Adequate Level Of Data Protection Research Articles

Are iPhones Really Better for Privacy? A Comparative Study of iOS and Android Apps

Abstract While many studies have looked at privacy properties of the Android and Google Play app ecosystem, comparatively much less is known about iOS and the Apple App Store, the most widely used ecosystem in the US. At the same time, there is increasing competition around privacy between these smartphone operating system providers. In this paper, we present a study of 24k Android and iOS apps from 2020 along several dimensions relating to user privacy. We find that third-party tracking and the sharing of unique user identifiers was widespread in apps from both ecosystems, even in apps aimed at children. In the children’s category, iOS apps tended to use fewer advertising-related tracking than their Android counterparts, but could more often access children’s location. Across all studied apps, our study highlights widespread potential violations of US, EU and UK privacy law, including 1) the use of third-party tracking without user consent, 2) the lack of parental consent before sharing personally identifiable information (PII) with third-parties in children’s apps, 3) the non-data-minimising configuration of tracking libraries, 4) the sending of personal data to countries without an adequate level of data protection, and 5) the continued absence of transparency around tracking, partly due to design decisions by Apple and Google. Overall, we find that neither platform is clearly better than the other for privacy across the dimensions we studied.

A Reality Check of the Schrems Saga

From an enforcement point of view, the revocation of the European Commission’s two adequacy decisions on the federal US system of data protection raises many questions regarding the interrelations between the EU data protection regime and the Union’s legal frameworks for data ‘transfers’. Whereas data uploaded in the Union was once upon a time wired over the Atlantic to be downloaded in the US and vice versa, data packets are nowadays often exchanged over various radio spectra. As online resources around the world can be used to store data, and the data is made available and retrieved from domains rather than ‘exported’ and ‘imported’, the idea that the EU data protection regime would no longer apply when data is ‘transferred’ from the Union easily leads astray. In fact, the location of data or data processing equipment is irrelevant for the applicability of EU law as its territorial scope is determined by the location of the data subjects or undertakings concerned. Whereas the EU legislation applies with regard to legal entities overseas with affiliated undertakings in the Union, the Union seeks to guarantee the EU data subjects an adequate level of protection also in cases of onward transfers of data to non-affiliated organisations and unwarranted interceptions. Furthermore, the European Commission promotes a level of protection in non-EU Member States that is essentially equivalent to that enjoyed under the EU data protection regime since the authorities and courts may refrain from applying EU law pursuant to private international law. However, the Cases which resulted in the revocation of the two adequacy decisions concerned an Austrian citizen filing complaints against an undertaking established in Ireland and its US parent company. Hence, it must be called into question whether the EU data protection regime should at all have been substituted by the US system irrespective of whether it provided an adequate level of data protection. An argument could be made that the adequacy decisions applied beyond the substantive scope of EU law, but that brings questions to fore about the competence of the Union to adopt such decisions. In addition, the procedural system introduced in the first Case regarding Mr. Schrems is rather problematic as it requires national authorities and courts to assess the validity of adequacy decisions. Besides the distortion of the right for national courts to request preliminary rulings into an obligation to do so, most data subject are reluctant to get involved in disputes about the entire legal regime. In many instances, the data subject may rather rely on her or his procedural rights as a consumer. In this article, a systematic analysis of these aspects of the EU privacy safeguards is provided.

Conditionality in defining the future cooperation in criminal matters between the United Kingdom and the European Union

The United Kingdom ceased to be a Member State of the European Union on February 1st, 2020, and while the Withdrawal Agreement still applies and prolongs the possibility to rely on key EU instruments, the European Union and the United Kingdom are defining the modalities of their future cooperation in various areas, including in criminal matters. This article, written as the negotiations are progressing, aims to stress the strong conditionality that underpins the possible modalities of their future cooperation. It focusses particularly on the condition of an adequate level of data protection as an essential prerequisite for police cooperation, and the protection of procedural safeguards through a continuous adherence to the European Convention on Human Rights for judicial cooperation. It concludes in stressing the importance of trust in shaping future cooperation, in criminal matters and beyond.

The impact of the general data protection regulation of the european union on the legal regime of international transfers of personal data

International data transfers involve a flow of personal data from Spanish territory to recipients established in countries outside the European Economic Area. It is the European Commission that decides, with effects for the whole Union, that a third country, a territory or a specific sector of a third country, or an international organisation offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union with regard to the third country or international organisation.

Personal Data Protection in New Zealand: Lessons for South Africa?

