Cross border data transfer: Complexity of adequate protection and its exceptions

The majority of the fear that exists about the cloud arises due to the lack of transparency in the cloud. Fears have persisted in relation to how the data are frequently transferred in a cloud for various purposes which includes storing and processing. This is because the level of protection differs between countries and cloud users who belong to countries which provide a high level of protection will be less in favour of transfers that reduce the protection that was originally accorded to their data. Hence, to avoid client dissatisfaction, the Data Protection Directive has stated that such transfers are generally prohibited unless the country that data is being transferred to is able to provide ‘appropriate safeguards’. This article will discuss the position of the Data Protection Directive and how the new General Data Protection Regulation differs from this Directive. This involves the discussion of the similarity as well as the differences of the Directive and Regulation. In summary, it appears that the major principles of the cross border transfer are retained in the new regulation. Furthermore, the article discusses the exceptions that are provided in the standard contractual clause and the reason behind the transition from Safe Harbor to the new US-EU Privacy Shield. This article subsequently embarks on the concept of Binding Corporate Rule which was introduced by the working party and how the new regulation has viewed this internal rule in terms of assisting cross border data transfer. All the issues that will be discussed in this article are relevant in the understanding of cross border data transfer.     

Privacy regulation cannot be hardcoded. A critical comment on the ‘privacy by design’ provision in data-protection law

‘Privacy by design’ is an increasingly popular paradigm. It is the principle or concept that privacy should be promoted as a default setting of every new ICT system and should be built into systems from the design stage. The draft General Data Protection Regulation embraces ‘privacy by design’ without detailing how it can or should be applied. This paper discusses what the proposed legal obligation for ‘privacy by design’ implies in practice for online businesses. In particular, does it entail hard-coding privacy requirements in system design? First, the ‘privacy by design’ provision in the proposed Regulation is analysed and interpreted. Next, we discuss an extreme interpretation – embedding data protection requirements in system software – and identify five complicating issues. On the basis of these complications, we conclude that ‘privacy by design’ should not be interpreted as trying to achieve rule compliance by techno-regulation. Instead, fostering the right mindset of those responsible for developing and running data processing systems may prove to be more productive. Therefore, in terms of the regulatory tool-box, privacy by design should be approached less from a ‘code’ perspective, but rather from the perspective of ‘communication’ strategies.     

Are ‘pseudonymised’ data always personal data? Implications of the GDPR for administrative data research in the UK

There has naturally been a good deal of discussion of the forthcoming General Data Protection Regulation. One issue of interest to all data controllers, and of particular concern for researchers, is whether the GDPR expands the scope of personal data through the introduction of the term ‘pseudonymisation’ in Article 4(5). If all data which have been ‘pseudonymised’ in the conventional sense of the word (e.g. key-coded) are to be treated as personal data, this would have serious implications for research. Administrative data research, which is carried out on data routinely collected and held by public authorities, would be particularly affected as the sharing of de-identified data could constitute the unconsented disclosure of identifiable information.Instead, however, we argue that the definition of pseudonymisation in Article 4(5) GDPR will not expand the category of personal data, and that there is no intention that it should do so. The definition of pseudonymisation under the GDPR is not intended to determine whether data are personal data; indeed it is clear that all data falling within this definition are personal data. Rather, it is Recital 26 and its requirement of a ‘means reasonably likely to be used’ which remains the relevant test as to whether data are personal. This leaves open the possibility that data which have been ‘pseudonymised’ in the conventional sense of key-coding can still be rendered anonymous. There may also be circumstances in which data which have undergone pseudonymisation within one organisation could be anonymous for a third party. We explain how, with reference to the data environment factors as set out in the UK Anonymisation Network's Anonymisation Decision-Making Framework.     

