Your search keyword '"general data protection regulation"' showing total 1,694 results

1. Factors determining the extent of GDPR implementation within organizations: empirical evidence from Czech Republic

Author

Adam Faifr and Martin Januška

Subjects

general data protection regulation, gdpr, smes, implementation, organizations, compliance, public administration, Business, HF5001-6182

Abstract

In this paper, the key factors that affect the extent of GDPR implementation in enterprises are analysed. Since 2018, all organizations operating in the European Union or processing personal data of EU citizens have had to incorporate a new regulation in their work. After three years of experience, possible key factors that significantly affect the cost of the entire project have been theoretically identified. However, a research gap remains whether the factors thus defined actually have a real impact on the implementation within organizations. Therefore, this study focuses on an empirical investigation of those characteristics using quantitative approach combining Chi-squared tests and the Classification and Regression Tree method. Based on a survey of organizations in the Czech Republic, this paper outlines that the size of the organization, the typology of personal data processed and the way GDPR is implemented determine the scope of the implementation project within organizations. On the other hand, there is no clear evidence that there is significant role in whether it is a public or private organization.

Published

2021

2. General Data Protection Regulation (GDPR) Implementation: What was the Impact on the Market Value of European Financial Institutions?

Author

Maria Cristina ARCUR

Subjects

data protection, financial institutions, general data protection regulation, personal data, stock market, Business, HF5001-6182

Abstract

Personal data protection (PDP) is a big concern for political leaders, IT managers, information security consultants, the financial services industry, and the millions of people currently online. This paper analyses the impact that the most important European data protection regulation, the General Data Protection Regulation (GDPR), had on the market value of European financial institutions. Financial institutions collect and manage large amounts of personal data. Data protection is thus a key issue, and risks of non-compliance include financial, legal, and reputational risks. It is, therefore, interesting to find out whether stockholders recognized the real value and scope of GDPR. In order to examine the financial institution stockholder reaction to GDPR, we apply the event study methodology. We analyse a sample of 357 European listed financial companies, and we use daily market prices. In general, we find a significant positive reaction and note differences among European countries, showing that perception of GDPR impacts differed, probably because of uncertainty and worries about complying with new provisions, which required economic and organizational investment.

Published

2020

3. How Individuals Care for Personal Data Protection When Using Online Services

Author

Benjamin Lesjak and Mojca Čretnik

Subjects

privacy, personal data, protection, information technology, individuals, General Data Protection Regulation, Education, Business, HF5001-6182

Abstract

Individuals have more mechanisms for personal data protection according to new EU General Data Protection Regulation. Therefore, we researched the actions of individuals in relation to the protection of their personal data when using online services. We wanted to assess the awareness of individuals about the importance of personal data protection and if there are any differences regarding age, education and gender in relation to personal data protection when using online services. We examined the individuals' rights in connection to personal data and in connection to ICT use. In the empirical part, we collected several data regarding the behaviour of individuals, related to the protection of personal data. We emphasised that at least age is one of the factors influencing the behaviour and added recommendations for improvement of protection of personal data in conclusions.

Published

2021

4. Design of a Compliance Index for Privacy Policies: A Study of Mobile Wallet and Remittance Services

Author

Rohit Valecha, H. Raghav Rao, and Oluwafemi Akanfe

Subjects

Information privacy, business.industry, Strategy and Management, Privacy policy, media_common.quotation_subject, 05 social sciences, Internet privacy, Privacy laws of the United States, Information privacy law, Payment, Latent Dirichlet allocation, symbols.namesake, General Data Protection Regulation, 0502 economics and business, Mobile payment, symbols, Electrical and Electronic Engineering, business, 050203 business & management, media_common

Abstract

Many nations have adopted comprehensive data privacy laws to protect customers’ data. However, privacy policies of mobile wallet digital payment systems (DPS), and particularly the mobile wallet and remittance services that are part of DPS, are often not compliant with privacy laws. There is a lack of measures to assess how adequate the policies are in addressing data privacy issues. To address this problem, this article develops a compliance index to help DPS organizations assess the compliance of their privacy policies with the general data protection regulation (GDPR). The compliance index is created through a natural language process that includes term frequency-inverse document frequency matrix and topic modeling using latent Dirichlet allocation, to compute 1) an emphasis density score that indicates the level of emphasis a privacy policy places on GDPR dimensions, and 2) a privacy score that identifies the level of compliance of a privacy policy with GDPR. The compliance index is validated by assessing its effectiveness at the country level in comparison with an international publicly available data privacy benchmark.

Published

2023

5. Project Management in the Implementation of General Data Protection Regulation (GDPR)

Author

Ivan Todorović, Stefan Komazec, Đorđe Krivokapić, and Danilo Krivokapić

Subjects

general data protection regulation, gdpr, data protection, personal data, privacy, eu legislation, compliance, project management, Business, HF5001-6182

Abstract

Technology development and digitalization have reshaped business models and made data one of the key resources in business ecosystem. Organizations have become more focused on gathering and processing personal data for the purpose of gaining competitive advantage and profit. Consequently, the importance of personal data protection has significantly grown, since one of the fundamental civil rights, the right of privacy, has become more jeopardized than ever before. This caused major changes in the European Union (EU) legislation related to personal data protection, which resulted in the introduction of General Data Protection Regulation (GDPR). The new regime significantly increases the protection of EU data subjects, but also demands all controllers and processors of personal data to adjust their business in order to avoid huge fines for non-compliance. This paper deals with project management in the process of implementing GDPR provisions.

Published

2018

6. Ethical and normative challenges of identification in the internet of things

Author

Sandra Wachter

Subjects

Identification (information), law, Computer science, business.industry, General Data Protection Regulation, Internet privacy, Normative, Linkage (mechanical), business, Internet of Things, Transparency (behavior), law.invention

Abstract

A defining characteristic of the Internet of Things (IoT) is pervasive collection and linkage of user data to provide personalised experiences. To enable this functionality, IoT devices and services must be connected and share data about users' interactions with multiple nodes in the network. Consistent identification of users and devices across the network is likewise necessary. These aspects of the IoT can pose risks to user privacy. Potentially invasive inferences can be drawn from linked datasets, including data generated through usage of connected devices and services. The forthcoming General Data Protection Regulation (GDPR) contains numerous provisions relevant to the risks posed by identification technologies. However, the strict legal requirements defined in the Articles of the GDPR may be insufficient to ensure a fair balance is struck between user's interests in privacy and the interests of IoT developers and data controllers. To address this gap, this paper proposes a three-step transparency model based on known privacy risks of the IoT, weaknesses in relevant legally binding provisions in the GDPR, and the GDPR's governing principles. Eleven guidelines aimed at IoT developers and data controllers are described addressing how information about the functionality of IoT devices and services should be shared with users. The guidelines describe ethically desirable standards to be adhered to in addition to the GDPR's legally binding requirements. To demonstrate how the guidelines could apply in practice and alter the design choices and practices of IoT developers and data controllers, connected cars are considered as a use case.

Published

2023

7. Proportionate response to the COVID‐19 threat? Use of apps and other technologies for monitoring employees under the European Union's data protection framework

Author

Andra Siibak and Seili Suder

Subjects

data protection, Organizational Behavior and Human Resource Management, digital contact tracing, Coronavirus disease 2019 (COVID-19), business.industry, Strategy and Management, media_common.quotation_subject, Internet privacy, Context (language use), Original Articles, Data Protection Directive, Upload, COVID‐19, Management of Technology and Innovation, General Data Protection Regulation, Employee monitoring, Data Protection Act 1998, Original Article, Business, employee monitoring, GDPR, Function (engineering), contact‐tracing apps, media_common

Abstract

The aim of the article is to explore potential ways employers could use contact‐tracing apps and other monitoring technologies to mitigate the spread of COVID‐19 and potential concerns in the context of the EU GDPR (General Data Protection Regulation). The analysis indicates that, due to the imbalance of power in the employment relationship, national laws are needed to strengthen employees' ability to reject downloading contact‐tracing apps or similar monitoring technologies after the end of the COVID‐19 pandemic. When the need for such technological means for keeping employees safe has receded, additional regulations and guidance are necessary to prevent future problems, such as function creep, and similar misuse by employers.

Published

2022

8. CPFinder: Finding an unknown caller's profession from anonymized mobile phone data

Author

Hui Chen, Xiaoming Yao, Xiaoming Fu, and Jiaquan Zhang

Subjects

050210 logistics & transportation, 0303 health sciences, Computer Networks and Communications, business.industry, Computer science, Mobile broadband, 05 social sciences, Internet privacy, 03 medical and health sciences, Identification (information), Information sensitivity, Hardware and Architecture, Mobile phone, Phone, General Data Protection Regulation, 0502 economics and business, Data Protection Act 1998, business, Personally identifiable information, 030304 developmental biology

Abstract

Identifying an unfamiliar caller's profession is important to protect citizens' personal safety and property. Owing to the limited data protection of various popular online services in some countries, such as taxi hailing and ordering takeouts, many users presently encounter an increasing number of phone calls from strangers. The situation may be aggravated when criminals pretend to be such service delivery staff, threatening the user individuals as well as the society. In addition, numerous people experience excessive digital marketing and fraudulent phone calls because of personal information leakage. However, previous works on malicious call detection only focused on binary classification, which does not work for the identification of multiple professions. We observed that web service requests issued from users' mobile phones may exhibit their applications preferences, spatial and temporal patterns, and other profession-related information. This offers researchers and engineers a hint to identify unfamiliar callers. In fact, some previous works already leveraged raw data from mobile phones (which includes sensitive information) for personality studies. However, accessing users' mobile phone raw data may violate the more and more strict private data protection policies and regulations (e.g., General Data Protection Regulation). We observe that appropriate statistical methods can offer an effective means to eliminate private information and preserve personal characteristics, thus enabling the identification of the types of mobile phone callers without privacy concerns. In this paper, we develop CPFinder —- a system that exploits privacy-preserving mobile data to automatically identify callers who are divided into four categories of users: taxi drivers, delivery and takeouts staffs, telemarketers and fraudsters, and normal users (other professions). Our evaluation over an anonymized dataset of 1,282 users with a period of 3 months in Shanghai City shows that the CPFinder can achieve accuracies of more than 75.0% and 92.4% for multiclass and binary classifications, respectively.

