Between law and code: challenges and opportunities for automating privacy assessments
Android apps collecting data from users must comply with legal frameworks to ensure data protection. This requirement has become even more important since the implementation of the General Data Protection Regulation (GDPR) by the European Union in 2018. Moreover, with the proposed Cyber Resilience Act on the horizon, stakeholders will soon need to assess software against even more stringent security and privacy standards. Effective privacy assessments require collaboration among groups with diverse expertise to function effectively as a cohesive unit. This paper presents an interview-based study (N=16) exploring the challenges these experts encounter during privacy assessments and their views on automation as potential support. To ground the discussion, we use Assessor View, a prototype developed for this work that integrates static analysis to extract privacy-relevant information directly from Android Application Packages (APKs), as a research probe. Its design provides dedicated views for both technical and non-technical stakeholders, enabling reflection on how automation can enhance assessment practice. Our study identifies key challenges in conducting privacy assessments, including knowledge and communication gaps between experts, the privacy–innovation trade-off, delayed involvement of privacy professionals, and the lack of source code analysis-based tools. The user study conducted alongside the interviews reveals that the GDPR warnings and guidance provided by Assessor View are valuable to Data Protection Officers and privacy experts, and its design is particularly well suited for these stakeholders. Overall, our findings indicate that Assessor View represents a significant step toward improving communication between legal and technical experts and automating privacy assessments.
- Preprint Article
- 10.21203/rs.3.rs-6323701/v1
- Apr 23, 2025
- Research Square
Android apps collecting data from users must comply with legal frameworks to ensure data protection. This requirement has become even more important since the implementation of the General Data Protection Regulation (GDPR) by the European Union in 2018. Moreover, with the proposed Cyber Resilience Act on the horizon, stakeholders will soon need to assess software against even more stringent security and privacy standards. Effective privacy assessments require collaboration among groups with diverse expertise to function effectively as a cohesive unit. This paper addresses the need for an automated approach to improve the understanding of data protection in Android apps and enhance communication between the various parties involved in privacy assessments. We present Assessor View, a tool designed to bridge knowledge gaps and support more effective privacy assessments of Android applications. We conducted a user study with five legal and privacy experts. In the interview part of this study, we identified key challenges in conducting privacy assessments, including knowledge gaps, poor communication between legal and technical experts, the absence of automated privacy tools, and the delayed involvement of privacy professionals. The user study results indicate that the GDPR warnings and guidance provided by Assessor View are valuable to DPOs and privacy experts, and its design is particularly well suited for these stakeholders. Our findings indicate that Assessor View represents a significant step toward improving communication between legal and technical experts and automating privacy assessments.
- Research Article
44
- 10.1016/j.clsr.2019.05.004
- Jun 22, 2019
- Computer Law & Security Review
EU GDPR or APEC CBPR? A comparative analysis of the approach of the EU and APEC to cross border data transfers and protection of personal data in the IoT era
- Research Article
7
- 10.2139/ssrn.3655773
- Aug 25, 2020
- SSRN Electronic Journal
Neo-Liberal Business-As-Usual or Post-Surveillance Capitalism With European Characteristics? The EU’s General Data Protection Regulation in a Multi-Polar Internet
- Research Article
10
- 10.1108/ijlma-01-2024-0025
- Apr 5, 2024
- International Journal of Law and Management
Purpose General Data Protection Regulation (GDPR) of the European Union (EU) was passed to protect data privacy. Though the GDPR intended to address issues related to data privacy in the EU, it created an extra-territorial effect through Articles 3, 45 and 46. Extra-territorial effect refers to the application or the effect of local laws and regulations in another country. Lawmakers around the globe passed or intensified their efforts to pass laws to have personal data privacy covered so that they meet the adequacy requirement under Articles 45–46 of GDPR while providing comprehensive legislation locally. This study aims to analyze the Malaysian and Saudi Arabian legislation on health data privacy and their adequacy in meeting GDPR data privacy protection requirements. Design/methodology/approach The research used a systematic literature review, legal content analysis and comparative analysis to critically analyze the health data protection in Malaysia and Saudi Arabia in comparison with GDPR and to see the adequacy of health data protection that could meet the requirement of EU data transfer requirement. Findings The finding suggested that the private sector is better regulated in Malaysia than the public sector. Saudi Arabia has some general laws to cover health data privacy in both public and private sector organizations until the newly passed data protection law is implemented in 2024. The finding also suggested that the Personal Data Protection Act 2010 of Malaysia and the Personal Data Protection Law 2022 of Saudi Arabia could be considered “adequate” under GDPR. Originality/value The research would be able to identify the key principles that could identify the adequacy of the laws about health data in Malaysia and Saudi Arabia as there is a dearth of literature in this area. This will help to propose suggestions to improve the laws concerning health data protection so that various stakeholders can benefit from it.
