New Boundaries for the Right to Be Forgotten?

The right to be forgotten has come to the forefront of the academic debate as a reaction to Court of Justice's decision in case C-507/17 Google LLC c. CNIL concerning the issue of geographical extension of the delisting obligation. Along with the development of CJEU jurisprudence, national courts have developed their own caselaw interpreting and adapting the right to be forgotten, now included in art 17 of the General Data Protection Regulation, to the pre-existing legal framework. Italian courts, and in particular the Italian Supreme Court, have addressed in several occasions the features and facets of the right to be forgotten, and the recent decision of the Grand Chamber (n. 19681, 22 July 2019) is the last though not the least. Starting form this decision, the chapter will analyse how the Supreme Court has attempted to systematise the right to be forgotten distinguishing what is called the traditional application of the right from the ones emerging in the digital context.

The Impact of the GDPR on Extra-EU Legal Systems

The chapter discusses the influence of the General Data Protection Regulation (GDPR) on legal systems extra-EU and particularly the Kingdom of Bahrain, country member to a regional organisation located in the Arabian Gulf denominated Gulf Cooperation Council (GCC), which is exclusive to six states (i.e., Saudi Arabia, United Arab Emirates, Oman, Qatar, and Kuwait in addition to Bahrain). Amongst these countries, Bahrain is the only one that has recently enacted its own separate Personal Data Protection Law (PDPL) mostly resembling the GDPR due to the ever-increasing commercial relationship with business undertakings in Europe. Moreover, the adoption of the data protection law counts as a huge leap forward taken by the kingdom in reforming its legal framework, since it is the state's striving strategy to grow into a midpoint for data centre, just on time for the launch of data centres opening in Bahrain that are endorsed by Amazon Web Services.

Is “Privacy” a Means to Protect the Competition or Advance Objectives of Innovation and Consumer Welfare?

The relationship between competition law and privacy is still seen as problematic with academics and professionals trying to adequately assess the impact of privacy on the competition law sphere. The chapter looks at the legal development of the EU merger proceedings to conclude that EU competition law is based on the prevailing approach and assesses decisions involving data through the spectrum of keeping a competitive equilibrium in hypothetical markets. Secondly, it considers the legal developments in the EU Member States' practice, which acknowledges the apparent intersection between the phenomena of competition law and privacy. This chapter attempts to propose that privacy concerns appear to hold a multidimensional approach on competition legal regime; nevertheless, it does not result in the need of legal changes within the remits of competition law, as the privacy concerns are already protected by the data protection and consumer protection law.

Where Now for the Right to Be Forgotten?

Increased recognition of the pervasiveness of information collected and accessed has led to concern as to its impact on privacy. The ability to impact people's lives with the easy availability of information that in other eras would have remained hidden or “forgotten” is highlighted by the use of the internet for instant recall. Such information, which organizations often hold for commercial benefit, is increasingly made available through search results or from online archives. This chapter will focus on the impact of the Google Spain case, which was believed to have created a new right to be forgotten, leading to the finalization of Article 17 of the General Data Protection Regulation. The author will then examine more recent cases where the new right has been applied and their impact on defining its scope. In particular, the author will focus on the UK joined cases of NT1 and NT2.

The Unexpected Consequences of the EU Right to Be Forgotten

The right to be forgotten as established in the CJEU's decision in Google Spain is the first online data privacy right recognized in the EU legal order. This contribution explores two currently underdeveloped in the literature aspects of the right to be forgotten: its unexpected consequences on search engines and the difficulties of its implementation in practice by the latter. It argues that the horizontal application of EU privacy rights on private parties, such as internet search engines—as undertaken by the CJEU—is fraught with conceptual gaps, dilemmas, and uncertainties that create confusions about the enforceability of the right to be forgotten and the role of search engines. In this respect, it puts forward a comprehensive legal framework for the implementation of this right, which aims to ensure a legally certain and proportionate balance of the competing interests online in the light of the EU's General Data Protection Regulation (GDPR).

