Showing total 257 results

1. Privacy Policy Classification with XLNet (Short Paper)

Author

Anas Al Bassit, Majd Mustapha, Katsiaryna Krasnashchok, and Sabri Skhiri

Subjects

Multi-label classification, Majority rule, Computer science, Privacy policy, Computer security, computer.software_genre, General Data Protection Regulation, media_common.cataloged_instance, European union, Macro, Baseline (configuration management), computer, media_common, Interpretability

Abstract

Popularization of privacy policies has become an attractive subject of research in recent years, notably after General Data Protection Regulation came into force in the European Union. While GDPR gives Data Subjects more rights and control over the use of their personal data, length and complexity of privacy policies can still prevent them from exercising those rights. An accepted way to improve the interpretability of privacy policies is through assigning understandable categories to every paragraph or segment in said documents. Current state of the art in privacy policy analysis has established a baseline in multi-label classification on the dataset containing 115 privacy policies, using BERT Transformers. In this paper, we propose a new classification model based on the XLNet. Trained on the same dataset, our model improves the baseline F1 macro and micro averages by 1–3% for both majority vote and union-based gold standards. Moreover, the results reported by our XLNet-based model have been achieved without fine-tuning on domain-specific data, which reduces the training time and complexity, compared to the BERT-based model. To make our method reproducible, we report our hyper-parameters and provide access to all used resources, including code. This work may therefore be considered as a first step to establishing a new baseline for privacy policy classification.

Published

2020

2. Risks of the new EU Data Protection Regulation: an ESMO position paper endorsed by the European oncology community

Author

Paolo G. Casali

Subjects

Risk, business.industry, Hematology, Public administration, Medical Oncology, Community Networks, Europe, Epidemiologic Studies, Oncology, General Data Protection Regulation, Epidemiologic Research Design, Practice Guidelines as Topic, Position paper, Medicine, Humans, European Union, Registries, business, Computer Security, Confidentiality

Published

2014

3. Artificial Intelligence and Europe: Risks, Developments and Implications

Author

Jacopo Scipione

Subjects

Fair use, business.industry, Public sector, Global Leadership, Legislation, Commission, White paper, General Data Protection Regulation, Political science, media_common.cataloged_instance, Artificial intelligence, European union, business, media_common

Abstract

During a lesson on Knowledge Day in September 2017, Russian President Vladimir said: “Artificial intelligence is the future, not only for Russia, but for all humankind. It comes with colossal opportunities, but also threats that are difficult to predict. Whoever becomes the leader in this sphere will become the ruler of the world”. Technology seems to have the power to change our work, our society and our daily life. It has become almost indispensable in everyday activities, and it involves many aspects of our lives. According to many experts, academics and policymakers, we are in the middle of the 4th industrial revolution that will affect our societies in the next decades. The real actor in this process is Artificial Intelligence (AI), which has become more present and essential both in the private and public sector. AI is changing many aspects of people’s lives and bring important benefits to society and the economy thanks to better healthcare, an efficient public administration, and safer transport. Comprehending and analysing AI is fundamental in order to embrace the next challenges of the future, and to be competitive with other global leaders. How can AI be used by Europe as a whole? Which are the rules that would be considered in the following years? And how would the rest of the world react to such innovations? How the EU should we respond to such innovation and create a quality brand? Intending to respond to these questions, the present paper examines the AI framework in Europe, its legal and ethical implications. This paper is divided into three sections: the first one gives an overall vision on AI and on the state of the art worldwide; the second one analyses the efforts that EU is making and should make to become a relevant character in the AI race; and finally the conclusion focuses on what lacks to Europe to be a global leader in the AI field. The United States (US) and China are clearly the world’s leaders in such environment. On the other way round, the European Union (EU), is not in the game, despite the recent legislation developed by the Commission. In order to maximise the development of AI, new rules are necessary to guarantee principles, rights, and a fair use of it. To tackle the huge development carried out by the AI world’s leaders, Europe should respond by setting two objectives: on one hand, to create a positive environment to invest; on the other hand, to emerge as a quality brand for AI, as recently happened with the General Data Protection Regulation (GDPR). The paper argues that the EU is pointing to become a sort of referee in such field, spreading rules and guidelines in the digital environment. Nevertheless, leading in this field would not permit Europe to explore the opportunities that AI may give to European technological process.

Published

2020

4. Fifteen Years’ Use of Patient-Reported Outcome Measures at the Group and Patient Levels: Trend Analysis

Author

Niels Henrik Hjollund

Subjects

medicine.medical_specialty, Short Message Service, Time Factors, Health Informatics, lcsh:Computer applications to medicine. Medical informatics, patient-reported outcome, Electronic mail, 03 medical and health sciences, 0302 clinical medicine, Surveys and Questionnaires, Epidemiology, medicine, International Statistical Classification of Diseases and Related Health Problems, media_common.cataloged_instance, Humans, 030212 general & internal medicine, Patient Reported Outcome Measures, European union, media_common, outpatient follow-up, patient involvement, Original Paper, Data collection, business.industry, 030503 health policy & services, lcsh:Public aspects of medicine, lcsh:RA1-1270, questionnaires, resource reallocation, Family medicine, General Data Protection Regulation, lcsh:R858-859.7, Patient-reported outcome, Female, 0305 other medical science, business, chronic disease

Abstract

Background Since 2004, we have collected patient-reported outcome (PRO) data from several Danish patient populations for use at the group and patient levels. Objective The aim of this paper is to highlight trends during the last 15 years with respect to patient inclusion, the methods for collection of PRO data, the processing of the data, and the actual applications and use of the PRO measurements. Methods All PRO data have been collected using the AmbuFlex/WestChronic PRO system, which was developed by the author in 2004 and has been continuously updated since. The analysis of trends was based on a generic model applicable for any kind of clinical health data, according to which any application of clinical data may be divided into four processes: patient identification, data collection, data aggregation, and the actual data use. Data for analysis were generated by a specific application in the system and transferred for analysis to the R package. Results During the 15-year period, 78,980 patients within 28 different groups of chronic and malignant illnesses have answered 260,433 questionnaires containing a total of 13,538,760 responses. Several marked changes have taken place: (1) the creation of cohorts for clinical epidemiological research purposes has shifted towards cohorts defined by clinical use of PRO data at the patient level; (2) the development of AmbuFlex, where PRO data are used as the entire basis for outpatient follow-up instead of fixed appointments, has undergone exponential growth and the system is currently in use in 47 International Statistical Classification of Diseases and Related Health Problems groups, covering 16,000 patients and 94 departments throughout Denmark; (3) response rates (up to 92%) and low attrition rates have been reached in group level projects, and there are even higher response rates in AmbuFlex where the patients are individually referred; (4) The answering method has shifted, as while in 2005 a total of 66.5% of questionnaires were paper based, this is the case for only 4.3% in 2019; and (5) the approach methods for questionnaires and reminders have changed dramatically from letter, emails, and short message service text messaging to a national, secure electronic mail system through which 93.2% of the communication to patients took place in 2019. The combination of secure email and web-based answering has resulted in a low turnaround time in which half of responses are now received within 5 days. Conclusions The demand for clinical use of PRO measurements has increased, driven by a wish among patients as well as clinicians to use PRO to promote better symptom assessment, more patient-centered care, and more efficient use of resources. Important technological changes have occurred, creating new opportunities, and making PRO collection and use cheaper and more feasible. Several legal changes may constitute a barrier for further development as well as a barrier for better utilization of patients’ questionnaire data. The current legal restrictions on the joint use of health data imposed by the European Union’s General Data Protection Regulation makes no distinction between use and misuse, and steps should be taken to alleviate these restrictions on the joint use of PRO data.

Published

2019

5. Making Machine Learning Forget

Author

Saurabh Shintre, Kevin Roundy, and Jasjeet Dhaliwal

Subjects

Privacy by Design, Right to be forgotten, business.industry, Computer science, 030503 health policy & services, Overfitting, Machine learning, computer.software_genre, 03 medical and health sciences, 0302 clinical medicine, General Data Protection Regulation, Position paper, media_common.cataloged_instance, Data Protection Act 1998, 030212 general & internal medicine, Artificial intelligence, European union, 0305 other medical science, business, computer, media_common, Vulnerability (computing)

Abstract

Machine learning models often overfit to the training data and do not learn general patterns like humans do. This allows an attacker to learn private membership or attributes about the training data, simply by having access to the machine learning model. We argue that this vulnerability of current machine learning models makes them indirect stores of the personal data used for training and therefore, corresponding data protection regulations must apply to machine learning models as well. In this position paper, we specifically analyze how the “right-to-be-forgotten” provided by the European Union General Data Protection Regulation can be implemented on current machine learning models and which techniques can be used to build future models that can forget. This document also serves as a call-to-action for researchers and policy-makers to identify other technologies that can be used for this purpose.

