The “Riskification” of European Data Protection Law through a two-fold Shift

2017 ◽  
Vol 8 (3) ◽  
pp. 506-540 ◽  
Author(s):  
Milda MACENAITE

The importance of the concept of risk and risk management in the data protection field has grown explosively with the adoption of the General Data Protection Regulation (2016/679). The article explores the concept and the role of risk, as well as associated risk regulation mechanisms in EU data protection law. It shows that with the adoption of the General Data Protection Regulation there is evidence of a two-fold shift: first on a practical level, a shift towards risk-based data protection enforcement and compliance, and second a shift towards risk regulation on the broader regulatory level. The article analyses these shifts to enhance the understanding of the changing relationship between risk and EU data protection law. The article also discusses associated potential challenges when trying to manage multiple and heterogeneous risks to the rights and freedoms of individuals resulting from the processing of personal data.

Author(s):  
Raphaël Gellert

The main goal of this book is to provide an understanding of what is commonly referred to as “the risk-based approach to data protection”, an expression that came to the fore during the overhaul process of the EU’s General Data Protection Regulation (GDPR)—even though it can also be found in other statutes under different acceptations. At its core it consists in endowing the regulated organisations that process personal data with increased responsibility for complying with data protection mandates. Such increased compliance duties are performed through risk management tools. It addresses this topic from various perspectives. In framing the risk-based approach as the latest model of a series of regulation models, the book provides an analysis of data protection law from the perspective of regulation theory as well as risk and risk management literatures, and their mutual interlinkages. Further, it provides an overview of the policy developments that led to the adoption of such an approach, which it discusses in the light of regulation theory. It also includes various discussions pertaining to the risk-based approach’s scope and meaning, to the way it has been uptaken in statutes including key provisions such as accountability and data protection impact assessments, or to its potential and limitations. Finally, it analyses how the risk-based approach can be implemented in practice by providing technical analyses of various data protection risk management methodologies.


Author(s):  
Alexander Gurkov

This chapter considers the legal framework of data protection in Russia. The adoption of the Yarovaya laws, data localization requirement, and enactment of sovereign Runet regulations allowing for isolation of the internet in Russia paint a grim representation of state control over data flows in Russia. Upon closer examination, it can be seen that the development of data protection in Russia follows many of the steps taken at the EU level, although some EU measures violated fundamental rights and were invalidated. Specific rules in this sphere in Russia are similar to the European General Data Protection Regulation. This chapter shows the special role of Roskomnadzor in forming data protection regulations by construing vaguely defined rules of legislation.


2018 ◽  
Vol 2 (2) ◽  
pp. 183-190
Author(s):  
Martin Daňko ◽  
Petra Žárská

The digital tax system is becoming extremely essential in the modern world. As we look at the system itself as a great benefit for its users and states as well, we tend to forget the role of personal data within it. Personal data play a crucial role in the errorless digital tax system. The new EU regulation, the General Data Protection Regulation, addresses the processing of personal data within the state administration of EU member states. The aim of this article is to examine the effect of GDPR on the digital tax system and encourage wide academic and public discussion in relation to processing of personal data in the digital tax system.


2018 ◽  
Vol 2 (XVIII) ◽  
pp. 199-213
Author(s):  
Agnieszka Kręcisz-Sarna

This article aims to draw attention to the duties of personal data protection in general administrative proceedings in the context of the General Data Protection Regulation, which came into force on 25 May 2018. It depicts the subjective, the objective, as well as the territorial scope of the application of GDPR, subsequently referring it to certain procedural steps taken in the course of administrative proceedings. Moreover, deliberations concerning the processing of personal data which takes place within the scope of administrative proceedings, as well as the role of the parties in such proceedings have been presented.


2019 ◽  
Vol 16 (6) ◽  
pp. 724-745
Author(s):  
Ronny Hauck

When the General Data Protection Regulation (henceforth: GDPR) came into force, it quickly became clear that the new data protection law would strongly influence many different areas of law. This article deals with the relationship between data protection law and insolvency law, which was hardly considered before the GDPR was adopted. This relationship is particularly relevant where personal data is to be sold as an asset in insolvency proceedings. As will be shown, the new data protection law imposes requirements on such data transfers which are very difficult to fulfil. The main problem is that in German law, personal data is not transferable because it is considered part of a subject’s personality. This situation is comparable to German copyright law, since the copyright itself is a non-transferable good. However, just as usage rights in copyright, the rights to use the personal data can be transferred to a third party provided that the requirements of the GDPR are satisfied. This article will comprehensively analyse under which conditions a transfer of such rights would be possible in insolvency proceedings. To create a balanced relationship between data protection law and insolvency law, the principle of proportionality is of crucial importance in this respect.


