The Council of Europe is engaging in a process of revising its Data Protection Convention (Convention 108) to meet and overcome these challenges. The Council of Europe celebrates this year the 30th Anniversary of its Data Protection Convention (usually referred to as Convention 108), which has served as the backbone of international law in over 40 European countries and has influenced policy and legislation far beyond Europe's shores. With new data protection challenges arising every day, the Council of Europe is revising the Convention. Computer Law and Security Review (CLSR), together with the Intl. Association of IT Lawyers (IAITL) and ILAWS, has submitted comments in response to the Expert Committee's public consultation on this document. CLSR aims to position itself at the forefront of policy discussion, drawing upon high quality scholarly contributions from leading experts around the world.

Privacy notices are instruments that intend to inform individuals of the processing of their personal data, their rights as data subjects, as well as any other information required by data protection or privacy laws. The goal of this paper is to clarify the current discourse regarding the (in)utility of privacy notices, particularly in the context of online transactions. The perspective is a European one, meaning that the analysis shall be geared towards the European Data protection framework, particularly the European Data Protection Directive. The paper discusses the role that privacy notices play under the European data protection framework today, summarizes the main critiques regarding the use of privacy notices in practice and develops a number of recommendations.

The recent release by the European Commission of the first drafts for the amendment of the EU data protection regulatory framework is the culmination of a consulting and preparation process that lasted more than two years. At the same time, it opens up a law-making process that is intended to take at least as much time. The Commission has undertaken the herculean task of amending the whole EU data protection edifice, through the introduction of a General Data Protection Regulation, intended to replace the EU Data Protection Directive 95/46/EC, and a Police and Criminal Justice Data Protection Directive, intended to replace the Framework Decision 2008/977/JHA. This paper shall focus on the replacement of the EU Data Protection Directive by the draft General Data Protection Regulation. Because the draft Regulation is a long (and ambitious) text, a selection has been made, with the aim of highlighting its treatment of basic data protection principles and elements, in order to identify merits and shortcomings for general data protection purposes.

The Art. 29 Working Party (hereinafter "Art. 29 WP"), an influential body comprised of representatives from the Member State Data Protection Authorities and established under the Data Protection Directive 95/46/EC, has recently issued an opinion together with the Working Party on Police and Justice. This is quite significant, since the opinion sets out some of the issues that will need to be addressed in the lead up to the revision of the Data Protection Directive 95/46/EC. This comes at a time when there have been discussions on the current application of the European Data Protection Directive to the internet (such as social networking) and the recent European Commission consultation on the legal framework for the fundamental right to protection of personal data. Not least, there have been a number of cases brought before the European Court of Justice dealing with the partial implementation of the Data Protection Directive 95/46/EC. The aim of this paper is to consider in detail the issues set out by the Art. 29 WP and the likely challenges in revising the Data Protection Directive 95/46/EC.

Data Protection Authorities (DPAs) play a critical role in shaping and applying the regulation applicable to online media expression within the European Economic Area. Drawing on seven ubiquitous types of online new media actors, a comprehensive survey of these authorities was undertaken. It found that European DPAs generally adopt an expansive interpretation of data protection and a constrained understanding of freedom of expression in this space. In contrast, data protection enforcement is weak and lacking in harmonization. Except for street mapping services, each type of online media actor had only faced relevant enforcement action from a minority of these agencies. DPA financial resourcing is very limited. Notwithstanding the development of DPA 'network governance', only DPAs with a particularly extensive interpretative stance proved likely to have engaged in extensive enforcement activity. It remains unclear what difference the General Data Protection Regulation will make to resolving this enforcement gap and its related problems.

Earlier this year the Spanish Supreme Court gave judgment on an application to annul the data protection regulations set out in Royal Decree 1720/2007 and to refer the Spanish implementation of the Data Protection Directive to the European Court of Justice. The application was partially successful. Some sections of the Royal Decree have been annulled but much of it was upheld. The Supreme Court also referred the Spanish implementation of the legitimate interests processing condition (art. 7(f) of the Data Protection Directive) to the European Court of Justice. The European Court of Justice's decision could have a material impact on data controllers in Spain. If the legitimate interest condition is finally recognised it should make data protection compliance significantly easier.

