Bioinformatics and genetic privacy: The impact of the Personal Data Protection Act 2010

Bioinformatics refers to the practise of creation and management of genetic data using computational and statistical techniques. In Malaysia, data obtained from genomic studies, particularly for the purpose of disease identification produces a tremendous amount of information related to molecular biology. These data are created from DNA samples obtained from diagnostic and research purposes in genomic research institutes in Malaysia. As these data are processed, stored, managed and profiled using computer applications, an issue arises as to whether the principles of personal data privacy would be applicable to these activities. This paper commences with an illustration of the salient features of the Personal Data Protection Act 2010. The second part analyses the impact of the newly passed Personal Data Protection Act 2010 on the collection of DNA sample, the processing of data obtained from it and the profiling of such data. The third part of the paper considers whether the various personal data protection principles are applicable to the act of DNA profiling and the creation of bioinformatics.     

e-Youth before its judges - Legal protection of minors in cyberspace

The present paper¹ aims both at introducing the legal aspects of the protection of minors in cyberspace and analysing and criticizing certain main features embedded in this legal approach of young people protection. After a short introduction underlining the concept of child’s rights and the reason why this right has been particularly proclaimed in the context of the cyberspace, the first section describes the new technological features of the ICT environment and linked to this evolution the increasing risks the minors are confronted with. A typology of cyber abuses is proposed on the basis of these considerations. A list of EU or Council of Europe texts directly or indirectly related to the minors’ protection into the cyberspace is provided. The second section intends to analyse certain characteristics of the legal approach as regards the ways by which that protection is conceived and effectively ensured. Different principles and methods might be considered as keywords summarizing the legal approach and to a certain extent, fixing a partition of responsibilities taking fully into account the diversity of actors might be deduced from the different regulatory documents.The third section comes back to the different complementary means by which the Law is envisaging the minors’ protection. The obligation to create awareness about the potential risks minors might incur definitively is the first one. The omnipresent reference in all the legal texts to the role of self-regulatory interventions constitutes another pillar of the protection envisaged by the Law. After having described the multiple instruments developed in the context of this self-regulation (labels, codes of conduct, hotlines, ODR…) or even co-regulation, the paper examines the conditions set by the European legislators as regards these instruments. Technology might be considered as a fourth method for protecting children. Our concern will be to see how the Law is addressing new requirements as regards the technological solutions and their implementation. The present debates about the liability of the actors involved in applications or services targeted or not vis-à-vis the minors like SNS or VSP operators are evoked. As a final point the question of the increasing competences of LEA and the reinforcement of the criminal provisions in order to fight cyber abuses against minors will be debated. In conclusion, we will address final recommendations about the way by which it would be possible to reconcile effective minors’ protection and liberties into the cyberspace.     

The Future of Consumer Web Data: A European/US Perspective

The article considers the subject of clickstream data from aEuropean/US perspective, taking into account the Data ProtectionFramework (Data Protection Directive 95/46/EC; Directive onPrivacy and Electronic Communications 2002/58/EC) and the USlegal framework and in particular, the Wiretap Act U.S.C. 2701(2004) and related statutes. It examines the extent to whichclickstream data is considered "personal data" within the DataProtection Directive and the implications to consumers and businesses.     

The EU PNR framework decision proposal: Towards completion of the PNR processing scene in Europe

The entry into force of the Lisbon Treaty has suspended discussions over the release of a EU PNR processing system. Plans to introduce an intra-EU PNR processing system initiated since 2007, although strongly supported by the Commission and the Council, did not bear fruit before the ratification of the Lisbon Treaty and the, institutional, involvement of the Parliament. While discussions have been suspended since October 2009 and most probably a new draft proposal will be produced, it is perhaps useful to present in brief the proposal currently in place so as to highlight its shortcomings for European data protection and suggest ways individual protection may be strengthened in future drafts.     

Profiling the mobile customer – Is industry self-regulation adequate to protect consumer privacy when behavioural advertisers target mobile phones? – Part II

Mobile customers are increasingly being tracked and profiled by behavioural advertisers to enhance delivery of personalized advertising. This type of profiling relies on automated processes that mine databases containing personally-identifying or anonymous consumer data, and it raises a host of significant concerns about privacy and data protection. This second article in a two part series on “Profiling the Mobile Customer” explores how to best protect consumers’ privacy and personal data through available mechanisms that include industry self-regulation, privacy-enhancing technologies and legislative reform.¹ It discusses how well privacy and personal data concerns related to consumer profiling are addressed by two leading industry self-regulatory codes from the UK and the U.S. that aim to establish fair information practices for behavioural advertising by their member companies. It also discusses the current limitations of using technology to protect consumers from privacy abuses related to profiling. Concluding that industry self-regulation and available privacy-enhancing technologies will not be adequate to close important privacy gaps related to consumer profiling without legislative reform, it offers suggestions for EU and U.S. regulators about how to do this.²     

