Union General Data Protection Regulation Research Articles

Implication of Personalized Advertising on Personal Data: A Legal Analysis of the EU General Data Protection Regulation

p>The accelerating emergence of personalised advertising is mostly driven by data. Accordingly, algorithmic profiling has become a constant experience for every online user in predicting preference and interest. The profiling process raises several issues of human privacy and personal data invasion. Therefore, this study adopts the doctrinal legal method through the analysis of International Instruments and the European Union General Data Protection Regulation as legal avenue to safeguard and protect online activities of the data subjects. The findings of this paper discuss the main principles to be observed by the data controller in ensuring the legality of personal data profiling. This paper suggests the profiling process to be design-based security due to unavailability of system procedure to human knowledge. Keywords: Personalised Advertising; Algorithmic Targeting; Personal Data Profiling; EU General Data Protection Regulation eISSN: 2398-4287 © 2022. The Authors. Published for AMER ABRA cE-Bs by e-International Publishing House, Ltd., UK. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer–review under responsibility of AMER (Association of Malaysian Environment-Behaviour Researchers), ABRA (Association of Behavioural Researchers on Asians/Africans/Arabians) and cE-Bs (Centre for Environment-Behaviour Studies), Faculty of Architecture, Planning & Surveying, Universiti Teknologi MARA, Malaysia. DOI: https://doi.org/10.21834/ebpj.v7i22.4160

The Magnitude of GDPR To Malaysia

The European Union (“EU”) General Data Protection Regulation (“GDPR”) governs any individuals or companies that stores or processes personal information about EU citizens within EU states even if it does not involve a business presence within the EU. Malaysian businesses need to comply with the GDPR as failure to comply will cause disruption or discontinuance of business. This paper aims to understand and evaluate the scope of the GDPR and its effect on personal data protection in Malaysia. It employs a doctrinal qualitative approach by examining the GDPR and the Malaysia Personal Data Protection Act 2010. This paper suggests that the GDPR provides a more comprehensive law with its holistic principles and rights which may provide lessons for Malaysia in protecting personal data as the area covered by the GDPR is broader specifically the non-commercial transactions, its wider range of rights and the extraterritorial applicability.

Implications of GDPR on Emerging Technologies in Healthcare

In the present digital era, organizations worldwide, including healthcare institutions, are facing several opportunities and challenges in safeguarding and preserving significant data that are essential in the efficient functioning of organizational activities. Organizations have realized and understood the importance of data collection and analysis to influence target achievements and meet futuristic demands. Many small-scale enterprises and start-ups have also initiated decisions to implement technologies that enable a positive long-term impact. Due to these requirements, the General Data Protection Regulation (GDPR) implementation has become a necessity to ensure future sustenance and functionality of existing and growing organizations. The operational activities in the organizational environment are forced to comply with the general data protection regulation policies and framework. The European Union general data protection regulation, which was imposed in May 2018 (European Union General Data Protection Regulation, 2016), has proven to be effective, both within the country’s internal boundaries and globally. However, many organizations are still not familiar with the general data protection regulation compliance policies. The emergence of general data protection regulation has been a recent interest in the activities of various organizational sectors as they are attempting to understand the policies and compliance requirements on the implementation of GDPR applications. The research intends to explore the implications between the GDPR and emerging technologies and suggests various recommendations for organizations to implement and follow the GDPR guidelines that could enhance organizational activities.

Data governance through a multi-DLT architecture in view of the GDPR

The centralization of control over the processing of personal data threatens the privacy of individuals due to the lack of transparency and the obstruction of easy access to their data. Individuals need the tools to effectively exercise their rights, enshrined in regulations such as the European Union General Data Protection Regulation (GDPR). Having direct control over the flow of their personal data would not only favor their privacy but also a “data altruism”, as supported by the new European proposal for a Data Governance Act. In this work, we propose a multi-layered architecture for the management of personal information based on the use of distributed ledger technologies (DLTs). After an in-depth analysis of the tensions between the GDPR and DLTs, we propose the following components: (1) a personal data storage based on a (possibly decentralized) file storage (DFS) to guarantee data sovereignty to individuals, confidentiality and data portability; (2) a DLT-based authorization system to control access to data through two distributed mechanisms, i.e. secret sharing (SS) and threshold proxy re-encryption (TPRE); (3) an audit system based on a second DLT. Furthermore, we provide a prototype implementation built upon an Ethereum private blockchain, InterPlanetary File System (IPFS) and Sia and we evaluate its performance in terms of response time.

