Lokke Moerel
- Published in print:
- 2012
- Published Online:
- September 2012
- ISBN:
- 9780199662913
- eISBN:
- 9780191746208
- Item type:
- chapter
- Publisher:
- Oxford University Press
- DOI:
- 10.1093/acprof:oso/9780199662913.003.0003
- Subject:
- Law, Intellectual Property, IT, and Media Law
This chapter gives an introduction to the worldwide data protection regulatory landscape and the different types of regulatory systems. It provides an overview of the basic principles of the data protection directive (and the changes envisaged by the Proposed Regulation), as knowledge of these principles is required for a proper understanding of the Binding Corporate Rules regime. The APEC Privacy Framework is also discussed as a representative of a data protection system based on an organizational approach rather than a territorial approach.
Jaani Riordan
- Published in print:
- 2016
- Published Online:
- March 2021
- ISBN:
- 9780198719779
- eISBN:
- 9780191927416
- Item type:
- chapter
- Publisher:
- Oxford University Press
- DOI:
- 10.1093/oso/9780198719779.003.0010
- Subject:
- Law, Intellectual Property, IT, and Media Law
This chapter examines the liability of internet intermediaries for contraventions of the data protection regime. Data protection duties, like those upholding rights of privacy and confidentiality, can impose significant burdens upon internet intermediaries. This is because much of the information in which these services deal will contain ‘personal data’, and in some cases sensitive personal data, while almost all of the activities undertaken by them will involve some form of ‘processing’ of those data.
Andrea Renda
- Published in print:
- 2015
- Published Online:
- May 2016
- ISBN:
- 9780262029407
- eISBN:
- 9780262331166
- Item type:
- chapter
- Publisher:
- The MIT Press
- DOI:
- 10.7551/mitpress/9780262029407.003.0005
- Subject:
- Computer Science, Programming Languages
This paper reviews the legal framework for data protection in the US and the EU and the attempts made in both jurisdictions to adapt the framework to the challenges posed by cloud computing and the evolving IT ecosystem. The two legal systems have developed widely diverging approaches to the protection of privacy. On the one hand, the US relies on a patchwork of laws (including the Electronic Communications Privacy Act, the PATRIOT Act and the FISAA and many sectoral laws) and the enforcement activity of the Federal Trade Commission under Section 5 of the FTC Act. In the EU, privacy is considered as a fundamental right, and is protected through comprehensive, cross-sectoral legislation (the Data Protection Directive, currently being updated and transformed into a Regulation). The emergence of cloud computing poses challenges for both legal systems: what seems likely is that the US will keep under-protecting privacy in the name of efficient commercial transactions (with great responsibility placed on the FTC to monitor abuses of bargaining power and other deceptive/abusive practices); whereas in the EU cloud services might end up trapped into an over-formalistic legal framework, which leaves little room for trade-offs between privacy and welfare-enhancing customized service for data subjects. The paper discusses also the future of transatlantic data transfer, with the EU-US Safe Harbour and the Binding Corporate Rules currently being re-discussed in the aftermath of the “Datagate” scandal.
David Erdos
- Published in print:
- 2019
- Published Online:
- March 2020
- ISBN:
- 9780198841982
- eISBN:
- 9780191878039
- Item type:
- chapter
- Publisher:
- Oxford University Press
- DOI:
- 10.1093/oso/9780198841982.003.0003
- Subject:
- Law, Intellectual Property, IT, and Media Law, EU Law
This chapter explores the development of European data protection, both as a codified form of regulation and as a human right, from its inception to the present day. In contrast to more ʻclassicalʼ rights, such as freedom of expression and even privacy, data protection only emerged as a discrete concept with the rise of computer power in the 1970s. The focus in Europe from this time has been on elaborating a progressively more detailed and harmonized regulatory code to govern the processing of personal data across the EU and wider European Economic Area (EEA). Advisory Council of Europe Resolutions in the 1970s led to a binding but optional Data Protection Convention in the 1980s, to a mandatory Data Protection Directive in the 1990s, and finally to a General Data Protection Regulation (GDPR) in the 2010s which is directly applicable across the EU. In addition, data protection has increasingly been recognized as a fundamental right and, in particular, was included within the EU Charter that was drafted in 2000 and acquired pan-EU legal status in 2009. These developments have dovetailed with the emergence of a significant body of relevant Court of Justice of the EU (CJEU) jurisprudence. However, the regulatory Data Protection Authorities (DPAs) also remain critical interpretative actors and have issued a number of important opinions including through the Article 29 Working Party that under the GDPR has become the European Data Protection Board.
