A Reality Check of the Schrems Saga

From an enforcement point of view, the revocation of the European Commission’s two adequacy decisions on the federal US system of data protection raises many questions regarding the interrelations between the EU data protection regime and the Union’s legal frameworks for data ‘transfers’. Whereas data uploaded in the Union was once upon a time wired over the Atlantic to be downloaded in the US and vice versa, data packets are nowadays often exchanged over various radio spectra. As online resources around the world can be used to store data, and the data is made available and retrieved from domains rather than ‘exported’ and ‘imported’, the idea that the EU data protection regime would no longer apply when data is ‘transferred’ from the Union easily leads astray. In fact, the location of data or data processing equipment is irrelevant for the applicability of EU law as its territorial scope is determined by the location of the data subjects or undertakings concerned. Whereas the EU legislation applies with regard to legal entities overseas with affiliated undertakings in the Union, the Union seeks to guarantee the EU data subjects an adequate level of protection also in cases of onward transfers of data to non-affiliated organisations and unwarranted interceptions. Furthermore, the European Commission promotes a level of protection in non-EU Member States that is essentially equivalent to that enjoyed under the EU data protection regime since the authorities and courts may refrain from applying EU law pursuant to private international law. However, the Cases which resulted in the revocation of the two adequacy decisions concerned an Austrian citizen filing complaints against an undertaking established in Ireland and its US parent company. Hence, it must be called into question whether the EU data protection regime should at all have been substituted by the US system irrespective of whether it provided an adequate level of data protection. An argument could be made that the adequacy decisions applied beyond the substantive scope of EU law, but that brings questions to fore about the competence of the Union to adopt such decisions. In addition, the procedural system introduced in the first Case regarding Mr. Schrems is rather problematic as it requires national authorities and courts to assess the validity of adequacy decisions. Besides the distortion of the right for national courts to request preliminary rulings into an obligation to do so, most data subject are reluctant to get involved in disputes about the entire legal regime. In many instances, the data subject may rather rely on her or his procedural rights as a consumer. In this article, a systematic analysis of these aspects of the EU privacy safeguards is provided.

A Mixed Method Study on the Effectiveness of Using Virtual Reality to Improve Adolescent Public Speaking

This study analyzes the extent to which virtual reality technology is effective in improving self-confidence in children and adolescents ages 12-18 when public speaking. Using a mixed method of both quantitative and qualitative data, subject responses were collected through a pre- and post-test survey prior to and after completing a set of three virtual reality simulations. The data demonstrated that with an increasing number of audience members present in a virtual simulation, subject confidence levels decreased, suggesting that virtual reality can be used as an effective tool in reducing public speaking anxiety. While the current study supports this claim, additional research should be conducted based on the limitations of this study, specifically to enlarge the sample size beyond 20 subjects.

Assesing the Merger of Online Platform Companies: Does it Lead to Monopoly or just Business Expansion? (Analysis of The Merged Company of GoTo)

