Protection of Personal Data in Clouds and Rights of Individuals

2021 ◽  
pp. 257-293
Author(s):  
Dimitra Kamarinou ◽  
Christopher Millard ◽  
Felicity Turton

This chapter focuses on the rights and remedies that individual users of cloud computing services may enjoy under the EU's General Data Protection Regulation (GDPR). It begins by considering the concept of the individual as 'data subject', which is inextricably linked to the concept of 'personal data'. The term 'data subject' is not defined explicitly in the GDPR. Instead, it is referenced in parenthesis within the definition of personal data. The definition of personal data is purposefully broad so as to include the vast range of information from which an individual may be identified. The chapter then explores the rights afforded to data subjects, including the right to be informed; the rights of access, rectification, and erasure; the right to data portability; the right to object to processing; and the right not to be subject to automated decision making, including profiling. Finally, it looks at the remedies and compensation available to data subjects. One of the biggest challenges to data subjects knowing and being able to exercise their rights is a potential lack of transparency with regard to how and by whom their personal data are collected and further processed in the cloud.

2020 ◽  
pp. 116-127
Author(s):  
Marta Kive

The aim of the publication is to analyze the advantages and disadvantages of the right to data portability, as well as to look at them in the context of development of a legal framework for the protection of personal data. The General Data Protection Regulation entered into force on 25 May 2018 and introduced a new legal framework for the protection of personal data in the European Union, and also included several new rights, including the right to data portability. These are rights of the data subject to receive personal data concerning himself, which he has provided to the controller, in a structured, widely used and machine‐readable format, and transmit this information to another controller, if it is possible. The right to data portability applies only to personal data provided by the controller to the data subject himself, and only if the processing was initially based on the consent of the user or on the basis of a contract. This means that the right to data portability is not feasible when data processing is based on another legal basis. In the context of the right to data portability, data subjects directly transmit data from one data controller to another where technically possible. The regulation does not specify what is meant by “technically feasible”. The wording indicates that this should be addressed on a case‐by‐case basis and a dynamic interpretation of the term “technically feasible” should be ensured. This is limited because the Regulation does not oblige data controllers to accept or maintain compatible processing systems.


Author(s):  
Ludmila Georgieva ◽  
Christopher Kuner

Article 4(1) (Definition of personal data); Article 4(2) (Definition of processing); Article 4(11) (Definition of consent); Article 4(13) (Definition of genetic data, see also recital 34); Article 4(14) (Definition of biometric data); Article 4(15) (Definition of data concerning health, see also recital 35); Article 6(4)(c) (Lawfulness of processing, compatibility test) (see too recital 46 on vital interest); Article 13(2)(c) (Information to be provided where personal data are collected from the data subject); Article 17(1)(b), (3)(c) (Right to erasure (‘right to be forgotten’)); Article 20(1)(a) (Right to data portability); Article 22(4) (Automated individual decision-making, including profiling); Article 27(2)(a) (Representatives of controllers or processors not established in the Union); Article 30(5) (Records of processing activities); Article 35(3)(b) (Data protection impact assessment) (see too recital 91); Article 37(1)(c) (Designation of the data protection officer) (see too recital 97); Article 83(5)(a) (General conditions for imposing administrative fines).


Author(s):  
Helena U. Vrabec

Chapter 7 analyses the right to data portability set out in Article 20 of the GDPR. It first provides an overview of several commercial and regulatory initiatives that preceded the GDPR version of the right to personal data portability. Next, it explores the language of Article 20 to demonstrate the effects of the narrow scope of the right. The chapter then shows how data portability interacts with other data subject rights, particularly with the right to access and the right to be forgotten, before it describes manifestations of data portability in legal areas outside of the data protection law. Finally, the chapter explores the specific objective of the right to data portability under the GDPR as an enabler of data subjects’ control.


Author(s):  
Sophie Kuebler-Wachendorff ◽  
Robert Luzsa ◽  
Johann Kranz ◽  
Stefan Mager ◽  
Emmanuel Syrmoudis ◽  
...  

For almost three years, the General Data Protection Regulation (GDPR) has been granting citizens of the European Union the right to obtain personal data from companies and to transfer these data to another company. The so-called Right to Data Portability (RtDP) promises to significantly reduce switching costs for consumers in digital service markets, provided that its potential is effectively translated into reality. Thus, of all the consumer rights in the GDPR, the RtDP has the potential to be the one with the most significant implications for digital markets and privacy. However, our research shows that the RtDP is barely known among consumers and can currently only be implemented in a fragmented manner—especially with regard to the direct transfer of data between online service providers. We discuss several ways to improve the implementation of this right in the present article.


2020 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Hanne Sørum ◽  
Wanda Presthus

Purpose: This paper investigates the European Union's General Data Protection Regulation (GDPR) in information systems (ISs). The GDPR consists of 99 articles, and two articles are emphasised – namely Article 15, which deals with rights of access by the data subject, and Article 20, which deals with the right to data portability. Design/methodology/approach: 15 companies operating in the Norwegian consumer market were randomly selected. Each company received an inquiry pertaining to rights of access by the data subject (Article 15) and the right to data portability (Article 20). The research team carefully analysed the answers received and categorised the responses according to the two articles emphasised. Findings: The findings show extensive variations among the companies in terms of response time, quality of feedback and how companies handle requests concerning rights of access by the data subject (Article 15) and the right to data portability (Article 20). Differences are also pertaining to the types of files, along with the content of these files. It should be noted, however, that most of the companies replied to the inquiry before the deadline. The findings show that companies comply better with Article 20 than Article 15. However, it appears that they do not differentiate between the two articles. Originality/value: This study explores a research topic that is relatively new. It addresses a gap in the extant research by highlighting how the GDPR works in practice from a consumer's perspective. In addition, guidelines are offered to the consumers and companies affected by the GDPR.


