The Patients’ Rights Directive (2011/24/EU) – Providing (some) rights to EU residents seeking healthcare in other Member States

This article presents the main elements of Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare, commonly known as the Patient’s Rights Directive. It is the latest EU initiative with regard to European Health Care and the Single Market. The main elements of the Directive contain provisions related to the prior authorisation of health care in another Member State, the reimbursement of such health care and the removal of unjustified obstacles to achieving these aims.These provisions largely reflect the recent case law of the European Court of the Justice (ECJ). Amongst these are provisions involving the use of personal data. Such provisions will engage data protection issues and will have to be carried out according to the data protection directives. Alongside this primary aim of codifying ECJ case law the Patient’s Rights Directive also introduces novel initiatives aimed at fostering cross border cooperation between various elements of national healthcare systems.Part 1 of this contribution will describe the legal basis and the aims of the PRD, Part 2 will describe the principle obligations placed on the Member States with regard to reimbursement, Parts 3 and 4 will describe other informational and procedural requirements placed upon the Member States of Treatment and Affiliation. Finally Part 5 will outline some of the novel initiatives that have been included in the PRD.The increases in the frequency of cross border-treatment that this directive attempts to facilitate are likely to see a concurrent increase in cross-border patient information flows. Such data flows will be subject to the Union’s provisions on Data Protection. It remains uncertain whether the EU’s Data Protection regime will act as inhibitor to cross-border medical treatment or rather represent a gold standard that allows patients to engage in such activities with peace of mind. The Patient’s Rights Directive will form part of the EU’s future e-Health strategy which envisages a large increase in the fluidity of patient data. A discussion of this directive is therefore merited in this journal.     

The thin red line: Refocusing data protection law on ADM,a global perspective with lessons from case-law

This article explores existing data protection law provisions in the EU and in six other jurisdictions from around the world - with a focus on Latin America - that apply to at least some forms of the processing of data typically part of an Artificial Intelligence (AI) system. In particular, the article analyzes how data protection law applies to “automated decision-making” (ADM), starting from the relevant provisions of EU's General Data Protection Regulation (GDPR). Rather than being a conceptual exploration of what constitutes ADM and how “AI systems” are defined by current legislative initiatives, the article proposes a targeted approach that focuses strictly on ADM and how data protection law already applies to it in real life cases. First, the article will show how GDPR provisions have been enforced in Courts and by Data Protection Authorities (DPAs) in the EU, in numerous cases where ADM is at the core of the facts of the case considered. After showing that the safeguards in the GDPR already apply to ADM in real life cases, even where ADM does not meet the high threshold in its specialized provision in Article 22 (“solely” ADM which results in “legal or similarly significant effects” on individuals), the article includes a brief comparative law analysis of six jurisdictions that have adopted general data protection laws (Brazil, Mexico, Argentina, Colombia, China and South Africa) and that are visibly inspired by GDPR provisions or its predecessor, Directive 95/46/EC, including those that are relevant for ADM. The ultimate goal of this study is to support researchers, policymakers and lawmakers to understand how existing data protection law applies to ADM and profiling.¹     

The EU Proposal for a General Data Protection Regulation and the roots of the ‘right to be forgotten’

The EU Proposal for a General Data Protection Regulation has caused a wide debate between lawyers and legal scholars and many opinions have been voiced on the issue of the right to be forgotten. In order to analyse the relevance of the new rule provided by Article 17 of the Proposal, this paper considers the original idea of the right to be forgotten, pre-existing in both European and U.S. legal frameworks. This article focuses on the new provisions of Article 17 of the EU Proposal for a General Data Protection Regulation and evaluates its effects on court decisions. The author assumes that the new provisions do not seem to represent a revolutionary change to the existing rules with regard to the right granted to the individual, but instead have an impact on the extension of the protection of the information disseminated on-line.     

The GDPR: A game changer for electronic identification schemes? The case study of Gov.UK Verify

This article offers an interdisciplinary analysis of the General Data Protection Regulation (GDPR) in the context of electronic identification schemes. Gov.UK Verify, the UK Government's electronic identification scheme, and its compatibility with some important aspects of EU data protection law are reviewed. An in-depth examination of Gov.UK Verify's architecture and the most significant constituent elements of both the Data Protection Directive and the imminent GDPR – notably the legitimising grounds for the processing of personal data and the doctrine of joint controllership – highlight several flaws inherent in the Gov.UK Verify's development and mode of operation. This article advances the argument that Gov.UK Verify is incompatible with some major substantive provisions of the EU Data Protection Framework. It also provides some general insight as to how to interpret the requirement of a legitimate legal basis and the doctrine of joint controllership. It ultimately suggests that the choice of the appropriate legal basis should depend upon a holistic approach to the relationship between the actors involved in the processing activities.     

