ArticlePDF Available

The challenges of implementing General Data Protection Law (GDPR)

Authors:
Albi Dode at Ulm University
Albi Dode
Download full-text PDF
Read full-text
Download citation

Abstract

The vast majority and complexity of big data being processed by the companies, imposes a need for a common guideline among all the data stakeholders regarding the personal data controlling and processing. The European General Data Protection Regulation (GDPR) imposes more restrictions towards data handling and gives the data subjects more freedom on how to share their personal data. The complexity of such law, to be implemented towards all the companies which hold European citizen data has a lot of grey areas. In this article we will see what changes are needed between data subjects, data controllers and data processors to be fully GDPR compliant. The aim is to see how GDPR really fits with recent technology processes which are in continuous evolvement.
Content uploaded by Albi Dode
Author content
All content in this area was uploaded by Albi Dode on Sep 23, 2018
Content may be subject to copyright.
14th International Conference in “STANDARDIZATION, PROTYPES AND QUALITY: A MEANS OF
BALKAN COUNTRIES’ COLLABORATION”, September 21 - 22, 2018, Tirana, Albania
The challenges of implementing General Data
Protection Law (GDPR)
Albi Dode1
1qPharmetra LLC. Stockholm, Sweden
info@albidode.info
Abstract
The vast majority and complexity of big data being processed by the companies, imposes a
need for a common guideline among all the data stakeholders regarding the personal data
controlling and processing. The European General Data Protection Regulation (GDPR)
imposes more restrictions towards data handling and gives the data subjects more freedom
on how to share their personal data. The complexity of such law, to be implemented towards
all the companies which hold European citizen data has a lot of grey areas. In this article we
will see what changes are needed between data subjects, data controllers and data
processors to be fully GDPR compliant. The aim is to see how GDPR really fits with recent
technology processes which are in continuous evolvement.
Key Words: GDPR, data subject, data controller, data processor.
1. Introduction
It was in 1995 when the European Commission introduced the Data Protection Directive and
it was in 2012 when a reform was proposed to adapt to it to the latest technical development.
This can be considered as a huge progress, since jumping from a directive to a regulation is
the right way of reducing legal fragmentations. This legal movement makes it applicable to all
member states [1], and not only, and prevents legal inconsistencies. In most parts of it, GDPR
can be considered as a Directive ’95 version 2.0 as the changes in its generality are minor
and do follow the same path. On 4 May 2016, it was published on the Official Journal of the
European Union, The General Data Protection Regulation (GDPR or Regulation 2016/679)
and is now already in place not only in the European states but also on those states which
process European residents’ data.
Things have changed since 1995 when the Data protection directive first appeared. With
GDPR, the European Commission made certain updates in the context of the data processor
and data controller establishments and added more criteria regarding data safety. The GDPR
now has many new definitions and rights such as the consent, compensation which have been
expanded into a wider scope. In the GDPR document, the usage of certain terminologies is
bound to bring legal clarity. It is interesting to note that in the directive, recourse to remedy
has been mentioned in the recitals and it is the national law of individual member states, which
shall regulate the enforceability. GDPR, on the other hand, mentions this under its articles
together with the jurisdiction of courts and exceptions to this right.
14th International Conference in “STANDARDIZATION, PROTYPES AND QUALITY: A MEANS OF
BALKAN COUNTRIES’ COLLABORATION”, September 21 - 22, 2018, Tirana, Albania
2. State legislation
Still, the member states to have freedom of taking provision when it comes to facts not covered
by the GDPR or its recitals. Under recital 10 this is made clear:” for the performance of a task
carried out in the public interest or in the exercise of official authority vested in the controller,
the Member States should be allowed to maintain or introduce national provisions to further
specify the application of the rules of this regulation” [2]. Regardless, GDPR lacs on
terminology explanation. What is public interest is not yet defined and as such a lawful miss
interpretation between cases and between member states can make part of the regulation
null. An example to illustrate future examples can be: Data of a German resident has to be
erased as he has filled the right of erasure in Germany as his resident country, but the data
are processed in Belgium and the company uses the public Belgian interest justification to
keep them. As long there is no clear definition of this, case by case this will shape its definition.
