The Right to Data Protection and the Commissions’ Adequacy Decision

Data protection is a fundamental right protected by the EU as well as several international human rights instruments. However, an adequate relation of this right faces new challenges every day. A complicated area for the effectiveness of EU data protection law is the cross-border transfer of personal data. In European law, the main principle applicable to international data flows is the principle of adequate protection. This principle implies that a transfer to a third country/international organization is only permissible if an adequate level of protection of the personal data transferred is guaranteed. In this regard, this paper examines the application of this principle in the adequacy decisions adopted by the European Commission.

Download Full-text

Tracing Individuals under the EU Regime on Serious, Cross-border Health Threats: An Appraisal of the System of Personal Data Protection

European Journal of Risk Regulation ◽

10.1017/err.2017.60 ◽

2017 ◽

Vol 8 (4) ◽

pp. 700-722 ◽

Cited By ~ 2

Author(s):

Patrycja DĄBROWSKA-KŁOSIŃSKA

Keyword(s):

Data Protection ◽

Personal Data ◽

Integrated Approach ◽

Border Health ◽

Health Security ◽

Personal Data Protection ◽

Cross Border ◽

Health Threats ◽

The Right ◽

The Eu

AbstractThe article tackles the issue of personal data protection in case of tracing (looking for) individual persons who have been exposed to health risks pursuant to the EU Decision 1082/2013 on Serious, Cross-border Health Threats. This problem exemplifies just one among many challenges of the health-security nexus in the EU. That is, it regards a certain trade-off between the limitation of individual rights and securing populations’ safety. The text appraises the safeguards for the (lawful) limitation of the right to data protection after an in-depth examination of the provisions of the Health Threats Decision, its implementing measures, the reports on its operation, and in light of the general EU data protection laws. In conclusion, it claims that a number of improvements are needed because of the incompleteness, and the insufficient coherence and transparency of the EU regime for health threats. The established shortcomings are, at least in part, caused by the new EU “integrated approach” to health and security. In effect, an overall philosophy of reforms of public health policy in the name of “all-hazards security” applied in the Health Threats Decision can result in a reduction of the adequate level of protection of individuals’ personal data.

Download Full-text

Toward Compatibility of the EU Trade Policy with the General Data Protection Regulation

AJIL Unbound ◽

10.1017/aju.2019.81 ◽

2020 ◽

Vol 114 ◽

pp. 10-14

Author(s):

Svetlana Yakovleva ◽

Kristina Irion

Keyword(s):

Data Protection ◽

Personal Data ◽

Fundamental Rights ◽

General Data Protection Regulation ◽

Cross Border ◽

Charter Of Fundamental Rights ◽

Strong Position ◽

General Data ◽

The Right ◽

The Eu

The European Union's (EU) negotiating position on cross-border data flows, which the EU has recently included in its proposal for the World Trade Organization (WTO) talks on e-commerce, not only enshrines the protection of privacy and personal data as fundamental rights, but also creates a broad exception for a Member's restrictions on cross-border transfers of personal data. This essay argues that maintaining such a strong position in trade negotiations is essential for the EU to preserve the internal compatibility of its legal system when it comes to the right to protection of personal data under the EU Charter of Fundamental Rights (EU Charter) and the recently adopted General Data Protection Regulation (GDPR).

Download Full-text

Cross-Border Transfers of Personal Data After Schrems II: Supplementary Measures and new Standard Contractual Clauses (SCCs)

Nordic Journal of European Law ◽

10.36969/njel.v4i2.23780 ◽

2021 ◽

Vol 4 (2) ◽

pp. 37-47

Author(s):

Marcelo Corrales Compagnucci ◽

Mateo Aboy ◽

Timo Minssen

Keyword(s):

Data Protection ◽

Personal Data ◽

The European Union ◽

Cross Border ◽

Data Protection Directive ◽

Legal Challenges ◽

International Data ◽

Data Transfers ◽

International Data Transfers ◽

The Eu

This article analyses the legal challenges of international data transfers resulting from the recent Court of Justice of the European Union (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II). This judgement invalidated the EU-US Privacy Shield Framework but upheld the use of standard contractual clauses (SCCs). However, one caveat is that organisations would have to perform a case-by-case assessment on the application of the SCCs and implement ‘supplementary measures’ to compensate for the lack of data protection in the third country, where necessary. Regrettably, the CJEU missed the opportunity to specify what exactly these ‘supplementary measures’ could be. To fill this gap, the European Data Protection Board (EDPB) adopted guidelines on the measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. In addition, on June 4th, 2021 the European Commission issued new SCCs which replaced the previous SCCs that were adopted under the previous Data Protection Directive 95/46. These new developments have raised the bar for data protection in international data transfers. In this article, we analyse the current regulatory framework for cross-border transfers of EU personal data and examine the practical considerations of the emerging post-Schrems II legal landscape.