The necessity of legally compliant data management in European cloud architectures

Taking advantage of flexible resource provisions enabled by Cloud Computing, many businesses have recently migrated their IT applications and data to the Cloud, allowing them to respond to new demands and requests from customers. However, Cloud Computing also moves functions and responsibilities away from local ownership and management to a third-party provided service, and brings with it a set of associated legal issues, such as data protection, licensing, intellectual property rights and the need to comply to necessary regulation. In this paper we evaluate commonly-observed Cloud Computing use cases against the law applying to Cloud Computing to find where legal problems may arise. We derive a general architecture for Clouds and use it to illustrate common Cloud Computing usage patterns. The use cases are assessed against evaluation criteria derived from the relevant Cloud Computing law for the data processing of end-user details and materials, including roles and responsibilities necessary for legal compliance. The Data Protection Directive of the European Union has been used in this evaluation, as it is a commonly accepted and influential directive in the field of data processing legislation.     

The ‘right to be forgotten’ or the ‘principle that has been remembered’

The Court of Justice of the European Union (CJEU) has ruled on questions referred by a Spanish court relating to interpretation of the Data Protection Directive and its application to search engine activities. In a controversial judgment, the CJEU found that search engines are data controllers in respect of their search results; that European data protection law applies to their processing of the data of EU citizens, even where they process the relevant data outside the EU; and that a ‘right to be forgotten’ online applies to outdated and irrelevant data in search results unless there is a public interest in the data remaining available and even where the search results link to lawfully published content.     

Privacy,Data Retention and Domination: Digital Rights Ireland Ltd v Minister for Communications

In Digital Rights Ireland Ltd v Minister for Communications, the European Court of Justice found the EU Data Retention Directive, which required the retention of communications data for up to two years, to be incompatible with Articles 7 and 8 of the EU Charter of Fundamental Rights – the rights to privacy and to the protection of personal data. It is argued in this note that the decision ought to be taken as one that is concerned with the exercise of arbitrary power, a concern that is captured by the concept of domination.     

Using EHRs to design drug repositioning trials: A devolved approach to data protection

One area where the application of data protection law has proven complex is in relation to the secondary usage of health data in EHRs for medical research. Here the tension between the privacy interests of patients and the risk of harm if such sensitive data are compromised, and on the other side, the potential societal value of utilizing the data for the benefit of medical science, is especially striking. In this paper, we consider the applicable provisions of the EU Data Protection Directive, and outline a general approach to patient data handling for research, which we believe to be compatible with relevant legal and ethical requirements. We then illustrate and apply this by reference to a specific EU FP7 project, involving EHR data processing to select patients for clinical pharmaceutical trials. After introducing the project (PONTE), we explain the ‘devolved’ data protection architecture it employs and provide a legal evaluation.     

A walk in to the cloud and cloudy it remains: The challenges and prospects of ‘processing’ and ‘transferring’ personal data

Cloud computing is an information technology technique that promises greater efficiency and reduced-cost to consumers, businesses and public institutions. However, to the extent it has brought better efficiency and minimal cost, the emergence of cloud computing has posed a significant regulatory challenge on the application of data protection rules particularly on the regime regulating cross-border data flow. The Data Protection Directive (DPD), which dates back to 1995, is at odds with some of the basic technological and business-related features of the cloud. As a result, it is claimed that the Directive hardly offers any help in using the legal bases to ‘process’ and ‘transfer’ data as well as to determine when a transfer to a third country occurs in cloud computing. Despite such assertions, the paper argues that the ECJ's Bodil Lindqvist decision can to a certain extent help to delineate circumstances where transfer should and should not occur in the cloud. Concomitantly, the paper demonstrates that controllers can still make the most of the available possibilities in justifying their ‘processing’ as well as ‘transferring’ of data to a third country in cloud arrangements. In doing so, the paper also portrays the challenges that arise down the road. All legal perspectives are largely drawn from EU level though examples are given from member states and other jurisdictions when relevant.     

The EU Directive on Electronic Signatures--A Worldwide Model or a Fruitless Attempt to Regulate the Future?