Published

2019

6. OpenEHR and General Data Protection Regulation: Evaluation of Principles and Requirements

Author

Ricardo Cruz-Correia, Gustavo Marísio Bacelar-Silva, Mariana Sousa, Samuel Frade, Luís Antunes, Thomas Beale, and Duarte Nuno Goncalves-Ferreira

Subjects

Process management, 020205 medical informatics, Computer science, Interoperability, Health Informatics, Legislation, 02 engineering and technology, health information interoperability, 03 medical and health sciences, 0302 clinical medicine, Health Information Management, 0202 electrical engineering, electronic engineering, information engineering, Information system, Data Protection Act 1998, media_common.cataloged_instance, 030212 general & internal medicine, openEHR, European union, GDPR, media_common, Original Paper, data protection, electronic health record, Directive, General Data Protection Regulation

Abstract

Background: Concerns about privacy and personal data protection resulted in reforms of the existing legislation in the European Union (EU). The General Data Protection Regulation (GDPR) aims to reform the existing directive on the topic of personal data protection of EU citizens with a strong emphasis on more control of the citizens over their data and in the establishment of rules for the processing of personal data. OpenEHR is a standard that embodies many principles of interoperable and secure software for electronic health records (EHRs) and has been advocated as the best approach for the development of hospital information systems. Objective: This study aimed to understand to what extent the openEHR standard can help in the compliance of EHR systems to the GDPR requirements. Methods: A list of requirements for an EHR to support GDPR compliance and also a list of the openEHR design principles were made. The requirements were categorized and compared with the principles by experts on openEHR and GDPR. Results: A total of 50 GDPR requirements and 8 openEHR design principles were identified. The openEHR principles conformed to 30% (15/50) of GDPR requirements. All the openEHR principles were aligned with GDPR requirements. Conclusions: This study showed that the openEHR principles conform well to GDPR, underlining the common wisdom that truly realizing security and privacy requires it to be built in from the start. By using an openEHR-based EHR, the institutions are closer to becoming compliant with GDPR while safeguarding the medical data.

Published

2019

7. Enhancing Safety on Construction Sites: A UWB-Based Proximity Warning System Ensuring GDPR Compliance to Prevent Collision Hazards.

Author

Mastrolembo Ventura, Silvia, Bellagente, Paolo, Rinaldi, Stefano, Flammini, Alessandra, and Ciribini, Angelo L. C.

Subjects

BUILDING sites, GENERAL Data Protection Regulation, 2016, INDUSTRIAL safety, COLLISIONS at sea, DATA protection, HAZARDS

Abstract

Construction is known as one of the most dangerous industries in terms of worker safety. Collisions due the excessive proximity of workers to moving construction vehicles are one of the leading causes of fatal and non-fatal accidents on construction sites internationally. Proximity warning systems (PWS) have been proposed in the literature as a solution to detect the risk for collision and to alert workers and equipment operators in time to prevent collisions. Although the role of sensing technologies for situational awareness has been recognised in previous studies, several factors still need to be considered. This paper describes the design of a prototype sensor-based PWS, aimed mainly at small and medium-sized construction companies, to collect real-time data directly from construction sites and to warn workers of a potential risk of collision accidents. It considers, in an integrated manner, factors such as cost of deployment, the actual nature of a construction site as an operating environment and data protection. A low-cost, ultra-wideband (UWB)-based proximity detection system has been developed that can operate with or without fixed anchors. In addition, the PWS is compliant with the General Data Protection Regulation (GDPR) of the European Union. A privacy-by-design approach has been adopted and privacy mechanisms have been used for data protection. Future work could evaluate the PWS in real operational conditions and incorporate additional factors for its further development, such as studies on the timely interpretation of data. [ABSTRACT FROM AUTHOR]

Published

2023

8. General Data Protection Regulation: Current Challenges and Future Directions

Author

Mesarčík, Matúš, Hamuľák, Ondrej, and Ramiro Troitiño, David, editor

Published

2024

9. INDEPENDENŢA AUTORITĂŢILOR DE SUPRAVEGHERE A PRELUCRĂRII DATELOR CU CARACTER PERSONAL.

Author

SAVA, MIHAELA-RUXANDRA

Subjects

PERSONALLY identifiable information, DATA protection, GENERAL Data Protection Regulation, 2016, CIVIL rights, POLITICAL movements, JUDGE-made law, ELECTRONIC data processing

Abstract

According to the General Data Protection Regulation (hereinafter GDPR), in each Member State of the European Union, one or more independent supervisory authorities of personal data processing must operate under conditions of full independence. Therefore, by this article we aim to achieve two main objectives. A first objective is to explain the notion of „full independence“ and the second objective is to find and analyze some of the essential elements for guaranteeing full independence. The methodology used has focused on the study of the European and national legislation (the European treaties, the GDPR, the Romanian Constitution, the Administrative Code), on the study of doctrine and on the analysis of the case law of the Court of Justice of the European Union (hereinafter CJEU) on the issue of full independence of the supervisory authorities. This paper concludes that the notion of the independence of the supervisory authorities is a fragile notion that requires the full attention of the Member States. The fundamental human rights and freedoms must survive any political movements or commercial interests. The Member States, by the national law, must ensure adequate safeguards to ensure full independence of the supervisory authorities and must establish effective rules on the sanctioning of those who infringe on their independent status. As the notion of independence is a fragile notion, in the future, the Member States' actions to safeguard the independence of the supervisory authorities must increase in direct proportion to the degree of risk of the new technologies to privacy and to the other fundamental rights and freedoms. Regarding the structure of the paper, in the Introduction, we discussed the necessity of existence of some national data protection authorities. In Section II, we briefly presented certain general considerations about supervisory authorities. In Section III, we set out certain general considerations about the legal regime of the autonomous administrative authorities in Romania. In Section IV.A we analyzed and defined the notion of „full independence“, and in Section IV.B we extracted from the legislation, doctrine and case law a part of the essential elements for guaranteeing a full independence and we briefly explained these elements. [ABSTRACT FROM AUTHOR]

Published

2021

10. FACTORS DETERMINING THE EXTENT OF GDPR IMPLEMENTATION WITHIN ORGANIZATIONS: EMPIRICAL EVIDENCE FROM CZECH REPUBLIC.

Author

FAIFR, Adam and JANUŠKA, Martin

Subjects

GENERAL Data Protection Regulation, 2016, REGRESSION trees, CHI-squared test

Abstract

In this paper, the key factors that affect the extent of GDPR implementation in enterprises are analysed. Since 2018, all organizations operating in the European Union or processing personal data of EU citizens have had to incorporate a new regulation in their work. After three years of experience, possible key factors that significantly affect the cost of the entire project have been theoretically identified. However, a research gap remains whether the factors thus defined actually have a real impact on the implementation within organizations. Therefore, this study focuses on an empirical investigation of those characteristics using quantitative approach combining Chi-squared tests and the Classification and Regression Tree method. Based on a survey of organizations in the Czech Republic, this paper outlines that the size of the organization, the typology of personal data processed and the way GDPR is implemented determine the scope of the implementation project within organizations. On the other hand, there is no clear evidence that there is significant role in whether it is a public or private organization. [ABSTRACT FROM AUTHOR]

Published

2021

11. General Data Protection Regulation (GDPR): Legal, Ethic and Other Issues, Especially in Covid-19 Time.

Author

Isabel Guerra, Ana, João Machado, Maria, Malta Fernandes, Maria, Anjos Azevedo, Patrícia, Tenreiro Tomás, Sérgio, and Sousa Machado, Susana

Subjects

GENERAL Data Protection Regulation, 2016, COVID-19, BODY temperature, COVID-19 pandemic, INDUSTRIAL relations, INFECTIOUS disease transmission, PERSONALLY identifiable information

