European Data Protection Law Research Articles

Pragmatism over sovereignty? The Italian policy response to the infrastructuralization of non-EU cloud service providers

ABSTRACT The digital transformation of the public sector is a crucial objective for the European Commission and member states. Concerns arise due to US and Chinese tech giants’ dominance in cloud computing, impacting sovereignty, privacy, and security. Some European member states established restrictions on non-EU Cloud Service Providers (CSPs) to ensure compliance with European data protection laws. Investigating how states respond to growingly infrastructuralized non-EU public CSPs is crucial. This paper scrutinizes the Italian Cloud Strategy in the context of the public sector’s migration to the cloud. Critical and interpretive policy analysis tools are employed to examine the Strategy’s underlying problematizations and prevailing discourses. The paper argues that while the Italian Strategy recognizes the trade-off between pragmatism and sovereignty, it lacks comprehensive solutions. The unquestioned dominance of non-EU public CSPs, symbolic proposals, and limitations in data classification call for further considerations to strike a balance between pragmatism and safeguarding digital sovereignty.

CTI Sharing Practices and MISP Adoption in Finland’s Critical Infrastructure Protection

Cyber Threat Intelligence (CTI) sharing is crucial for safeguarding organisations and securing national critical infrastructure. This study delves into the CTI-sharing practices of large, safety-critical Finnish organisations, with a specific interest in the deployment and potential of the Malware Information Sharing Platform (MISP). We gathered insights through qualitative interviews with cybersecurity experts from key sectors: energy, healthcare, and transportation. Our findings reveal that a significant proportion of regional CTI data is still shared through manual methods such as email and chat. While these systems are generally viewed positively, they are also understood to be prone to delays and inaccuracies. The interest in utilising MISP is rising in Finland, yet its implementation is still in the nascent stages. Organisations are looking towards the National Cyber Security Center to lead the establishment of a national MISP instance. The benefits of adopting a national MISP framework could be further amplified by organisations joining Europewide industry-specific MISP instances or leveraging MISP to share threat intelligence with their supply chain partners. However, challenges remain, particularly in balancing threat data sharing with European data protection laws, motivating community contributions, and standardising CTI-sharing tools and practices within a country.

Implementation and Execution of Big Data-based Studies in Ophthalmology within the Framework of the GDPR.

The processing of the retrospective data pool for ophthalmology holds huge potential, especially for the research sector. "Big Data" enables medical science to draw conclusions for the future from historical data. Based on the evaluation of such data, algorithms could be trained, for instance, that are capable of making decisions with the help of artificial intelligence. As a result, the medical decision-making process on certain issues could be accelerated, enriched in qualitative and quantitative terms, or even completely be taken over. Ophthalmology is a rapidly evolving field. Due to the multitude of partly automated medical imaging technologies and the predestined accessibility of the eye for such technologies, ophthalmology, similarly to radiology or dermatology, is well suited for artificial intelligence-assisted image data analysis and the frequently associated initiation of diagnosis and therapy. Meanwhile, numerous studies exist based on AI-assisted image data analysis of ophthalmological image data. To the extent that the algorithms filter out results from the data pools by means of calculation rules and are even capable of making independent decisions on the basis of decision trees, the enormous benefit and, simultaneously, the profit for scientific research is quite obvious. Accordingly, it would be desirable to have unrestricted and comprehensive possibility of corresponding data processing of these health data for ophthalmological research. In spite of the potential for ophthalmology, for which there is only fragmentary evidence, the question of practical feasibility arises. In particular, the legal requirements and limits of European and national data protection law must be taken into account, prior to any unreflected processing of personal (health) data. Only by doing so can we circumvent existing obstacles and pitfalls, which can lead to severe fines. Most important are to date the requirements of two legal texts: The General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). This article provides an overview of the relevant legal requirements applicable in the field of ophthalmology and highlights the major pitfalls and implementation requirements.