Fingerprint Comparison and Adversarialism: The Scientific and Historical Evidence

This article suggests that lawyers and courts are largely oblivious to scientific insights regarding the value and limitations of latent fingerprint evidence. It proceeds through a detailed historical analysis of the way fingerprint evidence has been reported and challenged. It compares legal responses with mainstream scientific research. Our analysis shows that fingerprint evidence is routinely equated with categorical proof of identity notwithstanding scientific warnings that such an approach is ‘indefensible’. We find that legal challenges to latent fingerprint evidence have been uniformly focused on adjectival issues (e.g. compliance with enabling legislation), leaving the validity and accuracy of this subjective comparison technique virtually unexamined since its first reception at the very beginning of the twentieth century. Lack of legal engagement with validity, error and scientific research suggest that adversarial procedures have not worked effectively to secure scientifically reliable expert evidence and that legal personnel struggle with elementary scientific reasoning.     

Perceptions of controllers on EU data protection reform: A Finnish perspective

Data protection regulations are undergoing a global reform. The European Commission proposed a reform of the EU data protection framework in 2012. One major driver for the reform has been the research on the consumer perceptions indicating that the consumers are worried about their personal privacy. However, there has been practically no research on perceptions of companies (the controllers of the personal data) and on the data protection reform. This research analyses the awareness and the willingness to act towards compliance regarding the proposed General Data Protection Regulation (GDPR) in Finland in 2013. The GDPR will replace the Finnish Personal Data Act and therefore plays a central role in the Finnish privacy regulation. This research found that the general level of awareness was low: only 43% of the controllers were aware of the forthcoming reform. The willingness to act or to take steps towards the compliance was even lower: 31% of controllers said that they are planning to act towards compliance during this year. These results indicate that the companies are quite unfamiliar with the reform that correlates with other relevant studies in Europe. Personal data are said to be the oil of the digital economy, the hottest commodity of the market today. There are companies that understand this, but the majority seems to ignore this at least what comes to their awareness regarding the reform, even the reform captures many of the best practices regarding processing of personal data.     

Dualism in data protection: Balancing the right to personal data and the data property right

This paper explores the issues surrounding the right to personal data and the data property right in the context of commercial transactions involving big data, and will thus inform the ongoing drafting process of the Chinese Civil Code and development of a commercial data market in China. The analysis herein attempts to break through the traditional concept of ‘property’ with the aim of helping China to develop a modern information society, devise a property law theory suitable for the big data era, and improve the level of protection afforded to rights and legitimate interests in data. To date, no comprehensive study has focused on developing a proper understanding of the concept of ‘data property rights’, and hence we lack the solid theoretical support needed to construct a proper protective system for such rights. This paper offers the first systematic study of the rules pertaining to data property rights, thereby enriching the theory of such rights and serving as a theoretical basis for the enactment of a civil code that protects citizens’ legal rights and interests in the information society. It also offers a thorough discussion of how to construct a data property protection system, thereby providing an ideal reference model for enactment of the Chinese Civil Code.     

Data protection: The future of privacy

The Art. 29 Working Party (hereinafter “Art. 29 WP”) is an influential body comprised of representatives from the Member State Data Protection Authorities² established under the Data Protection Directive 95/46/EC, has recently issued an opinion with the Working Party on Police and Justice. This is quite significant, since the opinion sets out some of the issues that will need to be addressed in the lead up to the revision of the Data Protection Directive 95/46/EC.³ This comes at a time, when there have been discussions on the current application of the European Data Protection Directive to the internet,⁴ (such as social networking) and the recent European Commission’s consultation on the legal framework for the fundamental right to protection of personal data. Not least, there have been a number of cases brought before the European Court of Justice dealing with the partial implementation of the Data Protection Directive 95/46/EC.⁵The aim of this paper is to consider in detail the issues set out by the Art. 29 WP and the likely challenges in revising the Data Protection Directive 95/46/EC.     

UK further education sector journey to compliance with the general data protection regulation and the data protection act 2018

The Further Education sector provides training and qualifications to 2.2million young people and adults annually and in the process collect a wealth of data which must be properly managed to ensure it is processed in a fair and transparent manner, maintaining compliance with good information governance and data protection legislation. This article shares the findings of a study which explored the content of General Data Protection Regulation action plans, first hand accounts from data practitioners and the views of students as provides embraced the new legislation.The article demonstrates how a sector which fills the void between schools and universities is unique in the challenges they face when ensuring compliance with data protection laws. These challenges include the application of legislation, noting key differences between the nations of the United Kingdom, and the moral duties placed upon the provider by parents who expect open dialogue with the education provider, consistent as happened with lower levels of education. This must be balanced with the student's right to data privacy and control over who can access their educational records .     

