Regulating electronic identity in the European Union: An analysis of the Lisbon Treaty’s competences and legal basis for eID

This paper discusses the feasibility of EU legal action in the field of electronic identity (eID) within the new distribution of legal competences and the provision of novel legal basis engendered by the Treaty of Lisbon. The article attempts to find a ‘legal anchor’ to the idea of a pan-European electronic identity within EU law, looking at the issues of competences and legal basis. After examining various different areas of competence and the most feasible (and probable) candidates for a legal basis supporting an EU legal framework for eID, the paper argues that the latter should be found in the combination of Article 16 TFEU (concerning the right to the protection of personal data) with Article 3 TUE, and Articles 26 and 114 TFEU (concerning the establishment and functioning of the Internal Market), which also constitute the area of competence where an eID legal initiative can be pursued.     

Integrating Europe’s PSI re-use rules - Demystifying the maze

Despite various studies evincing the huge potential locked up in public sector information (PSI), this potential is far from being fully exploited. To a large extent, this failure is caused by the immensely complex legal labyrinth surrounding PSI re-use. This complexity works in two ways: public sector bodies do not comply with the regulatory framework and re-users do not avail themselves of the legal instruments offered, resulting in unexploited economic potential. What makes the legal framework so complex is the transcending nature of PSI re-use, as it blends four areas of law - freedom of information law, ICT law, intellectual property law and competition law - that, throughout the years, have been regulated at a European, national and even at a sectoral level, but in isolation. The fundamental impact that ICT developments have on our society, subsequently also rocking the legal rules and underlying principles and axioms, makes the picture even more complicated. Taking the maximization of utility of PSI as a starting point in this article, I will anatomize each of these legal frameworks and demonstrate how they interact, culminating in a conceptual framework that may help public sector bodies and re-users, and courts where necessary, to apply and rely on the rules involved and to bring to the surface areas for policy action, both at the national and European level.     

India’s national ID system: Danger grows in a privacy vacuum

India is juggling demands and proposals for at least three national data surveillance projects of vast scope. This article focuses on the unique identification (UID) number, which it is proposed will be allocated to India’s 1.2 billion people, with 600 M UIDs to be allocated by 2015. Draft legislation to create the Authority which will administer the UID contains few protections for privacy or other liberties. They are needed because there is otherwise a privacy vacuum in Indian law. The Bill leaves most of the details of the demographic and biometric information which will be required to be included Regulations, and imposes no controls on which organisations can require UIDs, or what they can do with them. This article focuses on the planning documents for the UID, and the Bill, to argue that India may be building an identification system that puts peoples’ liberties at risk, and does so in a way which will be largely out of control of democratic or judicial restraints on such a powerful use of information technology.     

Looking for needles in a haystack: Key issues affecting children's rights in the General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) devotes particular attention to the protection of personal data of children. The rationale is that children are less aware of the risks and the potential consequences of the processing of their personal data on their rights. Yet, the text of the GDPR offers little clarity as to the actual implementation and impact of a number of provisions that may significantly affect children and their rights, leading to legal uncertainty for data controllers, parents and children. This uncertainty relates for instance to the age of consent for processing children's data in relation to information society services, the technical requirements regarding parental consent in that regard, the interpretation of the extent to which profiling of children is allowed and the level of transparency that is required vis-à-vis children. This article aims to identify a number of key issues and questions – both theoretical and practical – that raise concerns from a multi-dimensional children's rights perspective, and to clarify remaining ambiguities in the run-up to the actual application of the GDPR from 25 May 2018 onwards.     

For privacy's sake: Consumer “opt outs” for smart meters

When balancing consumer privacy and data protection rights with the important societal benefits to be obtained from smart meters, should consumers be allowed to opt out? If so, what should a smart meter opt out mechanism look like? Further, may consumers be charged additional fees for the privilege of opting out without violating their privacy and data protection rights? The EU/U.S. comparative law analysis provided in this paper aims to help energy suppliers and regulators craft opt out mechanisms to protect individual privacy and data protection rights while also achieving important societal benefits from smart meters.     

