Data Protection Legislation Research Articles

Compartmentalised data protection in South Africa: The right to privacy in the Protection of Personal Information Act

In European Union (‘EU’) law, the entrenched right to data protection is an independent fundamental right. EU case law has gradually disconnected the right to data protection from the right to a private life. South Africa’s first exclusive data protection legislation, the Protection of Personal Information Act 4 of 2013 (‘POPIA’), is redolent of EU data protection legislation. However, the stated purpose of the POPIA is to give effect to the right to privacy. This article examines whether the laws of data protection can be wholly encapsulated within s 14 of the Constitution. To this end, this article considers two main conceptions of privacy in our law. The first is Neethling’s informational privacy and the reasonable expectation of privacy. The second is Rautenbach’s theory of informational control over personal matters in relation to other rights. On either approach, I argue that the substantive provisions of the POPIA are irreducible to privacy protection alone. Ultimately, framing the POPIA exclusively within the domain of privacy will either (i) unduly restrict legislative interpretation; or (ii) the true meaning of privacy will be diluted, leading to legal uncertainty. To avoid this, I suggest distinguishing between the value of privacy in the POPIA and the actual loss of privacy.

ОБЛАЧНЫЕ СЕРВИСЫ ХРАНЕНИЯ ЦИФРОВЫХ ДОКУМЕНТОВ: ЗАКОНОДАТЕЛЬНАЯ БАЗА И СУЩЕСТВУЮЩИЕ РИСКИ

The article analyzes the current situation concerning the storage and management of electronic documents and the creation of the associated cloud services. The paper gives a definition of the cloud storage. It considers the legislative framework formed in the European Union regarding the use of cloud computing for digital records management and storage of digital documents; the article also names the main legal acts, standards and other normative documents adopted in Europe in recent years. It is noted that at present there is no common policy among the European countries on these issues, the decisions they make are often fragmentary. In some countries, the cloud storage legislation has not been developed yet, and consumer protection in the cloud computing market is implemented through data protection and digital rights legislation. Risks associated with the creation and storage of digital documents in cloud systems and the required level of control over the creation, organization, maintenance and access to documents stored in the cloud are described and analyzed in detail. Potential risks should be assessed both on the basis of the content or subject matter of information and documentation, and the level of their confidentiality and significance for the organization’s activities. The rights and obligations of the cloud service providers are discussed. Attention is focused on the still unresolved issues of proof of the authenticity, reliability, security, confidentiality of the documents stored in the cloud

The international data governance landscape.

As the adoption of digital health accelerates health research increasingly relies on large quantities of biomedical data. Research institutions scattered across a large number of jurisdictions collaborate in producing and analyzing biomedical big data. National data protection legislation, for its part, grows increasingly complex and localized. To respond to heterogeneous legal requirements arising in numerous jurisdictions, decentralized health consortia must develop scalable organizational and 6 technological arrangements that enable data flows across jurisdictional boundaries. In this article, proposals are made to enable health sector organisations to align established biomedical ethics process and data analysis practices to shifting data protection norms through both public law co-regulation, private law tools, and design-oriented approaches.

Immigrant Irishwomen and maternity services in New York and Boston, 1860–1911

AbstractMedical acculturation forms a crucial part of the process of migration, and equally, the influx of migrants can shape how medical structures develop in receiving societies – nowhere is that more evident than in the American metropolis. In the late nineteenth century, few ethnic groups caused such sustained bio-hazard concerns as the Irish in America. Poverty and the sheer numbers migrating in the post-Famine (1852-) era, caused the immigrant Irish body to be pathologised, or described in medical terms, to a much greater degree and for longer than their Anglo-Saxon or German counterparts. With a particular focus on Irishwomen’s use of maternity services in New York and Boston, this article aims to elucidate the potential of medical records to flesh out the understandings of how immigrants navigated healthcare. By adopting a case study approach to hospital records in tandem with other data sources, it shows what is being lost through restrictive data protection legislation. It discusses how Irishness was politicised in the contexts of immigration, the social history of medicine and medicalisation.