The Directive on a Community Framework for Electronic Signatures is an essential and important new legal standard for the regulation of electronic signatures. The following article describes this Directive and assesses whether this new legal framework will be an effective and successful worldwide model or whether it will be rather fruitless. While doing this, I will consider the implementation of the Directive into UK and German law. This will also reveal some possibilities of how the legal status of electronic signatures can or cannot and should or should not be regulated. Furthermore, I will refer to other acts, for example, the UCITA and UETA of the US and the Model Law on Electronic Commerce and Draft Uniform Rules on Electronic Signatures of the UNCITRAL. My result is that the EU Directive is to be approved in general. Only if one said that in an ever-changing world every law was premature or even that in an imperfect world every law was either insufficient or unnecessary, would it be consequent to decline regulation of electronic signatures completely. However, regarding the details, some provisions, for example, the possibility of introducing a voluntary accreditation scheme, are open to criticism.     

The Distance Selling Directive: Points for Future Revision

The EU Distance Selling Directive that was implemented in UK law in the Consumer Protection (Distance Selling) Regulations 2000 has provided guidelines for the protection of consumers undertaking distance transactions. The following paper discusses the provisions of the Directive with particular reference to e-commerce via the Internet, highlighting some possible areas for further consideration. Articles within the Distance Selling Directive are examined for problems of legal interpretation and implementation. There is discussion of: Article 2 (Definitions) and difficulties with its fundamental concepts of 'supplier' and 'consumer'; unnecessary exemptions in Article 3 (Exemptions); the 'local taxes' headache (and others) in Article 4 (Prior Information) and using e-mail under Article 5 (Written Confirmation of Contract). Under Article 6 (Right of Withdrawal), the 'cooling off period', exempted goods and services, refunds and reclaiming goods, and for Article 7 (Performance) substitute goods and contract law implications, are investigated. Finally Article 8 (Payment by Card) looks at protection against fraudulent card use.     

The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals

The recent release by the European Commission of the first drafts for the amendment of the EU data protection regulatory framework is the culmination of a consulting and preparation process that lasted more than two years. At the same time, it opens up a law-making process that is intended to take at least as much time. The Commission has undertaken the herculean task to amend the whole EU data protection edifice, through the introduction of a General Data Protection Regulation, intended to replace the EU Data Protection Directive 95/46/EC, and a Police and Criminal Justice Data Protection Directive, intended to replace the Framework Decision 2008/977/JHA. This paper shall focus at the replacement of the EU Data Protection Directive by the draft General Data Protection Regulation. Due to the fact that the draft Regulation is a long (and ambitious) text, a selection has been made, with the aim of highlighting its treatment of basic data protection principles and elements, in order to identify merits and shortcomings for the general data protection purposes.     

The ITS Directive: More than a timeframe with privacy concerns and a means for access to public data for digital road maps?

Roads are ever more congested, pollution keeps rising and traffic-related deaths remain at unacceptable levels. It is clear that society’s needs with regard to transportation and mobility have become unsustainable. Intelligent Transport Systems (ITS) are often heralded as a potential solution to this problem, yet have still to yield tangible results. The EU has, however, adopted the ITS Directive, aiming for an EU-wide implementation of ITS solutions. Three questions are raised. First, can the ITS Directive really provide for the required substantial provisions in this field? Second, as ITS solutions are often deemed to be pervasive and intrusive, how does the ITS Directive interact with the EU legal framework on privacy and data protection? Third, given the involvement of private commercial entities in the field of providing road, traffic and travel data, can a public–private partnership be found to allow for the re-use of both public and private sector data in ITS solutions?     

Having yes,using no? About the new legal regime for biometric data

The rise of biometric data use in personal consumer objects and governmental (surveillance) applications is irreversible. This article analyses the latest attempt by the General Data Protection Regulation (EU) 2016/679 and the Directive (EU) 2016/680 to regulate biometric data use in the European Union. We argue that the new Regulation fails to provide clear rules and protection which is much needed out of respect of fundamental rights and freedoms by making an artificial distinction between various categories of biometric data. This distinction neglects the case law of the European Court of Human Rights and serves the interests of large (governmental) databases. While we support regulating the use and the general prohibition in the GDPR of using biometric data for identification, we regret this limited subjective and use based approach. We argue that the collection, storage and retention of biometric images in databases should be tackled (objective approach). We further argue that based on the distinctions made in the GDPR, several categories of personal data relating to physical, physiological or behavioural characteristics are made to which different regimes apply. Member States are left to adopt or modify their more specific national rules which are eagerly awaited. We contend that the complex legal framework risks posing headaches to bona fide companies deploying biometric data for multifactor authentication and that the new legal regime is not reaching its goal of finding a balance between the free movement of such data and protecting citizens. Law enforcement authorities also need clear guidance. It is questioned whether Directive (EU) 2016/680 provides this.     