The European General Data Protection Regulation (GDPR) in mHealth: Theoretical and practical aspects for practitioners' use.

The extensive use of smart technology (smartphones and wearables) and the vast amount of information they contain have positioned remote devices and technology as a massive database resource. Harnessing these big data into the clinical and research fields has introduced a new horizon of possibilities along with significant privacy issues. A significant evolution in this respect has been the introduction of the new European Union (EU) General Data Protection Regulation (GDPR). The GDPR acknowledges that information related to individuals (i.e. personal data), as well as data flow, and thus databases, are of high political, clinical, and economic value. Hence, the Regulation aims to protect personal data and, consequentially, privacy. Nevertheless, the GDPR is a legal document with legal language. The purpose of this paper is to serve as a - practical guidance as well as a theoretical framework - for clinicians (and non-clinicians) who integrates digital tools in their clinical and research work.

Conception of An Independent Surveillance Authority in the Effort to Protect Population Data

The rapid progress of digital transformation underscores the critical need for robust personal data protection as a guarantee of individual rights, particularly to address the prevalent issues of data leakage and misuse, including population data. This need aligns with Article 28 G of the 1945 Constitution, which is actualized through the provision of access to population data for verification purposes to both state and private institutions. Additionally, data users are mandated to adhere to a Zero Data Sharing Policy that strictly prohibits the dissemination or sharing of population data with third parties. However, challenges persist due to limited legal protections concerning personal data classifications and the delineation of authority between data owners and users, highlighting the urgent need for comprehensive personal data protection legislation. Furthermore, the establishment of an Independent Surveillance Authority is essential to ensure effective regulation enforcement. This Authority's roles and powers would align with government efforts to protect population data and be guided by the standards set forth in the European Union General Data Protection Regulation (EU GDPR). Its independent status is crucial to prevent undue influence from parties with vested interests. Functionally, such an authority would enhance the effectiveness of the Zero Data Sharing Policy through its capacity to conduct investigations and enforce collective rights, thus ensuring the protection of human rights. This research employs normative legal research, utilizing legislation and literature reviews alongside descriptive analysis with a deductive approach to manage qualitative data, concluding that legal protections must be bolstered by optimal oversight through an established Independent Surveillance Authority.

Privacy, Data Sharing, and Data Security Policies of Women's mHealth Apps: Scoping Review and Content Analysis.

BackgroundWomen’s mobile health (mHealth) is a growing phenomenon in the mobile app global market. An increasing number of women worldwide use apps geared to female audiences (female technology). Given the often private and sensitive nature of the data collected by such apps, an ethical assessment from the perspective of data privacy, sharing, and security policies is warranted.ObjectiveThe purpose of this scoping review and content analysis was to assess the privacy policies, data sharing, and security policies of women’s mHealth apps on the current international market (the App Store on the Apple operating system [iOS] and Google Play on the Android system).MethodsWe reviewed the 23 most popular women’s mHealth apps on the market by focusing on publicly available apps on the App Store and Google Play. The 23 downloaded apps were assessed manually by 2 independent reviewers against a variety of user data privacy, data sharing, and security assessment criteria.ResultsAll 23 apps collected personal health-related data. All apps allowed behavioral tracking, and 61% (14/23) of the apps allowed location tracking. Of the 23 apps, only 16 (70%) displayed a privacy policy, 12 (52%) requested consent from users, and 1 (4%) had a pseudoconsent. In addition, 13% (3/23) of the apps collected data before obtaining consent. Most apps (20/23, 87%) shared user data with third parties, and data sharing information could not be obtained for the 13% (3/23) remaining apps. Of the 23 apps, only 13 (57%) provided users with information on data security.ConclusionsMany of the most popular women’s mHealth apps on the market have poor data privacy, sharing, and security standards. Although regulations exist, such as the European Union General Data Protection Regulation, current practices do not follow them. The failure of the assessed women’s mHealth apps to meet basic data privacy, sharing, and security standards is not ethically or legally acceptable.