AN ASSESSMENT OF PRIVACY REGIME IN BANGLADESH

Privacy is one of the most valued human rights in the information age. Due to the present digital world context, privacy appears as one of the pressing problems. In a data-driven world, a vast majority of works are going online using personal data. Personal data emerge as the new fuel to the Internet, and coin to the digital world. This digital atmosphere makes life easier, faster, and smarter, while simultaneously posing tremendous challenges to privacy. Therefore, the debate encompassing privacy evolves as one of the hot-button issues in contemporary world policies, politics, and business. In response, multiple policy measures have been adopted at national, regional, and international levels. To cope with this global trend, establish a safer online ecosystem, and secure citizens’ right to privacy, Bangladesh should maintain an adequate privacy protection regime. This landscape leads the current researcher to explore and assess the privacy protection regime of Bangladesh, as there is a lack of research in this area. There is a clear gap in the existing literature that requires to be filled in, and this research aimed to fill that gap using doctrinal legal research. The findings revealed that privacy was not adequately protected in Bangladesh due to, mainly, the lack of omnibus data privacy legislation. This article concluded by offering some workable suggestions, and especially, urged for enacting comprehensive data protection legislation in Bangladesh. Presumably, this research will enlighten all stakeholders regarding an overall picture of the privacy protection regime of Bangladesh. Moreover, this study will facilitate relevant stakeholders to map their future strategies and policy directions towards establishing an effective privacy protection regime in Bangladesh.

ГОСУДАРСТВЕННАЯ ГРАЖДАНСКАЯ СЛУЖБА В РОССИИ: ПРАВИЛА, ТРАДИЦИИ, ДОКУМЕНТЫ, ТЕХНОЛОГИИ

The article studiers reasons for the emergence and the main stages in the formation of the document system connected with the public service career development in the Russian Empire. The main imperial principles of the “service” to the state are considered. Over the last thirty years, there has been a tendency towards the revival of the public service in Russia. The article also focuses on the fundamentals of implementing the principle of accessibility and openness of information about the public service through the Internet free access to the state information resources. The present paper characterizes those resources, describes their purpose and the procedure of using them in compliance with the norms of the personal data protection legislation and with other local regulations governing the accumulation, analysis, reporting, systematization and also the provision of information concerning the civil servants. It is also worth noting that in all the time periods considered in the article, the principle of transparency of the processes and results of the civil servants’ activity remained fundamental. Summing up the results of the study of the principles, rules and technologies for the documenting of the civil service stages, one can emphasize a special, perhaps at first glance implicit, but a timehonored tradition of observing a civic duty and responsibility of the public service representatives towards themselves, towards the people and the state.

Effective Data Protection in Nigeria: Challenges

The importance of protecting data and privacy cannot be overemphasized in this day of technological and digital breakthroughs. Nigeria, a developing nation, is prone to suffering from the shortcomings of conventional methods of data protection as well as from the cost of insufficient legislation to secure the data or the privacy of the data users. This has brought up a number of issues, including the applicability and responsiveness of current laws and how it tends to handle or manage violations. It is imperative to address these issues and challenges faced by data and privacy protection in Nigeria, given the complexity of the emerging data technology and the privacy challenges posed by the use and retention of data. The paper identified the lack of a comprehensive data protection legislation as well as their non-enforcement as the main barrier to effective data protection in the country. In order to solve some of the issues affecting effective data privacy in Nigeria, this paper proffers cogent and practical recommendations.

The Development of Catholic Data Protection Legislation Since the KDG Came into Effect

The Development of Catholic Data Protection Legislation Since the KDG Came into Effect

Personal Data Protection in Ukraine: Realities and Prospects for Implementing the European Experience

The purpose of the article is to study the theoretical and methodological foundations of the process of adaptation of Ukrainian legislation to EU norms and standards through the development of specific proposals for modernization of the theoretical and applied model of the personal data protection mechanism in Ukraine, through the creation of a system of specialized state bodies, and also in the formulation of reasonable proposals and methods for addressing the issues raised. The main elements and effectiveness of the process of adaptation of Ukrainian legislation to EU norms and standards are studied based on the concept of contextual integrity and comparative analysis of EU legislation in the field of personal data protection. Sociological research was also conducted by surveying Ukrainian citizens on the effectiveness of personal data protection legislation. In the course of the research, it was concluded that the future update of the UkrDPR should take into account: modern regulatory requirements necessary to ensure an appropriate level of mass processing of personal data (especially in the field of social networks); a rapidly changing data processing environment at the International and European levels; a higher level of personal data protection of children and minors is needed; updating industry standards for personal data protection as an important condition for the development of Ukrainian society. Based on the empirical research, the author proves that when processing personal data, it is necessary to adhere to the following data processing principles: legality, good faith and transparency; limitation of purpose; minimization of personal data; accuracy of personal data; limitation of storage periods; integrity and confidentiality; personal data may be processed only on the grounds provided for by law.

