Pre-formulated Declarations of Data Subject Consent—Citizen-Consumer Empowerment and the Alignment of Data, Consumer and Competition Law Protections

2019 ◽  
Vol 20 (05) ◽  
pp. 679-721 ◽  
Author(s):  
Damian Clifford ◽  
Inge Graef ◽  
Peggy Valcke

Abstract: One of the novelties brought about by the new General Data Protection Regulation (GDPR) is a strengthening of the concept of consent. For instance, although the freely given stipulation existed in the old framework—the Data Protection Directive 95/46/EC—the changes introduced by the GDPR arguably imply that access to services may no longer depend on data subject consent. In reality however, data subjects often find themselves confronted with standard privacy policies and take-it-or-leave-it offers. Against this background, this Article aims to examine the alignment of the respective data protection and privacy, consumer protection, and competition law policy agendas through the lens of pre-formulated declarations of consent. The Article aims to delineate the role of each area with specific reference to the GDPR and ePrivacy Directive, the Unfair Terms Directive, the Consumer Rights Directive, and the Digital Content Directive (Compromise), in addition to market dominance. Competition law analysis is explored vis-à-vis whether it could offer indicators of when a clear imbalance in controller-data subject relations may occur in the context of the requirement for consent to be freely given, as per its definition in the GDPR. This complements the data protection and consumer protection analysis which focuses on the specific reference to the Unfair Terms Directive in Recital 42 GDPR, stating that pre-formulated declarations of consent should not contain unfair terms.

This new book provides an article-by-article commentary on the new EU General Data Protection Regulation. Adopted in April 2016 and applicable from May 2018, the GDPR is the centrepiece of the recent reform of the EU regulatory framework for protection of personal data. It replaces the 1995 EU Data Protection Directive and has become the most significant piece of data protection legislation anywhere in the world. This book is edited by three leading authorities and written by a team of expert specialists in the field from around the EU and representing different sectors (including academia, the EU institutions, data protection authorities, and the private sector), thus providing a pan-European analysis of the GDPR. It examines each article of the GDPR in sequential order and explains how its provisions work, thus allowing the reader to easily and quickly elucidate the meaning of individual articles. An introductory chapter provides an overview of the background to the GDPR and its place in the greater structure of EU law and human rights law. Account is also taken of closely linked legal instruments, such as the Directive on Data Protection and Law Enforcement that was adopted concurrently with the GDPR, and of the ongoing work on the proposed new E-Privacy Regulation.


2021 ◽  
pp. 77-91
Author(s):  
Kieron O’Hara

This chapter describes the Brussels Bourgeois Internet. The ideal consists of positive, managed liberty where rights of others are respected, as in the bourgeois public space, where liberty follows only when rights are secured. The exemplar of this approach is the European Union, which uses administrative means, soft law, and regulation to project its vision across the Internet. Privacy and data protection have become the most emblematic struggles. Under the Data Protection Directive of 1995, the European Union developed data-protection law and numerous privacy rights, including a right to be forgotten, won in a case against Google Spain in 2014, the arguments about which are dissected. The General Data Protection Regulation (GDPR) followed in 2018, amplifying this approach. GDPR is having the effect of enforcing European data-protection law on international players (the ‘Brussels effect’), while the European Union over the years has developed unmatched expertise in data-protection law.


Author(s):  
Szilvia Varadi

Cloud Computing is a diverse research area that encompasses many aspects of sharing software and hardware solutions, including computing and storage resources, application runtimes or complex application functionalities. In the supply of any goods and services, the law gives certain rights that protect the consumer and provider, which also applies for Cloud Computing. This new technology also moves functions and responsibilities away from local ownership and management to a third-party provided service, and raises several legal issues, such as data protection, which require this service to comply with necessary regulation. In this chapter the author investigates the revised legislation of the European Union resulting in the General Data Protection Regulation, which will be used to set up the new European Data Protection Framework. The author gathers and summarizes the most relevant changes this regulation brings to the field of Clouds, and draws relations to the previous legislation called the Data Protection Directive currently in force.


