General Data Protection Regulation Research Articles

Overcoming the Friction between the “Right to be Forgotten” and Blockchain Technology through a New Approach

Objective: this paper explores the challenges arising from the conflict between blockchain technology and the “right to be forgotten” as provided by the European data protection framework.Methods: in the First Section, the author provides a brief description of the evolution of blockchain technology and the most pressing issues between traditional blockchain models and UE’s legislations. Among the latter, the author analyzes the specific issue concerning the clash between the traditional blockchains (both private and public models), typically immutable, and the individual’s right to cancellation or modification of own personal data. This section emphasizes the importance of personal data protection, which has always been one of the main tasks for supranational legislators. The legal regulation of data protection and the relevant judicial practice of the European Court of Human Rights is analyzed. The author raises the problem of expressing the free self-determination of an individual in the form of controlling their personal data on the Internet. The Second Section of this contribution is dedicated to the study of probable ways to solve the existing incompatibility and to make the distributed ledger system compatible with the European data protection legislation. An emphasis is made on the model provided by “Traent” company, which ensures the right to data cancellation or modification. The capability of this model to solve the said contradiction is analyzed.Results: the study delves into the peculiar features of the new model to understand how it strategically utilizes the advantages of public and private blockchains guaranteeing not only the validity and authenticity of the chain where the transaction was performed, but, most importantly, the modification and granular cancellation of client’s personal data. This innovative solution offers a potential path forward for navigating the complex intersection of data privacy and blockchain innovation in the European context.Scientific novelty: Traent has implemented a “hybrid” model blockchain that, incorporating both public and private components, to achieve an effective compliance with the European Union regulations, especially those concerning data protection and privacy.Practical significance: the obtained conclusions and proposals can be taken into consideration in improving the compliance of blockchain technologies with the European Union General Data Protection Regulation.

Machine Unlearning in Digital Healthcare: Addressing Technical and Ethical Challenges

The ``Right to be Forgotten," as outlined in regulatory frameworks such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), allows individuals to request the deletion of their personal data from deployed machine learning models. This provision ensures that individuals can maintain control over their personal information. In the digital health era, this right has become a critical concern for both patients and healthcare providers. To facilitate the effective removal of personal data from machine learning models, the concept of ``machine unlearning" has been introduced. This paper highlights the technical and ethical challenges associated with machine unlearning in digital healthcare. By examining current unlearning methodologies and their limitations, we propose a roadmap for future research and development in this field.

Systematic review of ethics and legislation of a Global Patient co-Owned Cloud (GPOC)

Background The use of cloud-based storage for personal health records (PHRs) has significantly increased globally over the past thirty years. The four recently published GPOC Series articles introduced the concept of a Global Patient co-Owned Cloud (GPOC) for personal health records. The series includes a systematic review and meta-analysis, a summit, a sandbox, and a survey, with 100% participation from UN member states and key international health organisations. GPOC aims to establish patient co-ownership of PHRs, addressing integration and access challenges. Methods This study is built upon the published GPOC systematic review and meta-analysis that focused on examining cloud-based personal health records and elements such as data security, efficiency, performance, privacy and cost-based factors. However, this study selectively reviews the ethical, legislative and potential human rights dimensions of GPOC. Thus, it includes ethical aspects of co-ownership, rights, privacy, policies, and AI integration. The original study was PROSPERO registered with CRD42022342597, which serves as the foundation for the current study. Results This study offers a comprehensive global overview of ethics, legislation and initiatives by states and organisations. We analyse AI integration and future challenges for GPOC implementation. We present principles from ‘Ethics by Design’ and the ‘Principles of Biomedical Ethics’ by Beauchamp and Childress alongside the European General Data Protection Regulation (GDPR). The study presents a global overview of the relevant global latticework of legislation. Conclusions This study suggests that GPOC could potentially establish a new human right to patient co-ownership of personal health information. GPOC aims to facilitate global AI integration in healthcare and address existing challenges in PHR integration. A decentralised GPOC, supported by blockchain consensus, may offer benefits such as enhanced data security, interoperability, and equitable access to healthcare information globally. Thus, GPOC may have a positive impact on global health.