Published

2022

9. Consumer consent and firm targeting after GDPR

Author

Idris Adjerid and Miguel Godinho de Matos

Subjects

Focus (computing), business.industry, Strategy and Management, Instrumental variable, General data protection regulation, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Instrumental variables, Management Science and Operations Research, Field experiment, Consent, Privacy, General Data Protection Regulation, Business, Telecommunications, Panel data

Abstract

The general data protection regulation (GDPR) represents a dramatic shift in global privacy regulation. We focus on GDPR’s enhanced consumer consent requirements that aim to provide transparent and active elicitation of data allowances. We evaluate the effect of enhanced consent on consumer opt-in behavior and on firm behavior and outcomes after consent is solicited. Utilizing an experiment at a large telecommunications provider with operations in Europe, we find that opt-in for different data types and uses increased once GDPR-compliant consent was elicited. However, consumers did not uniformly increase data allowances and continued to generally restrict permissions for more sensitive or tangential uses of their personal information. We also find that sales, the efficacy of marketing communications, and contractual lock-in increased after consumers provided new data allowances. Additional analysis suggests that these gains to the firm emerged because new data allowances enabled them to increase their use of targeted marketing for households that were amenable to these marketing efforts. These results have significant implications for firms and policymakers and suggest that enhanced consent provided via GDPR may be effective for increasing consumer privacy protection while also allowing firms reliant on consumers’ personal information to improve outcomes. This paper was accepted by Chris Forman, information systems.

Published

2022

10. TollsOnly Please—Homomorphic Encryption for Toll Transponder Privacy in Internet of Vehicles

Author

Hassan Karim and Danda B. Rawat

Subjects

biology, Computer Networks and Communications, business.industry, Computer science, Homomorphic encryption, Computer security, computer.software_genre, Computer Science Applications, Data sharing, 13. Climate action, Hardware and Architecture, General Data Protection Regulation, Toll, 11. Sustainability, Signal Processing, biology.protein, Consumer privacy, The Internet, business, computer, Intelligent transportation system, Information Systems, Transponder

Abstract

Cities have circumvented privacy norms and deployed sensors to track vehicles via toll transponders (like E-Zpass tags). The ethical problems regarding these practices have been highlighted by various privacy advocacy groups. The industry however, has yet to implement a standard privacy protection regime to protect users’ data. Further, existing risk management models do not adequately address user-controlled data sharing requirements. In this paper, we consider the challenges of protecting private data in the Internet of Vehicles (IoV) and mobile edge networks. Specifically, we present a privacy risk reduction model for electronic toll transponder data. We seek to preserve driver privacy while contributing to intelligent transportation infrastructure congestion automation schemes. We thus propose TollsOnly, a fully homomorphic encryption protocol. TollsOnly is expected to be a post-quantum privacy preservation scheme. It enables users to share specific data with smart cities via blockchain technology. TollsOnly protects driver privacy in compliance with the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act.

Published

2022

11. Developing a national database for higher education student counselling services: the importance of collaborations

Author

Barbara Dooley, Emma Howard, Chuck Rashleigh, and Zahra Tayer Farahani

Subjects

Medical education, Data collection, Higher education, business.industry, media_common.quotation_subject, Mental health, language.human_language, Psychiatry and Mental health, History and Philosophy of Science, Irish, Political science, General Data Protection Regulation, Sustainability, language, Aggregate data, business, Applied Psychology, Autonomy, media_common

Abstract

Student counselling services are at the forefront of providing mental health support to Irish Higher Education students. Since 1996, the Psychological Counsellors in Higher Education in Ireland (PCHEI) association, through their annual survey collection, has collected aggregate data for the sector. However, to identify national trends and effective interventions, a standardised non-aggregate sectoral approach to data collection is required. The Higher Education Authority funded project, 3SET, builds on the PCHEI survey through the development of a national database. In this paper, we outline the steps followed in developing the database, identify the parties involved at each stage and contrast the approach taken to the development of similar databases. Important factors shaping the development have been the autonomy of counselling services, compliance with General Data Protection Regulation, and the involvement of practitioners. This is an ongoing project with the long-term sustainability of the database being a primary objective.

Published

2021

12. Sekundäre Nutzung von hausärztlichen Routinedaten ist machbar – Bericht vom RADAR Projekt

Author

Ramin Yahyapour, Iris Demmer, Stephanie Heinemann, Roland Groh, Arne Blumentritt, Wolfgang Hoffmann, Thomas Bahls, Philipp Wieder, Johannes Pung, Johannes Drepper, Eva Hummers, Johannes Hauswaldt, Falk Schlegelmilch, Otto Rienhoff, and Valérie Kempter

Subjects

Privacy by Design, Computer science, business.industry, Medical record, Public Health, Environmental and Occupational Health, Health services research, Information repository, medicine.disease, 030210 environmental & occupational health, 3. Good health, 03 medical and health sciences, 0302 clinical medicine, Ambulatory care, Informed consent, General Data Protection Regulation, Health care, medicine, 030212 general & internal medicine, Medical emergency, business

Abstract

ZusammenfassungZiel der Studie „Real world“-Daten aus der ambulanten Gesundheitsversorgung sind in Deutschland nur schwer systematisch und longitudinal zu erlangen. Unsere Vision ist eine permanente Datenablage mit repräsentativen, de-identifizierten Patienten- und Versorgungsdaten, längsschnittlich, fortwährend aktualisiert und von verschiedenen Versorgern, mit der Möglichkeit zur Verknüpfung mit weiteren Daten, etwa aus Patientenbefragungen oder biologischer Forschung, zugänglich für andere Forscher. Wir berichten methodische Vorgehensweisen und Ergebnisse aus dem RADAR Projekt.Methodik Untersuchung des Rechtsrahmens, Entwicklung prototypischer technischer Abläufe und Lösungen, mit Machbarkeitsstudie zur Evaluation von technischer und inhaltlicher Funktionalität sowie Eignung für Fragestellungen der Versorgungsforschung.Ergebnisse Ab 2016 entwickelte ein interdisziplinäres Wissenschaftlerteam ein Datenschutzkonzept für Exporte von Versorgungsdaten aus elektronischen Praxisverwaltungssystemen. Eine technische und organisatorische Forschungsinfrastruktur im ambulanten Sektor wurden entwickelt und im Anwendungsfall „Orale Antikoagulation“ (OAK) umgesetzt. In 7 niedersächsischen Hausarztpraxen wurden 100 Patienten gewonnen und nach informierter Einwilligung ihre ausgewählten Behandlungsdaten, reduziert auf 40 relevante Datenfelder, über die Behandlungsdatentransfer-Schnittstelle extrahiert, unmittelbar vor Ort in identifizierende bzw. medizinische Daten getrennt und verschlüsselt zur Treuhandstelle (THS) bzw. an den Datenhalter übertragen. 75 Patienten, die die Einschlusskriterien erfüllten (mind. 1 Jahr Behandlung mit OAK), erhielten einen Lebensqualitäts-Fragebogen über die THS per Post. Von 66 Rücksendungen wurden 63 Fragebogenergebnisse mit den Behandlungsdaten in der Datenablage verknüpft.Schlussfolgerung Die rechtskonforme Machbarkeit der Gewinnung von pseudonymisierten hausärztlichen Routinedaten mit expliziter informierter Patienteneinwilligung und deren wissenschaftliche Nutzung einschließlich Re-Kontaktierung und Einbindung von Fragebogendaten konnte nachgewiesen werden. Die Schutzkonzepte Privacy by design und Datenminimierung (Artikel 25 mit Erwägungsgrund 78 DSGVO) wurden systematisch in das RADAR Projekt integriert und begründen wesentlich, dass der Machbarkeitsnachweis rechtskonformer Primärdatengewinnung und sekundärer Nutzung für Forschungszwecke gelang. Eine Nutzung hinreichend anonymisierter, aber noch sinnvoller hausärztlicher Gesundheitsdaten ohne individuelle Einwilligung ist im bestehenden Rechtsrahmen in Deutschland schwerlich umsetzbar.

Published

2021

13. Architecture of solution for panoramic image blurring in GIS project application

Author

Ivan Radosavljević, Đorđe Obradović, Dejan Vasić, and Marina Davidović

Subjects

Atmospheric Science, Laser scanning, Computer science, business.industry, QC801-809, Geophysics. Cosmic physics, Point cloud, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, Geology, Oceanography, Object (computer science), Pipeline (software), Object detection, Data set, General Data Protection Regulation, media_common.cataloged_instance, Computer vision, Artificial intelligence, European union, business, media_common

Abstract

Panoramic images captured using laser scanning technologies, which principally produce point clouds, are readily applicable in colorization of point cloud, detailed visual inspection, road defect detection, spatial entities extraction, diverse map creation, etc. This paper underlines the importance of images in modern surveying technologies and different GIS projects at the same time having regard to their anonymization in accordance with law. The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Namely, it is a legislative requirement that faces of persons and license plates of vehicles in the collected data are blurred. The objective of this paper is to present a novel architecture of the solution for a particular object blurring. The architecture is designed as a pipeline of object detection algorithms that progressively narrows the search space until it detects the objects to be blurred. The methodology was tested on four data sets counting 5000, 10 000, 15 000 and 20 000 panoramic images. The percentage of accuracy, i.e., successfully detected and blurred objects of interest, was higher than 97 % for each data set. Additionally, our aim was to achieve efficiency and broad use.