Empowering Families Through Technology: A Mobile-Health Project to Reduce the TAND Identification and Treatment Gap (TANDem).

IntroductionTuberous Sclerosis Complex (TSC) is a multi-system genetic disorder with various TSC-Associated Neuropsychiatric Disorders (TAND) that significantly impact the mental health and wellbeing of individuals with TSC and their caregivers. TAND represents the number one concern to families worldwide, yet is highly under-identified and under-treated. The clinician-administered TAND-Checklist (Lifetime version, TAND-L) has improved identification of TAND in clinical settings. However, many individuals with TSC and their caregivers still have difficulty accessing suitable support for diagnosis and evidence-informed interventions. The TANDem study is a community-based participatory research project with a broad range of TSC stakeholders aimed at reducing the TAND identification and treatment gap.ObjectivesParticipatory research identified three priority next steps: 1) development and validation of a self-report, quantified version of the TAND Checklist (TAND-SQ) and building the TAND-SQ into a smartphone application, 2) generation of consensus clinical recommendations for the identification and treatment of TAND, to be incorporated as a TAND toolkit on the app, and 3) establishment of a global TAND consortium through networking, capacity-building and public engagement activities.MethodsTANDem is a four-year project, and includes 24 consortium members from 10 countries representing all World Health Organization regions. Collaborators represent five stakeholder groups (family representatives, technology experts, clinical experts, non-profit organisations and researchers). Here we outline the project study protocol in detail, describing the scientific rationale, the project aims and objectives, the methods involved in participant recruitment, multi-site and multi-phase data collection, data analysis, ethical considerations including informed consent, data protection, privacy and confidentiality considerations related to the European Union General Data Protection Regulation and the USA Health Insurance Portability and Accountability Act. The expected outcomes and potential impact on the TSC community, implementation and dissemination of results, as well as future scale-up and scale-out plans are also discussed.ConclusionsThe TANDem project has the potential to transform the global TSC community by empowering families living with TSC through an easily accessible digital solution to allow them to document their own TAND needs linked to an evidence-informed toolkit to enhance personalised healthcare, and by providing healthcare professionals with consensus clinical recommendations to prevent, identify and manage TAND manifestations.

Data privacy project efficiency with cross-functional data governance team

The paper aims to observe the impact of data governance and leadership related cross-functional organisational practices on project efficiency, measuring several predictors, moderator, and mediator variables. The paper's empirical data are collected from 98 data management professionals involved in recent European Union General Data Protection Regulation (EU GDPR) projects associated with party data in larger organisations across Europe. The study suggests that Cross-Functional Governance Integration (CFGI) leads to an increase of Privacy Project Speed (PPS). The strength of that relationship is increased by Line-of-Business Stakeholders Governance Participation (LOBS-GP) (moderation). The central construct in this research of CFGI is even more relevant as it is the underlying mechanism where Governance Team Leadership (GTL) also leads to an increase of PPS (mediation).

Controversies between regulations of research ethics and protection of personal data: informed consent at a cross-road.

This paper explores some key discrepancies between two sets of normative requirements applicable to the research use of personal data and human biological materials: (a) the data protection regime which follows the application of the European Union General Data Protection Regulation (GDPR), and (b) the Declaration of Helsinki, CIOMS guidelines and other research ethics regulations. One source of this controversy is that the GDPR requires consent to process personal data to be clear, concise, specific and granular, freely given and revocable and therefore has challenged the concept of ‘broad consent’, which has been widely applied in the context of biobanking. Another source of controversy is the interplay between regulations of research ethics and protection of personal data related to the secondary use of personal data and biological materials. In this case, the GDPR ‘research condition’ provides an alternative to re-consent for the use of previously collected personal data and biological materials. Although the mentioned controversies have been raised in the legal literature, they have not been explicitly addressed from the research ethics perspective. Should consent be regarded as a priority legal basis for personal data processing in health data research? Can broad consent still be a suitable legal ground for biobanking? What should be the role of research ethics provisions that differ from the GDPR standards, and what should be the role and function of research ethics committees in the changing environment of health data research? These are the ongoing controversies to be explored in the paper.