Abstract

[Purpose] This paper intends to present an academic analysis about the legal, ethic and other issues raised by the General Data Protection Regulation, especially in Covid-19 time. In this context, we present the main legal aspects of networked privacy, online privacy literacy, transparency, data integrity and others. Besides, we present the employee's rights in the context of the Covid-19 pandemic, such as the right to erase data, temperature monitoring, the employee's consent, the legitimation of the processing of personal data and body temperature control. We also give a word about data protection and teleworking. Our purpose is to contribute for the evolution of law, regarding the challenges and all the changes in our daily-life, provoked by the Covid-19 pandemic. [Methodology] Our objectives are fundamentally achieved with a legal and doctrinal analysis, which is our methodology. The topics presented in this paper are linked between each other and this kind of joint treatment is our goal. [Findings] Privacy is a broad concept that includes a set of personal characteristics that go beyond a user's name and location. Personal data includes the fundamental rights that privacy helps to guarantee. The GDPR is a legal basis for the processing of personal data, which is directly applicable in the European Union and does not require national transpositions. Employers are facing increasingly complex challenges in the day-to-day of their companies, given the need to stop the spread of coronavirus. To respond to the growing threat of coronavirus, many employers are considering monitoring the he alth of their employees to minimize the risk of infection and contagion in the workplace. Consent as a free, informed and unequivocal manifestation, required by the GDPR, collides with the existing asymmetries in the employment relationship. Despite all the difficulties in framing consent, it is unequivocal that the employment relationship requires the collection and processing of numerous employee data. It is an inevitability. Teleworking, provided from the employee's home, was one of the first measures adopted in the context of the pandemic caused by the Covid-19 disease. This type of work provision raises a number of questions regarding the protection of employees' personal data, namely in terms of control by the employer. [ABSTRACT FROM AUTHOR]

Published

2021

12. Consimțământul: un ingredient esențial pentru cookie?

Author

RUSU, Ioana

Subjects

PERSONALLY identifiable information, FREEDOM of expression, FREEDOM of information, DATA protection, ECONOMIC liberty, CIVIL rights

Abstract

Copyright of Revista Română de Drept European is the property of Wolters Kluwer Romania and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)

Published

2023

13. An analysis of violations and sanctions following the GDPR.

Author

Presthus, Wanda and Sønslien, Kaja Felix

Subjects

GENERAL Data Protection Regulation, 2016, DATA privacy, CIVIL rights

Abstract

This paper investigates the violations and sanctions that have occurred following the implementation of the General Data Protection Regulation (GDPR). The GDPR came into effect in May 2018 with the aim of strengthening the information privacy of European Union/European Economic Area citizens. Based on existing taxonomies of (i) potential consequences of violating the GDPR (including surveillance, discrimination), (ii) an analysis of 277 sanctions, and (iii) interviews with experts, we offer a mapping of the violations and sanctions almost two years after the regulation was implemented. The most typical complaints were, in descending order: unlawful processing and disclosure of personal information, failure to act on and secure subject rights and personal information, and insufficient cooperation with supervising authorities. Our analysis also indicates an increasing number of fines over time. Regarding size, the fines range from 50,000,000 euros to (symbolic?) 90 euros. While research on GDPR violations and sanctions is somewhat scarce, our study mainly confirms existing findings: that the GDPR is complex and challenging. However, our study provides insight on some of the challenges. Our contribution is mainly practical and aimed at managers in any organization whose goal is to protect information privacy and to learn from the mistakes made by other companies. We also welcome more research on the topic. [ABSTRACT FROM AUTHOR]

Published

2021

14. How U.S. Courts Handle GDPR in Discovery Process: An Examination of a U.S. Patent Infringement Case

Author

Chahoki, Azam Zare, Duruigbo, Emeka, editor, Chibueze, Remigius, editor, Gozie Ogbodo, Sunday, editor, and Nweze, Chima Centus, Foreword by

Published

2023

15. OPŠTA UREDBA O ZAŠTITI PODATAKA: ODNOS PRAVA NA PRIVATNOST I ZAŠTITE LIČNIH PODATAKA S OSVRTOM NA BOSNU I HERCEGOVINU.

Author

Murtezić, Arben

Subjects

RIGHT of privacy, CIVIL rights, PERSONALLY identifiable information, RIGHT to be forgotten, HUMAN rights, EUROPEAN Union law, LEGISLATION

Abstract

Copyright of Anali Pravnog Fakulteta Univerziteta u Zenici is the property of Anali Pravnog Fakulteta Univerziteta u Zenici and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)

Published

2019

16. The curious case of automated decision-making in India: A comparative analysis of automated decision-making under the General Data Protection Regulation in the European Union and the Personal Data Protection Bill in India

Author

Ashok, Pratiksha

Published

2023

17. IZAZOVI PRAVNOG UREĐENJA UPOTREBE OSOBNIH PODATAKA IZ GENSKIH TESTOVA U SVRHU OSIGURANJA.

Author

Puvača, Maja Bukovac and Belanić, Loris

Subjects

*PERSONALLY identifiable information, *DATA protection, *GENETIC testing, *GENERAL Data Protection Regulation, 2016, *COMPARATIVE law, *INSURANCE

Abstract

The paper deals with the issue of using genetic tests for insurance purposes. After introductory remarks, the paper provides an overview of various international and European legal sources both on data protection in general, and on the protection of data from genetic tests. The paper then researches into different solutions proposed by comparative law concerning the use of data from genetic tests for insurance purposes. Some solutions explicitly ban the use of genetic tests for insurance purposes (France, Austria, Portugal, Croatia), while others adopt a more liberal approach, allowing for its use (the USA, the UK, Germany). It is concluded that personal data protection does not exclude the possibility using data from genetic tests for insurance purposes, which proves the need for a common EU approach to the issue. [ABSTRACT FROM AUTHOR]

Published

2021

18. Dude, where's my data? The GDPR in practice, from a consumer's point of view.

Author

Sørum, Hanne and Presthus, Wanda

Subjects

GENERAL Data Protection Regulation, 2016, SPORTS forecasting

Abstract

Purpose: This paper investigates the European Union's General Data Protection Regulation (GDPR) in information systems (ISs). The GDPR consists of 99 articles, and two articles are emphasised – namely Article 15, which deals with rights of access by the data subject, and Article 20, which deals with the right to data portability. Design/methodology/approach: 15 companies operating in the Norwegian consumer market were randomly selected. Each company received an inquiry pertaining to rights of access by the data subject (Article 15) and the right to data portability (Article 20). The research team carefully analysed the answers received and categorised the responses according to the two articles emphasised. Findings: The findings show extensive variations among the companies in terms of response time, quality of feedback and how companies handle requests concerning rights of access by the data subject (Article 15) and the right to data portability (Article 20). Differences are also pertaining to the types of files, along with the content of these files. It should be noted, however, that most of the companies replied to the inquiry before the deadline. The findings show that companies comply better with Article 20 than Article 15. However, it appears that they do not differentiate between the two articles. Originality/value: This study explores a research topic that is relatively new. It addresses a gap in the extant research by highlighting how the GDPR works in practice from a consumer's perspective. In addition, guidelines are offered to the consumers and companies affected by the GDPR. [ABSTRACT FROM AUTHOR]

Published

2021

19. Selected aspects of proposed new EU general data protection legal framework and the Croatian perspective.

Author

GUMZEJ, Nina

Subjects

DATA protection laws, BUSINESS information services, LEGISLATION drafting, LEGAL authorities

Abstract

Proposed new EU general data protection legal framework profoundly affects a large number of day-to-day business operations of organizations processing personal data and calls for significant effort on their part toward the necessary legal-regulatory compliance. In this paper the author examines key legislative developments towards this new EU frame and impact for the Republic of Croatia as the youngest EU Member State. Following introductory overview, legal analysis of draft EU General Data Protection Regulation as proposed by the European Commission and recently adopted amendments by the European Parliament mainly focuses on selected solutions impacting national data protection supervisory authorities. This is complemented with examination of relevant sources of EU law, including the case law of the Court of Justice of the European Union. Assessment of results of this research is next made with respect to prospects of the data protection legal framework of the Republic of Croatia. The paper is concluded with the author's critical overview of analyzed EU proposals impacting national data protection supervisory authorities in light of EU pivotal goals, and de lege ferenda proposals to timely address identified obstacles towards more adequate enforcement of data protection legislation in Croatia. [ABSTRACT FROM AUTHOR]

Published

2013

20. THE ROLE OF OPENING CLAUSES IN HARMONIZATION OF EU LAW: EXAMPLE OF THE EU'S GENERAL DATA PROTECTION REGULATION (GDPR).