Two large digital platform companies, Gojek and Tokopedia, officially merged to form a holding company called the GoTo Group that is considered to have anti-competitive behavior and potentially data monopoly. This article aimed to analyze the adequate response to potential violations of the Prohibition of Monopolistic Practices and Unfair Business Competition Regulation and legal issues related to consumer data monopoly issues. This article uses normative legal research with the conceptual research and statute approach. The result shows that it is necessary to define “relevant markets” and the “substituted products” to determine the existence of unfair business competition in the Gojek-Tokopedia merger. It requires analyzing the consumer behavior in other marketplaces other than Tokopedia; when consumers do not "run" to Gojek, it means they are not in the same market. To prevent privacy protection failures in post-merger data integration, companies need to assess data sharing that may be carried out as part of a risk assessment. Regarding the rights of data subjects, The company needs to provide notification to the data subject regarding the Merger and Acquisition (M & A) given the data subject's right to refuse and guarantee that the M & A process will not violate the right to privacy of the customer's dataKeywords: Competition Law; Digital Platform; Merger Menilai Penggabungan Perusahaan Platform Online: Apakah Mengakibatkan Monopoli atau Hanya Ekspansi Bisnis? (Analisis Penggabungan GoTo)AbstrakDua perusahaan platform digital besar, Gojek dan Tokopedia, resmi bergabung membentuk holding company bernama GoTo Group yang dinilai memiliki perilaku anti persaingan dan berpotensi monopoli data. Artikel ini bertujuan untuk menganalisis respon yang memadai terhadap potensi pelanggaran Peraturan Larangan Praktik Monopoli dan Persaingan Usaha Tidak Sehat serta masalah hukum terkait masalah monopoli data konsumen. Artikel ini menggunakan penelitian hukum normatif dengan pendekatan penelitian konseptual dan undang-undang. Hasil penelitian menunjukkan perlunya mendefinisikan “pasar relevan” dan “produk substitusi” untuk mengetahui adanya persaingan usaha tidak sehat dalam merger Gojek-Tokopedia. Hal ini membutuhkan analisis perilaku konsumen di pasar lain selain Tokopedia; ketika konsumen tidak “lari” ke Gojek, berarti mereka tidak berada di pasar yang sama. Untuk mencegah kegagalan perlindungan privasi dalam integrasi data pasca-merger, perusahaan perlu menilai pembagian data yang mungkin dilakukan sebagai bagian dari penilaian risiko. Mengenai hak subjek data, Perusahaan perlu memberikan pemberitahuan kepada subjek data mengenai Merger dan Akuisisi (M&A) mengingat hak subjek data untuk menolak dan menjamin bahwa proses M&A tidak akan melanggar hak privasi data pelangganKata Kunci: Hukum Persaingan Usaha; Platform Digital; PenggabunganОценка слияний компаний онлайн-платформ: приведет ли это к монополии или просто к расширению бизнеса? (Анализ слияний GoTo (Gojek и Tokopedia) АннотацияДве крупные компании, занимающиеся цифровыми платформами, Gojek и Tokopedia, официально объединили свои усилия, чтобы сформировать холдинговую компанию GoTo Group, которая, как считается, ведет антиконкурентную политику и может монополизировать данные. Данная статья направлена на анализ адекватного реагирования на возможные нарушения Положения о запрещении монополистической практики и недобросовестной конкуренции, а также на правовые вопросы, связанные с проблемой монополии на данные потребителей. В данной статье используется нормативно-правовое исследование с концептуальным и правовым исследовательским подходом. Результаты исследования указывают на необходимость определить «соответствующие рынки» и «продукты-заменители», чтобы определить наличие недобросовестной деловой конкуренции в слиянии Gojek-Tokopedia. Это требует анализа поведения потребителей на рынках, отличных от Tokopedia; когда потребители не «бегут» в Gojek, это означает, что они не находятся на одинаковом рынке. Чтобы предотвратить сбои в защите конфиденциальности при интеграции данных после слияния, компаниям необходимо оценить возможное совместное использование данных в рамках оценки рисков. Что касается прав субъекта данных, Компания должна уведомить субъект данных о слиянии и поглощении (M&A), учитывая право субъекта данных отказаться и гарантировать, что процесс M&A не нарушит права на конфиденциальность данных клиента.Ключевые слова: Закон о деловой конкуренции; цифровые платформы; слияние

Active Aging and the Mattheus Effect

While active ageing has been discursivized in international organizations and among researchers as a major means to combat the challenges of demographic ageing, this study aims to make a critical-theoretical and empirical assessment of the active ageing concept. It falls into three parts, the first showing how the conceptual framework of active ageing is undertheorized, lacks conceptual and analytical clarity, and that the theoretical framework does not hold clear ideas regarding the factors conditioning active ageing. The second part investigates the main patterns and structuring mechanisms of active ageing in an outcome perspective using Danish data subject to a correspondence analysis. Here, a Matthew Effect of accumulated advantage is found; that is, older adults who are blessed in one sphere of life are also blessed in others, and such inequalities in old age are the outcomes of social life biographies (i.e., cumulative advantages/disadvantages over the life course). Although nursed by the political system, EU ideas about active ageing are only weakly translated into policies and programs. Part three discusses some of the reasons for this, one obviously being that active ageing is elusive and lacks well-defined cause-and-effect descriptions. Another reason is that the concept has been developed in global elite networks that are quite distant from policymakers; at least in a decentralized political system like the Danish welfare state.

Delegation-Based Personal Data Processing Request Notarization Framework for GDPR Based on Private Blockchain

With the growing awareness regarding the importance of personal data protection, many countries have established laws and regulations to ensure data privacy and are supervising managements to comply with them. Although various studies have suggested compliance methods of the general data protection regulation (GDPR) for personal data, no method exists that can ensure the reliability and integrity of the personal data processing request records of a data subject to enable its utilization as a GDPR compliance audit proof for an auditor. In this paper, we propose a delegation-based personal data processing request notarization framework for GDPR using a private blockchain. The proposed notarization framework allows the data subject to delegate requests to process of personal data; the framework makes the requests to the data controller, which performs the processing. The generated data processing request and processing result data are stored in the blockchain ledger and notarized via a trusted institution of the blockchain network. The Hypderledger Fabric implementation of the framework demonstrates the fulfillment of system requirements and feasibility of implementing a GDPR compliance audit for the processing of personal data. The analysis results with comparisons among the related works indicate that the proposed framework provides better reliability and feasibility for the GDPR audit of personal data processing request than extant methods.

