Is European Data Protection Toxic for Innovative AI? An Estonian Perspective

The General Data Protection Regulation (GDPR) is, together with its seven principles, designed to function as the cornerstone of data protection in the European Union. Although the GDPR was meant to keep up with technological and socioeconomic changes while guaranteeing fundamental rights, its unclear wording with regard to the use of artificial intelligence (AI) systems has led to uncertainty. Therefore, the development and application of ever new AI systems raises various, as yet unresolved questions. Moreover, the complexity of legal requirements poses the risk of inhibiting AI innovation in the European Union. On the other hand, the GDPR gives Member States certain leeway to regulate data processing by public authorities. Therefore, data protection requirements for AI systems in public administration must be assessed under both the GDPR and national law. Against this backdrop, the article aims to guide the reader through the relevant data-protection rules applicable to AI systems in both the EU and in Estonia.

Download Full-text

Data protection impact assessment in the European Union: developing a template for a report from the assessment process

10.31228/osf.io/7qrfp ◽

2020 ◽

Author(s):

Dariusz Kloza ◽

Alessandra Calvi ◽

Simone Casiraghi ◽

Sergi Vazquez Maymir ◽

Nikolaos Ioannidis ◽

...

Keyword(s):

European Union ◽

Impact Assessment ◽

Data Protection ◽

Fundamental Rights ◽

Assessment Process ◽

The European Union ◽

General Data Protection Regulation ◽

Use Of Resources ◽

General Data ◽

The Eu

This Policy Brief proposes a template for a report from a process of data protection impact assessment (DPIA) in the European Union (EU). Grounded in the previously elaborated framework (cf. Policy Brief No. 1/2017) and method for impact assessment (cf. Policy Brief No. 1/2019), the proposed template conforms to the requirements of Articles 35–36 of the General Data Protection Regulation (GDPR) and reflects best practices for impact assessment, offering at the same time five novel aspects. First, it aims at comprehensiveness to arrive at the most robust advice for decision making. Second, it aims at efficiency, that is, to produce effects with the least use of resources. Third, it aims at exploring and accommodating the perspectives of various stakeholders, although the perspective of individuals dominates; it, therefore, fosters fundamental rights thinking by, for example, requiring justification for each choice, hence going beyond a mere ‘tick-box’ exercise. Fourth, it aims at adhering to the legal design approach to guide the assessors in a practical, easy and intuitive manner throughout the 11-step assessment process, providing necessary explanations for each step, while being structured in expandable and modifiable tables and fields to fill in. Fifth, it assumes its lack of finality as it will need to be revised as experience with its use grows. The template is addressed predominantly to assessors entrusted by data controllers to perform the assessment process, yet it may also assist data protection authorities (DPA) in the EU to develop (tailored down) templates for DPIA for their own jurisdictions.

Download Full-text

Data Protection in the EU and its Implications on Software Development outside the EU

Journal of Institute of Science and Technology ◽

10.3126/jist.v24i1.24620 ◽

2019 ◽

Vol 24 (1) ◽

pp. 1-5

Author(s):

Ralf Kneuper

Keyword(s):

European Union ◽

Software Development ◽

Data Protection ◽

Personal Data ◽

Software Requirements ◽

The European Union ◽

General Data Protection Regulation ◽

It Systems ◽

General Data ◽

The Eu

In May 2018, the General Data Protection Regulation (GDPR 2016) came into effect in the European Union (EU), defining requirements on how to handle personal data of EU citizens. This report discusses the effects of this regulation on software development organisations outside the EU, and summaries the software requirements that result from GDPR and therefore apply to most information technology (IT) systems that will handle data of individuals based in the EU.

Download Full-text

Data Sharing Under the General Data Protection Regulation

Hypertension ◽

10.1161/hypertensionaha.120.16340 ◽

2021 ◽

Vol 77 (4) ◽

pp. 1029-1035

Author(s):

Antonia Vlahou ◽

Dara Hallinan ◽

Rolf Apweiler ◽

Angel Argiles ◽

Joachim Beige ◽

...