Author

Mišćenić, Emilia and Hoffmann, Anna-Lena

Subjects

INTERNAL marketing, INTERNATIONAL unification of law, FREE trade, JUSTICE administration

Abstract

As the main tool for the achievement of the proper functioning of the internal market, the Union is focused on the process of harmonization. The role of harmonization in the EU's internal market is to remove barriers to trade and to facilitate free movement of goods, persons, services, and capital (as well as payment). This can be achieved in many ways, including through the adoption of harmonization, i.e., approximation measures, such as directives and regulations. The established CJEU case law confirms that the aim of harmonization measures is to 'reduce disparities between legal systems.' This aim's realization very often depends upon the form of the chosen harmonization measure and the level of harmonization the measure is based on (e.g., minimum, maximum, full (targeted) harmonization). However, today, we are faced with changes in the regulatory approach of the EU legislator and these changes are greatly affecting the process of harmonization. Due to the increased level of harmonization, EU directives are starting to appear and function more like EU regulations, and vice versa. Because of numerous optional clauses, clauses of minimal harmonization, and the so-called 'opening clauses', EU regulations are not reducing but enabling 'disparities between legal systems.' As an example, authors are analyzing the EU's General Data Protection Regulation (GDPR) containing more than 69 opening clauses, which play an important role in the process of harmonization and present an instrument of interplay between EU law and Member States' laws. Therefore, it remains to be answered within the lines of this paper whether the role of opening clauses is in compliance with the aim of harmonization in the EU law. [ABSTRACT FROM AUTHOR]

Published

2020

21. Privacy by Design to Comply with GDPR: A Review on Third-Party Data Processors.

Author

Kurtz, Christian, Semmann, Martin, and Böhmann, Tilo

Subjects

GENERAL Data Protection Regulation, 2016, INFORMATION storage & retrieval systems, LITERATURE reviews, INFORMATION design

Abstract

As the General Data Protection Regulation (GDPR) within the European Union comes into effect, organizations need to cope with novel legal requirements regarding the processing of user data and particularly how other, in the service integrated, organizations can process these. Information systems (IS) and their design as mashing up services of various providers (ecosystems) is state of practice. The GDPR raises for companies the question of how they can ensure that operations conform with external data processors according to the regulation. The approach of Privacy by Design (PbD), which is also included in the GDPR, offers for organizations a way to operationalize these legal requirements. Therefore, we conduct the first, rigorous, and systematic literature review of PbD. Specifically, we focus on works that seek implementation of PbD in organizations, located in ecosystems. The results show a surprising dearth of research in this field, although GDPR explicitly emphasizes this critical issue. [ABSTRACT FROM AUTHOR]

Published

2018

22. Consumer perspectives on information privacy following the implementation of the GDPR.

Author

Presthus, Wanda and Sørum, Hanne

Subjects

RIGHT of privacy, DATA privacy, INTERNET privacy, PERSONALLY identifiable information, DATA protection, INTERNATIONAL economic integration, INTERNET surveys

Abstract

The General Data Protection Regulation (GDPR) was implemented in the European Union and European Economic Area in May 2018. The GDPR aims to strengthen consumers' rights to data privacy in the wake of technological developments like big data and artificial intelligence. This was a hot topic for stakeholders, such as lawyers, companies and consumers, prior to the GDPR's implementation. This paper investigates to what extent consumers are concerned about information privacy issues following the implementation of the GDPR. We present findings from an online survey conducted during spring 2019 among 327 Norwegian consumers, as well as findings from a survey conducted immediately prior to the implementation of the GDPR in spring 2018. We draw the following conclusions: (1) consumers gained significant knowledge about their information privacy from the GDPR, but felt relatively little need to execute their enhanced rights; (2) about 50% of respondents believed themselves to have control over their data, while almost 40% stated that they had no control about their personal data; and (3) consumers largely trusted companies to manage their personal data. These insights are of interest to both academia and to industries that deal with personal data. [ABSTRACT FROM AUTHOR]

Published

2019

23. The European Union general data protection regulation: what it is and what it means.

Author

Hoofnagle, Chris Jay, van der Sloot, Bart, and Borgesius, Frederik Zuiderveen

Subjects

DATA protection laws, PERSONALLY identifiable information, INTERNET privacy laws, BUSINESS enterprises

Abstract

This paper introduces the strategic approach to regulating personal data and the normative foundations of the European Union's General Data Protection Regulation ('GDPR'). We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR's approach and provisions; and make predictions about the GDPR's implications. We also highlight where the GDPR takes a different approach than U.S. privacy law. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed regulatory regime, that will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some informationintensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches. [ABSTRACT FROM AUTHOR]

Published

2019

24. Investigación, salud pública y asistencia sanitaria en el Reglamento General de Protección de Datos de la Unión Europea y en la Ley Orgánica de Protección de Datos Personales y Garantía de los Derechos Digitales.

Author

Troncoso Reigada, Antonio

Subjects

PUBLIC health, HUMAN genetic engineering, DATA protection, DIGITAL rights management

Abstract

Copyright of Revista de Derecho y Genoma Humano is the property of Dykinson SL and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)

Published

2018

25. Simplification of Administrative Procedures through Fully Automated Decision-Making: The Case of Norway.

Author

Weitzenboeck, Emily M.

Subjects

GENERAL Data Protection Regulation, 2016, DATA protection laws, ADMINISTRATIVE procedure, ADMINISTRATIVE law, DECISION making, PUBLIC sector

Abstract

Norway has a high degree of digitalisation. In the public sector, there is a long tradition of automation of parts of case management. This includes automation of cases where a public sector body makes a so-called individual administrative decision, that is, a decision made in the exercise of public authority through which the rights or duties of one or more specified private persons are determined. In the last five years, various amendments to public sector legislation were proposed by a number of government departments and agencies in Norway to ensure that the relative administrative agency has a legal basis to carry out fully automated individual decisions. This is challenging both from an administrative law and from a data protection law standpoint. Among the main reasons for the move towards fully automated legal decision-making that are mentioned in the preparatory works to the proposed amendments are greater efficiency in decision-making, equal treatment of citizens and a claim that such decisions will be less prone to error than human decisions. This paper examines this trend in Norway and identifies the statutes and regulations that have been amended or are in the process of being amended. It analyses the measures specified in these amendments to safeguard the individual party's rights, freedoms and legitimate interests. Finally, it discusses the tightrope that must be walked to safeguard important administrative law principles and rules such as protection from arbitrary decisions, the audi alternam partem rule and the right under the European Union's General Data Protection Regulation not to be subject to fully automated decisions. [ABSTRACT FROM AUTHOR]

Published

2021

26. DUALISTIC DATA PROPERTY RIGHT: SOLUTION FOR CONTROLLERSHIP OF DATA IN THE EUROPEAN UNION?

Author

Žárská, Petra and Mesarčík, Matúš

Subjects

PROPERTY rights, DATA protection, PERSONALLY identifiable information, JUSTICE administration, GENERAL Data Protection Regulation, 2016, SOCIAL & economic rights

Abstract

Personal data are new assets in the digital economy. While personal data are protected by GDPR in the European Union, its economic value is not protected. Unless, the economic value of personal data is addressed in legal systems of Member states, the interests of people are not fully covered. The article aims to fill the vacuum by introducing new property right to data, the dualistic data property rights. The dualistic data property right is conceptually inspired by Copyright. The article proposes the character and content of the right that is in line with existing legal system and GDPR as well. The authors embark on analyses of all aspect of the dualistic property right and its benefits for the digital economy. [ABSTRACT FROM AUTHOR]

Published

2021

27. LISBON TREATY AND THE PROTECTION OF PERSONAL DATA IN THE EUROPEAN UNION - A NEW REFORM.

Author

Nikodinovska - Stefanovska, Snezana

Subjects

DATA protection, CRIMINAL justice system, DATA analysis

Abstract

The protection of personal data is one of the basic values in Europe, for the Member States of the EU and for the EU institutions. The protection of persons in relation to the processing of their personal data is a fundamental right laid down in the Charter of Fundamental Rights of the EU (Article 8) and in the Treaty on the Functioning of the European Union (Article 16). Lisbon Treaty brings fresh air not only to the future of the EU in general, but also to the relevance of fundamental rights-and in particular the right to the protection of personal data. Also, rapid technological developments and globalization have brought new challenges for the protection of personal data. The entry into force of the Lisbon Treaty provides a much needed opportunity to reflect on the main challenges for the protection of personal data and on how the European Commission intends to address these challenges in the future. In January 2012 European Commission proposed a comprehensive reform of the EU's data protection rules. The data protection reform is a legislative package to update and modernize the rules of the 1995 Data Protection Directive and the 2008 Framework Decision on data protection in judicial cooperation in criminal matters and police cooperation. It concerns two legislative instruments: the General Data Protection Regulation (intended to replace 1995 Directive on Data Protection) and the Data Protection Directive in the area of law enforcement (intended to replace the 2008 Data Protection Framework Decision). The Commission introduced again two sector-specific instruments rather than one of general application. In these paper will be discuss briefly the EU legal framework on data protection before and under the Lisbon Treaty. Than the draft General Data Protection Regulation and Police and Criminal Justice Data Protection Directive will be comment and analyzed. Finally, a summary and some concluding remarks will be present. [ABSTRACT FROM AUTHOR]