Data security: Past,present and future

The loss by Her Majesty's Revenue and Customs (HMRC) of two CDs containing 25 million child benefit details has changed the data security landscape forever. No longer is data security the exclusive and rather arcane preserve of spotty technology professionals or data protection lawyers. HMRC has thrust data security onto the front pages of the mainstream media and brought it very suddenly to the top of the political and commercial agendas of senior politicians and boards of directors. In this article, the author will outline the reasons behind the rise of data security as a front line issue and examine the lessons to be learnt from HMRC. He will analyse the different facets of data security risk and explore ways in which organisations can go about managing it. He will outline the attitude of regulators to data security and where regulatory developments are likely to take us. The final part of the article looks into the future, with particular focus on the emergence of privacy enhancing technologies.     

Data protection: The future of privacy

The Art. 29 Working Party (hereinafter “Art. 29 WP”) is an influential body comprised of representatives from the Member State Data Protection Authorities² established under the Data Protection Directive 95/46/EC, has recently issued an opinion with the Working Party on Police and Justice. This is quite significant, since the opinion sets out some of the issues that will need to be addressed in the lead up to the revision of the Data Protection Directive 95/46/EC.³ This comes at a time, when there have been discussions on the current application of the European Data Protection Directive to the internet,⁴ (such as social networking) and the recent European Commission’s consultation on the legal framework for the fundamental right to protection of personal data. Not least, there have been a number of cases brought before the European Court of Justice dealing with the partial implementation of the Data Protection Directive 95/46/EC.⁵The aim of this paper is to consider in detail the issues set out by the Art. 29 WP and the likely challenges in revising the Data Protection Directive 95/46/EC.     

Is “Big Data” creepy?

We now live in a world of Big Data, massive repositories of structured, unstructured or semi-structured data. This is seen as a valuable resource for organisations, given the potential to analyse and exploit that data to turn it into useful information. However, the cost and risk of continuing to hold that data can also make it a burden for many organisations.     

A walk in to the cloud and cloudy it remains: The challenges and prospects of ‘processing’ and ‘transferring’ personal data

Cloud computing is an information technology technique that promises greater efficiency and reduced-cost to consumers, businesses and public institutions. However, to the extent it has brought better efficiency and minimal cost, the emergence of cloud computing has posed a significant regulatory challenge on the application of data protection rules particularly on the regime regulating cross-border data flow. The Data Protection Directive (DPD), which dates back to 1995, is at odds with some of the basic technological and business-related features of the cloud. As a result, it is claimed that the Directive hardly offers any help in using the legal bases to ‘process’ and ‘transfer’ data as well as to determine when a transfer to a third country occurs in cloud computing. Despite such assertions, the paper argues that the ECJ's Bodil Lindqvist decision can to a certain extent help to delineate circumstances where transfer should and should not occur in the cloud. Concomitantly, the paper demonstrates that controllers can still make the most of the available possibilities in justifying their ‘processing’ as well as ‘transferring’ of data to a third country in cloud arrangements. In doing so, the paper also portrays the challenges that arise down the road. All legal perspectives are largely drawn from EU level though examples are given from member states and other jurisdictions when relevant.     

An international legal framework for data protection: Issues and prospects

The processing of personal data across national borders by both governments and the private sector has increased exponentially in recent years, as has the need for legal protections for personal data. This article examines calls for a global legal framework for data protection, and in particular suggestions that have been made in this regard by the International Law Commission and various national data protection authorities. It first examines the scope of a potential legal framework, and proceeds to analyze the status of data protection in international law. The article then considers the various options through which an international framework could be enacted, before drawing some conclusions about the form and scope such a framework could take, the institutions that could coordinate the work on it, and whether the time is ripe for a multinational convention on data protection.     