Cross-Border Data Flows and the Protection of Personal Information Act 4 of 2013 – Part I: The Territorial Scope Provision

The Protection of Personal Information Act 4 of 2013 (POPIA) was introduced to protect the right to privacy of the South African data subject. The Act prescribes obligations that a responsible party must fulfil to achieve this purpose. However, for the Act to be enforced against a responsible party who has transgressed any of its provisions, the responsible party needs to be brought under its jurisdiction. To that end, POPIA makes provision for a territorial scope provision (section 3) based on the notion of domicilium and the use of automated and non-automated means for processing personal information situated in the Republic. This article makes use of comparative analysis to interpret the content of these provisions with reference to the European Union (EU)'s 1995 Data Protection Directive (DPD), on which they were modelled, and its successor, the 2016 General Data Protection Regulation (GDPR). The article demonstrates that section 3 can give rise to interpretative uncertainties which could result therein that personal information processed by responsible parties who are outside the Republic would not be regulated by the Act, or that these parties could move their processing activities out of the country to escape liability. An expansive interpretation of these provisions by the courts is needed to plug these gaps; alternatively, legislative revision must be undertaken in line with developments in the EU, where the GDPR endeavoured to address some of these aspects.

Privacy, confidentiality and ethical concerns in audio ai assistants: A comparative study of North American, European, and Asian Markets

This study examines the ethical, privacy, and confidentiality issues with audio AI assistants in the markets of North America, Europe, and Asia. Understanding the ramifications of data collecting, storage, and usage is crucial as the use of technologies like Google Assistant and Amazon Alexa grows. The study highlights significant regulatory differences between the areas; North America offers a fragmented landscape, and many Asian nations are still developing their data protection legislation, while Europe leads with strong frameworks like the General Data Protection Regulation (GDPR). Key challenges identified include a lack of user awareness regarding privacy rights, extensive data collection practices, unauthorized listening, data breaches, and cultural differences influencing attitudes toward data protection. The findings reveal that these challenges impact user trust and hinder the responsible innovation of AI technologies. Recommendations for improvement include establishing global regulations to promote consistency in data protection, adopting best practices such as privacy-by-design principles, and enhancing user education initiatives. Additionally, the study identifies critical areas for future research, particularly the role of AI assistants in sensitive sectors like healthcare and education, where privacy concerns may differ significantly. Overall, this comparative analysis provides a foundational understanding of audio AI assistants' ethical landscape and underscores the importance of addressing these issues to foster a secure and trustworthy digital environment.

Navigating the ethical and governance challenges of ai deployment in AML practices within the financial industry

The rapid deployment of Artificial Intelligence (AI) in Anti-Money Laundering (AML) practices within the financial industry presents significant ethical and governance challenges that must be navigated effectively. As financial institutions increasingly adopt AI technologies to enhance their AML efforts, concerns regarding data privacy, algorithmic bias, and transparency emerge. This review explores the ethical implications of AI in AML and offers governance strategies to mitigate risks while ensuring compliance with regulatory frameworks. One of the primary ethical challenges in deploying AI for AML is the potential for algorithmic bias. AI systems trained on historical data may inadvertently perpetuate existing biases, leading to discriminatory practices in transaction monitoring and customer profiling. This raises serious concerns about fairness and equity in the financial sector. Addressing algorithmic bias requires the implementation of rigorous testing and validation processes to ensure AI systems function impartially across diverse populations. Data privacy is another critical issue. The extensive data collection required for effective AML monitoring raises questions about the protection of sensitive customer information. Financial institutions must establish robust data governance frameworks that prioritize privacy and comply with regulations such as the General Data Protection Regulation (GDPR). Ensuring transparency in how data is used and providing clear communication to customers about data practices is essential for building trust. Effective governance frameworks are crucial in navigating these ethical challenges. Financial institutions should adopt a multi-disciplinary approach that includes ethical guidelines, compliance measures, and risk management strategies. Establishing oversight committees can help ensure that AI deployment aligns with ethical standards and regulatory requirements. Furthermore, ongoing training for employees on the ethical use of AI in AML can foster a culture of responsibility and accountability. This review highlights the need for a balanced approach to AI deployment in AML, emphasizing the importance of ethical considerations and governance structures. As the financial industry continues to evolve, addressing these challenges will be essential for maintaining trust, ensuring compliance, and leveraging AI’s potential to enhance AML practices effectively.

