879 results for Data Protection Directive
Abstract:
The development of the Internet has made it possible to transfer data ‘around the globe at the click of a mouse’. Especially fresh business models such as cloud computing, the newest driver to illustrate the speed and breadth of the online environment, allow this data to be processed across national borders on a routine basis. A number of factors cause the Internet to blur the lines between public and private space: Firstly, globalization and the outsourcing of economic actors entrain an ever-growing exchange of personal data. Secondly, the security pressure in the name of the legitimate fight against terrorism opens the access to a significant amount of data for an increasing number of public authorities. And finally, the tools of the digital society accompany everyone at each stage of life by leaving permanent individual and borderless traces in both space and time. Therefore, calls from both the public and private sectors for an international legal framework for privacy and data protection have become louder. Companies such as Google and Facebook have also come under continuous pressure from governments and citizens to reform the use of data. Thus, Google was not alone in calling for the creation of ‘global privacy standards’. Efforts are underway to review established privacy foundation documents. There are similar efforts to look at standards in global approaches to privacy and data protection. The last remarkable steps were the Montreux Declaration, in which the privacy commissioners appealed to the United Nations ‘to prepare a binding legal instrument which clearly sets out in detail the rights to data protection and privacy as enforceable human rights’. This appeal was repeated in 2008 at the 30th international conference held in Strasbourg, at the 31st conference 2009 in Madrid and in 2010 at the 32nd conference in Jerusalem. In a globalized world, free data flow has become an everyday need.
Thus, the aim of global harmonization should be that it doesn’t make any difference for data users or data subjects whether data processing takes place in one or in several countries. Concern has been expressed that data users might seek to avoid privacy controls by moving their operations to countries which have lower standards in their privacy laws or no such laws at all. To control that risk, some countries have implemented special controls into their domestic law. Again, such controls may interfere with the need for free international data flow. A formula has to be found to make sure that privacy at the international level does not prejudice this principle.
Abstract:
In light of the recent European Court of Justice ruling (ECJ C-131/12, Google Spain v Spanish Data Protection Agency), the “right to be forgotten” has once again gained worldwide media attention. Already in 2012, when the European Commission proposed a right to be forgotten, this proposal received broad public interest and was debated intensively. Under certain conditions, individuals should thereby be able to delete personal data concerning them. More recently – in light of the European Parliament’s approval of the LIBE Committee’s amendments on March 14, 2014 – the concept seems to be close to its final form. Although it remains, for the most part, unchanged from the previously circulated drafts, it has been re-labelled as a “right of erasure”. This article argues that, despite its catchy terminology, the right to be forgotten can be understood as a generic term, bringing together existing legal provisions: the substantial right of oblivion and the rather procedural right to erasure derived from data protection. Hereinafter, the article presents an analysis of selected national legal frameworks and corresponding case law, accounting for data protection, privacy, and general tort law as well as defamation law. This comparative analysis grasps the practical challenges which the attempt to strengthen individual control and informational self-determination faces. Consequently, it is argued that narrowing the focus on the data protection law amendments neglects the elaborate balancing of conflicting interests in European legal tradition. It is shown that the attempt to implement oblivion, erasure and forgetting in the digital age is a complex undertaking.
Abstract:
In Europe, roughly three regimes apply to the liability of Internet intermediaries for privacy violations conducted by users through their network. These are: the e-Commerce Directive, which, under certain conditions, excludes them from liability; the Data Protection Directive, which imposes a number of duties and responsibilities on providers processing personal data; and the freedom of expression, contained inter alia in the ECHR, which, under certain conditions, grants Internet providers several privileges and freedoms. Each doctrine has its own field of application, but they also have partial overlap. In practice, this creates legal inequality and uncertainty, especially with regard to providers that host online platforms and process User Generated Content.
Abstract:
The management of patient data occupies a significant place in the practice of the healing arts. It frequently happens that persons take part in producing or managing patient data although, whether or not they are health practitioners, they do not work under the authority or direction of the practitioner or team in charge of the patient. Under Directive 95/46/EC on the protection of individuals with regard to the processing of personal data, these third parties have the status of processor when they process data on behalf of the data controller. The controller must choose a processor that provides sufficient guarantees regarding the technical and organisational security measures governing the processing to be carried out, and must ensure compliance with those measures. The existence of security labels could facilitate the choice of processor. For highly sensitive data such as genetic data, it would be advisable to consider prior checking by the supervisory authority or by a data protection official. It then remains to determine who is the true controller of the patient's data, which depends heavily on the socially recognised weight attributed to the various actors in the therapeutic relationship.
