Dara Hallinan
- Published in print: 2021
- Published Online: April 2021
- ISBN: 9780192896476
- eISBN: 9780191918919
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780192896476.003.0010
- Subject: Law, Intellectual Property, IT, and Media Law
This chapter presents a critical analysis of the efficacy of the General Data Protection Regulation (GDPR) as a framework for the protection of genetic privacy in biobanking. In this regard, it outlines twenty-three problems concerning the standard of protection offered by the GDPR, assessing the degree to which each problem casts doubt on the efficacy of the GDPR. The chapter considers whether there are factors evident which are likely to mitigate the severity of the impact of each problem, as well as whether each problem is subject to resolution—either through the GDPR's internal interpretation and adaptation mechanisms or through external legislation operating in tandem with the GDPR. The analysis demonstrates that the great majority of problems are not as severe as they initially seem and, as a result, do not call into question the efficacy of the GDPR as a framework for the protection of genetic privacy in biobanking. It also shows that all problems which either require a solution, or would benefit from a solution, can be resolved via the GDPR's internal mechanisms or via external law operating in parallel with the GDPR, or both.
Dimitra Kamarinou, Christopher Millard, and Felicity Turton
- Published in print: 2021
- Published Online: June 2021
- ISBN: 9780198716662
- eISBN: 9780191918582
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780198716662.003.0008
- Subject: Law, Intellectual Property, IT, and Media Law
This chapter focuses on the rights and remedies that individual users of cloud computing services may enjoy under the EU's General Data Protection Regulation (GDPR). It begins by considering the concept of the individual as 'data subject', which is inextricably linked to the concept of 'personal data'. The term 'data subject' is not defined explicitly in the GDPR. Instead, it is referenced in parenthesis within the definition of personal data. The definition of personal data is purposefully broad so as to include the vast range of information from which an individual may be identified. The chapter then explores the rights afforded to data subjects, including the right to be informed; the rights of access, rectification, and erasure; the right to data portability; the right to object to processing; and the right not to be subject to automated decision making, including profiling. Finally, it looks at the remedies and compensation available to data subjects. One of the biggest challenges to data subjects knowing and being able to exercise their rights is a potential lack of transparency with regard to how and by whom their personal data are collected and further processed in the cloud.
Dara Hallinan
- Published in print: 2021
- Published Online: April 2021
- ISBN: 9780192896476
- eISBN: 9780191918919
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780192896476.003.0009
- Subject: Law, Intellectual Property, IT, and Media Law
This chapter explains how the General Data Protection Regulation's (GDPR) substantive provisions apply to biobanking. It breaks provisions down into seven groups—oversight, legitimate processing, data subject rights, data controller obligations, international transfers, sanctions, and derogations—and provides a detailed analysis of the applicability of provisions in each group in turn. The protection offered by the substantive provisions of the GDPR, however, is liable, in relation to certain types of biobanking processing, to vary between European states. Although the GDPR is, in principle, intended to be directly applicable in all states in which it applies, the law does contain several derogation possibilities relevant for biobanking—for example in relation to data subject rights. European states have already taken advantage of these possibilities to pass national laws applicable to biobanking, outlining provisions which deviate from the default standard of protection.
David Erdos
- Published in print: 2019
- Published Online: March 2020
- ISBN: 9780198841982
- eISBN: 9780191878039
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780198841982.003.0003
- Subject: Law, Intellectual Property, IT, and Media Law, EU Law
This chapter explores the development of European data protection, both as a codified form of regulation and as a human right, from its inception to the present day. In contrast to more ʻclassicalʼ rights, such as freedom of expression and even privacy, data protection only emerged as a discrete concept with the rise of computer power in the 1970s. The focus in Europe from this time has been on elaborating a progressively more detailed and harmonized regulatory code to govern the processing of personal data across the EU and wider European Economic Area (EEA). Advisory Council of Europe Resolutions in the 1970s led to a binding but optional Data Protection Convention in the 1980s, to a mandatory Data Protection Directive in the 1990s, and finally to a General Data Protection Regulation (GDPR) in the 2010s which is directly applicable across the EU. In addition, data protection has increasingly been recognized as a fundamental right and, in particular, was included within the EU Charter that was drafted in 2000 and acquired pan-EU legal status in 2009. These developments have dovetailed with the emergence of a significant body of relevant Court of Justice of the EU (CJEU) jurisprudence. However, the regulatory Data Protection Authorities (DPAs) also remain critical interpretative actors and have issued a number of important opinions including through the Article 29 Working Party that under the GDPR has become the European Data Protection Board.