As reference [3] states, there are at least 37 cases in which a member state is given freedom
on interpretation. From the above reasoning, the national laws in some cases will still be
effective. This is since GDPR does not strengthen the legal bar. Consequently, local legislators
might not give the right importance to the territorial scope.
The GDPR introduces significant new requirements and challenges for legal and compliance
functions. This means changes to the ways in which technologies are designed and managed,
including a focus on profiling and security. GDPR requires clear and proactive oversight of
data storage and lineage. Regardless, companies and public entities that must deal with such
regulation need to be updated on the topic. Data protection authorities (DPA) in their
respective websites have published national information about GDPR and in most of cases
the information is not updated or does not cover all the legal aspects. This gap is filled by other
private sector companies which core business is on providing legal consultancies regarding
GDPR or certifying DPOs (data protection officers). There are also many other websites which
slightly discuss GDPR in general, but few of them motive their findings on the respective
regulation laws.
3. Roles and problems
GDPR is expected to reshape the hierarchical structure of both private and public sector. As
keeping track of the law and technological updates regarding privacy and protection also
requires some level of expertise, GDPR has introduced the DPO role, even though for certain
countries this role is not new. GDPR and its recitals define the DPO role as very important for
both public or private sector, both large or small scale of data being processed, even though
the scale is not defined, but if there are personal data, DPO is a must role for the company or
authority.
During his/her job, a DPO, being certified or not, should have enough knowledge to guide the
company towards problems that the company or public entity might have on the road towards
GDPR. DPO has several duties to complain the company with GDPR regulation. But as most
of the companies rely on automated decisions, their decisions sometimes can be objects of
complaints. This is an increased risk for the company but also more work for the DPO which
must guide the company towards more complex policies to satisfy such complaints. This right,
in the GDPR document [2] tend to be ambiguous. For example, articles 13 till 15 GDPR limits
somehow the information which can be shared regarding the logic that the automated system
uses. The contradiction continues also with article 22. There it is specified that after the made
decision which fulfills the contractual obligations or from given consent is finished, after that
human intervention or express views or contest that decision can be done. It is not mentioned
about getting details on the reached decision. Briefly, the word post explanation is mentioned
14th International Conference in “STANDARDIZATION, PROTYPES AND QUALITY: A MEANS OF
BALKAN COUNTRIES’ COLLABORATION”, September 21 - 22, 2018, Tirana, Albania
in recitals, but legally a recital does not have legal power rather than just guidance. Thus, as
long the automated decision meets the contractual bases, there is nothing the data subject
can do about it as it is lawfully a valid decision. In legal terms as said by [4] for a right to be
legal they have to be established first. For now, the data subjects can only use such “rights”
as duties.
Another critical sector which will be radically shaped under GDPR is digital marketing.
Regardless of fully applied legal changes or not, this sector in recent years has seen many
guides from institutions or even court decisions. Still, the changes from GDPR reside on the
duties aspect rather than full legal consequences as most of the processes reside under
reviews. Due to the way of work e-mail marketing seems to be vanishing as explicit consent
cannot be taken in such way. As a relative solution which is gaining terrain day after day seems
to be the social network. Taking explicit consent there might seem easy as the published
information resides under public. Greater use of social crawler tools for anticipating trends or
listening to customer comments and complaints seems to be a matter of easy click with this
manner. Getting data subjects behavior is a matter of scrapping public social media
publications. The legality and purpose in particular are key considerations before processing
personal data: many companies are not aware that if you track an individual’s movement
around your website it could well be personal data collection even if it is “just” an IP address.
If it can be attributed to an individual, then the user must be informed. Many people also forget
that when you interact with social media users, you must make it clear if their personal data
will be used for other things (such as analyses) even if that information is already publicly
available.
4. GDPR Documents
Knowing someone’s information because the data subject made it publicly available does not
mean free advertising rights. The term target ads under GDPR is not safe. Due to vogues
word definitions, the public interest can serve as a shelter in some cases, but not for everyone.
