On defense of “ethification” of law: How ethics may improve compliance with the EU digital laws

In recent years, academics and professionals witness the rise of the “ethification” of law, specifically in the area of ICT law. Ethification shall be understood as a proliferation of moral principles and moral values in the legal discourse within the areas of research, innovation governance, or directly enforceable rules in the industry. Although the ethical considerations may seem distant from mere regulatory compliance, the opposite is true. The article focuses on the positive side of the “ethification” of digital laws through the lens of legal requirements for impact assessments pursuant to General Data Protection Regulation and conformity assessments in the proposal for the Artificial Intelligence Act. Authors argue that ethical considerations are often absent in the context of using new technologies including artificial intelligence, yet they may provide additional value for organizations and society as a whole. Additionally, carrying out ethics-based assessments is already in line with existing regulatory requirements in the fields of data protection law and proposed EU AI regulation. These arguments are reflected in the context of facial recognition technology, where both data protection impact assessment under the EU General Data Protection Regulation and conformity assessment under the proposal of the EU Artificial Intelligence Act will be mandatory. Facial recognition technology is analyzed through the ethics-based assessment involving stakeholder analysis, data flows map, and identification of risks and respective countermeasures to show additional insights that ethics provides beyond regulatory requirements.     

The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals

The recent release by the European Commission of the first drafts for the amendment of the EU data protection regulatory framework is the culmination of a consulting and preparation process that lasted more than two years. At the same time, it opens up a law-making process that is intended to take at least as much time. The Commission has undertaken the herculean task to amend the whole EU data protection edifice, through the introduction of a General Data Protection Regulation, intended to replace the EU Data Protection Directive 95/46/EC, and a Police and Criminal Justice Data Protection Directive, intended to replace the Framework Decision 2008/977/JHA. This paper shall focus at the replacement of the EU Data Protection Directive by the draft General Data Protection Regulation. Due to the fact that the draft Regulation is a long (and ambitious) text, a selection has been made, with the aim of highlighting its treatment of basic data protection principles and elements, in order to identify merits and shortcomings for the general data protection purposes.     

The General Data Protection Regulation and the rise of certification as a regulatory instrument

The endorsement of certification in Article 42 and 43 of the General Data Protection Regulation (hereinafter GDPR) extends the scope of this procedure to the enforcement of fundamental rights. The GDPR also leverages the high flexibility of this procedure to make of certification something else than a voluntary process attesting the conformity with technical standards. This paper argues that the GDPR turned certification into a new regulatory instrument in data protection, I suggest to call it monitored self-regulation, seeking to fill the gap between self-regulation and traditional regulation in order to build a regulation continuum.     

数据迁移权及其本土化路径研究--以数据竞争为视角

《欧盟一般数据保护条例》(GDPR)率先在个人数据领域赋予数据主体数据迁移权,成为全球数据保护的立法标杆。数据迁移权的诞生为企业参与数据竞争正向赋能,企业竞争中也存在诸多数据迁移障碍。本文结合欧盟数据迁移权的相关规定,以数据、数据迁移权和数据竞争三要素之间的互动关系为进路,通过剖析数据迁移对企业竞争和创新发展的双向反馈,认为我国不应急于实施数据迁移权,而是将数据迁移权定性为一种柔性权利,按照"三阶段五步骤"的路径规划,逐步建立符合我国国情的数据迁移制度。     

European Data Protection Regulation and Online New Media: Mind the Enforcement Gap

Data Protection Authorities (DPAs) play a critical role in shaping and applying the regulation applicable to online media expression within the European Economic Area. Drawing on seven ubiquitous types of online new media actors, a comprehensive survey of these authorities was undertaken. It found that European DPAs generally adopt an expansive interpretation of data protection and a constrained understanding of freedom of expression in this space. In contrast, data protection enforcement is weak and lacking in harmonization. Except for street mapping services, each type of online media actor had only faced relevant enforcement action from a minority of these agencies. DPA financial resourcing is very limited. Notwithstanding the development of DPA ‘network governance’, only DPAs with a particularly extensive interpretative stance proved likely to have engaged in extensive enforcement activity. It remains unclear what difference the General Data Protection Regulation will make to resolving this enforcement gap and its related problems.     