David Erdos
- Published in print: 2019
- Published Online: March 2020
- ISBN: 9780198841982
- eISBN: 9780191878039
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780198841982.003.0008
- Subject: Law, Intellectual Property, IT, and Media Law, EU Law
This chapter explores the legislative interface between data protection and the professional journalistic media under the General Data Protection Regulation (GDPR). Like the Data Protection Directive (DPD), the GDPR mandates that States adopt derogations ‘necessary’ for reconciling two competing fundamental rights. However, broadly mirroring the situation under the DPD, there remain considerable differences at local level. Northern European countries have tended to set out wide and deep derogations for journalism, whilst Southern and Eastern Europe have often stipulated that this activity adhere to strict data protection standards. These differences map on to broader cultural fissures as regards attitudes to individualism, uncertainty avoidance, and power differences in society. Nevertheless, these outcomes are slightly more balanced than under the DPD. In particular, almost half the States have set out partial statutory limits to the supervisory powers of the Data Protection Authority here. Approximately one-third of States also continue to formalize a co-regulatory connection between statutory and self-regulation. However, a widespread problem has emerged concerning the statutory treatment of media/news archiving. In sum, although the GDPR mandates derogations here, only around one-third of European Economic Area (EEA) States have explicitly provided that the journalism regime can apply to public interest archiving which is subject to its own default regime in the GDPR.
David Erdos
- Published in print: 2019
- Published Online: March 2020
- ISBN: 9780198841982
- eISBN: 9780191878039
- Item type: book
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780198841982.001.0001
- Subject: Law, Intellectual Property, IT, and Media Law, EU Law
This book explores the interface between European data protection and the freedom of expression activities of traditional journalism, professional artists, and both academic and non-academic writers from both an empirical and normative perspective. It draws on an exhaustive examination of both historical and contemporary public domain material and a comprehensive questionnaire of European Data Protection Authorities (DPAs). Empirically it is found that, notwithstanding an often confusing statutory landscape, DPAs have sought to develop an approach to regulating the journalistic media based on contextual rights balancing. However, they have struggled to secure a clear and specified criterion of strictness as regards standard-setting or a consistent and reliable approach to enforcement. DPAs have appeared even more confused as regards other traditional publishers, largely abstaining from regulating most professional artists and writers but attempting to subject all academic disciplines to onerous statutory restrictions established for medical, scientific, and related research. From these findings, it is argued that balancing contextual rights has value and should be both generalized across all traditional publishers and systematically and sensitively developed through structured and robust co-regulation. Such co-regulation should adopt the new code of conduct and monitoring provisions included in the General Data Protection Regulation (GDPR) as a broad guideline. DPAs should accord strong deference to any codes and monitoring bodies which verifiably meet the accredited criteria but must engage more proactively when these are absent. In any case, DPAs should also intervene directly as regards particularly serious or systematic issues and have an increasingly important role in ensuring a joined-up approach between traditional publishing and new media activity.
Julia Hörnle
- Published in print: 2021
- Published Online: May 2021
- ISBN: 9780198806929
- eISBN: 9780191844454
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780198806929.003.0007
- Subject: Law, Constitutional and Administrative Law, Public International Law
Chapter 7 focuses on the intriguing question of when EU law is applied to, and enforced against, foreign data controllers by data protection authorities situated in a Member State of the EU. This chapter examines jurisdiction and applicable law in the area of data protection enforcement in the light of recent jurisprudence of the Court of Justice of the EU and Member States’ courts. Given that this caselaw relates to the “old” data protection instrument, namely the Data Protection Directive 1995/46/EC (DPD), this is contrasted with the “new” General Data Protection Regulation (GDPR), which entered into force in 2018. The comparison with the now superseded DPD is also important as it sketches the background and development of EU data protection law, which is important for the wider context and in particular for showing how difficult a coordination of national competences in this field has been. The chapter does not examine jurisdiction in civil litigation before the courts (Chapter 11), but instead focuses exclusively on administrative and regulatory competence under public law.
