Pitching trade against privacy: reconciling EU governance of personal data flows with external trade external link

International Data Privacy Law, vol. 10, num: 3, pp: 201-221, 2020

Abstract

This article positions EU’s external governance of personal data flows against the backdrop of the international controversy on digital trade versus strict privacy laws. Now that the EU has defined its position on horizontal provisions on cross-border data flows and personal data protection, it is both timely and essential to reassess its strategy on the international transfers of personal data in the purview of its future trade agreements. For its own normative approach and regulatory autonomy, the EU has a pivotal role to play in shaping the interface between trade and privacy before the ‘free trade leviathan’ can restrict the policy choices not only of individual states but also of the EU itself. Our contribution aims to break through the present compartmentalization of privacy scholarship and trade lawyers because it situates personal data flows in both disciplines.

Cross-border data flow, Digital trade, EU law, frontpage, GDPR, international trade law, Personal data, Privacy

Bibtex

Article{Irion2020bb, title = {Pitching trade against privacy: reconciling EU governance of personal data flows with external trade}, author = {Irion, K. and Yakovleva, S.}, doi = {https://doi.org/https://doi.org/10.1093/idpl/ipaa003}, year = {0401}, date = {2020-04-01}, journal = {International Data Privacy Law}, volume = {10}, number = {3}, pages = {201-221}, abstract = {This article positions EU’s external governance of personal data flows against the backdrop of the international controversy on digital trade versus strict privacy laws. Now that the EU has defined its position on horizontal provisions on cross-border data flows and personal data protection, it is both timely and essential to reassess its strategy on the international transfers of personal data in the purview of its future trade agreements. For its own normative approach and regulatory autonomy, the EU has a pivotal role to play in shaping the interface between trade and privacy before the ‘free trade leviathan’ can restrict the policy choices not only of individual states but also of the EU itself. Our contribution aims to break through the present compartmentalization of privacy scholarship and trade lawyers because it situates personal data flows in both disciplines.}, keywords = {Cross-border data flow, Digital trade, EU law, frontpage, GDPR, international trade law, Personal data, Privacy}, }

Access and Reuse of Machine-Generated Data for Scientific Research external link

Erasmus Law Review, num: 2, pp: 155-165, 2019

Abstract

Data driven innovation holds the potential in transforming current business and knowledge discovery models. For this reason, data sharing has become one of the central points of interest for the European Commission towards the creation of a Digital Single Market. The value of automatically generated data, which are collected by Internet-connected objects (IoT), is increasing: from smart houses to wearables, machine-generated data hold significant potential for growth, learning, and problem solving. Facilitating researchers in order to provide access to these types of data implies not only the articulation of existing legal obstacles and of proposed legal solutions but also the understanding of the incentives that motivate the sharing of the data in question. What are the legal tools that researchers can use to gain access and reuse rights in the context of their research?

frontpage, GDPR, Internet of Things, machine-generated data, Personal data, Privacy, scientific research

Bibtex

Article{Giannopoulou2019bb, title = {Access and Reuse of Machine-Generated Data for Scientific Research}, author = {Giannopoulou, A.}, url = {https://www.ivir.nl/publicaties/download/Erasmus_Law_Review_2019.pdf}, doi = {https://doi.org/10.5553/ELR.000136}, year = {1220}, date = {2019-12-20}, journal = {Erasmus Law Review}, number = {2}, abstract = {Data driven innovation holds the potential in transforming current business and knowledge discovery models. For this reason, data sharing has become one of the central points of interest for the European Commission towards the creation of a Digital Single Market. The value of automatically generated data, which are collected by Internet-connected objects (IoT), is increasing: from smart houses to wearables, machine-generated data hold significant potential for growth, learning, and problem solving. Facilitating researchers in order to provide access to these types of data implies not only the articulation of existing legal obstacles and of proposed legal solutions but also the understanding of the incentives that motivate the sharing of the data in question. What are the legal tools that researchers can use to gain access and reuse rights in the context of their research?}, keywords = {frontpage, GDPR, Internet of Things, machine-generated data, Personal data, Privacy, scientific research}, }

Fundamental rights review of EU data collection instruments and programmes external link

Fondazione Giacomo Brodolini & Irion, K.
2019

Abstract

This report is the result of a Pilot Project requested by the European Parliament, managed by the Commission and carried out by a group of independent experts. The scope of the project was to establish and support an independent experts’ group to carry out a fundamental rights review of existing EU legislation and instruments in the Area of Freedom, Security and Justice (AFSJ) that involve the collection, retention, storage or transfer of personal data. One outcome of the project is a database of AFSJ legislation and instruments with individual fundamental rights assessments (at http://brodolini.mbs.it/). The final report concludes that that fundamental rights safeguards need to be more consistently considered and applied in the AFSJ. The conclusions highlight five broad issues for further consideration: ambiguous definitions and open terms; law enforcement access to migration databases; the expansion of centralised databases; data retention periods; and information rights and duties.

