What drives the European Parliament? The Case of the General Data Protection Regulation. Bruges Political Research Papers 47/2015.

This paper evaluates which factors influence the European Parliament’s decision-making, based on a case study: the 2012 proposal for a General Data Protection Regulation. Following a ‘competitive testing’ approach, six different hypotheses are successively challenged in order to explain why the EP adopted a fundamental rights- oriented position. The first three factors relate to the internal organization of the EP’s work, i.e. the role played by the lead committee, by the rapporteur and by secretariat officials. The last three factors are external-related, i.e. lobbying activities, outside events and institutional considerations. Based on the empirical findings, it is argued that even though the EP’s position is due to a range of various factors, some of them prove to be more relevant than others, in particular the rapporteur and lead committee’s roles. New institutionalism theories also provide a comprehensive explanation for the EP’s willingness to achieve a fundamental rights oriented outcome.

Report on data protection and privacy in seven selected states /

"US 84-10/8."

Data Protection and Packet Mode in the Distributed Information Measurement and Control System for Research in Physics

The present paper is devoted to creation of cryptographic data security and realization of the packet mode in the distributed information measurement and control system that implements methods of optical spectroscopy for plasma physics research and atomic collisions. This system gives a remote access to information and instrument resources within the Intranet/Internet networks. The system provides remote access to information and hardware resources for the natural sciences within the Intranet/Internet networks. The access to physical equipment is realized through the standard interface servers (PXI, CАМАC, and GPIB), the server providing access to Ethernet devices, and the communication server, which integrates the equipment servers into a uniform information system. The system is used to make research task in optical spectroscopy, as well as to support the process of education at the Department of Physics and Engineering of Petrozavodsk State University.

Platform Privacy: The Missing Piece of Data Protection Legislation

After years of deliberation, the EU commission sped up the reform process of a common EU digital policy considerably in 2015 by launching the EU digital single market strategy. In particular, two core initiatives of the strategy were agreed upon: General Data Protection Regulation and the Network and Information Security (NIS) Directive law texts. A new initiative was additionally launched addressing the role of online platforms. This paper focuses on the platform privacy rationale behind the data protection legislation, primarily based on the proposal for a new EU wide General Data Protection Regulation. We analyse the legislation rationale from an Information System perspective to understand the role user data plays in creating platforms that we identify as “processing silos”. Generative digital infrastructure theories are used to explain the innovative mechanisms that are thought to govern the notion of digitalization and successful business models that are affected by digitalization. We foresee continued judicial data protection challenges with the now proposed Regulation as the adoption of the “Internet of Things” continues. The findings of this paper illustrate that many of the existing issues can be addressed through legislation from a platform perspective. We conclude by proposing three modifications to the governing rationale, which would not only improve platform privacy for the data subject, but also entrepreneurial efforts in developing intelligent service platforms. The first modification is aimed at improving service differentiation on platforms by lessening the ability of incumbent global actors to lock-in the user base to their service/platform. The second modification posits limiting the current unwanted tracking ability of syndicates, by separation of authentication and data store services from any processing entity. Thirdly, we propose a change in terms of how security and data protection policies are reviewed, suggesting a third party auditing procedure.

The Feasibility of Applying EU Data Protection Law to Biological Materials: Challenging ‘Data’ as Exclusively Informational

Though controversial the question of applying data protection laws to biological materials has only gotten a little attention in data privacy discourse. This article aims to contribute to this dearth by arguing that despite absence of positive intention from the architects to apply the EU Data privacy law to biological materials, a range of developments in Molecular Biology and nano-technology—usually mediated by advances in ICT—may provide persuasive grounds to do so. In addition, paucity of sufficient explication of key terms like ‘data/information’ in these legislations may fuel such tendency whereby laws originally intended for the informational world may end up applying to the biological world. The article also analyzes various predicaments that may arise from applying data privacy laws to biological materials. A focus is made on legislative sources at the EU level though national laws are relied on when pertinent.

Personal Data and Encryption in the European General Data Protection Regulation

Encryption of personal data is widely regarded as a privacy preserving technology which could potentially play a key role for the compliance of innovative IT technology within the European data protection law framework. Therefore, in this paper, we examine the new EU General Data Protection Regulation’s relevant provisions regarding encryption – such as those for anonymisation and pseudonymisation – and assess whether encryption can serve as an anonymisation technique, which can lead to the non-applicability of the GDPR. However, the provisions of the GDPR regarding the material scope of the Regulation still leave space for legal uncertainty when determining whether a data subject is identifiable or not. Therefore, we inter alia assess the Opinion of the Advocate General of the European Court of Justice (ECJ) regarding a preliminary ruling on the interpretation of the dispute concerning whether a dynamic IP address can be considered as personal data, which may put an end to the dispute whether an absolute or a relative approach has to be used for the assessment of the identifiability of data subjects. Furthermore, we outline the issue of whether the anonymisation process itself constitutes a further processing of personal data which needs to have a legal basis in the GDPR. Finally, we give an overview of relevant encryption techniques and examine their impact upon the GDPR’s material scope.