Public interests as a basis for the genetic information obtaining and using without consent of the person

The article systematically examines the collection, storage, dissemination and use of information about private life (including genetic data) without the consent of the data subject under the pretext of having public interests. The relevant legal provision (Article 152.2 of the Civil Code of the Russian Federation) is subjected to a thorough critical analysis from the perspective of: a) identifying its relationship with the norm of the Civil Code of the Russian Federation, which provides for a general ban on uncoordinated transactions with the specified information; b) the breadth and uncertainty of the content (including due to the absence of any differentiation of regulation based on the type of actions performed on the information, as well as the evaluative nature of the concept of public interest). Based on the thesis about the inexpediency of unconditional refusal to use the category of public interest, the author emphasizes the relevance of the formulation and legislative fixation of algorithms for recognizing the fact of the presence of public interest (taking into account the provisions of Article 55 of the Constitution of the Russian Federation), as well as the establishment of restrictions of a subject, target, organizational and other nature for the collection, storage, dissemination and use of information about private life in the public interest. Particular attention is paid to the issue of the voluntary participation of individuals in the planned general genetic passporting of the population of Russia (it is emphasized that ignoring the principle of consent cannot be explained only by referring to the presence of public interest).

Digital data: is a new legal regulation needed?

This article analyzes the phenomenon of digital data and its impact on both the daily lives of each individual and businesses. Article discusses the legal issue of data ownership, which is inextricably linked with the emergence of Big data. The EU legal regulation of digital data faces the following shortcomings: i. legal regulation of data does not keep pace with the rapid development of technology and the phenomenon of such large-scale data creation; ii. the current EU data legislation is intended to protect the interests of the data subject or business and not to create a common data regulatory ecosystem. For these reasons, the question of data ownership is raised, which is thought to be able to change the whole legal perception of digital data in the further evolution of the Industrial Revolution.

Wybrane aspekty prawne dotyczące przetwarzania danych biometrycznych pracowników

<p>Given the growing popularity of biometrics, doubts about the conditions for biometric data processing can be noticed in practice. These inaccuracies take place in various areas of law, including labour law. This article provides a theoretical discussion on the processing of special categories of data. It aims to point to the need for appropriate legal regulations to ensure the security of the processing of biometric data of employees and candidate employees. The article starts with clarifying the concept of biometric data and discusses the practical aspects of the use of biometric tools. Further on, the author analyses the legal regulations concerning the processing of biometric data in the relations between the employer as the personal data controller and the employee as the data subject. As a result of the studies carried out, a position was presented which indicates that the employer who processes biometric data of employees and candidates for employment should always find out whether he has legal justification to process the data in question. This article is one of the few studies on the processing of biometric data in Polish literature on the subject. The main purpose hereof is to present situations under the current legislation, in which the employer can process biometric data of its employees. The article is a form of universal presentation of the problem and may be of interest especially to legal practitioners.</p>

The Adequacy of Data Protection Laws in Protecting Personal Data in Malaysia

With the burgeoning technology, Malaysia has seen a staggering number of data breaches and data leaks within this past decade alone, with no signs of the trend decreasing. This has raised questions on whether the Personal Data Protection Act 2010 (PDPA) adequately protects the personal data of Malaysians. With the recent COVID-19 pandemic, data has been collected on a larger scale than before, with more frequent data leaks occurring. Hence, this study aims to analyse the adequacy of the PDPA by benchmarking it to the United Kingdom’s (UK) Data Protection Act 2018, which have seen a decrease in data breaches since the implementation of the new legislation. In this context, personal data refers to information processed or recorded that relates directly or indirectly to a data subject, who may be identified from the information and may include sensitive personal data. The study uses a doctrinal analysis methodology to best explore the ideas and concepts within the literature available regarding the protection of personal data. The study also employs a comparative analysis methodology by comparing the scope and application of Malaysian and UK legislation for benchmarking. The findings suggest that there are improvements to be made for the PDPA to be adequate.

The Death of the Data Subject

This paper situates the data privacy debate in the context of what I call the death of the data subject. My central claim is that concept of a rights-bearing data subject is being pulled in two contradictory directions at once, and that simultaneous attention to these is necessary to understand and resist the extractive practices of the data industry. Specifically, it is necessary to treat the problems facing the data subject structurally, rather than by narrowly attempting to vindicate its rights. On the one hand, the data industry argues that subjects of biometric identification lack legal standing to pursue claims in court, and Facebook recently denied that that its facial recognition software recognizes faces. On the other hand, industry takes consent to terms of service and arbitration clauses to create enforceable legal subject positions, while using promises of personalization to create a phenomenological subject that is unaware of the extent to which it is being manipulated. Data subjects thus have no legal existence when it is a matter of corporate liability, but legal accountability when it is a matter of their own liability. Successful reform should address the power asymmetries between individuals and data companies that enable this structural disempowerment.