Area of Freedom, EU databases, EU law, frontpage, Fundamental rights, Personal data, Privacy, Security and Justice

Bibtex

Online publication{Brodolini2019, title = {Fundamental rights review of EU data collection instruments and programmes}, author = {Fondazione Giacomo Brodolini and Irion, K.}, url = {http://www.fondazionebrodolini.it/sites/default/files/final_report_0.pdf}, year = {1204}, date = {2019-12-04}, abstract = {This report is the result of a Pilot Project requested by the European Parliament, managed by the Commission and carried out by a group of independent experts. The scope of the project was to establish and support an independent experts’ group to carry out a fundamental rights review of existing EU legislation and instruments in the Area of Freedom, Security and Justice (AFSJ) that involve the collection, retention, storage or transfer of personal data. One outcome of the project is a database of AFSJ legislation and instruments with individual fundamental rights assessments (at http://brodolini.mbs.it/). The final report concludes that that fundamental rights safeguards need to be more consistently considered and applied in the AFSJ. The conclusions highlight five broad issues for further consideration: ambiguous definitions and open terms; law enforcement access to migration databases; the expansion of centralised databases; data retention periods; and information rights and duties.}, keywords = {Area of Freedom, EU databases, EU law, frontpage, Fundamental rights, Personal data, Privacy, Security and Justice}, }

Political micro-targeting: a Manchurian candidate or just a dark horse? external link

Bodó, B., Helberger, N. & Vreese, C.H. de
Internet Policy Review, vol. 2017, num: 4, 2018

Abstract

Political micro-targeting (PMT) has become a popular topic both in academia and in the public discussions after the surprise results of the 2016 US presidential election, the UK vote on leaving the European Union, and a number of general elections in Europe in 2017. Yet, we still know little about whether PMT is a tool with such destructive potential that it requires close societal control, or if it’s “just” a new phenomenon with currently unknown capacities, but which can ultimately be incorporated into our political processes. In this article we identify the points where we think we need to further develop our analytical capacities around PMT. We argue that we need to decouple research from the US context, and through more non-US and comparative research we need to develop a better understanding of the macro, meso, and micro level factors that affect the adoption and success of PMTs across different countries. One of the most under-researched macro-level factors is law. We argue that PMT research must develop a better understanding of law, especially in Europe, where the regulatory frameworks around platforms, personal data, political and commercial speech do shape the use and effectiveness of PMT. We point out that the incorporation of such new factors calls for the sophistication of research designs, which currently rely too much on qualitative methods, and use too little of the data that exists on PMT. And finally, we call for distancing PMT research from the hype surrounding the new PMT capabilities, and the moral panics that quickly develop around its uses.

democratie, frontpage, Online platforms, Personal data, political microtargeting, Regulation

Bibtex

Article{Bodó2018, title = {Political micro-targeting: a Manchurian candidate or just a dark horse?}, author = {Bodó, B. and Helberger, N. and Vreese, C.H. de}, url = {https://policyreview.info/articles/analysis/political-micro-targeting-manchurian-candidate-or-just-dark-horse}, year = {0119}, date = {2018-01-19}, journal = {Internet Policy Review}, volume = {2017}, number = {4}, pages = {}, abstract = {Political micro-targeting (PMT) has become a popular topic both in academia and in the public discussions after the surprise results of the 2016 US presidential election, the UK vote on leaving the European Union, and a number of general elections in Europe in 2017. Yet, we still know little about whether PMT is a tool with such destructive potential that it requires close societal control, or if it’s “just” a new phenomenon with currently unknown capacities, but which can ultimately be incorporated into our political processes. In this article we identify the points where we think we need to further develop our analytical capacities around PMT. We argue that we need to decouple research from the US context, and through more non-US and comparative research we need to develop a better understanding of the macro, meso, and micro level factors that affect the adoption and success of PMTs across different countries. One of the most under-researched macro-level factors is law. We argue that PMT research must develop a better understanding of law, especially in Europe, where the regulatory frameworks around platforms, personal data, political and commercial speech do shape the use and effectiveness of PMT. We point out that the incorporation of such new factors calls for the sophistication of research designs, which currently rely too much on qualitative methods, and use too little of the data that exists on PMT. And finally, we call for distancing PMT research from the hype surrounding the new PMT capabilities, and the moral panics that quickly develop around its uses.}, keywords = {democratie, frontpage, Online platforms, Personal data, political microtargeting, Regulation}, }