The role of data governance in enhancing cybersecurity resilience for global enterprises

Data governance plays a critical role in enhancing cybersecurity resilience for global enterprises. In the face of increasingly sophisticated cyber threats, coupled with rising regulatory demands such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), enterprises must implement robust data governance frameworks to safeguard data integrity, availability, and confidentiality (Ramirez et al., 2008). Effective data governance involves a combination of policies, procedures, and technologies that align with an organization’s overall cybersecurity strategy (Khatri & Brown, 2010). This paper provides a comprehensive analysis of the critical intersection between data governance and cybersecurity, emphasizing the link between governance structures, risk management processes, and technological innovations in mitigating evolving cyber threats (Weber et al., 2009). Additionally, we explore the essential role of data stewardship, stakeholder responsibilities, and the deployment of advanced technologies, such as artificial intelligence (AI) and machine learning (ML), in fostering organizational resilience (Arora & Pedersen, 2017). Through case studies and best practices, the study presents a conceptual framework that enables global enterprises to adapt to the fast-changing cybersecurity landscape while maintaining compliance with international data regulations. By addressing key elements such as access control, data classification, and real-time monitoring, this research underscores how comprehensive data governance frameworks serve as a foundation for enhanced cybersecurity resilience in today’s digital economy (Da Veiga & Eloff, 2007).

Data-driven Public Administration and the GDPR: Seeing the Court of Justice's Judgement in Case C-175/20 in a Broader Context

Increasingly, public authorities are looking to get the most from their records, with the aid of new technologies that allow them to extract the desired features or patterns from large volumes of data. This could position these authorities well for efficiency and to identify offenders – and, in some cases, future offenders. At the same time, the General Data Protection Regulation lays down the principle of purpose limitation and requires both the European Union and its member states to ensure that the rules by which personal data get processed are foreseeable for the individuals affected. In this context, a distinction must be made between two steps to processing, each with its own issues – the request for or direct access to personal data and mass analysis of the data obtained. The European Court of Justice dealt with several of these after the Latvian tax authority requested ‘big data’ from a private company. The article examines the guidance that the Court issued in this case (C-175/20) to both national legislators and administrations with regard to the distinct stages of mass processing of data, and it considers which questions remain unanswered.

Text analysis and optimization strategy of an app’s privacy policy from the perspective of dual perception: taking Chinese shopping apps as an example

Purpose This paper aims to conduct an in-depth analysis of the shortcomings of apps’ privacy policies and to propose improvement and optimization strategies, which are of great significance for establishing a transparent and responsible privacy protection framework that ensures compliant collection and use of users’ information and effective protection of their privacy. Design/methodology/approach This paper obtained privacy policy texts for 100 shopping apps through Web crawlers and manual downloads. Based on the perspective of perceived usefulness, thematic analysis is conducted through the latent Dirichlet allocation topic model and comparison with existing policies. Based on the perspective of perceived ease of use, readability analysis is conducted through content analysis and formula calculation. Findings The apps privacy policies can be divided into seven themes. The authors benchmark these seven topics with the Personal Information Protection Law of the People’s Republic of China, the E-Commerce Law of the People’s Republic of China and the General Data Protection Regulation. It is found that there are omissions in the information collection and use and juvenile protection of the existing apps. Through the indicators’ readability analysis and calculation, it is found that the existing apps privacy policies have good performance in the readability indicators such as naming method, frame directory and so on. However, text personalization and text readability need to be improved and optimized. Originality/value At the theoretical level, this paper constructs a model from the dual perception perspectives of perceived usefulness and perceived ease of use and analyses the apps’ privacy policy texts at a fine-grained level. At the practical level, based on large-scale apps’ privacy policy text data, this paper conducts multi-dimensional research from theme analysis, authoritative law benchmarking analysis, content analysis and text readability calculation and analysis. At the same time, this paper identifies the current problems of apps’ privacy policies and puts forward countermeasure suggestions for their content improvement and optimization.