The administrative capacity to manage the effects of the COVID-19 pandemic in schools: legality of personal data processing concerning the staff vaccination status in order to resume courses with physical presence or online*

The administrative capacity of public authorities and bodies, as well as of the institutions under their subordination/in their coordination, includes, not only all material, institutional and human resources, but also the actions they carry out for the exercise of the competencies established by law. In the context of the COVID-19 pandemic, the Minister of Education together with the Minister of Health issued Joint Order no. 5558/2389/2021 which provided that, starting with 8 November 2021, the resumption of courses with physical presence is to take place in all pre-university education units in which a minimum percentage of 60% of the staff is vaccinated, otherwise the resumption of courses will be done online, and the Boards of Directors of the pre-university education units issue the decision on how to resume the courses. Therefore, this study will analyse, in the light of data protection legislation, if, in view of the competencies established by law, the pre-university education units had the necessary administrative capacity to issue an informed decision on how to resume the courses. The main conclusion after analysing the legal framework is that the legitimate basis for personal data processing concerning the staff vaccination status can only be point (c) of Article 6 (1) and point (g) of Article 9 (2) of Regulation (EU) 2016/679, but the Joint Order no. 5558/2389/2021 does not fall into either of these two legal basis for the processing, with the consequence that the Boards of Directors were in fact deprived of the necessary administrative capacity to issue the decision on how to resume the courses.

‘The Right to Be Forgotten’ and the Sui Generis Controller in the Context of CJEU Jurisprudence and the GDPR

The Google Spain judgment established a search engine as a sui generis controller and the related ‘right to be forgotten’ (right to delisting) under data protection legislation, despite the controversies surrounding it primarily on account of the logic of the search engine operator’s functioning and its consequent inability to comply with certain basic data protection requirements. Resulting interpretations, ie the contouring of data protection legislation under CJEU case law (the Google Spain and the GC and Others judgment), are examined in this paper in detail in relation to the currently applicable GDPR provisions, which allows conclusions to be drawn on the substance of the (sui generis) delisting right, the legal standing of data subjects, the assessment of delisting requests, and the related role and responsibilities of search engine operators. While neither removal from the source web page is required nor can delisting be denied exclusively on the basis of the publisher’s right to freedom of information and expression, analysis shows several manifestations of inherent interweavement with concerns of freedom of information and expression, which at the same time intrinsically oppose data protection and privacy rights. The issue is further challenged by a lack of harmonisation in the area of reconciling privacy and data protection rights with the freedom of expression and information. The last section of the paper discusses the rationale behind the recently established duty of adjusting, ie rearranging, search results in certain cases where delisting requests were denied, the implications for the operators, and the future outlook. Keywords: right to be forgotten, GDPR, GC and Others v CNIL, sensitive data, legitimate interest, substantial public interest, freedom of information, adjusting search results.   This work is licensed under the Creative Commons Attribution − Non-Commercial − No Derivatives 4.0 International License.   Suggested citation: N Gumzej, ‘“The Right to Be Forgotten” and the Sui Generis Controller in the Context of CJEU Jurisprudence and the GDPR’ (2021) 17 CYELP 127.

Privacy and Data Protection: Indonesian Legal Framework

Due to technological advancement, the utilization of internet and mobile connections in Indonesia to perceive rapid growth in recent years. A major development in particular lies within the field of e-commerce, marketplace, and digital portal applications. Extensive advancement within the abovementioned fields led to the involvement of the Indonesian government and private companies in which collecting and processing Indonesian citizens’ personal data took place. Multitude issues relating to data protection regimes arose due to such acts as Indonesian data protection legislations are considered inadequate for their overlapping and vague aspects. These issues obtained numbers of apprehension from the Indonesian government as well as experts within this field with regard to the urgency of having a sufficient data protection law. Plenty of countries have competent data protection laws that have implemented the required elements, for instance, the European Union and Singapore. Accordingly, data protection laws from those countries will play an important role in providing a perfect example for the drafting of an advanced Indonesian data protection law that is uniform and encompassed all required aspects of data protection regimes without neglecting profound deliberation relating to the pitfalls.