Personal ads rely on consent. Such cases can be the personalized ads from Microsoft under
Windows 10 system or personalized Google ads. Consent will not be assumed as a result of
a customer signing for a service unless that service specifically requires it. Adding to the
process, consent boxes should not be pre-ticked, there should be no improper suggestion to
tick the consent as mandatory or if not ticket the service will not be given at all. In the text of
the consent among other things, there should be the data handling name or any other third
parties which will access those data. Since GDPR is a continuous activity, eve ry step should
be saved. This documentation will detail what the data subject has consented to, the
information they were given which facilitated consent, and the method of consent.
Saving a lot of documents which verify that the GDPR processes are fulfilled will mean that
sooner or later big data will be present. Due to their nature, big data have the tendency to
target and profile data subjects. The concept of big data goes in a clash with that of data
minimization, which is required by GDPR. This problem might be guided by the code of
conduct, which are self-regulations that the company or public entity will follow in order to
respect the regulation. But the data authorities do not offer any initiatives to them in order to
adapt to this new business model: “rights first”. Code of conducts have to be approved by data
protection authorities, but there is no model to follow, they are seen case by case and that
takes time. Big data somehow makes possible the re-identification of the data subjects by
making use of non-personal data, such as metadata or other data forms. As such, even
anonymization might be an ineffective solution to this problem. In 2010, it was published by
EU Commission [5] that it is difficult to keep track of latest technological development. As
14th International Conference in “STANDARDIZATION, PROTYPES AND QUALITY: A MEANS OF
BALKAN COUNTRIES’ COLLABORATION”, September 21 - 22, 2018, Tirana, Albania
these changes do not keep track of how much time is needed for a regulation to be applied,
changes towards big data minimization will require big time.
Staying on the vast number of documents needed for the GDPR to happen, it can be
understood that without a proper consent data processing cannot happen. But before the data
subjects give that right, they have to be informed. There are changes yet to be implemented
by the data controllers. Data subjects have to visit data subject’s website and analyze their
privacy policies. Most of the services nowadays are given online and as such online is the
place where information can be found. This information, of a company or public entity which
shows that they will respect GDPR, should be made easy findable and easy to read. In [6] it
was found that offering such easiness was not a complaint and, in most cases, it took more
than 5 minutes to find GDPR related information. In the same article, it was found that besides
the fact that GDPR must apply same for all EU countries, making public such data, was better
fulfilled by Austrian websites and not others. Non-giving at this GDPR aspect the right attention
imposes the data subject to the risk of a time-consuming process considering their computer
handling abilities. So, maybe in GDPR v.2 among other updates, there should be a guide on
how to better make visible privacy policies and not only.
4.1 PIA-DPIA
Two other needed documents per project are PIA and DPIA. It takes time to write a document
for each project which imposes risks or deals with data, as it has to be: general description of
the envisaged processing operations, an assessment of the risks to the rights and freedoms
of data subjects, the measures envisaged to address the risks, safeguards, security measures,
and mechanisms to ensure the protection of personal data [7]. By analyzing the data protection
authorities’ websites, it can be understood that different countries have a different approach
for these document filling. For example, UK has made PIA mandatory for governmental
institutions, Spain the same. On May the 9, Nordic countries signed an agreement of
cooperation [8] will collaborate with the same path regarding GDPR steps and especially on
providing help for pia and dpia. So, again, even GDPR was thought to be common for every
state, in practice, there are derivations from the initial idea. But all agree that PIA is required
before the project is applied in order to save expenses later on. All should remember that PIA
is a document which when applied it should reduce privacy impacts not eliminate them.
The collaboration between data protection authorities and companies or public entities can be
clearly seen with the DPIA. DPIA resides on the obligations shown in Article 5, 24 and 35 [2].
But there is not written that DPIA should be published anywhere rather than consulted with
authorities as their text might include copyrighted information. A more evident problem here is
that yet there is no guide on what can be considered as screening questions. Those questions
can then make the publication of DPIA valid or categorize it is protected under copyrighted
information. If attention is paid to the article 35 [2], it mentions high risks but does not define
what risk is. Due to this, amendments have been added to the regulation. Again, cooperation
with data authorities is of high importance due to different interpretations that might arise. This
is also the case for the recital 89 [2], where it is said that PIA is required when there are
uncertainties in processing as an operation of a new kind. Again, new kind and how much is
considered high are yet to be defined.