Raphaël Gellert
- Published in print:
- 2020
- Published Online:
- October 2020
- ISBN:
- 9780198837718
- eISBN:
- 9780191874307
- Item type:
- chapter
- Publisher:
- Oxford University Press
- DOI:
- 10.1093/oso/9780198837718.003.0003
- Subject:
- Law, EU Law, Intellectual Property, IT, and Media Law
Chapter 2 demonstrates that data protection can be understood as command and control regulation by applying the three constitutive elements of regulation (standard setting, monitoring, behaviour control) thereto. If one wants to understand the modus operandi of newer models of regulation as applied to data protection (namely risk-based model of regulation), one must first understand the basis. That is, how data protection can be understood as regulation in the first place. This standpoint has another corollary. Since newer models of regulation are featured in contemporary statutes (with the GDPR as a prime example), an understanding of data protection as command and control regulation entails studying less contemporary statutes. The prime case study will therefore be the EU Data Protection Directive, which, even though not in force anymore, is considered a suitable case for analysis as it embodies earlier models of regulation. Because this chapter is retrospective in scope (i.e. looking at previous data protection statutes in order to better understand the current ones), it often refers to historical sources of data protection (e.g. statutes and literature).
David Erdos
- Published in print:
- 2019
- Published Online:
- March 2020
- ISBN:
- 9780198841982
- eISBN:
- 9780191878039
- Item type:
- chapter
- Publisher:
- Oxford University Press
- DOI:
- 10.1093/oso/9780198841982.003.0011
- Subject:
- Law, Intellectual Property, IT, and Media Law, EU Law
This chapter explores the interface between European data protection and academic social science and humanities publishers until the end of the Data Protection Directive (DPD) era. It begins by summarizing the ‘knowledge facilitation’ provisions which target activities such as scientific research and have been set out in formal data protection instruments at both pan-European and State level over many decades. It is found that, in contrast to most freedom of expression derogations, these restrictive provisions only established very limited exemptions from default data protection norms. The chapter then looks at Data Protection Authorities (DPA) guidance and finds that, subject to a few exceptions, this has indicated that academic expression should comply with the ‘knowledge facilitation’ restrictions. However, much of this guidance has remained very generic or has focused on discrete issues such as the use of confidential datasets provided on safeguarded terms. The chapter reports results from a DPA questionnaire on the regulation of publicly interested covert social science research, finding that many regulators construed the law here very differently to undercover journalism; half even saw this activity as being ipso facto illegal. Turning to enforcement, the chapter details the fairly extensive efforts of many regulators in this area prior to the Data Protection Directive (DPD). Under the DPD, the DPA questionnaire responses suggested that approximately 40 per cent of regulators had taken action against social scientists. However, published examples of action remained limited and, furthermore, these efforts were largely and increasingly focused on specific issues related especially to confidential datasets.
W Kuan Hon and Christopher Millard
- Published in print:
- 2013
- Published Online:
- January 2014
- ISBN:
- 9780199671670
- eISBN:
- 9780191767463
- Item type:
- chapter
- Publisher:
- Oxford University Press
- DOI:
- 10.1093/acprof:oso/9780199671670.003.0010
- Subject:
- Law, Intellectual Property, IT, and Media Law
This chapter considers how restrictions on cross-border transfers of data work, or perhaps don't work, in cloud environments and how they might be improved. The concept of ‘transfer’ and the prohibition on transfers of personal data to countries that fail to provide an adequate level of protection for personal data are explained. Various exceptions to, and derogations from, the transfer prohibition rule are evaluated, including consent, the US Safe Harbor, model contract clauses, and Binding Corporate Rules (BCR).
