A comparison of data protection legislation and policies across the EU

Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement.The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protections authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not in all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.     

Security policies and the weakening of personal data protection in the European Union

In recent years, the reinforcement of security policies alongside the expansion of information systems for law enforcement and crime prevention entailed growing restrictions to personal data protection principles and procedural rights in the European Union. This paper seeks to elucidate this trend, while matching it with an EU institutional discourse based on balancing and proportionality. Indeed, EU institutions regularly present security measures and fundamental rights as somewhat symmetric values to be easily conciliated through balancing and proportionality. Considering the raising of the protection of personal data to the status of a fundamental right by the Charter of Fundamental Rights, its effect on a possible rebalancing of the values at stake is discussed. Yet, we conclude, for the time being, the potential for just and democratic solutions provided by the ideas of balancing and proportionality does not appear to be properly used.     

The exploitation of Business Register data from a public sector information and data protection perspective: A case study

Business Registers (BRs) are a very important information resource for investors, creditors, financial institutions and public authorities. The possibility to aggregate and interconnect these data at a European level could enhance the transparency of companies towards those actors and add a great deal of value to the raw Business Register data. The European BRITE project intended to provide adequate tools to meet these demands. BRITE will provide easier access and cross-border interoperability of Business Register data throughout Europe. On the other hand, the processing of BR data within the BRs and BRITE triggers several important European legislations such as the Data Protection Directive and the Directive on the re-use of public sector information. In this paper, the processing of BR data will be analysed from the perspective of both data protection and public sector information laws, analysing as well the relation between both regulations. Do these regulations strike an optimal balance between the interests of private data vendors to re-use BR data and enhance business transparency and the need to protect the personal data of natural persons?     

Opening up personal data protection: A conceptual controversy

The existence of a fundamental right to the protection of personal data in European Union (EU) law is nowadays undisputed. Established in the EU Charter of Fundamental Rights in 2000, it is increasingly permeating EU secondary law, and is expected to play a key role in the future EU personal data protection landscape. The right's reinforced visibility has rendered manifest the co-existence of two possible and contrasting interpretations as to what it come to mean. If some envision it as a primarily permissive right, enabling the processing of such data under certain conditions, others picture it as having a prohibitive nature, implying that any processing of data is a limitation of the right, be it legitimate or illegitimate. This paper investigates existing tensions between different understandings of the right to the protection of personal data, and explores the assumptions and conceptual legacies underlying both approaches. It traces their historical lineages, and, focusing on the right to personal data protection as established by the EU Charter, analyses the different arguments that can ground contrasted readings of its Article 8. It also reviews the conceptualisations of personal data protection as present in the literature, and finally contrasts all these perspectives with the construal of the right by the EU Court of Justice.     

Legal protection of software—a global view from Japan

An investigation of legal measures for the protection of software reveals a number of important insights into the scope and nature of copyright. Rather than something unique for legal purposes, software and recorded media is actually familiar information. Hence, it is protectible by regular copyright. Regular copyright has two relatively distinct branches, in published and unpublished works. Despite the notion that copyright covers only mode of expression, it is actually applied to protect certain types of information content. As it is so applied, copyright in unpublished works transferred subject to restrictions on the use and disclosure of their information content is equivalent to trade secrecy in the American sense. The nature and scope of copyright is intrinsic and universal wherever it applies. It provides an ideal basis for a much needed international consensus on legal measures for protecting software program interests. It would be needlessly provocative for the USA to attempt to induce Japan or any other country to adopt trade secrecy in the American sense. Japanese support for a new program right as an alternative to copyright probably arose largely out of a lack of understanding of the scope and nature of copyright, especially in unpublished works. As it is applied, copyright generally is unfair competition law in the American sense. Applying it in that light, rather than as traditional copyright, provides wiser treatment of new phenomena that involve software programs, such as copying the structure and format of software programs.     

Encryption safe harbours and data breach notification laws

Data breach notification laws require organisations to notify affected persons or regulatory authorities when an unauthorised acquisition of personal data occurs. Most laws provide a safe harbour to this obligation if acquired data has been encrypted. There are three types of safe harbour: an exemption; a rebuttable presumption and factor-based analysis. We demonstrate, using three condition-based scenarios, that the broad formulation of most encryption safe harbours is based on the flawed assumption that encryption is the silver bullet for personal information protection. We then contend that reliance upon an encryption safe harbour should be dependent upon a rigorous and competent risk-based review that is required on a case-by-case basis. Finally, we recommend the use of both an encryption safe harbour and a notification trigger as our preferred choice for a data breach notification regulatory framework.     