The Court of Justice of the European Union (CJEU) has ruled on questions referred by a Spanish court relating to interpretation of the Data Protection Directive and its application to search engine activities. In a controversial judgment, the CJEU found that search engines are data controllers in respect of their search results; that European data protection law applies to their processing of the data of EU citizens, even where they process the relevant data outside the EU; and that a 'right to be forgotten' online applies to outdated and irrelevant data in search results unless there is a public interest in the data remaining available and even where the search results link to lawfully published content.

The flow of personal data throughout the public and private sectors is central to the functioning of modern society. The processing of these data is, however, increasingly being viewed as a major concern, particularly in light of many recent high profile data losses. It is generally assumed that individuals have a right to withdraw, or revoke, their consent to the processing of their personal data by others; however this may not be straightforward in practice, or addressed adequately by the law. Examination of the creation of data protection legislation in Europe and the UK, and its relationship with human rights law, suggests that such a general right to withdraw consent was assumed to be inbuilt, despite the lack of express provisions in both the European Data Protection Directive and UK Data Protection Act. In this article we highlight potential shortcomings in the provisions that most closely relate to this right in the UK Act. These raise questions as to the extent of meaningful rights of revocation, and thus rights of informational privacy, afforded to individuals in a democratic society.

This article reports on preliminary findings and recommendations of a cross-discipline project to accelerate international business-to-business automated sharing of cyber-threat intelligence, particularly IP addresses. The article outlines the project and its objectives and the importance of determining whether IP addresses can be lawfully shared as cyber threat intelligence. The goal of the project is to enhance cyber-threat intelligence sharing throughout the cyber ecosystem. The findings and recommendations from this project enable businesses to navigate the international legal environment and develop their policy and procedures to enable timely, effective and legal sharing of cyber-threat information. The project is the first of its kind in the world. It is unique in both focus and scope. Unlike the cyber-threat information sharing reviews and initiatives being developed at country and regional levels, the focus of this project and this article is on business-to-business sharing. The scope of this project, in terms of the 34 jurisdictions reviewed as to their data protection requirements, is more comprehensive than any similar study to date. This article focuses on the sharing of IP addresses as cyber threat intelligence in the context of the new European Union (EU) data protection initiatives agreed in December 2015 and formally adopted by the European Council and Parliament in April 2016. The new EU General Data Protection Regulation (GDPR) applies to EU member countries, a major focus of the international cyber threat sharing project. The research also reveals that EU data protection requirements, particularly the currently applicable law of the Data Protection Directive 95/46/EC (1995 Directive) (the rules of which the GDPR will replace in practice in 2018), generally form the basis of current data protection requirements in countries outside Europe.
It is expected that this influence will continue and that the GDPR will shape the development of data protection internationally. In this article, the authors examine whether static and dynamic IP addresses are "personal data" as defined in the GDPR and its predecessor, the 1995 Directive, which is currently the model for data protection in many jurisdictions outside Europe. The authors then consider whether sharing of that data by a business without the consent of the data subject can be justified in the public interest so as to override individual rights under Articles 7 and 8(1) of the Charter of Fundamental Rights of the European Union, which underpin EU data protection. The analysis shows that the sharing of cyber threat intelligence is in the public interest so as to override the rights of a data subject, as long as it is carried out in ways that are strictly necessary in order to achieve security objectives. The article concludes by summarizing the project findings to date, and how they inform international sharing of cyber-threat intelligence within the private sector.

On 16 July 2020, the Grand Chamber of the European Court of Justice rendered its landmark judgment in Case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems ("Schrems II"). The Grand Chamber invalidated the Commission decision on the adequacy of the data protection provided by the EU-US Privacy Shield. It however considered that the decision of the Commission on standard contractual clauses ("SCCs") issued by the Commission for the transfer of personal data to processors established in third states was legally valid. The legal effects of the judgment should first be clarified. In addition, it has far-reaching implications for companies which transfer personal data from the EU to the US. The judgment of the Grand Chamber also has far-reaching implications for transfers of personal data from the EU to other third states. Last, it has far-reaching implications for the UK in the context of Brexit.

The commentary by academics on the proposed European General Data Protection Regulation in [2013] 29 CLSR 180 has provoked thoughts in response. The responder strongly agrees with the doubts expressed about the definition of personal data, anonymisation and the identifiability of individuals. On the other hand, he disagrees with the views on consent and legitimacy and proposes support for a risk-based approach to data protection. He suggests that data protection does not need to be defended from the attack that it stifles business, but is justifiable for its assertion of fundamental rights. In conclusion, he shares the criticism of the European Commission's delegated and implementing powers and is concerned that the Regulation will be rushed to a conclusion for reasons of political ambition.