- Research Article
33
- 10.1007/s10270-021-00935-5
- Nov 17, 2021
- Software and Systems Modeling
In Europe and indeed worldwide, the General Data Protection Regulation (GDPR) provides protection to individuals regarding their personal data in the face of new technological developments. GDPR is widely viewed as the benchmark for data protection and privacy regulations that harmonizes data privacy laws across Europe. Although the GDPR is highly beneficial to individuals, it presents significant challenges for organizations monitoring or storing personal information. Since there is currently no automated solution with broad industrial applicability, organizations have no choice but to carry out expensive manual audits to ensure GDPR compliance. In this paper, we present a complete GDPR UML model as a first step toward designing automated methods for checking GDPR compliance. Given that the practical application of the GDPR is influenced by national laws of the EU Member States, we suggest a two-tiered description of the GDPR, generic and specialized. In this paper, we provide (1) the GDPR conceptual model we developed with complete traceability from its classes to the GDPR, (2) a glossary to help understand the model, (3) the plain-English description of 35 compliance rules derived from GDPR along with their encoding in OCL and (4) the set of 20 variation points derived from GDPR to specialize the generic model. We further present the challenges we faced in our modeling endeavor, the lessons we learned from it and future directions for research.
- Research Article
1
- 10.1055/a-1192-5114
- Jul 21, 2020
- Das Gesundheitswesen
The General Data Protection Regulation (GDPR) is applicable as of May 25, 2018 in all member states to harmonize data privacy laws across Europe. GDPR also impacts medical data research. Non-interventional studies (NIS) in hospital are an important part of health services research and might need to be assessed by the local data protection officer. This study investigates all NIS (in house or sponsored) initiated between April 1, 2017 and July 31, 2018 in Nuremberg Hospital and their methods dealing with the GDPR. All studies in Nuremberg Hospital have to be reported to the study center of Nuremberg Hospital. We implemented some actions to fulfill GDPR, e.g. checklist for GDPR, quality circle, and all studies were assigned to a data protection officer specialized in scientific and clinical studies. We analyzed in each study the kind of data encryption (e.g., pseudonymous vs. anonymous), the need for approval from the official ethics committee according to §15BO, and the need for approval from the hospital data protection officer. The data was analyzed using descriptive statistics. After GDPR came into effect, more NIS were started (n=77 vs. n=59), especially investigator-initiated NIS increased significantly (+84%, p<0.01). The majority of in-house studies were dealing with absolute anonymous data (before GDPR: n=28 anonymous vs. n=4 pseudonymous; after GDPR: 51 vs. 7; n.s.). 22 studies, mostly IITs (86%), needed a statement of the local data protection officer and used a patient's information. After GDPR 19% of in-house NIS showed the need for a statement of approval from the ethics committee (according to §15BO) (before GDPR 12.5%; n.s.). One year after GDPR was implemented, the average processing time of the data protection officer for an NIS was 10.5 work days. Investigator-initiated NIS are an important part of scientific research at Nuremberg Hospital. After GDPR, there was an increase in the number of self-initiated studies.
Standardized procedures and simple actions help implement GDPR in medical research without critical delays at the start of study.
- Research Article
1
- 10.1108/dprg-10-2024-0260
- Apr 16, 2025
- Digital Policy, Regulation and Governance
Purpose This article aims to examine the tension between freedom of expression and personal data protection, focusing on criminal conviction and offence data under the General Data Protection Regulation (GDPR). It analyses how legal frameworks, particularly Article 85 of the GDPR, attempt to reconcile public access to information with individual data privacy rights harmoniously. Design/methodology/approach Using a legal doctrinal approach primarily, this study examines GDPR provisions, especially Article 85, alongside relevant case law. The principle of proportionality serves as a key analytical tool to assess the necessity and justification of legal restrictions on data processing. Findings The research underscores the delicate balance between freedom of expression and data protection concerning criminal records. Article 85 plays a crucial role in establishing journalistic exemptions while ensuring data privacy. The principle of proportionality is vital in preventing disproportionate restrictions, requiring case-by-case evaluations. The study highlights the evolving nature of privacy-publicity conflicts, with the right to be forgotten serving as a safeguard against undue harm from outdated or minor convictions. Research limitations/implications This study has limitations, including its reliance on case-specific analyses, which overlook the broader impacts of the evolving digital media landscape, particularly social media and user-generated content. The focus on European legal frameworks (e.g. GDPR) restricts generalisability to non-EU jurisdictions with differing standards. Additionally, the analysis emphasises journalistic exemptions, neglecting other forms of expression – such as academic, artistic and literary – that also require balancing against personal data protection rights. Practical implications The research provides practical guidance for balancing data protection and freedom of expression, particularly under GDPR Article 85. 