Keyword(s):

European Union ◽

Data Protection ◽

Personal Data ◽

Research Approach ◽

The European Union ◽

General Data Protection Regulation ◽

Personal Data Protection ◽

Protection Legislation ◽

General Data ◽

Almost All

The General Data Protection Regulation (GDPR) became binding law in the European Union Member States in 2018, as a step toward harmonizing personal data protection legislation in the European Union. The Regulation governs almost all types of personal data processing, hence, also, those pertaining to biomedical research. The purpose of this article is to highlight the main practical issues related to data and biological sample sharing that biomedical researchers face regularly, and to specify how these are addressed in the context of GDPR, after consulting with ethics/legal experts. We identify areas in which clarifications of the GDPR are needed, particularly those related to consent requirements by study participants. Amendments should target the following: (1) restricting exceptions based on national laws and increasing harmonization, (2) confirming the concept of broad consent, and (3) defining a roadmap for secondary use of data. These changes will be achieved by acknowledged learned societies in the field taking the lead in preparing a document giving guidance for the optimal interpretation of the GDPR, which will be finalized following a period of commenting by a broad multistakeholder audience. In parallel, promoting engagement and education of the public in the relevant issues (such as different consent types or residual risk for re-identification), on both local/national and international levels, is considered critical for advancement. We hope that this article will open this broad discussion involving all major stakeholders, toward optimizing the GDPR and allowing a harmonized transnational research approach.

Download Full-text

The European Union and the Search for an International Data Protection Framework

Groningen Journal of International Law ◽

10.21827/5a86a82b67dab ◽

2014 ◽

Vol 2 (2) ◽

pp. 55 ◽

Cited By ~ 2

Author(s):

Christopher Kuner

Keyword(s):

European Union ◽

Data Protection ◽

Legal Framework ◽

Fundamental Rights ◽

The European Union ◽

International Data ◽

Data Protection Law ◽

Eu Fundamental Rights ◽

Global Data ◽

The Eu

The European Union (EU) has supported the growing calls for the creation of an international legal framework to safeguard data protection rights. At the same time, it has worked to spread its data protection law to other regions, and recent judgments of the Court of Justice of the European Union (CJEU) have reaffirmed the autonomous nature of EU law and the primacy of EU fundamental rights law. The tension between initiatives to create a global data protection framework and the assertion of EU data protection law raises questions about how the EU can best promote data protection on a global level, and about the EU’s responsibilities to third countries that have adopted its system of data protection.

Download Full-text

The Second Internet: The Brussels Bourgeois Internet

Four Internets ◽

10.1093/oso/9780197523681.003.0007 ◽

2021 ◽

pp. 77-91

Author(s):

Kieron O’Hara

Keyword(s):

European Union ◽

Public Space ◽

Data Protection ◽

The European Union ◽

Privacy Rights ◽

General Data Protection Regulation ◽

Internet Privacy ◽

Data Protection Directive ◽

General Data ◽

Data Protection Law

This chapter describes the Brussels Bourgeois Internet. The ideal consists of positive, managed liberty where rights of others are respected, as in the bourgeois public space, where liberty follows only when rights are secured. The exemplar of this approach is the European Union, which uses administrative means, soft law, and regulation to project its vision across the Internet. Privacy and data protection have become the most emblematic struggles. Under the Data Protection Directive of 1995, the European Union developed data-protection law and numerous privacy rights, including a right to be forgotten, won in a case against Google Spain in 2014, the arguments about which are dissected. The General Data Protection Regulation (GDPR) followed in 2018, amplifying this approach. GDPR is having the effect of enforcing European data-protection law on international players (the ‘Brussels effect’), while the European Union over the years has developed unmatched expertise in data-protection law.

Download Full-text

The GDPR as Global Data Protection Regulation?

AJIL Unbound ◽

10.1017/aju.2019.80 ◽

2020 ◽

Vol 114 ◽

pp. 5-9 ◽

Cited By ~ 2

Author(s):

Cedric Ryngaert ◽

Mistale Taylor

Keyword(s):