Published

2021

14. Numbers and statistics: data and cyber breaches under the General Data Protection Regulation

Author

Rhea Dennis and Julia Utzerath

Subjects

General Data Protection Regulation, Data security, media_common.cataloged_instance, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Data breach, Business, European union, Enforcement, Computer security, computer.software_genre, computer, Data Protection Directive, media_common

Abstract

Since the General Data Protection Regulation (GDPR) became effective in 2018, enforcement has been at the core of protecting personal data in the European Union (EU). The EU data protection authorities have imposed fines for various types of GDPR breach, and have targeted organisations in multiple sectors, including consumer, technology, media and telecom (TMT), healthcare and industry. The frequency and size of these fines have increased annually, and it is clear that the EU Data Protection Authorities (DPAs) are increasingly cracking down on non-compliance. This article focusses on the fines imposed for breaches of article 32 GDPR, which deals with security of data processing. Article 32 requires organisations to have sufficient technical and organisational measures (TOM) in place to protect them from data breaches, cyber breaches and data security incidents, both internally and externally. As of the end of June 2021, about one fifth of all GDPR fines were imposed for article 32 infringements.

Published

2021

15. Moral bureaucracies and social network research

Author

Stephen P. Borgatti and José Luis Molina

Subjects

Research ethics, 050402 sociology, Sociology and Political Science, Social network, business.industry, Corporate governance, media_common.quotation_subject, 05 social sciences, General Social Sciences, Public relations, 0506 political science, Social research, Scientific freedom, 0504 sociology, Anthropology, General Data Protection Regulation, 050602 political science & public administration, Relevance (law), Sociology, Bureaucracy, business, General Psychology, media_common

Abstract

In the wake of Europe’s General Data Protection Regulation (GDPR), research ethics governance does not just affect the ethical dimensions of social research but also the range of scientific decisions available to researchers. Because of the sensitive status of personal data and the aversion to even minimal risk by what we call “moral bureaucracies”, we are concerned that social network researchers will increasingly limit their research decisions to “safe” options, like reusing anonymized datasets, choosing target populations based on convenience rather than theoretical relevance, and routinely subcontracting fieldwork to professional data collection companies, among others. We also suggest that scientific associations and social scientists in general need to adopt a proactive role in preserving both scientific freedom and genuine ethics advice within this new regulatory framework.

Published

2021

16. Collision Between U.S. Discovery and EU General Data Protection Regulation

Author

Soo-Hye Cho

Subjects

business.industry, General Data Protection Regulation, Business, International trade, Collision

Published

2021

17. General data protection regulations (2018) and clinical research: perspectives of patients and doctors in an Irish university teaching hospital

Author

Nicola Miller, Cliona McMenamin, Peter McAnena, Michael J. Kerin, Elizabeth Maher, Aoife Lowery, John Phineas O’Donnell, and Matthew G Davey

Subjects

medicine.medical_specialty, Descriptive statistics, business.industry, Legislation, General Medicine, language.human_language, Clinical research, Irish, Family medicine, General Data Protection Regulation, language, media_common.cataloged_instance, Data Protection Act 1998, Medicine, University teaching, European union, business, media_common

Abstract

Background Europe’s General Data Protection Regulation, or GDPR, is a set of data protection rules on the acquisition, storage, use, and access of personal data. GDPR came into effect in May 2018 when it was introduced across all 27 European Union (EU) member states and the European Economic Area (EEA). Maintaining compliance with this legislation has presented significant new challenges for ongoing clinical research. Aims To evaluate the knowledge and expectations of patients and doctors regarding GDPR and implications for future clinical research. Methods An anonymous 12-item questionnaire was circulated to patients and doctors at a University Teaching Hospital. Data analysis included descriptive statistics. Results Five hundred nine participants were included: 261 females (51.3%) and 248 males (48.7%). Three hundred fifty were patients (68.8%) and 159 were doctors (31.2%). Three hundred thirty-four participants were aware of GDPR (65.7%): 116 doctors (73.0%) and 218 patients (62.3%, P = 0.018). 71.1% of doctors were willing to allow their personal data to be processed anonymously as part of a clinical research project compared to 43.4% of patients (P P P P P = 0.117). Conclusion GDPR has introduced complexity to the processing and sharing of personal data among researchers. This study has identified differences in the perception of GDPR and willingness to consent to data being used in clinical research between doctors and patients. Measures to adequately inform prospective research participants on data processing and the evolving landscape of data protection regulation should be prioritised.

Published

2021

18. The Provision by Public Authorities of Safe Environments for Particularly Sensitive Citizen Interaction: The Situation at the European Level

Author

Juan Francisco Rodríguez Ayuso

Subjects

Emerging, European level, business.industry, personal data, Internet privacy, menores de edad, public administrations, General Medicine, Reglamento General de Protección de Datos, Administraciones públicas, Public law, humanities, general data protection regulation, minors, General Data Protection Regulation, Digital rights, processing, tratamiento datos personales, business, K3150

Abstract

El objetivo principal del presente estudio de investigación es ofrecer un análisis sistemático del consentimiento en el tratamiento de datos personales de menores de edad al amparo del Reglamento General de Protección de Datos y en la Ley Orgánica de Protección de Datos Personales y de Garantía de Derechos Digitales. En concreto, además de profundizar en el consentimiento como base jurídica fundamental, se diseccionan los contornos esenciales de la firma electrónica como un instrumento más idóneo para garantizar la prestación de este consentimiento, haciendo especial énfasis en las singularidades que ello presenta cuando quienes intervienen como responsables del tratamiento son las Administraciones públicas.

Published

2021

19. Biomedical Data Identifiability in Canada and the European Union: From Risk Qualification to Risk Quantification?

Author

Alexander Bernier and Bartha Maria Knoppers

Subjects

Actuarial science, Biomedical data, General Data Protection Regulation, Identifiability, media_common.cataloged_instance, General Medicine, Privacy law, Business, European union, Risk quantification, media_common, Health data

Published

2021

20. Implications of GDPR on Emerging Technologies

Author

Surya Prakash Biswal and Mugdha S Kulkarni

Subjects

Process management, Data collection, Emerging technologies, Digital era, General Data Protection Regulation, media_common.cataloged_instance, Sustenance, Business, European union, Safeguarding, media_common

Abstract

In the present digital era, organizations worldwide are facing several opportunities and challenges in safeguarding and preserving significant data that are essential in the efficient functioning of organizational activities. Organizations have realized and understood the importance of data collection and analysis to influence target achievements and meet futuristic demands. Many small-scale enterprises and start-ups have also initiated decisions to implement technologies that enable a positive long-term impact. Due to these requirements, the General Data Protection Regulation (GDPR) implementation has become a necessity to ensure future sustenance and functionality of existing and growing organizations. The operational activities in the organizational environment are forced to comply with the general data protection regulation policies and framework. The European Union general data protection regulation, which was imposed in May 2018 (European Union General Data Protection Regulation, 2016), has proven to be effective, both within the country's internal boundaries and globally. However, many organizations are still not familiar with the general data protection regulation compliance policies. The emergence of general data protection regulation has been a recent interest in the activities of various organizational sectors as they are attempting to understand the policies and compliance requirements on the implementation of GDPR applications. The research intends to explore the implications between the GDPR and emerging technologies and suggests various recommendations for organizations to implement and follow the GDPR guidelines that could enhance organizational activities.

Published

2021

21. Getting under your skin(s): A legal-ethical exploration of Fortnite’s transformation into a content delivery platform and its manipulative potential

Author

Marijn Sax, Jef Ausloos, and IViR (FdR)

Subjects

Lifeworld, business.industry, Internet privacy, ComputingMilieux_PERSONALCOMPUTING, Intellectual property, Consumer protection, Freemium, Incentive, General Data Protection Regulation, Data Protection Act 1998, media_common.cataloged_instance, European union, business, Law, Video game, media_common

Abstract

This article investigates the ethical and legal implications of increasingly manipulative practices in the gaming industry by looking at one of the currently most popular and profitable video games in the world. Fortnite has morphed from an online game into a quasi-social network and an important cultural reference point in the lifeworld of many (young) people. The game is also emblematic of the freemium business model, with strong incentives to design the game in a manner which maximizes microtransactions. This article suggests that to properly understand Fortnite's practices – which we predict will become more widely adopted in the video game industry in the near future – we need an additional perspective. Fortnite is not only designed for hyper-engagement; its search for continued growth and sustained relevance is driving its transformation from being a mere video game into a content delivery platform. This means that third parties can offer non game-related services to players within Fortnite's immersive game experience. In this paper, we draw on an ethical theory of manipulation (which defines manipulation as an ethically problematic influence on a person's behaviour) to explore whether the gaming experience offered by Fortnite harbours manipulative potential. To legally address the manipulative potential of commercial video game practices such as the ones found in Fortnite, we turn to European data protection and consumer protection law. More specifically, we explore how the European Union's General Data Protection Regulation and Unfair Commercial Practices Directive can provide regulators with tools to address Fortnite's manipulative potential and to make Fortnite (more) forthright.

Published

2021

22. Signalling Standards for Progress: Bridging the Divide Between a Valid Consent to Use Patient Data Under Data Protection Law and the Common Law Duty of Confidentiality

Author

Edward S. Dove and Mark J. Taylor

Subjects

medicine, Common law, Medicine (miscellaneous), Context (language use), Disclosure, Medical Records, Informed consent, Health care, AcademicSubjects/LAW00490, Data Protection Act 1998, Confidentiality, patient data, data protection, Informed Consent, business.industry, Articles, confidentiality, United Kingdom, humanities, health research, Health Records, Personal, General Data Protection Regulation, Law, Duty of confidentiality, consent, Business

Abstract

In this article, we analyse the legal components of disclosing confidential patient information under the UK’s common law duty of confidentiality (CLDoC) and processing personal (health) data under the UK’s General Data Protection Regulation (GDPR) and Data Protection Act 2018. We describe the ostensible divide between the CLDoC and data protection law when it comes to the requirements of a valid signal of consent by a patient to use and disclose patient information, obtained by a health professional in the context of direct care, for health care and health research purposes. Ultimately, our analysis suggests that we are saddled, at least in the medium term, with two regimes operating with different standards of a valid consent—while putatively protecting similar interests. There is, however, opportunity for progress. It is possible to improve professional guidance on the interaction between the regimes and to achieve significant normative alignment without aligning the signalling standard for consent; this would promote consistent protection of reasonable expectations of patients across both regimes. Further coherence would require aligning not only the standard, but also the role played by consent under each regime. Here we argue that, in relation to direct care, any such shift should be away from consent as the normal justification. In relation to health research, on the contrary, it should be toward consent as the normal justification for use and disclosure of patient information under both the CLDoC and data protection law.