Traditional Quizzing with a Twist: Involving University Students in the Development Process

Quizzes have been used for educational purposes for many years. Mainly it has been digital quizzes like Kahoot or ZippyGo. However, there is an ongoing debate on the security of students’ data. As the university cannot be responsible for what is stored in computers outside of Norway and at the same time paying attention to the General Data Protection Regulation (GDPR). The General Data Protection Regulation (GDPR) is a critical framework for data privacy across Europe, including the UK, Norway, and the EU (ICO, 2024). The GDPR came into force in 2018, agreeing data privacy laws across all member states. It applies to any organization processing personal data of individuals in the EU, regardless of the company's location. The regulation grants rights such as data access, correction, and deletion, and imposes strict penalties for non-compliance (ICO, 2024). As part of the European Economic Area (EEA), Norway implements the GDPR similarly to EU countries. The regulation applies to Norwegian businesses processing data of EU citizens, ensuring that data privacy standards are uniform across the region (Team, 2016; ICO, 2024). Therefore, utilizing digital games have become increasingly difficult. The students, however, are missing the gaming, and the lecturers are missing the opportunity to utilize games-based learning techniques. This leads the lecturer in the research methodology course to “Go Native” and turn to the “old style” analogue quizzing. However, previous research showed that students are not only engaged in the solving of the quizzes, but also, they engage in the development of the questions and answers for the quizzing, i.e. ‘co-creating’. This paper will present a pilot study of a paper-based quiz developed by university students, and their reactions from this. Through informal interviews, data was collected to establish how they felt about this “old school” quiz type of learning after having had several different digital tools for educational games. In this paper, and based on our previous research findings (from the informal interviews with the students), we will develop this further into a digital but low-tech version of a quiz game; it should be still both fun and educational.

REGULAÇÃO LEGAL DAS REDES SOCIAIS: PROTEÇÃO DE DADOS E LIBERDADE DE EXPRESSÃO

The legal regulation of social networks is a field in constant evolution, which seeks to balance two fundamental pillars in the digital era: data protection and freedom of expression. Social networks manage a huge amount of personal data, which makes the existence of legal frameworks that protect users’ privacy imperative. Regulations such as the General Data Protection Regulation (GDPR) in the European Union and the General Data Protection Law (LGPD) in Brazil establish strict standards on how platforms must manage personal information. These laws not only allow users to access, correct or delete their data, but also impose sanctions on companies that do not comply with these requirements, ensuring a high level of security and transparency. At the same time, freedom of expression is a fundamental right that must be protected in the digital environment. However, exercising this right on social media often conflicts with the need to moderate content that may be considered offensive, dangerous or even illegal. Platforms implement moderation policies to mitigate the spread of hate speech, misinformation, and other harmful content. This, however, creates significant challenges in relation to censorship and the delimitation of permitted speech, which can affect the free expression of ideas and opinions. The challenge lies in finding an appropriate balance between protecting users’ privacy and data and enabling robust freedom of expression. An excessive focus on data protection can limit users’ ability to express themselves freely, while unrestricted freedom of expression can put individuals’ security and privacy at risk. As social media becomes more deeply integrated into everyday life and becomes a key platform for communication and the exchange of ideas, it is essential that regulations continue to adapt to address these dilemmas in a balanced and fair way. The future of regulation in this field will depend on the ability of legislators and platforms to adapt to rapid technological and social changes. ensuring that both rights are protected effectively and equitably.

