Data Protection Impact Assessment: A tool for accountability and the unclarified concept of ‘high risk’ in the General Data Protection Regulation

Article 35 of the GDPR introduces the legal obligation to perform DPIAs in cases where the processing operations are likely to present high risks to the rights and freedoms of natural persons. This obligation is part of a change of approach in the GDPR towards a modified compliance scheme in terms of a reinforced principle of accountability. The DPIA is a prominent example of this approach given that it has an inclusive, comprehensive and proactive nature. Its importance lies in the fact that it forces data controllers to identify, assess and ultimately manage the high risks to the rights and freedoms. However, what is first and foremost important for a meaningful performance of DPIAs, is to have a common and objective understanding of what constitutes a risk in the field of data protection and of how to assess its likelihood and severity. The legislature has approached these concepts via the method of denotation, meaning by giving examples of (highly) risky processing operations. This article suggests a complementary approach, the connotation of these concepts and explains the added value of such a method. By way of a case-study the article also demonstrates the importance of performing complete and accurate DPIAs, in terms of contributing to improving the protection of personal data.     

Data retention in the UK: Pragmatic and proportionate,or a step too far?

On 6 April 2009 new legislation came into force, for the first time putting Internet service providers' duty to retain significant amounts of data (relating to customers' email and Internet usage) on a compulsory, as opposed to a voluntary footing. It is a topic which has provoked intense protest from the privacy lobby and fuelled months of “Big Brother” headlines in the press. For the industry it raises operational challenges – how to facilitate storage and retrieval of colossal amounts of data. In this article we consider the policy background to the regime, the detail of the UK implementation and the practical implications for communications service providers. We weigh up the privacy and human rights concerns against the business case put forward by the Government. We also examine the Government's proposals – announced at the end of April – to significantly extend and “future proof” this regime in the form of its Intercept Modernisation Programme.     

Financial Torts and Investor Protection: Is the Europeanisation of Third State Cases a Viable Solution?

Due to the growing globalisation of financial markets, non-EU market operators which act outside the EU are increasingly causing direct harm to European investors. This issue, and its relevant impact on investor protection, has already been considered by the European legislature at the substantive level. This article seeks to demonstrate that, at the private international law level, the Europeanisation of third state cases would increase both the degree of investor protection and investors’ equal access to justice. Focusing exclusively on financial torts, the advantages arising from the application of Brussels I bis heads of jurisdiction to non-EU defendants are assessed with regard to insider trading and Credit Rating Agency liability cases. The paper also examines the main critical elements related to such an extension of the Brussels I bis regime, especially from a systematic perspective, and suggests possible future approaches to this issue.

     

Default entitlements in personal data in the proposed Regulation: Informational self-determination off the table … and back on again?

This paper aims to assess the proposed General Data Protection Regulation through the framework of default entitlements in personal data. The notion of default entitlements comes from economic analysis of law and provides new insights into the implications of the data protection reform. While, under the principle of informational self-determination the default entitlements should lie with the individual, the Commission is shown to assign a great deal of default rights to others, including the Information Industry. This article cautions against the possibility of reducing the European system of data protection rooted in the values of individual autonomy and informational self-determination to a mere set of administrative rules channelling the flow of personal data, yet without a clear direction.     

The economic costs and consequences of mass communications data retention: is the data retention directive a proportionate measure?

This article seeks to determine the economic costs and consequences of implementing the Data Retention Directive (Directive 2006/24/EC), an extraordinary counter terrorism measure that mandates the a priori retention of communications data on every European citizen, by drawing on the insights of economic analysis. It also explores the monetary costs of the Directive on subscribers and communications service providers of Member States within the EU. Furthermore, it examines the implications of the Directive on the economic sector of the European Union, by focusing on the Directive’s impact on EU competitiveness and other EU policies such as the Lisbon Strategy. This analysis is motivated by the following questions: what are the monetary costs of creating and maintaining the proposed database for data retention? What are the effects of these measures on individuals? What obstacles arise for the global competitiveness of EU telecommunications and electronic communications service providers as a result of these measures? Are other policies in the European Union affected by this measure? If so, which ones?     

The EU Illegal,Unreported, and Unregulated Fishing Regulation Based on Trade and Market-Related Measures: Unilateralism or a Model Law?

The problem of illegal, unreported, and unregulated fishing is well recognized, yet conventional monitoring, control, and surveillance mechanisms administered by coastal and flag states have so far achieved limited success. The EU IUU Regulation is one of the most recent instances of trade and marketplace measures being implemented at the domestic rule level to block out IUU-caught fish. It aims at preventing any harvesting, processing, and re-exporting states from the circumvention of internationally agreed fisheries management goals. The immediate question for international law is whether unilaterally created trade-restrictive measures would affect the development of a truly global strategy to combat IUU fishing as a global activity. This article responds to the inquiry by exploring the potential and legitimacy limitations for domestic trade regulation to be effective and fairly nondiscriminatory. It draws on the regime theory to provide further insights into the ways of reconciling and synergizing disparate fisheries and trade management systems.     

Smoke Free? Public Health Policy,Coercive Paternalism,and the Ethics of Long-Game Regulation

Contemporary public health advocacy promotes a ‘fifth wave of public health’: a ‘cultural’ shift wherein the public's health becomes recognized as a common good, to be realized through concerted developments in the institutional, social, and physical environments. With reference to examples from anti-tobacco policy, in this article I critically examine the fifth-wave agenda in England. I explore it as an approach that, in the face of liberal individualism, works through a ‘long-game’ method of progressive social change. Given the political context, and a predominant concern with narrow understandings of legal coercion, I explain how efforts are made to apply what are presented as less ethically contentious framings of regulatory methods, such as are provided by ‘libertarian paternalism’ (‘nudge theory’). I argue that these fail as measures of legitimacy for long-game regulation: the philosophical foundations of public health laws require a greater – and more obviously contestable, but also more ambitious – critical depth.