Mireille Hildebrandt
- Published in print: 2020
- Published Online: July 2020
- ISBN: 9780198860877
- eISBN: 9780191892936
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780198860877.003.0005
- Subject: Law, Intellectual Property, IT, and Media Law
This chapter covers privacy and data protection. This entails a series of legal requirements for development and design, for the default settings, and for the employment of computer architectures. In addition, the chapter defines the right to privacy as a subjective right, attributed by objective law, which may be national (constitutional) law, international human rights law, or supranational law (EU fundamental rights law). The chapter first confronts the landscape of human rights law at the global, national, and EU level. It then inquires into the right of privacy, as guaranteed under the ECHR and the Charter of Fundamental Rights of the European Union (CFREU), and finally provides an extensive analysis of the new fundamental right to data protection, as guaranteed by the CFREU and protected by the General Data Protection Regulation (GDPR).
Dimitra Kamarinou, Christopher Millard, and Felicity Turton
- Published in print: 2021
- Published Online: June 2021
- ISBN: 9780198716662
- eISBN: 9780191918582
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780198716662.003.0009
- Subject: Law, Intellectual Property, IT, and Media Law
This chapter outlines the roles and responsibilities of controllers and processors of personal data in clouds. The realisation of the rights of data subjects whose personal data are processed in cloud computing environments depends, in large part, on whom they may be exercised against. The concepts of 'controller' and 'processor' play a crucial role in this respect since they determine who is responsible for compliance with the core obligations set out in the General Data Protection Regulation (GDPR). The chapter then addresses the fundamental question of what constitutes a controller or processor and looks at the circumstances in which two or more controllers may be characterised as joint controllers. It considers the contractual rights and obligations of controllers and processors. The chapter also analyses the allocation of responsibility for compliance with a range of GDPR obligations, including security, breach notification requirements, requirements relating to Data Protection Impact Assessments (DPIA), consultations with data protection regulators, record-keeping, and audits. Finally, it examines the role of Data Protection Officers (DPO) and the role of supervisory authorities in enforcing compliance with the GDPR.
Lee A Bygrave
- Published in print: 2019
- Published Online: October 2019
- ISBN: 9780198838494
- eISBN: 9780191874727
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780198838494.003.0011
- Subject: Law, Intellectual Property, IT, and Media Law
This chapter focuses on Articles 22 and 25 of the EU’s General Data Protection Regulation (Regulation 2016/679). It examines how these provisions will impact automated decisional systems. Article 22 gives a person a qualified right ‘not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her’. Article 25 imposes a duty on controllers of personal data to implement technical and organizational measures so that the processing of the data will meet the Regulation’s requirements and otherwise ensure protection of the data subject’s rights. Both sets of rules are aimed squarely at subjecting automated decisional systems to greater accountability. The chapter argues that the rules suffer from significant weaknesses that are likely to hamper their ability to meet this aim.
Dara Hallinan
- Published in print: 2021
- Published Online: April 2021
- ISBN: 9780192896476
- eISBN: 9780191918919
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780192896476.003.0007
- Subject: Law, Intellectual Property, IT, and Media Law
This chapter looks at when the General Data Protection Regulation (GDPR) applies, ratione materiae, to biobanking—only when the law applies to biobanking can it be expected to provide any protection for genetic privacy rights in biobanking at all. The GDPR's applicability criteria are outlined in Article 2; criteria concern both the types of processing activity covered by the GDPR and the mechanics of processing covered by the GDPR. In relation to the mechanics of biobank processing, the situation is complex. The key question which emerges is which types of biobanking substances can qualify as personal data? The concept of personal data can be usefully broken down into two aspects of any processing operation. First, the substance being processed: to qualify as personal data, a substance must be able to fulfil three criteria. A substance must be ‘information’, it must ‘relate to’ a specific person, and that person must be a ‘natural person’. In the biobanking context, health, lifestyle, and biographical information, sequenced genomic data, and individual research results certainly fulfil these criteria. Second, the link between the substance and a specific individual: to qualify as personal data, a substance must relate to an individual who is ‘identified or identifiable’. All biobanking substances processed in either linked or pseudonymised form will certainly qualify as ‘identified or identifiable’.