Published

2021

23. Cookie Banners and Privacy Policies: Measuring the Impact of the GDPR on the Web

Author

Michael Kretschmer, Klaus Wehrle, and Jan Pennekamp

Subjects

Computer Networks and Communications, business.industry, Computer science, Privacy policy, 020206 networking & telecommunications, Context (language use), 02 engineering and technology, Service provider, Opt-out, World Wide Web, User experience design, 020204 information systems, General Data Protection Regulation, 0202 electrical engineering, electronic engineering, information engineering, Data Protection Act 1998, Privacy law, business

Abstract

The General Data Protection Regulation (GDPR) is in effect since May of 2018. As one of the most comprehensive pieces of legislation concerning privacy, it sparked a lot of discussion on the effect it would have on users and providers of online services in particular, due to the large amount of personal data processed in this context. Almost three years later, we are interested in revisiting this question to summarize the impact this new regulation has had on actors in the World Wide Web. Using Scopus, we obtain a vast corpus of academic work to survey studies related to changes on websites since and around the time the GDPR went into force. Our findings show that the emphasis on privacy increased w.r.t. online services, but plenty potential for improvements remains. Although online services are on average more transparent regarding data processing practices in their public data policies, a majority of these policies still either lack information required by the GDPR (e.g., contact information for users to file privacy inquiries) or do not provide this information in a user-friendly form. Additionally, we summarize that online services more often provide means for their users to opt out of data processing, but regularly obstruct convenient access to such means through unnecessarily complex and sometimes illegitimate interface design. Our survey further details that this situation contradicts the preferences expressed by users both verbally and through their actions, and researchers have proposed multiple approaches to facilitate GDPR-conform data processing without negatively impacting the user experience. Thus, we compiled reoccurring points of criticism by privacy researchers and data protection authorities into a list of four guidelines for service providers to consider.

Published

2021

24. The Right to Data Portability: conception, status quo, and future directions

Author

Stefan Mager, Jens Grossklags, Emmanuel Syrmoudis, Sophie Kuebler-Wachendorff, Susanne Mayr, Johann Kranz, and Robert Luzsa

Subjects

Service (business), 0209 industrial biotechnology, business.industry, Status quo, media_common.quotation_subject, 05 social sciences, Internet privacy, Hauptbeitrag, Computer Science, general, Computer Hardware, Computer Systems Organization and Communication Networks, Software Engineering/Programming and Operating Systems, Data Structures and Information Theory, 02 engineering and technology, Direct transfer, Service provider, ddc, Computer Science Applications, Consumer Bill of Rights, 020901 industrial engineering & automation, General Data Protection Regulation, 0502 economics and business, media_common.cataloged_instance, Business, 050207 economics, European union, Data portability, Information Systems, media_common

Abstract

For almost three years, the General Data Protection Regulation (GDPR) has been granting citizens of the European Union the right to obtain personal data from companies and to transfer these data to another company. The so-called Right to Data Portability (RtDP) promises to significantly reduce switching costs for consumers in digital service markets, provided that its potential is effectively translated into reality. Thus, of all the consumer rights in the GDPR, the RtDP has the potential to be the one with the most significant implications for digital markets and privacy. However, our research shows that the RtDP is barely known among consumers and can currently only be implemented in a fragmented manner—especially with regard to the direct transfer of data between online service providers. We discuss several ways to improve the implementation of this right in the present article.

Published

2021

25. The Short-Run Effects of the General Data Protection Regulation on Technology Venture Investment

Author

Liad Wagman, Jian Jia, and Ginger Zhe Jin

Subjects

Marketing, 050208 finance, Short run, 05 social sciences, International economics, Investment (macroeconomics), General Data Protection Regulation, 0502 economics and business, media_common.cataloged_instance, Business, 050207 economics, Business and International Management, European union, media_common

Abstract

Jia et al. study the effects of the General Data Protection Regulation on technology venture investment in the European Union.

Published

2021

26. Privacy-Aware Cloud Auditing for GDPR Compliance Verification in Online Healthcare

Author

Rajiv Rajan, Omer Rana, Madeline Carr, Gagangeet Singh Aujla, Masoud Barati, Kwabena Adu Duodu, and Jose Tomas Llanos

Subjects

Service (systems architecture), Information privacy, business.industry, Computer science, Cloud computing, Audit, Computer security, computer.software_genre, Computer Science Applications, Public-key cryptography, Control and Systems Engineering, General Data Protection Regulation, Data Protection Act 1998, Electrical and Electronic Engineering, business, computer, Information Systems, Private network

Abstract

Emerging multi-tenant cloud computing ecosystems allow multiple applications to share virtualised pool of computing and networking resources. As a result such ecosystems are becoming increasingly prone to data privacy concerns (personal data leakages and unauthorised access). While cloud computing providers support robust security and privacy mechanisms (e.g, public key cryptography, firewalls, virtual private networks, among many others), they lack mechanisms and frameworks to monitor, audit and verify these data privacy concerns. The emergence of data protection regulations around the world, such as General Data Protection Regulation (GDPR) in Europe and the Data Protection Act (DPA) in the UK, further emphasise the need to overcome these privacy limitations. A novel technique for monitoring, auditing and verifying the operations carried out on a users personal data in cloud computing ecosystems is proposed. Our research methodology leverages distributed ledger technologies (e.g., Blockchain, Smart Contracts) for developing an immutable recording technique, which transparently logs, monitors and verifies the operations carried out on user data. Using a healthcare pharmacy scenario and extensive real-world experiments, we validate the feasibility of the proposed technique. The proposed work handles a large pool of requests (> 13K) ensuring minimal latency (approx. 50-60 ms) and overheads for three different service packages varied with respect to the number of actors and operations).

Published

2022

27. Information Privacy Assimilation in IT Organizations

Author

Vijayan Sugumaran, V S Prakash Attili, and Saji K. Mathew

Subjects

Information privacy, Knowledge management, Computer Networks and Communications, business.industry, Organizational culture, Information technology, Survey sampling, Theoretical Computer Science, General Data Protection Regulation, Information system, Strategic management, Business, Senior management, Software, Information Systems

Abstract

Information privacy concerns have been rising over a few decades. As per the recent General Data Protection Regulation, organizations need to implement the highest-possible privacy settings by design and default. Following the neo-institutional theory, this study develops a model for understanding the mechanism of information privacy assimilation in Information Technology (IT) organizations. This study treats information privacy as a distinct dimension separate from security. After analyzing a sample survey data of 214 respondents from the IT industry, privacy capability and organizational culture emerged as influencing factors with a statistically significant influence on information privacy assimilation. The findings from this study support the mediating role of senior management participation between the external coercive forces and privacy-related business strategy. Business strategy also plays a mediating role between coercive/normative forces and privacy-related activities within an organization. Here the mimetic forces show a direct influence on privacy-related activities. A positive moderating effect of organizational culture on normative forces and privacy-related activities relationship; and a negative moderating effect of privacy capability on mimetic forces and privacy-related activities relationship are observed. These findings could enable senior managers to respond to institutional pressures by focusing on appropriate factors within an organization for developing effective privacy strategies and actions. This work is an extension of the pilot work that was published in Communications of the Association for Information Systems (CAIS), 2018. The prior work focuses on developing the propositions qualitatively. Building on that, we have formally defined the hypotheses, developed the appropriate survey instrument and collected the primary data which is large enough to do adequate analysis. Adopted a quantitative approach using an extensive sample survey of IT organizations, followed a more rigorous process for data collection, analysis, and discussion of the results. In addition, based on the lessons learned from the pilot study, we have updated the research model and hypotheses with a focus on privacy-related business strategy and activities.

Published

2021

28. THE RIGHT TO PRIVACY IN THE AGE OF PANDEMICS 'A STUDY IN GERMAN AND EUROPEAN LAW'

Author

Mohamed Aboubakr Abdelhadi

Subjects

business.industry, General Data Protection Regulation, Internet privacy, The Right to Privacy, media_common.cataloged_instance, Data Protection Act 1998, Proportionality (law), Fundamental rights, Legislation, Business, European union, Safeguarding, media_common

Abstract

The right to protection of personal data arises where personal data requires processing, usage ad storage. It is therefore a process requiring extracting of personal data from an individual and processing it without infringing on the person’s rights to protection of data as well as privacy. Contact tracing technology is used at the time of epidemics, and it is a technique by which people can be monitored to find out their interactions with a person who has tested positive for a specific infectious disease. This process was previously done as a means of managing infectious diseases so as to shorten the response time. Specifically, for the Covid-19 pandemic, the process has been digitized across the globe. In dealing with covid-19, the state should take into consideration the need to balance between the right of individuals to good health and the right to protection of data as contact tracing and following up on infections is paramount in managing the corona virus pandemic. This can be through setting out legislation that limits the use of information collected for the purposes of corona-virus for that limited purpose in the required institutions. Since Coronavirus is an emerging problem, more needs to be done in terms of research to understand how to deal with it effectively and in balance while protecting the rights and freedoms of individuals. The Paper discuss the legal principles on the right to personal privacy in both Germany and the European Union, through a comparative study between European Union General Data Protection Regulation (GDPR) which came into force on 25th May 2018, and German Federal Data Protection Act (BDSG) of 30 June 2017, amended by Article 12 of the Act of November 20, 2019. it will delve deeper on the relationship between the protection of personal data and other fundamental rights and freedoms. Lastly it studies the balancing between measures that could help track and contain the virus while safeguarding the privacy of individuals.

