through trade secrets. At the same time, individuals do not seem to be fully aware of the monetary value of their personal data and tend to underestimate their economic power within the data-driven economy and to passively succumb to the propertization of their digital identity. An effort that can increase awareness of consumers/users on their own personal information could be making them aware of the monetary value of their personal data. In other words, if individuals are shown the “price” of their personal data, they can acquire higher awareness about their power in the digital market and thus be effectively empowered for the protection of their information privacy. This paper analyzes whether consumers/users should have a right to know the value of their personal data. After analyzing how EU legislation is already developing in the direction of propertization and monetization of personal data, different models for quantifying the value of personal data are investigated. These models are discussed, not to determine the actual prices of personal data, but to show that the monetary value of personal data can be quantified, a conditio-sine-qua-non for the right to know the value of your personal data. Next, active choice models, in which users are offered the option to pay for online services, either with their personal data or with money, are discussed. It is concluded, however, that these models are incompatible with EU data protection law. Finally, practical, moral and cognitive problems of pricing privacy are discussed as an introduction to further research. We conclude that such research is needed to see to which extent these problems can be solved or mitigated. Only then, it can be determined whether the benefits of introducing a right to know the value of your personal data outweigh the problems and hurdles related to it.     

Can the AML system be evaluated without better data?

The Anti-Money Laundering regime has been important in harmonizing laws and institutions, and has received global political support. Yet there has been minimal effort at evaluation of how well any AML intervention does in achieving its goals. There are no credible estimates either of the total amount laundered (globally or nationally) nor of most of the specific serious harms that AML aims to avert. Consequently, reduction of these is not a plausible outcome measure. There have been few efforts by country evaluators in the FATF Mutual Evaluation Reports (MERs) to acquire qualitative data or seriously analyze either quantitative or qualitative data. We find that data are relatively unimportant in policy development and implementation. Moreover, the long gaps of about 8 years between evaluations mean that widely used ‘country risk’ models for AML are forced still to rely largely on the 3rd Round evaluations whose use of data was minimal and inconsistent. While the 4th round MERs (2014–2022) have made an effort to be more systematic in the collection and analysis of data, FATF has still not established procedures that provide sufficiently informative evaluations. Our analysis of five recent National Risk Assessments (a major component of the new evaluations) in major countries shows little use of data, though the UK is notably better than the others. In the absence of more consistent and systematic data analysis, claims that countries have less or more effective systems will be open to allegations of ad hoc, impressionistic or politicized judgments. This reduces their perceived legitimacy, though this does not mean that the AML efforts and the evaluation processes themselves have no effects.     

mHealth and data protection – the letter and the spirit of consent legal requirements

In this article, the role of consent is discussed in the framework of fundamental rights and in the context of mobile health technologies (mHealth), such as smart phones, mobile phones or tablet/palm-held computing devices to provide healthcare. The authors surmise how, in practice, although there will be more emphasis on informed consent formally, there will be less space for genuine individual consent. This betrays a focus more on the letter of consent rules in data protection than their spirit. This risks reducing consent to a tick box operation in a manner analogous to consumer transactions, something manifestly unsuitable for consent, even if only in informational terms, during medical procedures.     

Enter the quagmire – the complicated relationship between data protection law and consumer protection law

This article examines the complex relationship between consumer protection law and data protection law, particularly within the EU's online environment, and highlights the problems that stem from this complexity. It suggests that, while there are significant similarities between their respective sources, tools and purposes, there are also arguable differences between consumer protection law and data protection law. One such arguable difference is found in that, while consumer protection law can be seen to merely set a floor in its pursuit of a sufficiently high level of consumer protection, data protection law – due to its clearly articulated dual purposes of (a) protecting individuals with regard to the processing of personal data and (b) providing for the free movement of such data – sets both a floor and a ceiling.Having discussed the relationship between consumer protection law and data protection law in more detail, the argument is made that it seems possible to conclude that the balance struck in the Data Protection Directive, and soon in the General Data Protection Regulation, places limitations on consumer protection law. The implications of this conclusion are then examined briefly in the context of some matters currently coming before the CJEU and the contours of a framework are presented, addressing situations where a data protection-based liability claim is pursued against a third-party non-controller under consumer protection law.     