International Law ◽

Data Protection ◽

Personal Data ◽

Fundamental Rights ◽

General Data Protection Regulation ◽

Data Protection Directive ◽

Protection Legislation ◽

General Data ◽

Global Data ◽

The Eu

The deterritorialization of the Internet and international communications technology has given rise to acute jurisdictional questions regarding who may regulate online activities. In the absence of a global regulator, states act unilaterally, applying their own laws to transborder activities. The EU's “extraterritorial” application of its data protection legislation—initially the Data Protection Directive (DPD) and, since 2018, the General Data Protection Regulation (GDPR)—is a case in point. The GDPR applies to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services . . . to such data subjects in the Union; or (b) the monitoring of their behaviour . . . within the Union.” It also conditions data transfers outside the EU on third states having adequate (meaning essentially equivalent) data protection standards. This essay outlines forms of extraterritoriality evident in EU data protection law, which could be legitimized by certain fundamental rights obligations. It then looks at how the EU balances data protection with third states’ countervailing interests. This approach can involve burdens not only for third states or corporations, but also for the EU political branches themselves. EU law viewed through the lens of public international law shows how local regulation is going global, despite its goal of protecting only EU data subjects.

Download Full-text

Das intelligente Energiesystem der Zukunft

10.5771/9783748905622 ◽

2020 ◽

Author(s):

Ryan Kelly

Keyword(s):

Data Protection ◽

Energy System ◽

Fundamental Rights ◽

Smart Meter ◽

Eu Law ◽

Smart Meters ◽

General Data Protection Regulation ◽

Regulatory Strategy ◽

General Data ◽

The Eu

The regulated rollout of smart meters is intended to digitise the energy infrastructure with the goal of creating a future-oriented European energy system. In order to implement the EU requirements, the German legislature is pursuing a regulatory strategy with mandatory legal toleration of intelligent metering systems. This is associated with a variety of fundamental rights and data protection problems. The study examines the smart meter rollout in its complex reality between constitutional, energy and data protection law, as well as European and national regulations. The implementation of smart meters will be discussed in its entirety and analysed on the basis of constitutional and EU law. The focus lies, in particular, on the dogmatic localisation in the European constitutional framework and the examination on the legal basis of the General Data Protection Regulation (GDPR). The results of the study are visualised in two condensed illustrations.

Download Full-text

GDPR implementation as the main reason for the regional fragmentation in the online mediasphere

E3S Web of Conferences ◽

10.1051/e3sconf/202127308099 ◽

2021 ◽

Vol 273 ◽

pp. 08099

Author(s):

Mikhail Smolenskiy ◽

Nikolay Levshin

Keyword(s):

European Union ◽

Data Protection ◽

Personal Data ◽

Main Role ◽

The European Union ◽

Protection Measures ◽

General Data Protection Regulation ◽

Personal Data Protection ◽

The Usa ◽

General Data

The EU’s General Data Protection Regulation (GDPR) applies not only to the territory of the European Union, but also to all information systems containing data of EU’s citizens around the world. Misusing or carelessly handling personal data bring fines of up to 20 million euros or 4% of the annual turnover of the offending company. This article analyzes the main trends in the global implementation of the GDPR. Authors considered and analyzed results of personal data protection measures in nineteen regions: The USA, Canada, China, France, Germany, India, Kazakhstan, Nigeria, Russia, South Korea and Thailand, as well as the European Union and a handful of other. This allowed identifying a direct pattern between the global tightening of EU’s citizens personal data protection and the fragmentation of the global mediasphere into separate national segments. As a result of the study, the authors conclude that GDPR has finally slowed down the globalization of the online mediasphere, playing a main role in its regional fragmentation.

Download Full-text

Apply or not to apply?

Bratislava Law Review ◽

10.46282/blr.2020.4.2.171 ◽

2020 ◽

Vol 4 (2) ◽

pp. 81-94

Author(s):

Matúš Mesarčík

Keyword(s):

Data Protection ◽

Personal Data ◽

The European Union ◽

Privacy Regulation ◽

New Era ◽

General Data Protection Regulation ◽

Consumer Privacy ◽

Privacy Act ◽

General Data ◽

The Eu

A new era of data protection laws arises after the adoption of the General Data Protection Regulation (GDPR) in the European Union. One of the newly adopted regulations of processing of personal data is Californian Consumer Privacy Act commonly referred to as CCPA. The article aims to fill the gap considering a deep analysis of the territorial scope of both acts and practical consequences of the application. The article starts with a brief overview of privacy regulation in the EU and USA. Introduction to GDPR and CCPA follows focusing on the territorial scope of respective legislation. Three scenarios of applicability are derived in the following part including practical examples.

Download Full-text