A comparison of data protection legislation and policies across the EU

Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement.The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protections authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not in all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.     

Perceptions of controllers on EU data protection reform: A Finnish perspective

Data protection regulations are undergoing a global reform. The European Commission proposed a reform of the EU data protection framework in 2012. One major driver for the reform has been the research on the consumer perceptions indicating that the consumers are worried about their personal privacy. However, there has been practically no research on perceptions of companies (the controllers of the personal data) and on the data protection reform. This research analyses the awareness and the willingness to act towards compliance regarding the proposed General Data Protection Regulation (GDPR) in Finland in 2013. The GDPR will replace the Finnish Personal Data Act and therefore plays a central role in the Finnish privacy regulation. This research found that the general level of awareness was low: only 43% of the controllers were aware of the forthcoming reform. The willingness to act or to take steps towards the compliance was even lower: 31% of controllers said that they are planning to act towards compliance during this year. These results indicate that the companies are quite unfamiliar with the reform that correlates with other relevant studies in Europe. Personal data are said to be the oil of the digital economy, the hottest commodity of the market today. There are companies that understand this, but the majority seems to ignore this at least what comes to their awareness regarding the reform, even the reform captures many of the best practices regarding processing of personal data.     

Ownership of personal data in the Internet of Things

This article analyses, defines, and refines the concepts of ownership and personal data to explore their compatibility in the context of EU law. It critically examines the traditional dividing line between personal and non-personal data and argues for a strict conceptual separation of personal data from personal information. The article also considers whether, and to what extent, the concept of ownership can be applied to personal data in the context of the Internet of Things (IoT). This consideration is framed around two main approaches shaping all ownership theories: a bottom-up and top-down approach. Via these dual lenses, the article reviews existing debates relating to four elements supporting introduction of ownership of personal data, namely the elements of control, protection, valuation, and allocation of personal data. It then explores the explanatory advantages and disadvantages of the two approaches in relation to each of these elements as well as to ownership of personal data in IoT at large. Lastly, this article outlines a revised approach to ownership of personal data in IoT that may serve as a blueprint for future work in this area and inform regulatory and policy debates.     

The exploitation of Business Register data from a public sector information and data protection perspective: A case study

Business Registers (BRs) are a very important information resource for investors, creditors, financial institutions and public authorities. The possibility to aggregate and interconnect these data at a European level could enhance the transparency of companies towards those actors and add a great deal of value to the raw Business Register data. The European BRITE project intended to provide adequate tools to meet these demands. BRITE will provide easier access and cross-border interoperability of Business Register data throughout Europe. On the other hand, the processing of BR data within the BRs and BRITE triggers several important European legislations such as the Data Protection Directive and the Directive on the re-use of public sector information. In this paper, the processing of BR data will be analysed from the perspective of both data protection and public sector information laws, analysing as well the relation between both regulations. Do these regulations strike an optimal balance between the interests of private data vendors to re-use BR data and enhance business transparency and the need to protect the personal data of natural persons?     

Medicaid program; coverage of personal care services--HCFA. Final rule

This final rule specifies the revised requirements for Medicaid coverage of personal care services furnished in a home or other location as an optional benefit, effective for services furnished on or after October 1, 1994. In particular, this final rule specifies that personal care services may be furnished in a home or other location by any individual who is qualified to do so. This rule conforms the Medicaid regulations to the provisions of section 13601(a)(5) of the Omnibus Budget Reconciliation Act of 1993, which added section 1905(a)(24) to the Social Security Act. Additionally, we are making two minor changes to the Medicaid regulations concerning home health services.     

Trust,vulnerable populations,and genetic data sharing

Recent policies and proposed regulations, including the Notice of Proposed Rulemaking for the Common Rule and the 2014 NIH Genetic Data Sharing Policy, seek to improve research subject protections. Protections for subjects whose genetic data is shared are critical to reduce risks such as loss of confidentiality, stigma, and discrimination. In the article ‘It depends whose data are being shared: considerations for genomic data sharing policies’, Robinson et al. provide a response to our article, ‘The Growth and Gaps of Genetic Data Sharing Policies’. Robinson et al. highlight the importance of individual and group preferences. In this article, we extend the conversation on models for improving protections which will mitigate consequences for individuals and groups that are vulnerable to stigma and discrimination.     