David Erdos
- Published in print:
- 2019
- Published Online:
- March 2020
- ISBN:
- 9780198841982
- eISBN:
- 9780191878039
- Item type:
- chapter
- Publisher:
- Oxford University Press
- DOI:
- 10.1093/oso/9780198841982.003.0005
- Subject:
- Law, Intellectual Property, IT, and Media Law, EU Law
This chapter explores the legislative interface between data protection and the professional journalistic media under the Data Protection Directive (DPD) and then examines the formal regulatory guidance produced by European Data Protection Authorities (DPAs) during the same period. Despite the DPD’s emphasis on ensuring a careful balancing between equally fundamental rights, statutory provisions at State level were profoundly divergent. In broad terms, Northern European States tended to grant journalism sweeping exemptions from data protection, whilst Southern and Eastern European States set down tough standards even in this sensitive area. These media system differences mapped on to broader cultural fissures concerning individualism, uncertainty avoidance, and attitudes towards power inequalities. In the great majority of cases the national DPA retained a supervisory role in this area and over 60 per cent of these bodies, as well as the Article 29 Working Party, had published some statutory guidance. However, this guidance was often confined to a brief elucidation of the importance of contextual rights balancing coupled, in a number of cases, with an emphasis on promoting a co-regulatory connection between statutory supervision and self-regulation. A minority of DPAs did produce much more extensive guidance focusing especially on children’s rights over data, image rights and visual/audio-visual content, and the right to be forgotten and digital news/media archives.
Ian Walden
- Published in print:
- 2018
- Published Online:
- March 2021
- ISBN:
- 9780198807414
- eISBN:
- 9780191927966
- Item type:
- chapter
- Publisher:
- Oxford University Press
- DOI:
- 10.1093/oso/9780198807414.003.0018
- Subject:
- Law, Intellectual Property, IT, and Media Law
The right to privacy of communications is one of the most enduring and widely recognized of the constellation of rights known as privacy law. While privacy remains a notoriously elusive concept, our communications activities have been consistently recognized as a fundamental element of our private life, placed side-by-side with notions of family and home. While the terminology used in international instruments and national constitutions may have evolved over time to reflect changing technologies, from ‘correspondence’ to ‘communications’, the centrality of communications privacy to our private life remains undisputed.
David Erdos
- Published in print:
- 2019
- Published Online:
- March 2020
- ISBN:
- 9780198841982
- eISBN:
- 9780191878039
- Item type:
- chapter
- Publisher:
- Oxford University Press
- DOI:
- 10.1093/oso/9780198841982.003.0010
- Subject:
- Law, Intellectual Property, IT, and Media Law, EU Law
This chapter explores both the statutory law applicable and the regulatory approach taken to the activity of professional artists and writers outside journalism under European data protection as it developed until the end of the Data Protection Directive (DPD) era. It is found that no pan-European data protection instrument prior to the DPD addressed this interface and such a lacuna was also reflected in the majority of first-generation data protection laws adopted at State-level. In contrast, the DPD provides special (but not absolute) derogations not just for ‘journalistic purposes’ but also for ‘literary and artistic expression’ and this was reflected in the second-generation laws of approximately two-thirds of European Economic Area (EEA) States. Despite falling within data protection’s scope, Data Protection Authorities (DPAs) have generally avoided addressing these actors’ positions. In the early period, the Swedish DPA proved a partial exception to this by publishing guidance on media created on CD-ROMs and even attempted to set license conditions for the use of a computer to produce a book manuscript. Under second-generation data protection, both the Italian and Maltese DPAs issued some specific guidance and the Italian and Slovenian engaged in concrete enforcement. These interventions pointed to a lack of consistency as regards applicable norms. Thus, whilst the Italian DPA crafted a deferential approach based on contextual rights balancing, the Maltese and Slovenian DPAs developed a much more peremptory and restrictive perspective at least as regards photographic images.
W Kuan Hon, Julia Hörnle, and Christopher Millard
- Published in print:
- 2013
- Published Online:
- January 2014
- ISBN:
- 9780199671670
- eISBN:
- 9780191767463
- Item type:
- chapter
- Publisher:
- Oxford University Press
- DOI:
- 10.1093/acprof:oso/9780199671670.003.0009
- Subject:
- Law, Intellectual Property, IT, and Media Law
Data protection laws in the EU adopt a distinctive location-based approach to regulation. Jurisdiction depends either on where a controller or processor is ‘established’, in which case the relevant national law has global reach to regulate activities carried on in the course of that establishment, or the mere use of equipment located in the EU to process personal data may trigger regulation of activities of controllers with no EU establishment. This chapter looks at the international impact of European data protection legislation and considers which laws apply to personal data in clouds.
