Field Of Data Protection Research Articles

Legislative mechanisms of personal data protection in the health care system

Human rights and freedoms, guarantees of their observance and protection should be the basis of the activities of any democratic country in the world. The issue of information security becomes particularly relevant in modern conditions, because medical institutions collect and store personal data of persons who contact them, the results of laboratory and instrumental research, diagnoses, medical histories, etc. Endless reforms, changes in legislation, introduction of an electronic system in the field of health care cause a lot of discussions about individual mechanisms of its functioning and ensuring the protection of personal data. The collection of personal data must be lawful, subject to strict requirements and for a legitimate purpose. In addition, persons or organizations engaged in the collection and processing of personal information must protect it from abuse and respect the rights of data owners guaranteed by law. The reform of legislation in the field of data protection should take place in parallel with the dynamic process of development of Internet technologies, including the creation of a formalized system of legislation in the field of privacy. In addition, considerable attention should be paid to the level of awareness of citizens about how their personal data may be collected and used. In particular, the request for consent to the processing of personal data must be clear; access to own data should be simplified and their mobility should be increased for easier transfer of data from one service to another; companies and organizations must report serious security breaches in a timely manner. And of course, ensuring the appropriate level of responsibility and reporting of all those involved in personal data processing. Health care is increasingly reliant on information technology. More and more hospitals and healthcare institutions are using information and communication technologies to support and improve their work. Digital technologies are widely used in the public health care sector, including electronic prescriptions, appointments with a family doctor, records of services rendered, hospitalization, hospital discharge, etc. In this context, a wide range of eHealth tools and services have emerged. Electronic medical records are created in such a way that it is possible to transfer patient data between different medical professionals. Although digital health technologies have so many important functions, their high dependence on sensitive patient health information can cause information security issues. At the same time, a significant part of personal health data is often collected without informing patients about it.

An Overview of Privacy-Enhancing Technologies in Biometric Recognition

Privacy-enhancing technologies are technologies that implement fundamental data protection principles. With respect to biometric recognition, different types of privacy-enhancing technologies have been introduced for protecting stored biometric data which are generally classified as sensitive. In this regard, various taxonomies and conceptual categorizations have been proposed and standardisation activities have been carried out. However, these efforts have mainly been devoted to certain sub-categories of privacy-enhancing technologies and therefore lack generalization. This work provides an overview of concepts of privacy-enhancing technologies for biometric recognition in a unified framework. Key properties and differences between existing concepts are highlighted in detail at each processing step. Fundamental characteristics and limitations of existing technologies are discussed and related to data protection techniques and principles. Moreover, scenarios and methods for the assessment of privacy-enhancing technologies for biometric recognition are presented. This paper is meant as a point of entry to the field of data protection for biometric recognition applications and is directed towards experienced researchers as well as non-experts.

Правові аспекти забезпечення кібербезпеки в Україні: сучасні виклики та роль національного законодавства

The article identifies the peculiarities of the current state of cybersecurity in Ukraine and emphasizes the importance of applying effective legislation aimed at protecting the cyber structure, as well as choosing the best tools and mechanisms to combat cyber threats. For the purpose of this study, the author has selected the national legislation aimed at regulating the cybersecurity sector. The key aspects of legislation affecting cybersecurity and protection of information resources of Ukraine, in particular in the context of current challenges and threats of modern cyberspace, are quite effective today, as evidenced by the results of statistics on solving problems related to hacker attacks on Ukraine during the military conflict in 2022–2024. However, despite the fact that the current legislative acts create a solid basis for the development of Ukraine’s cybersecurity system, the article discusses issues that remain unresolved. In particular, the role of artificial intelligence in the field of data protection against cyberattacks in the current environment. The role of international cooperation in ensuring cybersecurity is also considered as one of the necessary conditions for ensuring the national security protection system of Ukraine.

Cutting-Edge Cryptography and Cybersecurity : Innovations and Applications

In this special issue titled “Cutting-Edge Cryptography and Cybersecurity : Innovations and Applications”, we explore the intricate relationship between advanced cryptographic techniques and their diverse applications in cybersecurity. This issue features a range of topics, each contributing to the expansive field of data protection, privacy, and cyber defense.