Published

2021

29. Sharing ICU Patient Data Responsibly Under the Society of Critical Care Medicine/European Society of Intensive Care Medicine Joint Data Science Collaboration

Author

Mihaela van der Schaar, Patrick Thoral, Matthew M. Churpek, Ari Ercole, Armand R. J. Girbes, Eric J.G. Sijbrands, Lewis J. Kaplan, Erwin J. O. Kompanje, Maurizio Cecconi, Ronald H. Driessen, Jan M. Peppink, Gilles Clermont, Heatherlee Bailey, Paul W. G. Elbers, Jozef Kesecioglu, Intensive care medicine, ACS - Diabetes & metabolism, Internal Medicine, and Intensive Care

Subjects

medicine.medical_specialty, Health Information Exchange, Databases, Factual, Privacy laws of the United States, data anonymization, Audit, Critical Care and Intensive Care Medicine, computer.software_genre, Hospitals, University, 03 medical and health sciences, 0302 clinical medicine, big data, Medicine, Humans, Critical Care Outcomes, Intensive care medicine, database, Societies, Medical, Netherlands, Health Insurance Portability and Accountability Act, Data anonymization, Database, business.industry, Online Clinical Investigations, 030208 emergency & critical care medicine, artificial intelligence, Data science, United States, Data sharing, Intensive Care Units, machine learning, 030228 respiratory system, General Data Protection Regulation, ComputingMethodologies_DOCUMENTANDTEXTPROCESSING, data science, Privacy law, business, computer, Algorithms, Confidentiality

Abstract

Supplemental Digital Content is available in the text., OBJECTIVES: Critical care medicine is a natural environment for machine learning approaches to improve outcomes for critically ill patients as admissions to ICUs generate vast amounts of data. However, technical, legal, ethical, and privacy concerns have so far limited the critical care medicine community from making these data readily available. The Society of Critical Care Medicine and the European Society of Intensive Care Medicine have identified ICU patient data sharing as one of the priorities under their Joint Data Science Collaboration. To encourage ICUs worldwide to share their patient data responsibly, we now describe the development and release of Amsterdam University Medical Centers Database (AmsterdamUMCdb), the first freely available critical care database in full compliance with privacy laws from both the United States and Europe, as an example of the feasibility of sharing complex critical care data. SETTING: University hospital ICU. SUBJECTS: Data from ICU patients admitted between 2003 and 2016. INTERVENTIONS: We used a risk-based deidentification strategy to maintain data utility while preserving privacy. In addition, we implemented contractual and governance processes, and a communication strategy. Patient organizations, supporting hospitals, and experts on ethics and privacy audited these processes and the database. MEASUREMENTS AND MAIN RESULTS: AmsterdamUMCdb contains approximately 1 billion clinical data points from 23,106 admissions of 20,109 patients. The privacy audit concluded that reidentification is not reasonably likely, and AmsterdamUMCdb can therefore be considered as anonymous information, both in the context of the U.S. Health Insurance Portability and Accountability Act and the European General Data Protection Regulation. The ethics audit concluded that responsible data sharing imposes minimal burden, whereas the potential benefit is tremendous. CONCLUSIONS: Technical, legal, ethical, and privacy challenges related to responsible data sharing can be addressed using a multidisciplinary approach. A risk-based deidentification strategy, that complies with both U.S. and European privacy regulations, should be the preferred approach to releasing ICU patient data. This supports the shared Society of Critical Care Medicine and European Society of Intensive Care Medicine vision to improve critical care outcomes through scientific inquiry of vast and combined ICU datasets.

Published

2021

30. Is the Expectation of Privacy a Dying Standard? The Government’s Access to Biological Data, Consumer Data and Bioinformatics – And the Limitations that Should be in Place

Author

Jose Angel Gutierrez

Subjects

Biological data, Government, business.industry, General Data Protection Regulation, Internet privacy, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Business, Expectation of privacy

Abstract

The Judicial System is by and large a backward-looking, rather than a forward-looking system. The rapid advancement of technology is creating a greater strain on our legal framework. The current legal system considers whether the Technology is in common use to determine the expectation of privacy, however, this legal standard will, and arguably already does, lack the flexibility to make timely and efficient determinations on the constitutionality of using certain technology for governmental searches and seizures. The solution is a proactive approach through a combination of Legislative and Judicial action that will ensure individual privacy is protected in an ever-advancing technological world.

Published

2021

31. Data Protection and Tech Startups: The Need for Attention, Support, and Scrutiny

Author

Jatinder Singh, Jennifer Cobbe, Chris Norval, Heleen Janssen, Janssen, Heleen [0000-0002-2785-5741], Cobbe, Jennifer [0000-0001-8912-4760], Singh, Jat [0000-0002-5102-6564], Apollo - University of Cambridge Repository, Norval, C [0000-0002-4331-7863], and IViR (FdR)

Subjects

Warrant, Health (social science), Scrutiny, Public Administration, Privacy by Design, Emerging technologies, ComputingMilieux_LEGALASPECTSOFCOMPUTING, 050801 communication & media studies, compliance, data subject rights, supervisory authorities, 0508 media and communications, Order (exchange), 050602 political science & public administration, Data Protection Act 1998, Marketing, data protection, emerging technology, Health Policy, 05 social sciences, 0506 political science, Computer Science Applications, Preparedness, General Data Protection Regulation, privacy by design, Business, tech-startups, General Data Protection Regulation (GDPR)

Abstract

While discussions of data protection have focused on the larger, more established organisations, startups also warrant attention. This is particularly so for tech startups, who are often innovating at the `cutting-edge' -- pushing the boundaries of technologies that typically lack established data protection best-practices. Initial decisions taken by startups could well have long-term impacts, and their actions may inform (for better or for worse) how particular technologies and the applications they support are implemented, deployed and perceived for years to come. Ensuring that the innovations and practices of tech startups are sound, appropriate and acceptable should therefore be a high priority. This paper explores the attitudes and preparedness of tech startups to issues of data protection. We interviewed a series of UK-based emerging tech startups as the EU's General Data Protection Regulation (GDPR) came into effect, which revealed areas in which there is a disconnect between the approaches of the startups and the nature and requirements of the GDPR. We discuss the misconceptions and associated risks facing innovative tech startups, and offer a number of considerations for the firms and supervisory authorities alike. In light of our discussions, and given what is at stake, we argue that more needs to be done in order to help ensure that emerging technologies and the practices of the companies that operate them better align with the regulatory obligations. We conclude that tech startups warrant increased attention, support, and scrutiny in order to raise the standard of data protection for the benefit of us all.

Published

2021

32. Privacy in the Era of Big Data: Unlocking the Blue Oceans of Data Paradigm in Malaysia

Author

Nurus Sakinatul Fikriah Mohd Shith Putera, Sherie Aneesa Binti Johary Al Bakry, Atiqah Azman, Hartini Saripan, Wan Nur Afiqah Binti Wan Daud, Nurul Sahira Binti Kamal Azwan, and Nur Shaura Azrin Binti Azman

Subjects

Data profiling, Analytics, business.industry, General Data Protection Regulation, Privacy policy, Internet privacy, Big data, Data Protection Act 1998, media_common.cataloged_instance, Business, European union, Transparency (behavior), media_common

Abstract

Big Data has revolutionized the process of online activities such as marketing and advertisement based on individual preferences in the eCommerce industry. In Malaysia, the integration of Big Data in the commercial and business environment is keenly felt by establishing the National Big Data Analytics Framework catalyzing further economic growth in all sectors. However, the distinct features of Big Data spawn issues relating to privacy, such as data profiling, lack of transparency regarding privacy policies, accidental disclosures of data, false data or false analytics results. Hence, this research provides an insight into the intersection between Big Data and an individual's fundamental rights. The trade-off between privacy breaching and preserving is becoming more intense due to the rapid advancement of Big Data. Suggesting comparative analysis method as the data analysis approach, the adequacy of the Malaysian Personal Data Protection Act 2010 (PDPA 2010) in governing the risks of Big Data is evaluated against the European Union General Data Protection Regulation (GDPR) in managing the risk arising from the integration of Big Data. This research is hoped to initiate the improvement to the legislative framework, provides fundamentals to the formulation of national policy, and creation of specific law on Big Data in Malaysia, which will subsequently benefit industrial players and stakeholders.

Published

2021

33. Challenges in Conducting Sexual Health and Violence Research in Older Adults Beyond the General Data Protection Regulation: A Belgian Case Study

Author

Ines Keygnaert, Laurent Nisen, Gilbert Lemmens, Adina Cismaru-Inescu, Christophe Vandeviver, Anne Nobels, and Bastien Hahaut

Subjects

Gerontology, sampling, medicine.medical_specialty, Pilot Projects, Human sexuality, Violence, elder abuse and neglect, Older population, Belgium, ELDER ABUSE, Medicine and Health Sciences, medicine, Humans, Computer Security, Applied Psychology, Aged, Reproductive health, Sexual violence, business.industry, Public health, methodology, Elder abuse, sexuality, PREVALENCE, Clinical Psychology, Privacy, ageing, General Data Protection Regulation, Sexual Health, Psychology, business

Abstract

Because of a growing older population, the sexual health (SH) of older adults, including sexual violence (SV), is becoming an increasingly important public health concern. Yet, reliable SV prevalence rates and risk factors are lacking, due to methodological shortcomings in current studies. SV research involves challenges regarding safety and disclosure, especially in older adults. In this paper, we reflect on the methods used in a sexual health and violence (SH&V) study in older adults balancing between privacy rules imposed by the General Data Protection Regulation (GDPR) and ethical and safety guidelines.To ensure the acceptability of the questionnaire, it was tested in a two-phase pilot study. To maximize SV disclosure, the questionnaire built up gradually towards the more sensitive SV modules. Interviewers were trained to approach participants in a non-judgmental manner. Due to GDPR, our data collection method was changed from a random sampling via the National Register to a cluster random probability sampling with a random walk finding approach.Older adults were willing to discuss SH&V during a structured face-to-face interview with trained interviewers. Following strict safety guidelines, no major incidents were reported. The cluster random probability sampling with random walk finding approach provided an adequate sampling frame, but was inefficient and time-consuming.Doing research on SH&V in older adults is feasible but requires a substantial investment of time and the challenges involved may incur greater costs. In order to guarantee further research on sensitive topics in older adults, we recommend that an interdisciplinary expert group consisting of researchers, donors, and policymakers investigates how GDPR and public health research in hard-to-reach populations can be better matched.