Building up the “Accountable Ulysses” model. The impact of GDPR and national implementations,ethics, and health-data research: Comparative remarks

The paper illustrates obligations emerging under articles 9 and 89 of the EU Reg. 2016/679 (General Data Protection Regulation, hereinafter “GDPR”) within the health-related data processing for research purposes. Furthermore, through a comparative analysis of the national implementations of the GDPR on the topic, the paper highlights few practical issues that the researcher might deal with while accomplishing the GDPR obligations and the other ethical requirements. The result of the analyses allows to build up a model to achieve an acceptable standard of accountability in health-related data research. The legal remarks are framed within the myth of Ulysses.     

Technological innovation within the Spanish tax administration and data subjects' right to access: An opportunity knocks

In this paper, we analyse the data subjects' right to access their personal data in the context of the Spanish Tax Administration and the legal consequences of the upcoming General Data Protection Regulation. The results show that there are still difficulties related to the scope of this right, the establishment of proper storage criteria, and in the procedures used by the data controllers to provide accurate information to the data subjects. This situation highlights the necessity to incorporate such technological innovation as metadata labelling and automatic computerised procedures to ensure an optimum management of the data subjects' access to their tax related personal information.     

The EU Proposal for a General Data Protection Regulation and the roots of the ‘right to be forgotten’

The EU Proposal for a General Data Protection Regulation has caused a wide debate between lawyers and legal scholars and many opinions have been voiced on the issue of the right to be forgotten. In order to analyse the relevance of the new rule provided by Article 17 of the Proposal, this paper considers the original idea of the right to be forgotten, pre-existing in both European and U.S. legal frameworks. This article focuses on the new provisions of Article 17 of the EU Proposal for a General Data Protection Regulation and evaluates its effects on court decisions. The author assumes that the new provisions do not seem to represent a revolutionary change to the existing rules with regard to the right granted to the individual, but instead have an impact on the extension of the protection of the information disseminated on-line.     

The necessity of the implementation of Privacy by Design in sectors where data protection concerns arise

This article examines the extent to which Privacy by Design can safeguard privacy and personal data within a rapidly evolving society. This paper will first briefly explain the theoretical concept and the general principles of Privacy by Design, as laid down in the General Data Protection Regulation. Then, by indicating specific examples of the implementation of the Privacy by Design approach, it will be demonstrated why the implementation of Privacy by Design is a necessity in a number of sectors where specific data protection concerns arise (biometrics, e-health and video-surveillance) and how it can be implemented.     

Cross border data transfer: Complexity of adequate protection and its exceptions

The majority of the fear that exists about the cloud arises due to the lack of transparency in the cloud. Fears have persisted in relation to how the data are frequently transferred in a cloud for various purposes which includes storing and processing. This is because the level of protection differs between countries and cloud users who belong to countries which provide a high level of protection will be less in favour of transfers that reduce the protection that was originally accorded to their data. Hence, to avoid client dissatisfaction, the Data Protection Directive has stated that such transfers are generally prohibited unless the country that data is being transferred to is able to provide ‘appropriate safeguards’. This article will discuss the position of the Data Protection Directive and how the new General Data Protection Regulation differs from this Directive. This involves the discussion of the similarity as well as the differences of the Directive and Regulation. In summary, it appears that the major principles of the cross border transfer are retained in the new regulation. Furthermore, the article discusses the exceptions that are provided in the standard contractual clause and the reason behind the transition from Safe Harbor to the new US-EU Privacy Shield. This article subsequently embarks on the concept of Binding Corporate Rule which was introduced by the working party and how the new regulation has viewed this internal rule in terms of assisting cross border data transfer. All the issues that will be discussed in this article are relevant in the understanding of cross border data transfer.     

Privacy and security by design: Comparing the EU and Israeli approaches to embedding privacy and security

Policymakers in the European Union and Israel are searching for regulatory strategies on how to best protect their citizens informational privacy. More recently, the focus has shifted towards Privacy and Security by Design as a mean to address current privacy concerns. While Privacy and Security by Design in itself is not a new idea, its implementation has taken new forms within the General Data Protection Regulation, as well as in various Israeli laws, inter alia, the Privacy Protection Regulations on Data Security. In this article we first analyse these implementations of Privacy and Security by Design and then compare the European and Israeli approaches with one another. We address the question of which approach provides more guidance to developers with respect on how to embed Privacy and Security by Design measures into new services and products. We conclude by pointing to empirical research needed to further analyse the impact of the two different regulatory strategies.     

