W Kuan Hon, Christopher Millard, and Ian Walden
- Published in print: 2013
- Published Online: January 2014
- ISBN: 9780199671670
- eISBN: 9780191767463
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/acprof:oso/9780199671670.003.0008
- Subject: Law, Intellectual Property, IT, and Media Law
Cloud computing technologies and service models are sufficiently complex that it is often the case that a provider of the whole or part of a multi-layered cloud service will not even know whether its systems are being used to process personal data. With that in mind, this chapter seeks to identify who is regulated as a ‘data controller’ and / or as a ‘data processor’ in various situations, and how those roles might be mapped onto typical cloud computing arrangements.
John MacDonald and Ross Crail (eds)
- Published in print: 2016
- Published Online: March 2021
- ISBN: 9780198724452
- eISBN: 9780191927478
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780198724452.003.0014
- Subject: Law, Intellectual Property, IT, and Media Law
The first part of Chapter 10 sets out the origins of, and background to, the Data Protection Act 1998 and provides a glossary of idiosyncratic language. It runs through its main provisions: definitions; the rights of individuals to access data relating to themselves, and, if necessary, have it corrected or erased; rights to prevent processing likely to cause damage and distress, or use for direct marketing purposes; data controllers; control of data users; registration and enforcement; the data protection principles; and the powers of the Information Commissioner and the tribunal. The second part of the chapter deals with the interface between the Data Protection Act 1998 and the Freedom of Information Act 2000 and the effect of section 40(1) and (2) of the 2000 Act.
Dara Hallinan
- Published in print: 2021
- Published Online: April 2021
- ISBN: 9780192896476
- eISBN: 9780191918919
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780192896476.003.0009
- Subject: Law, Intellectual Property, IT, and Media Law
This chapter explains how the General Data Protection Regulation's (GDPR) substantive provisions apply to biobanking. It breaks provisions down into seven groups—oversight, legitimate processing, data subject rights, data controller obligations, international transfers, sanctions, and derogations—and provides a detailed analysis of the applicability of provisions in each group in turn. The protection offered by the substantive provisions of the GDPR, however, is liable, in relation to certain types of biobanking processing, to vary between European states. Although the GDPR is, in principle, intended to be directly applicable in all states in which it applies, the law does contain several derogation possibilities relevant for biobanking—for example in relation to data subject rights. European states have already taken advantage of these possibilities to pass national laws applicable to biobanking, outlining provisions which deviate from the default standard of protection.
Raphaël Gellert
- Published in print: 2020
- Published Online: October 2020
- ISBN: 9780198837718
- eISBN: 9780191874307
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780198837718.003.0006
- Subject: Law, EU Law, Intellectual Property, IT, and Media Law
Chapter 5 studies in depth the risk-based approach to data protection, including its rationale and its scope. It shows that it is only a partial implementation of meta regulation. Contrary to meta regulation, it refrains from delegating the regulatory function of standard setting to the regulatees. Instead of addressing all of the issues associated with the “diagnosis-prescription” flaw associated with command and control (ie the selection of standards that will lead to satisfactory regulatory outcomes, and the adequate implementation/compliance with the latter), it only focuses on the better implementation of the data protection provisions. In any case, it is also predicated upon the responsibilisation, and hence, the risk transformation of data controllers’ activities. Such responsibilisation is to be found in the modern principle of accountability. Beyond the GDPR, many contemporary statutes have adopted a similar risk-based approach (even though not explicitly named as such). These include Canada’s PIPEDA, Council of Europe Convention 108+, etc. These various statutes are discussed and contrasted. Key to the discussion are issues such as the safeguards and type of regulatory collaboration these statutes provide for (eg data protection impact assessment), or how the risk management obligations fare in comparison to the ISO 31000 risk management Standard, which can be considered the canon in this matter. Finally, this chapter also examines a number of policy proposals that featured a different type of risk-based approach. Namely, one that espouses meta regulation’s delegation of the standard setting function to the regulatees.
Julia Hörnle
- Published in print: 2021
- Published Online: May 2021
- ISBN: 9780198806929
- eISBN: 9780191844454
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780198806929.003.0007
- Subject: Law, Constitutional and Administrative Law, Public International Law
Chapter 7 focuses on the intriguing question of when EU law is applied to, and enforced against, foreign data controllers by data protection authorities situated in a Member State of the EU. This chapter examines jurisdiction and applicable law in the area of data protection enforcement in the light of recent jurisprudence of the Court of Justice of the EU and Member States’ courts. Given that this caselaw relates to the “old” data protection instrument, namely the Data Protection Directive 1995/46/EC (DPD), this is contrasted with the “new” General Data Protection Regulation (GDPR), which entered into force in 2018. The comparison with the now superseded DPD is also important as it sketches the background and development of EU data protection law, which is important for the wider context and in particular for showing how difficult a coordination of national competences in this field has been. The chapter does not examine jurisdiction in civil litigation before the courts (Chapter 11), but instead focuses exclusively on administrative and regulatory competence under public law.
Dara Hallinan
- Published in print: 2021
- Published Online: April 2021
- ISBN: 9780192896476
- eISBN: 9780191918919
- Item type: chapter
- Publisher: Oxford University Press
- DOI: 10.1093/oso/9780192896476.003.0008
- Subject: Law, Intellectual Property, IT, and Media Law
This chapter addresses how the biobanking process—in the instances in which it falls within the scope of the General Data Protection Regulation (GDPR)—is classified under the GDPR's classification systems. These classification systems do not, themselves, constitute substantive provisions; they do not consist of rights or obligations. They are, however, key in determining the types of actors to whom substantive provisions apply and the way in which substantive provisions apply. The chapter begins with a detailed elaboration of the GDPR's two key classification systems: the actor classification system and the personal data classification system. It then describes how the actor classification system applies to actors involved in the biobanking process, focusing on the applicability of the concepts of ‘data subject’, ‘data controller’, and ‘data processor’. Finally, the chapter considers how the personal data classification system applies to personal data processed in biobanking, looking, in particular, at the applicability of the concepts of ‘genetic data’ and ‘data concerning health’.