Genetic Data and the Data Protection Regulation: Anonymity,multiple subjects,sensitivity and a prohibitionary logic regarding genetic data?

Owing to the unique qualities of genetic data, there have been numerous criticisms of the current data protection framework's ability to protect genetic data. It has been suggested that the Directive did not recognise the sensitivity of genetic data and that it ignored a number of legitimate interests in this data (in particular interests which multiple data subjects may have and those which may remain in anonymous data). In 2012, the first results of a reform process of EU data protection law were released. These results included a draft Regulation (to replace the Directive) which introduced a new framework for the protection of genetic data. This Article considers whether the innovative approach to genetic data in the Regulation will provide a more adequate framework for the protection of genetic data. It concludes that the Regulation has rectified the lack of recognition of sensitivity, but still stutters in recognising a number of legitimate interests.     

The Council of Europe Data Protection Convention reform: Analysis of the new text and critical comment on its global ambition

The year 2010 set an important milestone in the development of data protection law in Europe: both Europe's basic regulatory texts, the EU Data Protection Directive and the Council's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), were placed at an amendment process, having served individual data protection for many years and witnessed in the meantime technological developments that threatened to make their provisions obsolete. After briefly presenting Convention 108, the analysis that follows will highlight the Council's data protection system currently in effect as well as developments relating to the Convention's amendment so far with the aim of identifying improvements and shortcomings. While doing this two separate points of view shall be adopted: at first a micro point of view will attempt to identify improvements and shortcomings through an ‘insider’ perspective, that is, judging only the merits and difficulties of the draft text at hand. Afterwards a macroscopic view will be adopted, whereby strategic issues will be discussed pertaining to the important issue of the relationship of the suggested draft with the EU data protection system, as well as, the same draft's potential to constitute the next global information privacy standard.     

The public interest dimension of the single market for data: Public undertakings as a model for regulating private data sharing

Data plays a crucial role for society. Accordingly, building a ‘single market for data’ by increasing the availability of public and private data ranks high on the EU policy agenda. But when advancing legal data sharing regimes, there is an inevitable need to balance public and private interests. While the European Commission continues to push for more binding rules on data sharing between private businesses, public undertakings are already covered by mandatory rules. Exploring how the law addresses their data offers valuable lessons on the reconciliation of market reasoning with the public interest. In particular, this article inquires into the recast Open Data and Public Sector Information Directive, the Data Governance Act, and different national rules which regulate access to and re-use of public undertakings' data. It identifies five striking characteristics and discusses their potential and limitations for regulating data sharing by private undertakings. The implications serve as a guidepost for advancing the wider debate on building a single market for data in the EU. Some of them are already reflected in the upcoming EU Data Act.     

Taking a sledgehammer to crack the nut: The EU Enforcement Directive

In April 2004 the EU passed the Directive on Enforcement of Intellectual Property Rights amidst charges of “conflicting interest” and heavy-handed influence of the American entertainment industry. The Directive has received widespread condemnation from various sectors of the society for supporting private interest at the expense of public interest through the impositions of Mareva injunctions and Anton Piller Orders, even in instances of accidental and non-commercial infringements of the intellectual property right [Meller P. EU backs deal on copyright piracy. International Herald Tribune, NY; 2004]. This paper will examine the provisions of the Directive and determine its implications, in particular, as to whether they balance or not the rights of the right holders and public interest.     

The Attorney: Profession and Professional Ethics in Everyday Conceptions

The Constitutional Court of Ukraine (CCU) decision has made approximately forty laws not in conformity with the constitution. The total number of acts that have been made unconstitutional immediately is still not possible to count. What has to be done to ensure that the return to the former wording of the constitution does not lead to legal chaos? We asked this question of well-known specialists in the field of law.     

Free movement of patients: Directive 2011/24 on the application of patients' rights in cross-border healthcare

This contribution comments on Directive 2011/24, providing a legal framework for cross border healthcare 13 years after the famous Kohll and Decker case law. The Directive contains provisions concerning the reimbursement of costs, the responsibilities of the Member States and their mutual cooperation in healthcare. Analysing the (potential) impact of the Directive 2011/24 on EU healthcare systems, patients and healthcare providers, it becomes clear that the impact of the Directives reaches far beyond patient mobility. The Directive creates patients' rights, pays attention to the quality and safety of healthcare services and creates an excessive structure of cooperation in the field of healthcare. The European Union seems ready to use its economies of scale to improve healthcare for all European patients.