Download Full-text

Review of the right to self-determination of personal data in the AI era - based on the EU Personal Data Protection Act

Center for Public Interest & Human Rights Law Chonnam National University ◽

10.38135/hrlr.2021.26.123 ◽

2021 ◽

Vol 26 ◽

pp. 123-151

Author(s):

In-Seon Ham

Keyword(s):

Data Protection ◽

Personal Data ◽

Self Determination ◽

Personal Data Protection ◽

The Right ◽

The Eu

Download Full-text

Applicable Law to Transnational Personal Data: Trends and Dynamics

German Law Journal ◽

10.1017/glj.2020.73 ◽

2020 ◽

Vol 21 (6) ◽

pp. 1283-1308

Author(s):

Jie (Jeanne) Huang

Keyword(s):

Data Protection ◽

Personal Data ◽

Chinese Media ◽

Applicable Law ◽

Personal Data Protection ◽

Regional Coordination ◽

The Law ◽

Model Law ◽

The Right ◽

The Eu

AbstractThe recent COVID-19 outbreak has pushed the tension of protecting personal data in a transnational context to an apex. Using a real case where the personal data of an international traveler was illegally released by Chinese media, this Article identifies three trends that have emerged at each stage of conflict-of-laws analysis for lex causae: (1) The EU, the US, and China characterize the right to personal data differently; (2) the spread-out unilateral applicable law approach comes from the fact that all three jurisdictions either consider the law for personal data protection as a mandatory law or adopt connecting factors leading to the law of the forum; and (3) the EU and China strongly advocate deAmericanization of substantive data protection laws. The trends and their dynamics provide valuable implications for developing the choice of laws for transnational personal data. First, this finding informs parties that jurisdiction is a predominant issue in data breach cases because courts and regulators would apply the law of the forum. Second, currently, there is no international treaty or model law on choice-of-law issues for transnational personal data. International harmonization efforts will be a long and difficult journey considering how the trends demonstrate not only the states’ irreconcilable interests but also how states may consider these interests as their fundamental values that they do not want to trade off. Therefore, for states and international organizations, a feasible priority is to achieve regional coordination or interoperation among states with similar values on personal data protection.

Download Full-text

Personal Data and Contract Law: Challenges and Concerns about the Economic Exploitation of the Right to Data Protection

European Review of Contract Law ◽

10.1515/ercl-2018-1022 ◽

2018 ◽

Vol 14 (4) ◽

pp. 374-392

Author(s):

Giuseppe Versaci

Keyword(s):

Data Protection ◽

Business Models ◽

Policy Issue ◽

Personal Data ◽

Contract Law ◽

Related Case ◽

Economic Exploitation ◽

Digital Business Models ◽

The Right ◽

The Eu

Abstract The so-called ‘free’ digital business models – users are not requested to pay a price, but to disclose personal data – are a very common reality. To tackle this phenomenon, the European Commission’s proposal of Directive on contracts for the supply of digital content used the concept of personal data as counter-performance. This stance proved to be quite problematic. It has been opposed by the European Data Protection Supervisor (EDPS) arguing that it should not be possible to subject the fundamental right to data protection to a commercial transaction. This article dwells upon the economic exploitability of the right to data protection, showing that Article 8 of the EU Charter of fundamental rights and the related case law of the CJEU do not justify the concerns raised by the EDPS. This seems to be confirmed by the fact that the legal traditions of the EU Member States recognize that personality rights can be the object of a contract, although they limit to a certain extent the private autonomy of the parties. Thus, the commodification of personal data – like the commodification of other incorporeal attributes of personality – is not banned. Rather, there is now a policy issue about how to handle the risk of personalized discrimination and the problem of inequality of bargaining power in digital business models based on personal data. In this respect, political decisions should not be too affected by conceptual barriers between data protection law and contract law. In line with this position, the author argues that the economic exploitation of the right to data protection should not be considered a waiver of the same right.

