When Data Protection by Design and Data Subject Rights Clash

Author(s):  
Michael Veale ◽  
Reuben Binns ◽  
Jef Ausloos

Cite as: Michael Veale, Reuben Binns and Jef Ausloos (2018) When Data Protection by Design and Data Subject Rights Clash. International Data Privacy Law (2018) doi:10.1093/idpl/ipy002. [Note: An earlier draft was entitled "We Can't Find Your Data, But A Hacker Could: How 'Privacy by Design' Trades-Off Data Protection Rights"]

Abstract

➔ Data Protection by Design (DPbD), a holistic approach to embedding principles in technical and organisational measures undertaken by data controllers, building on the notion of Privacy by Design, is now a qualified duty in the GDPR.

➔ Practitioners have seen DPbD less holistically, instead framing it through the confidentiality-focussed lens of Privacy Enhancing Technologies (PETs).

➔ While focussing primarily on confidentiality risk, we show that some DPbD strategies deployed by large data controllers result in personal data which, despite remaining clearly reidentifiable by a capable adversary, make it difficult for the controller to grant data subjects rights (eg access, erasure, objection) over for the purposes of managing this risk.

➔ Informed by case studies of Apple's Siri voice assistant and Transport for London's Wi-Fi analytics, we suggest three main ways to make deployed DPbD more accountable and data subject-centric: building parallel systems to fulfil rights, including dealing with volunteered data; making inevitable trade-offs more explicit and transparent through Data Protection Impact Assessments; and through ex ante and ex post information rights (arts 13-15), which we argue may require the provision of information concerning DPbD trade-offs.

➔ Despite steep technical hurdles, we call both for researchers in PETs to develop rigorous techniques to balance privacy-as-control with privacy-as-confidentiality, and for DPAs to consider tailoring guidance and future frameworks to better oversee the trade-offs being made by primarily well-intentioned data controllers employing DPbD.

2021 ◽  
Vol 11 (22) ◽  
pp. 10574
Author(s):  
Sung-Soo Jung ◽  
Sang-Joon Lee ◽  
Ieck-Chae Euom

With the growing awareness regarding the importance of personal data protection, many countries have established laws and regulations to ensure data privacy and are supervising managements to comply with them. Although various studies have suggested compliance methods of the general data protection regulation (GDPR) for personal data, no method exists that can ensure the reliability and integrity of the personal data processing request records of a data subject to enable its utilization as a GDPR compliance audit proof for an auditor. In this paper, we propose a delegation-based personal data processing request notarization framework for GDPR using a private blockchain. The proposed notarization framework allows the data subject to delegate requests to process personal data; the framework makes the requests to the data controller, which performs the processing. The generated data processing request and processing result data are stored in the blockchain ledger and notarized via a trusted institution of the blockchain network. The Hyperledger Fabric implementation of the framework demonstrates the fulfillment of system requirements and feasibility of implementing a GDPR compliance audit for the processing of personal data. The analysis results with comparisons among the related works indicate that the proposed framework provides better reliability and feasibility for the GDPR audit of personal data processing request than extant methods.


2021 ◽  
Vol 17 (1) ◽  
pp. 23-33
Author(s):  
Jeremias Palito ◽  
Safira Aninditya Soenarto ◽  
Tiara Almira Raila

Abstract: Protection of data privacy is a topic that is currently being discussed a lot. Globally, there are 132 countries that already have exclusive regulation regarding the protection of personal data, including Japan and South Korea. In Indonesia, the Personal Data Protection Bill (RUU PDP) has been included in the National Legislation Program. From the research conducted, it was found that Indonesia does not have any specific regulations regarding the protection of personal data. Furthermore, this paper also discussed the comparison between the personal data protection regulations in Japan and South Korea, so that further research can be made of what matters should be contained in the RUU PDP. The regulations in Japan and South Korea certainly have differences, but they basically contain the same things, such as principles, protection mechanisms, data subject rights, transfers to third countries, and sanctions.

Keywords: Protection of Data Privacy; Japan; and South Korea.