It underscores the need for case-by-case assessments, ensuring proportionality and necessity when handling criminal conviction data. Policymakers and legal practitioners can use these insights to refine journalistic exemptions and prevent data misuse, especially in digital media contexts. Organisations, including media platforms, are encouraged to adopt responsible data-handling practices to safeguard privacy while enabling public interest reporting. Finally, the findings stress the importance of dynamic frameworks that adapt to evolving societal and technological contexts, supporting fair outcomes for both data protection and expression rights. Social implications This research highlights the delicate balance between individual data protection rights and freedom of expression, particularly regarding criminal conviction data. Its implications extend to societal concerns over data privacy, the potential misuse of personal information and the long-term impact on individuals, especially those with minor or outdated offences. As digital media evolves, these issues become more pressing, with the rise of social media and user-generated content complicating the legal landscape. Ensuring that privacy is upheld without stifling public access to essential information is crucial for maintaining both rights and societal transparency in an increasingly interconnected world. Originality/value This study enriches the debate on data protection and freedom of expression in crime-related data processing. By addressing journalistic exemptions and the evolving media landscape, it provides a nuanced perspective on safeguarding privacy while maintaining transparency in an era of digital accessibility.
- Research Article
20
- 10.1525/gp.2020.12910
- Jun 21, 2020
- Global Perspectives
This article uses the sociolegal perspective to address current problems surrounding data protection and the experimental use of automated decision-making systems. This article outlines and discusses the hard laws regarding national adaptations of the European General Data Protection Regulation and other regulations as well as the use of automated decision-making in the public sector in six European countries (Denmark, Sweden, Germany, Finland, France, and the Netherlands). Despite its limitations, the General Data Protection Regulation has impacted the geopolitics of the global data market by empowering citizens and data protection authorities to voice their complaints and conduct investigations regarding data breaches. We draw on the Esping-Andersen welfare state typology to advance our understanding of the different approaches of states to citizens’ data protection and data use for automated decision-making between countries in the Nordic regime and the Conservative-Corporatist regime. Our study clearly indicates a need for additional legislation regarding the use of citizens’ data for automated decision-making and regulation of automated decision-making. Our results also indicate that legislation in Finland, Sweden, and Denmark draws upon the mutual trust between public administrations and citizens and thus offers only general guarantees regarding the use of citizens’ data. In contrast, Germany, France, and the Netherlands have enacted a combination of general and sectoral regulations to protect and restrict citizens’ rights. We also identify some problematic national policy responses to the General Data Protection Regulation that empower governments and related institutions to make citizens accountable to states’ stricter obligations and tougher sanctions. The article contributes to the discussion on the current phase of the developing digital welfare state in Europe and the role of new technologies (i.e., automated decision-making) in this phase. 
We argue that states and public institutions should play a central role in strengthening the social norms associated with data privacy and protection as well as citizens’ right to social security.