Leveraging Privacy Torts: A Case for Statutory Damages under European Data Protection Law

Leveraging Privacy Torts: A Case for Statutory Damages under European Data Protection Law

Strategic Indeterminacy and Online Privacy Policies: (Un)informed Consent and the General Data Protection Regulation

AbstractArticle 12 of the General Data Protection Regulation (GDPR) requires data controllers to provide data subjects with any information relating to data processing operations “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” Linguistic inclusivity of privacy policies is no longer a matter of style, but has been a binding legal requirement under the new data protection framework. Article 5 GDPR sets forth the requirements of lawfulness, fairness and transparency and prohibits any data processing operations which do not meet the standards of specification, explicitness and legitimacy of processing purposes [29]. In this study, a quantitative and qualitative analysis of linguistic indeterminacy in a corpus of 350 online privacy policies is presented and it is argued that a considerable number of data controllers continue to make use of strategic vagueness in the context of purpose limitation, therefore potentially prejudicing compliance with the GDPR. A legal-linguistic perspective on the current challenges of informed consent in European data protection law is provided. Finally, it is concluded that while the GDPR has contributed significantly to the linguistic empowerment of the data subject, the framework fails to satisfy the expectation of creating a participatory culture (see [36]) with a high degree of informational self-determination.

Workers’ right to the subject: The social relations of data production

The use of data to profile and make decisions about data subjects for citizenship, targeted advertising, job recruitment and other reasons, has been eminently normalised, which is an emerging threat to protected spaces for personal subjectivation and identity formation. The ‘right to the subject’; or to agency via personal subject formation outside bilateral profiling; is at stake. This is especially true for workers. Algorithmic management infused with worker control mechanisms occurs in structurally and objectively unequal conditions within subjective, and unequal, social relations. Data harms protections in European privacy and data protection law, despite being heralded as the strongest in the world, are insufficient to protect workers’ right to the subject. Indeed, structural features of inequality within the capitalist data political economy mean that workers experience different power relations to consumers and citizens. Analysing the social relations surrounding policy features of ‘consent’, and ‘risk’, with focus on the General Data Protection Regulation (GDPR) and the negotiations for the AI Act, it is not difficult to see that these policies do not protect all data subjects’ rights to the subject identically. Indeed, workers never have the capacity to truly consent at work; and the risks workers face are different from that of other data subjects, such as consumers. Data subjects do not, across categories, have equal access to equality, within, and because of, the social relations of data production. From a cross-disciplinary perspective and with contributions to sociology, critical theory, media and policy studies, this article argues that workers’ right to the subject is at stake, in datafied social relations.

Preserving Consumer Autonomy through European Union Regulation of Artificial Intelligence: A Long-Term Approach

AbstractPersonal autonomy is at the core of liberal societies, and its preservation has been a focus of European Union (EU) consumer and data protection law. Professionals increasingly use artificial intelligence in consumer markets to shape user preferences and influence their behaviours. This paper focuses on the long-term impact of artificial intelligence on consumer autonomy by studying three specific commercial practices: (1) dark patterns in user interfaces; (2) behavioural advertising; and (3) personalisation through recommender systems. It explores whether and to what extent EU regulation addresses the risks to consumer autonomy of using artificial intelligence in markets in the long term. It finds that new EU regulation does bring novelties to protect consumer autonomy in this context but fails to sufficiently consider the long-term consequences of autonomy capture by professionals. Finally, the paper makes several proposals to integrate the long-term risks affecting consumer autonomy in EU consumer and data protection regulation. It does so through an interdisciplinary approach, drawing from legal research and findings in the study of long-term thinking, philosophy and ethics and computer science.

A Reference System Architecture with Data Sovereignty for Human-Centric Data Ecosystems

Since the European information economy faces insufficient access to and joint utilization of data, data ecosystems increasingly emerge as economical solutions in B2B environments. Contrarily, in B2C ambits, concepts for sharing and monetizing personal data have not yet prevailed, impeding growth and innovation. Their major pitfall is European data protection law that merely ascribes human data subjects a need for data privacy while widely neglecting their economic participatory claims to data. The study reports on a design science research (DSR) approach addressing this gap and proposes an abstract reference system architecture for an ecosystem centered on humans with personal data. In this DSR approach, multiple methods are embedded to iteratively build and evaluate the artifact, i.e., structured literature reviews, design recovery, prototyping, and expert interviews. Managerial contributions embody novel design knowledge about the conceptual development of human-centric B2C data ecosystems, considering their legal, ethical, economic, and technical constraints.