AJIL Unbound ◽  
2020 ◽  
Vol 114 ◽  
pp. 5-9 ◽  
Author(s):  
Cedric Ryngaert ◽  
Mistale Taylor

The deterritorialization of the Internet and international communications technology has given rise to acute jurisdictional questions regarding who may regulate online activities. In the absence of a global regulator, states act unilaterally, applying their own laws to transborder activities. The EU's “extraterritorial” application of its data protection legislation—initially the Data Protection Directive (DPD) and, since 2018, the General Data Protection Regulation (GDPR)—is a case in point. The GDPR applies to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services . . . to such data subjects in the Union; or (b) the monitoring of their behaviour . . . within the Union.” It also conditions data transfers outside the EU on third states having adequate (meaning essentially equivalent) data protection standards. This essay outlines forms of extraterritoriality evident in EU data protection law, which could be legitimized by certain fundamental rights obligations. It then looks at how the EU balances data protection with third states’ countervailing interests. This approach can involve burdens not only for third states or corporations, but also for the EU political branches themselves. EU law viewed through the lens of public international law shows how local regulation is going global, despite its goal of protecting only EU data subjects.


2021 ◽  
Vol 11 (22) ◽  
pp. 10574
Author(s):  
Sung-Soo Jung ◽  
Sang-Joon Lee ◽  
Ieck-Chae Euom

With the growing awareness regarding the importance of personal data protection, many countries have established laws and regulations to ensure data privacy and are supervising managements to comply with them. Although various studies have suggested compliance methods of the general data protection regulation (GDPR) for personal data, no method exists that can ensure the reliability and integrity of the personal data processing request records of a data subject to enable its utilization as a GDPR compliance audit proof for an auditor. In this paper, we propose a delegation-based personal data processing request notarization framework for GDPR using a private blockchain. The proposed notarization framework allows the data subject to delegate requests to process personal data; the framework makes the requests to the data controller, which performs the processing. The generated data processing request and processing result data are stored in the blockchain ledger and notarized via a trusted institution of the blockchain network. The Hyperledger Fabric implementation of the framework demonstrates the fulfillment of system requirements and feasibility of implementing a GDPR compliance audit for the processing of personal data. The analysis results with comparisons among the related works indicate that the proposed framework provides better reliability and feasibility for the GDPR audit of personal data processing request than extant methods.


Author(s):  
Jef Ausloos

This book critically investigates the role of data subject rights in countering information and power asymmetries online. It aims at dissecting ‘data subject empowerment’ in the information society through the lens of the right to erasure (‘right to be forgotten’) in Article 17 of the General Data Protection Regulation (GDPR). In doing so, it provides an extensive analysis of the interaction between the GDPR and the fundamental right to data protection in Article 8 of the Charter of Fundamental Rights of the EU (Charter), how data subject rights affect fair balancing of fundamental rights, and what the practical challenges are to effective data subject rights. The book starts with exploring the data-driven asymmetries that characterize individuals’ relationship with tech giants. These commercial entities increasingly anticipate and govern how people interact with each other and the world around them, affecting core values such as individual autonomy, dignity, and freedom. The book explores how data protection law, and data subject rights in particular, enable resisting, breaking down or at the very least critically engaging with these asymmetric relationships. It concludes that despite substantial legal and practical hurdles, the GDPR’s right to erasure does play a meaningful role in furthering the fundamental right to data protection (Art 8 Charter) in the face of power asymmetries online.