An E-government Interoperability Platform Supporting Personal Data Protection Regulations

Public agencies are increasingly required to collaborate with each other in order to provide high-quality e-government services. This collaboration is usually based on the service-oriented approach and supported by interoperability platforms. Such platforms are specialized middleware-based infrastructures enabling the provision, discovery and invocation of interoperable software services. In turn, given that personal data handled by governments are often very sensitive, most governments have developed some sort of legislation focusing on data protection. This paper proposes solutions for monitoring and enforcing data protection laws within an E-government Interoperability Platform. In particular, the proposal addresses requirements posed by the Uruguayan Data Protection Law and the Uruguayan E-government Platform, although it can also be applied in similar scenarios. The solutions are based on well-known integration mechanisms (e.g. Enterprise Service Bus) as well as recognized security standards (e.g. eXtensible Access Control Markup Language) and were completely prototyped leveraging the SwitchYard ESB product.

Henkilötietojen siirrot Euroopan unionista kolmansiin maihin erityisesti Euroopan unionin tuomioistuimen tuomion C-362/14 Maximillian Schrems v Data Protection Commissioner valossa

Tutkielman tarkoituksena on selvittää lukijalle, mistä syistä ja miten Euroopan unionin tietosuojainstrumentit – nykyinen tietosuojadirektiivi ja tuleva tietosuoja-asetus – asettavat rajoituksia EU:n kansalaisten henkilötietojen siirroille kolmansiin maihin kaupallisia tarkoituksia varten. Erityisen tarkastelun kohteena on henkilötietojen siirrot EU:n alueelta Yhdysvaltoihin mahdollistanut Safe Harbor-järjestelmä, jonka Euroopan unionin tuomioistuin katsoi pätemättömäksi asiassa C-362/14 Maximillian Schrems v Data Protection Commissioner. Tutkimusaiheen eli henkilötietojen rajat ylittävien siirtojen ollessa kansainvälisen oikeuden ja tietosuojaoikeuden leikkauspisteessä on tutkimuksessa käytetty molempien oikeudenalojen asiantuntijoiden tutkimuksia lähteenä. Kansainvälisen oikeuden peruslähteenä on käytetty Brownlien teosta Principles of Public International Law (6. painos), jota vasten on peilattu tutkimusaihetta tarkemmin käsittelevää kirjallisuutta. Erityisesti on syytä nostaa esille Bygraven tietosuojaoikeutta kansainvälisessä kontekstissa käsittelevä Data Privacy Law: An International Perspective sekä Kunerin nimenomaisesti henkilötietojen kansainvälisiä siirtoja käsittelevä Transborder Data Flows and Data Privacy Law. Uusien teknologioiden myötä nopeasti kehittyvästä tutkimusilmiöstä ja oikeudenalasta johtuen tutkimuksessa on käytetty lähdemateriaaleina runsaasti aihepiiriä käsitteleviä artikkeleita arvostetuista julkaisuista, sekä EU:n tietosuojaviranomaisten ja YK:n raportteja virallislähteinä. Keskeiset tutkimustulokset osoittavat EU:n ja sen jäsenvaltioiden intressit henkilötietojen siirroissa sekä EU:n asettamien henkilötietojen siirtosääntelyiden vaikutukset kolmansiin maihin. Globaalin konsensuksen saavuttamisen koskien henkilötietojen kansainvälisiä siirtosääntelyitä arvioitiin olevan ainakin lähitulevaisuudessa epätodennäköistä. Nykyisten alueellisten sääntelyratkaisujen osalta todettiin Euroopan neuvoston yleissopimuksen No. 108 eniten osoittavan potentiaalia maailmanlaajuiselle implementoinnille. Lopuksi arvioitiin oikeudellisen pluralismin mallin puitteissa tarkoituksenmukaisia keinoja EU:n kansalaisten perusoikeuksina turvattujen yksityisyyden ja henkilötietojen suojan parantamiseksi. Tarkastelu osoittaa EU:n kansalaisten sekä näiden henkilötietoja käsittelevien ja siirtävien yritysten välillä olleen tiedollinen ja voimallinen epätasapaino, joka ilmenee yksilön tiedollisen itseautonomian ja suostumuksen merkityksen heikentymisenä, joskin EU:n vuonna 2018 voimaan astuva tietosuoja-asetus organisaatioiden vastuuta korostamalla pyrkii poistamaan tätä ongelmaa.