South Africa's PNR regime: Privacy and data protection

There has been an increase in the collection and use of Passenger Name Record (PNR) data for security purposes globally. Though academic analysis of this trend has remained focused largely on the North American and European context, the Government of South Africa has been using PNRs since 2014 for security purposes. South Africa was the first country on the African continent to implement such a regime and is one of only thirteen states internationally to link its Advanced Passenger Information (API) and PNR systems. While there has been little attention on South Africa's use of PNRs, an inquiry into the country's PNR practices reveals striking privacy concerns, including the potential permanent retention of PNR data and a failure of the state to fully disclose if, and under what conditions, PNR data can be shared with other states. While South Africa has implemented a PNR regime that is comparable to the highest international standards, the data protection requirements appear to be far less developed. In fact, South Africa's PNR regime remains enigmatic as all indications and mention of PNR are elusive and scattered across government publications. As such, this paper aims to provide an introduction into the elements of South African PNR use, including the implications as they relate to law, data protection, and privacy.     

Perceptions of controllers on EU data protection reform: A Finnish perspective

Data protection regulations are undergoing a global reform. The European Commission proposed a reform of the EU data protection framework in 2012. One major driver for the reform has been the research on the consumer perceptions indicating that the consumers are worried about their personal privacy. However, there has been practically no research on perceptions of companies (the controllers of the personal data) and on the data protection reform. This research analyses the awareness and the willingness to act towards compliance regarding the proposed General Data Protection Regulation (GDPR) in Finland in 2013. The GDPR will replace the Finnish Personal Data Act and therefore plays a central role in the Finnish privacy regulation. This research found that the general level of awareness was low: only 43% of the controllers were aware of the forthcoming reform. The willingness to act or to take steps towards the compliance was even lower: 31% of controllers said that they are planning to act towards compliance during this year. These results indicate that the companies are quite unfamiliar with the reform that correlates with other relevant studies in Europe. Personal data are said to be the oil of the digital economy, the hottest commodity of the market today. There are companies that understand this, but the majority seems to ignore this at least what comes to their awareness regarding the reform, even the reform captures many of the best practices regarding processing of personal data.     

It depends whose data are being shared: considerations for genomic data sharing policies

There is an urgent need for consistent data sharing policies that promote the advancement of science while respecting the values and interests of those providing their genetic data for research. Responding to the article of Jalayne J. Arias, Genevieve Pham-Kanter, and Eric G. Campbell, ‘The Growth and Gaps of Genetic Data Sharing Policies in the United States’, this commentary further explores the challenges of human subjects’ protection in existing data sharing policies. We will elaborate on the need for data sharing policies to accommodate variation in individual and group preferences around data sharing and privacy concerns by comparing our previously published data on patients’ and parents’ consent to data sharing and attitudes about privacy to data from focus groups with HIV-positive, underserved individuals who were asked about their willingness to participate in genetic research and share their data broadly. These studies support the observation of Arias, Pham-Kanter, and Campbell that researchers, and funding agencies will need to balance the privacy interests of groups as well as individuals in future genomic data sharing policies.     

Dualism in data protection: Balancing the right to personal data and the data property right

This paper explores the issues surrounding the right to personal data and the data property right in the context of commercial transactions involving big data, and will thus inform the ongoing drafting process of the Chinese Civil Code and development of a commercial data market in China. The analysis herein attempts to break through the traditional concept of ‘property’ with the aim of helping China to develop a modern information society, devise a property law theory suitable for the big data era, and improve the level of protection afforded to rights and legitimate interests in data. To date, no comprehensive study has focused on developing a proper understanding of the concept of ‘data property rights’, and hence we lack the solid theoretical support needed to construct a proper protective system for such rights. This paper offers the first systematic study of the rules pertaining to data property rights, thereby enriching the theory of such rights and serving as a theoretical basis for the enactment of a civil code that protects citizens’ legal rights and interests in the information society. It also offers a thorough discussion of how to construct a data property protection system, thereby providing an ideal reference model for enactment of the Chinese Civil Code.     

Big genetic data and its big data protection challenges

The use of various forms of big data have revolutionised scientific research. This includes research in the field of genetics in areas ranging from medical research to anthropology. Developments in this area have inter alia been characterised by the ability to sequence genome wide sequences (GWS) cheaply, the ability to share and combine with other forms of complimentary data and ever more powerful processing techniques that have become possible given tremendous increases in computing power. Given that many if not most of these techniques will make use of personal data it is necessary to take into account data protection law. This article looks at challenges for researchers that will be presented by the EU's General Data Protection Regulation, which will be in effect from May 2018. The very nature of research with big data in general and genetic data in particular means that in many instances compliance will be onerous, whilst in others it may even be difficult to envisage how compliance may be possible. Compliance concerns include issues relating to ‘purpose limitation’, ‘data minimisation’ and ‘storage limitation’. Other requirements, including the need to facilitate data subject rights and potentially conduct a Data Protection Impact Assessment (DPIA) may provide further complications for researchers. Further critical issues to consider include the choice of legal base: whether to opt for what is often seen as the ‘default option’ (i.e. consent) or to process under the so called ‘scientific research exception’. Each presents its own challenges (including the likely need to gain ethical approval) and opportunities that will have to be considered according to the particular context in question.