The diffusion of data privacy laws in Southeast Asia: learning and the extraterritorial reach of the EU’s GDPR

ABSTRACT The European Union’s General Data Protection Regulation (GDPR) of 2016 is widely recognised as the benchmark global standard for data-privacy law. In recent years, countries across Southeast Asia have enacted or updated data-privacy laws with provisions that align with the GDPR. This paper explores the balance of internal and external forces driving these regulatory changes. It argues that a nuanced understanding of diffusion in the policymaking process allows us to see beyond the ‘Brussels Effect’ and how the increasing digitalistion of Southeast Asian societies has created increasing local demand for regulatory change. While an analytical focus on scripting in the drafting of GDPR-like laws focuses attention on the extraterritorial reach of the EU’s regulatory power, an analytical focus on problematisation points to different pathways of domestic learning regarding data privacy, especially in response to rising data-security threats.

Railway security checks at the border: between intrusive security technologies and fundamental traveller rights.

European railway borders are facing a particular exposure to security threats and need a delicate balance between securitization and free movement, especially amid globalisation, the current geopolitical landscape and increased migrant flows. For example, the war in Ukraine illustrated the challenges experienced at the Eastern EU borders by the refugee migration surge in early 2022. This exploratory focuses on the European border security control process from the rail border perspective. It encompasses a descriptive synthesis of the lessons learned from the UIC Refugee Task Force as well as insights from the ongoing EU-funded Horizon Europe project ODYSSEUS (Unobtrusive Technologies for Secure and Seamless Border Crossing for Travel Facilitation). Project ODYSSEUS aims to support the security and integrity of the European space, reduce illegal movements of people and goods across EU borders, facilitate travelling for citizens all while protecting fundamental rights of travellers. The project will test a combination of multi-behavioural and General Data Protection Regulation (GDPR) compliant biometric user identity verification tools, allowing, when possible, citizens to cross EU border without any interruption or queue. Further, novel luggage and baggage checks will allow citizens' vehicles and cargos to be remotely checked at land borders to speed up the border check processes in a secure and reliable manner. The project will run three pilot tests at road, rail and water borders. In this paper, we analyse the implementation of project's technologies in the rail border crossing pilot test and discuss the implications for the actors involved in the process of railway border crossing (e.g., border authorities, railway operators and railway travellers).

An Efficient Multilayer approach for Securing E-Healthcare Data in Cloud using Crypto – Stego Technique

Healthcare data has been moving to cloud platforms in recent years, which has increased accessibility and scalability but also raised security issues. Ensuring data integrity and safeguarding private health information from unwanted access are critical. This paper presents a comprehensive strategy to integrate effective Elliptic Curve Cryptography ECC-AES with steganography techniques to improve the security of healthcare data in the cloud. ECCAES is especially well-suited for cloud situations with limited resources since it provides strong security with reduced key sizes. Confidentiality is guaranteed by encrypting healthcare data using ECC- AES before storage, reducing the possibility of data breaches. Steganography techniques are also integrated to improve security against skilled adversaries by adding an extra degree of obfuscation by concealing encrypted data inside innocuous files or images. Strict key management procedures, access control systems, and frequent security audits are important components of the proposed system that ensure adherence to Health Insurance Portability and Accountability Act (HIPAA) and General Data Protection Regulation (GDPR) compliance requirements pertaining to healthcare data protection. Programs for employee awareness and training are also crucial for reducing the likelihood of human mistakes. Healthcare businesses can safely use cloud technology while protecting patient data integrity and privacy by putting in place multi-layered security safeguards. The proposed system provides the multilayer security on healthcare data in cloud environment than other existing systems.