Applying the Purpose Limitation Principle in Smart-City Data-Processing Practices: A European Data Protection Law Perspective

Protection of privacy rights in the context of smart cities is novel, currently underdeveloped, and a hot topic worldwide. This article examines the purpose limitation of European data protection law in the context of smart cities. The “purpose limitation” principle of the General Data Protection Regulation (GDPR) outlines the ways and means of processing personal data to protect individuals’ fundamental right to personal data protection and related risks. The principle, which empowers controller(s) to process data in a controlled manner, requires that controller(s) process personal data only after meeting two fundamental requirements: they must act on the requirements of purpose specification, and they must perform an “incompatibility test” while processing personal data for further purposes. This article aims to outline the permissible limits of the purpose limitation principle to pursue different purposes in the context of smart cities. Indeed, the principle only applies when controllers process personal data in smart cities. With the authority provided by the principle, data controllers may process personal data for primary and secondary purposes. However, processing purposes cannot go beyond defined restrictions. The study, which is conducted within the European legal framework, deploys a multimethod approach to address different parts of the research question.

Blockchain, Data Protection and P2P Energy Trading: A Review on Legal and Economic Challenges

Blockchain technology (BCT) enables the automated execution of smart contracts in peer-to-peer (P2P) energy trading. BCT-based P2P platforms allow the sharing, exchange and trade of energy among consumers or prosumers as peers, fostering the decarbonization, decentralization and digitalization of the energy industry. On the other hand, BCT-based P2P energy trading relies on the collection, storage and processing of a large amount of user data, posing interdisciplinary challenges, including user anonymity, privacy, the governance of BCT systems and the role of energy market players. First, this paper seeks to review the state of the art of European data protection law and regulations by focusing on BCT compliance with the General Data Protection Regulation (GDPR) of 2018. Second, it explores both the potentials and the challenges of BCT-based P2P energy trading from a legal–economic perspective. To do so, the paper adopts an interdisciplinary approach which intertwines both law and economics, by reviewing the recent literature on BCT and P2P energy trading. Findings have revealed that the deployment of BCT-based P2P energy trading is still in its pilot stage because of technology immaturity, data protection uncertainty, incomplete disintermediation and the lack of both user awareness and collaboration among market players. Drawing on the review, the paper also proposes a selection of solutions to foster the implementation of BCT-based P2P energy trading.

Smart Cities as “Big Brother Only to the Masses”: The Limits of Personal Privacy and Personal Surveillance

Smart city projects in Europe and North America are employing a novel approach to data analysis that processes hardly any or no personal data at all. As such, these projects—at least, for the most part—escape the scope of (European) data protection law. The idea behind this new approach to smartness can be condensed in the statement: “smart cities are only Big Brother to the masses.” In other words, if the data collected within smart city projects do not identify any individuals, then there are no issues with privacy and data protection law. This problematic assumption relies on two reductive understandings of key notions in this context: that of “personal privacy” and “personal surveillance.” In this contribution, I focus on the latter and call for a broader understanding of surveillance as a set of diverse modes of social control by privacy law scholars. After all, in order to reveal the underlying dynamics of power and how these might lead to surveillance abuse—even, or especially, when surveillance is based on the processing of seemingly non-personal data—concrete surveillance practices and their logics need to be examined. For this purpose, I take the example of the Stratumseind Living Lab in the Netherlands and examine it through the lens of Foucault’s notion of security. This examination leads to two valuable insights for privacy and data protection law scholars. First of all, it strengthens the argument of contemporary group privacy scholars that a narrow focus on individual privacy and surveillance is inadequate and that the regulatory framework needs to be adapted. The second insight raises another broad issue: smart cities, which function according to the securitizing logic of surveillance, such as the Stratumseind Living Lab, are transforming public spaces into consumption spaces. Yet, the protection of privacy in public can and should serve to protect key aspects of public space—political participation and sociability—as well.

Developing a Code of Practice for Using Data in Wellbeing Support

With student and staff wellbeing a growing concern, several authors have asked whether existing data might help institutions provide better support. By analogy with the established field of Learning Analytics, this might involve identifying causes of stress, improving access to information for those who need it, suggesting options, providing rapid feedback, even early warning of problems. But just investigating the possibility of such uses can create significant risks for individuals: feelings of creepiness or surveillance making wellbeing worse, inappropriate data visibility destroying trust, assessments or interventions becoming self-fulfilling prophecies. To help institutions decide whether and how to explore this area, and to reassure individuals that this is being done safely, we propose a Wellbeing Analytics Code of Practice. This starts from an existing Learning Analytics Code, confirms that its concerns and mitigations remain relevant, and adds additional safeguards and tools for the wellbeing context. These are derived from a detailed analysis of European and UK data protection law, extracting all rules and safeguards mentioned in relation to health data. We also develop context-specific tools for managing risk and evaluating data sources. Early feedback suggests that these documents will indeed increase confidence that this important area can be safely explored.