Biometric Data in the EU (Reformed) Data Protection Framework and Border Management

Biometrics technologies have been spreading cross-sector in the public and private domains. Their potential intrusiveness, in particular regarding privacy and data protection, has called the European legislators, in the recent EU data protection reform, to introduce a definition of “biometric data,” and to grant biometric data specific protection, as a “special category of data.” Despite the reformed framework, in the field of border management, the use of biometric data is expected to increase steadily because it is seen as a more efficient and reliable solution. This chapter will look into the reformed data protection and border management legal frameworks to highlight discrepancies between the two, and ultimately assess to what extent the new data protection reformed regime for biometric data is satisfactory.

Erosion by Standardisation

This chapter examines the interplay between the GDPR and parallel private regulation in the form of privacy-related standards adopted by the International Organisation for Standardisation (ISO). Focusing on the understanding of ‘risks' in the GDPR and ISO respective ecosystems, it compares the GDPR requirement for Data Protection Impact Assessments (DPIAs) with ISO/IEC 29134:2017, a private standard on Privacy Impact Assessment explicitly referred to by EU Data Protection Authorities as relevant in the context of DPIA methods. The resulting gap analysis identifies and maps misalignments, critically reflecting on whether the parallel form of ISO regulation, in the context of DPIAs, could support or rather blurs GDPR's objective to protect fundamental rights by embracing a risks-based approach.

Is There Anything Left of the Portuguese Law Implementing the GDPR?

The entry into force of the General Data Protection Regulation (GDPR) was expected to cause difficulties to data controllers and data processors mostly due to the practical consequences of the accountability principle and the role of risk. However, in Portugal, there were supplementary problems triggered by two events: the long legislative process of the national law implementing the GDPR and the decision of the national supervisory authority to disapply nine provisions of it. In August 2019, the Portuguese Parliament adopted the law implementing the GDPR, Law 58/2019, and one month later, the Portuguese supervisory authority, Comissão Nacional de Proteção de Dados, decided that nine articles of the recently adopted national law were incompatible with European Union Law. This chapter aims to address this chain of events, to understand the reasoning behind the decision of the Portuguese authority, and to tackle its practical consequences to day-to-day data-processing activities of data controllers and data processors. Overall, it also aims to evaluate what is left of the national piece of legislation after this decision.

GDPR in Between Profiles and Decision-Making

The creation and application of profiles may affect individuals and their lives. The lack of transparency and accuracy that may result from these profiles can cause asymmetries of knowledge and unbalanced distribution of powers between business entities and individual subjects. As such, profiling challenges the protection of individuals and generates concerns over the individuals' privacy and data protection. In using profiling practices, every business entity must comply with data protection legislation.The purpose of the chapter is to examine the effectiveness of the GDPR to ensure protection for individuals within the context of profiling. It identifies and analyses, from a profiling point of view, a number of strengths and weaknesses associated with the general data protection principles as adopted under the Article 5 GDPR. The author argues that profiling contradicts the transparent nature of data protection principles, and thus of the GDPR. In practice, the law is ineffective to ensure fair, lawful, and transparent profiling activities to safeguard individuals and their rights.

GDPR

Implementation of the GDPR changed the way how personal data of EU customers are processed. The purpose of this chapter is to explore the links between the rights of customers as a data subject and related aspects of customer satisfaction. Entities in modern economy (encompassing not only goods and services but also intellectual property) generate and process huge quantities of customer data. Information and communication technology (ICT) infrastructure became a basis for the digital economy and society in the EU (settled by Eurostat as ISOC) that definitely replaced the previous era of the information economy that was based on the effective acquisition, dissemination, and use of information. Data-driven marketing puts data at the center of additional value creation and brings new insights and perspectives, included in the results of this research. The impact of GDPR on customer-centric ICT, stronger consumer awareness of data protection rights, creates new pathways to customer centricity and the legal and technical aspects of data processing within the digital economy ecosystem.