The Japan EU Economic Partnership Agreement: Flows of Personal Data to the Land of the Rising Sun external link

Bartl, M. & Irion, K.
2017

Abstract

At the EU-Japan Summit in July this year the European Union (EU) and Japan have achieved a political agreement in principle on the content of the Japan EU Economic Partnership Agreement. For Japan including data flows in the trade deal with the EU has been an important political goal besides mutual recognition of their privacy laws. The EU is currently not favorably disposed to allow data flows provisions into trade deals. Building a ‘state of the art’ digital economy between Japan and the EU is certainly possible in conformity with their data privacy laws and the classical trade law disciplines. Our brief unpacks how flows of personal data will governed in the relationship between Japan and the EU. As a point of departure we look at the extent to which the prospective trade deal between the two economies would already cover data flows, including personal data. Next, we will take a look at the prospects for a regulatory handshake between Japan and EU providing for mutual recognition of data privacy and flows of personal data. The brief concludes with findings and recommendations on the future directions of Japan EU Economic Partnership Agreement.

Data protection law, frontpage, Japan, Personal data, trade agreements

Bibtex

Other{Bartl2017, title = {The Japan EU Economic Partnership Agreement: Flows of Personal Data to the Land of the Rising Sun}, author = {Bartl, M. and Irion, K.}, url = {https://www.ivir.nl/publicaties/download/Transfer-of-personal-data-to-the-land-of-the-rising-sun-FINAL.pdf}, year = {1025}, date = {2017-10-25}, abstract = {At the EU-Japan Summit in July this year the European Union (EU) and Japan have achieved a political agreement in principle on the content of the Japan EU Economic Partnership Agreement. For Japan including data flows in the trade deal with the EU has been an important political goal besides mutual recognition of their privacy laws. The EU is currently not favorably disposed to allow data flows provisions into trade deals. Building a ‘state of the art’ digital economy between Japan and the EU is certainly possible in conformity with their data privacy laws and the classical trade law disciplines. Our brief unpacks how flows of personal data will governed in the relationship between Japan and the EU. As a point of departure we look at the extent to which the prospective trade deal between the two economies would already cover data flows, including personal data. Next, we will take a look at the prospects for a regulatory handshake between Japan and EU providing for mutual recognition of data privacy and flows of personal data. The brief concludes with findings and recommendations on the future directions of Japan EU Economic Partnership Agreement.}, keywords = {Data protection law, frontpage, Japan, Personal data, trade agreements}, }

Unfair Commercial Practices: A Complementary Approach to Privacy Protection external link

van Eijk, N., Hoofnagle, C.J. & Kannekens, E.
European Data Protection Law Review, vol. 2017, num: 3, pp: 325-337, 2017

Abstract

Millions of European internet users access online platforms where their personal data is being collected, processed, analysed or sold. The existence of some of the largest online platforms is entirely based on data driven business models. In the European Union, the protection of personal data is considered a fundamental right. Under Article 8(3) of the EU Charter of Fundamental Rights, compliance with data protection rules should be subject to control by an independent authority. In the EU, enforcement of privacy rules almost solely takes place by the national data protection authorities. They typically apply sector-specific rules, based on the EU Data Protection Directive. In the United States, the Federal Trade Commission is the primary enforcer of consumers’ (online) privacy interests. The agency’s competence is not based on the protection of fundamental rights, but on the basis that maintenance of a competitive, fair marketplace will provide the right choices for consumers to take. In this Article the US legal framework will be discussed and compared to the EU legal framework, which forms our finding that in the EU rules on unfair commercial practices could be enforced in a similar manner to protect people’s privacy. In the EU, the many frictions concerning the market/consumer-oriented use of personal data form a good reason to actually deal with these frictions in a market/consumer legal framework.

frontpage, Fundamental rights, Online platforms, Personal data, Privacy, unfair commercial practices