Ownership of personal data in the Internet of Things

This article analyses, defines, and refines the concepts of ownership and personal data to explore their compatibility in the context of EU law. It critically examines the traditional dividing line between personal and non-personal data and argues for a strict conceptual separation of personal data from personal information. The article also considers whether, and to what extent, the concept of ownership can be applied to personal data in the context of the Internet of Things (IoT). This consideration is framed around two main approaches shaping all ownership theories: a bottom-up and top-down approach. Via these dual lenses, the article reviews existing debates relating to four elements supporting introduction of ownership of personal data, namely the elements of control, protection, valuation, and allocation of personal data. It then explores the explanatory advantages and disadvantages of the two approaches in relation to each of these elements as well as to ownership of personal data in IoT at large. Lastly, this article outlines a revised approach to ownership of personal data in IoT that may serve as a blueprint for future work in this area and inform regulatory and policy debates.     

Are ‘pseudonymised’ data always personal data? Implications of the GDPR for administrative data research in the UK

There has naturally been a good deal of discussion of the forthcoming General Data Protection Regulation. One issue of interest to all data controllers, and of particular concern for researchers, is whether the GDPR expands the scope of personal data through the introduction of the term ‘pseudonymisation’ in Article 4(5). If all data which have been ‘pseudonymised’ in the conventional sense of the word (e.g. key-coded) are to be treated as personal data, this would have serious implications for research. Administrative data research, which is carried out on data routinely collected and held by public authorities, would be particularly affected as the sharing of de-identified data could constitute the unconsented disclosure of identifiable information.Instead, however, we argue that the definition of pseudonymisation in Article 4(5) GDPR will not expand the category of personal data, and that there is no intention that it should do so. The definition of pseudonymisation under the GDPR is not intended to determine whether data are personal data; indeed it is clear that all data falling within this definition are personal data. Rather, it is Recital 26 and its requirement of a ‘means reasonably likely to be used’ which remains the relevant test as to whether data are personal. This leaves open the possibility that data which have been ‘pseudonymised’ in the conventional sense of key-coding can still be rendered anonymous. There may also be circumstances in which data which have undergone pseudonymisation within one organisation could be anonymous for a third party. We explain how, with reference to the data environment factors as set out in the UK Anonymisation Network's Anonymisation Decision-Making Framework.     

The introduction of data breach notification legislation in Australia: A comparative view

This article argues that Australia's recently-passed data breach notification legislation, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), and its coming into force in 2018, makes an internationally important, yet imperfect, contribution to data breach notification law. Against the backdrop of data breach legislation in the United States and European Union, a comparative analysis is undertaken between these jurisdictions and the Australian scheme to elucidate this argument. Firstly, some context to data breach notification provisions is offered, which are designed to address some of the problems data breaches cause for data privacy and information security. There have been various prominent data breaches affecting Australians over the last few years, which have led to discussion of what can be done to deal with their negative effects. The international context of data breach notification legislation will be discussed, with a focus on the United States and European Union jurisdictions, which have already adopted similar laws. The background to the adoption of the Australia legislation will be examined, including the general context of data privacy and security protection in Australia. The reform itself will be then be considered, along with the extent to which this law is fit for purpose and some outstanding concerns about its application. While data breach notification requirements are likely to be a positive step for data security, further reform is probably necessary to ensure strong cybersecurity. However, such reform should be cognisant of the international trends towards the adoption of data security measures including data breach notification, but lack of alignment in standards, which may be burdensome for entities operating in the transnational data economy.     

Clarity,surprises, and further questions in the Article 29 Working Party draft guidance on automated decision-making and profiling

The Article 29 Data Protection Working Party's recent draft guidance on automated decision-making and profiling seeks to clarify European data protection (DP) law's little-used right to prevent automated decision-making, as well as the provisions around profiling more broadly, in the run-up to the General Data Protection Regulation. In this paper, we analyse these new guidelines in the context of recent scholarly debates and technological concerns. They foray into the less-trodden areas of bias and non-discrimination, the significance of advertising, the nature of “solely” automated decisions, impacts upon groups and the inference of special categories of data—at times, appearing more to be making or extending rules than to be interpreting them. At the same time, they provide only partial clarity – and perhaps even some extra confusion – around both the much discussed “right to an explanation” and the apparent prohibition on significant automated decisions concerning children. The Working Party appears to feel less mandated to adjudicate in these conflicts between the recitals and the enacting articles than to explore altogether new avenues. Nevertheless, the directions they choose to explore are particularly important ones for the future governance of machine learning and artificial intelligence in Europe and beyond.     

A comparison of data protection legislation and policies across the EU

Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement.The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protections authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not in all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.