Abstract:
Data breach notification laws require organisations to notify affected persons or regulatory authorities when an unauthorised acquisition of personal data occurs. Most laws provide a safe harbour to this obligation if acquired data has been encrypted. There are three types of safe harbour: an exemption; a rebuttable presumption and factor-based analysis. We demonstrate, using three condition-based scenarios, that the broad formulation of most encryption safe harbours is based on the flawed assumption that encryption is the silver bullet for personal information protection. We then contend that reliance upon an encryption safe harbour should be dependent upon a rigorous and competent risk-based review that is required on a case-by-case basis. Finally, we recommend the use of both an encryption safe harbour and a notification trigger as our preferred choice for a data breach notification regulatory framework.
Abstract:
Public and private sector organisations are now able to capture and utilise data on a vast scale, thus heightening the importance of adequate measures for protecting unauthorised disclosure of personal information. In this respect, data breach notification has emerged as an issue of increasing importance throughout the world. It has been the subject of law reform in the United States and in other jurisdictions. This article reviews US, Australian and EU legal developments regarding the mandatory notification of data breaches. The authors highlight areas of concern based on the extant US experience that require further consideration in Australia and in the EU.
Abstract:
Mandatory data breach notification laws are a novel and potentially important legal instrument regarding organisational protection of personal information. These laws require organisations that have suffered a data breach involving personal information to notify those persons that may be affected, and potentially government authorities, about the breach. The Australian Law Reform Commission (ALRC) has proposed the creation of a mandatory data breach notification scheme, implemented via amendments to the Privacy Act 1988 (Cth). However, the conceptual differences between data breach notification law and information privacy law are such that it is questionable whether a data breach notification scheme can be solely implemented via an information privacy law. Accordingly, this thesis by publications investigated, through six journal articles, the extent to which data breach notification law was conceptually and operationally compatible with information privacy law. The assessment of compatibility began with the identification of key issues related to data breach notification law. The first article, Stakeholder Perspectives Regarding the Mandatory Notification of Australian Data Breaches, started this stage of the research, which concluded in the second article, The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal Developments (‘Mandatory Notification’). A key issue that emerged was whether data breach notification was itself an information privacy issue. This notion guided the remaining research and focused attention towards the next stage of research, an examination of the conceptual and operational foundations of both laws. The second article, Mandatory Notification, and the third article, Encryption Safe Harbours and Data Breach Notification Laws, did so from the perspective of data breach notification law.
The fourth article, The Conceptual Basis of Personal Information in Australian Privacy Law and the fifth article, Privacy Invasive Geo-Mashups: Privacy 2.0 and the Limits of First Generation Information Privacy Laws did so for information privacy law. The final article, Contextualizing the Tensions and Weaknesses of Information Privacy and Data Breach Notification Laws synthesised previous research findings within the framework of contextualisation, principally developed by Nissenbaum. The examination of conceptual and operational foundations revealed tensions between both laws and shared weaknesses within both laws. First, the distinction between sectoral and comprehensive information privacy legal regimes was important as it shaped the development of US data breach notification laws and their subsequent implementable scope in other jurisdictions. Second, the sectoral versus comprehensive distinction produced different emphases in relation to data breach notification thus leading to different forms of remedy. The prime example is the distinction between market-based initiatives found in US data breach notification laws compared to rights-based protections found in the EU and Australia. Third, both laws are predicated on the regulation of personal information exchange processes even though both laws regulate this process from different perspectives, namely, a context independent or context dependent approach. Fourth, both laws have limited notions of harm that is further constrained by restrictive accountability frameworks. The findings of the research suggest that data breach notification is more compatible with information privacy law in some respects than others. Apparent compatibilities clearly exist as both laws have an interest in the protection of personal information. However, this thesis revealed that ostensible similarities are founded on some significant differences. 
Data breach notification law is either a comprehensive facet to a sectoral approach or a sectoral adjunct to a comprehensive regime. However, whilst there are fundamental differences between both laws they are not so great to make them incompatible with each other. The similarities between both laws are sufficient to forge compatibilities but it is likely that the distinctions between them will produce anomalies particularly if both laws are applied from a perspective that negates contextualisation.
Abstract:
'Data retention and the war against terrorism - a considered and proportionate response'. Journal of Information Law & Technology 2004 (3) RAE2008
Abstract:
The present dissertation takes as its object of study the right to be forgotten, a new right to increase data subjects' control over their data. It analyses data protection on the Internet, in particular some processing scenarios and the regulation applicable to them (Directive 95/46/CE and Directive 2002/58/CE).