AI research and data protection: Can the same rules apply for commercial and academic research under the GDPR?

The paper examines how the EU General Data Protection Regulation (GDPR) is applied to the development of AI products and services, drawing attention to the differences between academic and commercial research. The GDPR aims to encourage innovation by providing several exemptions from its strict rules for scientific research. Still, the GDPR defines scientific research in a broad manner, which includes academic and commercial research. However, corporations conducting commercial research might not have in place a similar level of ethical and institutional safeguards as academic researchers. Furthermore, corporate secrecy and opaque algorithms in AI research might pose barriers to oversight. The aim of this paper is to stress the limits of the GDPR research exemption and to find the proper balance between privacy and innovation. The paper argues that commercial AI research should not benefit from the GDPR research exemption unless there is a public interest and has similar safeguards to academic research, such as review by research ethics committees. Since the GDPR provides this broad exemption, it is crucial to clarify the limits and requirements of scientific research, before the application of AI drastically transforms this field.     

Accountability for the use of algorithms in a big data environment

ABSTRACT

Accountability is the ability to provide good reasons in order to explain and to justify actions, decisions and policies for a (hypothetical) forum of persons or organisations. Since decision-makers, both in the private and in the public sphere, increasingly rely on algorithms operating on Big Data for their decision-making, special mechanisms of accountability concerning the making and deployment of algorithms in that setting become gradually more urgent. In the upcoming General Data Protection Regulation, the importance of accountability and closely related concepts, such as transparency, as guiding protection principles, is emphasised. Yet, the accountability mechanisms inherent in the regulation cannot be appropriately applied to algorithms operating on Big Data and their societal impact. First, algorithms are complex. Second, algorithms often operate on a random group level, which may pose additional difficulties when interpreting and articulating the risks of algorithmic decision-making processes. In light of the possible significance of the impact on human beings, the complexities and the broader scope of algorithms in a big data setting call for accountability mechanisms that transcend the mechanisms that are now inherent in the regulation.     

Data protection by design and technology neutral law

This article argues that to achieve a technology neutral law, technology specific law is sometimes required. To explain this we discriminate between three objectives, often implied in the literature on technological neutrality of law. The first we call the compensation objective, which refers to the need to have technology specific law in place whenever specific technological designs threated the substance of human rights. The second we call the innovation objective, referring to the need to prevent legal rules from privileging or discriminating specific technological designs in ways that would stifle innovation. The third we call the sustainability objective, which refers to the need to enact legislation at the right level of abstraction, to prevent the law from becoming out of date all too soon. The argument that technology neutral law requires compensation in the form of technology specific law is built on a relational conception of technology, and we explain that though technology in itself is neither good nor bad, it is never neutral. We illustrate the relevance of the three objectives with a discussion of the EU cookie Directive of 2009. Finally we explain the salience of the legal obligation of Data Protection by Design in the proposed General Data Protection Regulation and test this against the compensation, innovation and sustainability objectives.     

Do algorithms dream of ‘data’ without bodies?

ABSTRACT

The question whether algorithms dream of ‘data’ without bodies is asked with the intention of highlighting the material conditions created by wearables for fitness and health, reveal the underlying assumptions of the platform economy regarding individuals’ autonomy, identities and preferences and reflect on the justifications for intervention under the General Data Protection Regulation. The article begins by highlighting key features of platform infrastructures and wearables in the health and fitness landscape, explains the implications of algorithms automating, what can be described as ‘rituals of public and private life’ in the health and fitness domain, and proceeds to consider the strains they place on data protection law. It will be argued that technological innovation and data protection rules played a part in setting the conditions for the mediated construction of meaning from bodies of information in the platform economy.     

