Adtech and Real-Time Bidding under European Data Protection Law

European Data ◽

Prior Consent ◽

General Data ◽

This paper discusses the troubled relationship between contemporary advertising technology (adtech) systems, in particular systems of real-time bidding (RTB, also known as programmatic advertising) underpinning much behavioural targeting on the web and through mobile applications. This paper analyses the extent to which practices of RTB are compatible with the requirements regarding (i) a legal basis for processing, transparency, and security in European data protection law. We first introduce the technologies at play through explaining and analysing the systems deployed online today. Following that, we turn to the law. Rather than analyse RTB against every provision of the General Data Protection Regulation (GDPR), we consider RTB in the context of the GDPR’s requirement of a legal basis for processing and the GDPR’s transparency and security requirements. We show, first, that the GDPR requires prior consent of the internet user for RTB, as other legal bases are not appropriate. Second, we show that it is difficult – and perhaps impossible – for website publishers and RTB companies to meet the GDPR’s transparency requirements. Third, RTB incentivises insecure data processing. We conclude that, in concept and in practice, RTB is structurally difficult to reconcile with European data protection law. Therefore, intervention by regulators is necessary.

How Comprehensive Is Chinese Data Protection Law? A Systematisation of Chinese Data Protection Law from a European Perspective

GRUR International ◽

10.1093/grurint/ikaa136 ◽

2020 ◽

Vol 69 (12) ◽

pp. 1191-1203

Author(s):

Anja Geller

Keyword(s):

Data Protection ◽

European Perspective ◽

General Development ◽

General Direction ◽

Chinese Law ◽

European Data ◽

General Data ◽

Abstract In China, there is no unified data protection law similar to the EU’s General Data Protection Regulation (GDPR). As a result, there are many different relevant regulations. Among other things, this makes enforcement and comprehension more difficult. To alleviate this problem and assess the comprehensiveness of Chinese data protection, this article uses the GDPR as a frame to organise and systematise the most important Chinese regulations. Binding and non-binding as well as enacted and draft provisions are included to show the dynamic progress and the general direction of Chinese law. While from a European data protection perspective there still are numerous deficiencies, the general development is positive.

Conclusion

Protecting Genetic Privacy in Biobanking through Data Protection Law ◽

10.1093/oso/9780192896476.003.0011 ◽

2021 ◽

pp. 256-260

Author(s):

Dara Hallinan

Keyword(s):

Data Protection ◽

Baseline Level ◽

Genetic Privacy ◽

Early Stages ◽

European Data ◽

General Data ◽

This concluding chapter argues that European data protection law, under the General Data Protection Regulation (GDPR), can and ought to be looked at to play a central role in the protection of genetic privacy in biobanking in Europe. In the first instance, the substantive framework presented by the GDPR already offers an impressive baseline level of protection for genetic privacy. In turn, while numerous problems with this baseline standard of protection are identifiable, the GDPR offers the normative flexibility to accommodate solutions to these problems, as well as the procedural mechanisms to facilitate the realisation of solutions. The interaction between GDPR and biobanking is still, however, in the early stages. Whether this potential is realised now depends on the decisions and actions of regulatory stakeholders in the biobanking space. Their decisions have the potential to optimise or undermine the GDPR as a system for the protection of genetic privacy in biobanking. The biobanking community also have consequential choices as to how they perceive and operationalise the GDPR.

Do We Need Data Protection at All?

Protecting Genetic Privacy in Biobanking through Data Protection Law ◽

10.1093/oso/9780192896476.003.0006 ◽

2021 ◽

pp. 91-128

Author(s):

Dara Hallinan

Keyword(s):

Data Protection ◽

Thought Experiment ◽

Legal Systems ◽

Genetic Privacy ◽

European Data ◽

Viable Solution ◽

General Data ◽

Data Protection Law ◽

The Uk

This chapter assesses whether there is any need to consider European data protection law as a framework for the protection of genetic privacy in biobanking in Europe at all. To answer the question, the chapter conducts a thought experiment and examines what the standard of protection in Europe would look like if one were to exclude data protection law from consideration. This is merely a thought experiment, as data protection already plays, and will continue to play, a significant role in the protection of genetic privacy in biobanking in Europe. The exercise is enlightening, however, in showing the extent of flaws in protection in European legal systems stripped of data protection. In this regard, the chapter then maps the protection provided to genetic privacy in biobanking by the EU's, and three European states'—Estonia, Germany, and the UK—legal systems. It then engages in a critical analysis, highlighting the significant inadequacy of the protection provided by these systems excluding data protection law. Finally, the chapter shows why, generally, European data protection law under the General Data Protection Regulation (GDPR) looks a viable solution to address the problems displayed by other approaches.