Implications of GDPR on Emerging Technologies

In the present digital era, organizations worldwide are facing several opportunities and challenges in safeguarding and preserving significant data that are essential in the efficient functioning of organizational activities. Organizations have realized and understood the importance of data collection and analysis to influence target achievements and meet futuristic demands. Many small-scale enterprises and start-ups have also initiated decisions to implement technologies that enable a positive long-term impact. Due to these requirements, the General Data Protection Regulation (GDPR) implementation has become a necessity to ensure future sustenance and functionality of existing and growing organizations. The operational activities in the organizational environment are forced to comply with the general data protection regulation policies and framework. The European Union general data protection regulation, which was imposed in May 2018 (European Union General Data Protection Regulation, 2016), has proven to be effective, both within the country's internal boundaries and globally. However, many organizations are still not familiar with the general data protection regulation compliance policies. The emergence of general data protection regulation has been a recent interest in the activities of various organizational sectors as they are attempting to understand the policies and compliance requirements on the implementation of GDPR applications. The research intends to explore the implications between the GDPR and emerging technologies and suggests various recommendations for organizations to implement and follow the GDPR guidelines that could enhance organizational activities.

THE RIGHT TO PRIVACY IN THE AGE OF PANDEMICS “A STUDY IN GERMAN AND EUROPEAN LAW”

The right to protection of personal data arises where personal data requires processing, usage ad storage. It is therefore a process requiring extracting of personal data from an individual and processing it without infringing on the person’s rights to protection of data as well as privacy. Contact tracing technology is used at the time of epidemics, and it is a technique by which people can be monitored to find out their interactions with a person who has tested positive for a specific infectious disease. This process was previously done as a means of managing infectious diseases so as to shorten the response time. Specifically, for the Covid-19 pandemic, the process has been digitized across the globe. In dealing with covid-19, the state should take into consideration the need to balance between the right of individuals to good health and the right to protection of data as contact tracing and following up on infections is paramount in managing the corona virus pandemic. This can be through setting out legislation that limits the use of information collected for the purposes of corona-virus for that limited purpose in the required institutions. Since Coronavirus is an emerging problem, more needs to be done in terms of research to understand how to deal with it effectively and in balance while protecting the rights and freedoms of individuals. The Paper discuss the legal principles on the right to personal privacy in both Germany and the European Union, through a comparative study between European Union General Data Protection Regulation (GDPR) which came into force on 25th May 2018, and German Federal Data Protection Act (BDSG) of 30 June 2017, amended by Article 12 of the Act of November 20, 2019. it will delve deeper on the relationship between the protection of personal data and other fundamental rights and freedoms. Lastly it studies the balancing between measures that could help track and contain the virus while safeguarding the privacy of individuals.

Personal Data Security in South Africa’s Financial Services Market: The Protection of Personal Information Act 4 of 2013 and the European Union General Data Protection Regulation Compared

The contemporary global financial services market has witnessed a substantial increase in cybercrime which places consumers’ personal data at risk. Rapid increases in cybercrime linked to the financial services market have driven financial market regulators to pass novel laws and regulations aimed at curbing the rate of occurrence of cybercrimes connected to personal data sharing. To that end, banks and/or financial services companies in Europe have swiftly moved to comply with the European Union’s General Data Protection Regulation. Whilst personal data protection regulation is not a new concept in Europe, most African countries (with exception of South Africa) do not have laws and regulations on personal data protection. With the financial services market being extremely vulnerable to cyber risks owing to the digitisation of the financial services sector, it is important to assess the suitability of South Africa’s current regulatory framework concerning the protection of personal data. This article thus examines South Africa’s Protection of Personal Information Act 4 of 2013 with a view to ascertaining its suitability and/or adequacy in protecting personal data in the country’s financial services market. With the global Covid-19 pandemic bringing about concerns related to rapid increases in cyber-attacks in the financial services market owing to the increased sharing of the sensitive personal data of consumers, there is also need to test the POPIA’s conformity with the strict European Union GDPR personal data protection guidelines.

'If relevant, yes; if not, no': General practitioner (GP) users and GP perceptions about asking ethnicity questions in Irish general practice: A qualitative analysis using Normalization Process Theory.

