The Impact of the GDPR on Extra-EU Legal Systems

Data Protection Law ◽

Regional Organisation

The chapter discusses the influence of the General Data Protection Regulation (GDPR) on legal systems extra-EU and particularly the Kingdom of Bahrain, country member to a regional organisation located in the Arabian Gulf denominated Gulf Cooperation Council (GCC), which is exclusive to six states (i.e., Saudi Arabia, United Arab Emirates, Oman, Qatar, and Kuwait in addition to Bahrain). Amongst these countries, Bahrain is the only one that has recently enacted its own separate Personal Data Protection Law (PDPL) mostly resembling the GDPR due to the ever-increasing commercial relationship with business undertakings in Europe. Moreover, the adoption of the data protection law counts as a huge leap forward taken by the kingdom in reforming its legal framework, since it is the state's striving strategy to grow into a midpoint for data centre, just on time for the launch of data centres opening in Bahrain that are endorsed by Amazon Web Services.

The Personal Data Protection Bill, 2018: India’s regulatory journey towards a comprehensive data protection law

International Journal of Law and Information Technology ◽

10.1093/ijlit/eaaa003 ◽

2020 ◽

Vol 28 (1) ◽

pp. 1-19

Author(s):

Deva Prasad M ◽

Suchithra Menon C

Keyword(s):

Data Protection ◽

Personal Data ◽

Legal Framework ◽

The European Union ◽

Supreme Court Of India ◽

Indian Context ◽

General Data ◽

Data Protection Law

Abstract This article analyses the relevance of Personal Data Protection Bill, 2018 for developing a data protection legal framework in India. In this regard, the article attempts to analyse the evolution process of comprehensive personal data protection law in the Indian context. The manner in which the Personal Data Protection Bill, 2018 will revamp and strengthen the existing data protection regulatory framework forms the major edifice of this article. The article also dwells on the significant role played by the fundamental right to privacy judgment (Justice K.S. Puttaswamy v Union of India) of Supreme Court of India, thus preparing the regulatory ground for the evolution of the Personal Data Protection Bill, 2018. The influence of the European Union General Data Protection Regulation in shaping the Indian legal framework is highlighted. The article also discusses pertinent legal concerns that could question the effectiveness of the proposed data protection legal framework in the Indian context.

ESTUDO SOBRE A REALIZAÇÃO DO DIREITO DA PROTECÇÃO DE DADOS PESSOAIS ATRAVÉS DA JURISPRUDÊNCIA DO TRIBUNAL DE JUSTIÇA DA UNIÃO EUROPEIA

Dereito revista xurídica da Universidade de Santiago de Compostela ◽

10.15304/dereito.29.1.6519 ◽

2020 ◽

Vol 29 (1) ◽

Author(s):

Rita De Sousa Costa

Keyword(s):

European Union ◽

Data Protection ◽

Personal Data ◽

Case Law ◽

Legal Framework ◽

The European Union ◽

Court Of Justice ◽

European Data ◽

Data Protection Law

[PT]No presente texto, apresentamos as grandes linhas de aplicação do direito europeu da protecção de dados conforme gizadas pela jurisprudência do TJUE, com o objectivo de demonstrar como e em que medida este Tribunal modelou – e continua a modelar – o quadro jurídico em vigor, na certeza de que aquela jurisprudência impõe um conjunto de desafios determinantes para a realização material do direito europeu da protecção de dados pessoais. [ESP]Este texto presenta las líneas generales de la aplicación de la legislación europea de protección de datos tal como se establece en la jurisprudencia del TJUE, con el objetivo de demostrar cómo y en qué medida este Tribunal ha configurado -y sigue configurando- el marco jurídico vigente, con la certeza de que la dicha jurisprudencia plantea una serie de retos cruciales para la aplicación material del derecho europeo de la protección de datos personales. [ENG]This text outlines the implementation of the European data protection law as laid down in the case-law of the Court of Justice of the European Union, with the aim of demonstrating how and to what extent the Court has shaped – and continues to shape – the current legal framework. The case-law analysed points out a plethora of challenges which are key to the implementation of the European personal data protection law.

Personal Data Protection in Russia

The Palgrave Handbook of Digital Russia Studies ◽

10.1007/978-3-030-42855-6_6 ◽

2020 ◽

pp. 95-113

Author(s):

Alexander Gurkov

Keyword(s):

Data Protection ◽

Personal Data ◽

Legal Framework ◽

Fundamental Rights ◽

Special Role ◽

State Control ◽

General Data

AbstractThis chapter considers the legal framework of data protection in Russia. The adoption of the Yarovaya laws, data localization requirement, and enactment of sovereign Runet regulations allowing for isolation of the internet in Russia paint a grim representation of state control over data flows in Russia. Upon closer examination, it can be seen that the development of data protection in Russia follows many of the steps taken at the EU level, although some EU measures violated fundamental rights and were invalidated. Specific rules in this sphere in Russia are similar to the European General Data Protection Regulation. This chapter shows the special role of Roskomnadzor in forming data protection regulations by construing vaguely defined rules of legislation.

