Data Protection Impact Assessment: A tool for accountability and the unclarified concept of ‘high risk’ in the General Data Protection Regulation

Article 35 of the GDPR introduces the legal obligation to perform DPIAs in cases where the processing operations are likely to present high risks to the rights and freedoms of natural persons. This obligation is part of a change of approach in the GDPR towards a modified compliance scheme in terms of a reinforced principle of accountability. The DPIA is a prominent example of this approach given that it has an inclusive, comprehensive and proactive nature. Its importance lies in the fact that it forces data controllers to identify, assess and ultimately manage the high risks to the rights and freedoms. However, what is first and foremost important for a meaningful performance of DPIAs, is to have a common and objective understanding of what constitutes a risk in the field of data protection and of how to assess its likelihood and severity. The legislature has approached these concepts via the method of denotation, meaning by giving examples of (highly) risky processing operations. This article suggests a complementary approach, the connotation of these concepts and explains the added value of such a method. By way of a case-study the article also demonstrates the importance of performing complete and accurate DPIAs, in terms of contributing to improving the protection of personal data.     

Patching the patchwork: appraising the EU regulatory framework on cyber security breaches

Breaches of security, a.k.a. security and data breaches, are on the rise, one of the reasons being the well-known lack of incentives to secure services and their underlying technologies, such as cloud computing. In this article, I question whether the patchwork of six EU instruments addressing breaches is helping to prevent or mitigate breaches as intended. At a lower level of abstraction, the question concerns appraising the success of each instrument separately. At a higher level of abstraction, since all laws converge on the objective of network and information security – one of the three pillars of the EU cyber security policy – the question is whether the legal ‘patchwork’ is helping to ‘patch’ the underlying insecurity of network and information systems thus contributing to cyber security. To answer the research question, I look at the regulatory framework as a whole, from the perspective of network and information security and consequently I use the expression cyber security breaches. I appraise the regulatory patchwork by using the three goals of notification identified by the European Commission as a benchmark, enriched by policy documents, legal analysis, and academic literature on breaches legislation, and I elaborate my analysis by reasoning on the case of cloud computing. The analysis, which is frustrated by the lack of adequate data, shows that the regulatory framework on cyber security breaches may be failing to provide the necessary level of mutual learning on the functioning of security measures, awareness of both regulatory authorities and the public on how entities fare in protecting data (and the related network and information systems), and enforcing self-improvement of entities dealing with information and services. I conclude with some recommendations addressing the causes, rather than the symptoms, of network and information systems insecurity.     

Big genetic data and its big data protection challenges

The use of various forms of big data have revolutionised scientific research. This includes research in the field of genetics in areas ranging from medical research to anthropology. Developments in this area have inter alia been characterised by the ability to sequence genome wide sequences (GWS) cheaply, the ability to share and combine with other forms of complimentary data and ever more powerful processing techniques that have become possible given tremendous increases in computing power. Given that many if not most of these techniques will make use of personal data it is necessary to take into account data protection law. This article looks at challenges for researchers that will be presented by the EU's General Data Protection Regulation, which will be in effect from May 2018. The very nature of research with big data in general and genetic data in particular means that in many instances compliance will be onerous, whilst in others it may even be difficult to envisage how compliance may be possible. Compliance concerns include issues relating to ‘purpose limitation’, ‘data minimisation’ and ‘storage limitation’. Other requirements, including the need to facilitate data subject rights and potentially conduct a Data Protection Impact Assessment (DPIA) may provide further complications for researchers. Further critical issues to consider include the choice of legal base: whether to opt for what is often seen as the ‘default option’ (i.e. consent) or to process under the so called ‘scientific research exception’. Each presents its own challenges (including the likely need to gain ethical approval) and opportunities that will have to be considered according to the particular context in question.     