The growth and gaps of genetic data sharing policies in the United States

The 1996 Bermuda Principles launched a new era in data sharing, reflecting a growing belief that the rapid public dissemination of research data was crucial to scientific progress in genetics. A historical review of data sharing policies in the field of genetics and genomics reflects changing scientific norms and evolving views of genomic data, particularly related to human subjects’ protections and privacy concerns. The 2013 NIH Draft Genomic Data Sharing (GDS) Policy incorporates the most significant protections and guidelines to date. The GDS Policy, however, will face difficult challenges ahead as geneticists seek to balance the very real concerns of research participants and the scientific norms that propel research forward. This article provides a novel evaluation of genetic and GDS policies’ treatment of human subjects’ protections. The article examines not only the policies, but also some of the most pertinent scientific, legal, and regulatory developments that occurred alongside data sharing policies. This historical perspective highlights the challenges that future data sharing policies, including the recently disseminated NIH GDS Draft Policy, will encounter.     

Using EHRs to design drug repositioning trials: A devolved approach to data protection

One area where the application of data protection law has proven complex is in relation to the secondary usage of health data in EHRs for medical research. Here the tension between the privacy interests of patients and the risk of harm if such sensitive data are compromised, and on the other side, the potential societal value of utilizing the data for the benefit of medical science, is especially striking. In this paper, we consider the applicable provisions of the EU Data Protection Directive, and outline a general approach to patient data handling for research, which we believe to be compatible with relevant legal and ethical requirements. We then illustrate and apply this by reference to a specific EU FP7 project, involving EHR data processing to select patients for clinical pharmaceutical trials. After introducing the project (PONTE), we explain the ‘devolved’ data protection architecture it employs and provide a legal evaluation.     

Free Vote Patterns in the New South Wales State Parliament

This research note examines patterns of MPs’ voting behaviour during ‘conscience’ or ‘free’ votes on three ‘morality politics’ issues in the lower house of the New South Wales state parliament in Australia: adoption rights for gay couples; scientists’ use of therapeutic cloning; and the status of the Sydney Medically Supervised Injection Centre. First, the research note reviews the literature on conscience voting and hypothesises that party will be the main predictor of voting patterns, but also establishes that previous studies have almost exclusively focused on national legislatures. Next the research note discusses methodological issues. Third, it presents the analysis of free vote patterns in the New South Wales parliament on the three ‘morality politics’ issues, along four key variables: party; sex; social ideology; and religion. The analysis of voting in the New South Wales parliament challenges existing explanations of free voting, where party is the key predictor of voting patterns. Intra-party unity figures show that party membership is a weaker predictor of voting behaviour in the two main political parties in New South Wales than in either the Australian parliament or in overseas parliaments. It is argued that at the subnational level other factors are more important in explanations of free vote patterns.     

EU General Data Protection Regulation: Changes and implications for personal data collecting companies

The General Data Protection Regulation (GDPR) will come into force in the European Union (EU) in May 2018 to meet current challenges related to personal data protection and to harmonise data protection across the EU. Although the GDPR is anticipated to benefit companies by offering consistency in data protection activities and liabilities across the EU countries and by enabling more integrated EU-wide data protection policies, it poses new challenges to companies. They are not necessarily prepared for the changes and may lack awareness of the upcoming requirements and the GDPR's coercive measures. The implementation of the GDPR requirements demands substantial financial and human resources, as well as training of employees; hence, companies need guidance to support them in this transition. The purposes of this study were to compare the current Data Protection Directive 95/46/EC with the GDPR by systematically analysing their differences and to identify the GDPR's practical implications, specifically for companies that provide services based on personal data. This study aimed to identify and discuss the changes introduced by the GDPR that would have the most practical relevance to these companies and possibly affect their data management and usage practices. Therefore, a review and a thematic analysis and synthesis of the article-level changes were carried out. Through the analysis, the key practical implications of the changes were identified and classified. As a synthesis of the results, a framework was developed, presenting 12 aspects of these implications and the corresponding guidance on how to prepare for the new requirements. These aspects cover business strategies and practices, as well as organisational and technical measures.     