14th International Conference in “STANDARDIZATION, PROTYPES AND QUALITY: A MEANS OF
BALKAN COUNTRIES’ COLLABORATION”, September 21 - 22, 2018, Tirana, Albania
4.2 Out of EU zone
In a more interconnected world, keeping your privacy protected is becoming an impossible
mission. If we follow [9] regarding the main property of privacy, that of preventing disclosure
of personal information, every country has its own different approach on this, even though it
is a right by definition from Economic Co-operation Forum (OECD) as said in [10]. Regarding
boundaries, many different entities residing in different countries may process personal data.
It is also stated in [11] that there must be the same level of protection for protecting European
resident’s data when these last are exported out of EU zone.
4.2.2 Privacy Shield
When it comes to export those data to the USA, the laws there are different. It seems that until
this moment, there is no common regulation/law among states. As [12] states, that would make
difficult the free trade. Due to this different view of non-common protection, Privacy shield
comes in place. It is an updated version of the Safe harbor [13]. Free trade of data has
changed a lot and as long there is a legal basis or any valid form of consent, there is no need
for permission from a data authority and prove them that there will be no data disclosure, as
it was a practice back then [14].
But laws regulating this type of transfers have not been reviewed too much from courts in
connection to legal interpretations [15]. The legal interpretations given to specific cases and
later translated into regulations or law are indeed weak. The case of Lindqvist [16] made
relevant the fact that there is needed more precise definition regarding considering hosting
place as a third country and the way how the data are accessed from third parties. The current
interpretations may lead to the think that transfer to the third country, in the cloud or not, would
happen at the same time to all third countries which have access to the internet. This is not a
technical interpretation, so, cloud hosting providers now must make public where they save
the data and EU companies are advised to keep their data within EU zone.
Not everyone who processes EU residents’ data can keep with the EU laws. An interesting
case is that of USA. Updating from Safe Harbour to Safe Harbour v.2 (Privacy Shield) requires
that the companies have to be self-certified. Due to such legal updates, now US companies
dealing with EU data are totally reshaped and have to reconsider their data strategies. There
are a lot of documents to be filled, updated and newly created. One of them is the data flow
mapping. This was thought to help them somehow in their relocation steps if needed. But this
law does not make any distinguishing, at least declared officially, when it comes to data
transfers of very importance for the security such as transferring of data about criminals,
possible threatens to national security etc. US liberal mass surveillance Safe harbor v.1 was
contested two times by the Austrian activist Schrems [17]. During the process, US side
contested that data transfer would become complex, but the EU safety side won the cases
twice. Again, this is can be considered as an example, besides the fact that Austrian websites
are GDPR complaint, that Austria is serious in terms of e-privacy.
Yet, the risks that this change brought to US-EU data transfers was a big reason why the
Article 29 Working Party has seen several updates. Maybe inspired by Schrems, GDPR has
been updated several times. There have been court cases, which directly influenced in the
privacy shield, many article were changed as suggested by [18]. Due to their difficulty into
being applicable, it seems that extraterritorial laws, such as GDPR and Privacy Shield
somehow the idea to treat foreign countries as they were EU part seems more of a symbolic
value. GDPR was written upon cases, such as Pammer v Reederei Karl Schlu¨ter GmbH &
KG11 and Hotel Alpenhof GesmbH v Oliver Heller [18], and as such companies adhering to
14th International Conference in “STANDARDIZATION, PROTYPES AND QUALITY: A MEANS OF
BALKAN COUNTRIES’ COLLABORATION”, September 21 - 22, 2018, Tirana, Albania
the EU data market have to at least comply with the general regulations and recitals and what
is most important to interpret GDPR with their respective DPA.
5. Conclusions
GDPR can be considered as the end of DPA era and the beginning of a new one. It can be
considered as one set of rules which apply across EU and not only. As it is a new and ongoing
process, the risks are evident. Even before the data are being processed, both data controller
and data processor need to have in place a lot of policies which makes them compliant with
the regulation. Yet, it is difficult to predict what will happen at every step of data processing.
The steps include new rights to be respected, joint responsibilities and mandatory notifications,
as a consequence, the company or public entity will be on alert and cooperate with their
respective DPA all the time.