Comparing Private Enforcement of EU Competition and Data Protection Law

Abstract Compared to art 82(1) of the General Data Protection Regulation (GDPR), which since 2018 grants data subjects a claim for damages resulting from the infringement of European data protection law, private enforcement of European competition law looks back on a much longer history. Thus, its concepts and learnings may serve as a model for data protection law. However, any potential transfer from one area to the other must be carefully weighed, as both the factual circumstances and the underlying regulatory framework differ. Against this background, this paper aims at identifying important similarities and differences between the private enforcement of European competition and data protection law. Amongst others, it reaches the conclusion that both fields of law – although for different reasons – share a comparably high level of Europeanisation and that the primary aims of private enforcement generally align. In addition, potential for spill-over effects from the area of competition to data protection law is identified, namely with regard to causation and the European concept of undertaking.

Speak Up! Legal Challenges in the Light of the Determination of Emotion in Conducting Targeted Advertising through a Voice Recognition Device

Artificial Intelligence (AI) technology keeps on being developed and has started to emerge into some devices and/or machines. AI can be embedded in many forms, and one of them is voice recognition technology. This technology that offered a human-like interactive feature has featured such as in iPhone Siri and Amazon Alexa. The rising trend of this technology also showed when Amazon has been granted a new patent regarding its virtual assistant, Alexa, in 2018. According to the patent, the device will automatically infer the user’s voice to determine their emotion in order to generate targeted advertisements. This patent hence posed a risk of harming the user’s autonomy since the user is unable to leave their emotions to go undetected by the device. Therefore, the commodification of emotion could challenge the adequacy of the current legal regimes, in particular, data protection and consumer laws since both have the primary concern to protect the autonomy and dignity of consumers. This research aimed to analyse whether the current European data protection and consumer laws are adequate to mitigate the risks posed by the commodification of emotion to conduct targeted advertising in the voice recognition technology.

Differential Data Protection Regimes in Data-Driven Research: Why the GDPR is More Research-Friendly Than You Think

AbstractAgainst the backdrop of an evolving landscape describing data driven research, this article discusses the role of data protection laws in shaping a free flow of research data. In particular, the analysis inquires whether European data protection law hampers or encourages data-driven research. The analysis critically challenges the shared belief that the more severe data protection regime laid down by the European legislator adversely affects data flows and with that data-driven research. This is contrary to what occurs in the United States, where the more fragmented and less developed data protection framework facilitates data flows and related innovation patterns. We show how research objectives through data re-usability have been very recently given primary importance in the GDPR, where they find a formidable ally enabling the re-usability of public data by businesses and of private data by public institutions, for either public interest-related research purposes or commercially oriented innovation purposes. We argue that the GDPR differently promotes research-valuable data flows in consistency with an emerging principle of free movement of personal data. In order to ground this statement, our analysis links to this principle three-directional research regimes emerging from the GDPR.

Adtech and Real-Time Bidding under European Data Protection Law

AbstractThis article discusses the troubled relationship between contemporary advertising technology (adtech) systems, in particular systems of real-time bidding (RTB, also known as programmatic advertising) underpinning much behavioral targeting on the web and through mobile applications. This article analyzes the extent to which practices of RTB are compatible with the requirements regarding a legal basis for processing, transparency, and security in European data protection law.We first introduce the technologies at play through explaining and analyzing the systems deployed online today. Following that, we turn to the law. Rather than analyze RTB against every provision of the General Data Protection Regulation (GDPR), we consider RTB in the context of the GDPR’s requirement of a legal basis for processing and the GDPR’s transparency and security requirements. We show, first, that the GDPR requires prior consent of the internet user for RTB, as other legal bases are not appropriate. Second, we show that it is difficult—and perhaps impossible—for website publishers and RTB companies to meet the GDPR’s transparency requirements. Third, RTB incentivizes insecure data processing. We conclude that, in concept and in practice, RTB is structurally difficult to reconcile with European data protection law. Therefore, intervention by regulators is necessary.