W Kuan Hon, Christopher Millard, and Ian Walden
- Published in print:
- 2013
- Published Online:
- January 2014
- ISBN:
- 9780199671670
- eISBN:
- 9780191767463
- Item type:
- chapter
- Publisher:
- Oxford University Press
- DOI:
- 10.1093/acprof:oso/9780199671670.003.0008
- Subject:
- Law, Intellectual Property, IT, and Media Law
Cloud computing technologies and service models are sufficiently complex that it is often the case that a provider of the whole or part of a multi-layered cloud service will not even know whether its systems are being used to process personal data. With that in mind, this chapter seeks to identify who is regulated as a ‘data controller’ and / or as a ‘data processor’ in various situations, and how those roles might be mapped onto typical cloud computing arrangements.
W Kuan Hon, Christopher Millard, and Ian Walden
- Published in print:
- 2013
- Published Online:
- January 2014
- ISBN:
- 9780199671670
- eISBN:
- 9780191767463
- Item type:
- chapter
- Publisher:
- Oxford University Press
- DOI:
- 10.1093/acprof:oso/9780199671670.003.0007
- Subject:
- Law, Intellectual Property, IT, and Media Law
This chapter considers what information in clouds is, and what should be, classified as personal data under European Union data protection laws. It is crucial to tackle this question first as the rights and obligations arising under EU national data protection laws apply only to personal data and tend to do so on an ‘all or nothing’ basis depending on whether a particular individual is identified or identifiable. The use in cloud computing of encryption, anonymisation, data fragmentation and other techniques has an impact on this threshold issue.
Raphaël Gellert
- Published in print:
- 2020
- Published Online:
- October 2020
- ISBN:
- 9780198837718
- eISBN:
- 9780191874307
- Item type:
- chapter
- Publisher:
- Oxford University Press
- DOI:
- 10.1093/oso/9780198837718.003.0004
- Subject:
- Law, EU Law, Intellectual Property, IT, and Media Law
Chapter 3 shows that a number of the issues that data protection has encountered and which have served as the impetus for the GDPR reform process can be understood from the regulatory viewpoint. More in particular, they amount to the traditional criticism addressed against command and control rulemaking. It is possible to argue that the command and control model of regulation is based upon two assumptions. First, enforcement is operated through sanctions or the threat thereof—what is referred to as deterrence, and it is assumed that such deterrence always works. Second, it is assumed that the regulatory goals (and the standards and safeguards they lead to) are somewhat unproblematic. This last set of issues is multi-dimensional insofar as it affects the determination of what counts as an adequate standard and safeguard, but it also affects the implementation in practice of these standards. Just as determining what is the behaviour that will lead to the achievement of regulators is less than obvious, so is the concrete implementation and compliance with the various rules that are meant to lead to such behaviour. This is encapsulated for instance in the data controllers’ uncertainty on how exactly to apply certain data protection provisions, or in the inefficiency of a number of mechanisms such as notification obligations. Finally, due notice should be paid to technological evolutions, which can aggravate these issues.
David Erdos
- Published in print:
- 2019
- Published Online:
- March 2020
- ISBN:
- 9780198841982
- eISBN:
- 9780191878039
- Item type:
- chapter
- Publisher:
- Oxford University Press
- DOI:
- 10.1093/oso/9780198841982.003.0007
- Subject:
- Law, Intellectual Property, IT, and Media Law, EU Law
Drawing on the results of both a questionnaire and a public domain website review, this chapter explores the enforcement stance and track record of European Data Protection Authorities (DPAs) vis-à-vis the professional journalistic media under the Data Protection Directive. Approximately 80 per cent of DPAs accepted that they possessed regulatory powers in this regard and over 60 per cent reported having undertaken some enforcement. However, the number who conceptualized their powers to be partial was far higher than that set out in statutory law and half the DPAs which did report enforcement had only intervened in relation to one or two often quite diffuse areas of data protection. The website review verified enforcement for 40 per cent of the DPAs and confirmed that activity had often focused on data linked either to specific privacy interests (especially where sensitive data was involved) and/or data whose safeguarded treatment underpinned critical socio-economic relationships (e.g. national identification numbers). In general, action had been very patchy, with a notable absence of intervention even in relation to issues that only raise limited free speech concerns such as avoiding or rectifying significant inaccuracies. This patchiness could not be fully explained by statutory law (which often remained quite prescriptive), the general need for contextual rights balancing, limited resourcing, or the need for an interface with self-regulation. Nevertheless, enforcement was strongly and positively correlated with the stringency of local law. Relationships with DPA resources were more mixed although there was a significant positive association between enforcement and the per capita human resources available to a regulator.