A lot of uncertainties, a lot of documents and many departments are involved by the GDPR.
Finding the right interpretation of definitions and legal interpretations is not easy. These
uncertainties can be waived if all the collected data would be anonymized, as such avoid
GDPR in the first place, but in most of the cases that is not possible. How the real
implementation will proceed that will be seen case by case. Yet, GDPR will be updated soon
with e-privacy regulation [19]. Technology advances, law gets updated.
REFERENCES
[1] European Commission, “Proposal for a REGULATION OF THE EUROPEAN
PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the
processing of personal data and on the free movement of such data (General Data Protection
Regulation),”, pp. 5-6, January 2012.
[2] Council of the European Union, “REGULATION (EU) 2016/... OF THE EUROPEAN
PARLIAMENT AND OF THE COUNCIL of on the protection of natural persons with regard to
the processing of personal data and on the free movement of such data and repealing
Directive 95/46/EC (General Data Protection Regulation)”, 2016.
[3] Jiahong Chen, How the best-laid plans go awry: the (unsolved) issues of applicable law
in the General Data Protection Regulation, International Data Privacy Law, vol.6, issue 4, pp.
310323, 1 November 2016.
[4] Peter Jones, “Group Rights”, The Stanford Encyclopaedia of Philosophy, 2016.
[5] European Commission Communication, “A comprehensive approach on personal data
protection in the European Union”, 2010.
[6] Xavier Duncan L’Hoiry, Clive Norris and M. Young, “The honest data protection officer’s
guide to enable citizens to exercise their subject access rights: lessons from a ten-country
European study”, The Technical Writer’s Handbook. Mill Valley, CA: University Science, 1989.
[7] David Wright, Kush Wadhwa; Introducing a privacy impact assessment policy in the EU
member states, International Data Privacy Law, vol.3, Issue 1, pp. 1328, 1 February 2013.
14th International Conference in “STANDARDIZATION, PROTYPES AND QUALITY: A MEANS OF
BALKAN COUNTRIES’ COLLABORATION”, September 21 - 22, 2018, Tirana, Albania
[8] http://www.justitsministeriet.dk/nyt-og-
presse/pressemeddelelser/2018/copenhagen-declaration-echr-reform-adopted (Last
accessed: 13. June 2018).
[9] Jerry Kang, “Information privacy in cyberspace transactions”, Stanford Law Review, vol.4,
pp. 1198, 1998.
[10] Rolf H. Weber, “Transborder data transfers: concepts, regulatory approaches and new
legislative initiatives”, 2013.
[11] J. Kulesza, “Walled Gardens of Privacy or “Binding Corporate Rules”? A Critical Look at
International Protection of Online Privacy”, University of Arkansas at Little Rock Law Review,
pp. 747-765, 2012.
[12] American Bar Association Privacy and Computer Crime Committee Section of Science &
Technology Law, “International Guide to Privacy”, pp.94-95, 2004.
[13] Shara Monteleone and Laura Puccio, “From Safe Harbour to Privacy Shield”, European
Parliamentary Research Service, January 2017.
[14] Swedish Data Protection Act of 11 May 1973 (Datalog (1973:289)). Translation of: ‘Finns
get anledning antaga att personuppgift skill, 1973.
[15] Svantesson, D. J. B, “The regulation of cross-border data flows”, International Data
Privacy Law, 1(3), pp. 180-198, 2011.
[16] http://curia.europa.eu/juris/liste.jsf?num=C-101/01 (Last accessed: 13. June 2018).
[17] https://epic.org/privacy/intl/schrems/ (Last accessed: 13. June 2018).
[18] Yann Padova, “The Safe Harbour is invalid: what tools remain for data transfers and what
comes next?”, International Data Privacy Law, vol. 6, issue 2, pp. 139161, 1 May 2016.
[19] https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-privacy-
and-electronic-communications (Last accessed: 13. June 2018).
... They conclude that using ontologies to capture privacy requirements may be a viable solution. [11][12] discuss the large scope of data protection regulations and practical difficulties in implementing data protection. The survey [1] presents a large body of work on requirements elicitation generally and the strengths and limitations of requirements elicitation are discussed in [13]. ...