- Research Article
17
- 10.2139/ssrn.3184548
- Jun 12, 2018
- SSRN Electronic Journal
Global Convergence of Data Privacy Standards and Laws: Speaking Notes for the European Commission Events on the Launch of the General Data Protection Regulation (GDPR) in Brussels & New Delhi, 25 May 2018
- Research Article
15
- 10.1093/ejcts/ezad289
- Aug 17, 2023
- European Journal of Cardio-Thoracic Surgery
The General Data Protection Regulation (GDPR), enacted in the European Union in 2018, has significantly transformed the landscape of personal data management and protection. This article provides an overview of GDPR's impact, focusing on its applicability, fundamental principles and influence on data management practices, particularly within the European Society of Thoracic Surgeons (ESTS) database. GDPR's reach extends to all entities collecting and processing personal data of European Union residents, regardless of their location. It encompasses various data types, emphasizing meticulous handling and protection of identifiable information. Special categories of data, such as health and sensitive attributes, require even more stringent protection. The regulation sets legal, fair and transparent data processing principles, emphasizing accuracy, purpose limitation and data minimization. It also stresses accountability, leading to the appointment of Data Protection Officers and significant penalties for non-compliance. The ESTS database, designed to enhance thoracic surgical research and care, collects data on European procedures. It follows GDPR principles by pseudonymizing data, ensuring secure data transmission and providing clear instructions for data submission. The database contributes to research, policymaking and practice improvement in thoracic surgery by offering a comprehensive dataset for analysis. Here, we aim to shed light on the complexities of GDPR implementation and emphasize the need for comprehensive data management strategies to ensure compliance and enhance privacy protection with the contribution to the ESTS database. GDPR compliance comes with challenges, including potential human dignity and privacy rights violations. Data breaches can result in unauthorized disclosures, and non-compliance can lead to substantial fines and reputational damage. 
The implementation of GDPR encourages organizations to prioritize ethical data practices, security measures and transparent data handling. In conclusion, GDPR has revolutionized personal data protection by emphasizing accountability, transparency and individual rights. It has impacted organizations globally, promoting responsible data management practices. Adhering to GDPR ensures privacy protection, trust-building and overall enhancement of data management in today's data-driven environment.
- Research Article
4
- 10.2139/ssrn.3357990
- Apr 24, 2019
- SSRN Electronic Journal
Healthy Data Protection
- Book Chapter
7
- 10.1007/978-3-030-83164-6_2
- Jan 1, 2021
The General Data Protection Regulation (GDPR) was widely seen as a significant step towards enhancing data protection and privacy. Unlike previous legislation, adherence to GDPR required organizations to assume greater responsibility for cybersecurity with respect to data processing. This shift represented a profound transformation in how businesses retain, use, manage, and protect data. However, despite these innovative aspects, the actual implementation of the GDPR security side poses some challenges. This paper attempts to identify positive and negative aspects of GDPR requirements and presents a new framework for analyzing them from a security point of view. Firstly, it provides an overview of the most significant scholarly perspectives on GDPR and cybersecurity. Secondly, it presents a systematic roadmap analysis and discussion of the requirements of GDPR in relation to cybersecurity. Results show that some of the GDPR security controls, such as the Data Protection Impact Assessments (DPIA), records on processing, and the appointment of a Data Protection Officer (DPO), are some of the most critical from a security viewpoint. Finally, it provides recommendations for tackling these challenges in the evolving compliance landscape.
- Research Article
7
- 10.2139/ssrn.2927540
- Mar 6, 2017
- SSRN Electronic Journal
Meeting Upcoming GDPR Requirements While Maximizing the Full Value of Data Analytics
- Research Article
2
- 10.30574/wjarr.2025.27.2.2902
- Aug 30, 2025
- World Journal of Advanced Research and Reviews
The increasing digitization of human resource (HR) functions has led to the massive collection and processing of employee data, intensifying concerns about data privacy and protection. In this context, the General Data Protection Regulation (GDPR) introduced by the European Union represents a pivotal legal framework guiding the secure handling of personal data. This paper explores the strategic partnership between HR departments and GDPR compliance mechanisms to ensure the lawful, transparent, and ethical management of employee data. It highlights how HR professionals must adapt their policies, procedures, and technologies to align with GDPR principles such as data minimization, informed consent, right to access, and the right to be forgotten. The study investigates key areas where HR and data protection responsibilities intersect, including recruitment, employee monitoring, performance evaluation, and records retention. By analyzing real-world compliance practices and data breach case studies, the paper illustrates the risks of non-compliance and the benefits of proactive data governance in HR. Moreover, the research underscores the critical role of HR in cultivating a data-conscious culture, promoting employee trust, and acting as a liaison between legal, IT, and compliance teams. The findings suggest that GDPR should not be viewed solely as a legal obligation but as an opportunity for HR to champion ethical data stewardship, enhance organizational resilience, and contribute to long-term sustainability. As data privacy expectations continue to evolve, HR-GDPR collaboration becomes not only a regulatory necessity but also a competitive advantage in attracting and retaining talent in the digital age.
- Research Article
20
- 10.2139/ssrn.2909121
- Feb 1, 2017
- SSRN Electronic Journal
Viewing the GDPR through a De-Identification Lens: A Tool for Clarification and Compliance