The practice of imposing administrative fines by the State Data Protection Inspectorate in the context of other EU Member States

The implementation of the EU General Data Protection Regulation (hereinafter referred to as the Regulation), which, among other things, aims to eliminate disparities between national systems and to alleviate unnecessary administrative burdens, began on 25 May 2018. Each Member State is to ensure that there is one or more independent public authorities (hereinafter referred to as the supervisory authority) responsible for monitoring the implementation of the Regulation. In Lithuania, personal data protection is supervised by two authorities, namely by the State Data Protection Inspectorate (hereinafter referred to as the SDPI) and by the Office of the Inspector of Journalist Ethics. The powers conferred on the supervisory authorities by the Regulation are greater and broader in scope than those granted under previous data protection legislation. Organizations which process personal data must ensure compliance with the requirements laid down in the Regulation. A supervisory authority that violates the provisions of the Regulation may be faced with heavy administrative fines and other sanctions. This article analyzes the practice of imposing administrative fines in the EU and in Lithuania as compared to other EU Member States. The author of the article believes that evaluating the practice of imposing administrative fines by the SDPI within the general context of the EU shall enable one to search for the reasons behind the current situation, as well as to improve the processes the SDPI employs to perform functions associated with data protection supervision. The article uses generalization and comparative analysis of scientific literature, legal documents and statistical data.

Legislative discourse of digital governance: a corpus-driven comparative study of laws in the European Union and China

Abstract Based on the self-compiled corpora of the European Union and Chinese laws on data governance, this study adopts a corpus-driven approach to comparatively study the legislative design of the EU and China on digital governance, especially on key issues such as data protection, data processing and utilization, and cross-border data transfer. It is found through corpus analysis that the EU has developed a relatively comprehensive data protection system, which internally focuses on the protection of individual data rights and externally sets high standards on the cross-border transfer of data. Despite the data protection paradigm as it manifests, the EU is facing new challenges on data exportation, data jurisdiction in the competitive digital marketplace. Shared the same concern on the data protection legislation, Chinese data law has made significant progress in personal data protection with the nascent enactment of Data Security Law and Personal Data Protection Law. Notably, Chinese legislation features the hierarchal taxonomy of data under the principle of the national security exception, while it requires more legislative skills, flexible response mechanisms, and more subordinate laws to prevent future data security threats. Moreover, the corpus-driven method conducted in this study provides evidential insights for the comparative legal textual studies across jurisdictions.

Nigeria’s data protection legal and institutional model: an overview

In the past two decades, the unprecedented incursion of technology into the economic and socio-cultural activities in Nigeria increasingly posed many unanswered questions on data protection and privacy. Consequently, this led to the country’s numerous attempts to enact a principal data protection legislation in addition to the existing sectoral laws on the subject. Despite its ratification of the Economic Community of West African States (ECOWAS) Supplementary Act on data protection in 2010, Nigeria carried on without a general data protection legislation until nine years later when the National Information Technology Development Agency (NITDA), in a face-saving regulatory move, issued the Nigeria Data Protection Regulation (NDPR) as Nigeria’s first all-encompassing and comprehensive, albeit subsidiary legislation on data protection. This article provides an analytical synopsis of Nigeria’s current legal framework on data protection touching its brief history, the general and sectoral enactments on data protection, the enforcement mechanism created under the NDPR as well as the Implementation Framework issued in the mould of guidance notes.

Success indicators for an efficient utilization of cloud computing in healthcare organizations: Saudi healthcare as case study

The population in Saudi Arabia is expected to reach 40 million by 2025. Consequently, healthcare information will become critical to manage. Despite the fact that adopting cloud computing in the Saudi healthcare organizations can facilitate cost reduction, capacity building, institutional interoperability, and get access to data analytics, the adoption rate is very low. Hence, a new model is proposed to adopt cloud computing in the Saudi healthcare organization. The novelty of this work comes from using a quantitative method to test users’ attitudes, data security, data control, data privacy, compliance, and reliability influence on the cloud computing adoption intention in the context of Saudi Arabian healthcare organizations. Partial Least Squares (PLS) method based Structural Equation Modeling (SEM) was used for model development. About 160 respondents from the relevant health organizations participated. The result shows that the attitude towards using technology, data security, compliance, and reliability of the cloud computing services are important determining factors in the adoption of cloud computing in Saudi healthcare organizations. However, the distinction in the findings regarding Data privacy and Data control in the Saudi healthcare organizational context is a clear manifestation of the fact that there is a need for policy formation for data privacy, data control, and data protection legislation in Saudi Arabia. Therefore, raising awareness regarding the practice of data privacy and data control policies among IT managers is essential. Future study should use a more holistic and industry-specific framework such as the technology-organization-environment (TOE) framework to find new influencing factors from the domains of technological context, the organizational context, and the environmental context.