Medical devices; hearing aids; technical data amendments. Direct final rule

The Food and Drug Administration (FDA) is amending its regulations governing hearing aid labeling to reference the most recent version of the consensus standard used to determine the technical data to be included in labeling for hearing aids. We are amending the regulations to require that manufacturers may use state-of-the-art methods to provide technical data in hearing aid labeling. FDA is also amending the regulations to update an address and remove an outdated requirement. FDA is amending the regulations in accordance with its direct final rule procedures. Elsewhere in this issue of the Federal Register, we are publishing a companion proposed rule under FDA's usual procedures for notice and comment rulemaking to provide a procedural framework to finalize the rule in the event we receive a significant adverse comment and withdraw this direct final rule.     

Big genetic data and its big data protection challenges

The use of various forms of big data have revolutionised scientific research. This includes research in the field of genetics in areas ranging from medical research to anthropology. Developments in this area have inter alia been characterised by the ability to sequence genome wide sequences (GWS) cheaply, the ability to share and combine with other forms of complimentary data and ever more powerful processing techniques that have become possible given tremendous increases in computing power. Given that many if not most of these techniques will make use of personal data it is necessary to take into account data protection law. This article looks at challenges for researchers that will be presented by the EU's General Data Protection Regulation, which will be in effect from May 2018. The very nature of research with big data in general and genetic data in particular means that in many instances compliance will be onerous, whilst in others it may even be difficult to envisage how compliance may be possible. Compliance concerns include issues relating to ‘purpose limitation’, ‘data minimisation’ and ‘storage limitation’. Other requirements, including the need to facilitate data subject rights and potentially conduct a Data Protection Impact Assessment (DPIA) may provide further complications for researchers. Further critical issues to consider include the choice of legal base: whether to opt for what is often seen as the ‘default option’ (i.e. consent) or to process under the so called ‘scientific research exception’. Each presents its own challenges (including the likely need to gain ethical approval) and opportunities that will have to be considered according to the particular context in question.     

Data breaches. Interim final rule

This document establishes regulations to address data breaches regarding sensitive personal information that is processed or maintained by the Department of Veterans Affairs (VA). The regulations implement certain provisions of Title IX of the Veterans Benefits, Health Care, and Information Technology Act of 2006, which require promulgation of these regulations as an interim final rule.     

Data breaches. Final rule

This document adopts, without change, the interim final rule that was published in the Federal Register on June 22, 2007, addressing data breaches of sensitive personal information that is processed or maintained by the Department of Veterans Affairs (VA). This final rule implements certain provisions of the Veterans Benefits, Health Care, and Information Technology Act of 2006. The regulations prescribe the mechanisms for taking action in response to a data breach of sensitive personal information.     

Dissolving privacy,one merger at a time: Competition,data and third party tracking

Amid growing concern about the use and abuse of personal data over the last decade, there is an emerging suggestion that regulators may need to turn their attention towards the concentrations of power deriving from large-scale data accumulation. No longer the preserve of data protection or privacy law, personal data is receiving attention within competition and antitrust law. Recent mergers and acquisitions between large digital technology platforms have raised important questions about how these different areas intersect and how they can complement one another in order to protect consumer welfare while ensuring competitive markets.This paper draws attention to one particularly complicated kind of digital data-intensive industry: that of third party tracking, in which a firm does not (only or primarily) collect and process personal data of its own customers or users, but rather data from the users of other ‘first party’ services. Mergers and acquisitions between firms active in the third party tracking industry raise unique challenges for privacy and fundamental rights which are often missed in regulatory decisions and academic discussions of data and market concentration. In this paper, we combine empirical and normative insights to shed light on the role of competition regulators in addressing the specific challenges of mergers and acquisitions in the third party tracking industry. After critically assessing some of the US and EU case law in this area, we argue that a bolder approach is needed; one that engages in a pluralist analysis of economic and noneconomic concerns about concentrations of power and control over data.     