In 1995 the European Union adopted a Directive on data protection. Article 25 of this Directive compels all EU member countries to adopt data protection legislation and to prevent the transfer of personal data to non-EU member countries (“third countries”) that do not provide an adequate level of data protection. Article 25 results in the Directive having extra-territorial effect and exerting an influence in countries outside the EU. Like South Africa, New Zealand is a “third” country in terms of the EU Directive on data protection. New Zealand recognised the need for data protection and adopted a data protection Act over 15 years ago. The focus of this article is on the data protection provisions in New Zealand law with a view to establishing whether South Africa can learn any lessons from them. In general, it can be said that although New Zealand law does not expressly recognise a right to privacy, it has a data protection regime that functions well and that goes a long way to providing adequate data protection as required by the EU Directive on data protection. Nevertheless, the EU has not made a finding to that effect as yet. The New Zealand data protection act requires a couple of amendments before New Zealand might be adjudged ‘adequate’. South Africa’s protection of the right to privacy and identity is better developed and more extensive than that of New Zealand. Privacy is recognised and protected in the law of delict and by the South African Constitution. Despite South Africa’s apparently high regard for the individual’s right to privacy and identity and our well-developed common and constitutional law of privacy, South Africa does not meet the adequacy requirement of the EU Directive, because we do not have a data protection Act. This means that South African participants in the information technology arena are at a constant disadvantage. It is argued that South Africa should follow New Zealand’s example and adopt a data protection law as soon as possible.

Reality and Illusion in EU Data Transfer Regulation PostSchrems

The judgment of the Court of Justice of the European Union inSchrems v. Data Protection Commissioner, in which the Court invalidated the EU-US Safe Harbour arrangement, is a landmark in EU data protection law. The judgment affirms the fundamental right to data protection in the context of international data transfers, defines an adequate level of data protection, and illustrates how data protection rights under EU law can apply to data processing in third countries. It also raises questions about the status of other legal bases for international data transfers under EU law, and shows that many legal disputes concerning data transfers are essentially political arguments in disguise. TheSchremsjudgment illustrates the tendency of EU data protection law to focus on legalistic mechanisms to protect data transfers rather than on protection in practice. The EU and the US have since agreed on a replacement for the Safe Harbour (the EU-US Privacy Shield), the validity of which will likely be tested in the Court of Justice. Regulation of data transfers needs to go beyond formalistic measures and legal fictions, in order to move from illusion to reality.

Reality and Illusion in EU Data Transfer Regulation Post Schrems

In Schrems v. Data Protection Commissioner, the Court of Justice of the European Union invalidated the EU-US Safe Harbour arrangement allowing personal data to be transferred to the US. The judgment affirms the fundamental right to data protection, defines an adequate level of data protection for international data transfers under EU law, and extends data protection rights to third countries, all based on the EU Charter of Fundamental Rights. The judgment is a landmark in the Court’s data protection case law, and illustrates the tension between the high level of legal protection for data transfers in EU law and the illusion of protection in practice. The judgment has undermined the logical consistency of the other legal bases for data transfer besides the Safe Harbour, and reactions to it have largely been based on formalism or data localization measures that are unlikely to provide real protection. Schrems also illustrates how many legal disagreements concerning data transfers are essentially political arguments in disguise. The EU and the US have since agreed on a replacement for the Safe Harbour (the EU-US Privacy Shield), the validity of which will likely be tested in the Court. It is crucial for data transfer regulation to go beyond formalistic measures and legal fictions, in order to move regulation of data transfers in EU law from illusion to reality.

”Cloud computing” : cláusulas contractuales y reglas corporativas vinculantes

Los artículos 25 y 26 de la Directiva 95/46/CE prevén la libre circulación de datos personales a países situados fuera del EEE sólo si el país en cuestión garantiza un nivel adecuado de protección de datos. De otro modo, el responsable del tratamiento y sus corresponsables o encargados deberán establecer garantías específicas. En el caso de la computación en nube es muy frecuente que los datos se ubiquen en países que no garantizan un nivel adecuado. Para poder efectuar estas transferencias de datos a terceros países se requieren salvaguardias específicas mediante el uso de disposiciones de puerto seguro, cláusulas contractuales tipo o normas corporativas vinculantes, según proceda. En este trabajo se analizan las diferentes herramientas que se pueden emplear para que la computación en nube se realice de acuerdo a la normativa de protección de datos.Articles 25 and 26 of Directive 95/46/EC provides the free movement of personal data to countries outside the EEA only if the country in question ensures an adequate level of data protection. Otherwise, the controller and the stewards or processors should establish specific safeguards. In the case of cloud computing is very common that the data are located in countries that do not ensure an adequate level. To make these transfers of data to third countries, specific safeguards are required using safe harbor provisions, contractual clauses or binding corporate rules. In this paper the different tools that can be used for cloud computing is carried out in compliance with the rules of data protection are studied.

