Data protection: The future of privacy

The Art. 29 Working Party (hereinafter “Art. 29 WP”) is an influential body comprised of representatives from the Member State Data Protection Authorities² established under the Data Protection Directive 95/46/EC, has recently issued an opinion with the Working Party on Police and Justice. This is quite significant, since the opinion sets out some of the issues that will need to be addressed in the lead up to the revision of the Data Protection Directive 95/46/EC.³ This comes at a time, when there have been discussions on the current application of the European Data Protection Directive to the internet,⁴ (such as social networking) and the recent European Commission’s consultation on the legal framework for the fundamental right to protection of personal data. Not least, there have been a number of cases brought before the European Court of Justice dealing with the partial implementation of the Data Protection Directive 95/46/EC.⁵The aim of this paper is to consider in detail the issues set out by the Art. 29 WP and the likely challenges in revising the Data Protection Directive 95/46/EC.     

An international legal framework for data protection: Issues and prospects

The processing of personal data across national borders by both governments and the private sector has increased exponentially in recent years, as has the need for legal protections for personal data. This article examines calls for a global legal framework for data protection, and in particular suggestions that have been made in this regard by the International Law Commission and various national data protection authorities. It first examines the scope of a potential legal framework, and proceeds to analyze the status of data protection in international law. The article then considers the various options through which an international framework could be enacted, before drawing some conclusions about the form and scope such a framework could take, the institutions that could coordinate the work on it, and whether the time is ripe for a multinational convention on data protection.     

A comparison of data protection legislation and policies across the EU

Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement.The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protections authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not in all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.     

Personal data protection in employment: New legal challenges for Malaysia

The purpose of this article is to discuss and apply data protection principles in the context of employment. The Personal Data Protection Act (PDPA), passed by the Malaysian Parliament in 2010, has affected many aspects of life in Malaysia, including employment. Storage of data by employers is rampant. Management, as the data user, is duty bound to safeguard the employees' data according to the PDPA. Likewise, the employees, as data subjects, enjoy some rights under the PDPA. The author also examines issues of privacy law: whether such law exists in Malaysia and, if so, whether it can be reconciled with the PDPA's principles. The author adopts legal methodology anchored in exploratory analysis, with the legislative text as the main reference point.     

From ugly duckling to Swan. The rise of data protection and its limits

This article considers the development of data protection laws from a position on the periphery of legal consciousness to the situation where it is the subject of intensive legal and media publicity. Focusing on the recent controversies surrounding the use of Facebook apps for political purposes, the article will consider the role and limitations of data and privacy protection laws. The question will be posed – if not answered – whether national or regional laws can be effective in what increasingly is a global information society.     

论网络时代隐私权及其法律保护

随着网络规模的爆炸性扩张,计算机网络技术已经改变了人们传统的生存和生活方式,这也使得个人隐私权的保护受到前所未有的严峻挑战。个人数据被非法收集、储存、使用和传播的现象层出不穷,网络隐私权受到多方面的侵犯。我们应综合考虑目前的立法状况和网络时代侵犯隐私权的特征,借鉴他国的先进经验并结合我国具体国情,以国家立法与行业自律相结合的方式,全面保护公民的网络隐私权。     

Citizens' perceptions of data protection and privacy in Europe

Data protection and privacy gain social importance as technology and data flows play an ever greater role in shaping social structure. Despite this, understanding of public opinion on these issues is conspicuously lacking. This article is a meta-analysis of public opinion surveys on data protection and privacy focussed on EU citizens. The article firstly considers the understanding and awareness of the legal framework for protection as a solid manifestation of the complex concepts of data protection and privacy. This is followed by a consideration of perceptions of privacy and data protection in relation to other social goals, focussing on the most visible of these contexts–the debate surrounding privacy, data protection and security. The article then considers how citizens perceive the ‘real world’ environment in which data processing takes place, before finally considering the public's perception and evaluation of the operation of framework against environment.     