Vulnerable data subjects

Discussion about vulnerable individuals and communities spread from research ethics to consumer law and human rights. According to many theoreticians and practitioners, the framework of vulnerability allows formulating an alternative language to articulate problems of inequality, power imbalances and social injustice. Building on this conceptualisation, we try to understand the role and potentiality of the notion of vulnerable data subjects. The starting point for this reflection is wide-ranging development, deployment and use of data-driven technologies that may pose substantial risks to human rights, the rule of law and social justice. Implementation of such technologies can lead to discrimination systematic marginalisation of different communities and the exploitation of people in particularly sensitive life situations. Considering those problems, we recognise the special role of personal data protection and call for its vulnerability-aware interpretation. This article makes three contributions. First, we examine how the notion of vulnerability is conceptualised and used in the philosophy, human rights and European law. We then confront those findings with the presence and interpretation of vulnerability in data protection law and discourse. Second, we identify two problematic dichotomies that emerge from the theoretical and practical application of this concept in data protection. Those dichotomies reflect the tensions within the definition and manifestation of vulnerability. To overcome limitations that arose from those two dichotomies we support the idea of layered vulnerability, which seems compatible with the GDPR and the risk-based approach. Finally, we outline how the notion of vulnerability can influence the interpretation of particular provisions in the GDPR. In this process, we focus on issues of consent, Data Protection Impact Assessment, the role of Data Protection Authorities, and the participation of data subjects in the decision making about data processing.     

个人信息保护法立法模式的选择——以德国经验为视角

个人信息保护法调整范围囊括公、私两个领域,那么应当以何种立法技术来处理两套规范在同一法典中的关系？总结德国个人信息保护法的优劣得失,基于对个人信息收集基本原则及其例外在公私领域不同的适用情况,可以看出,德国的区别对待模式更加符合不同领域内个人信息保护的具体要求。     

How to attribute the right to data portability in Europe: A comparative analysis of legislations

The number of online services is constantly growing, offering numerous and unprecedented advantages for consumers. Often, the access to these services requires the disclosure of personal information. This personal data is very valuable as it concedes significant advantages over competitors, allowing better answers to the customer's needs and therefore offering services of a better quality. For some services, analysing the customers' data is at the core of their business model. Furthermore, personal data has a monetary value as it enables the service providers to pursue targeted advertising. Usually, the first companies who provide a service will benefit from large volumes of data and might create market entrance barriers for new online providers, thus preventing users from the benefits of competition. Furthermore, by holding a grip on this personal data, they are making it more expensive or burdensome for the user to shift to a new service. Because of this value, online services tend to keep collected information and impede their users to reuse the personal data they have provided. This behaviour results in the creation of a lock-in effect. Upcoming awareness for this problem has led to the demand of a right to data portability. The aim of this paper is to analyse the different legislative systems that exist or have been recently created in this regard that would grant a right to data portability. Firstly, this article draws up the framework of data portability, explaining its origin, general aspects, advantages as well as its possible downfalls. Secondly, the core of the article is approached as the different ways of granting data portability are analysed. In this regard, the possible application of European Competition Law to prohibit restrictions to data portability is examined. Afterwards, an examination of the application of U.S. Antitrust Law is made to determine whether it could be a source of inspiration for European legislators. Finally, an analysis of the new General Data Protection Regulation is made with respect to the development of data portability throughout the European legislative procedure. This article makes a cross-examination of legislations, compares them with one another in order to offer a reflection on the future of portable data in Europe, and finally attempts to identify the best approach to attribute data portability.     

Technological innovation within the Spanish tax administration and data subjects' right to access: An opportunity knocks

In this paper, we analyse the data subjects' right to access their personal data in the context of the Spanish Tax Administration and the legal consequences of the upcoming General Data Protection Regulation. The results show that there are still difficulties related to the scope of this right, the establishment of proper storage criteria, and in the procedures used by the data controllers to provide accurate information to the data subjects. This situation highlights the necessity to incorporate such technological innovation as metadata labelling and automatic computerised procedures to ensure an optimum management of the data subjects' access to their tax related personal information.     