2019 ◽  
Vol 22 (1) ◽  
Author(s):  
Miguel Ehecatl Morales-Trujillo ◽  
Gabriel Alberto García-Mireles ◽  
Erick Orlando Matla-Cruz ◽  
Mario Piattini

Protecting personal data in current software systems is a complex issue that requires legal regulations and constraints to manage personal data as well as a methodological support to develop software systems that would safeguard data privacy of their respective users. The Privacy by Design (PbD) approach has been proposed to address this issue and has been applied to systems development in a variety of application domains. The aim of this work is to determine the presence of PbD and its extent in software development efforts. A systematic mapping study was conducted in order to identify relevant literature that collects PbD principles and goals in software development as well as methods and/or practices that support privacy-aware software development. 53 selected papers address PbD mostly from a theoretical perspective with proposals validation based primarily on experiences or examples. The findings suggest that there is a need to develop privacy-aware methods to be integrated at all stages of the software development life cycle and validate them in industrial settings.


Author(s):  
M. Fevzi Esen ◽  
Eda Kocabas

With the new developments in information technologies, personal and business data have become easily accessible through different channels. The huge amounts of personal data across global networks and databases have provided crucial benefits in a scientific manner and many business opportunities, also in the meeting, incentive, convention, and exhibition (MICE) industry. In this chapter, the authors focus on the analysis of MICE industry with regards to the new regulation (GDPR) of personal data protection of all EU citizens and how the industry professionals can adapt their way of business in light of this new regulation. The authors conducted an online interview with five different meetings industry professionals to have more insight about the data produced with its content and new regulations applied to the industry. The importance of personal data privacy and protection is discussed, and the most suitable anonymization techniques for personal data privacy are proposed.


Author(s):  
Waltraut Kotschy

Article 13 (Information to be provided where personal data are collected from the data subject); Article 14 (Information to be provided where personal data have not been obtained from the data subject); Article 15 (Right of access by the data subject); Article 24 (Responsibility of the controller); Article 32 (Security of processing); Article 35 (Data protection impact assessment); Article 37 (Designation of a data protection officer); Article 49 (Derogations for specific situations concerning transborder data flows); Article 83 (General conditions for imposing administrative fines)


Author(s):  
Ludmila Georgieva ◽  
Christopher Kuner

Article 4(1) (Definition of personal data); Article 4(2) (Definition of processing); Article 4(11) (Definition of consent); Article 4(13) (Definition of genetic data, see also recital 34); Article 4(14) (Definition of biometric data); Article 4(15) (Definition of data concerning health, see also recital 35); Article 6(4)(c) (Lawfulness of processing, compatibility test) (see too recital 46 on vital interest); Article 13(2)(c) (Information to be provided where personal data are collected from the data subject); Article 17(1)(b), (3)(c) (Right to erasure (‘right to be forgotten’)); Article 20(1)(a) (Right to data portability); Article 22(4) (Automated individual decision-making, including profiling); Article 27(2)(a) (Representatives of controllers or processors not established in the Union); Article 30(5) (Records of processing activities); Article 35(3)(b) (Data protection impact assessment) (see too recital 91); Article 37(1)(c) (Designation of the data protection officer) (see too recital 97); Article 83(5)(a) (General conditions for imposing administrative fines).


Author(s):  
Tibor Tajti

Chapter VI is a new chapter in the EIR. Its presence signals the importance that data protection law has gained in Europe since the adoption of the Data Protection Directive 95/46/EC (DPD) and Regulation 45/2001. Although the DPD is not—though it comes close to—a maximum harmonisation directive, its implementation by Member States by the end of 1998 increased data protection standards on national levels as well. Yet the concrete reason that led to the addition of this Chapter is the expanded scope of the EIR as far as the exchange and publication of personal data is concerned. The expansion and thus the enhanced need for data protection is due in particular to the provision made in the recast EIR for newly established interconnected national insolvency registers, accessible via the European e-Justice Portal. This provision has been made at a time when data protection law is increasingly recognised as a ‘stand-alone’ subject, emancipated from privacy law, as expressed indirectly also by the popularisation of the ‘data protection’ nomenclature originating in the German term ‘Datenschutz’. This has clear implications for private and commercial law, including insolvency law.


Author(s):  
Helena U. Vrabec

Chapter 9 is a concluding section of the book. It takes a look at the rights from the perspective of effectiveness and analyses them in a more structured manner by utilising a framework of data protection principles from Article 5 of the GDPR. The analysis shows that data subjects’ control rights are sometimes ineffective. However, this part of data protection law must be, nonetheless, maintained, because it not only serves the objective of control but has other objectives too. To mitigate the ineffectiveness, some alternative measures are considered, for example technological solutions and legal mechanisms outside of data protection law. The chapter refers to these alternatives as ‘a holistic approach to control’.