Personal data protection in employment: New legal challenges for Malaysia

The purpose of this article is to discuss and apply data protection principles in the context of employment. The Personal Data Protection Act (PDPA), passed by the Malaysian Parliament in 2010, has affected many aspects of life in Malaysia, including employment. Storage of data by employers is rampant. Management, as the data user, is duty bound to safeguard the employees' data according to the PDPA. Likewise, the employees, as data subjects, enjoy some rights under the PDPA. The author also examines issues of privacy law: whether such law exists in Malaysia and, if so, whether it can be reconciled with the PDPA's principles. The author adopts legal methodology anchored in exploratory analysis, with the legislative text as the main reference point.     

Opening up personal data protection: A conceptual controversy

The existence of a fundamental right to the protection of personal data in European Union (EU) law is nowadays undisputed. Established in the EU Charter of Fundamental Rights in 2000, it is increasingly permeating EU secondary law, and is expected to play a key role in the future EU personal data protection landscape. The right's reinforced visibility has rendered manifest the co-existence of two possible and contrasting interpretations as to what it come to mean. If some envision it as a primarily permissive right, enabling the processing of such data under certain conditions, others picture it as having a prohibitive nature, implying that any processing of data is a limitation of the right, be it legitimate or illegitimate. This paper investigates existing tensions between different understandings of the right to the protection of personal data, and explores the assumptions and conceptual legacies underlying both approaches. It traces their historical lineages, and, focusing on the right to personal data protection as established by the EU Charter, analyses the different arguments that can ground contrasted readings of its Article 8. It also reviews the conceptualisations of personal data protection as present in the literature, and finally contrasts all these perspectives with the construal of the right by the EU Court of Justice.     

Towards a new generation of CCTV networks: Erosion of data protection safeguards?

CCTV networks are progressively being replaced by more flexible and adaptable video surveillance systems based on internet protocol (IP) technologies. The use of wireless IP systems allows for the emergence of flexible networks and for their customization, while at the same time video analytics is easing the retrieval of the most relevant information. These technological advances, however, bring with them threats of a new kind for fundamental freedoms that cannot always be properly assessed by current legal safeguards. This paper analyses the ability of current data protection laws in providing an adequate answer to these new risks.     

Protecting the communication: Data protection and security measures under telecommunications regulations in the digital age

This paper aims to provide a comparative overview and evaluation of various legal frameworks for electronic communications security in light of the recent developments in the electronic communications sector. The article also includes an insight on European Union and Turkish legal environment for data protection security in electronic communications sector.     

When video cameras watch and screen: Privacy implications of pattern recognition technologies

Computer vision technologies based on pattern recognition software will soon allow identifying human behaviour that deviates from a pre-defined normality. Such applications are foreseen, amongst others, to be used in public places with purposes of crime prevention, especially in the context of the fight against terrorism. This technology increases the level of automation of video surveillance, changing the main nature of surveillance. The balance of power between the citizen and the State is altered, calling for a new balancing of interests. The automation of risk detection moreover raises the issue of the protection against partially automated decision-making. This paper will deal with the challenges raised by proactive video surveillance technologies to the way how privacy and security have been balanced so far. Attention will moreover be brought to the new safeguards that should be devised to protect the citizens from increased scrutiny and growing automation of the decision-making process.     

Russian PNR system: Data protection issues and global prospects

The usage of Passenger Name Record (PNR) for security purposes is growing worldwide. At least six countries have PNR systems; over thirty are planning to introduce them. On 1 December 2013, a Russian PNR system will be implemented. But enhanced collection of personal data leads to increased surveillance and privacy concerns. Russian authorities state that passengers' rights will be respected, but a closer look at the Russian regime reveals a number of critical points. From a global perspective, the Russian regime is only one of many PNR systems, including new ones to come in the future. Apparently, for the majority of them, similar challenges and problems will apply. At the same time, for the EU, with its strict data protection requirements, PNR requests by third countries (i.e. non-EU countries) create conflicts of laws. In order to resolve them, the EU concludes bilateral PNR agreements. However, the current deals, especially the one between the EU and the USA, involve a number of weaknesses. Accepting the latter, and having a pending proposal on the EU PNR system, the EU has weakened its position in negotiations with third countries. How will the EU deal with the Russian as well as with all the future requests for PNR? This paper provides legal analysis of the Russian PNR regime, pointing out common problems and giving prognosis on the global situation.     