Published

2016

28. The impact of the EU General data protection regulation on product innovation.

Author

Blind, Knut, Niebel, Crispin, and Rammer, Christian

Subjects

GENERAL Data Protection Regulation, 2016, TECHNOLOGICAL innovations, DATA protection

Abstract

In May 2018, a new regulation, the General Data Protection Regulation (GDPR), on data protection came in the European Union into force. It requires firms to update their data protection strategy and may complicate the use of data related to individuals, with potentially adverse effects on product innovation. This study provides evidence on the likely impacts of the GDPR on innovation. We employ a conditional difference-in-differences research design and estimate firm fixed-effects models based on data from the German innovation survey. We find that the GDPR led to a substantial shift from radical to incremental product innovation. Our finding indicates that the GDPR stimulated firms to re-organise their data management in a more profound way than they would have done in the absence of the regulation, opening up opportunities for improving existing products. The additional resources needed for complying with the GDPR limited their capacity for developing entirely new products. [ABSTRACT FROM AUTHOR]

Published

2024

29. CITIZEN OR CONSUMER? THE RIGHT TO DATA ACCESS IN THE EUROPEAN UNION AND AUSTRALIA

Author

James Meese

Subjects

business.industry, Datafication, General Engineering, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Public relations, Intervention (law), Data access, General Data Protection Regulation, Political science, Digital rights, media_common.cataloged_instance, Social media, Privacy law, European union, business, media_common

Abstract

This paper presents early stage findings from a research project that explores whether the provision of data access addresses concerns that have emerged with regards to data collection by private and public actors. Using the recent right to data access secured by the European Union’s General Data Protection Regulation (GDPR) as a point of departure, I examine Facebook and Twitter’s response to these regulations through the lens of their data access policies and processes. I analyse what sort of data is made available and assess what benefit the public gains from having access to their social media data. I then offer a conceptual intervention through a comparative analysis of the divergent approaches two jurisdictions take to data access. I compare the GDPR with an ongoing debate around the introduction of a consumer data access right into Australian law and analyse how these divergent legal traditions and public discourses alter the conceptualisation and enacting of the data access right (and digital rights more generally). This paper provides a timely examination of a right that has emerged in response to the increased datafication of society. As well as offering a detailed analysis of how social media platforms have responded to the data access provisions within the GDPR, the comparative analysis of the EU and Australia shows that significantly different legal foundations can animate this right, ultimately presenting two starkly different visions of internet users as either consumers or citizens.

Published

2020

30. Toward a taxonomy of corporate data protection malpractices and their causal mechanisms: A regulatory view.

Author

Haiping Zhao, Na Jiang, Zhao Cai, Lim, Eric T. K., and Chee-Wee Tan

Subjects

DATA protection, ORGANIZATION management, GENERAL Data Protection Regulation, 2016, DATA analysis

Abstract

Corporate data protection malpractices are not uncommon, especially in contemporary technological environments. Embracing a regulatory view, this study attempts to advance a taxonomy of prevailing corporate data protection practices and their causal mechanisms by analyzing cases where organizations were fined for violating data protection legislation. Selecting the General Data Protection Regulation (GDPR) enacted by the European Union (EU) as our benchmark, this study employs an iterative taxonomy development technique as guidance and conducts a thematic analysis on 875 cases of GDPR enforcement. In so doing, we derive a conceptual model comprising 6 focal categories and 28 subcategories of prevailing corporate data protection malpractices existing within organizations as well as 4 main categories and 22 subcategories of causal mechanisms underlying these identified malpractices. Empirical findings from this study not only reinforce corporate data protection malpractices established in prior research but also yield novel malpractices that have been neglected in previous work. From a pragmatic standpoint, this study yields invaluable insights into the prevention and resolution of corporate data protection malpractices for practitioners. [ABSTRACT FROM AUTHOR]

Published

2023

31. Architecture of solution for panoramic image blurring in GIS project application

Author

Ivan Radosavljević, Đorđe Obradović, Dejan Vasić, and Marina Davidović

Subjects

Atmospheric Science, Laser scanning, Computer science, business.industry, QC801-809, Geophysics. Cosmic physics, Point cloud, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, Geology, Oceanography, Object (computer science), Pipeline (software), Object detection, Data set, General Data Protection Regulation, media_common.cataloged_instance, Computer vision, Artificial intelligence, European union, business, media_common

Abstract

Panoramic images captured using laser scanning technologies, which principally produce point clouds, are readily applicable in colorization of point cloud, detailed visual inspection, road defect detection, spatial entities extraction, diverse map creation, etc. This paper underlines the importance of images in modern surveying technologies and different GIS projects at the same time having regard to their anonymization in accordance with law. The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Namely, it is a legislative requirement that faces of persons and license plates of vehicles in the collected data are blurred. The objective of this paper is to present a novel architecture of the solution for a particular object blurring. The architecture is designed as a pipeline of object detection algorithms that progressively narrows the search space until it detects the objects to be blurred. The methodology was tested on four data sets counting 5000, 10 000, 15 000 and 20 000 panoramic images. The percentage of accuracy, i.e., successfully detected and blurred objects of interest, was higher than 97 % for each data set. Additionally, our aim was to achieve efficiency and broad use.

Published

2021

32. The European General Data Protection Regulation and Competitiveness of Firms.

Author

Bandyopadhyay, Soumava and Bandyopadhyay, Kakoli

Abstract

The newly-implemented General Data Protection Regulation (GDPR) by the European Union will have widespread impact on the personal data handling practices of firms both in and outside the European Union. This paper discusses the key provisions of the GDPR and the main challenges faced by firms in adapting to its requirements. The challenges will be both technological and financial in nature, particularly affecting businesses that employ blockchain technology, small and medium-sized businesses, and firms that are located outside the European Union. Compliance with the GDPR will have a significant impact on the competitiveness of firms that handle personal data of the residents of the European Union. [ABSTRACT FROM AUTHOR]

Published

2018

33. Regulating data intermediaries: The impact of the Data Governance Act on the EU's data economy.

Author

Carovano, Gabriele and Finck, Michèle

Subjects

*INTERNET marketing, *LIBERTY, *ECONOMICS

Abstract

As part of the European Commission's broader data strategy, the Data Governance Act ("DGA") introduces a new regulatory regime for data intermediaries, which, inter alia, pursues the objective of increasing the competitiveness of the European data economy by bolstering trust in data-sharing mechanisms. Against this backdrop, we introduce data intermediaries and critically examine the DGA's related legal regime by testing its underlying assumptions and highlighting its intrinsic weaknesses and limitations as part of the broader EU data law puzzle. As a result, the paper brings to the fore certain contradictions between DGA's means and ends. Indeed, due to various questionable assumptions, the DGA imposes requirements that not all data intermediaries can satisfy and entrenches a specific techno-organisational form for data intermediation services that may turn out to be economically non-viable. Consequently, one must wonder whether the DGA's rules on data intermediaries are necessary and proportionate in light of the freedom to conduct a business. We furthermore uncover inconsistencies and loopholes between the DGA, the GDPR, the draft Data Act, and the Digital Markets Act. Overall, while the DGA's underlying efforts are laudable, its precise postulations may hinder the achievement of its underlying objectives due to two main factors. First its own internal limitations and incoherences, and, second, uncertainties and tensions resulting from its interplay with the broader EU data law framework. [ABSTRACT FROM AUTHOR]

Published

2023

34. Designing privacy-friendly data repositories: a framework for a blockchain that follows the GDPR

Author

Izzat Alsmadi, Ruwaida AlAbdullah, Bernie Farkas, and Muhammad Al-Abdullah

Subjects

Information privacy, Information Systems and Management, Blockchain, Privacy by Design, Computer Networks and Communications, business.industry, Computer science, 05 social sciences, 02 engineering and technology, Information repository, Data science, Management Information Systems, 020204 information systems, Management of Technology and Innovation, General Data Protection Regulation, 0502 economics and business, 0202 electrical engineering, electronic engineering, information engineering, Information system, media_common.cataloged_instance, European union, business, 050203 business & management, Risk management, Information Systems, media_common