This article argues that Australia's recently-passed data breach notification legislation, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), and its coming into force in 2018, makes an internationally important, yet imperfect, contribution to data breach notification law. Against the backdrop of data breach legislation in the United States and European Union, a comparative analysis is undertaken between these jurisdictions and the Australian scheme to elucidate this argument. Firstly, some context to data breach notification provisions is offered, which are designed to address some of the problems data breaches cause for data privacy and information security. There have been various prominent data breaches affecting Australians over the last few years, which have led to discussion of what can be done to deal with their negative effects. The international context of data breach notification legislation will be discussed, with a focus on the United States and European Union jurisdictions, which have already adopted similar laws. The background to the adoption of the Australian legislation will be examined, including the general context of data privacy and security protection in Australia. The reform itself will then be considered, along with the extent to which this law is fit for purpose and some outstanding concerns about its application. While data breach notification requirements are likely to be a positive step for data security, further reform is probably necessary to ensure strong cybersecurity. However, such reform should be cognisant of the international trend towards the adoption of data security measures including data breach notification, as well as the lack of alignment in standards, which may be burdensome for entities operating in the transnational data economy.

The General Data Protection Regulation (GDPR) will come into force in the European Union (EU) in May 2018 to meet current challenges related to personal data protection and to harmonise data protection across the EU. Although the GDPR is anticipated to benefit companies by offering consistency in data protection activities and liabilities across the EU countries and by enabling more integrated EU-wide data protection policies, it poses new challenges to companies. They are not necessarily prepared for the changes and may lack awareness of the upcoming requirements and the GDPR's coercive measures. The implementation of the GDPR requirements demands substantial financial and human resources, as well as training of employees; hence, companies need guidance to support them in this transition. The purposes of this study were to compare the current Data Protection Directive 95/46/EC with the GDPR by systematically analysing their differences and to identify the GDPR's practical implications, specifically for companies that provide services based on personal data. This study aimed to identify and discuss the changes introduced by the GDPR that would have the most practical relevance to these companies and possibly affect their data management and usage practices. Therefore, a review and a thematic analysis and synthesis of the article-level changes were carried out. Through the analysis, the key practical implications of the changes were identified and classified. As a synthesis of the results, a framework was developed, presenting 12 aspects of these implications and the corresponding guidance on how to prepare for the new requirements. These aspects cover business strategies and practices, as well as organisational and technical measures.

This article examines the complex relationship between consumer protection law and data protection law, particularly within the EU's online environment, and highlights the problems that stem from this complexity. It suggests that, while there are significant similarities between their respective sources, tools and purposes, there are also arguable differences between consumer protection law and data protection law. One such arguable difference is that, while consumer protection law can be seen to merely set a floor in its pursuit of a sufficiently high level of consumer protection, data protection law, due to its clearly articulated dual purposes of (a) protecting individuals with regard to the processing of personal data and (b) providing for the free movement of such data, sets both a floor and a ceiling. Having discussed the relationship between consumer protection law and data protection law in more detail, the argument is made that it seems possible to conclude that the balance struck in the Data Protection Directive, and soon in the General Data Protection Regulation, places limitations on consumer protection law. The implications of this conclusion are then examined briefly in the context of some matters currently coming before the CJEU, and the contours of a framework are presented, addressing situations where a data protection-based liability claim is pursued against a third-party non-controller under consumer protection law.

Policymakers in the European Union and Israel are searching for regulatory strategies on how to best protect their citizens' informational privacy. More recently, the focus has shifted towards Privacy and Security by Design as a means to address current privacy concerns. While Privacy and Security by Design in itself is not a new idea, its implementation has taken new forms within the General Data Protection Regulation, as well as in various Israeli laws, inter alia, the Privacy Protection Regulations on Data Security. In this article we first analyse these implementations of Privacy and Security by Design and then compare the European and Israeli approaches with one another. We address the question of which approach provides more guidance to developers on how to embed Privacy and Security by Design measures into new services and products. We conclude by pointing to empirical research needed to further analyse the impact of the two different regulatory strategies.