AI research and data protection: Can the same rules apply for commercial and academic research under the GDPR?

The paper examines how the EU General Data Protection Regulation (GDPR) is applied to the development of AI products and services, drawing attention to the differences between academic and commercial research. The GDPR aims to encourage innovation by providing several exemptions from its strict rules for scientific research. Still, the GDPR defines scientific research in a broad manner, which includes academic and commercial research. However, corporations conducting commercial research might not have in place a similar level of ethical and institutional safeguards as academic researchers. Furthermore, corporate secrecy and opaque algorithms in AI research might pose barriers to oversight. The aim of this paper is to stress the limits of the GDPR research exemption and to find the proper balance between privacy and innovation. The paper argues that commercial AI research should not benefit from the GDPR research exemption unless there is a public interest and has similar safeguards to academic research, such as review by research ethics committees. Since the GDPR provides this broad exemption, it is crucial to clarify the limits and requirements of scientific research, before the application of AI drastically transforms this field.     

Investigating the legal protection of data,information and knowledge under the EU data protection regime

Information science distinguishes between the semantic forms/intangibles of data, information and knowledge. Data (e.g. an attribute of a data record in a relational database) does not have any meaning by itself. Information is data brought into context (e.g. data related to its primary key), and knowledge is the collection of information for useful intent (e.g. a database). This paper investigates the mapping of semantic forms in information science (i.e. data, information, knowledge) to correlative concepts in information law (primarily data protection legislation) with a view to investigating how such semantic forms are legally protected. The paper first proposes a data, information, knowledge, rules (DIKR) hierarchy in the context of relational database theory, and interprets this hierarchy with respect to data protection concepts. The paper then gives an in-depth discussion of the elements of the DIKR hierarchy (data, information, knowledge, deduced knowledge, induced knowledge) and how they relate to the EU Data Protection Directive 95/46/EC. These relationships are summarized in the form of a two dimensional correlation matrix. Finally the paper discusses how the semantic forms identified are protected under the EU Data Protection Directive, and gives insightful observations about the connection between information law and information science.     

The thin red line: Refocusing data protection law on ADM,a global perspective with lessons from case-law

This article explores existing data protection law provisions in the EU and in six other jurisdictions from around the world - with a focus on Latin America - that apply to at least some forms of the processing of data typically part of an Artificial Intelligence (AI) system. In particular, the article analyzes how data protection law applies to “automated decision-making” (ADM), starting from the relevant provisions of EU's General Data Protection Regulation (GDPR). Rather than being a conceptual exploration of what constitutes ADM and how “AI systems” are defined by current legislative initiatives, the article proposes a targeted approach that focuses strictly on ADM and how data protection law already applies to it in real life cases. First, the article will show how GDPR provisions have been enforced in Courts and by Data Protection Authorities (DPAs) in the EU, in numerous cases where ADM is at the core of the facts of the case considered. After showing that the safeguards in the GDPR already apply to ADM in real life cases, even where ADM does not meet the high threshold in its specialized provision in Article 22 (“solely” ADM which results in “legal or similarly significant effects” on individuals), the article includes a brief comparative law analysis of six jurisdictions that have adopted general data protection laws (Brazil, Mexico, Argentina, Colombia, China and South Africa) and that are visibly inspired by GDPR provisions or its predecessor, Directive 95/46/EC, including those that are relevant for ADM. The ultimate goal of this study is to support researchers, policymakers and lawmakers to understand how existing data protection law applies to ADM and profiling.¹     

Do algorithms dream of ‘data’ without bodies?

ABSTRACT

The question whether algorithms dream of ‘data’ without bodies is asked with the intention of highlighting the material conditions created by wearables for fitness and health, reveal the underlying assumptions of the platform economy regarding individuals’ autonomy, identities and preferences and reflect on the justifications for intervention under the General Data Protection Regulation. The article begins by highlighting key features of platform infrastructures and wearables in the health and fitness landscape, explains the implications of algorithms automating, what can be described as ‘rituals of public and private life’ in the health and fitness domain, and proceeds to consider the strains they place on data protection law. It will be argued that technological innovation and data protection rules played a part in setting the conditions for the mediated construction of meaning from bodies of information in the platform economy.     