Discrimination in the Automated Targeting of Job Advertising: The role of the General Data Protection Regulation

Recently, companies have increasingly been using AI to attract potential candidates through targeted job advertising, whose delivery is then algorithmically optimised. By excluding certain groups from job opportunities, these practices can discriminate in access to work, in relation to grounds protected by EU equality law. This article investigates the possible role of GDPR (Reg. n. 2016/679) in litigating discrimination in targeted and optimised job advertising. It firstly analyses whether and how the data access right under Art. 15(1)(h) can be exercised to gather the prima facie discrimination evidence necessary to bring a discrimination claim against the employer. It then deepens the potential use of Art. 80(2) to address the challenges relating to litigating these discriminatory practices, particularly the victims’ lack of awareness and their difficulty in coordinating.

Issues of personal data protection when using cloud technologies

It is indicated that in today’s digital world, where the amount of stored and processed data is growing at a frantic pace, issues of personal data protection are becoming increasingly important. With the proliferation of cloud technologies that allow companies and individuals to store and process information on remote servers, a new spectrum of threats to data privacy and security is emerging. The article examines the issue of personal data protection when using cloud technologies, in particular, the need to integrate legal and technological aspects to ensure comprehensive protection. The impact of international regulatory acts, such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Protection Act), on cloud data protection processes is analyzed. Particular attention is paid to problems arising from differences in the legal regimes of different countries, which complicate data management at the international level. The article examines in detail modern technical solutions, such as data encryption and multi­factor authentication, which are key elements in protecting confidential information. These technologies have been found to provide a high level of protection, but also have their vulnerabilities. Based on this, it is proposed to invest in the latest technologies, in particular quantum encryption and artificial intelligence, to improve the effectiveness of data protection. Practical cases of data leaks are separately considered, which emphasize the importance of proper configuration of security systems and regular monitoring. Analysis of the results of empirical research shows the need to adapt business processes to changes in the regulatory environment and introduce new technologies to reduce risks. Based on the received data, recommendations for organizations are formulated, which include reviewing data protection policies, investing in modern technologies and training employees. The conclusions of the article emphasize the need for a comprehensive approach to ensuring the protection of personal data in cloud environments. This involves taking into account both modern technologies and current legal requirements to ensure adequate data protection and minimize possible risks.

Legal aspects of children’s privacy on the Internet: balance between protection and freedom

The article is devoted to the study of legal aspects of protection of personal data of minors in the digital environment. In today’s world, the development of information technologies and the widespread use of the Internet create new challenges for the legal system, in particular with regard to the protection of personal data of children and adolescents. The article analyzes national and international legislation regulating the protection of personal data of minors, in particular the provisions of the General Data Protection Regulation (GDPR) and Ukrainian legal acts. Different approaches to giving consent to the processing of personal data by minors are highlighted, in particular, the role of parents or legal representatives in this process. Existing methods of ensuring consent, such as double opt-in, as well as challenges associated with the practical implementation of these methods are considered. The article also outlines the risks children face online, including illegal data collection, including cyberbullying, phishing, child trafficking and other threats. The need to implement effective legal mechanisms for the protection of children on the Internet, which ensure both safety and freedom of information activity, is emphasized. Ensuring the security of personal data of minors in the digital environment should become one of the priority tasks of modern legal regulation, which requires a comprehensive approach and integration of the best international practices. The author concludes that the effective protection of children’s personal data requires a balanced approach that would combine a high level of security with respect for the rights and freedoms of the child in the digital environment. Increasing the level of digital literacy among children and their parents, as well as creating an appropriate legal infrastructure, are important factors that will contribute to reducing risks in the digital environment. The integration of such approaches into the national legal system should become a priority to ensure the sustainable development of the information society. Successful implementation of these initiatives will not only reduce potential threats to children, but also contribute to the formation of a safe and responsible information space for future generations.