View
... It's not simple to come up with the proper definitions and legal interpretations. These concerns can be alleviated if all acquired data is anonymised, therefore avoiding GDPR in the first place, but this is not always achievable [1]. Data anonymisation is the process of protecting an individual's identity, such that the Personally Identifiable Information (PII) is irreversibly modified so that a data subject can no longer be identified directly or indirectly, either by the data controller alone or in collaboration with any other party. ...
A k-Anonymised Federated Learning Framework with Decision Trees
Chapter
Full-text available
  • Jan 2022
We propose a privacy-preserving framework using Mondrian k-anonymity with decision trees in a Federated Learning (FL) setting for the horizontally partitioned data. Data heterogeneity in FL makes the data non-IID (Non-Independent and Identically Distributed). We use a novel approach to create non-IID partitions of data by solving an optimization problem. In this work, each device trains a decision tree classifier. Devices share the root node of their trees with the aggregator. The aggregator merges the trees by choosing the most common split attribute and grows the branches based on the split values of the chosen split attribute. This recursive process stops when all the nodes to be merged are leaf nodes. After the merging operation, the aggregator sends the merged decision tree to the distributed devices. Therefore, we aim to build a joint machine learning model based on the data from multiple devices while offering k-anonymity to the participants.
View
... This, of course, necessitated the need for expertise and professionals such as data protection officers (DPOs). Unlike many western nations, this role is not new to Nigerians and many third world nations but the country also lacks practicing professionals (Dode, 2018). ...
An Analysis of Data Protection and Compliance in Nigeria
Article
Full-text available
  • May 2020
Contemporarily data protection and privacy has garnered increasing attention in recent years, majorly because data has become a ubiquitous asset in the global community, mirroring the transformation of our societies to data sharing age. Again, the regular and large-scale breaches of sensitive data around the globe have become a growing concern. In spite of these breaches and attacks, several countries of the world and organizations have not yet completely prioritized personal data protection particularly in the third world countries such as Nigeria. Thus it was on this note that this paper was set up to explore the data protection and compliance in Nigeria. The methodology was based on review of published articles, books and journals in order to draw a conclusion on the contemporary issues in data protection and compliance in Nigeria. The paper argued that the upsurge of data sharing and breaches in Nigeria is still hampered by inappropriate/inadequate data protection and privacy legislation, lack of enforcement drive, limited number of practicing professionals among others. In addition, it was observed that data protection and privacy are practically strange to the Nigerian society as data subjects are generally unaware of their privacy rights over personal data that belongs to them. The resultant effect is high level of data breaches and data privacy abuse in the country. In the light of the above, this paper concludes that it is clear that data has become a ubiquitous asset in the global community-Nigeria inclusive. Thus the paper recommends (amongst others) that there is need to strengthen the current legislation and enforcement procedures on data protection.
View
... Also mentions how tech organizations such as Yahoo and Google were vexed because of the large amount requests claiming the right to be forgotten. Challenges post enforcement were critically analysed by Albi Dode in Sweden (Dode, 2018), Legislation problems such as lacks of terminology explanation between members of the different states which could be very complex as each of them may have their own derivation or interpretation, many legal, storage requirements hard to fulfil leaving some gaps, articles contradictions, difficulty when mixed with Countries regulations, such as the laws in the USA which me mentions, leave yet some uncertainties. ...
Awareness of GDPR in Ireland
Presentation
Full-text available
  • Jul 2019
View
Analysis of the US Privacy Model: Implications of the GDPR in the US
Chapter
  • Jan 2021
The creation of the General Data Protection Regulation (GDPR) constituted an enormous advance in data privacy, empowering the online consumers, who were doomed to the complete loss of control of their personal information. Although it may first seem that it only affects companies within the European Union, the regulation clearly states that every company who has businesses in the EU must be compliant with the GDPR. Other non-EU countries, like the United States, have seen the benefits of the GDPR and are already developing their own privacy laws. In this article, the most important updates introduced by the GDPR concerning US corporations will be discussed, as well as how American companies can become compliant with the regulation. Besides, a comparison between the GDPR and the state of art of privacy in the US will be presented, highlighting similarities and disparities at the national level and in states of particular interest.
