Bioinformatics and genetic privacy: The impact of the Personal Data Protection Act 2010

Bioinformatics refers to the practise of creation and management of genetic data using computational and statistical techniques. In Malaysia, data obtained from genomic studies, particularly for the purpose of disease identification produces a tremendous amount of information related to molecular biology. These data are created from DNA samples obtained from diagnostic and research purposes in genomic research institutes in Malaysia. As these data are processed, stored, managed and profiled using computer applications, an issue arises as to whether the principles of personal data privacy would be applicable to these activities. This paper commences with an illustration of the salient features of the Personal Data Protection Act 2010. The second part analyses the impact of the newly passed Personal Data Protection Act 2010 on the collection of DNA sample, the processing of data obtained from it and the profiling of such data. The third part of the paper considers whether the various personal data protection principles are applicable to the act of DNA profiling and the creation of bioinformatics.     

Allocating responsibility among controllers,processors, and “everything in between”: the definition of actors and roles in Directive 95/46/EC

In Opinion 1/2010, the Article 29 Data Protection Working Party has provided additional guidance concerning the concepts of ‘controller’ and ‘processor’ contained in Directive 95/46/EC. This guidance aims to assist practitioners in their determination of whether an entity is acting as a controller or as a processor towards a particular data processing operation. Despite the fact that this opinion is informative, the existing framework still appears to leave room for a considerable amount of legal uncertainty. This uncertainty is attributable in part to the nature of the existing concepts, but also (and perhaps to a larger extent) to their apparent misalignment with current processing realities. In this paper, the author seeks to articulate why the existing concepts often remain difficult to apply in practice, in order to enable a constructive reflection on how these issues might be addressed in the future.     

老年人保健品诈骗犯罪侦查研究——基于大数据背景

老年人保健品诈骗犯罪具有职业化、犯罪对象范围明确、犯罪手段多元、隐蔽且变异性强等特点。传统侦查方法面临受害人不能及时报案失去破案先机、侦查投入成本高、部门间协调机制不畅等困境。大数据技术可以满足人民群众快侦快破的新期待,在提供明确的侦查方向、实现犯罪深挖、助力控赃挽损等方面实现新突破。在大数据背景下,建立数据驱动侦查的大数据思维,加强警企合作并拓展整合数据来源,完善线上线下协同作战模式,提升民警的大数据侦查专业素养,有助于老年人保健品诈骗犯罪案件侦查机制的完善。     

The Cyprus and other EU court rulings on data retention: The Directive as a privacy bomb

This paper discusses the controversy surrounding the Data Retention Directive with an emphasis on the 2011 decision of the Cyprus Supreme Court which has annulled several district court orders that allowed the police access to telecommunications data relating to certain persons relevant to criminal investigations. The annulment has been on the ground that the legal provisions upon which the orders have been issued are unconstitutional. It will suggest that the decision does not entail a direct rejection of the EU Data Retention Directive and that in any event, Cyprus is not a Member State resisting the particular measure. This is because the legal provisions are deemed unconstitutional, though part of the law that has transposed the relevant Directive into national law are provisions that go beyond what the EU legislator intended to regulate through that Directive. Still, the particular Directive sits rather uneasily within the ‘human rights’ regime, in particular the one governing the individual right of privacy.     

Trust in the clouds

The “cloud” is not new, and its roots go back to the original plans for computing from the 1950s. Now that computing is moving back to the original cloud-based models that were envisioned more than 60 years ago, with it, consumers are realizing the increases in security and safety that accompany the move to centralized servers. Yet the perception of “trust” in this context is often still formed by views that people have from their use of computers over the past two decades, which is localized in nature (“if I can see it, I can control it”). This view is based on perception more than fact. Our paper discusses different views of trust in other contexts (such as banking and travel) and concludes that users of cloud computing should recast their view of trust in a similar way that consumers of banking and travel have changed their perceptions of trust in the last 100 years.     

Regulating electronic identity in the European Union: An analysis of the Lisbon Treaty’s competences and legal basis for eID

This paper discusses the feasibility of EU legal action in the field of electronic identity (eID) within the new distribution of legal competences and the provision of novel legal basis engendered by the Treaty of Lisbon. The article attempts to find a ‘legal anchor’ to the idea of a pan-European electronic identity within EU law, looking at the issues of competences and legal basis. After examining various different areas of competence and the most feasible (and probable) candidates for a legal basis supporting an EU legal framework for eID, the paper argues that the latter should be found in the combination of Article 16 TFEU (concerning the right to the protection of personal data) with Article 3 TUE, and Articles 26 and 114 TFEU (concerning the establishment and functioning of the Internal Market), which also constitute the area of competence where an eID legal initiative can be pursued.     

Data breach notification law in the EU and Australia – Where to now?

Mandatory data breach notification laws have been a significant legislative reform in response to unauthorized disclosures of personal information by public and private sector organizations. These laws originated in the state-based legislatures of the United States during the last decade and have subsequently garnered worldwide legislative interest. We contend that there are conceptual and practical concerns regarding mandatory data breach notification laws which limit the scope of their applicability, particularly in relation to existing information privacy law regimes. We outline these concerns here, in the light of recent European Union and Australian legal developments in this area.     

Medical data breaches: Notification delayed is notification denied

The EU and the United States have implemented data breach notification rules that cover the health sectors. Nevertheless, data breach incidents involving medical data continue to rise, especially in the US and the UK. The HITECH Act, Pub. L. 111-5 Title XIII is the first federal health breach notification law in the US to be characterized by less government intrusions, while the revised EU Privacy Directive, 2009/136/EC calls for tougher privacy protection for data held by electronic communication providers. While the EU law sets a global de facto standard, the law remains toothless without strong enforcement mechanisms.     

Default entitlements in personal data in the proposed Regulation: Informational self-determination off the table … and back on again?

This paper aims to assess the proposed General Data Protection Regulation through the framework of default entitlements in personal data. The notion of default entitlements comes from economic analysis of law and provides new insights into the implications of the data protection reform. While, under the principle of informational self-determination the default entitlements should lie with the individual, the Commission is shown to assign a great deal of default rights to others, including the Information Industry. This article cautions against the possibility of reducing the European system of data protection rooted in the values of individual autonomy and informational self-determination to a mere set of administrative rules channelling the flow of personal data, yet without a clear direction.