DEVELOPMENT OF THE PERSONAL DATA PROTECTION FRAMEWORK – WILL THE PANDEMIC BRING NEW CHANGES?

Acta Prosperitatis ◽

10.37804/1691-6077-2021-12-59-66 ◽

2021 ◽

Vol 12 ◽

pp. 59-66

Author(s):

Marta Mackeviča ◽

Keyword(s):

European Union ◽

Data Protection ◽

Personal Data ◽

Legal Framework ◽

Point Of View ◽

The European Union ◽

Personal Privacy ◽

Complex Concept ◽

Personal Data Protection

The General Data Protection Regulation (hereinafter – the Regulation), which entered into force on 25 May 2018 and introduced a new legal framework for the protection of personal data in the European Union, also included a number of new rights, more precise definitions and improvements in the field of personal data protection. The three‐year period has shown that the Regulation has successfully replaced Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement ofsuch data, but the Covid‐19 pandemic posed the question: does the Regulation sufficiently define and explain how controllers should deal with the processing of sensitive data, or in situations where employees of companies and institutions work remotely? Data protection is a complex concept that can be analyzed from both a legal and a social point of view. Traditionally, data protection has been referred to as the protection of personal privacy in the context of processes involving the use of personal data. Prior to the implementation of the Regulation, the existing rules on the protection of personal data in the European Union were not sufficiently uniform and were implemented differently in each Member State. It contributed to the development and implementation of the Regulation, in the hope that it would modernize and promote a common data protection regime, while maintaining all the basic principles of data protection that have been followed so far. Prior to the pandemic, the Regulation successfully achieved its original objectives, but hasthe pandemic necessitated a revision of the Regulation? This article will analyze the development of the legal framework for the protection of personal data and analyze the compliance of the Regulation with the requirements arising from the effects of the pandemic.

Research Biobanking, Personal Data Protection and Implementation of the GDPR in France

GDPR and Biobanking - Law, Governance and Technology Series ◽

10.1007/978-3-030-49388-2_14 ◽

2021 ◽

pp. 257-276

Author(s):

Gauthier Chassang ◽

Michael Hisbergues ◽

Emmanuelle Rial-Sebbag

Keyword(s):

Data Protection ◽

Personal Data ◽

Legal Framework ◽

The European Union ◽

French Law ◽

Research Biobanks ◽

Active Research ◽

Set Up

AbstractSince 1978 and the initial French data protection law (Loi n°78-17 du 6 Janvier 1978), consecutive modifications regarding the protection of personal health data, especially in 2004, 2016 and 2018, set up a strict legal regime for processing sensitive personal data, including for research purposes. In recent years, French law has evolved proactively and in parallel with the work of the European Union (EU) on the preparation of what became the General Data Protection Regulation (GDPR), which has been in force since May 2018. This Chapter performs a state-of-art analysis (as of 1 July 2019) of the French legal framework for research biobanks and data protection rules applying to biobanking, in particular those related to data subjects’ rights and Article 89 of the GDPR. Firstly, it provides updated information about the national landscape of active research biobanks in France (Sect. 1). Secondly, it explores how the French law embodies the developments brought by the GDPR and how it envisages individuals’ rights in the context of research biobanking (Sects. 2 and 3). Thirdly, this Chapter analyses existing and potential national exemptions to individuals’ rights, including with regard to Article 89 GDPR, and how France conceives of processing activities of ‘public interest’ (Sect. 4). Finally, the authors address ongoing debates around bioethics law in France and argue for the creation of a specific Act focused on biobanking as a means of integrating, clarifying and developing not only data protection rules but also other activities related to samples, human or not, in a unique, operational and compact act (Sect. 5).

PERSONAL DATA PROTECTION IN CRIMINAL LAW

Journal of Criminology and Criminal Law ◽

10.47152/rkkp.59.2.7 ◽

2021 ◽

Vol 59 (2) ◽

pp. 113-130

Author(s):

Mladen Milošević ◽

Keyword(s):

Criminal Law ◽

Data Protection ◽

Personal Data ◽

Legal Protection ◽

Legal Framework ◽

Penal Code ◽

Data Protection Law ◽

Legislative Changes

The paper focuses on the norms of Serbian Penal Code that incriminates personal data abuse. Starting with a brief overview of personal data legislation in Serbia, the author states that legal protection of data is guaranteed through constitutional (former federal and republic and the current Constitution) and provisions of Data Protection Law (three Laws were adopted and implemented since 1998), but also with criminal law norms. However, the quality and the implementation of mentioned criminal law provisions is questionable. The author analyses different crimes and notes that certain norms are incoherent with other relevant legislative provisions. The author points to incoherent provisions and provides recommendations de lege ferenda, concluding that legislative changes are needed in order to construct a solid legal framework for personal data protection in domestic Criminal law.