It depends whose data are being shared: considerations for genomic data sharing policies

There is an urgent need for consistent data sharing policies that promote the advancement of science while respecting the values and interests of those providing their genetic data for research. Responding to the article of Jalayne J. Arias, Genevieve Pham-Kanter, and Eric G. Campbell, ‘The Growth and Gaps of Genetic Data Sharing Policies in the United States’, this commentary further explores the challenges of human subjects’ protection in existing data sharing policies. We will elaborate on the need for data sharing policies to accommodate variation in individual and group preferences around data sharing and privacy concerns by comparing our previously published data on patients’ and parents’ consent to data sharing and attitudes about privacy to data from focus groups with HIV-positive, underserved individuals who were asked about their willingness to participate in genetic research and share their data broadly. These studies support the observation of Arias, Pham-Kanter, and Campbell that researchers, and funding agencies will need to balance the privacy interests of groups as well as individuals in future genomic data sharing policies.     

Technologies, Security, and Privacy in the Post-9/11 European Information Society

Since 11 September 2001, many 'hard' and 'soft' security strategies have been introduced to enable more intensive surveillance and control of the movement of `suspect populations'. Suicide bombings have since generated a step-change in asymmetric threat analysis and public perceptions of risk. This article reviews how post-9/11 'security' issues intersect with existing and emerging technologies, particularly those relating to identity, location, home, and work that will form the backbone of the European Information Society. The article explores the complexities generated by the way that these technologies work, sites of nationalist resistance, and formal bureaucratic roles. Many of the planned surveillance methods and technologies are convergence technologies aiming to bring together new and existing data sources, but are unable to do so because of poor data quality and the difficulty of using the integrated data to reduce serious crime risks. The delay may enable legal compliance models to be developed in order to protect the principles of privacy that are set out in the ECHR and the EC Data Protection Directive. Though (moral) panics produce changes in law, the article emphasizes the constraining effects of law.     

Bitcoin and the GDPR: Allocating responsibility in distributed networks

This article uses the example of the cryptocurrency Bitcoin and the General Data Protection Regulation (GDPR) to show how distributed networks challenge existing legal mechanisms of allocating responsibility. The Bitcoin network stores personal data by automated means. Furthermore, full nodes qualify as establishments and the network offers a service to citizens in the EU. The data processing within the Bitcoin network therefore falls into the material and territorial scope of the GDPR. To protect data subjects, the GDPR allocates responsibility to the controller, who determines the ‘how’ and the ‘why’ of the data processing. However, the distributed structure of the Bitcoin network blurs the lines between actors who are responsible and actors who are worth protecting. Neither the Bitcoin users running lightweight nodes or full nodes nor the miners determine the ‘how’ and the ‘why’ of the data processing. They carry out their network activities according to the Bitcoin protocol, which can only be adopted and enforced by a collective of full nodes and miners. Members of this collective are joint controllers under Article 26 GDPR, which obliges them to clearly and transparently determine their respective responsibilities for compliance with the GDPR. However, this mechanism fails because of the very structure it aims to eliminate. Therefore, a solution to allocating responsibility for data protection in distributed networks lies outside the GDPR.     

A Decade of Europe? Some Reflections on an Aspiration

This article suggests that Europe faces four primary challenges today. The first relates to democracy, as all the anxieties about the ‘democratic deficit’ in Community are writ even larger in the Union. A second issue is that of liberal legalism. Lawyers have long presumed that the ‘new’ Europe has been integrated ‘through’ law. This article suggests that the role of law is of far less importance to the future of the Union. A third problem, perhaps the most pressing, relates to enlargement. Is the ‘new’ Europe fully prepared for the inevitable shock that will follow the much‐vaunted ‘big bang’? Finally, there is the overarching problem of a continuing lack of ethos, or public philosophy, underpinning public life in the ‘new’ Europe.