Published

2021

34. Beyond Privacy: Protecting Data Interests in the Age of Artificial Intelligence

Author

Matt Bartlett

Subjects

Value (ethics), business.industry, Process (engineering), Big data, Control (management), google, K1-7720, privacy, artificial intelligence, general data protection regulation, Law in general. Comparative and uniform law. Jurisprudence, data, General Data Protection Regulation, media_common.cataloged_instance, Frame (artificial intelligence), Data Protection Act 1998, Artificial intelligence, European union, business, facebook, media_common

Abstract

Serious challenges are raised by the way in which technology companies like Facebook and Google harvest and process user data. Companies in the modern data economy mine troves of data with sophisticated algorithms to produce valuable behavioural predictions. These data-driven predictions provide companies with a powerful capacity to influence and manipulate users, and these risks are increasing with the explosive growth of ‘Big Data’ and artificial intelligence machine learning. This article analyses the extent to which these challenges are met by existing regimes such as Australia and New Zealand’s respective privacy acts and the European Union’s General Data Protection Regime. While these laws protect certain privacy interests, I argue that users have a broader set of interests in their data meriting protection. I explore three of these novel interests, including the social dimension of data, control and access to predictions mined from data and the economic value of data. This article shows how existing frameworks fail to recognise or protect these novel interests. In light of this failure, lawmakers urgently need to frame new legal regimes to protect against the worst excesses of the data economy.

Published

2021

35. I’m all ears! Listening to software developers on putting GDPR principles into software development practice

Author

Nalin Asanka Gamagedara Arachchilage and Abdulrahman Alhazmi

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Computer science, Computer Science - Human-Computer Interaction, Mobile computing, 02 engineering and technology, Management Science and Operations Research, Human-Computer Interaction (cs.HC), Computer Science - Software Engineering, Software, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Secure software engineering, Active listening, Software system, GDPR, business.industry, Software development, Software developers, 020206 networking & telecommunications, Onboarding, Computer Science Applications, Software Engineering (cs.SE), Engineering management, Hardware and Architecture, Privacy, General Data Protection Regulation, Usable security, Original Article, Unavailability, business, Cryptography and Security (cs.CR)

Abstract

Previous research has been carried out to identify the impediments that prevent developers from incorporating privacy protocols into software applications. No research has been carried out to find out why developers are not able to develop systems that preserve-privacy while specifically considering the General Data Protection Regulation principles (GDPR principles). Consequently, this paper aims to examine the issues, which prevent developers from creating applications, which consider and include GDPR principles into their software systems. From our research findings, we identified the lack of familiarity with GDPR principles by developers as one of the obstacles that prevent GDPR onboarding. Those who were familiar with the principles did not have the requisite knowledge about the principles including their techniques. Developers focused on functional than on privacy requirements. Unavailability of resourceful online tools and lack of support from institutions and clients were also identified as issues inimical to the onboarding of GDPR principles., Comment: 18

Published

2021

36. Instant messaging apps and data protection: combining to improve hip fracture care?

Author

Keith Synnott, James Cashman, Geoff Crozier-Shaw, and Andrew J. Hughes

Subjects

medicine.medical_specialty, Telemedicine, Databases, Factual, Orthopaedics, 030204 cardiovascular system & hematology, Trauma, 03 medical and health sciences, 0302 clinical medicine, Health care, medicine, Humans, Data Protection Act 1998, Social media, 030212 general & internal medicine, Computer Security, Data protection, Service (business), Hip fracture, Hip Fractures, business.industry, Healthcare, General Medicine, medicine.disease, Hospitalization, Orthopedics, General Data Protection Regulation, Orthopedic surgery, Original Article, Medical emergency, business

Abstract

Introduction The General Data Protection Regulation (GDPR) continues to have implications for how healthcare information is managed and shared. This presents challenges as telemedicine plays a more central role in service healthcare service provision, particularly since the beginning of 2020. We aim to measure how improved communication through a GDPR-compliant messaging app can influence time-dependent key performance indicators for hip fracture management in a tertiary-referral trauma hospital. Methods Using an instant messaging service, a hip fracture group was created and access was provided to all stakeholders in hip fracture care—trainee and consultant emergency physicians and orthopaedic surgeons, as well as advanced nurse practitioners, bed managers, ward managers and theatre managers. Irish Hip Fracture Database (IHFD) standard compliance was compared from April to December 2017 and April to December 2018. Results Two periods in 2017 and 2018 saw 121 and 122 hip fracture patients admitted, respectively. Mean time to admission to an orthopaedic ward in 2017 was 47 ± 42.9 h and 33.3 ± 42 h in 2018 (P = 0.5). Mean time to surgery in 2017 was 83.66 ± 53.46 h and 39.11 ± 10.84 h in 2018 (p = 0.026). Conclusions Irish Hip Fracture Database Standards present a challenge to orthopaedic departments competing with other hospital specialties for access to beds and theatre space. The introduction of a GDPR-compliant social media messaging service has contributed to significantly reducing the time to surgery for these patients. Streamlining communication through messaging services has and continues to be vital to improving care for hip fracture patients, both in the healthcare environment and beyond.

Published

2021

37. A Lightweight Scheme Exploiting Social Networks for Data Minimization According to the GDPR

Author

Antonia Russo and Gianluca Lax

Subjects

Scheme (programming language), Authentication, Service (systems architecture), Computer science, business.industry, Control (management), 020206 networking & telecommunications, Access control, 02 engineering and technology, Computer security, computer.software_genre, Human-Computer Interaction, Modeling and Simulation, General Data Protection Regulation, 0202 electrical engineering, electronic engineering, information engineering, Cryptographic hash function, 020201 artificial intelligence & image processing, business, computer, Personally identifiable information, Social Sciences (miscellaneous), computer.programming_language

Abstract

In many application domains, there is a need to ensure that users satisfy some requirements to use a service: for example, there is a minimum age to buy alcoholic beverages or to watch some videos on YouTube. In these situations, organizations typically collect more personal information than necessary to provide a better service. The consequence is a personal data leakage that violates the data minimization principle stated by the General Data Protection Regulation 2016/679. This article proposes a new approach for allowing individuals to maintain control over the disclosure of their data, deciding which information to disclose and for how long. Our approach is based on the use of social networks, and implementation on Facebook is presented to show that the proposed solution is effective, cheap, friendly, and simple to adopt.

Published

2021

38. APLICABILIDADE DA LEI GERAL DE PROTEÇÃO DE DADOS PESSOAIS LEI 13.709/18 — SANÇÕES ADMINISTRATIVAS E CRIMINAIS

Author

Andrea Luiza Escarabelo Sotero and Laura Braga Maldonado

Subjects

Order (business), General Data Protection Regulation, Legal certainty, Private law, Fundamental rights, Business, Natural person, Law and economics

Abstract

A Lei de Geral de Proteção de dados Pessoais - Lei 13.709/18, foi sancionada em 14 de agosto de 2018. A LGPD tem como base a “General Data Protection Regulation” (GDPR), regulamentação europeia aprovada em maio do ano passado (2018), que tem origem no PLC 53/2018. Aprovada por unanimidade pelo Plenário do Senado em Julho/2018, a nova lei dispõe, sobre o tratamento de dados pessoais, de pessoa natural, jurídica de direito público e privado. Com o objetivo de proteger os direitos fundamentais, de liberdade e de privacidade, estabelecendo regras, e limites para empresas que utilizam, armazenam, e compartilham dados, favorecendo o desenvolvimento econômico de sua empresa, e consequentemente, expondo de forma inadequada os dados que possuem. Um dos princípios desta lei é assegurar que os dados serão utilizados apenas para uma finalidade específica, os dados coletados devem respeitar o princípio da minimização de coleta, os dados coletados devem ser apenas o necessário para a atingir a finalidade. A lei traz mais segurança jurídica para empresas e maior proteção aos direitos dos titulares dos dados, sendo essencial entender os conceitos relevantes desta norma, para compreensão dos seus impactos, na prática.

Published

2021

39. Is Time ‘on the Side of Change’? Incorporating the GDPR in (some of) our Research Practices

Author

Sophie Duchesne, Maylis Ferry, Centre Émile Durkheim (CED), and Université de Bordeaux (UB)-Centre National de la Recherche Scientifique (CNRS)-Sciences Po Bordeaux - Institut d'études politiques de Bordeaux (IEP Bordeaux)

Subjects

[SHS.SOCIO]Humanities and Social Sciences/Sociology, Process management, Sociology and Political Science, 05 social sciences, participatory science, 050401 social sciences methods, RGPD, 16. Peace & justice, projective methods, méthodes projectives, [SHS.SCIPO]Humanities and Social Sciences/Political science, 0506 political science, science participative ethics, GPDR, 0504 sociology, General Data Protection Regulation, nationalism, éthique, 050602 political science & public administration, Business, nationalisme

Abstract

International audience; The General Data Protection Regulation (GDPR) now serves as a framework for research, among other activities, when it involves collecting and using data which directly or indirectly allow the people in question to be identified. This therefore affects our research practice and, we believe, requires collective discussion. We suggest opening up the debate in this article by looking at what GDPR compliance means for our work in concrete terms, based on our own experience beginning a study on family transmission of banal nationalism (the ETPAF project). We also give an account of how, in our case, this new regulatory situation has afforded us the opportunity to add a (small) popular education dimension (or participatory science) to our work that was not part of the initial project and that we consider genuinely stimulating.; Le règlement général de protection des données personnelles encadre désormais la recherche – entre autres domaines d’activité – dès lors qu’elle implique le recueil et l’usage de données qui permettent directement ou indirectement d’identifier les personnes qu’elles concernent. Cela affecte nos pratiques de chercheur·es et il nous semble nécessaire d’en discuter collectivement. Nous proposons d’engager le débat dans cet article en revenant sur ce qu’implique concrètement la mise en conformité de nos enquêtes eu égard au RGPD, à partir de l’expérience qui est la nôtre : le lancement d’une recherche sur la transmission du nationalisme banal dans les familles (projet ETPAF). Nous y racontons par ailleurs comment, dans notre cas, cette nouvelle donne réglementaire a été l’occasion de développer une (petite) dimension d’éducation populaire, ou de science participative, qui n’était pas initialement prévue dans le projet et qui nous a semblé réellement stimulante.