Download Full-text

The Right to Privacy—A Fundamental Right in Search of Its Identity: Uncovering the CJEU’s Flawed Concept of the Right to Privacy

German Law Journal ◽

10.1017/glj.2019.57 ◽

2019 ◽

Vol 20 (05) ◽

pp. 722-733 ◽

Cited By ~ 1

Author(s):

Valentin M. Pfisterer

Keyword(s):

Data Protection ◽

Personal Data ◽

Fundamental Rights ◽

The Political ◽

Strong Impact ◽

Right To Privacy ◽

Eu Member States ◽

The Right To Privacy ◽

The Right ◽

The Eu

AbstractIn recent years, the CJEU has impressively brought to bear the protection of the fundamental rights to privacy and protection of personal data as contained in the CFREU. The Court’s decisions in the Digital Rights, Schrems, Tele2, and PNR cases have reshaped the political and legal landscape in Europe and beyond. By restricting the powers of the governments of EU Member States and annulling legislative acts enacted by the EU legislator, the decisions had, and continue to have, effects well beyond the respective individual cases. Despite their strong impact on privacy and data protection across Europe, however, these landmark decisions reveal a number of flaws and inconsistencies in the conceptualization of the rights to privacy and protection of personal data as endorsed and interpreted by the CJEU. This Article identifies and discusses some of the shortcomings revealed in the recent CJEU privacy and data protection landmark decisions and proposes to the CJEU a strategy aimed at resolving these shortcomings going forward.

Download Full-text

Can the Internet Forget? – Rhe Eight to be Forgotten in the EU Law and its Actual Impact on the Internet. Comparison of the Approaches Towards the Notion and Assessment of its Effectiveness

Wroclaw Review of Law Administration & Economics ◽

10.2478/wrlae-2019-0006 ◽

2020 ◽

Vol 9 (1) ◽

pp. 86-101

Author(s):

Aleksandra Gebuza

Keyword(s):

Data Protection ◽

Personal Data ◽

The Internet ◽

Eu Law ◽

General Data Protection Regulation ◽

Actual Impact ◽

Right To Be Forgotten ◽

General Data ◽

The Right ◽

The Eu

AbstractThe main aim of the article is to provide analysis on the notion of the right to be forgotten developed by the CJEU in the ruling Google v. AEPD & Gonzalez and by the General Data Protection Regulation within the context of the processing of personal data on the Internet. The analysis provides the comparison of approach towards the notion between European and American jurisprudence and doctrine, in order to demonstrate the scale of difficulty in applying the concept in practice.

Download Full-text

Managing innovative company’s capital

Zbornik Pravnog fakulteta Sveučilišta u Rijeci ◽

10.30925/zpfsr.39.4.19 ◽

2019 ◽

Vol 39 (4) ◽

pp. 1779-1805

Author(s):

Danijela Vrbljanac

Keyword(s):

Data Protection ◽

Personal Data ◽

European Law ◽

Safe Harbour ◽

Data Flows ◽

The Us

Not many areas of European law proved themselves as controversial as data protection. The only case in which this issue could become more debatable is if personal data crosses EU borders. The transfer of personal data to third countries proved its disputed status when the CJEU invalidated the Safe Harbour Agreement, one of the frameworks for the transfer of personal data to the US and several more came under the CJEU’s scrutiny, including the Safe Harbour Agreement’s successor, the Privacy Shield Agreement. It has been suggested that some of these instruments for transfer need to be repealed or amended in order to be brought in conformity with the GDPR. The paper, after analysing each of the grounds for transfer which may be used by EU companies, argues that regardless of the recent entry into force of the GDPR, the data protection “revolution” is still not complete, at least as far the transborder data flows are concerned.

Download Full-text

A Comparative Study of the APEC Privacy Framework- A New Voice in the Data Protection Dialogue?

Asian Journal of Comparative Law ◽

10.1017/s2194607800000181 ◽

2008 ◽

Vol 3 ◽

pp. 1-44

Author(s):

Johanna G. Tan

Keyword(s):

Comparative Study ◽

Data Protection ◽

Personal Data ◽

Eu Member States ◽

Cross Border ◽

Eu Directive ◽

Free Flow Of Information ◽

International Conventions ◽

Flow Of Information ◽

The Eu

AbstractThe dialogue on data protection has so far been dominated by European and American voices. There are currently a few international conventions in place such as the Council of Europe's 1981 Convention for the Protection of Individuals with regard to the Automatic processing of personal data, the 1980 OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data , which apply to 30 OECD countries, and the EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data, which binds EU member states but has had some impact on non-European countries due to the restriction on cross border flow of information.This has changed with the emergence of the APEC Privacy Framework in 2004 which focuses on the importance of the free flow of information in the digital age. Does the APEC Privacy Framework have anything of value to add or does it dilute the standards already in place? This article will examine these questions and argue that perhaps the APEC Privacy Framework is the first step towards a truly global standard for data protection.

Download Full-text