Protection of Consumer’s Personal Data and the Electronic Geodiscrimination Practice

The purpose of this study is to analyse the General Data Protection Law for the Protection of Personal Data from the perspective of the protection of the consumer's personal data, with a view to ascertaining the main aspects of the legislation and verifying its impacts in relation to geopricing practices and geoblocking. To that effect, it begins by addressing the principles of the new legislation that inform the activity of processing personal data. Right after, the main axes of structuring the law are presented, focusing on aspects that concern the processing of consumer data. Finally, the practices of geodiscrimination will be examined, with the effect of assessing the legal treatment in relation to such techniques and how they may be affected after the entry into force of the General Data Protection Law. For that, the hypothetico-deductive methodology and the bibliographic research technique were adopted. Thus, it is observed that new data protection legislation added to the protection of consumers' rights in relation to the practices of geopricing and geoblocking, insofar as the standard was designed to prevent the disinformation of the personal data holder on the purpose of the treatment of your information and the illegitimate treatment of personal data, as well as covering the possibility of redressing the consumer who holds personal data if he experiences damage.

Exploring the prevalence and profile of epilepsy across Europe using a standard retrospective chart review: Challenges and opportunities.

This study aimed to determine the prevalence of epilepsy in four European countries (Austria, Denmark, Ireland, and Romania) employing a standard methodology. The study was conducted under the auspices of ESBACE (European Study on the Burden and Care of Epilepsy). All hospitals and general practitioners serving a region of at least 50000 persons in each country were asked to identify patients living in the region who had a diagnosis of epilepsy or experienced a single unprovoked seizure. Medical records were accessed, where available, to complete a standardized case report form. Data were sought on seizure frequency, seizure type, investigations, etiology, comorbidities, and use of antiseizure medication. Cases were validated in each country, and the degree of certainty was graded as definite, probable, or suspect cases. From a total population of 237757 in the four countries, 1988 (.8%) patients were identified as potential cases of epilepsy. Due to legal and ethical issues in the individual countries, medical records were available for only 1208 patients, and among these, 113 had insufficient clinical information. The remaining 1095 cases were classified as either definite (n=706, 64.5%), probable (n=191, 17.4%), suspect (n=153, 14.0%), or not epilepsy (n=45, 4.1%). Although a precise prevalence estimate could not be generated from these data, the study found a high validity of epilepsy classification among evaluated cases (95.9%). More generally, this study highlights the significant challenges facing epidemiological research methodologies that are reliant on patient consent and retrospective chart review, largely due to the introduction of data protection legislation during the study period. Documentation of the epilepsy diagnosis was, in some cases, relatively low, indicating a need for improved guidelines for assessment, follow-up, and documentation. This study highlights the need to address the concerns and requirements of recruitment sites to engage in epidemiological research.

BlockHealth: Blockchain-based secure and peer-to-peer health information sharing with data protection and right to be forgotten

To identify health risks in working environments, it is crucial for companies to share personal health data demonstrating to clients and suppliers their employees are healthy, while being compliant with data protection legislation. Based on these considerations, our Blockchain-based BlockHealth solution allows personal health data sharing with tamper proofing and data protection. Traditionally, the Blockchain guarantees data immutability but not confidentiality. On the contrary, BlockHealth stores in the Blockchain only hash values of data. Health data is stored in private databases managed by companies, thus also allowing to delete data in compliance with the right to be forgotten.

Understanding the Role of Consent in Data Protection Regime: How Indonesia Can Learn From the GDPR

The issue of consent has received considerable critical attention in the data protection regime. The recent development of the data-driven economy, which heavily rely on data processing, have heightened the need for data protection. Furthermore, previous research has established that data processing deals with the individual’s fundamental rights where the processing would be considered as unlawful without prior individual’s consent. However, the Indonesian Government seems to not address these issues of consent in the data processing seriously, since currently there is no general data protection law. Conversely, the European Union’s (‘EU’) legislative history shows the reliance on consent as a measure for legitimising data processing. The General Data Protection Regulation (‘GDPR’) provides the most comprehensive requirements of consent as a lawful ground of data processing. Interestingly, the concept of consent is a dominant feature in Indonesia’s proposed Personal Data Protection Law (‘PDPL’) which first introduced in 2015. The present research aimed to evaluate the effectiveness of conditions of consent in the proposed PDPL, using the GDPR as the benchmark of the comparative analysis. The analysis revealed that the proposed PDPL fails to address the conditions of consent as comprehensive as the GDPR. It is argued that the substance of the proposed PDPL content was more or less a copy-paste of the concept and provisions from the GDPR without knowing the objective of such concept and provisions. This research provided a valuable opportunity to demonstrate that it is essential to include a comprehensive condition of consent within Indonesian data protection legislation.