Analysis of the US Privacy Model

International Journal of Hyperconnectivity and the Internet of Things ◽

10.4018/ijhiot.2019010103 ◽

2019 ◽

Vol 3 (1) ◽

pp. 43-52

Author(s):

Francisco García Martínez

Keyword(s):

Data Privacy ◽

Personal Information ◽

National Level ◽

The United States ◽

The European Union ◽

General Data Protection Regulation ◽

Privacy Laws ◽

The Us ◽

General Data ◽

The Eu

The creation of the General Data Protection Regulation (GDPR) constituted an enormous advance in data privacy, empowering the online consumers, who were doomed to the complete loss of control of their personal information. Although it may first seem that it only affects companies within the European Union, the regulation clearly states that every company who has businesses in the EU must be compliant with the GDPR. Other non-EU countries, like the United States, have seen the benefits of the GDPR and are already developing their own privacy laws. In this article, the most important updates introduced by the GDPR concerning US corporations will be discussed, as well as how American companies can become compliant with the regulation. Besides, a comparison between the GDPR and the state of art of privacy in the US will be presented, highlighting similarities and disparities at the national level and in states of particular interest.

Download Full-text

Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems (C.J.E.U.)

International Legal Materials ◽

10.1017/ilm.2020.62 ◽

2021 ◽

Vol 60 (1) ◽

pp. 53-98

Author(s):

Michael S. Aktipis ◽

Ron B. Katwan

Keyword(s):

Data Protection ◽

Data Privacy ◽

Personal Data ◽

The United States ◽

Transfer Mechanism ◽

The European Union ◽

Privacy Concerns ◽

General Data Protection Regulation ◽

General Data ◽

The Eu

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its ruling in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, commonly known as Schrems II, invalidating the EU–U.S. Privacy Shield as a valid transfer mechanism under the EU's General Data Protection Regulation (GDPR) and creating significant legal uncertainty for the continued availability of another widely used transfer mechanism, Standard Contractual Clauses (SCCs), for transfers of EU personal data from commercial entities in the EU to the United States. The widely anticipated ruling marked the second time in five years that the CJEU had invalidated the legal foundation for such data transfers, which in both cases had been the result of a carefully negotiated compromise balancing European data privacy concerns with statutory and constitutional limitations of the U.S. system (see Schrems I).

Download Full-text

A Layered Approach to Jurisdiction

10.1093/oso/9780198795674.003.0010 ◽

2017 ◽

Author(s):

Dan Jerker B. Svantesson

Keyword(s):

Data Protection ◽

Data Privacy ◽

General Data Protection Regulation ◽

Legal Rules ◽

Privacy Laws ◽

Scope Of Application ◽

General Data ◽

Layered Approach ◽

Substantive Law

This chapter observes how it may be inappropriate to apply a single jurisdictional threshold to diverse instruments such as data privacy laws. In the light of this observation, a proposal is outlined for a ‘layered approach’ under which the substantive law rules of such instruments are broken up into different layers, with different jurisdictional thresholds applied to each such layer. This layered approach is discussed primarily as a technique to be utilized in legal drafting, but it may also be applied in the interpretation and application of legal rules. Article 3 of the European Union’s General Data Protection Regulation, which determines that regulation’s scope of application in a territorial sense, provides a particularly useful lens through which to approach this topic and, thus, the discussion is largely centred around that Article.

Download Full-text

Complying with Privacy Legislation: From Legal Text to Implementation of Privacy-Aware Location-Based Services

ISPRS International Journal of Geo-Information ◽

10.3390/ijgi7110442 ◽

2018 ◽

Vol 7 (11) ◽

pp. 442 ◽

Cited By ~ 1

Author(s):

Mehrnaz Ataei ◽

Auriol Degbelo ◽

Christian Kray ◽

Vitor Santos

Keyword(s):

Data Privacy ◽

Location Privacy ◽

Service Providers ◽

Location Based Services ◽

Legal Text ◽

General Data Protection Regulation ◽

Location Data ◽

Privacy Laws ◽

Technical Issues ◽

General Data

An individual’s location data is very sensitive geoinformation. While its disclosure is necessary, e.g., to provide location-based services (LBS), it also facilitates deep insights into the lives of LBS users as well as various attacks on these users. Location privacy threats can be mitigated through privacy regulations such as the General Data Protection Regulation (GDPR), which was introduced recently and harmonises data privacy laws across Europe. While the GDPR is meant to protect users’ privacy, the main problem is that it does not provide explicit guidelines for designers and developers about how to build systems that comply with it. In order to bridge this gap, we systematically analysed the legal text, carried out expert interviews, and ran a nine-week-long take-home study with four developers. We particularly focused on user-facing issues, as these have received little attention compared to technical issues. Our main contributions are a list of aspects from the legal text of the GDPR that can be tackled at the user interface level and a set of guidelines on how to realise this. Our results can help service providers, designers and developers of applications dealing with location information from human users to comply with the GDPR.