Abstract

Purpose The paper posits that a solution for businesses to use privacy-friendly data repositories for its customers’ data is to change from the traditional centralized repository to a trusted, decentralized data repository. Blockchain is a technology that provides such a data repository. However, the European Union’s General Data Protection Regulation (GDPR) assumed a centralized data repository, and it is commonly argued that blockchain technology is not usable. This paper aims to posit a framework for adopting a blockchain that follows the GDPR. Design/methodology/approach The paper uses the Levy and Ellis’ narrative review of literature methodology, which is based on constructivist theory posited by Lincoln and Guba. Using five information systems and computer science databases, the researchers searched for studies using the keywords GDPR and blockchain, using a forward and backward search technique. The search identified a corpus of 416 candidate studies, from which the researchers applied pre-established criteria to select 39 studies. The researchers mined this corpus for concepts, which they clustered into themes. Using the accepted computer science practice of privacy by design, the researchers combined the clustered themes into the paper’s posited framework. Findings The paper posits a framework that provides architectural tactics for designing a blockchain that follows GDPR to enhance privacy. The framework explicitly addresses the challenges of GDPR compliance using the unimagined decentralized storage of personal data. The framework addresses the blockchain–GDPR tension by establishing trust between a business and its customers vis-à-vis storing customers’ data. The trust is established through blockchain’s capability of providing the customer with private keys and control over their data, e.g. processing and access. Research limitations/implications The paper provides a framework that demonstrates that blockchain technology can be designed for use in GDPR compliant solutions. In using the framework, a blockchain-based solution provides the ability to audit and monitor privacy measures, demonstrates a legal justification for processing activities, incorporates a data privacy policy, provides a map for data processing and ensures security and privacy awareness among all actors. The research is limited to a focus on blockchain–GDPR compliance; however, future research is needed to investigate the use of the framework in specific domains. Practical implications The paper posits a framework that identifies the strategies and tactics necessary for GDPR compliance. Practitioners need to compliment the framework with rigorous privacy risk management, i.e. conducting a privacy risk analysis, identifying strategies and tactics to address such risks and preparing a privacy impact assessment that enhances accountability and transparency of a blockchain. Originality/value With the increasingly strategic use of data by businesses and the contravening growth of data privacy regulation, alternative technologies could provide businesses with a means to nurture trust with its customers regarding collected data. However, it is commonly assumed that the decentralized approach of blockchain technology cannot be applied to this business need. This paper posits a framework that enables a blockchain to be designed that follows the GDPR; thereby, providing an alternative for businesses to collect customers’ data while ensuring the customers’ trust.

Published

2020

35. Processing of Genetic Data under GDPR: Unresolved Conflict of Interests

Author

Valeriia Hutsaliuk and Petro Sukhorolskyi

Subjects

0301 basic medicine, Public economics, Genetic data, Legislation, 02 engineering and technology, 030105 genetics & heredity, Library and Information Sciences, Data Protection Directive, Field (computer science), Computer Science Applications, Task (project management), 03 medical and health sciences, 020204 information systems, General Data Protection Regulation, 0202 electrical engineering, electronic engineering, information engineering, Research exemption, media_common.cataloged_instance, Business, European union, Law, media_common

Abstract

Over the last decades, developments in the fields of genetics and bioinformatics caused a marked increase in the processing of human genetic data by various companies and institutions. This results in the adoption of several international documents and the emergence of legal norms on the protection of genetic data. The paper examines how and to what extent the interests and rights of the data subject with regard to the processing of genetic data are protected in the European Union. It is concluded that under the GDPR this task is implemented through classifying genetic data as sensitive, reliance on anonymisation and pseudonymisation, as well as introduction of the procedure of data protection impact assessment. Nevertheless, given the unique characteristics of genetic data distinguishing them from other categories of personal data, these measures cannot be regarded as sufficient and effective. The paper argues that current EU data protection legislation creates favourable conditions for genetic research, thereby ensuring particular public interests, but does not establish a special regime for genetic data processing appropriate to potential threats in this field and risks to the rights of data subjects.

Published

2020

36. THE EXTRATERRITORIAL APPLICATION OF EUROPEAN UNION DATA PROTECTION LAW

Author

Ana Gascón

Subjects

European Union law, Scope (project management), business.industry, Right to be forgotten, ComputingMilieux_LEGALASPECTSOFCOMPUTING, General Data Protection Regulation, Law, Political science, media_common.cataloged_instance, Data Protection Act 1998, The Internet, European union, business, media_common

Abstract

This paper will examine the extraterritorial application of European Union Law regarding the Internet in three particular cases that exemplify a current trend and make apparent the advantages and challenges of this approach. The examples relate to the protection of personal data and, in particular, the scope of the General Data Protection Regulation, the right to be forgotten and cross-border access to electronic evidence. The paper will end with some recommendations on how to avoid the problems that the extraterritorial application of the law in this field may entail.

Published

2019

37. Privacy engineering and the techno-regulatory imaginary.

Author

Rommetveit, Kjetil and van Dijk, Niels

Subjects

DATA protection, GENERAL Data Protection Regulation, 2016, PRIVACY

Abstract

The European Union's General Data Protection Regulation (GDPR), in force since 2018, has introduced design-based approaches to data protection and the governance of privacy. In this article we describe the emergence of the professional field of privacy engineering to enact this shift in digital governance. We argue that privacy engineering forms part of a broader techno-regulatory imaginary through which (fundamental) rights protections become increasingly future-oriented and anticipatory. The techno-regulatory imaginary is described in terms of three distinct privacy articulations, implemented in technologies, organizations, and standardizations. We pose two interrelated questions: What happens to rights as they become implemented and enacted in new sites, through new instruments and professional practices? And, focusing on shifts to the nature of boundary work, we ask: What forms of legitimation can be discerned as privacy engineering is mobilized for the making of future digital markets and infrastructures? [ABSTRACT FROM AUTHOR]

Published

2022

38. Forbidden fruit or soured grapes? Long-term effects of the temporary unavailability and rationing of US news websites on their consumption from the European Union.

Author

Thurman, Neil, Sly, James, Wilczek, Bartosz, and Fletcher, Richard

Subjects

DATA protection, NEWS websites, NEWS consumption, RATIONING, GRAPES, PRODUCT elimination

Abstract

In May 2018, hundreds of websites located outside the European Union (EU), including USAToday.com, became completely or partially unavailable to EU citizens as a number of publishers decided to comply with an EU data protection regulation (GDPR) by blocking access. Several of the sites that started to exclude EU users continued to do so for months or years, even though some of their competitors, like the New York Times, never adopted a policy of exclusion. These differing strategies allowed us to conduct a quasi-experimental study on the effects of temporary product unavailability and temporary rationing. We find that both temporary product withdrawal and temporary rationing can have long-term effects. In our case, monthly unique visitors in the months and even years after full access was restored were between 44% and 61% lower than they had been before the restrictions were imposed, with a wider market contraction explaining only part of these falls. We also find distinct differences between the effects of temporarily rationing and temporarily withdrawing websites. Although both strategies lead to a long-term loss in visitors, rationing appears to increase a website's desirability for some consumers. After rationing was lifted, USAToday.com's reduced audience consumed the title more deeply and frequently than had been the case before rationing was imposed. [ABSTRACT FROM AUTHOR]

Published

2022

39. Case Study on the Interaction Between the General Data Protection Regulation and Artificial Intelligence Technologies

Author

Gizem Gültekin dr. Várkonyi

Subjects

business.industry, Political science, General Data Protection Regulation, Perspective (graphical), Data Protection Act 1998, media_common.cataloged_instance, Fundamental rights, Legislation, Artificial intelligence, European union, business, Ai systems, media_common

Abstract

This paper presents a general overview of the problems regarding the regulation of artificial intelligence (AI) raised in the official published works of the European Union (EU) and interprets these problems from the perspective of the Hungarian experts as a case study. Even though a new regulation on AI has already been proposed at the EU level, the paper evaluates specific rules and principles regarding data protection since data is the lifeblood of AI systems and the protection of such data is a fundamental right enshrined in the EU legislation via the General Data Protection Regulation (GDPR). The result of the study shows that the application of the GDPR on AI systems in an efficient and uniform way might be at stake since different outputs were generated by the experts to the same legal questions deriving from a scenario presented.