Published

2021

40. How to address data privacy concerns when using social media data in conservation science

Author

Ritwik Kulkarni, Enrico Di Minin, Anna Hausmann, Jens Kremer, Christoph Fink, Department of Geosciences and Geography, Helsinki Institute of Sustainability Science (HELSUS), Helsinki Lab of Interdisciplinary Conservation Science, and Faculty of Law

Subjects

0106 biological sciences, Conservation of Natural Resources, Information privacy, human–nature interactions, Data management, Internet privacy, 010603 evolutionary biology, 01 natural sciences, general data protection regulation, big data, conservation culturomics, Humans, media_common.cataloged_instance, Data Protection Act 1998, Social media, European union, 1172 Environmental sciences, Ecology, Evolution, Behavior and Systematics, Nature and Landscape Conservation, media_common, Ecology, business.industry, Impact assessment, 010604 marine biology & hydrobiology, risk assessment, ethics, Metadata, Privacy, General Data Protection Regulation, legal basis, business, Social Media

Abstract

Social media data are being increasingly used in conservation science to study human-nature interactions. User-generated content, such as images, video, text, and audio, and the associated metadata can be used to assess such interactions. A number of social media platforms provide free access to user-generated social media content. However, similar to any research involving people, scientific investigations based on social media data require compliance with highest standards of data privacy and data protection, even when data are publicly available. Should social media data be misused, the risks to individual users' privacy and well-being can be substantial. We investigated the legal basis for using social media data while ensuring data subjects' rights through a case study based on the European Union's General Data Protection Regulation. The risks associated with using social media data in research include accidental and purposeful misidentification that has the potential to cause psychological or physical harm to an identified person. To collect, store, protect, share, and manage social media data in a way that prevents potential risks to users involved, one should minimize data, anonymize data, and follow strict data management procedure. Risk-based approaches, such as a data privacy impact assessment, can be used to identify and minimize privacy risks to social media users, to demonstrate accountability and to comply with data protection legislation. We recommend that conservation scientists carefully consider our recommendations in devising their research objectives so as to facilitate responsible use of social media data in conservation science research, for example, in conservation culturomics and investigations of illegal wildlife trade online.Cómo Abordar las Preocupaciones por Privacidad al Usar las Redes Sociales en las Ciencias de las Conservación Resumen Cada vez se usan más los datos de las redes sociales en las ciencias de la conservación para estudiar las interacciones humano-naturaleza. El contenido generado por usuarios (imágenes, videos, textos y audios) y los metadatos asociados a estos pueden usarse para evaluar dichas interacciones. Un gran número de redes sociales proporcionan acceso gratuito al contenido generado por usuarios en las redes sociales. Sin embargo, como con cualquier investigación que involucre personas, las investigaciones basadas en los datos obtenidos de la redes sociales requieren cumplir con los estándares más altos de privacidad de datos y protección de la información, incluso cuando éstos están disponibles públicamente. En caso de que se le dé un uso inapropiado a la información obtenida de las redes sociales, los riesgos para la privacidad del usuario y para su bienestar pueden ser sustanciales. Investigamos las bases legales para el uso de la información de redes sociales en conjunto con la garantía de derechos para los sujetos de la información por medio de un estudio de caso basado en la Regulación de la Protección de Datos Generales (GDPR) de la Unión Europea (EU). Los riesgos asociados con el uso de información de las redes sociales en la investigación incluyen la identificación errónea accidental o intencional, la cual tiene el potencial de ocasionar daño psicológico o físico a la persona identificada. Para recolectar, almacenar, proteger, compartir y administrar la información de las redes sociales de manera que se prevengan los riesgos potenciales para los usuarios involucrados, se deben minimizar los datos, volverlos anónimos y seguir un procedimiento estricto de manejo de datos. Las estrategias basadas en riesgos, como la evaluación del impacto de la privacidad de datos, pueden usarse para identificar y minimizar los riesgos de privacidad presentes para los usuarios de las redes, para demostrar responsabilidades y para cumplir con la legislación de protección de datos. Recomendamos a los científicos de la conservación que consideren con cuidado nuestras recomendaciones para el diseño de sus objetivos de investigación para así facilitar el uso responsable de la información de redes sociales en la investigación de las ciencias de la conservación, por ejemplo para las investigaciones sobre el mercado ilegal de fauna en línea y para la culturomia de la conservación.社交媒体数据正越来越多地用于保护科学, 以研究人类与自然的互动。用户发布的内容如图像、视频、文本、音频以及相关的元数据可用于评估此类互动。许多社交媒体平台都可以自由访问用户发布的社交媒体内容。然而, 与其它涉及人类的研究一样, 基于社交媒体数据的科学研究需要遵守数据隐私和数据保护的最高标准, 即使使用的是公开数据。如果社交媒体数据被滥用, 个人用户的隐私和福祉将面临巨大风险。我们通过基于欧盟《通用数据保护条例》的案例研究, 研究了在确保数据主体权利的同时使用社交媒体数据的法律依据。在研究中使用社交媒体数据的风险包括有意和无意的错误识别, 这有可能对被识别个体造成心理或身体上的伤害。在收集、存储、保护、共享和管理社交媒体数据时, 为了避免对用户的潜在风险, 应做到数据最小化、数据匿名化并遵守严格的数据管理流程。基于风险的方法, 如数据隐私影响评估, 也可用于识别和减少社交媒体用户的隐私风险、说明责任归属和遵从数据保护法规。我们建议从事保护的科学家在制定研究目标时仔细考虑我们的建议, 以便在保护科学研究中以负责任的方式使用社交媒体数据, 例如在保护文化组学和在线调查非法野生动物贸易等方面。【翻译 :胡怡思 ;审校 :聂永刚】.

Published

2021

41. Protection of privacy in the period of Covid-19 pandemic

Author

Denitza Toptchiyska

Subjects

Isolation (health care), business.industry, General Data Protection Regulation, Internet privacy, Pandemic, The Right to Privacy, Data Protection Act 1998, Legislature, Business, Directive, Administration (government)

Abstract

During the pandemic of COVID-19 in April 2020 the Ministry of Health in Bulgaria began the administration of the Virusafe contact tracking application. With the Law on Emergency Measures and Actions, declared by a decision of the National Assembly of 13th March 2020 amendments to the Electronic Communications Act were adopted. The purpose of the legislative amendments was to provide access of the competent authorities to the localization data from the public electronic communication networks of the individuals, who have refused or do not fulfill the obligatory isolation or treatment under art. 61 of the Health Act. This publication aims to analyze the main features of mobile applications for tracking the contacts of infected persons, as well as the adopted legislative changes, comparing them with the standards of personal data protection provided in the EU General Data Protection Regulation 2016/679 and Directive 2002/58/EC on the right to privacy and electronic communications.

Published

2021

42. Why and how does the regulation of emerging technologies occur? Explaining the adoption of the EU General Data Protection Regulation using the multiple streams framework

Author

Araz Taeihagh, Michael Howlett, and Nihit Goyal

Subjects

Information privacy, Entrepreneurship, Public Administration, Sociology and Political Science, Emerging technologies, Technological change, technology regulation, Legislature, Harmonization, policy innovation, multiple streams framework, policy entrepreneurship, General Data Protection Regulation, media_common.cataloged_instance, European Union, Business, European union, Law, Industrial organization, media_common

Abstract

Why and how the regulation of emerging technologies occurs is not clear in the literature. In this study, we adapt the multiple streams framework – often used for explaining agenda-setting and policy adoption – to examine the phenomenon. We hypothesize how technological change affects policy-making and identify conditions under which the streams can be (de-)coupled. We trace the formulation of the General Data Protection Regulation to show that the regulation occupied the legislative agenda when a policy window was exploited through policy entrepreneurship to frame technological change as a problem for data privacy and legislative harmonization within the European Union. Although constituencies interested in promoting internet technologies made every effort to stall the regulation, various actors, activities, and events helped the streams remain coupled, eventually leading to its adoption. We conclude that the alignment of problem, policy, politics, and technology – through policy entrepreneurship – influences the timing and design of technology regulation.

Published

2021

43. What does it mean for a data subject to make their personal data ‘manifestly public’? An analysis of GDPR Article 9(2)(e)

Author

Edward S. Dove and Jiahong Chen

Subjects

Article 9(2)(e), business.industry, Computer science, Internet privacy, Context (language use), open data sharing, EU data protection, special category personal data 2, Variety (cybernetics), Open data, Argument, General Data Protection Regulation, genetic data, Data Protection Act 1998, Social media, The Internet, business, Law

Abstract

• This article investigates an under-discussed and potentially significant provision in the EU General Data Protection Regulation (GDPR), namely Article 9(2)(e), which permits processing of special category personal data if the “processing relates to personal data which are manifestly made public by the data subject”. • This provision may be of increasing interest to data controllers in a variety of cloud-based, internet-related, and/or social media contexts. We specifically consider the application of this provision in the context of genetic data and open data sharing (i.e. data that can be freely used, re-used, and redistributed by anyone), illustrating this by way of several cases of initiatives that seek to share genetic data. We query whether by uploading one’s own genetic data onto the internet, a person has made their data “manifestly public” within the meaning of the GDPR. • Our response to this query is that in general, the answer should be no, but it remains possible. We argue that Article 9(2)(e) must be construed narrowly; outside of clearly defined contexts, it would be legally inappropriate to invoke and rely upon this manifestly public self-disclosure exception in data protection law. Our narrow interpretation of the provision aligns with the limited guidance made available from data protection authorities. As part of this argument, we propose a legal test that must be satisfied before

Published

2021

44. A Case Study on Data Portability

Author

Marlene Barth

Subjects

Computer science, Vendor, business.industry, 020207 software engineering, Cryptography, 02 engineering and technology, Data science, Maturity (finance), Capability Maturity Model, General Data Protection Regulation, 0202 electrical engineering, electronic engineering, information engineering, Business sector, Empirical evidence, business, Implementation

Abstract

Today, IoT solutions and IoT platforms are widespread and used every day to manage IoT devices and their diverse information. With a high volume of personal data processed, IoT pictures a business sector where the European General Data Protection Regulation (GDPR) is omnipresent and deeply rooted in the systems, processes, products and services. The ’right to data portability’ (RTDP) that is granted in the GDPR addresses the problem of vendor lock-in due to the low maturity of the transferability of the user’s personal data. Because of the missing empirical evidence and legislative implementation recommendations, providers of IoT solutions are uncertain about the requirements whose fulfillment would be necessary for compliance to the RTDP. This article contributes to a more precise understanding of how RTDP is currently implemented in IoT platforms by requesting data portability exports from today’s IoT platform providers. The results are used to develop a RTDP maturity model and assign risks to the existing implementations.

