EU Data Protection Framework Research Articles

Protecting Their Own: Fundamental Rights Implications for EU Data Sovereignty in the Cloud

The recent PRISM scandal has illustrated the privacy risks that EU citizens take when their personal information is stored or processed in the cloud. Although EU data protection laws are designed to restrict the private actors handling that data from processing it in a way and for purposes that are unlawful, those laws have no effect on public bodies, including law enforcement and security agencies in third countries whose access to that data may be authorized by the laws of their own countries. This is the case even if such access would violate the individual’s fundamental human rights had it occurred within the EU. This article examines the means by which the existing EU data protection framework restricts the transfer of personal data from the EU to third countries particularly in a cloud context. It analyses whether the European Commission’s proposal for a new Data Protection Regulation in its current form is likely to increase or reduce the protection provided to EU citizens in this regard, and it looks at the potential threat that the laws of third countries may pose to EU citizens’ right to privacy with respect to data uploaded to the cloud. The article assesses, in particular, the laws authorising the US government’s access to personal data held or processed by US cloud providers, focusing specifically on the US Foreign Intelligence Surveillance Act of 1978 (FISA) . It also highlights the lack of equivalent protections currently granted to EU citizens by the US constitution. The article argues that in the light of the clear and present danger that provisions like §1881a of FISA represent to EU citizens’ right to privacy, the EU institutions - as part of their own obligation under the Charter of Fundamental Rights and, in the future, the European Convention on Human Rights must take the appropriate steps to protect their citizens from this kind of interference.

Round and Round the Garden? Big Data, Small Government and the Balance of Power in the Information Age

We live in an age of information, where from government departments to small high street businesses, personal data has evolved into a currency that is tradeable for goods, services, information and social contacts. This has made it vulnerable to political and economic pressures where an individual may be tempted or even forced to disclose or share their data with others in to be able to participate in commercial, social or political life. This may result in a situation where existing power imbalances within society could be further exacerbated through an increasing asymmetry between those with access to information about others and those whose information is being accessed. The EU data protection framework is designed to ensure that individuals (data subjects) retain overall control of their data in order to protect their right to information privacy, which is acknowledged as a human right in the EU. However, the advent of the internet and the worldwide web has put increasing pressure on the rules comprising that framework. This article looks at the evolving concept of personal data within EU data protection law and the way in which it continues to link protection to the identifiability of the data subject. It also explores the prevailing understanding of privacy harms as material, quantifiable and individualized damage to data subjects’ interests. It highlights a number of invisible harms that have not yet been adequately addressed by the existing or the proposed new framework and argues that those harms as well as a wider concept of personal data need to be considered in the future to prevent a division of our societies into privacy haves and have-nots. This articles concludes that, after all, the question is not whether changes to the existing EU data protection regime will be sufficient to tackle the new privacy issues raised by the online environment, but whether we must replace familiar concepts like identifiable personal data and easily quantifiable harms with new ways of thinking about privacy and data protection, if we want to prevent the growing information asymmetry, and the invisible harms resulting from it, that is capable of causing long-term harm to our societies.

Perceptions of controllers on EU data protection reform: A Finnish perspective

Data protection regulations are undergoing a global reform. The European Commission proposed a reform of the EU data protection framework in 2012. One major driver for the reform has been the research on the consumer perceptions indicating that the consumers are worried about their personal privacy. However, there has been practically no research on perceptions of companies (the controllers of the personal data) and on the data protection reform. This research analyses the awareness and the willingness to act towards compliance regarding the proposed General Data Protection Regulation (GDPR) in Finland in 2013. The GDPR will replace the Finnish Personal Data Act and therefore plays a central role in the Finnish privacy regulation. This research found that the general level of awareness was low: only 43% of the controllers were aware of the forthcoming reform. The willingness to act or to take steps towards the compliance was even lower: 31% of controllers said that they are planning to act towards compliance during this year. These results indicate that the companies are quite unfamiliar with the reform that correlates with other relevant studies in Europe. Personal data are said to be the oil of the digital economy, the hottest commodity of the market today. There are companies that understand this, but the majority seems to ignore this at least what comes to their awareness regarding the reform, even the reform captures many of the best practices regarding processing of personal data.

One Step Forward, Two Steps Back? Critical Observations on the Proposed Reform of the EU Data Protection Framework

Recent changes in market dynamics of electronic and mobile commerce mean that users of online services are no longer “passive agents of consumption”. Instead online business models increasingly provide a platform for user interaction while simultaneously relying on the contributions made by those users for the population of those spaces. Like many other online services that form part of the Web 2.0 economy, SNS, in the main, are offered free at the point of access. Instead of charging their users a monetary fee, most SNS providers generate revenue through payments they receive from third parties in exchange for the right directly to display advertising to their users or in exchange for providing aggregated data on those users’ behaviour, likes and dislikes. This means that users now “pay’” for online services with the personal information they disclose. Despite repeated announcements by members of the SNS industry that they are committed to the protection of their users’ online privacy, it can therefore not be denied that, in practice, a high level of privacy protection is likely to be in stark conflict with SNS providers’ business objectives and that, in reality, most SNS providers are entirely dependent for their market position on promoting an environment that encourages “openness” and widespread information-sharing by their users through the use of default privacy settings and the subtle encouragement of maximum disclosure in the form of financial and non-financial incentives (for example, additional “free” functionality). This article will examine the implications of these technical, economical and social developments of internet users’ rights to privacy under the current EU data protection framework and whether the changes to that framework proposed by the European Commission in 2012 are likely to address the policy issues identified.