Bibtex

Article{vanEijk2017b, title = {Unfair Commercial Practices: A Complementary Approach to Privacy Protection}, author = {van Eijk, N. and Hoofnagle, C.J. and Kannekens, E.}, url = {https://www.ivir.nl/publicaties/download/edpl_2017_03.pdf}, doi = {https://doi.org/https://doi.org/10.21552/edpl/2017/3/7}, year = {1019}, date = {2017-10-19}, journal = {European Data Protection Law Review}, volume = {2017}, number = {3}, pages = {325-337}, abstract = {Millions of European internet users access online platforms where their personal data is being collected, processed, analysed or sold. The existence of some of the largest online platforms is entirely based on data driven business models. In the European Union, the protection of personal data is considered a fundamental right. Under Article 8(3) of the EU Charter of Fundamental Rights, compliance with data protection rules should be subject to control by an independent authority. In the EU, enforcement of privacy rules almost solely takes place by the national data protection authorities. They typically apply sector-specific rules, based on the EU Data Protection Directive. In the United States, the Federal Trade Commission is the primary enforcer of consumers’ (online) privacy interests. The agency’s competence is not based on the protection of fundamental rights, but on the basis that maintenance of a competitive, fair marketplace will provide the right choices for consumers to take. In this Article the US legal framework will be discussed and compared to the EU legal framework, which forms our finding that in the EU rules on unfair commercial practices could be enforced in a similar manner to protect people’s privacy. In the EU, the many frictions concerning the market/consumer-oriented use of personal data form a good reason to actually deal with these frictions in a market/consumer legal framework.}, keywords = {frontpage, Fundamental rights, Online platforms, Personal data, Privacy, unfair commercial practices}, }

An Assessment of the Commission’s Proposal on Privacy and Electronic Communications external link

Abstract

This study, commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the LIBE Committee, appraises the European Commission’s proposal for an ePrivacy Regulation. The study assesses whether the proposal would ensure that the right to the protection of personal data, the right to respect for private life and communications, and related rights enjoy a high standard of protection. The study also highlights the proposal’s potential benefits and drawbacks more generally.

e-Privacy regulation, frontpage, Personal data, Privacy

Bibtex

Other{Borgesius2017b, title = {An Assessment of the Commission’s Proposal on Privacy and Electronic Communications}, author = {Zuiderveen Borgesius, F. and van Hoboken, J. and Fahy, R. and Irion, K. and Rozendaal, M.}, url = {https://www.ivir.nl/publicaties/download/IPOL_STU2017583152_EN.pdf}, doi = {https://doi.org/10.2861/614076}, year = {0615}, date = {2017-06-15}, abstract = {This study, commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the LIBE Committee, appraises the European Commission’s proposal for an ePrivacy Regulation. The study assesses whether the proposal would ensure that the right to the protection of personal data, the right to respect for private life and communications, and related rights enjoy a high standard of protection. The study also highlights the proposal’s potential benefits and drawbacks more generally.}, keywords = {e-Privacy regulation, frontpage, Personal data, Privacy}, }

Privacy, Freedom of Expression, and the Right to Be Forgotten in Europe external link

forthcoming in J. Polonetsky, O. Tene, E. Selinger (ed.), Cambridge Handbook of Consumer Privacy, 2017, 0302

Abstract

In this chapter we discuss the relation between privacy and freedom of expression in Europe. In principle, the two rights have equal weight in Europe – which right prevails depends on the circumstances of a case. We use the Google Spain judgment of the Court of Justice of the European Union, sometimes called the ‘right to be forgotten’ judgment, to illustrate the difficulties when balancing the two rights. The court decided in Google Spain that people have, under certain conditions, the right to have search results for their name delisted. We discuss how Google and Data Protection Authorities deal with such delisting requests in practice. Delisting requests illustrate that balancing privacy and freedom of expression interests will always remain difficult.