Abstract:
Images have gained a never before seen importance. Technological changes have given the Information Society extraordinary means to capture, treat and transmit images, whether your own or those of others, with or without a commercial purpose, with no boundaries of time or country, without “any kind of eraser”. Of the several different ways natural persons may engage in image processing with no commercial purpose, the cases of sharing pictures through social networks and video surveillance assume particular relevance. Consequently there are growing legitimate concerns with the protection of one's image, since its processing may sometimes generate situations of privacy invasion or put at risk other fundamental rights. With this in mind, the present thesis arises from the question: what are the existing legal instruments in Portuguese law that enable citizens to protect themselves from the abusive usage of their own pictures, whether because that image has been captured by a smartphone or some video surveillance camera, or because it was massively shared through a blog or some social network? There is no question that one's right not to have his or her image used in an abusive way is protected by the Portuguese constitution, through Article 26 CRP, as a personality right under Article 79 of the Civil Code, and finally through criminal law, under Articles 192 and 193 of the Criminal Code. The question arises in the personal data protection context, considering that one's picture, given certain conditions, is personal data. Both Directive 95/46/CE of 1995 and the LPD of 1998 are applicable to the processing of personal data, but both exclude situations of natural persons doing so in the pursuit of strictly personal or family-related activities. These laws demand complex procedures of natural persons, such as the prior formal authorisation request to the Data Protection National Commission.
Failure by a natural person to do so may result in fines as high as €2.500,00 or even criminal charges. Consequently, the present thesis aims to study whether image processing with no commercial purpose by a natural person, in the context of social networks or through video surveillance, belongs to the domain of the existing personal data protection law. To that effect, general considerations were made regarding the concept of video surveillance and its regime, so that it may be distinguished from Steve Mann's definition of sousveillance, and regarding the associated obligations, in order to better understand the concept's essence. The application of the existing laws on personal data protection to image processing by natural persons has been analysed taking into account Directive 95/46/CE, the LPD and the General Regulation. From this analysis it is concluded that the regime from 1995 to 1998 is out of touch with reality, creating an absence of legal shielding in the personal data protection law, a flaw that does not materialise because it is compensated by the right to image as a personality right, but that nonetheless reveals the inability of the Portuguese legislator to face the new technological challenges. It is urgent to legislate. A contrary interpretation would reveal the unconstitutionality of several rules of the LPD, because the obligations to which natural persons are bound violate the right to freedom of speech and information and would be inadequate and disproportionate. Considering the recently approved General Regulation, and in the case it becomes the final version, the use by natural persons of video surveillance of private spaces, Google Glass (in public and private places) and other similar gadgets used for recreational purposes, as well as social networks, is subject to its regulation only if the images are shared without limits or where commercial purposes exist.
Video surveillance of public spaces in all situations is subject to General Regulation provisions.
Abstract:
In this text, the author answers a question raised at a conference organised jointly by the US Department of Commerce and the Article 29 Working Party, which calls for determining how data protection rules should apply to transfers of personal data in a global, multi-economic and multicultural society. The question is pertinent in such a society, characterised by the need, on the one hand, to ensure a certain regime of data protection regardless of borders and, on the other hand, to respect the diversity of the economic and cultural realities that increasingly exist side by side. The author first recalls how Europe progressively put in place the system of the right to the protection of personal data. He then explains how the European Union approached the question of regulating transborder flows, arriving at the development of a system of adequate and effective protection for transfers of data outside the European Union. However, the system thus put in place no longer seems today to correspond to the reality of transborder flows, hence the possible need to reform it.
Abstract:
The protection of personal data in Switzerland has its basis in the constitution and is given concrete form above all in a federal law adopted before the advent of the Internet and the widespread transmission of personal information over digital networks. This regulation is supplemented by Switzerland's international commitments, notably the Council of Europe's European Convention on Human Rights. The article first delimits the scope of application of the legislation, which applies to the processing of personal data by private persons as well as by the authorities of the federal administration. There follows a brief analysis of the fundamental principles (lawfulness, good faith, proportionality, purpose limitation, accuracy, communication abroad, security, right of access) and of their application on the Internet. Finally, the protection of the content of private electronic messages is briefly addressed from the angle of telecommunications secrecy and in the light of recent case law of the Federal Tribunal (Tribunal fédéral).
Abstract:
Thesis completed under joint supervision (cotutelle) with the Université de Montréal and the Université Panthéon-Assas Paris II