The European Union’s external competence in the data protection field: Is mixity the only way out?

El presente estudio resume la jurisprudencia y las normas convencionales que sustentan el ejercicio de las competencias externas (implícitas) de la Unión Europea (UE) aplicadas al art. 16.2 del Tratado de Funcionamiento de la UE (TFUE). El art. 16.2 del TFUE faculta a la UE para adoptar normas sobre la protección de las personas cuyos datos personales se procesados y sobre la libre circulación de dichos datos. Las normas adoptadas sobre esta base jurídica podrían activar el criterio de afectación AETR/ERTA codificado en el art. 3.2 del TFUE, convirtiendo la competencia compartida interna de la UE en competencia exclusiva externa. Nuestro análisis sostiene que, a la luz de la legislación de la Unión vigente en materia de protección de datos, la UE posee una competencia externa (implícita) compartida/concurrente basada en el art. 16.2 del TFUE. Por este motivo, las negociaciones para acceder al Convenio 108+ del Consejo de Europa fueron mixtas.

Moral autonomy of patients and legal barriers to a possible duty of health related data sharing

Informed consent bears significant relevance as a legal basis for the processing of personal data and health data in the current privacy, data protection and confidentiality legislations. The consent requirements find their basis in an ideal of personal autonomy. Yet, with the recent advent of the global pandemic and the increased use of eHealth applications in its wake, a more differentiated perspective with regards to this normative approach might soon gain momentum. This paper discusses the compatibility of a moral duty to share data for the sake of the improvement of healthcare, research, and public health with autonomy in the field of data protection, privacy and medical confidentiality. It explores several ethical-theoretical justifications for a duty of data sharing, and then reflects on how existing privacy, data protection, and confidentiality legislations could obstruct such a duty. Consent, as currently defined in the General Data Protection Regulation – a key legislative framework providing rules on the processing of personal data and data concerning health – and in the recommendation of the Council of Europe on the protection of health-related data – explored here as soft-law – turns out not to be indispensable from various ethical perspectives, while the requirement of consent in the General Data Protection Regulation and the recommendation nonetheless curtails the full potential of a duty to share medical data. Also other legal grounds as possible alternatives for consent seem to constitute an impediment.

Implementation of the General Data Protection Regulation in Romania: problems, perspectives, solutions

In the context of the accelerated development of new technologies and the evolution of artificial intelligence programs, in the context of more and more discussions related to the digitization of public services, interoperability, cross-border data transfer, Big Data, fake news, deep fake, hybrid warfare and cyberattacks we must admit that it is necessary to find quickly solutions to give to all data subjects the right to have control over their personal data. Legislative solutions are not enough. Can a state, through a correct, coherent, constant information of citizens and their institutionalized training in the field of privacy protection to reach through prevention, to ensure effective protection of personal data? Using comparative analysis as a research method, we have identified good practices of implementing GDPR in several European countries. The results obtained through the analysis of the data collected by the open-ended questionnaire and the interview research methods revealed to us the real needs of the Romanian citizens. Having good practices models for implementing GDPR in several European countries and the real needs of the population regarding the data protection field, we aim to provide solutions to improve the implementation of the GDPR in Romania.

ABOUT DATA PROTECTION STANDARDS AND INTELLECTUAL PROPERTY REGULATION IN THE DIGITAL ECONOMY: KEY ISSUES FOR UKRAINE

Changes that are constantly taking place in the digital economy cause increasing instability of legislation in the field of data protection and security. For example, in Ukraine, under martial law, there is an urgent need to adapt the legal regulation to European data protection standards (in terms of personal data processing). First of all, the correlation between EU law, national law of the EU Member States and national legislation of the EU candidate countries results in the principle of direct effect of EU law. In addition, EU data protection law has become an essential source for EU Member States in regulating artificial intelligence (AI), e-commerce and the Internet of Things (IoT). The article considers the specific topic of the conditions of approximation of international norms and legislation of Ukraine to EU law, trying to answer the questions of personal data protection in the conditions of martial law that have arisen. This work is based on a comparative analysis of the General Data Protection Regulation 2016/679 and internal data protection rules in Ukraine. At present, the research purpose of the article is to reveal the fact that data protection is a specific category of procedural law based on the principles of intellectual property law regarding data access rights and data ownership rights in the digital economy.