An overview of EU data protection rules on use of data collected online

In the third of our series of articles considering the EU’s limited harmonisation of the laws regulating the activities of businesses using the Internet, we look at EU rules on the use of data collected online. We consider the principles governing the processing of personal data collected online. We then discuss the new rules on the use of cookies and the practical difficulties facing website operators in complying with them and conclude with a brief overview of the rules governing the transfer of personal data outside the EEA.     

The canary in the data mine

The present article aims at portraying the type of profile best required to fulfil the function of a Data Protection Officer (DPO) within the EU public sector. The article proposes the idiom of the “canary in a coal mine” as best positioned to describe the multidisciplinary role of DPOs. Due to the particularity and sensitivity of their function, Data Protection Officers act as early indicators of data protection incompliance within their respective area of expertise. Only when being functionally independent, Data Protection Officers could master the role of “canaries in the data mine” thus preventing possible data protection breaches and violations.     

Privacy and the regulation of 2012

This paper explores the European Commission’s proposal for a new Regulation to update and reform data protection law in Europe. As regards the Regulation itself, without presenting an exhaustive analysis of all the provisions, this paper aims to highlight some significant changes proposed to the data protection regime by comparison between Directive 95/46 and the proposed Regulation. It takes particularly into account legislative innovation concerning data protection principles, data subjects’ rights, data controllers and data processors obligations, and the regulation of technologies. Before analyzing these innovations, it introduces some considerations about the Commission’s choice to use a Regulation instead of a Directive to harmonize national data protection regime.     

The Council of Europe Data Protection Convention reform: Analysis of the new text and critical comment on its global ambition

The year 2010 set an important milestone in the development of data protection law in Europe: both Europe's basic regulatory texts, the EU Data Protection Directive and the Council's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), were placed at an amendment process, having served individual data protection for many years and witnessed in the meantime technological developments that threatened to make their provisions obsolete. After briefly presenting Convention 108, the analysis that follows will highlight the Council's data protection system currently in effect as well as developments relating to the Convention's amendment so far with the aim of identifying improvements and shortcomings. While doing this two separate points of view shall be adopted: at first a micro point of view will attempt to identify improvements and shortcomings through an ‘insider’ perspective, that is, judging only the merits and difficulties of the draft text at hand. Afterwards a macroscopic view will be adopted, whereby strategic issues will be discussed pertaining to the important issue of the relationship of the suggested draft with the EU data protection system, as well as, the same draft's potential to constitute the next global information privacy standard.     

Data protection legislation: What is at stake for our society and democracy?

The author starts by questioning the main privacy challenges raised by our present and future information society viewed as a “global village”. Apart from a comparison with the traditional village of our parents, he identifies the two complementary and not dissociable facets of our privacy: the right to seclusion and the right to participate fully in our society. According to the first German Constitutional Court recognizing the right to informational self-determination as a new constitutional right, he underlines the need to analyse the data protection as a tool for ensuring both the citizens' dignity and our democracy.     

Regulating electronic identity in the European Union: An analysis of the Lisbon Treaty’s competences and legal basis for eID

This paper discusses the feasibility of EU legal action in the field of electronic identity (eID) within the new distribution of legal competences and the provision of novel legal basis engendered by the Treaty of Lisbon. The article attempts to find a ‘legal anchor’ to the idea of a pan-European electronic identity within EU law, looking at the issues of competences and legal basis. After examining various different areas of competence and the most feasible (and probable) candidates for a legal basis supporting an EU legal framework for eID, the paper argues that the latter should be found in the combination of Article 16 TFEU (concerning the right to the protection of personal data) with Article 3 TUE, and Articles 26 and 114 TFEU (concerning the establishment and functioning of the Internal Market), which also constitute the area of competence where an eID legal initiative can be pursued.     