The proposed Regulation and the construction of a principles-driven system for individual data protection

The overhaul of the EU data protection regime is a welcome development for various reasons: the 1995 Directive is largely outdated and cumbersome within an Internet (indeed, Web 2.0) environment. The 2008 Framework Decision is a practically unenforceable instrument, and even harmful in its weakness in protecting personal data. The Commission's proposed Regulation and Directive intended to replace it to improve the data protection afforded to individuals in their respective fields of application across the EU today. This paper considers some of the principles, some new, some old, that underpin the proposed new data protection framework, which was released on 25 January 2012. We offer an analysis of the key principles of lawfulness of the processing, access to justice, transparency and accountability – principles intended to be all-encompassing, abstract and omnipresent. Some of the above principles may appear to be new, but such is not necessarily the case. For instance, the principle of lawfulness is central in the current 1995 Directive, but it reappears in an amended form in the proposed EU data protection framework. On the other hand, the principle of accountability is an addition to the list that will need to prove its value in practice. Regardless of the outcome of the EU data protection framework amendment process and the ultimate wording of the instruments that compose it, the application and visibility of these principles ought to remain unaffected.

Privacy law implications of the use of drones for security and justice purposes

With the advent of new technologies, new means of surveillance and data collection have appeared on the radar. Drones are among the latest to be considered for domestic security purposes, both in the EU and the USA. After surveying some examples of the non-warfare use of drone for security and criminal justice purposes, this article analyses applicable privacy and data protection legislation and constitutional guarantees, on both sides of the Atlantic. This study extends to the application to drone-generated data of, inter alia, the Fourth Amendment to the US Constitution, Council of Europe instruments, and the EU Data Protection Framework, highlighting challenges to civil liberties and tensions between these and national security and justice concerns. Finally, this article looks briefly at proposals for legislative reform regarding drones at the US State and Federal levels and prospects for future legislation.

Confused? Analysing the Scope of Freedom of Speech Protection vis-à-vis European Data Protection

This paper analyses the qualified derogations under the EU Data Protection (DP) framework made available for activities which are solely journalistic, literary or artistic (Directive 95/46/EC, Article 9). It is found that, notwithstanding the apparent breath of the European Court of Justice’s 2008 Satamedia judgment, the scope of this provision remains highly opaque and confused. This has led courts and regulators alike to find this ‘special purposes’ Article inapplicable when large databases of information are disseminated, when data is communicated to essentially privatized individuals, even if indeterminate in number, and when the processing includes a purpose other than journalism, literature and art. Since Member States have almost exclusively relied on this provision to reconcile Data Protection (DP) and free speech, a wide variety of expressive activity, including rating websites, mapping services, search engines, academic research, socio-political speech and social networking, are subject to onerous standards in the general data protection (DP) scheme. The ‘special purposes’ provision in the proposed European Data Protection Regulation (COM (2012) 11 Final) must be revised so as to clearly and explicitly protect all activities orientated to disseminating information, opinions or ideas for the benefit of the public collectively. In addition, Member States should deploy more limited derogations available in the interests of the ‘rights and freedoms of others’ to protect activities which merely, but importantly, facilitate public expression (for example, search engines) or which promote individual self-expression (for example, social networking). Nevertheless, to properly balance the competing values in this area, it is essential that such an expansion be coupled with measures specifying in a more unambiguous fashion the requirement that all derogations be truly proportionate in relation to the various rights and interests involved.

The intricacies of independence

In the European Union, compliance with data protection requirements is overseen by public authorities (ie data protection authorities or DPAs), who ‘shall act with complete independence in exercising the functions entrusted to them’. Given the growing number of countries around the world that have adopted data protection legislation based on the EU model, the requirement of having an independent data protection authority has spread to other regions as well. This requirement has recently been reinforced by the judgment of the European Court of Justice (ECJ) in the case Commission v Germany, where the Court found that the DPAs of the German federal states (Lander) were structured so as to be subject to governmental oversight, and that Germany had thus failed to properly implement Article 28(1) of the EU Data Protection Directive. These developments lead to reflection on the concept of ‘independence’. As the ECJ found, the basis for requiring independence is that it helps ensure the effectiveness and reliability of supervision by allowing the authorities to carry out their tasks free from external influence. The experience in Europe shows the need for such regulatory independence, given that governments sometimes have sought to influence the work of the data protection authorities (one such example is the resignation en masse of the entire Greek Data Protection Commission in 2007 for alleged political interference). However, the issue of independence is more complex than it may seem at first glance. While independence is indeed an indispensable requirement for the work of DPAs, complete and total independence is never possible, or even desirable, on the part of any public authority. Principles of accountability and transparency require that a supervisory authority be answerable for its actions (eg through the possibility of judicial review), and that it be subject to controls in order to ensure its integrity. There are also different types of independence. The ECJ decision concentrates on legal independence, that is how the DPAs are set up and structured so as to be free of undue governmental influence. However, just as important is independence in terms of financial and personnel resources. Indeed, many European data protection commissioners complain that they have insufficient resources to do their jobs properly (a view supported by a recent study of the European Agency for Fundamental Rights). Indeed, one European DPA even had to shut down its operations for several months toward the end of 2010 because it had completely run out of funds. Some European governments have used structural independence as a ‘poisoned chalice’, freeing their DPAs from being part of government ministries but also making it clear that from that point the DPA is required to provide for its own budget. It is therefore welcome that the European Commission has taken a broad view of the concept of independence of the DPAs in its current review of the EU data protection framework. Independence may also be viewed differently in different legal cultures. For instance, one non-EU DPA has stated privately that in its country, being part of a government ministry gives it more ‘clout’ and results in it being taken more seriously than if it were set up as a free-standing, independent regulatory authority. It may therefore be necessary to consider the complete legal and political structure of a country before determining whether its data protection regulator is independent.