Image Copyright Protection Based on Blockchain and Zero-Watermark

Generally, image protection is often accomplished by digital watermark, which is also widely used in the field of data protection and data ownership authentication. However, the existing digital watermark has inherent disadvantages, it needs completely trusted third parties to act as the arbitration parties, which may be difficult to achieve. Second, an image watermark algorithm will inevitably lead to the loss of image data when operating on the image data, while it is usually irreversible. The zero-watermark algorithm can solve the problem of data loss but relies more on the trusted third party than a traditional digital watermark, which makes its prospects limited. With the development of blockchain technology in recent years, its features of de-trusted third parties combine the fairness and process automation of smart contracts to make up for the shortcomings of the zero-watermarking algorithm. This paper studies image storage and authentication frameworks. This framework utilizes the advantages of zero-watermarking algorithm and blockchain, using the Inter-Planetary File System to solve the data expansion problem of blockchain, which well avoids the shortcomings of zero-watermarking algorithm and blockchain. Experiment and inference illustrate that the proposed framework is feasible.

A Review for Data Fragmentation in Cloud Computing

The importance of network security is demonstrated by preserving data from being stolen or tampered with by attackers. The computerized cloud supports the protection of both large and small data as well as authorized remote access. Although its protection is secured in the cloud, it needs to use additional methods to enhance data protection from attackers. In this paper, we present the various methods that researchers used to protect data through the computerized cloud, as the diversity in the use of methods led to obtaining good results, albeit to varying degrees. This relieved data fragmentation using multiple technologies and storing it in the cloud, and some used data encryption methods. The aim of this research is to present different types of methods used in the field of data protection across the network via the cloud, which provides an opportunity for researchers to present research that addresses the gaps in order to obtain better results

Administrative Independence Under EU Law: Stuck Between a Rock and Costanzo?

EU law places a number of requirements on administrative authorities that puts them in potentially invidious positions; while EU law today does not require institutionally independent administrative authorities or provide protection for the independence of authorities beyond the field of data protection, it does require administrative authorities to act independently through the loyal and effective enforcement of EU law. This requirement of acting independently without institutional independence raises certain implications for the role of administrative authorities acting within the hierarchical administrative orders of Member States. Using the case of Sweden – a Member State where administrative authorities enjoy significant constitutionally protected independence in the application of law and decision of cases – this article argues that the effect of EU law obligations of effectiveness and loyalty is a weakening of the hierarchical influence of the government over its own authorities, with a resulting shift of influence towards the legal arena through the provision of politically expedient interpretations of EU law. The invidious position of administrative authorities within the scope of EU law is likely to make them vulnerable to such influence, which may ultimately interfere with the effective administration of EU law. Administrative independence, EU-law, principle of effectiveness, national institutional and procedural autonomy, distributed administration, national administrative authorities, constitutional law, Costanzo, Tele2/Watson

Who’s sovereign? The AVMSD’s country of origin principle and video-sharing platforms

This article aims to discuss the impact of the expansion of the country of origin principle to video-sharing digital platforms, and how this contributes to a new paradigm of centralized governance of online media content in Europe. Compared to other jurisdictional regimes in the fields of data protection, intellectual property and personality rights, where other country of receipt and targeting tests are utilized, the case of the Audiovisual Media Services Directive (AVMSD) demonstrates the emergence of a split governance model between individual rights and public interests, which fails to protect adequately local cultural and social specificities in the media sphere.

Third party cookies: what kind of world is without them?