The Impact of Machine Learning Algorithms and Big Data on Privacy in Data Collection and Analysis

In the era of rapid technological advancements, machine learning (ML) and big data analytics have become pivotal in harnessing vast amounts of data for insights, efficiency, and innovation across various sectors. However, the widespread collection and analysis of data raise significant privacy concerns, highlighting the delicate balance between leveraging technology for societal benefits and safeguarding individual privacy. This article delves into the complexities of data collection and analysis practices, emphasizing the potential for privacy breaches through methods such as location tracking, browsing habits analysis, and the creation of detailed personal profiles. It discusses the implications of ML algorithms capable of de-anonymizing data, despite measures like data anonymization and encryption aimed at protecting privacy. The article also examines the existing legal frameworks, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), designed to enhance privacy protection, alongside the ethical considerations for developers and companies in using ML and big data. Furthermore, it explores future outlooks, including developments in technologies like federated learning and differential privacy, that promise enhanced privacy protection. The conclusion calls for a concerted effort among policymakers, technologists, and the public to engage in ongoing dialogue and develop solutions that ensure the ethical use of ML and big data while upholding privacy rights.

Data Protection Considerations in Competition Law Assessments: A Qualitative Document Analysis of EU Decision Texts

Abstract Personal data are both protected by a fundamental right and serves as a source of market power. As such, a complex interplay between data protection and competition law arises, sparking debate among policymakers and scholars on whether to incorporate data protection considerations (DPCs) in competition law assessments. Proponents argue that competition cases involving such an interplay require a normative contribution from data protection law, while opponents emphasize the practical challenges of considering data protection as a non-economic public policy objective. We identify nine ways in which data protection might ultimately surface in competition law assessments, categorized into five areas: (i) competition enforcement actions, (ii) existing legal and regulatory framework, (iii) personal data collection, (iv) exclusionary abuses, and (v) alleviation of competition concerns. Using a multiple-step approach for qualitative document analysis, we explore how these considerations have surfaced in the European Commission’s decisional practice through a dataset of 2.041 EU competition decision texts based on articles 101 TFEU and 102 TFEU and the EU Merger Regulation. We identify 53 decisions where DPCs have surfaced, especially in the information and communication industry, where they are more frequently subjected to commitments. In line with the evolving literature, we observe an increasingly integrationist trend as these considerations surface more frequently, particularly since the adoption of the General Data Protection Regulation in 2016 and the Digital Markets Act proposal in 2020. We also find a pattern where data protection provisions are included in commitments as a ‘tick-the-box’ exercise. Several influential alleviations of competition concerns suggest that the Commission is more comfortable using data protection to approve transactions unconditionally rather than as a substantive argument for commitments. We conclude by making a case for a more collaborative approach based on the European Court of Justice’s recent Meta Platforms (2023) judgment. Data protection should be considered in competition law assessments if its normative contribution is required. Such a stance would simply align with the internal logic of competition law without unlawfully expanding its material scope.

Utilization of registers to create an evidence-based approach in catastrophes and civil defence

Medical data registers are a key instrument of medical care research and a valuable tool for medical quality assurance. The structured plausibility tested documentation of large case numbers on a longitudinally oriented time axis with different points in time of data acquisition enables statements to be made on numerous relevant outcomes, not only the mortality of patients. For incidents outside the daily routine care in trauma surgery, such as natural disasters, accidents with multiple casualties and nonmilitary treatment of the domestic population in defence situations, such registers can provide data-based recommendations for action. These data, mainly obtained from routine traumatological treatment, enable a targeted resource management in the abovenamed incidents, which are associated with mass casualties. Due to the utilization of registers from the military field or from international registers, the perspective is additionally extended with respect to treatment strategies and injury patterns. Whether data can also be generated in a suitable manner for the abovenamed registers in specific disaster situations and can provide a direct gain of knowledge from the incident, must be critically discussed. The maintenance of the register datasets is time-consuming and has been subjected to a more stringent regulation at least since May 2018, when the European Union General Data Protection Regulation (EU-GDPR) came into force. The future Register Act in Germany will hopefully achieve greater simplification in the documentation of routine data.