Who decides on the future of data protection? Role of law firms in shaping European data protection regime

Drawing on theories of European integration and governance and sociological studies on the influence of elite law firms on rule-setting, this paper shows that law firms (a) operate in the area of data protection that is of extreme complexity and requires expert knowledge; and (b) display characteristics similar to other actors who succeeded in influencing agenda-setting and the results of policy-making despite having no formal competence to do so. This article proposes a hypothesis of the influence of elite law firms in EU data protection rule-setting. It argues that the EU data protection sector is prone to such influence as it is by definition transnational and, at some technical and some core points, inadequate to reflect the real data processing practices and therefore is entrenched with uncertainty. Therefore, the research into politics of data protection in Europe cannot disregard the role of these actors in shaping the European data protection regime.     

Sequence‐based Saudi population data for the SE33 locus

A set of 87 reference samples collected from the population of Saudi Arabia were sequenced using the ForenSeq™DNA Signature Prep Kit on a MiSeq FGx™. The FASTQ files contain the sequences of the SE33 STR, but are not reported by the ForenSeq™ Universal Analysis Software (UAS). The STRait Razor software was used to recover and to report SE33 sequence‐based data for the Saudi population. Ninety-six sequence-based alleles were recovered, most of which had previously reported motif patterns. Two unreported motif patterns found in three alleles and seven novel allele sequences were reported. We also reported a single discordance between the sequence-based data and the CE data that was due to the presence of a common TTTT deletion. SE33 had 130% more sequence-based alleles; the highest number of observed sequence variants were in alleles 27.2 and 30.2, which each had 7 sequence variants. The statistical parameters emphasize the usefulness of using the sequence-based data.     

EU GDPR or APEC CBPR? A comparative analysis of the approach of the EU and APEC to cross border data transfers and protection of personal data in the IoT era

This article examines the two major international data transfer schemes in existence today – the European Union (EU) model which at present is effectively the General Data Protection Regulation (GDPR), and the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules system (CBPR), in the context of the Internet of Things (IoT).While IoT data ostensibly relates to things i.e. products and services, it impacts individuals and their data protection and privacy rights, and raises compliance issues for corporations especially in relation to international data flows. The GDPR regulates the processing of personal data of individuals who are EU data subjects including cross border data transfers. As an EU Regulation, the GDPR applies directly as law to EU member nations. The GDPR also has extensive extraterritorial provisions that apply to processing of personal data outside the EU regardless of place of incorporation and geographical area of operation of the data controller/ processor. There are a number of ways that the GDPR enables lawful international transfer of personal data including schemes that are broadly similar to APEC CBPR.APEC CBPR is the other major regional framework regulating transfer of personal data between APEC member nations. It is essentially a voluntary accountability scheme that initially requires acceptance at country level, followed by independent certification by an accountability agent of the organization wishing to join the scheme. APEC CBPR is viewed by many in the United States of America (US) as preferable to the EU approach because CBPR is considered more conducive to business than its counterpart schemes under the GDPR, and therefore is regarded as the scheme most likely to prevail.While there are broad areas of similarity between the EU and APEC approaches to data protection in the context of cross border data transfer, there are also substantial differences. This paper considers the similarities and major differences, and the overall suitability of the two models for the era of the Internet of Things (IoT) in which large amounts of personal data are processed on an on-going basis from connected devices around the world. This is the first time the APEC and GDPR cross-border data schemes have been compared in this way. The paper concludes with the author expressing a view as to which scheme is likely to set the global standard.     

The economic costs and consequences of mass communications data retention: is the data retention directive a proportionate measure?

This article seeks to determine the economic costs and consequences of implementing the Data Retention Directive (Directive 2006/24/EC), an extraordinary counter terrorism measure that mandates the a priori retention of communications data on every European citizen, by drawing on the insights of economic analysis. It also explores the monetary costs of the Directive on subscribers and communications service providers of Member States within the EU. Furthermore, it examines the implications of the Directive on the economic sector of the European Union, by focusing on the Directive’s impact on EU competitiveness and other EU policies such as the Lisbon Strategy. This analysis is motivated by the following questions: what are the monetary costs of creating and maintaining the proposed database for data retention? What are the effects of these measures on individuals? What obstacles arise for the global competitiveness of EU telecommunications and electronic communications service providers as a result of these measures? Are other policies in the European Union affected by this measure? If so, which ones?     