Published

2021

45. The evaluation of workers by customers as a method of control and monitoring in firms: Digital reputation and the European Union's General Data Protection Regulation

Author

Adrian Todolí-Signes

Subjects

Organizational Behavior and Human Resource Management, Freedom of information, Strategy and Management, media_common.quotation_subject, Control (management), Work (electrical), Management of Technology and Innovation, General Data Protection Regulation, Employee monitoring, media_common.cataloged_instance, Data Protection Act 1998, Business, European union, Marketing, media_common, Reputation

Abstract

As a method of surveillance and monitoring, the evaluation of workers by customers and employers and the disclosure of the results pose a series of challenges for the current legal framework of the European Union (EU). Employees subject to such evaluations are exposed to a far more intense and wider degree of monitoring of their work than traditional workers. The phenomenon arises from the adoption of a customer perspective, seeking to make work observable at all times, without any cost to firms. In this light, the author analyses the EU's General Data Protection Regulation, which establishes very specific restrictions when requesting and disclosing information about workers.

Published

2021

46. An Explanation Framework for Interpretable Credit Scoring

Author

Vince Vella, Vince Vella Lara Marie Demajo, Lara Marie Demajo, and Alexiei Dingli

Subjects

Probability of default, Actuarial science, business.industry, Computer science, Loan, General Data Protection Regulation, Transparency (graphic), Feature (machine learning), Home equity line of credit, business, FinTech, Interpretability

Abstract

With the recent boosted enthusiasm in Artificial Intelligence (AI) and Financial Technology (FinTech), applications such as credit scoring have gained substantial academic interest. However, despite the evergrowing achievements, the biggest obstacle in most AI systems is their lack of interpretability. This deficiency of transparency limits their application in different domains including credit scoring. Credit scoring systems help financial experts make better decisions regarding whether or not to accept a loan application so that loans with a high probability of default are not accepted. Apart from the noisy and highly imbalanced data challenges faced by such credit scoring models, recent regulations such as the `right to explanation' introduced by the General Data Protection Regulation (GDPR) and the Equal Credit Opportunity Act (ECOA) have added the need for model interpretability to ensure that algorithmic decisions are understandable and coherent. A recently introduced concept is eXplainable AI (XAI), which focuses on making black-box models more interpretable. In this work, we present a credit scoring model that is both accurate and interpretable. For classification, state-of-the-art performance on the Home Equity Line of Credit (HELOC) and Lending Club (LC) Datasets is achieved using the Extreme Gradient Boosting (XGBoost) model. The model is then further enhanced with a 360-degree explanation framework, which provides different explanations (i.e. global, local feature-based and local instance- based) that are required by different people in different situations. Evaluation through the use of functionally-grounded, application-grounded and human-grounded analysis shows that the explanations provided are simple and consistent as well as correct, effective, easy to understand, sufficiently detailed and trustworthy.

Published

2021

47. CURRENT ISSUES OF PERSONAL DATA PRIVACY IN MARKETING

Author

Lenka Hanáková

Subjects

Czech, Information privacy, General Data Protection Regulation, language, General Medicine, Business, Marketing, Focus group, Phase (combat), language.human_language, Research method

Abstract

Data privacy is a current issue that must be addressed by all entities when handling personal data. Although the General Data Protection Regulation (GDPR) has been effective for more than two years, it still poses challenges to businesses, especially small and medium-sized enterprises (SMEs). The aim of the paper was therefore to find out what SMEs in the Czech Republic in terms of their running consider and perceive as contemporary data privacy issues in marketing and why, because marketing is one of the areas that have been fundamentally affected by GDPR. The particular objective of this contribution was to introduce brief conclusions of the focus group with the managers of marketing activities, employees in charge of marketing issues and GDPR, or owners of SMEs. This focus group was the second in a row and its aiming corresponded to the declared goal of the paper. The chosen research method represents a necessary and important pre-research phase for the future planned qualitative and quantitative research. The main findings and conclusions showed that the issue of GDPR and the related necessity to ensure the protection of customers´ personal data is a topic that still actively employs business entities and presents persistent challenges for them.

Published

2021

48. Privacy-preserving Federated Deep Learning for Wearable IoT-based Biomedical Monitoring

Author

Yekta Said Can and Cem Ersoy

Subjects

Computer Networks and Communications, business.industry, Computer science, Big data, Wearable computer, 020206 networking & telecommunications, 02 engineering and technology, Health informatics, Data science, Smartwatch, General Data Protection Regulation, 0202 electrical engineering, electronic engineering, information engineering, Data Protection Act 1998, Consumer privacy, 020201 artificial intelligence & image processing, business, Affective computing

Abstract

IoT devices generate massive amounts of biomedical data with increased digitalization and development of the state-of-the-art automated clinical data collection systems. When combined with advanced machine learning algorithms, the big data could be useful to improve the health systems for decision-making, diagnosis, and treatment. Mental healthcare is also attracting attention, since most medical problems can be associated with mental states. Affective computing is among the emerging biomedical informatics fields for automatically monitoring a person’s mental state in ambulatory environments by using physiological and physical signals. However, although affective computing applications are promising to improve our daily lives, before analyzing physiological signals, privacy issues and concerns need to be dealt with. Federated learning is a promising candidate for developing high-performance models while preserving the privacy of individuals. It is a privacy protection solution that stores model parameters instead of the data itself and abides by the data protection laws such as EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). We applied federated learning to heart activity data collected with smart bands for stress-level monitoring in different events. We achieved encouraging results for using federated learning in IoT-based wearable biomedical monitoring systems by preserving the privacy of the data.

Published

2021

49. The general data protection regulation, the clinical trial regulation and some complex interplay in paediatric clinical trials

Author

H W Dalrymple

Subjects

0301 basic medicine, Information privacy, medicine.medical_specialty, Clinical Trials as Topic, business.industry, Review, 030105 genetics & heredity, Clinical trial, 03 medical and health sciences, 0302 clinical medicine, Privacy, 030225 pediatrics, Accidental, General Data Protection Regulation, Pediatrics, Perinatology and Child Health, Medicine, Humans, GDPR, business, Intensive care medicine, CTR, Child, Paediatric clinical trials, Computer Security

Abstract

Although a number of authors have commented upon the impact of the GDPR on clinical trial conduct, few have examined the specific setting of paediatric trials. Whilst the general principles are the same as those for adults, some additional considerations arise. The ages of consent relating to data privacy and clinical trial participation are different in a number of countries, but the distinction is often not recognised in non-drug trials. Accidental pregnancies in clinical trials always raise complexities, but these are amplified when the trial subject is a minor, and the processes described in clinical trial protocols rarely take account of GDPR requirements. This paper describes approaches which can be taken to ensure the rights of children are respected.Conclusion: The conduct of paediatric clinical trials within GDPR requirements is quite possible provided authors think carefully when drafting protocols. What is Known:•GDPR is applicable to clinical trials, including paediatric trials.•A number of challenges at the interface between the GDPR and CTR have been described. What is New:•The application of the GDPR to certain specific situations in paediatric trials does not appear to have been explored.•Three such situations are described and solutions offered.

Published

2021

50. Will EU’s GDPR Act as an Effective Enforcer to Gain Consent?

Author

Changsoo Lee, Jemin Justin Lee, Kyungho Lee, Jinhyoung Hong, Junhyoung Oh, and Simon S. Woo

Subjects

Structure (mathematical logic), General Computer Science, Computer science, business.industry, Privacy policy, 05 social sciences, Internet privacy, General Engineering, 050801 communication & media studies, 02 engineering and technology, Service provider, Python (programming language), computer.software_genre, 0508 media and communications, Order (business), 020204 information systems, General Data Protection Regulation, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), General Materials Science, Web service, business, computer, computer.programming_language

Abstract

Since the GDPR was implemented in 2018, organizations that collect data from the EU residents are required to receive the user’s consent. Organizational measures to ensure that the organizations are compliant to the recently enacted GDPR are still abstract and ambiguous. Moreover, data subjects and controllers have demanded the practice of obtaining consent from organizations. By observing the case law and guidelines related to the GDPR provisions, we deduced four consent conditions. Then, we examined how online service provider’s websites are making efforts to implement the GDPR framework. For this, we identified key characteristics of these websites, such as the existence of consent buttons. In order to help the data subjects obtain consent, we proposed an automatic tool that can check the consent conditions by checking the websites. Our study examined 10,000 websites for 26 days using the Python libraries with the tool automatically crawling the website information and analyzes the HTML structure according to the specified conditions. In addition, this tool crawls the privacy policy of each website. Moreover, it automatically determines whether it meets the four consent conditions by calculating it according to the formula defined in the consent condition. To evaluate the tool’s accuracy, the researchers manually analyzed 500 websites and compared the manual analysis with the results of the tool’s automatic analysis. We found that this tool differentiates itself through qualitative comparisons with other GDPR meters.

Published

2021