Normative challenges of identification in the Internet of Things: Privacy,profiling, discrimination,and the GDPR

In the Internet of Things (IoT), identification and access control technologies provide essential infrastructure to link data between a user's devices with unique identities, and provide seamless and linked up services. At the same time, profiling methods based on linked records can reveal unexpected details about users' identity and private life, which can conflict with privacy rights and lead to economic, social, and other forms of discriminatory treatment. A balance must be struck between identification and access control required for the IoT to function and user rights to privacy and identity. Striking this balance is not an easy task because of weaknesses in cybersecurity and anonymisation techniques. The EU General Data Protection Regulation (GDPR), set to come into force in May 2018, may provide essential guidance to achieve a fair balance between the interests of IoT providers and users. Through a review of academic and policy literature, this paper maps the inherent tension between privacy and identifiability in the IoT. It focuses on four challenges: (1) profiling, inference, and discrimination; (2) control and context-sensitive sharing of identity; (3) consent and uncertainty; and (4) honesty, trust, and transparency. The paper will then examine the extent to which several standards defined in the GDPR will provide meaningful protection for privacy and control over identity for users of IoT. The paper concludes that in order to minimise the privacy impact of the conflicts between data protection principles and identification in the IoT, GDPR standards urgently require further specification and implementation into the design and deployment of IoT technologies.     

亲亲相隐及其在我国现代刑事法律中之活化

亲亲相隐是中国封建刑律的二项原则或制度,它在我国封建社会历朝历代的法律中都有规定.然而,令人遗憾的是,这一中华法系特有的价值理念,随着新中国的诞生,在我国现代刑事法律中却销声匿迹了.对亲亲相隐制度给予客观的评价,取其精华,去其糟粕,对完善我国现行刑事法律十分必要.     

Data protection by design and technology neutral law

This article argues that to achieve a technology neutral law, technology specific law is sometimes required. To explain this we discriminate between three objectives, often implied in the literature on technological neutrality of law. The first we call the compensation objective, which refers to the need to have technology specific law in place whenever specific technological designs threated the substance of human rights. The second we call the innovation objective, referring to the need to prevent legal rules from privileging or discriminating specific technological designs in ways that would stifle innovation. The third we call the sustainability objective, which refers to the need to enact legislation at the right level of abstraction, to prevent the law from becoming out of date all too soon. The argument that technology neutral law requires compensation in the form of technology specific law is built on a relational conception of technology, and we explain that though technology in itself is neither good nor bad, it is never neutral. We illustrate the relevance of the three objectives with a discussion of the EU cookie Directive of 2009. Finally we explain the salience of the legal obligation of Data Protection by Design in the proposed General Data Protection Regulation and test this against the compensation, innovation and sustainability objectives.     

论社会弱势群体的法律保护

弱势群体已成为当今社会的主要问题,保护弱势群体的权利是法律不可推卸的责任,在法律的各个环节都必须树立人权观念,坚持公平正义的法律价值观,解除社会危机的隐患,建立和谐、秩序的社会。     

试论《食品安全法》中关于消费者权益保护的欠缺

消费者是食品链中最大的群体。《食品安全法》的立法之本是为了保护消费者的安全,但是《食品安全法》在消费者权益保护方面却存在很多问题,比如,食品安全概念的狭隘,某些法条难以实施,与其它法律之间互相矛盾等。本文分析了《食品安全法》关于消费者权益保护的欠缺之处,并提出了修改建议。食品药品监督管理总局的成立及食品安全监管部门职能的调整改变了以前分段管理的模式,《食品安全法》要做相应的修改。希望在《食品安全法》的修订过程中可以加强对消费者权益的保护,增加该法的实用性。     

法家的法治学说以及现代借鉴意义

法家的法治学说随着秦亡而走向沉寂,但是为汉以后历代封建统治者以“阴法”的形式继承下来并揉入封建正统法律思想中支撑中华帝制长达两千余年。其中,一些合理的成分对我们现在的法治建设仍有借鉴意义。     

The necessity of the implementation of Privacy by Design in sectors where data protection concerns arise

This article examines the extent to which Privacy by Design can safeguard privacy and personal data within a rapidly evolving society. This paper will first briefly explain the theoretical concept and the general principles of Privacy by Design, as laid down in the General Data Protection Regulation. Then, by indicating specific examples of the implementation of the Privacy by Design approach, it will be demonstrated why the implementation of Privacy by Design is a necessity in a number of sectors where specific data protection concerns arise (biometrics, e-health and video-surveillance) and how it can be implemented.