Anonymisation of personal data – A missed opportunity for the European Commission

As early as the 1970's, privacy studies recognised that ‘anonymisation’ needed to be approached with caution. This caution has since been vindicated by the increasing sophistication of techniques for reidentification. Yet the courts in the UK have so far only hesitatingly grappled with the issues involved, while European courts have produced no guidance.     

Do all the pieces matter? Assessing the reliability of law enforcement data sources for the network analysis of wire taps

Law enforcement agencies rely on data collected from wire taps to construct the organisational chart of criminal enterprises. Recently, a number of academics have also begun to utilise social network analysis to describe relations among criminals and understand the internal organisation of criminal groups. However, before drawing conclusions about the structure or the organisation of criminal groups, it is important to understand the limitations that selective samples such as wire taps may have on network analysis measures. Electronic surveillance data can be found in different kinds of court records and the selection of the data source is likely to influence the amount of missing information and, consequently, the results. This article discusses the impact that the selection of a specific data source for the social network analysis of criminal groups may have on centrality measures usually adopted in organised crime research to identify key players.     

Can the GDPR make data flow for research easier? Yes it can,by differentiating! A careful reading of the GDPR shows how EU data protection law leaves open some significant flexibilities for data protection-sound research activities

Against the common perception of data protection as a road-block, we demonstrate that the GDPR can work as a research enabler. This study demonstrates that European data protection law's regulatory pillars, the first related to the protection of the fundamental right to data protection and the second regarding the promotion of the free flow of personal data, result into an architecture of layered data protection regimes, which come to tighten or relax data subjects’ rights and data protection safeguards vis à vis processing activities differently grounded in public or merely economic interests. Each of the identified data protection regimes shape different “enabling regulatory spots” for the processing of sensitive personal data for research purposes.     

Predicting the optimal STR profile amplification set up from Quantifiler™ Trio data

Samples collected for forensic case work may be of varying quality and quantity. The sample DNA is often quantified prior to short tandem repeats (STR) profile analysis with methods such as Quantifiler™Trio (QFT). The QFT measures the quantity of DNA as well as an internal PCR control (IPC) and a degradation index (DI).The aim of this study was to use IPC and DI measurements to identify samples, which would benefit from a modified PCR amplification set-up when generating the STR profiles. The sample quality of 6287 single source case work samples were categorized as 'Good’, ‘Partly degraded’, ‘Highly degraded’, ‘Inhibited’ and ‘Degraded and Inhibited’ based on the peak height ratios in the electropherogram data. The DI and IPC were correlated with the assigned quality categories of the samples. Samples categorized into the degraded and/or inhibited categories were found to have statistically significantly different DI and IPC compared to samples categorized as ‘Good’. This indicates that the additional information gained from the QFT can be useful to identify degraded and/or inhibited samples prior to the STR-profile analysis. Future work will re-evaluate the criteria of inclusion in the sample quality groups and implement multi source samples.     

MiFID II – A radical contribution to the development of data law?

Away from the hubbub about HFT (High Frequency Trading) a quiet storm is blowing in to the EU that will radically change securities trading in bonds, OTC derivatives and other asset classes. The rules, called MiFID II,² top off the alphabet soup of an extensive new rule book that, after the European Parliament's ‘Super Tuesday’ on 15 April 2014, is finally set to become law. Radical changes are afoot!     

Robots in the cloud with privacy: A new threat to data protection?

The focus of this paper is on the class of robots for personal or domestic use, which are connected to a networked repository on the internet that allows such machines to share the information required for object recognition, navigation and task completion in the real world. The aim is to shed light on how these robots will challenge current rules on data protection and privacy. On one hand, a new generation of network-centric applications could in fact collect data incessantly and in ways that are “out of control,” because such machines are increasingly “autonomous.” On the other hand, it is likely that individual interaction with personal machines, domestic robots, and so forth, will also affect what U.S. common lawyers sum up with the Katz's test as a reasonable “expectation of privacy.” Whilst lawyers continue to liken people's responsibility for the behaviour of robots to the traditional liability for harm provoked by animals, children, or employees, attention should be drawn to the different ways in which humans will treat, train, or manage their robots-in-the-cloud, and how the human–robot interaction may affect the multiple types of information that are appropriate to reveal, share, or transfer, in a given context.     