David Erdos
- Published in print: 2019
- Published Online: March 2020
- ISBN: 9780198841982
- eISBN: 9780191878039
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780198841982.003.0009
- Subject: Law, Intellectual Property, IT, and Media Law, EU Law
This chapter explores the approach European Data Protection Authorities (DPAs) should take to their role vis-à-vis the professional journalistic media under the General Data Protection Regulation (GDPR). Such an approach must take into account the contextual trend within European Court of Human Rights case law, the growth of a stricter Court of Justice of the European Union data protection jurisprudence, and continuing severe resource constraints. In the area of standards, DPAs should endorse a broad construction of the journalistic derogation that encompasses news/media archives but should also promote a specific and structured approach to contextual balancing within this derogation. Such detailed standard-setting raises acute sensitivities. Therefore, guidance should be formulated through a co-regulatory process which adopts the GDPR’s code of conduct provisions as a broad guideline. Enforcement remains even more delicate, potentially very expensive, but nevertheless vital. A strategic co-regulatory approach is appropriate here too. DPAs should encourage self-regulatory monitoring mechanisms and, in cases where these meet the criteria laid down in the GDPR, should defer to them other than when particular systematic or serious issues arise. If such criteria are not satisfied, DPAs need to deploy their powers proactively across the board. Finally, where no self-regulatory mechanism exists, DPAs must independently ensure a proportionate response to all complaints and issues that arise. Media regulation rightly remains largely within State jurisdiction. Therefore, the European Data Protection Regulation should avoid coercive intervention here. Nevertheless, it should play a valuable ‘soft’ role through drafting non-binding guidance and promoting information exchange, dialogue, and cooperation.
Dara Hallinan
- Published in print: 2021
- Published Online: April 2021
- ISBN: 9780192896476
- eISBN: 9780191918919
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780192896476.003.0006
- Subject: Law, Intellectual Property, IT, and Media Law
This chapter assesses whether there is any need to consider European data protection law as a framework for the protection of genetic privacy in biobanking in Europe at all. To answer the question, the chapter conducts a thought experiment and examines what the standard of protection in Europe would look like if one were to exclude data protection law from consideration. This is merely a thought experiment, as data protection already plays, and will continue to play, a significant role in the protection of genetic privacy in biobanking in Europe. The exercise is enlightening, however, in showing the extent of flaws in protection in European legal systems stripped of data protection. In this regard, the chapter then maps the protection provided to genetic privacy in biobanking by the EU's, and three European states'—Estonia, Germany, and the UK—legal systems. It then engages in a critical analysis, highlighting the significant inadequacy of the protection provided by these systems excluding data protection law. Finally, the chapter shows why, generally, European data protection law under the General Data Protection Regulation (GDPR) looks a viable solution to address the problems displayed by other approaches.
David Erdos
- Published in print: 2019
- Published Online: March 2020
- ISBN: 9780198841982
- eISBN: 9780191878039
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780198841982.003.0012
- Subject: Law, Intellectual Property, IT, and Media Law, EU Law
This chapter explores the interface between data protection and professional artists and (academic and non-academic) writers both in the formal law under the General Data Protection Regulation (GDPR) and in terms of the approach that should be adopted by Data Protection Authorities (DPAs) here. The GDPR mandates that States set down derogations as are ‘necessary’ to reconcile data protection with not only journalism but other special forms of expression, namely artistic, literary, and (in a new departure) academic expression. Moreover, with a few exceptions, States grant all these forms of expression comparable shields within their statutory laws. However, contrary to the GDPR itself, most do not expressly extend these shields to ‘knowledge facilitation’ activities such as scientific research. This could undermine protections for academic expression. It is, therefore, imperative that DPAs adopt a purposive interpretation which ensures that all processing orientated towards contributing to public knowledge or discourse can benefit from these shields even if the activity could also be conceptualized as, for example, scientific research. Nevertheless, DPAs should develop specific standards and an enforcement strategy that recognizes that these shields are qualified. Both should foster co-regulatory engagement. However, co-regulation remains challenging here as a result of the entirely informal nature of norms amongst non-academic artists and writers and the dominance of a biomedical approach within many academic institutions which is alien to much of the work in the social sciences and the humanities. DPAs will, therefore, need to be proactive rather than reactive in this area.
Kenneth Hamer
- Published in print: 2019
- Published Online: March 2021
- ISBN: 9780198817246
- eISBN: 9780191932212
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780198817246.003.0020
- Subject: Law, Legal Profession and Ethics
The appellant was charged with an inappropriate and improper examination of Ms B, alleged to have taken place at a consultation on 20 August 1997. On the first morning of the hearing, a photocopy of Ms B’s diary for the entry of 20 August was produced, which referred to a consultation with the appellant at 3.40 p.m. The appellant’s case was that his surgery did not open until 4.30 p.m. on that day, and his first appointment was at 5 p.m. At the hearing before the Professional Conduct Committee (PCC), the charge was proved and the appellant’s name was ordered to be erased from the medical register. On appeal to the Privy Council, it was submitted that Ms B’s diary should have been disclosed to the appellant prior to the date of the hearing.