Property rights in personal data: Learning from the American discourse

This contribution is an attempt to facilitate a meaningful European discussion on propertization of personal data by explaining the idea as it emerged in its ‘mother-jurisdiction’, the United States. The piece starts with an overview of how the current US legal system addresses the data protection problem and whether, according to the US commentators, the law does it effectively. Furthermore, the contribution presents propertization of personal information as an alternative to the existing data protection regime and one of the ways to fill in the alleged gaps in the US data protection system. The article maps the US propertization debate. Pro-propertization arguments are considered from economic perspective as well as from the perspective of the limitations of the US legal and political system. In continuation it analyses proposals on how property rights in personal data would have to be regulated, if at all, in case the idea of propertization is accepted. The main points of criticism of propertization are also sketched. The article concludes with a brief summary of the US propertization discourse and, most importantly, with a list of the lessons Europeans can learn from their American counterparts engaging in the debate in the home jurisdiction. Among the main messages is that the outcome of the debate depends on the definition of the problem propertization is called on to tackle, and that it is the substance of the actual rights with regard to personal data that matters, and not whether we label them as property rights or not.     

Encryption safe harbours and data breach notification laws

Data breach notification laws require organisations to notify affected persons or regulatory authorities when an unauthorised acquisition of personal data occurs. Most laws provide a safe harbour to this obligation if acquired data has been encrypted. There are three types of safe harbour: an exemption; a rebuttable presumption and factor-based analysis. We demonstrate, using three condition-based scenarios, that the broad formulation of most encryption safe harbours is based on the flawed assumption that encryption is the silver bullet for personal information protection. We then contend that reliance upon an encryption safe harbour should be dependent upon a rigorous and competent risk-based review that is required on a case-by-case basis. Finally, we recommend the use of both an encryption safe harbour and a notification trigger as our preferred choice for a data breach notification regulatory framework.     

Who owns our data?

The layman's answer to the question posted in the title to this paper lies in the question itself. The common understanding of people when they talk about information about themselves is that it is indeed “theirs”. Until relatively recently, the law has been content to remain agnostic on the subject. The Common Law in general and English Courts in particular have traditionally avoided philosophical debates about the nature of things, preferring to develop concepts and principles from the results of cases decided on specific facts and circumstances. This approach has been acceptable while we have been winding our way gently up the foothills of the Information Age, but now that we see the towering peak of Big Data standing before us, covered by the ubiquitous Cloud, it is necessary to make a critical examination of some of the basic assumptions which we have hitherto carried with us about the way in which the law should treat rights over personal information. This paper will argue that the correct approach which the law should adopt is a proprietary one. That is to say that the protection of the economic value inherent in personal information should be grounded in property rights acknowledged by the law.     

Security policies and the weakening of personal data protection in the European Union

In recent years, the reinforcement of security policies alongside the expansion of information systems for law enforcement and crime prevention entailed growing restrictions to personal data protection principles and procedural rights in the European Union. This paper seeks to elucidate this trend, while matching it with an EU institutional discourse based on balancing and proportionality. Indeed, EU institutions regularly present security measures and fundamental rights as somewhat symmetric values to be easily conciliated through balancing and proportionality. Considering the raising of the protection of personal data to the status of a fundamental right by the Charter of Fundamental Rights, its effect on a possible rebalancing of the values at stake is discussed. Yet, we conclude, for the time being, the potential for just and democratic solutions provided by the ideas of balancing and proportionality does not appear to be properly used.     

Opening up personal data protection: A conceptual controversy

The existence of a fundamental right to the protection of personal data in European Union (EU) law is nowadays undisputed. Established in the EU Charter of Fundamental Rights in 2000, it is increasingly permeating EU secondary law, and is expected to play a key role in the future EU personal data protection landscape. The right's reinforced visibility has rendered manifest the co-existence of two possible and contrasting interpretations as to what it come to mean. If some envision it as a primarily permissive right, enabling the processing of such data under certain conditions, others picture it as having a prohibitive nature, implying that any processing of data is a limitation of the right, be it legitimate or illegitimate. This paper investigates existing tensions between different understandings of the right to the protection of personal data, and explores the assumptions and conceptual legacies underlying both approaches. It traces their historical lineages, and, focusing on the right to personal data protection as established by the EU Charter, analyses the different arguments that can ground contrasted readings of its Article 8. It also reviews the conceptualisations of personal data protection as present in the literature, and finally contrasts all these perspectives with the construal of the right by the EU Court of Justice.