Having yes,using no? About the new legal regime for biometric data

The rise of biometric data use in personal consumer objects and governmental (surveillance) applications is irreversible. This article analyses the latest attempt by the General Data Protection Regulation (EU) 2016/679 and the Directive (EU) 2016/680 to regulate biometric data use in the European Union. We argue that the new Regulation fails to provide clear rules and protection which is much needed out of respect of fundamental rights and freedoms by making an artificial distinction between various categories of biometric data. This distinction neglects the case law of the European Court of Human Rights and serves the interests of large (governmental) databases. While we support regulating the use and the general prohibition in the GDPR of using biometric data for identification, we regret this limited subjective and use based approach. We argue that the collection, storage and retention of biometric images in databases should be tackled (objective approach). We further argue that based on the distinctions made in the GDPR, several categories of personal data relating to physical, physiological or behavioural characteristics are made to which different regimes apply. Member States are left to adopt or modify their more specific national rules which are eagerly awaited. We contend that the complex legal framework risks posing headaches to bona fide companies deploying biometric data for multifactor authentication and that the new legal regime is not reaching its goal of finding a balance between the free movement of such data and protecting citizens. Law enforcement authorities also need clear guidance. It is questioned whether Directive (EU) 2016/680 provides this.     

Do laws affect attitudes? An assessment of the Norwegian prostitution law using longitudinal data

The question of whether laws affect attitudes has inspired scholars across many disciplines, but empirical knowledge is sparse. Using longitudinal survey data from Norway and Sweden, collected before and after the implementation of a Norwegian law criminalizing the purchase of sexual services, we assess the short-run effects on attitudes using a difference-in-differences approach. In the general population, the law did not affect moral attitudes toward prostitution. However, in the Norwegian capital, where prostitution was more visible before the reform, the law made people more negative toward buying sex. This supports the claim that proximity and visibility are important factors for the internalization of legal norms.     

Are DNA data a valid source to study the spatial behavior of unknown offenders?

Studying the spatial behaviour of unknown offenders (i.e. undetected offenders) is difficult, because police recorded crime data do not contain information about these offenders. Recently, forensic DNA data has been used to study unknown offenders. However, DNA data are only a subset of the crimes committed by unknown offenders stored in police recorded crime data. To establish the suitability of DNA data for studying the spatial offending behaviour of unknown offenders, we examine the concentration and spatial similarity of detected but unsolved crimes in police recorded crime data (N?=?181,483) and DNA data (N?=?1913) over 27 Belgian judicial districts for four crime types. We established spatial similarity for certain crime types (in some districts). This offers opportunities for DNA data to be used to study unknown offenders' spatial offending behaviour. Implications for theory and research are discussed.     

GeneMarker® HID: A reliable software tool for the analysis of forensic STR data

Abstract: GeneMarker^® HID was assessed as a software tool for the analysis of forensic short tandem repeat (STR) data and as a resource for analysis of custom STR multiplexes. The software is easy to learn and use, and includes design features that have the potential to reduce user fatigue. To illustrate reliability and accuracy, STR data from both single‐source and mixture profiles were analyzed and compared to profiles interpreted with another software package. A total of 1898 STR profiles representing 28,470 loci and more than 42,000 alleles were analyzed with 100% concordance. GeneMarker HID was also used to successfully analyze data generated from a custom STR multiplex, with simplified and rapid implementation. Finally, the impact of the user‐friendly design features of the software was assessed through a time scale study. The results suggest that laboratories can reduce the time required for data analysis by at least 25% when using GeneMarker HID.     

Population genetic data for 17 non-CODIS STR loci for the Saudi Arabian population using the SureID®23comp Human Identification Kit

Our previous work focused on validation the SureID 23comp Human Identification Kit (Health Gene Technologies, China), following the minimum criteria for validation recommended by the European Network of Forensic Science Institutes (ENFSI) and the Scientific Working Group on DNA Analysis Methods (SWGDAM) using 500 samples from the population of Saudi Arabia. The kit genotypes 22 STRs, 17 of which are non-CODIS, and Amelogenin. The validation tests showed that it has the potential to increase the power of testing in complex cases.In this paper, the allele frequency data, common forensic parameters for the 17 non-CODIS STR loci are presented. We found the majority of loci had an excess of homozygosity in the data set, which is most likely explained by the relatively high levels of consanguinity in the population of Saudi Arabia.