Download Full-text

A Weaponized Court of Justice in Schrems II

Nordic Journal of European Law ◽

10.36969/njel.v4i2.23778 ◽

2021 ◽

Vol 4 (2) ◽

pp. 1-18

Author(s):

Jeffery Atik ◽

Xavier Groussot

Keyword(s):

European Union ◽

National Security ◽

The United States ◽

Constitutional Court ◽

The European Union ◽

General Data Protection Regulation ◽

Legal Development ◽

Court Of Justice ◽

General Data ◽

The U.S

The U.S.-EU conflict over the application of the General Data Protection Regulation (GDPR) to U.S.-based digital platform companies is marked by a startling legal development: the insertion of a constitutional court squarely into the heart of the dispute. The engagement of the EU’s top court - the Court of Justice (CJEU) - in the Schrems I and Schrems II cases - has significantly inflamed the dispute. The CJEU has now twice struck down GDPR accommodations reached between the United States and the European Union. In doing so, the Court has rebuked both U.S. and EU officials. By transfiguring provisions of the GDPR with constitutional (that is, treaty-based) and human rights values, the Court has placed out of reach any accommodation that does not involve significant reform of U.S. privacy and national security provisions. Heated trans-Atlantic disputes involving assertions of extraterritorial extensions of regulatory power is an inappropriate place for a constitutional court like the CJEU to throw its declarative weight around.

Download Full-text

Privacy Rights Management

Electronic Government ◽

10.4018/978-1-59904-947-2.ch105 ◽

2011 ◽

pp. 1400-1412

Author(s):

Larry Korba ◽

Ronggong Song ◽

George Yee

Keyword(s):

European Union ◽

Data Privacy ◽

Digital Rights Management ◽

The United States ◽

The European Union ◽

Privacy Rights ◽

Technical Requirements ◽

Privacy Laws ◽

Personally Identifiable Information ◽

Rights Management

Managing privacy is important because organizations must meet legislative and organizational requirements. Some countries, such as the United States of America, have a patchwork of legislation, making it difficult to understand technical requirements. Other countries, such as Canada and the European Union, have well-established and understood privacy laws. As well, many different technologies that may be applied to provide compliance with those laws exist, but there are no established technological solutions suited for handling all of the challenging requirements expressed by privacy regulations. The question remains: how can a citizen’s privacy rights be managed or enforced? This article describes extensions to a privacy architecture that employs digital rights management technologies to manage individual data privacy. Several scenarios related to the management of personally identifiable information are described, illustrating how the system operates in support of the requirements expressed in the European Union privacy principles.

Download Full-text

Your Data Is My Data: A Framework for Addressing Interdependent Privacy Infringements

Journal of Public Policy & Marketing ◽

10.1177/0743915619858924 ◽

2019 ◽

Vol 38 (4) ◽

pp. 433-450 ◽

Cited By ~ 7

Author(s):

Bernadette Kamleitner ◽

Vince Mitchell

Keyword(s):

Data Protection ◽

Privacy Protection ◽

Personal Information ◽

The European Union ◽

Current Policy ◽

General Data Protection Regulation ◽

Major Threat ◽

Fourth Class ◽

General Data ◽

Multiple Actors

Everyone holds personal information about others. Each person’s privacy thus critically depends on the interplay of multiple actors. In an age of technology integration, this interdependence of data protection is becoming a major threat to privacy. Yet current regulation focuses on the sharing of information between two parties rather than multiactor situations. This study highlights how current policy inadequacies, illustrated by the European Union General Data Protection Regulation, can be overcome by means of a deeper understanding of the phenomenon. Specifically, the authors introduce a new phenomenological framework to explain interdependent infringements. This framework builds on parallels between property and privacy and suggests that interdependent peer protection necessitates three hierarchical steps, “the 3Rs”: realize, recognize, and respect. In response to observed failures at these steps, the authors identify four classes of intervention that constitute a toolbox addressing what can be done by marketers, regulators, and privacy organizations. While the first three classes of interventions address issues arising from the corresponding 3Rs, the authors specifically advocate for a fourth class of interventions that proposes radical alternatives that shift the responsibilities for privacy protection away from consumers.