The use of ethnic identifiers in health systems is recommended in several European countries as a means to identify and address heath inequities. There are barriers to implementation that have not been researched. This study examines whether and how ethnicity data can be collected in Irish general practices in a meaningful and acceptable way. Qualitative case study data generation was informed by Normalization Process Theory (NPT) constructs about 'sense' making and 'engagement'. It consisted of individual interviews and focus group discussions based on visual participatory techniques. There were 70 informants, including 62 general practitioner (GP) users of diverse ethnic backgrounds recruited through community organisations and eight GPs identified through an inter-agency steering group. Data were analysed according to principles of thematic analysis using NPT. The link between ethnicity and health was often considered relevant because GP users grasped connections with genetic (skin colour, lactose intolerance), geographic (prevalence of disease, early years exposure), behavioural (culture/food) and social determinant (housing) factors. The link was less clear with religion. There was some scepticism and questions about how the collection of data would benefit GP consultations and concerns regarding confidentiality and the actual uses of these data (e.g. risk of discrimination, social control). For GPs, the main theme discussed was relevance: what added value would it bring to their consultations and was it was their role to collect these data? Their biggest concern was about data protection issues in light of the European Union (EU) General Data Protection Regulation (GDPR). The difficulty in explaining a complex concept such as 'ethnicity' in the limited time available in consultations was also worrying. Implementation of an ethnicity identifier in Irish general practices will require a strong rationale that makes sense to GP users, and specific measures to ensure that its benefits outweigh any potential harm. This is in line with both our participants' views and the EU GDPR.

Privacy in the Era of Big Data: Unlocking the Blue Oceans of Data Paradigm in Malaysia

Big Data has revolutionized the process of online activities such as marketing and advertisement based on individual preferences in the eCommerce industry. In Malaysia, the integration of Big Data in the commercial and business environment is keenly felt by establishing the National Big Data Analytics Framework catalyzing further economic growth in all sectors. However, the distinct features of Big Data spawn issues relating to privacy, such as data profiling, lack of transparency regarding privacy policies, accidental disclosures of data, false data or false analytics results. Hence, this research provides an insight into the intersection between Big Data and an individual's fundamental rights. The trade-off between privacy breaching and preserving is becoming more intense due to the rapid advancement of Big Data. Suggesting comparative analysis method as the data analysis approach, the adequacy of the Malaysian Personal Data Protection Act 2010 (PDPA 2010) in governing the risks of Big Data is evaluated against the European Union General Data Protection Regulation (GDPR) in managing the risk arising from the integration of Big Data. This research is hoped to initiate the improvement to the legislative framework, provides fundamentals to the formulation of national policy, and creation of specific law on Big Data in Malaysia, which will subsequently benefit industrial players and stakeholders.

BCFL logging: An approach to acquire and preserve admissible digital forensics evidence in cloud ecosystem

Log files are the primary source of recording users, applications and protocols, activities in the cloud ecosystem. Cloud forensic investigators can use log evidence to ascertain when, why and how a cyber adversary or an insider compromised a system by establishing the crime scene and reconstructing how the incident occurred. However, digital evidence acquisition in a cloud ecosystem is complicated and proven difficult, even with modern forensic acquisition toolkit. The multi-tenancy, Geo-location and Service-Level Agreement have added another layer of complexity in acquiring digital log evidence from a cloud ecosystem. In order to mitigate these complexities of evidence acquisition in the cloud ecosystem, we need a framework that can forensically maintain the trustworthiness and integrity of log evidence. In this paper, we design and implement a Blockchain Cloud Forensic Logging (BCFL) framework, using a Design Science Research Methodological (DSRM) approach. BCFL operates primarily in four stages: (1) Process transaction logs using Blockchain distributed ledger technology (DLT). (2) Use a Blockchain smart contract to maintain the integrity of logs and establish a clear chain of custody. (3) Validate all transaction logs. (4) Maintain transaction log immutability. BCFL will also enhance and strengthen compliance with the European Union (EU) General Data Protection Regulation (GDPR). The results from our single case study will demonstrate that BCFL will mitigate the challenges and complexities faced by digital forensics investigators in acquiring admissible digital evidence from the cloud ecosystem. Furthermore, an instantaneous performance monitoring of the proposed Blockchain cloud forensic logging framework was evaluated. BCFL will ensure trustworthiness, integrity, authenticity and non-repudiation of the log evidence in the cloud.