European national news

This article tracks developments at the national level in key European countries in the area of IT and communications and provides a concise alerting service of important national developments. It is co-ordinated by Herbert Smith Freehills LLP and contributed to by firms across Europe. This column provides a concise alerting service of important national developments in key European countries. Part of its purpose is to complement the Journal's feature articles and briefing notes by keeping readers abreast of what is currently happening ``on the ground'' at a national level in implementing EU level legislation and international conventions and treaties. Where an item of European National News is of particular significance, CLSR may also cover it in more detail in the current or a subsequent edition.     

The canary in the data mine

The present article aims at portraying the type of profile best required to fulfil the function of a Data Protection Officer (DPO) within the EU public sector. The article proposes the idiom of the “canary in a coal mine” as best positioned to describe the multidisciplinary role of DPOs. Due to the particularity and sensitivity of their function, Data Protection Officers act as early indicators of data protection incompliance within their respective area of expertise. Only when being functionally independent, Data Protection Officers could master the role of “canaries in the data mine” thus preventing possible data protection breaches and violations.     

Guidelines for the responsible application of data analytics

The vague but vogue notion of ‘big data’ is enjoying a prolonged honeymoon. Well-funded, ambitious projects are reaching fruition, and inferences are being drawn from inadequate data processed by inadequately understood and often inappropriate data analytic techniques. As decisions are made and actions taken on the basis of those inferences, harm will arise to external stakeholders, and, over time, to internal stakeholders as well. A set of Guidelines is presented, whose purpose is to intercept ill-advised uses of data and analytical tools, prevent harm to important values, and assist organisations to extract the achievable benefits from data, rather than dreaming dangerous dreams.     

基于数据仓库的决策支持系统

数据仓库技术是在充分地开发信息资源的迫切要求下产生并迅速发展起来的一个国际前沿研究新领域。本文分析了传统决策支持系统开发中存在的问题,介绍了数据仓库、数据挖掘、联机分析处理技术。以及它们在决策支持系统中的应用,同时给出了基于数据仓库技术的决策支持系统的基本框架。     

An international legal framework for data protection: Issues and prospects

The processing of personal data across national borders by both governments and the private sector has increased exponentially in recent years, as has the need for legal protections for personal data. This article examines calls for a global legal framework for data protection, and in particular suggestions that have been made in this regard by the International Law Commission and various national data protection authorities. It first examines the scope of a potential legal framework, and proceeds to analyze the status of data protection in international law. The article then considers the various options through which an international framework could be enacted, before drawing some conclusions about the form and scope such a framework could take, the institutions that could coordinate the work on it, and whether the time is ripe for a multinational convention on data protection.     

Privacy,trust and policy-making: Challenges and responses

The authors contend that the emerging ubiquitous Information Society (aka ambient intelligence, pervasive computing, ubiquitous networking and so on) will raise many privacy and trust issues that are context dependent. These issues will pose many challenges for policy-makers and stakeholders because people's notions of privacy and trust are different and shifting. People's attitudes towards privacy and protecting their personal data can vary significantly according to differing circumstances. In addition, notions of privacy and trust are changing over time. The authors provide numerous examples of the challenges facing policy-makers and identify some possible responses, but they see a need for improvements in the policy-making process in order to deal more effectively with varying contexts. They also identify some useful policy-making tools. They conclude that the broad brush policies of the past are not likely to be adequate to deal with the new challenges and that we are probably entering an era that will require development of “micro-policies”. While the new technologies will pose many challenges, perhaps the biggest challenge of all will be to ensure coherence of these micro-policies.     

Data protection in the Asia-Pacific region

The increasing reliance on technology as a means of conducting cross-border businesses has spurred on the development of data protection and privacy laws in many countries across the globe. In Asia, however, many countries today still have no or extremely limited data protection laws. Cultural attitudes towards the concept of autonomy and the well-established right of certain governments to monitor and scrutinise its people in certain countries have been partly to blame. However, in order to remain economically viable, the businesses and government of these countries must be able to provide protections which are at least similar to those afforded by the data protection laws of their business counterparts. This article examines the effectiveness and relevance of the APEC Privacy Framework and the state of the data protection laws in eight Asia-Pacific countries today.