2019 ◽  
pp. 595-619
Author(s):  
Andrew Murray

This chapter examines the rights of data subjects under GDPR and the role of the state in supervising data controllers. It examines data subject rights, including the subject access right and the right to correct and manage personal data. It deals with the development of the so-called Right to be Forgotten and the Mario Costeja González case. It examines the current supervisory regime, including the role of the Information Commissioner’s Office and the enforcement rights of data subjects. Key cases, including Durant v The Financial Services Authority, Edem v IC & Financial Services Authority, Dawson-Damer v Taylor Wessing, and Ittihadieh v 5–11 Cheyne Gardens are discussed, and the chapter concludes by examining the enhanced enforcement rights awarded to the Information Commissioner’s Office by the General Data Protection Regulation in 2018.


2019 ◽  
Vol 1 (XIX) ◽  
pp. 295-310
Author(s):  
Weronika Kupny

Entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) significantly changed the legal situation of information security administrators. The new institution is a data protection officer. The provisions of the regulation not only changed the name but also the requirements for the person who will perform it in the organization. The main task of the DPO is to provide expert support to the controller and the processor and to monitor compliance with the provisions on personal data protection in cooperation with the supervisory authorities. The importance of the DPO’s function has been strongly emphasized in recital 97 of the preamble to the GDPR. This means that the data protection officer is the person responsible for acting in accordance with the data processing regulations. The independence of the DPO is guaranteed by its correct placement in the structure of the controller’s organization. As regards the employment of a DPO, the legislator left employers a large dose of freedom. Acquiring specialists dealing in personal data protection in the company is possible by selecting several options. We can deal with the employment of a stationary specialist or an external consultant. Due to the very wide competence of the DPO, the legislator also provided for the possibility of commissioning the inspector’s tasks to a group of people or a department or an external company.


2018 ◽  
Author(s):  
Michael Veale ◽  
Reuben Binns ◽  
Lilian Edwards

Cite as: Michael Veale, Reuben Binns and Lilian Edwards (2018) Algorithms That Remember: Model Inversion Attacks and Data Protection Law. Philosophical Transactions A, forthcoming. doi:10.1098/rsta.2018.0083

Many individuals are concerned about the governance of machine learning systems and the prevention of algorithmic harms. The EU's recent General Data Protection Regulation (GDPR) has been seen as a core tool for achieving better governance of this area. While the GDPR does apply to the use of models in some limited situations, most of its provisions relate to the governance of personal data, while models have traditionally been seen as intellectual property. We present recent work from the information security literature around 'model inversion' and 'membership inference' attacks, which indicate that the process of turning training data into machine learned systems is not one-way, and demonstrate how this could lead some models to be legally classified as personal data. Taking this as a probing experiment, we explore the different rights and obligations this would trigger and their utility, and posit future directions for algorithmic governance and regulation.


Author(s):  
Claudio Roberto Pessoa ◽  
Bruna Cardoso Nunes ◽  
Camila de Oliveira ◽  
Marco Elísio Marques

The world scenario is changing when we talk about personal data protection. Not that long ago, it was common to find companies that sell databases, and other companies that work with the information contained in these databases, aimed to create profiles and generate solutions, using technologies such as big data and artificial intelligence, among others, looking to be attractive and get more customers. In order to protect the privacy of citizens across the world, laws have been created and/or expanded to reinforce this protection. In Brazil, specifically, the Lei de Proteção de Dados Pessoais – LGPD [General Data Protection Law] was created. This research aims to analyze this law, as well as other laws that orbit around it. The goal is to know the impact of law enforcement on business routine and, as a specific objective, what the role of DPO (Data Protection Officer) in organizations will be.


2021 ◽  
pp. 294-339
Author(s):  
Dimitra Kamarinou ◽  
Christopher Millard ◽  
Felicity Turton

This chapter outlines the roles and responsibilities of controllers and processors of personal data in clouds. The realisation of the rights of data subjects whose personal data are processed in cloud computing environments depends, in large part, on whom they may be exercised against. The concepts of 'controller' and 'processor' play a crucial role in this respect since they determine who is responsible for compliance with the core obligations set out in the General Data Protection Regulation (GDPR). The chapter then addresses the fundamental question of what constitutes a controller or processor and looks at the circumstances in which two or more controllers may be characterised as joint controllers. It considers the contractual rights and obligations of controllers and processors. The chapter also analyses the allocation of responsibility for compliance with a range of GDPR obligations, including security, breach notification requirements, requirements relating to Data Protection Impact Assessments (DPIA), consultations with data protection regulators, record-keeping, and audits. Finally, it examines the role of Data Protection Officers (DPO) and the role of supervisory authorities in enforcing compliance with the GDPR.

