The EU PNR framework decision proposal: Towards completion of the PNR processing scene in Europe

The entry into force of the Lisbon Treaty has suspended discussions over the release of a EU PNR processing system. Plans to introduce an intra-EU PNR processing system initiated since 2007, although strongly supported by the Commission and the Council, did not bear fruit before the ratification of the Lisbon Treaty and the, institutional, involvement of the Parliament. While discussions have been suspended since October 2009 and most probably a new draft proposal will be produced, it is perhaps useful to present in brief the proposal currently in place so as to highlight its shortcomings for European data protection and suggest ways individual protection may be strengthened in future drafts.     

A comparison of data protection legislation and policies across the EU

Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement.The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protections authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not in all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.     

Opening up personal data protection: A conceptual controversy

The existence of a fundamental right to the protection of personal data in European Union (EU) law is nowadays undisputed. Established in the EU Charter of Fundamental Rights in 2000, it is increasingly permeating EU secondary law, and is expected to play a key role in the future EU personal data protection landscape. The right's reinforced visibility has rendered manifest the co-existence of two possible and contrasting interpretations as to what it come to mean. If some envision it as a primarily permissive right, enabling the processing of such data under certain conditions, others picture it as having a prohibitive nature, implying that any processing of data is a limitation of the right, be it legitimate or illegitimate. This paper investigates existing tensions between different understandings of the right to the protection of personal data, and explores the assumptions and conceptual legacies underlying both approaches. It traces their historical lineages, and, focusing on the right to personal data protection as established by the EU Charter, analyses the different arguments that can ground contrasted readings of its Article 8. It also reviews the conceptualisations of personal data protection as present in the literature, and finally contrasts all these perspectives with the construal of the right by the EU Court of Justice.     

Body scanners versus privacy and data protection

In recent history, the world has experienced dramatic events which have had a substantial effect on the balance between human rights protection and security measures. Body scanners installed at airports are intended to protect our lives. But at the same time they have a serious impact on privacy and data protection. The international legislation allows limiting people’s rights and freedoms, but only if it is in accordance with the law and is proportionate and necessary for national security, public safety and for the protection of the rights and freedoms of others. Do body scanners respect these principles? The article examines the current situation, its background and future prospects. It discusses and analyzes the key terms and legal instruments, problems, disputes and proposed “safeguards”. The work concludes by pointing out the unlawfulness of current regimes and sets forth perspective on the possible solutions.     

Citizens' perceptions of data protection and privacy in Europe

Data protection and privacy gain social importance as technology and data flows play an ever greater role in shaping social structure. Despite this, understanding of public opinion on these issues is conspicuously lacking. This article is a meta-analysis of public opinion surveys on data protection and privacy focussed on EU citizens. The article firstly considers the understanding and awareness of the legal framework for protection as a solid manifestation of the complex concepts of data protection and privacy. This is followed by a consideration of perceptions of privacy and data protection in relation to other social goals, focussing on the most visible of these contexts–the debate surrounding privacy, data protection and security. The article then considers how citizens perceive the ‘real world’ environment in which data processing takes place, before finally considering the public's perception and evaluation of the operation of framework against environment.     

Data protection: The future of privacy

The Art. 29 Working Party (hereinafter “Art. 29 WP”) is an influential body comprised of representatives from the Member State Data Protection Authorities² established under the Data Protection Directive 95/46/EC, has recently issued an opinion with the Working Party on Police and Justice. This is quite significant, since the opinion sets out some of the issues that will need to be addressed in the lead up to the revision of the Data Protection Directive 95/46/EC.³ This comes at a time, when there have been discussions on the current application of the European Data Protection Directive to the internet,⁴ (such as social networking) and the recent European Commission’s consultation on the legal framework for the fundamental right to protection of personal data. Not least, there have been a number of cases brought before the European Court of Justice dealing with the partial implementation of the Data Protection Directive 95/46/EC.⁵The aim of this paper is to consider in detail the issues set out by the Art. 29 WP and the likely challenges in revising the Data Protection Directive 95/46/EC.     

Data protection in the Asia-Pacific region

The increasing reliance on technology as a means of conducting cross-border businesses has spurred on the development of data protection and privacy laws in many countries across the globe. In Asia, however, many countries today still have no or extremely limited data protection laws. Cultural attitudes towards the concept of autonomy and the well-established right of certain governments to monitor and scrutinise its people in certain countries have been partly to blame. However, in order to remain economically viable, the businesses and government of these countries must be able to provide protections which are at least similar to those afforded by the data protection laws of their business counterparts. This article examines the effectiveness and relevance of the APEC Privacy Framework and the state of the data protection laws in eight Asia-Pacific countries today.     