The Risk-Based Approach to Data Protection

10.1093/oso/9780198837718.001.0001 ◽

2020 ◽

Author(s):

Raphaël Gellert

Keyword(s):

Risk Management ◽

Data Protection ◽

Personal Data ◽

Management Tools ◽

Regulation Theory ◽

Régulation Theory ◽

General Data ◽

Data Protection Law ◽

The Way

The main goal of this book is to provide an understanding of what is commonly referred to as “the risk-based approach to data protection”. An expression that came to the fore during the overhaul process of the EU’s General Data Protection Regulation (GDPR)—even though it can also be found in other statutes under different acceptations. At its core it consists in endowing the regulated organisation that process personal data with increased responsibility for complying with data protection mandates. Such increased compliance duties are performed through risk management tools. It addresses this topic from various perspectives. In framing the risk-based approach as the latest model of a series of regulation models, the book provides an analysis of data protection law from the perspective of regulation theory as well as risk and risk management literatures, and their mutual interlinkages. Further, it provides an overview of the policy developments that led to the adoption of such an approach, which it discusses in the light of regulation theory. It also includes various discussions pertaining to the risk-based approach’s scope and meaning, to the way it has been uptaken in statutes including key provisions such as accountability and data protection impact assessments, or to its potential and limitations. Finally, it analyses how the risk-based approach can be implemented in practice by providing technical analyses of various data protection risk management methodologies.

European Data Protection Regulation, Journalism, and Traditional Publishers

10.1093/oso/9780198841982.001.0001 ◽

2019 ◽

Author(s):

David Erdos

Keyword(s):

New Media ◽

Data Protection ◽

Freedom Of Expression ◽

Code Of Conduct ◽

Academic Disciplines ◽

European Data ◽

General Data ◽

Professional Artists ◽

Normative Perspective

This book explores the interface between European data protection and the freedom of expression activities of traditional journalism, professional artists, and both academic and non-academic writers from both an empirical and normative perspective. It draws on an exhaustive examination of both historical and contemporary public domain material and a comprehensive questionnaire of European Data Protection Authorities (DPAs). Empirically it is found that, notwithstanding an often confusing statutory landscape, DPAs have sought to develop an approach to regulating the journalistic media based on contextual rights balancing. However, they have struggled to secure a clear and specified criterion of strictness as regards standard-setting or a consistent and reliable approach to enforcement. DPAs have appeared even more confused as regards other traditional publishers, largely abstaining from regulating most professional artists and writers but attempting to subject all academic disciplines to onerous statutory restrictions established for medical, scientific, and related research. From these findings, it is argued that balancing contextual rights has value and should be both generalized across all traditional publishers and systematically and sensitively developed through structured and robust co-regulation. Such co-regulation should adopt the new code of conduct and monitoring provisions included in the General Data Protection Regulation (GDPR) as a broad guideline. DPAs should accord strong deference to any codes and monitoring bodies which verifiably meet the accredited criteria but must engage more proactively when these are absent. In any case, DPAs should also intervene directly as regards particularly serious or systematic issues and have an increasingly important role in ensuring a joined-up approach between traditional publishing and new media activity.

Expanding the European data protection scope beyond territory: Article 3 of the General Data Protection Regulation in its wider context

International Data Privacy Law ◽

10.1093/idpl/ipw008 ◽

2016 ◽

Vol 6 (3) ◽

pp. 230-243 ◽

Cited By ~ 8

Author(s):

Paul de Hert ◽

Michal Czerniawski

Keyword(s):

Data Protection ◽

European Data ◽

General Data

Protecting Genetic Privacy in Biobanking through Data Protection Law

10.1093/oso/9780192896476.001.0001 ◽

2021 ◽

Author(s):

Dara Hallinan

Keyword(s):