Refocusing regulatory exclusivities: Regulatory data protection and marketing exclusivity as forms of pharmaceutical innovation policy

Protection of innovation in the pharmaceutical industry has traditionally been realised through protection of inventions via patents. However, in the European Union regulatory exclusivities restricting market entry of generic products confer tailored, industry specific protection for final, marketable products. This paper retraces the protection conferred by the different forms of exclusivity and assesses them in the light of recent transparency policies of the European Medicines Agency. The purpose of the paper is to argue for rethinking the role of regulatory data as a key tool of innovation policy and for refocusing the attention from patents to the existing regulatory framework. After detailed assessment of the exclusivity regime, the paper identifies key areas of improvement calling for reassessment so as to promote better functioning of the regime as an incentive for accelerated innovation. While economic and public health analysis necessarily provide final answers as to necessity of reform, this paper provides a legal perspective to the issue, appraising the current regulatory framework and identifying areas for further analysis.

The issue of data protection and data security in the (pre-Lisbon) EU third pillar

The key functional operability in the pre-Lisbon PJCCM pillar of the EU is the exchange of intelligence and information amongst the law enforcement bodies of the EU. The twin issues of data protection and data security within what was the EU’s third pillar legal framework therefore come to the fore. With the Lisbon Treaty reform of the EU, and the increased role of the Commission in PJCCM policy areas, and the integration of the PJCCM provisions with what have traditionally been the pillar I activities of Frontex, the opportunity for streamlining the data protection and data security provisions of the law enforcement bodies of the post-Lisbon EU arises. This is recognised by the Commission in their drafting of an amending regulation for Frontex , when they say that they would prefer “to return to the question of personal data in the context of the overall strategy for information exchange to be presented later this year and also taking into account the reflection to be carried out on how to further develop cooperation between agencies in the justice and home affairs field as requested by the Stockholm programme.” The focus of the literature published on this topic, has for the most part, been on the data protection provisions in Pillar I, EC. While the focus of research has recently sifted to the previously Pillar III PJCCM provisions on data protection, a more focused analysis of the interlocking issues of data protection and data security needs to be made in the context of the law enforcement bodies, particularly with regard to those which were based in the pre-Lisbon third pillar. This paper will make a contribution to that debate, arguing that a review of both the data protection and security provision post-Lisbon is required, not only in order to reinforce individual rights, but also inter-agency operability in combating cross-border EU crime. The EC’s provisions on data protection, as enshrined by Directive 95/46/EC, do not apply to the legal frameworks covering developments within the third pillar of the EU. Even Council Framework Decision 2008/977/JHA, which is supposed to cover data protection provisions within PJCCM expressly states that its provisions do not apply to “Europol, Eurojust, the Schengen Information System (SIS)” or to the Customs Information System (CIS). In addition, the post Treaty of Prüm provisions covering the sharing of DNA profiles, dactyloscopic data and vehicle registration data pursuant to Council Decision 2008/615/JHA, are not to be covered by the provisions of the 2008 Framework Decision. As stated by Hijmans and Scirocco, the regime is “best defined as a patchwork of data protection regimes”, with “no legal framework which is stable and unequivocal, like Directive 95/46/EC in the First pillar”. Data security issues are also key to the sharing of data in organised crime or counterterrorism situations. This article will critically analyse the current legal framework for data protection and security within the third pillar of the EU.

Encryption safe harbours and data breach notification laws

Data breach notification laws require organisations to notify affected persons or regulatory authorities when an unauthorised acquisition of personal data occurs. Most laws provide a safe harbour to this obligation if acquired data has been encrypted. There are three types of safe harbour: an exemption; a rebuttable presumption and factor-based analysis. We demonstrate, using three condition-based scenarios, that the broad formulation of most encryption safe harbours is based on the flawed assumption that encryption is the silver bullet for personal information protection. We then contend that reliance upon an encryption safe harbour should be dependent upon a rigorous and competent risk-based review that is required on a case-by-case basis. Finally, we recommend the use of both an encryption safe harbour and a notification trigger as our preferred choice for a data breach notification regulatory framework.