2018 ◽  
Vol 19 (6) ◽  
pp. 1359-1398 ◽  
Author(s):  
Inge Graef ◽  
Martin Husovec ◽  
Nadezhda Purtova

The right to data portability (RtDP) introduced by Article 20 of the General Data Protection Regulation (GDPR) forms a regulatory innovation within EU law. The RtDP provides data subjects with the possibility to transfer personal data among data controllers, but has an impact beyond data protection. In particular, the RtDP facilitates the reuse of personal data that private companies hold by establishing a general-purpose control mechanism of horizontal application. Article 20 of the GDPR is agnostic about the type of use that follows from the ported data and its further diffusion. We argue that the RtDP does not fit well with the fundamental rights nature of data protection law, and should instead be seen as a new regulatory tool in EU law that aims to stimulate competition and innovation in data-driven markets. What remains unclear is the extent to which the RtDP will be limited in its aspirations where intellectual property rights of current data holders—such as copyright, trade secrets and sui generis database rights—cause the regimes to clash. In such cases, a reconciliation of the interests might particularly confine the follow-on use of ported data again to a specific set of socially justifiable purposes, possibly with schemes of fair remuneration. Despite these uncertainties, the RtDP is already being replicated in other fields, namely consumer protection law and the regulation of non-personal data. Competition law can also facilitate portability of data, but only for purpose-specific goals with the aim of addressing anticompetitive behavior. We conclude that to the extent that other regimes will try to replicate the RtDP, they should closely consider the nature of the resulting control and its breadth and impact on incentives to innovate. In any case, the creation of data portability regimes should not become an end in itself. With an increasing number of instruments, orchestrating the consistency of legal regimes within the Digital Single Market and their mutual interplay should become an equally important concern.


2020 ◽  
pp. 146144482093403
Author(s):  
Sarah Turner ◽  
July Galindo Quintero ◽  
Simon Turner ◽  
Jessica Lis ◽  
Leonie Maria Tanczer

The right to data portability (RtDP), as outlined in the European Union’s General Data Protection Regulation (GDPR), enables data subjects to transmit their data from one service to another. This is of particular interest in the evolving Internet of Things (IoT) environment. This research delivers the first empirical analysis detailing the exercisability of the RtDP in the context of consumer IoT devices and the information provided to users about exercising the right. In Study 1, we reviewed 160 privacy policies of IoT producers to understand the level of information provided to a data subject. In Study 2, we tested four widely available IoT systems to examine whether procedures are in place to enable users to exercise the RtDP. Both studies showcase how the RtDP is not yet exercisable in the IoT environment, risking consumers being unable to unlock the long-term benefits of IoT systems.


2018 ◽  
Vol 16 (1) ◽  
pp. 1-21 ◽  
Author(s):  
Harshvardhan J. Pandit ◽  
Christophe Debruyne ◽  
Declan O'Sullivan ◽  
Dave Lewis

The General Data Protection Regulation (GDPR) specifies obligations that shape the way information is collected, shared, provided, or communicated, and provides rights for receiving a copy of their personal data in an interoperable format. The sharing of information between entities affected by GDPR provides a strong motivation towards the adoption of an interoperable model for the exchange of information and demonstration of compliance. This article explores such an interoperability model through entities identified by the GDPR and their information flows along with relevant obligations. The model categorises information exchanged between entities and presents a discussion on its representation using existing standards. An investigation of data provided under the Right to Data Portability for exploring interoperability in a real-world use-case. The findings demonstrate how the use of common data formats hampers its usability due to a lack of context. The article discusses the adoption of contextual metadata using a semantic model of interoperability to remedy these identified shortcomings.


2019 ◽  
pp. 595-619
Author(s):  
Andrew Murray

This chapter examines the rights of data subjects under GDPR and the role of the state in supervising data controllers. It examines data subject rights, including the subject access right and the right to correct and manage personal data. It deals with the development of the so-called Right to be Forgotten and the Mario Costeja González case. It examines the current supervisory regime, including the role of the Information Commissioner’s Office and the enforcement rights of data subjects. Key cases, including Durant v The Financial Services Authority, Edem v IC & Financial Services Authority, Dawson-Damer v Taylor Wessing, and Ittihadieh v 5–11 Cheyne Gardens are discussed, and the chapter concludes by examining the enhanced enforcement rights awarded to the Information Commissioner’s Office by the General Data Protection Regulation in 2018.


Author(s):  
Marta Kive

The right to data portability applies only to personal data provided to the controller by the data subject himself, and only if the processing was initially based on the consent of the user or on the basis of a contract. Most cases when students or their parents submit their personal data to an educational institution are cases covered by this right; moreover, in most cases, those are sensitive personal data. In the context of the right to data portability, data subjects directly transmit data from one data controller to another where technically possible. The regulation does not specify what is meant by “technically feasible”. The wording indicates that this should be addressed on a case-by-case basis and a dynamic interpretation of the term “technically feasible” should be ensured. This is limited because the Regulation does not oblige data controllers to accept or maintain compatible processing systems. In the case of educational institutions and students’ opportunities to change the study place, including mid-school year, it’s important to identify problems with data portability and facilitate the transition process to get the student into the new study environment and system faster and more effectively. For this purpose, the author identifies the main problems and challenges that educational institutions can face when they act as data controllers. The subject of the research is the relationship between the data subject (students) and the data controller (educational institution), implementing the right to data portability.