In the article “Third-party cookies: what kind of world is without them?” the decision to remove third-party cookies is being analysed. This objective is being pursued, firstly, because of the problems that have arisen as a result of the “cookies” lack of compliance with law norms. Firefox and Safari were the first ones to make these changes, followed by Google, the largest “giant” in the market. Knowing the benefits of third-party cookies, it has become clear that there will be a need to find alternatives to replace this technology. The following solutions were proposed: “Privacy Sandbox”, contextual targeting, Firefox implemented an enhanced security program “Firefox 69”, and Safari’s privacy feature “Intelligent Tracking Protection”.The article also describes the possible nature of the digital advertising market after the implementation of this change, which will determine the necessity for marketing and business companies to change the strategies in the development of their activities. The article also analyses the legal mechanisms and aspirations of the European Union institutions in the legislative process, which will help to ensure consumer rights in the field of data protection.

Online Political Advertising and Disinformation during Elections: Regulatory Framework in the EU and Member States

Online political advertising and its implications for liberal democracies has become a topic of considerable scholarly and regulatory interest in recent years. The report is guided by the question of how online political advertising is regulated in Europe, especially in the context of elections but also more generally. Its aim is to map the existing, and to some extent upcoming, regulatory framework of online political advertising in the EU and in selected Member States of Germany, France, Spain, Ireland and Poland. After a brief analysis of key concepts, the report maps the EU regulation of data protection and electronic commerce, and other complementary regulation within the Union’s competence. Lastly, the report contains the five case studies of Member State election and online media law. While the relevant EU law is in flux with new regulatory initiatives being processed in the fields of data protection, e-commerce and artificial intelligence, uncertainties also remain concerning the interpretation of existing laws, for instance, on data protection obligations and intermediary liability. In turn, the addressed Member States currently a lack proper electoral and media law framework that would systematically take into account the deployment of online services in the dissemination of election propaganda. However, there is increasing attention paid to online services by national regulators that focuses primarily on information disseminated via the largest online services.

Towards the Trustworthy AI

After decades of theoretical deliberations, the rapid development of advanced information technology has allowed machine learning as a first practical step towards artificial intelligence to enter widespread commercial and government use. The transition into a post-industrial, information society has revealed the value of data as an important resource whose processing is the basis of the new innovative information society services. The European Union has enacted several important regulations and directives in the recent past to protect the recognized fundamental rights of individuals and to regulate the obligations of service providers to ensure safe and secure processing. The Charter of Fundamental Rights as the legal basis of the European system of human rights contains significant checks and limitations to the effect and purpose of future EU AI regulation. Whenever and however this regulation is adopted, it will need to comply with and contain existing European legal standards regarding the fundamental rights of individuals in the EU. The European Commission’s ethical guidelines establish ethical principles based on the recognized fundamental rights that future AI systems need to adhere to in order to be recognized as trustworthy. The purpose of this paper is to present and analyse the mechanisms present in existing European regulations in the fields of data protection and information security and in the European Union documents regarding the future artificial intelligence regulation and to offer suggestions for future regulations. The research methodology includes a comparative analysis of available regulations and policy documents of the European Union, national laws, legal literature, and other sources.

Ochrona danych osobowych po rozpoczęciu obowiązywania rozporządzenia RODO: analiza przypadku Banków Spółdzielczych

W związku z rozpoczęciem obowiązywania rozporządzenia RODO, zarówno w doktrynie, jak i środowisku gospodarczym jest wiele wątpliwości i niepewności co prawidłowości stosowania i interpretacji nowych przepisów. W świetle tych zajść ważnym elementem jest edukacja, szkolenia, rozmowy, a także wymiana spostrzeżeń i doświadczeń osób zajmujących się kwestiami RODO oraz tymi, które były zobowiązane zastosować się do treści rozporządzenia. W kwestii RODO w literaturze przedmiotu małą rolę poświęca się bankom spółdzielczym. Celem artykułu jest diagnoza przeprowadzonych zmian w zakresie ochrony danych klientów banku na skutek wejścia w życie rozporządzenia o ochronie danych osobowych, tzw. RODO. W celu określenia modyfikacji zaszłych w sposobie przetwarzania danych, dokonano analizy treści informacji komunikatów zamieszczonych na stronach internetowych czterech banków spółdzielczych.