Ulrich Wuermeling and Isabella Oldani
- Published in print: 2021
- Published Online: June 2021
- ISBN: 9780198716662
- eISBN: 9780191918582
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780198716662.003.0010
- Subject: Law, Intellectual Property, IT, and Media Law
This chapter studies the regulation of international data transfers in clouds. The General Data Protection Regulation (GDPR) stipulates that any transfer of personal data from the European Union (EU) (as well as other European Economic Area (EEA) countries) to a third country or an international organisation is subject to restrictions to ensure that the level of protection provided by the GDPR is not undermined. The GDPR requires either adequate protection or appropriate safeguards for transfers of personal data to third countries. When assessing a data transfer to a third country, a number of factors must be considered. First, it is necessary to establish whether the processing of personal data falls within the scope of the GDPR. Second, the GDPR may apply either to the cloud provider or its customer, or to both. Third, it is necessary to establish when a 'transfer' of personal data from an EU Member State to a third country is taking place and how the protection of the data can be ensured. Fourth, in some circumstances, there may be an exception to the requirement to ensure continued protection following a data transfer.
W Kuan Hon, Christopher Millard, Ian Walden, and Conor Ward
- Published in print: 2021
- Published Online: June 2021
- ISBN: 9780198716662
- eISBN: 9780191918582
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780198716662.003.0004
- Subject: Law, Intellectual Property, IT, and Media Law
This chapter examines negotiated contracts for cloud services. Given that the use of cloud services has now become widely accepted and in light of the fact that providers' standard contract terms have evolved if not improved, do customers still deem it necessary to seek to negotiate contracts and if so, which issues are typically focused on? Are providers willing to negotiate or have they hardened their attitudes to negotiation? The chapter outlines providers' perspectives on cloud contract terms and customers' perspectives on cloud contracts including the role of integrators. It looks at the factors that customers take into account when considering specific terms, including whether or not to negotiate the terms in question or look at other methods of risk mitigation. The fact that data breach response and liability for data breaches tops the list of most-negotiated terms suggests that cloud providers and customers are still grappling with the General Data Protection Regulation's (GDPR) requirements and trying to come up with terms that will satisfy both customers' and providers' needs.
Dara Hallinan
- Published in print: 2021
- Published Online: April 2021
- ISBN: 9780192896476
- eISBN: 9780191918919
- Item type: book
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780192896476.001.0001
- Subject: Law, Intellectual Property, IT, and Media Law
Biobanks are critical infrastructure for medical research. Biobanks, however, are also the subject of considerable ethical and legal uncertainty. Given that biobanks process large quantities of genomic data, questions have emerged as to how genetic privacy should be protected. What types of genetic privacy rights and rights holders should be protected and to what extent? Since 25 May 2018, the General Data Protection Regulation (GDPR) has applied and now occupies a key position in the European legal framework for the regulation of biobanking. This book takes an in-depth look at the function, problems, and opportunities presented by European data protection law under the GDPR as a framework for the protection of genetic privacy in biobanking. It argues that the substantive framework presented by the GDPR already offers an admirable baseline level of protection for the range of genetic privacy rights engaged by biobanking. The book further contends that while numerous problems with this standard of protection are indeed identifiable, the GDPR offers the flexibility to accommodate solutions to these problems, as well as the procedural mechanisms to realise these solutions.
Marcus Klamert
- Published in print: 2019
- Published Online: March 2021
- ISBN: 9780198794561
- eISBN: 9780191927874
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780198759393.003.88
- Subject: Law, EU Law
Article 286 EC Everyone has the right to the protection of personal data concerning them.
Dara Hallinan
- Published in print: 2021
- Published Online: April 2021
- ISBN: 9780192896476
- eISBN: 9780191918919
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780192896476.003.0001
- Subject: Law, Intellectual Property, IT, and Media Law
This introductory chapter provides an overview of the protection of genetic privacy in biobanking. The fact that genomic research relies on the processing of large quantities of individuals' genomic data has raised new questions as to which forms of privacy right are engaged by research, and as to which privacy rights holders are engaged by research: questions of genetic privacy. Ordinarily, one might look to the law to provide some clue, or image, as to which genetic privacy rights are worthy of protection and as to what an effective and proportionate approach to their protection should look like. In this regard, a brief look at the legal landscape relevant to biobanking in Europe reveals a great quantity of legislation apparently relevant for the protection of genetic privacy in biobanking. This book then takes an in-depth look at the function, problems, and opportunities presented by the General Data Protection Regulation (GDPR) as a framework for the protection of genetic privacy in biobanking in Europe.