Respecting the GDPR in Online Interviewed Focus Groups

Since March 2020 the Corona virus has limited personal encounters due to social distancing measures. Thus, many data collection techniques relying on face-to-face interaction, like interviews or Focus Groups (FG), are now being practised in online environments. Such change requires the implementation of innovative measures to comply with Regulation EU 2016/679 (GDPR) and obey national data protection laws. Processing personal data of voluntary participants has to have a lawful ground and a clear purpose behind it. Moreover, the researcher has to respect legal requirements and principles for processing personal data, provide the participants with information about the research procedure and apply security measures to avoid risks to the rights and freedoms of individuals. This process has to apply to any interaction mediated by Web-Conferencing Systems (WCS). The purpose of this paper is to describe the legal requirements for conducting online interviews or FG under social distancing conditions. The project of reference for the application of these requirements is the EU Horizon2020 HELIOS project consisting of the development of a decentralised social media platform. Lay summary At universities or in industry researchers can interview people personally to test, for instance, the use of a specific technology. The objective is to collect data for future improvements. In 2020 people all over the world found themselves in a pandemic. The Covid-19 limited social meetings with beloved ones and also restricted the work of scientific researchers. Individual or group interviews could not take place in presence. Thus, a solution was seen in online conferencing platforms such as Zoom. Modifying the space and the way in which an interview takes place poses some legal challenges regarding data protection. Such conversations with individuals always have to apply European and national data protection laws. Among other things, this means that there needs to be a specific legal reason to process personal data and a specific purpose behind the interview. Additionally, the researcher has to inform participants about all the legal terms, legal guarantees and research procedure. All this applies as well if online conferencing platforms are used. In this article, you can find a description of the necessary legal steps to develop online interviews with individuals or focus groups and fulfil European data protection requirements.

The (Extra-)territorial Scope Rules of the New European Data Protection Law from a Private International Law Perspective—A Model for South Africa?

Novel technical developments are a source for new business models and, at the same time, a challenge for legal systems and in particular data protection laws. A fundamental challenge in this respect is the delocalisation of data proceedings enabled by modern technologies. In addition, most cases related to such new data driven business models contain foreign elements. From a data protection perspective this raises numerous legal questions, related to the territorial scope of data protection instruments and their relation to the established rules and principles of private international law. The European General Data Protection Regulation (GDPR) addresses the delocalisation with extra-territorial scope rules, but the discussion on how those provisions are embedded in the legal framework of private international law has only started. This article will address those questions in context of the GDPR and the South African Protection of Personal Information Act (POPIA) from a comparative perspective. After a brief overview of the GDPR, the requirements of the territorial scope rules of Articles 3(1) and (2) GDPR will be examined. Thereafter, the doctrinal classification of these rules within the established categories of private international law and the question of whether a choice of the applicable data protection law is permitted within the legal framework of the EU will be investigated. In conclusion, the article examines the territorial scope of the POPIA and provides recommendations for an improvement of the existing rules de lege ferenda.

Getting under your skin(s): a legal-ethical exploration of Fortnite's transformation into a content delivery platform and its manipulative potential*

This article investigates the ethical and legal implications of increasingly manipulative practices in the gaming industry by looking at one of the currently most popular and profitable video games in the world. Fortnite has morphed from an online game into a quasi-social network and an important cultural reference point in the lifeworld of many (young) people. The game is also emblematic of the freemium business model, with strong incentives to design the game in a manner which maximizes microtransactions. This article suggests that to properly understand Fortnite's practices – which we predict will become more widely adopted in the video game industry in the near future – we need an additional perspective. Fortnite is not only designed for hyper-engagement; its search for continued growth and sustained relevance is driving its transformation from being a mere video game into a content delivery platform. This means that third parties can offer non game-related services to players within Fortnite's immersive game experience. In this paper, we draw on an ethical theory of manipulation (which defines manipulation as an ethically problematic influence on a person's behaviour) to explore whether the gaming experience offered by Fortnite harbours manipulative potential. To legally address the manipulative potential of commercial video game practices such as the ones found in Fortnite, we turn to European data protection and consumer protection law. More specifically, we explore how the European Union's General Data Protection Regulation and Unfair Commercial Practices Directive can provide regulators with tools to address Fortnite's manipulative potential and to make Fortnite (more) forthright.

Can the GDPR make data flow for research easier? Yes it can, by differentiating! A careful reading of the GDPR shows how EU data protection law leaves open some significant flexibilities for data protection-sound research activities

Against the common perception of data protection as a road-block, we demonstrate that the GDPR can work as a research enabler. This study demonstrates that European data protection law's regulatory pillars, the first related to the protection of the fundamental right to data protection and the second regarding the promotion of the free flow of personal data, result into an architecture of layered data protection regimes, which come to tighten or relax data subjects’ rights and data protection safeguards vis à vis processing activities differently grounded in public or merely economic interests. Each of the identified data protection regimes shape different “enabling regulatory spots” for the processing of sensitive personal data for research purposes.