Criminal Conviction, Dutch Law, Freedom of expression, Freedom of Speech, frontpage, Personal data, Privacy, right to be forgotten, Search Engine, Sensitive Data, Special Categories of Data

Bibtex

Chapter{Kulk2017, title = {Privacy, Freedom of Expression, and the Right to Be Forgotten in Europe}, author = {Kulk, S. and Zuiderveen Borgesius, F.}, url = {https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2923722}, year = {0302}, date = {2017-03-02}, abstract = {In this chapter we discuss the relation between privacy and freedom of expression in Europe. In principle, the two rights have equal weight in Europe – which right prevails depends on the circumstances of a case. We use the Google Spain judgment of the Court of Justice of the European Union, sometimes called the ‘right to be forgotten’ judgment, to illustrate the difficulties when balancing the two rights. The court decided in Google Spain that people have, under certain conditions, the right to have search results for their name delisted. We discuss how Google and Data Protection Authorities deal with such delisting requests in practice. Delisting requests illustrate that balancing privacy and freedom of expression interests will always remain difficult.}, keywords = {Criminal Conviction, Dutch Law, Freedom of expression, Freedom of Speech, frontpage, Personal data, Privacy, right to be forgotten, Search Engine, Sensitive Data, Special Categories of Data}, }

Identifiability and the applicability of data protection to big data external link

Oostveen, M.
International Data Privacy Law, 2016

Abstract

Big data holds much potential, but it can also have a negative impact on individuals, particularly on their privacy and data protection rights. Data protection law is the point of departure in the discussion about big data; it is widely regarded as the answer to big data’s negative consequences. Yet a closer look at the criteria for applicability of EU data protection law reveals a number of weaknesses in the data protection law approach. Because the material scope of EU data protection law is dependent on the identifiability of individual, data protection only partially applies to the big data process. Therefore, in spite of its importance, data protection law is insufficient to protect individuals from big data’s potential harms.

bescherming persoonsgegevens, Big data, Data protection, frontpage, Grondrechten, Personal data, Privacy

Bibtex

Article{Oostveen2016, title = {Identifiability and the applicability of data protection to big data}, author = {Oostveen, M.}, url = {http://idpl.oxfordjournals.org/content/early/2016/09/06/idpl.ipw012.extract}, doi = {https://doi.org/10.1093/idpl/ipw012}, year = {0927}, date = {2016-09-27}, journal = {International Data Privacy Law}, abstract = {Big data holds much potential, but it can also have a negative impact on individuals, particularly on their privacy and data protection rights. Data protection law is the point of departure in the discussion about big data; it is widely regarded as the answer to big data’s negative consequences. Yet a closer look at the criteria for applicability of EU data protection law reveals a number of weaknesses in the data protection law approach. Because the material scope of EU data protection law is dependent on the identifiability of individual, data protection only partially applies to the big data process. Therefore, in spite of its importance, data protection law is insufficient to protect individuals from big data’s potential harms.}, keywords = {bescherming persoonsgegevens, Big data, Data protection, frontpage, Grondrechten, Personal data, Privacy}, }

Big data: Finders keepers, losers weepers? external link

Ethics and Information Technology, vol. 18, num: 1, pp: 25-31, 2016

Abstract

This article argues that big data’s entrepreneurial potential is based not only on new technological developments that allow for the extraction of non-trivial, new insights out of existing data, but also on an ethical judgment that often remains implicit: namely the ethical judgment that those companies that generate these new insights can legitimately appropriate (the fruits of) these insights. As a result, the business model of big data companies is essentially founded on a libertarian-inspired ‘finders, keepers’ ethic. The article argues, next, that this presupposed ‘finder, keepers’ ethic is far from unproblematic and relies itself on multiple unconvincing assumptions. This leads to the conclusion that the conduct of companies working with big data might lack ethical justification.

Big data, ethics, finders-keepers, justice, libertarianism, Personal data, Privacy

Bibtex

Article{Sax2016, title = {Big data: Finders keepers, losers weepers?}, author = {Sax, M.}, url = {http://link.springer.com/article/10.1007/s10676-016-9394-0}, doi = {https://doi.org/10.1007/s10676-016-9394-0}, year = {0326}, date = {2016-03-26}, journal = {Ethics and Information Technology}, volume = {18}, number = {1}, pages = {25-31}, abstract = {This article argues that big data’s entrepreneurial potential is based not only on new technological developments that allow for the extraction of non-trivial, new insights out of existing data, but also on an ethical judgment that often remains implicit: namely the ethical judgment that those companies that generate these new insights can legitimately appropriate (the fruits of) these insights. As a result, the business model of big data companies is essentially founded on a libertarian-inspired ‘finders, keepers’ ethic. The article argues, next, that this presupposed ‘finder, keepers’ ethic is far from unproblematic and relies itself on multiple unconvincing assumptions. This leads to the conclusion that the conduct of companies working with big data might lack ethical justification.}, keywords = {Big data, ethics, finders-keepers, justice, libertarianism, Personal data, Privacy}, }