The Cyprus and other EU court rulings on data retention: The Directive as a privacy bomb

This paper discusses the controversy surrounding the Data Retention Directive with an emphasis on the 2011 decision of the Cyprus Supreme Court which has annulled several district court orders that allowed the police access to telecommunications data relating to certain persons relevant to criminal investigations. The annulment has been on the ground that the legal provisions upon which the orders have been issued are unconstitutional. It will suggest that the decision does not entail a direct rejection of the EU Data Retention Directive and that in any event, Cyprus is not a Member State resisting the particular measure. This is because the legal provisions are deemed unconstitutional, though part of the law that has transposed the relevant Directive into national law are provisions that go beyond what the EU legislator intended to regulate through that Directive. Still, the particular Directive sits rather uneasily within the ‘human rights’ regime, in particular the one governing the individual right of privacy.     

Trust in the clouds

The “cloud” is not new, and its roots go back to the original plans for computing from the 1950s. Now that computing is moving back to the original cloud-based models that were envisioned more than 60 years ago, with it, consumers are realizing the increases in security and safety that accompany the move to centralized servers. Yet the perception of “trust” in this context is often still formed by views that people have from their use of computers over the past two decades, which is localized in nature (“if I can see it, I can control it”). This view is based on perception more than fact. Our paper discusses different views of trust in other contexts (such as banking and travel) and concludes that users of cloud computing should recast their view of trust in a similar way that consumers of banking and travel have changed their perceptions of trust in the last 100 years.     

Regulating electronic identity in the European Union: An analysis of the Lisbon Treaty’s competences and legal basis for eID

This paper discusses the feasibility of EU legal action in the field of electronic identity (eID) within the new distribution of legal competences and the provision of novel legal basis engendered by the Treaty of Lisbon. The article attempts to find a ‘legal anchor’ to the idea of a pan-European electronic identity within EU law, looking at the issues of competences and legal basis. After examining various different areas of competence and the most feasible (and probable) candidates for a legal basis supporting an EU legal framework for eID, the paper argues that the latter should be found in the combination of Article 16 TFEU (concerning the right to the protection of personal data) with Article 3 TUE, and Articles 26 and 114 TFEU (concerning the establishment and functioning of the Internal Market), which also constitute the area of competence where an eID legal initiative can be pursued.     

Data breach notification law in the EU and Australia – Where to now?

Mandatory data breach notification laws have been a significant legislative reform in response to unauthorized disclosures of personal information by public and private sector organizations. These laws originated in the state-based legislatures of the United States during the last decade and have subsequently garnered worldwide legislative interest. We contend that there are conceptual and practical concerns regarding mandatory data breach notification laws which limit the scope of their applicability, particularly in relation to existing information privacy law regimes. We outline these concerns here, in the light of recent European Union and Australian legal developments in this area.     

Allocating responsibility among controllers,processors, and “everything in between”: the definition of actors and roles in Directive 95/46/EC

In Opinion 1/2010, the Article 29 Data Protection Working Party has provided additional guidance concerning the concepts of ‘controller’ and ‘processor’ contained in Directive 95/46/EC. This guidance aims to assist practitioners in their determination of whether an entity is acting as a controller or as a processor towards a particular data processing operation. Despite the fact that this opinion is informative, the existing framework still appears to leave room for a considerable amount of legal uncertainty. This uncertainty is attributable in part to the nature of the existing concepts, but also (and perhaps to a larger extent) to their apparent misalignment with current processing realities. In this paper, the author seeks to articulate why the existing concepts often remain difficult to apply in practice, in order to enable a constructive reflection on how these issues might be addressed in the future.     

Medical data breaches: Notification delayed is notification denied

The EU and the United States have implemented data breach notification rules that cover the health sectors. Nevertheless, data breach incidents involving medical data continue to rise, especially in the US and the UK. The HITECH Act, Pub. L. 111-5 Title XIII is the first federal health breach notification law in the US to be characterized by less government intrusions, while the revised EU Privacy Directive, 2009/136/EC calls for tougher privacy protection for data held by electronic communication providers. While the EU law sets a global de facto standard, the law remains toothless without strong enforcement mechanisms.     

La protección de los derechos fundamentales del deportista en la lucha contra el dopaje. Una visión desde el ordenamiento jurídico español

Doping is addressed in this paper from two different scopes: on one hand, the legal regulations for prevention and repression are studied; on the other hand, the clash between the anti-doping control mechanism and a fundamental right such as the athlete's privacy is noted. We start from the irrefutable fact that “awareness against doping” is practically universal. The enactment of this law was a milestone in the history of the fight against doping in the Spanish regulation. However, the problem arises when the anti-doping legislation worldwide and in Spain, which enables some healthcare professionals and other people involved, to carry out several anti-doping operations that may conflict with the athlete's fundamental right to privacy, all of this in a context of strong media and social impact. For this reason, it is pertinent to raise the issue if one of these operations, such as the duty of permanent localization, is sufficiently justified in terms of protecting the sportsperson's health.     

Default entitlements in personal data in the proposed Regulation: Informational self-determination off the table … and back on again?

This paper aims to assess the proposed General Data Protection Regulation through the framework of default entitlements in personal data. The notion of default entitlements comes from economic analysis of law and provides new insights into the implications of the data protection reform. While, under the principle of informational self-determination the default entitlements should lie with the individual, the Commission is shown to assign a great deal of default rights to others, including the Information Industry. This article cautions against the possibility of reducing the European system of data protection rooted in the values of individual autonomy and informational self-determination to a mere set of administrative rules channelling the flow of personal data, yet without a clear direction.     

Rethinking the one-stop-shop mechanism: Legal certainty and legitimate expectation

This paper aims to contribute to the discussion concerning the one-stop-shop mechanism proposed in the General Data Protection Regulation (hereinafter “GDPR”). The choice of regulation as the instrument to legislate on data protection is already an unmistakable indication that unification and simplification (together with respect of data subjects' interests) shall be the guide for every legal discussion on the matter. The one-stop-shop mechanism (hereinafter “OSS”) clearly reflects the unification and simplification which the reform aims for. We believe that OSS is logically connected with the idea of one Data Protection Authority (hereinafter “DPA”) with an exclusive jurisdiction and that this can only mean that, given one controller, no other DPA can be a competent authority.² In other words, OSS implies a single and comprehensive competent authority of a given controller. In our analysis we argue that such architecture: a) works well with the “consistency mechanism”; b) provides guarantees to data subjects for a clear allocation of powers (legal certainty); and c) is not at odds with the complaint lodging procedure. Our position on fundamental questions is as follows. What is the perimeter of competence of the DPA in charge? We believe that it should have enforcement power on every issue of the controller, including issuing the fines. How to reconcile such dominant role of one DPA with the principle of co-operation among DPAs? We do not consider co-operation at odds with the rule that decisions are taken by just one single authority. Finally, we share some suggestions on how to make the jurisdiction allocation mechanism (the main establishment criterion) more straightforward.