Published

2021

40. A recommendation approach for user privacy preferences in the fitness domain

Author

Ilaria Torre, Yangyang He, Odnan Ref Sanchez, and Bart P. Knijnenburg

Subjects

Information privacy, Computer science, privacy preferences, fitness trackers, profiling, privacy-setting recommendations, privacy management, wearable IoT devices, privacy management, Internet privacy, privacy-setting recommendations, 02 engineering and technology, Education, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, privacy preferences, media_common.cataloged_instance, Profiling (information science), wearable IoT devices, European union, media_common, Fitness Trackers, business.industry, 05 social sciences, 050301 education, fitness trackers, Popularity, Computer Science Applications, Human-Computer Interaction, Data sharing, User privacy, General Data Protection Regulation, profiling, business, 0503 education

Abstract

Fitness trackers are undoubtedly gaining in popularity. As fitness-related data are persistently captured, stored, and processed by these devices, the need to ensure users’ privacy is becoming increasingly urgent. In this paper, we apply a data-driven approach to the development of privacy-setting recommendations for fitness devices. We first present a fitness data privacy model that we defined to represent users’ privacy preferences in a way that is unambiguous, compliant with the European Union’s General Data Protection Regulation (GDPR), and able to represent both the user and the third party preferences. Our crowdsourced dataset is collected using current scenarios in the fitness domain and used to identify privacy profiles by applying machine learning techniques. We then examine different personal tracking data and user traits which can potentially drive the recommendation of privacy profiles to the users. Finally, a set of privacy-setting recommendation strategies with different guidance styles are designed based on the resulting profiles. Interestingly, our results show several semantic relationships among users’ traits, characteristics, and attitudes that are useful in providing privacy recommendations. Even though several works exist on privacy preference modeling, this paper makes a contribution in modeling privacy preferences for data sharing and processing in the IoT and fitness domain, with specific attention to GDPR compliance. Moreover, the identification of well-identified clusters of preferences and predictors of such clusters is a relevant contribution for user profiling and for the design of interactive recommendation strategies that aim to balance users’ control over their privacy permissions and the simplicity of setting these permissions.

Published

2019

41. EU GDPR or APEC CBPR? A comparative analysis of the approach of the EU and APEC to cross border data transfers and protection of personal data in the IoT era

Author

Clare Sullivan

Subjects

Relation (database), Computer Networks and Communications, business.industry, 020207 software engineering, Context (language use), 02 engineering and technology, Certification, International trade, General Business, Management and Accounting, 020204 information systems, General Data Protection Regulation, Accountability, 0202 electrical engineering, electronic engineering, information engineering, media_common.cataloged_instance, Data Protection Act 1998, Business, European union, Law, Register of data controllers, media_common

Abstract

This article examines the two major international data transfer schemes in existence today – the European Union (EU) model which at present is effectively the General Data Protection Regulation (GDPR), and the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules system (CBPR), in the context of the Internet of Things (IoT). While IoT data ostensibly relates to things i.e. products and services, it impacts individuals and their data protection and privacy rights, and raises compliance issues for corporations especially in relation to international data flows. The GDPR regulates the processing of personal data of individuals who are EU data subjects including cross border data transfers. As an EU Regulation, the GDPR applies directly as law to EU member nations. The GDPR also has extensive extraterritorial provisions that apply to processing of personal data outside the EU regardless of place of incorporation and geographical area of operation of the data controller/ processor. There are a number of ways that the GDPR enables lawful international transfer of personal data including schemes that are broadly similar to APEC CBPR. APEC CBPR is the other major regional framework regulating transfer of personal data between APEC member nations. It is essentially a voluntary accountability scheme that initially requires acceptance at country level, followed by independent certification by an accountability agent of the organization wishing to join the scheme. APEC CBPR is viewed by many in the United States of America (US) as preferable to the EU approach because CBPR is considered more conducive to business than its counterpart schemes under the GDPR, and therefore is regarded as the scheme most likely to prevail. While there are broad areas of similarity between the EU and APEC approaches to data protection in the context of cross border data transfer, there are also substantial differences. This paper considers the similarities and major differences, and the overall suitability of the two models for the era of the Internet of Things (IoT) in which large amounts of personal data are processed on an on-going basis from connected devices around the world. This is the first time the APEC and GDPR cross-border data schemes have been compared in this way. The paper concludes with the author expressing a view as to which scheme is likely to set the global standard.

Published

2019

42. The General Data Protection Regulation in the Age of Surveillance Capitalism

Author

Jane Andrew and Max Baker

Subjects

Economics and Econometrics, Relation (database), business.industry, 05 social sciences, Big data, Internet privacy, 06 humanities and the arts, Capitalism, 0603 philosophy, ethics and religion, General Business, Management and Accounting, Arts and Humanities (miscellaneous), General Data Protection Regulation, 0502 economics and business, media_common.cataloged_instance, Data Protection Act 1998, 060301 applied ethics, Business and International Management, European union, Business ethics, Pseudonymization, business, Law, 050203 business & management, media_common

Abstract

Clicks, comments, transactions, and physical movements are being increasingly recorded and analyzed by Big Data processors who use this information to trace the sentiment and activities of markets and voters. While the benefits of Big Data have received considerable attention, it is the potential social costs of practices associated with Big Data that are of interest to us in this paper. Prior research has investigated the impact of Big Data on individual privacy rights, however, there is also growing recognition of its capacity to be mobilized for surveillance purposes. Our paper delineates the underlying issues of privacy and surveillance and presents them as in tension with one another. We postulate that efforts at controlling Big Data may create a trade-off of risks rather than an overall improvement in data protection. We explore this idea in relation to the principles of the European Union’s General Data Protection Regulation (GDPR) as it arguably embodies the new ‘gold standard’ of cyber-laws. We posit that safeguards advocated by the law, anonymization and pseudonymization, while representing effective counter measures to privacy concerns, also incentivize the use, collection, and trade of behavioral and other forms of de-identified data. We consider the legal status of these ownerless forms of data, arguing that data protection techniques such as anonymization and pseudonymization raise significant concerns over the ownership of behavioral data and its potential use in the large-scale modification of activities and choices made both on and offline.

Published

2019

43. '… They don’t really listen to people'

Author

Elvira Perez Vallejos, Christopher Woodard, Monica Cano, Ansgar Koene, Helen Creswick, Virginia Portillo, and Liz Dowthwaite

Subjects

Value (ethics), Sociology and Political Science, Computer Networks and Communications, business.industry, Communication, media_common.quotation_subject, 050901 criminology, 05 social sciences, 0507 social and economic geography, Public relations, Transparency (behavior), Philosophy, Feeling, Originality, General Data Protection Regulation, Agency (sociology), media_common.cataloged_instance, Social media, Sociology, 0509 other social sciences, European union, business, 050703 geography, media_common

Abstract

PurposeThe voices of children and young people have been largely neglected in discussions of the extent to which the internet takes into account their needs and concerns. This paper aims to highlight young people’s lived experiences of being online.Design/methodology/approachResults are drawn from the UnBias project’s youth led discussions, “Youth Juries” with young people predominantly aged between 13 and 17 years.FindingsWhilst the young people are able to use their agency online in some circumstances, many often experience feelings of disempowerment and resignation, particularly in relation to the terms and conditions and user agreements that are ubiquitous to digital technologies, social media platforms and other websites.Practical implicationsAlthough changes are afoot as part of the General Data Protection Regulation (herein the GDPR) to simplify the terms and conditions of online platforms (European Union, 2016), it offers little practical guidance on how it should be implemented to children. The voices and opinions of children and young people are put forward as suggestions for how the “clear communication to data subjects” required by Article 12 of the GDPR in particular should be implemented, for example, recommendations about how terms and conditions can be made more accessible.Originality/valueChildren and young people are an often overlooked demographic of online users. This paper argues for the importance of this group being involved in any changes that may affect them, by putting forward recommendations from the children and young people themselves.

Published

2019

44. Visual Surveillance Within the EU General Data Protection Regulation: A Technology Perspective

Author

Nadia Kanwal, Mamoona Naveed Asghar, Marco Herbst, Brian Lee, Martin Fleury, and Yuansong Qiao

Subjects

Blockchain, General Computer Science, Computer science, Parliament, media_common.quotation_subject, Internet privacy, Context (language use), Cryptography, ComputingMilieux_LEGALASPECTSOFCOMPUTING, 02 engineering and technology, Encryption, 0202 electrical engineering, electronic engineering, information engineering, Data Protection Act 1998, media_common.cataloged_instance, General Materials Science, CCTV, European union, GDPR, Pseudonymisation, Data protection-by-design, media_common, cryptography, business.industry, Information sharing, Perspective (graphical), General Engineering, 020207 software engineering, gdpr, Visual privacy, data protection-by-design, Video redaction, General Data Protection Regulation, Crytography, Reversible protection, pseudonymisation, 020201 artificial intelligence & image processing, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, lcsh:TK1-9971, Software Research Institute AIT

Abstract

From an individual's perspective, technological advancement has merits and demerits. Video captured by surveillance cameras while a person goes about their daily life may improve their personal safety but the images collected may also represent an invasion of their privacy. Because of the ease of digital information sharing, there exists a need to protect that visual information from illegal utilization by untrusted parties. The European parliament has ratified the General Data Protection Regulation (GDPR), which has been effective since May 2018 with a view to ensuring the privacy of European Union (EU) citizens' and visitors' personal data. The regulation has introduced data safeguards through Pseudonymisation, Encryption, and Data protection-by-design. However, the regulation does not assist with technical and implementation procedures, such as video redaction, to establish those safeguards. This paper refers to the GDPR term “personal data” as “visual personal data” and aims to discuss regulatory safeguards of visual privacy, such as reversible protection, from the technological point-of-view. In the context of GDPR, the roles of machine learning (i.e. within computer vision), image processing, cryptography, and blockchain are explored as a way of deploying Data Protection-by-Design solutions for visual surveillance data. The paper surveys the existing market-based data protection solutions and provides suggestions for the development of GDPR-compliant Data Protection-by-Design video surveillance systems. The paper is also relevant for those entities interacting with EU citizens from outside the EU and for those regions not currently covered by such regulation that may soon implement similar provisions.