This article presents the main elements of Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients' rights in cross-border healthcare, commonly known as the Patient's Rights Directive. It is the latest EU initiative with regard to European Health Care and the Single Market. The main elements of the Directive contain provisions related to the prior authorisation of health care in another Member State, the reimbursement of such health care and the removal of unjustified obstacles to achieving these aims. These provisions largely reflect the recent case law of the European Court of Justice (ECJ). Amongst these are provisions involving the use of personal data. Such provisions will engage data protection issues and will have to be carried out according to the data protection directives. Alongside this primary aim of codifying ECJ case law, the Patient's Rights Directive also introduces novel initiatives aimed at fostering cross border cooperation between various elements of national healthcare systems. Part 1 of this contribution will describe the legal basis and the aims of the PRD, Part 2 will describe the principal obligations placed on the Member States with regard to reimbursement, and Parts 3 and 4 will describe other informational and procedural requirements placed upon the Member States of Treatment and Affiliation. Finally, Part 5 will outline some of the novel initiatives that have been included in the PRD. The increases in the frequency of cross-border treatment that this directive attempts to facilitate are likely to see a concurrent increase in cross-border patient information flows. Such data flows will be subject to the Union's provisions on Data Protection. It remains uncertain whether the EU's Data Protection regime will act as an inhibitor to cross-border medical treatment or rather represent a gold standard that allows patients to engage in such activities with peace of mind.
The Patient's Rights Directive will form part of the EU's future e-Health strategy, which envisages a large increase in the fluidity of patient data. A discussion of this directive is therefore merited in this journal.

The Data Protection Act 1998 (DPA) regulates the processing of personal data by data controllers. Trustees will be controllers of the personal data relating to their trust. Personal data relates to living individuals who can be identified from that data, on its own or in conjunction with other information in (or likely to come into) the trustees' possession. Although this covers almost any data containing an individual's name, the Information Commissioner (IC), the UK regulatory authority for data protection, gives a narrower interpretation in its guidance, which concentrates on

With the increase in automation of vehicles and the rise of driver monitoring systems in those vehicles, data protection becomes more relevant for the automotive sector. Monitoring systems could contribute to road safety by, for instance, warning the driver if he is dozing off. However, keeping such a close eye on the user of the vehicle has legal implications. Within the European Union, the data gathered through the monitoring system, and the automated vehicle as a whole, will have to be collected and processed in conformity with the General Data Protection Regulation. By means of a use case, the different types of data collected by the automated vehicle, including health data, and the different requirements applicable to the collecting and processing of those types of data are explored. A three-step approach to ensuring data protection in automated vehicles is discussed. In addition, the possibilities to ensure data protection at a European level via the (type-) approval requirements will be explored.

With its 1985 Directive on Data Protection, the European Union highlighted its commitment to the constitutionalisation of European law and, in particular, underlined its vision of the individual European as a rights-bearing individual, empowered through 'knowledge' and thus advantaged in communicative processes of political/social/legal bargaining. As such, the move to a data protection regime founded upon notions of individual empowerment also mirrors a recent and fundamental re-alignment in the guiding principles of regulative labour law, which has seen the paradigm of 'collective laissez-faire' challenged, if not superseded, by a redirected emphasis upon the communicative empowerment of the individual employee rather than the representative function of employees' representatives. Accordingly, it is less than surprising that the field of labour law has seen increasing demands placed upon the Commission to fulfil its promise in the preamble to the 1985 Directive, and promulgate Regulations crafted to ensure data protection in line with the specific demands of individual societal sectors. This paper is a policy statement. It reiterates the need for a Regulation on the protection of employees' data. Building on the comparative experience of the Member States, it outlines the nature, provisions and scope which such a regulation should entail so as to reflect both the reality of the modern employment relationship and a new normative vision of the workplace which aims to inject such relationships with a measure of communicative participation.

The purpose of the study was to review privacy and security concerns and their impact on e-government adoption in Dubai. The research analyzed the literature on e-government, the security and privacy concerns of e-government adoption, and the legislative provisions relating to privacy and security protection. A survey of e-government user concerns on privacy, security and ease of use was also carried out. The data for the survey in this research were collected from 190 respondents in Dubai. The results of the analysis revealed that perceived security, privacy and perceived ease of use were important constructs in e-government adoption. The analysis of the legal framework showed that the Federal Constitution, the Penal Code, the new Data Protection Act and the Computer Crime Act could be used to address various privacy and security concerns. Thus, it is important that policy makers facilitate an appropriate awareness campaign on the existence of both information privacy and security protections to attract more participation in e-government services.