Download Full-text

A Tale of Two Privacy Laws: The GDPR and the International Right to Privacy

AJIL Unbound ◽

10.1017/aju.2019.79 ◽

2020 ◽

Vol 114 ◽

pp. 26-30

Author(s):

Vivek Krishnamurthy

Keyword(s):

Data Privacy ◽

Political Rights ◽

Right To Privacy ◽

General Data Protection Regulation ◽

The Right To Privacy ◽

Digital World ◽

Privacy Laws ◽

General Data ◽

The Right ◽

The Relationship

The European Union's General Data Protection Regulation (GDPR) is widely viewed as setting a new global standard for the protection of data privacy that is worthy of emulation, even though the relationship between the GDPR and existing international legal protections for the right to privacy remain unexplored. Correspondingly, this essay examines the relationship between these two bodies of law, and finds that the GDPR's provisions are neither necessary nor sufficient to protect the right to privacy as enshrined in Article 17 of the International Covenant on Civil and Political Rights (ICCPR). It argues that there are other equally valid and effective approaches that states can pursue to protect the right to privacy in an increasingly digital world, including the much-maligned American approach of regulating data privacy on a sectoral basis.

Download Full-text

Can Visual Design Provide Legal Transparency? The Challenges for Successful Implementation of Icons for Data Protection

Design Issues ◽

10.1162/desi_a_00605 ◽

2020 ◽

Vol 36 (3) ◽

pp. 82-96

Author(s):

Arianna Rossi ◽

Monica Palmirani

Keyword(s):

Data Protection ◽

Participatory Design ◽

Data Privacy ◽

Personal Data ◽

Successful Implementation ◽

The European Union ◽

General Data Protection Regulation ◽

General Data ◽

Legal Ontologies ◽

Machine Readable

Design is a key player in the future of data privacy and data protection. The General Data Protection Regulation (GDPR) established by the European Union aims to rebalance the information asymmetry between the organizations that process personal data and the individuals to which that data refers. Machine-readable, standardized icons that present a “meaningful overview of the intended processing” are suggested by the law as a tool to enhance the transparency of information addressed to data subjects. However, no specific guidelines have been provided, and studies on privacy iconography are very few. This article describes research conducted on the creation and evaluation of icons representing data protection concepts. First, we introduce the methodology used to design the Data Protection Icon Set (DaPIS): participatory design methods combined with legal ontologies and machine-readable representations. Second, we discuss some of the challenges that have been faced in the development and evaluation of DaPIS and similar icon sets. Third, we provide some tentative responses and indicate a way forward for evaluation of the effectiveness of privacy icons and their widespread adoption.

Download Full-text

Troubleshooting AI and Consent

The Oxford Handbook of Ethics of AI ◽

10.1093/oxfordhb/9780190067397.013.23 ◽

2020 ◽

pp. 357-374

Author(s):

Meg Leta Jones ◽

Elizabeth Edenberg

Keyword(s):

Data Protection ◽

The United States ◽

The European Union ◽

Daily Lives ◽

General Data Protection Regulation ◽

Choice Making ◽

General Data ◽

The Individual ◽

Alternative Solutions

This chapter addresses the controversy over the role of consent in data protection, as artificial intelligence systems have proliferated in people’s daily lives. Digital consent has been criticized as a meaningless, procedural act because users encounter so many different, long, and complicated terms of service that do not help them effectively assess potential harms or threats. AI systems have played a role in exacerbating existing issues, creating new challenges, and presenting alternative solutions. Most of the critiques and cures for this broken arrangement address choice-making, not consent. As the United States debates whether and why to break up big tech, and the European Union considers enforcement actions under the General Data Protection Regulation and how to update its laws to address tracking techniques in a new AI-driven smart world, consent cannot be confused with choice. Consent must be defined by its moral core, involving clear background conditions, defined scope, knowledge, voluntariness, and fairness. When consent meets these demands, it remains a powerful tool for contributing to meaningful data protection at the individual and societal levels.

Download Full-text