Published

2019

45. The GDPR enforcement fines at glance

Author

Kalle Hjerppe and Jukka Ruohonen

Subjects

FOS: Computer and information sciences, business.product_category, Accounting, Simple machine, 0603 philosophy, ethics and religion, 01 natural sciences, Computer Science - Computers and Society, 010104 statistics & probability, Computers and Society (cs.CY), media_common.cataloged_instance, 0101 mathematics, European union, Enforcement, National data, media_common, business.industry, Regression analysis, 06 humanities and the arts, Information security, 16. Peace & justice, Hardware and Architecture, General Data Protection Regulation, 060301 applied ethics, Business, Software, Statistical evidence, Information Systems

Abstract

The General Data Protection Regulation (GDPR) came into force in 2018. After this enforcement, many fines have already been imposed by national data protection authorities in Europe. This paper examines the individual GDPR articles referenced in the enforcement decisions, as well as predicts the amount of enforcement fines with available meta-data and text mining features extracted from the enforcement decision documents. According to the results, three articles related to the general principles, lawfulness, and information security have been the most frequently referenced ones. Although the amount of fines imposed vary across the articles referenced, these three particular articles do not stand out. Furthermore, a better statistical evidence is available with other meta-data features, including information about the particular European countries in which the enforcements were made. Accurate predictions are attainable even with simple machine learning techniques for regression analysis. Basic text mining features outperform the meta-data features in this regard. In addition to these results, the paper reflects the GDPR's enforcement against public administration obstacles in the European Union (EU), as well as discusses the use of automatic decision-making systems in judiciary., Information Systems, published online in August 2021, pp. 1-11. Substantial overlap expected with arXiv:2003.05151; accepted by venue (i.e., extended conference paper)

Published

2022

46. Over the shoulder enforcement in European regulatory networks:the role of arbitrage mitigation mechanisms in the General Data Protection Regulation.

Author

Li, Siyao and Newman, Abraham L.

Subjects

GENERAL Data Protection Regulation, 2016, ARBITRAGE, FREE will & determinism

Abstract

Across many domains, the European Union relies on a system of regulatory network-based enforcement. National agencies work with peers to carry out on-the-ground implementation of supranational law. Network-based enforcement, however, raises concerns including regulatory capture and shirking. We explore how a novel governance tool – arbitrage mitigation mechanisms – may address some of these issues. These mechanisms are formal institutional procedures, which attempt to generate equivalent application of EU law for cross border regulation, and include horizontal checks among regulatory peers as well as vertical checks that allow civil society to voice accountability concerns. To demonstrate the validity of our argument, we examine the General Data Protection Regulation (GDPR) and European privacy enforcement. Our study contributes to the understanding of enforcement and compliance in European regulatory networks and offers a more fine grained understanding of when and how European citizens' civil liberties will be upheld. [ABSTRACT FROM AUTHOR]

Published

2022

47. Your Identity is Yours: Take Back Control of Your Identity Using GDPR Compatible Self-Sovereign Identity

Author

Paul Jenkins and Nitin Naik

Subjects

Social computing, Identity management system, business.industry, General Data Protection Regulation, Internet privacy, Identity (object-oriented programming), media_common.cataloged_instance, Confidentiality, European union, business, Identity management, media_common, Digital identity

Abstract

Digital identity has importance in the digital world representing users in a comparable manner to that of the physical identity in the real world. Digital identity comprises certain personal and confidential attributes related to identity owners, managed through an Identity Management (IDM) system. In most IDM systems, identity owners do not control their own identity and its related personal data. However, Self-Sovereign Identity (SSI) is an emerging IDM system which offers users the ownership and full control over their personal data. In the European Union, General Data Protection Regulation (GDPR) is the basic regulatory environment for anyone involved in processing personal data, whilst SSI is concerned with the requirement of managing identity and its associated personal data. If an SSI system could comply with the key GDPR principles then it could become both a desirable and appropriate IDM solution legally and universally. This paper evaluates this aspect of SSI and analyses SSI compliance and alignment with the key principles of GDPR. Furthermore, it investigates two different types of SSI ecosystems public permissionless blockchain based SSI ecosystem uPort and public permissioned blockchain based SSI ecosystem Sovrin, according to the various defined roles and their compatibility with GDPR roles. Finally, this paper performs the comparative analysis of uPort and Sovrin to assess their compliance with the key principles of GDPR.

Published

2020

48. Designing a Data Governance Model to Implement GDPR in Sri Lankan Enterprises.

Author

Indhumini Ranathunga, P. A. and Wickramarachchi, Ruwan

Subjects

GENERAL Data Protection Regulation, 2016, DATA protection, DATA security, DATA management

Abstract

The volume and complexity of data have expanded while demanding the need for specialized data protection solutions for many data-driven enterprises. Personal data is the internet's new oil and the digital world's new currency, has a big impact on privacy and security. Various laws have been implemented in many nations to protect people's personal information. One of them is GDPR (General Data Protection Regulation), which is particularly relevant for EU data processing businesses. Though it does not apply directly to Sri Lanka, it is directly applied to European Union counterparties. To avoid losing business with the EU, Sri Lanka must also comply with GDPR. Although there aren't many resources for GDPR implementation guidance, the existing ones are not very comprehensive. To resolve the issue, we went through a series of processes to construct a comprehensive model, after which we were able to develop a data governance model to deploy. The data governance model provides extensive direction for data management. We established the indicators and drivers that must be observed while applying the GDPR principles through interviews with industry professionals and completing an extensive literature study. A data governance model is provided in this study for data-driven organizations to simply implement compliance. [ABSTRACT FROM AUTHOR]

Published

2021

49. PROTECTION OF CHILDREN’S PERSONAL DATA. A CRITICAL OVERVIEW FOLLOWING THE ENTRY INTO FORCE OF THE EUROPEAN UNION REGULATION ON PERSONAL DATA PROTECTION.

Author

Ortega Gómez, Marta

Subjects

DATA protection, PERSONALLY identifiable information, ELECTRONIC data processing, GENERAL Data Protection Regulation, 2016, CIVIL rights, DATABASES, CHILD welfare

Abstract

Copyright of Revista Catalana de Dret Públic is the property of Revista Catalana de Dret Public and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)

Published

2022

50. Practical fundamental rights impact assessments.

Author

Janssen, Heleen, Lee, Michelle Seng Ah, and Singh, Jatinder

Subjects

DATA protection laws, CIVIL rights, ARTIFICIAL intelligence, RISK assessment

Abstract

The European Union's General Data Protection Regulation tasks organizations to perform a Data Protection Impact Assessment (DPIA) to consider fundamental rights risks of their artificial intelligence (AI) system. However, assessing risks can be challenging, as fundamental rights are often considered abstract in nature. So far, guidance regarding DPIAs has largely focussed on data protection, leaving broader fundamental rights aspects less elaborated. This is problematic because potential negative societal consequences of AI systems may remain unaddressed and damage public trust in organizations using AI. Towards this, we introduce a practical, four-Phased framework, assisting organizations with performing fundamental rights impact assessments. This involves organizations (i) defining the system's purposes and tasks, and the responsibilities of parties involved in the AI system; (ii) assessing the risks regarding the system's development; (iii) justifying why the risks of potential infringements on rights are proportionate; and (iv) adopt organizational and/or technical measures mitigating risks identified. We further indicate how regulators might support these processes with practical guidance. [ABSTRACT FROM AUTHOR]

Published

2022