Author(s):  
Ammar Younas ◽  

The increasing ‘datafication of society’ and ubiquitous computing resulted in high privacy risks such as commercial exploitation of personal data, discrimination, identity theft and profiling (automated processing of personal data). Especially, minor data subjects are more likely to be victims of unfair commercial practices due to their behavioral characteristics (emotional volatility and impulsiveness) and unawareness of consequences of their virtual activities. Accordingly, it has been claimed that thousands of mobile apps utilized by children collected their data and used it for tracking their location, processed it for the development of child profiles so as to tailor behavioral advertising targeted at them and shared it with third parties without children’s or parent’s knowledge. Following these concerns, recently adopted EU General Data Protection Regulation (679/2016) departed from its Data Protection Directive (DPD) in terms of children’s data protection by explicitly recognizing that minors need more protection than adults and providing specific provisions aimed at protecting children’s right to data protection. Unlike the GDPR, the DPD was designed to provide “equal” protection for all data subjects irrespective of their age. This paper argues that consent principle along with the requirement of parental consent cannot effectively be implemented for the protection of children’s data due to the lack of actual choice, verification issues and complexity of data processing, and also the outcome of the privacy notices in a child-appropriate form is limited. However, there are other mechanisms and restrictions embodied in the GDPR, which provide opportunities for the protection of children’s data by placing burden on data controllers rather than data subjects.


2021 ◽  
Vol 3 (5) ◽  
pp. 195-202
Author(s):  
Olga N. Tsiptse

In May 2018 a European Regulation, with direct force to all European Members, came into action: the General Data Protection Regulation, EU2016/679. It is a severe Regulation that was published in 2016 and set a 2-year period of time for all the Member States to adjust. This text, which implies huge fines for noncompliance, also affects the ADR mechanisms, like Arbitration, Mediation, etc. There is a Principle of accountability of paramount importance, which the GDPR implies and which requires data controllers to take personal responsibility for data protection compliance and record the measures they take to comply with their data protection obligations. Even though almost 3 years have passed, the issues still remain: How is the interaction between ADR and GDPR? Which are the roles of the actors of alternative dispute resolution methods, and due to these roles which are the responsibilities? What is considered a lawful process, in accordance with GDPR, during the procedure of an ADR mechanism? It is also paramount to take into consideration that the scope of that European Regulation directly affects even actors of non-EU territory, according to article 3.2 & 3 GDPR: 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: - the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or - the monitoring of their behavior as far as their behavior takes place within the Union. 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.


2013 ◽  
Vol 15 ◽  
pp. 27-46 ◽  
Author(s):  
Peter Blume ◽  
Christian Wiese Svanberg

Abstract: The proposal for a new General Data Protection Regulation has been billed as a harbinger of increased harmonisation, better enforcement and modernised rules within the area of data protection law. Through an analysis of several central elements in the draft Regulation—and European data protection law in general—as well as an assessment of the practical implications the proposal is likely to have if adopted, this chapter challenges whether the proposal will be able to deliver the harmonised rules that have been promised. It focuses particularly on the proposed regulation's scope of application, its legal architecture, the use of discretionary provisions and related issues. It is argued that the proposal not only fails to address the root causes of why the current data protection directive (Directive 95/46) failed to bring about harmonisation and effective rules, but also looks set to transplant them into the new regulation.


2020 ◽  
Vol 11 (3) ◽  
pp. 351-374
Author(s):  
Foivi Mouzakiti

Financial Intelligence Units (FIUs) hold a central position in the chain of actors responsible for the monitoring of money movements in the European Union. In support of their role, which is to receive, analyse and disseminate suspicious transaction reports, they have been furnished with significant information processing powers. At present, FIUs feature prominently in the EU’s anti-money laundering and counterterrorist financing agendas and plans to further enhance their powers of information exchange are underway. At the same time, however, the legal challenges that arise from their constant empowerment, particularly for the protection of personal data, are being overlooked. This article focuses on the cooperation between FIUs in the EU and argues that the latter takes place under a complex legal framework, which raises significant challenges for data protection. In particular, it highlights the present-day uncertainty over the data protection framework that governs their operations and discusses whether FIUs should be subject to the General Data Protection Regulation or to its law enforcement counterpart, the Police Data Protection Directive. The remainder of the article focuses on the ‘FIU.net’ – the decentralized network for information exchanges between EU FIUs – and on the data protection challenges that emerged from the recent integration of this network into Europol.