Legal Aspects of Artificial Intelligence on Automated Decision-Making in Indonesia

This paper analyzes the importance of Indonesia's comprehensive legal framework on automated decision-making empowered by Artificial Intelligence, comparing it to the European Union, the United States, and China. Specifically, this paper inquires about the status quo of the legal protection of automated decision-making In Indonesia. The analysis highlights profiling in an automated decision-making system with the following discussion about personal data protection. In this context, the European Union's member states set out the General Data Protection Regulation (GDPR) that prohibits automated decision-making to a certain extent. In the United States, the practice of automated decision-making is rather usual. Simultaneously, China takes an exceptional measure instead and develops this automation through a social credit system. The analysis concludes that Indonesia has weak legal protection towards personal data and profiling, which later becomes the basis in facilitating automated decision-making. The provision of automated decision-making and profiling is the absolute bare minimum to Indonesia's Personal Data Protection Bill due to insufficient legal certainty. In the end, it is paramount for lawmakers to consider a comprehensive regulation on automated decision-making by adopting the European Union's GDPR framework.
 KEYWORDS: Artificial Intelligence, Automated Decision-Making, Personal Data Protection.

Remote monitoring of cardiac implanted electronic devices: legal requirements and ethical principles - ESC Regulatory Affairs Committee/EHRA joint task force report.

The European Union (EU) General Data Protection Regulation (GDPR) imposes legal responsibilities concerning the collection and processing of personal information from individuals who live in the EU. It has particular implications for the remote monitoring of cardiac implantable electronic devices (CIEDs). This report from a joint Task Force of the European Heart Rhythm Association and the Regulatory Affairs Committee of the European Society of Cardiology (ESC) recommends a common legal interpretation of the GDPR. Manufacturers and hospitals should be designated as joint controllers of the data collected by remote monitoring (depending upon the system architecture) and they should have a mutual contract in place that defines their respective roles; a generic template is proposed. Alternatively, they may be two independent controllers. Self-employed cardiologists also are data controllers. Third-party providers of monitoring platforms may act as data processors. Manufacturers should always collect and process the minimum amount of identifiable data necessary, and wherever feasible have access only to pseudonymized data. Cybersecurity vulnerabilities have been reported concerning the security of transmission of data between a patient's device and the transceiver, so manufacturers should use secure communication protocols. Patients need to be informed how their remotely monitored data will be handled and used, and their informed consent should be sought before their device is implanted. Review of consent forms in current use revealed great variability in length and content, and sometimes very technical language; therefore, a standard information sheet and generic consent form are proposed. Cardiologists who care for patients with CIEDs that are remotely monitored should be aware of these issues.

What GDPR and the Health Research Regulations (HRRs) mean for Ireland: a research perspective

BackgroundIrish Health Research Regulations (HRRs) were introduced following the European Union (EU) General Data Protection Regulation (GDPR) in 2018. The HRRs described specific supplementary regulatory requirements for research regarding governance, processes and procedure that impact on several facets of research. The numerous problems that the HRRs and particularly “explicit consent” inadvertently created were presented under the auspices of the Irish Academy of Medical Sciences (IAMS) on November 25, 2019, at the Royal College of Surgeons in Ireland.AimsThe objective of this review was to obtain feedback and to examine the impact of GDPR and the HRRs on health research in Ireland in order to determine whether the preliminary feedback, presented at the IAMS meetings, was reflected at a national level.MethodsIndividuals from the research community were invited to provide feedback on the impact, if any, of the HRRs on health research. Retrospective patient recruitment and consent outside a hospital setting for a multi-institutional Breast Predict study (funded by the Irish Cancer Society) were also analysed.ResultsFeedback replicated the issues presented at the IAMS with additional concerns identified. Only 20% of the original target population (n = 1987) could be included in the Breast Predict study.ConclusionsOur results confirm that the HRRs have had a significantly negative impact on health research in Ireland. Urgent meaningful engagement between patient advocate groups, the research community and legislators would help ameliorate these impacts.

Ensure future EU GDPR compliance with ongoing conversations, planning

Panic. Two years ago, that was a common feeling when it came to preparing to comply with the European Union General Data Protection Regulation.