View
Analysis of the US Privacy Model: Implications of the GDPR in the US
Article
  • Jan 2019
The creation of the General Data Protection Regulation (GDPR) constituted an enormous advance in data privacy, empowering the online consumers, who were doomed to the complete loss of control of their personal information. Although it may first seem that it only affects companies within the European Union, the regulation clearly states that every company who has businesses in the EU must be compliant with the GDPR. Other non-EU countries, like the United States, have seen the benefits of the GDPR and are already developing their own privacy laws. In this article, the most important updates introduced by the GDPR concerning US corporations will be discussed, as well as how American companies can become compliant with the regulation. Besides, a comparison between the GDPR and the state of art of privacy in the US will be presented, highlighting similarities and disparities at the national level and in states of particular interest.
View
View
View
The Honest Data Protection Officer’s Guide to Enable Citizens to exercise their Subject Access Rights: lessons from a ten-country European study
Article
  • Aug 2015
Key Points This article describes a ten-country European study investigating the practical aspects of exercising access rights from the perspective of data subjects. It uses a mixture of quantitative and qualitative methodology to illustrate the restrictions faced by data subjects in exercising their access rights. It concludes by making key recommendations to assist data subjects in their attempts to exercise access rights.
View
The regulation of cross-border data flows
Article
  • Jun 2011
The regulation of cross-border data flows represents one of the greatest challenges currently facing data protection authorities and legislators around the world. An excessively strict approach will be harmful to international cooperation, trade, and engagement, while at the same time, too lax an approach will fundamentally undermine the value of privacy protection as a whole. This article discusses the conundrum of regulating cross-border data flows. While it does so in general terms, some special attention is given to how such regulation applies to cross-border data flows on the Internet. Having provided some necessary background observations regarding the issues surrounding the regulation of cross-border data flows, the article provides a brief overview of how a selection of regulatory schemes seeks to address cross-border data flows. Those approaches are then analysed, resulting in the proposal of four fundamental principles that ought to guide the regulation of cross-border data flows.
View
View
View
Information Privacy in Cyberspace Transactions
Article
  • Dec 2004
  • STANFORD LAW REV
Cyberspace is the rapidly growing network of computing and communication technologies that have profoundly altered our lives. We already carry out myriad social, economic, and political transactions through cyberspace, and, as the technology improves, so will their quality and quantity. But the very technology that enables these transactions also makes detailed, cumulative, invisible observation of our selves possible. The potential for wide-ranging surveillance of all our cyber-activities presents a serious threat to information privacy. To help readers grasp the nature of this threat, Professor Jerry Kang starts with a general primer on cyberspace privacy. He provides a clarifying structure of philosophical and technological terms, descriptions, and concepts that will help analyze any problem at the nexus of privacy and computing-communication technologies. In the second half of the article, he focuses sharply on the specific problem of personal data generated in cyberspace transactions. The private sector seeks to exploit this data commercially, primarily for database marketing, but many individuals resist. The dominant approach to solving this problem is to view personal information as a commodity that interested parties should contract for in the course of negotiating a cyberspace transaction. But this approach has so far failed to address a critical question: Which default rules should govern the flow of personal information when parties do not explicitly contract about privacy? On economic efficiency and human dignity grounds, Professor Kang argues in favor of a default rule that allows only "functionally necessary" processing of personal information unless the parties expressly agree otherwise. The article concludes with a proposed statute, entitled the Cyberspace Privacy Act, which translates academic theory into legislative practice.
View
Binding Corporate Rules"? A Critical Look at International Protection of Online Privacy
  • Jan 2012
  • 747-765
  • J Kulesza
J. Kulesza, "Walled Gardens of Privacy or "Binding Corporate Rules"? A Critical Look at International Protection of Online Privacy", University of Arkansas at Little Rock Law Review, pp. 747-765, 2012.
From Safe Harbour to Privacy Shield
  • Jan 2017
  • Shara Monteleone
  • Laura Puccio
Shara Monteleone and Laura Puccio, "From Safe Harbour to Privacy Shield", European Parliamentary Research Service, January 2017.