An international legal framework for data protection: Issues and prospects

The processing of personal data across national borders by both governments and the private sector has increased exponentially in recent years, as has the need for legal protections for personal data. This article examines calls for a global legal framework for data protection, and in particular suggestions that have been made in this regard by the International Law Commission and various national data protection authorities. It first examines the scope of a potential legal framework, and proceeds to analyze the status of data protection in international law. The article then considers the various options through which an international framework could be enacted, before drawing some conclusions about the form and scope such a framework could take, the institutions that could coordinate the work on it, and whether the time is ripe for a multinational convention on data protection.     

Protecting the communication: Data protection and security measures under telecommunications regulations in the digital age

This paper aims to provide a comparative overview and evaluation of various legal frameworks for electronic communications security in light of the recent developments in the electronic communications sector. The article also includes an insight on European Union and Turkish legal environment for data protection security in electronic communications sector.     

Perceptions of controllers on EU data protection reform: A Finnish perspective

Data protection regulations are undergoing a global reform. The European Commission proposed a reform of the EU data protection framework in 2012. One major driver for the reform has been the research on the consumer perceptions indicating that the consumers are worried about their personal privacy. However, there has been practically no research on perceptions of companies (the controllers of the personal data) and on the data protection reform. This research analyses the awareness and the willingness to act towards compliance regarding the proposed General Data Protection Regulation (GDPR) in Finland in 2013. The GDPR will replace the Finnish Personal Data Act and therefore plays a central role in the Finnish privacy regulation. This research found that the general level of awareness was low: only 43% of the controllers were aware of the forthcoming reform. The willingness to act or to take steps towards the compliance was even lower: 31% of controllers said that they are planning to act towards compliance during this year. These results indicate that the companies are quite unfamiliar with the reform that correlates with other relevant studies in Europe. Personal data are said to be the oil of the digital economy, the hottest commodity of the market today. There are companies that understand this, but the majority seems to ignore this at least what comes to their awareness regarding the reform, even the reform captures many of the best practices regarding processing of personal data.     

Data security: Past,present and future

The loss by Her Majesty's Revenue and Customs (HMRC) of two CDs containing 25 million child benefit details has changed the data security landscape forever. No longer is data security the exclusive and rather arcane preserve of spotty technology professionals or data protection lawyers. HMRC has thrust data security onto the front pages of the mainstream media and brought it very suddenly to the top of the political and commercial agendas of senior politicians and boards of directors. In this article, the author will outline the reasons behind the rise of data security as a front line issue and examine the lessons to be learnt from HMRC. He will analyse the different facets of data security risk and explore ways in which organisations can go about managing it. He will outline the attitude of regulators to data security and where regulatory developments are likely to take us. The final part of the article looks into the future, with particular focus on the emergence of privacy enhancing technologies.     

Data protection 1998–2008

This article reviews key developments in data protection legislation, case law and practice between 1998 and 2008. Over this time data protection has become a mainstream compliance topic for business and government alike. Having started in 1998 as a specialist area of limited general application, over the decade this area of law has been widely applied to access rights, international transfers of information and data losses. We are now seeing major changes in enforcement of data protection legislation (including the power to fine and increased use of audits) which will continue the focus on compliance.     

论网络时代隐私权及其法律保护

随着网络规模的爆炸性扩张,计算机网络技术已经改变了人们传统的生存和生活方式,这也使得个人隐私权的保护受到前所未有的严峻挑战。个人数据被非法收集、储存、使用和传播的现象层出不穷,网络隐私权受到多方面的侵犯。我们应综合考虑目前的立法状况和网络时代侵犯隐私权的特征,借鉴他国的先进经验并结合我国具体国情,以国家立法与行业自律相结合的方式,全面保护公民的网络隐私权。     

The General Data Protection Regulation and the rise of certification as a regulatory instrument

The endorsement of certification in Article 42 and 43 of the General Data Protection Regulation (hereinafter GDPR) extends the scope of this procedure to the enforcement of fundamental rights. The GDPR also leverages the high flexibility of this procedure to make of certification something else than a voluntary process attesting the conformity with technical standards. This paper argues that the GDPR turned certification into a new regulatory instrument in data protection, I suggest to call it monitored self-regulation, seeking to fill the gap between self-regulation and traditional regulation in order to build a regulation continuum.     