Data Protection ◽

Critical Infrastructure ◽

Legal Framework ◽

Privacy Rights ◽

Genetic Privacy ◽

General Data ◽

Research Biobanks ◽

The Subject ◽

Biobanks are critical infrastructure for medical research. Biobanks, however, are also the subject of considerable ethical and legal uncertainty. Given that biobanks process large quantities of genomic data, questions have emerged as to how genetic privacy should be protected. What types of genetic privacy rights and rights holders should be protected and to what extent? Since 25 May 2018, the General Data Protection Regulation (GDPR) has applied and now occupies a key position in the European legal framework for the regulation of biobanking. This book takes an in-depth look at the function, problems, and opportunities presented by European data protection law under the GDPR as a framework for the protection of genetic privacy in biobanking. It argues that the substantive framework presented by the GDPR already offers an admirable baseline level of protection for the range of genetic privacy rights engaged by biobanking. The book further contends that while numerous problems with this standard of protection are indeed identifiable, the GDPR offers the flexibility to accommodate solutions to these problems, as well as the procedural mechanisms to realise these solutions.

The Second Internet: The Brussels Bourgeois Internet

Four Internets ◽

10.1093/oso/9780197523681.003.0007 ◽

2021 ◽

pp. 77-91

Author(s):

Kieron O’Hara

Keyword(s):

European Union ◽

Public Space ◽

Data Protection ◽

The European Union ◽

Privacy Rights ◽

Internet Privacy ◽

Data Protection Directive ◽

General Data ◽

This chapter describes the Brussels Bourgeois Internet. The ideal consists of positive, managed liberty where rights of others are respected, as in the bourgeois public space, where liberty follows only when rights are secured. The exemplar of this approach is the European Union, which uses administrative means, soft law, and regulation to project its vision across the Internet. Privacy and data protection have become the most emblematic struggles. Under the Data Protection Directive of 1995, the European Union developed data-protection law and numerous privacy rights, including a right to be forgotten, won in a case against Google Spain in 2014, the arguments about which are dissected. The General Data Protection Regulation (GDPR) followed in 2018, amplifying this approach. GDPR is having the effect of enforcing European data-protection law on international players (the ‘Brussels effect’), while the European Union over the years has developed unmatched expertise in data-protection law.

Enhancing Compliance under the General Data Protection Regulation: The Risky Upshot of the Accountability- and Risk-based Approach

European Journal of Risk Regulation ◽

10.1017/err.2018.47 ◽

2018 ◽

Vol 9 (3) ◽

pp. 502-526 ◽

Cited By ~ 3

Author(s):

Claudia QUELLE

Keyword(s):

Data Protection ◽

Fundamental Rights ◽

New Approach ◽

Legal Norms ◽

Improve Compliance ◽

Rules And Principles ◽

General Data ◽

Data Protection Law ◽

Fundamental Rights And Freedoms

The risk-based approach has been introduced to the General Data Protection Regulation (GDPR) to make the rules and principles of data protection law “work better”. Organisations are required to calibrate the legal norms in the GDPR with an eye to the risks posed to the rights and freedoms of individuals. This article is devoted to an analysis of the way in which this new approach relates to “tick-box” compliance. How can the law enhance itself? If handled properly by controllers and supervisory authorities, the risk-based approach can bring about a valuable shift in data protection towards substantive protection of fundamental rights and freedoms. While the risk-based approach has a lot of potential, it also has a risk of its own: it relies on controllers to improve compliance, formulating what it means to attain compliance 2.0.

EU Data Protection Law: The Review of Directive 95/46/EC and the General Data Protection Regulation

10.1093/acprof:oso/9780198807216.003.0005 ◽

2017 ◽

Cited By ~ 10

Author(s):

Peter Hustinx

Keyword(s):

Data Protection ◽

Legal Framework ◽

Fundamental Rights ◽

Full Potential ◽

Gradual Development ◽

Charter Of Fundamental Rights ◽

General Data ◽

Data Protection Law ◽

The Difference

This chapter looks at the origins and the current state of EU data protection law, and highlights the context of the ongoing review of Directive 95/46/EC as its key instrument, as well as the main lines of the proposed General Data Protection Regulation which will replace the Directive in the near future. The analysis shows a gradual development along two lines: one aiming at stronger rights in order to provide more effective protection, and one ensuring more consistent application of those rights across the EU. It also demonstrates the increasing impact of the Charter of Fundamental Rights, both in the case law of the Court of Justice and in the review of the legal framework. At the same time, it is argued that a lack of awareness of the difference in character between Articles 7 and 8 of the Charter could prevent Article 8 from reaching its full potential.