As Darkness Deepens: The Right to be Forgotten in the Context of Authoritarian Constitutionalism

AbstractThere is no point in denying the significance of the Right to be forgotten for the state of judicial dialogue in Europe. It vindicates the position of the BVerfG as a court deserving international recognition for advancing the law in the crucial field of data protection. Nevertheless, restricting the scope of analysis to the narrow context of judicial dialogue misses the wider context of the rise of authoritarian constitutionalism in certain EU Member States. In this respect, it is of the highest significance that the decisions on the Right to be forgotten effectively eliminate the imagined normative hierarchy between domestic and EU law that provided the basis for the BVerfG’s jurisprudence ever since Solange I and Maastricht. Moreover, by reasserting the primacy of EU law, the BVerfG strengthens the position of embattled judges in Poland facing disciplinary action for implementing the primacy of EU law. The concern shown by some members of the First Senate for the situation in Poland corroborates this reading.

Data Protection Impact Assessment: A tool for accountability and the unclarified concept of ‘high risk’ in the General Data Protection Regulation

Article 35 of the GDPR introduces the legal obligation to perform DPIAs in cases where the processing operations are likely to present high risks to the rights and freedoms of natural persons. This obligation is part of a change of approach in the GDPR towards a modified compliance scheme in terms of a reinforced principle of accountability. The DPIA is a prominent example of this approach given that it has an inclusive, comprehensive and proactive nature. Its importance lies in the fact that it forces data controllers to identify, assess and ultimately manage the high risks to the rights and freedoms. However, what is first and foremost important for a meaningful performance of DPIAs, is to have a common and objective understanding of what constitutes a risk in the field of data protection and of how to assess its likelihood and severity. The legislature has approached these concepts via the method of denotation, meaning by giving examples of (highly) risky processing operations. This article suggests a complementary approach, the connotation of these concepts and explains the added value of such a method. By way of a case-study the article also demonstrates the importance of performing complete and accurate DPIAs, in terms of contributing to improving the protection of personal data.

The Expanding Right to Damages in the Case Law of CJEU

A network analysis on how the CJEU interprets the right to damages in the fields of data protection, air passenger rights, defective product liability and private enforcement of competition law.

A Seat at the Table: Negotiating Data Processing in the Workplace. A National Case Study and Comparative Insights

It is already a common understanding that datafication is one of the most important trends in our society and, as a consequence, in the economic environment. Datafication and big data are not only the core of the two most debated new business and technological models - platform economy and Industry 4.0 (or smart manufacturing) - but have also permeated more traditional organizations, entering all their departments (marketing, production, sales, finance). In the latest years, datafication is becoming ever more a reality in work organization and human resource management, considerably impacting on the way work is organized, managed and performed. Stemming from this background, this paper wants to analyze the topic of data processing in the employment context focusing on the specific role that collective representation can play. Although there are some interesting antecedents in research regarding the role of workers’ representatives in this context, the topic has received very limited attention as far as the new wave of digitalization is concerned, and almost no interest in its double -- individual and collective -- dimension. By contrast, we believe that ongoing technological and organizational changes raise new challenges and open a new room for intervention for workers’ representatives. In this sense, they are expected not only to limit the quantity and fix the typologies of data collected and processed, against the risk of workers’ surveillance, but also to co-decide over purposes and procedures of data processing, for the self-determination and concrete participation of workers. Negotiating the algorithm, in our opinion, starts here. In order to achieve the above-mentioned purposes, a case study analysis is developed and focused on the Italian context. Firstly, we focus on the legal framework to shed light on the prerogatives and powers formally attributed to workers’ representatives in the field of data protection and workplace monitoring. Emphasis will be placed on the changes made by the so-called Jobs Act reform from September 2015. Secondly, we examine a set of 1,161 company-level collective agreements concluded in Italy between late September 2015 and 2018 to investigate the actual role played by labor representation in this field. Moreover, we provide some insights into other national contexts, with a view to comparing the results of our analysis with the negotiated outcomes achieved in other countries, in an attempt to better understand the institutional determinants of varieties of actors’ orientations and collective solutions.