Evaluation of Legal Data Protection Requirements in Cloud Services in the Context of Contractual Relations with End-Users

Purpose – to analyse the compliance with basic principles of data protection in selected consumer oriented cloud services contracts, and also to highlight the adequate level of data protection in the mentioned contracts, evaluating existing data protection directive 95/46/EC, also proposed General data protection regulation.Design/methodology/approach – various survey methods have been used in the work integrated. Documental analysis method has been used in analysis of scientific literature, legal acts and other documents, where aspects of legal data protection requirements have been included. Legal documents analysis method together with logical-analytic method has been used in analysing Directive 95/46/EU, Proposal for a regulation of the European Parliament and of the Council and jurisprudence of the European Court of Human Rights. Comparative method has been applied for revealing difference between particular cloud services contracts and also comparing the compliance of cloud services contracts to requirements of basic European data protection principles, established in the international documents.Findings – from the brief analysis of selected consumer oriented cloud service providers, it may be implied that more or less all the legal principles, established in the legal acts, are reflected in the privacy policies and/or service agreements. However, it shall be noted that there is a big difference in wording of the analysed documents. Regarding other principles, all examined cloud service providers do not have indemnification provisions regarding unlawful use of personal data.Research limitations/implications – the concept of the contract was presented in a broad sense, including the privacy policies and/or terms and conditions of the service providers. In accordance with the content of the principles, the authors grouped data protection principles, applied in cloud services into fundamental and recommendatory.Practical implications – the research results will be helpful for cloud service providers, dealing with personal data of data subjects (natural persons).Originality/value – the mentioned research of cloud provider contracts examined 4 sets of standard terms and conditions of cloud service providers targeting individual consumers. The following personal data protection principles were evaluated: transparency, purpose specification and limitation, erasure of data, confidentiality, availability, integrity, indemnification.Research type: research paper, viewpoint, case study.

Data TransfersWithin Europe: Contractual Data Protection Clauses in Practice

Abstract Other than in case of data transfers from Europe to countries without an adequate level of data protection, there is no set of standard contractual clauses - similar to the EU Model Clauses - for data transfers within countries with an adequate level data protection. In practice, this lack of such standard agreements sometimes raises questions and it (seemingly) also leaves more room to achieve compliance than in case of data transfers to countries without an adequate level of data protection. This article discusses and analyzes these questions and this “room”, with a focus on the practical implications of the use of “boilerplate” data protection clauses, i.e. generic contractual data protection clauses that are directly incorporated into commercial agreements.

Personal Data Protection in New Zealand: Lessons for South Africa?

In 1995 the European Union adopted a Directive on data protection. Article 25 of this Directive compels all EU member countries to adopt data protection legislation and to prevent the transfer of personal data to non-EU member countries (\'third countries\') that do not provide an adequate level of data protection. Article 25 results in the Directive having extra-territorial effect and exerting an influence in countries outside the EU. Like South Africa, New Zealand is a \'third\' country in terms of the EU Directive on data protection. New Zealand recognised the need for data protection and adopted a data protection Act over 15 years ago. The focus of this article is on the data protection provisions in New Zealand law with a view to establishing whether South Africa can learn any lessons from them. In general, it can be said that although New Zealand law does not expressly recognise a right to privacy, it has a data protection regime that functions well and that goes a long way to providing adequate data protection as required by the EU Directive on data protection. Nevertheless, the EU has not made a finding to that effect as yet. The New Zealand data protection act requires a couple of amendments before New Zealand might be adjudged ‘adequate'. South Africa's protection of the right to privacy and identity is better developed and more extensive than that of New Zealand. Privacy is recognised and protected in the law of delict and by the South African Constitution. Despite South Africa's apparently high regard for the individual's right to privacy and identity and our well-developed common and constitutional law of privacy, South Africa does not meet the adequacy requirement of the EU Directive, because we do not have a data protection Act. This means that South African participants in the information technology arena are at a constant disadvantage. It is argued that South Africa should follow New Zealand's example and adopt a data protection law as soon as possible. PER/PELJ Vol. 4 2008: pp. 61-109

The EU Data Protection Directive: An engine of a global regime

The article explores a unique form of legal globalization, in which one jurisdiction induces other countries to adopt similar legal mechanisms, without coercion, taking advantage of ignorance or abusing political power. The 1995 EU Directive on data protection regulates the collection, processing and transfer of personal data within the EU, with the dual goal of enabling the free flow of data while maintaining a high level of protection. It includes a mechanism which addresses the export of such data. Article 25 stipulates that member states should allow transfer of data to a third country only if the third country ensures an adequate level of data protection. Thus, countries that wish to engage in data transactions with EU member states are indirectly required to provide an adequate level of protection. The article shows that the Directive has had a far greater global impact than thus far acknowledged and that it is currently the main engine of an emerging global data protection regime. Studying the Directive and its actual impact and comparing it to other mechanisms of legal globalization, I conclude that unlike some American scholars who described the Directive as “aggressive”, it is better understood as a non-coercive mechanism of soft legal globalization.

DATA PROTECTION — THIRD COUNTRY TRANSFERS

On 15 June 15 2001, the European Commission proposed Standard Contractual Clauses (“Clauses”), to allow data transfers to third countries that do not ensure an adequate level of data protection. The Commission has summarised these Clauses in a model contract to be concluded between a data exporter and a data importer. This model contract is ready-to-sign; the contracting parties only have to add their name and address. Even an area for the company seal is reserved. The Clauses look as if they could be signed ‘blind’. The following article shows that this may lead to worrying surprises later.