The legal construction of privacy and data protection

In this contribution, the authors explore the differences and interplays between the rights to privacy and data protection. They describe the two rights and come to the conclusion that they differ both formally and substantially, though overlaps are not to be excluded. Given these different yet not mutually exclusive scopes they then apply the rights to three case-studies (body-scanners, human enhancement technologies, genome sequencing), highlighting in each case potential legal differences concerning the scope of the rights, the role of consent, and the meaning of the proportionality test. Finally, and on the basis of these cases, the authors propose paths for articulating the two rights using the qualitative and quantitative thresholds of the two rights, which leads them to rethink the relationship between privacy and data protection, and ultimately, the status of data protection as a fundamental right.     

Data protection by design and technology neutral law

This article argues that to achieve a technology neutral law, technology specific law is sometimes required. To explain this we discriminate between three objectives, often implied in the literature on technological neutrality of law. The first we call the compensation objective, which refers to the need to have technology specific law in place whenever specific technological designs threated the substance of human rights. The second we call the innovation objective, referring to the need to prevent legal rules from privileging or discriminating specific technological designs in ways that would stifle innovation. The third we call the sustainability objective, which refers to the need to enact legislation at the right level of abstraction, to prevent the law from becoming out of date all too soon. The argument that technology neutral law requires compensation in the form of technology specific law is built on a relational conception of technology, and we explain that though technology in itself is neither good nor bad, it is never neutral. We illustrate the relevance of the three objectives with a discussion of the EU cookie Directive of 2009. Finally we explain the salience of the legal obligation of Data Protection by Design in the proposed General Data Protection Regulation and test this against the compensation, innovation and sustainability objectives.     

Looking for needles in a haystack: Key issues affecting children's rights in the General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) devotes particular attention to the protection of personal data of children. The rationale is that children are less aware of the risks and the potential consequences of the processing of their personal data on their rights. Yet, the text of the GDPR offers little clarity as to the actual implementation and impact of a number of provisions that may significantly affect children and their rights, leading to legal uncertainty for data controllers, parents and children. This uncertainty relates for instance to the age of consent for processing children's data in relation to information society services, the technical requirements regarding parental consent in that regard, the interpretation of the extent to which profiling of children is allowed and the level of transparency that is required vis-à-vis children. This article aims to identify a number of key issues and questions – both theoretical and practical – that raise concerns from a multi-dimensional children's rights perspective, and to clarify remaining ambiguities in the run-up to the actual application of the GDPR from 25 May 2018 onwards.     

The exploitation of Business Register data from a public sector information and data protection perspective: A case study

Business Registers (BRs) are a very important information resource for investors, creditors, financial institutions and public authorities. The possibility to aggregate and interconnect these data at a European level could enhance the transparency of companies towards those actors and add a great deal of value to the raw Business Register data. The European BRITE project intended to provide adequate tools to meet these demands. BRITE will provide easier access and cross-border interoperability of Business Register data throughout Europe. On the other hand, the processing of BR data within the BRs and BRITE triggers several important European legislations such as the Data Protection Directive and the Directive on the re-use of public sector information. In this paper, the processing of BR data will be analysed from the perspective of both data protection and public sector information laws, analysing as well the relation between both regulations. Do these regulations strike an optimal balance between the interests of private data vendors to re-use BR data and enhance business transparency and the need to protect the personal data of natural persons?     

From ugly duckling to Swan. The rise of data protection and its limits

This article considers the development of data protection laws from a position on the periphery of legal consciousness to the situation where it is the subject of intensive legal and media publicity. Focusing on the recent controversies surrounding the use of Facebook apps for political purposes, the article will consider the role and limitations of data and privacy protection laws. The question will be posed – if not answered – whether national or regional laws can be effective in what increasingly is a global information society.     

Privacy and the regulation of 2012

This paper explores the European Commission’s proposal for a new Regulation to update and reform data protection law in Europe. As regards the Regulation itself, without presenting an exhaustive analysis of all the provisions, this paper aims to highlight some significant changes proposed to the data protection regime by comparison between Directive 95/46 and the proposed Regulation. It takes particularly into account legislative innovation concerning data protection principles, data subjects’ rights, data controllers and data processors obligations, and the regulation of technologies. Before analyzing these innovations, it introduces some considerations about the Commission’s choice to use a Regulation instead of a Directive to harmonize national data protection regime.