Importance of Personal Data Protection Law for Commercial Air Transport

Transactions on Aerospace Research ◽

10.2478/tar-2017-0004 ◽

2017 ◽

Vol 2017 (1) ◽

pp. 35-44

Author(s):

Dawid Zadura

Keyword(s):

Data Protection ◽

Public Information ◽

Personal Data ◽

Air Transport ◽

Civil Aviation ◽

Aviation Industry ◽

It Systems ◽

Data Protection Law ◽

The Law

Abstract In the review below the author presents a general overview of the selected contemporary legal issues related to the present growth of the aviation industry and the development of aviation technologies. The review is focused on the questions at the intersection of aviation law and personal data protection law. Massive processing of passenger data (Passenger Name Record, PNR) in IT systems is a daily activity for the contemporary aviation industry. Simultaneously, since the mid- 1990s we can observe the rapid growth of personal data protection law as a very new branch of the law. The importance of this new branch of the law for the aviation industry is however still questionable and unclear. This article includes the summary of the author’s own research conducted between 2011 and 2017, in particular his audits in LOT Polish Airlines (June 2011-April 2013) and Lublin Airport (July - September 2013) and the author’s analyses of public information shared by International Civil Aviation Organization (ICAO), International Air Transport Association (IATA), Association of European Airlines (AEA), Civil Aviation Authority (ULC) and (GIODO). The purpose of the author’s research was to determine the applicability of the implementation of technical and organizational measures established by personal data protection law in aviation industry entities.

GDPR Implementation Series ∙ Czech Republic: Personal Data Protection Law

European Data Protection Law Review ◽

10.21552/edpl/2020/2/15 ◽

2020 ◽

Vol 6 (2) ◽

pp. 289-293

Author(s):

J. Míšek ◽

F. Kasl ◽

P. Loutocký

Keyword(s):

Czech Republic ◽

Data Protection ◽

Personal Data ◽

Data Protection Law

The Risk-Based Approach to Data Protection

10.1093/oso/9780198837718.001.0001 ◽

2020 ◽

Author(s):

Raphaël Gellert

Keyword(s):

Risk Management ◽

Data Protection ◽

Personal Data ◽

Management Tools ◽

Regulation Theory ◽

Régulation Theory ◽

General Data ◽

Data Protection Law ◽

The Way

The main goal of this book is to provide an understanding of what is commonly referred to as “the risk-based approach to data protection”. An expression that came to the fore during the overhaul process of the EU’s General Data Protection Regulation (GDPR)—even though it can also be found in other statutes under different acceptations. At its core it consists in endowing the regulated organisation that process personal data with increased responsibility for complying with data protection mandates. Such increased compliance duties are performed through risk management tools. It addresses this topic from various perspectives. In framing the risk-based approach as the latest model of a series of regulation models, the book provides an analysis of data protection law from the perspective of regulation theory as well as risk and risk management literatures, and their mutual interlinkages. Further, it provides an overview of the policy developments that led to the adoption of such an approach, which it discusses in the light of regulation theory. It also includes various discussions pertaining to the risk-based approach’s scope and meaning, to the way it has been uptaken in statutes including key provisions such as accountability and data protection impact assessments, or to its potential and limitations. Finally, it analyses how the risk-based approach can be implemented in practice by providing technical analyses of various data protection risk management methodologies.

Data Protection Impact Assessment (DPIA) for Cloud-Based Health Organizations

Future Internet ◽

10.3390/fi13030066 ◽

2021 ◽

Vol 13 (3) ◽

pp. 66

Author(s):

Dimitra Georgiou ◽

Costas Lambrinoudakis

Keyword(s):

Impact Assessment ◽

Data Protection ◽

Gap Analysis ◽

Health Care Organization ◽

Personal Data ◽

Care Organization ◽

The European Union ◽

Compliance Level

The General Data Protection Regulation (GDPR) harmonizes personal data protection laws across the European Union, affecting all sectors including the healthcare industry. For processing operations that pose a high risk for data subjects, a Data Protection Impact Assessment (DPIA) is mandatory from May 2018. Taking into account the criticality of the process and the importance of its results, for the protection of the patients’ health data, as well as the complexity involved and the lack of past experience in applying such methodologies in healthcare environments, this paper presents the main steps of a DPIA study and provides guidelines on how to carry them out effectively. To this respect, the Privacy Impact Assessment, Commission Nationale de l’Informatique et des Libertés (PIA-CNIL) methodology has been employed, which is also compliant with the privacy impact assessment tasks described in ISO/IEC 29134:2017. The work presented in this paper focuses on the first two steps of the DPIA methodology and more specifically on the identification of the Purposes of Processing and of the data categories involved in each of them, as well as on the evaluation of the organization’s GDPR compliance level and of the gaps (Gap Analysis) that must be filled-in. The main contribution of this work is the identification of the main organizational and legal requirements that must be fulfilled by the health care organization. This research sets the legal grounds for data processing, according to the GDPR and is highly relevant to any processing of personal data, as it helps to structure the process, as well as be aware of data protection issues and the relevant legislation.