The new EU cybersecurity framework: The NIS Directive,ENISA's role and the General Data Protection Regulation

The NIS Directive is the first horizontal legislation undertaken at EU level for the protection of network and information systems across the Union. During the last decades e-services, new technologies, information systems and networks have become embedded in our daily lives. It is by now common knowledge that deliberate incidents causing disruption of IT services and critical infrastructures constitute a serious threat to their operation and consequently to the functioning of the Internal Market and the Union. This paper first discusses the Directive's addressees particularly with regard to their compliance obligations as well as Member States’ obligations as regards their respective national strategies and cooperation at EU level. Subsequently, the critical role of ENISA in implementing the Directive, as reinforced by the proposal for a new Regulation on ENISA (the EU Cybersecurity Act), is brought forward, before elaborating upon the, inevitable, relationship of the NIS Directive with EU's General Data Protection Regulation.     

Will the European Commission be able to standardise legal technology design without a legal method?

Privacy by Design (PbD) is a kind of precautionary legal technology design. It takes opportunities for fundamental rights without creating risks for them. Now the EU Commission “promised” to implement PbD with Art. 23(4) of its proposal of a General Data Protection Regulation. It suggests setting up a committee that can define technical standards for PbD. However the Commission did not keep its promise. Should it be left to the IT security experts who sit in the committee but do not have the legal expertise, to decide on our privacy or, by using overly detailed specifications, to prevent businesses from marketing innovative products? This paper asserts that the Commission's implementation of PbD is not acceptable as it stands and makes positive contributions for the work of a future PbD committee so that the Commission can keep its promise to introduce precautionary legal technology design.     

The right to data portability in the GDPR: Towards user-centric interoperability of digital services

The right to data portability is one of the most important novelties within the EU General Data Protection Regulation, both in terms of warranting control rights to data subjects and in terms of being found at the intersection between data protection and other fields of law (competition law, intellectual property, consumer protection, etc.). It constitutes, thus, a valuable case of development and diffusion of effective user-centric privacy enhancing technologies and a first tool to allow individuals to enjoy the immaterial wealth of their personal data in the data economy. Indeed, a free portability of personal data from one controller to another can be a strong tool for data subjects in order to foster competition of digital services and interoperability of platforms and in order to enhance controllership of individuals on their own data. However, the adopted formulation of the right to data portability in the GDPR could benefit from further clarification: several interpretations are possible, particularly with regard to the object of the right and its interrelation with other rights, potentially leading to additional challenges within its technical implementation. The aim of this article is to propose a first systematic interpretation of this new right, by suggesting a pragmatic and extensive approach, particularly taking advantage as much as possible of the interrelationship that this new legal provision can have with regard to the Digital Single Market and the fundamental rights of digital users. In sum, the right to data portability can be approximated under two different perspectives: the minimalist approach (the adieu scenario) and the empowering approach (the fusing scenario), which the authors consider highly preferable.     

Data processing by police and criminal justice authorities in Europe – The influence of the Commission's draft on the national police laws and laws of criminal procedure

The proposal for a fundamental reform of the European data protection law, published by the EU Commission on 25 January 2012 is composed of two elements. Apart from a General Data Protection Regulation, the Commission proposes a second regulatory instrument, namely a Directive with regard to data processing by police and criminal justice authorities that shall supersede the Council Framework Decision 2008/977/JHA. This paper seeks to analyse the draft Directive in the context of the entire reform approach and scrutinizes a number of specific issues in regard to the scope, the requirements of data processing, notification duties and data transfer to third countries.     

Perceptions of controllers on EU data protection reform: A Finnish perspective

Data protection regulations are undergoing a global reform. The European Commission proposed a reform of the EU data protection framework in 2012. One major driver for the reform has been the research on the consumer perceptions indicating that the consumers are worried about their personal privacy. However, there has been practically no research on perceptions of companies (the controllers of the personal data) and on the data protection reform. This research analyses the awareness and the willingness to act towards compliance regarding the proposed General Data Protection Regulation (GDPR) in Finland in 2013. The GDPR will replace the Finnish Personal Data Act and therefore plays a central role in the Finnish privacy regulation. This research found that the general level of awareness was low: only 43% of the controllers were aware of the forthcoming reform. The willingness to act or to take steps towards the compliance was even lower: 31% of controllers said that they are planning to act towards compliance during this year. These results indicate that the companies are quite unfamiliar with the reform that correlates with other relevant studies in Europe. Personal data are said to be the oil of the digital economy, the hottest commodity of the market today. There are companies that understand this, but the majority seems to ignore this at least what comes to their awareness regarding the reform, even the reform captures many of the best practices regarding processing of personal data.