The Patients’ Rights Directive (2011/24/EU) – Providing (some) rights to EU residents seeking healthcare in other Member States

This article presents the main elements of Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare, commonly known as the Patient’s Rights Directive. It is the latest EU initiative with regard to European Health Care and the Single Market. The main elements of the Directive contain provisions related to the prior authorisation of health care in another Member State, the reimbursement of such health care and the removal of unjustified obstacles to achieving these aims.These provisions largely reflect the recent case law of the European Court of the Justice (ECJ). Amongst these are provisions involving the use of personal data. Such provisions will engage data protection issues and will have to be carried out according to the data protection directives. Alongside this primary aim of codifying ECJ case law the Patient’s Rights Directive also introduces novel initiatives aimed at fostering cross border cooperation between various elements of national healthcare systems.Part 1 of this contribution will describe the legal basis and the aims of the PRD, Part 2 will describe the principle obligations placed on the Member States with regard to reimbursement, Parts 3 and 4 will describe other informational and procedural requirements placed upon the Member States of Treatment and Affiliation. Finally Part 5 will outline some of the novel initiatives that have been included in the PRD.The increases in the frequency of cross border-treatment that this directive attempts to facilitate are likely to see a concurrent increase in cross-border patient information flows. Such data flows will be subject to the Union’s provisions on Data Protection. It remains uncertain whether the EU’s Data Protection regime will act as inhibitor to cross-border medical treatment or rather represent a gold standard that allows patients to engage in such activities with peace of mind. The Patient’s Rights Directive will form part of the EU’s future e-Health strategy which envisages a large increase in the fluidity of patient data. A discussion of this directive is therefore merited in this journal.     

From porn to cybersecurity passing by copyright: How mass surveillance technologies are gaining legitimacy … The case of deep packet inspection technologies

Recent coverage in the press regarding large-scale passive pervasive network monitoring by various state and government agencies has increased interest in both the legal and technical issues surrounding such operations. The monitoring may take the form of which systems (and thus potentially which people) are communicating with which other systems, commonly referred to as the metadata for a communication, or it may go further and look into the content of the traffic being exchanged over the network. In particular the monitoring may rely upon the implementation of Deep Packet Inspection (DPI) technologies. These technologies are able to make anything that happens on a network visible and recordable. While in practice the sheer volume of traffic passing through a DPI system may make it impractical to record all network data, if the system systematically records certain types of traffic, or looks for specific patterns in all traffic, the privacy concerns are highly significant. The aim of this paper is twofold: first, to show that despite the increasing public awareness in relation to the capabilities of Internet service providers (ISPs), a cross-field and comparative examination shows that DPI technologies are in fact progressively gaining legal legitimacy; second to stress the need to rethink the relationship between data protection law and the right to private life, as enshrined in Article 8 of the European Convention on human rights and Article 7 of the European Charter of fundamental rights, in order to adequately confine DPI practices. As a result, it will also appear that the principle of technical neutrality underlying ISP's liability exemptions is misleading.     

From electronic health records to personal health records: emerging legal issues in the Italian regulation of e-health

In 2012, the Italian Legislator has provided an appropriate legal framework for the realisation of the national Electronic Health Records (EHR) system, in which the patient plays a pivotal role: with the implementation of the Fascicolo sanitario elettronico (FSE), patients will have access to their EHRs through the online platform, and decide which data to share and with whom. In this perspective, one of the most interesting innovations is the so-called ‘taccuino’, a digital space of patients’ FSE in which they can autonomously record data and information relating to their health. Patients’ ability to access their own health data and EHR at any time and to enter information by themselves in a personal area is a unique form of power at a European level, but their legal consequences are still vague. The aim of this contribution is to offer a first review of the Italian e-health reform, showing the most critical aspects.