Your search keyword '"GENERAL Data Protection Regulation, 2016"' showing total 144 results

1. Adapting non-medical applications for medical use: Ethical limits, coverage, and validation.

Author

Giordano, Vincenzo, Kojima, Kodi Edson, Valderrama-Molina, Carlos Oliver, Azi, Matheus Lemos, Bidolegui, Fernando, and Pires, Robinson Esteves

Subjects

*HEALTH Insurance Portability & Accountability Act, *GENERAL Data Protection Regulation, 2016, *INSTANT messaging, *MEDICAL personnel, *ARTIFICIAL implants, *PHYSICAL fitness mobile apps

Abstract

• Adapting non-medical applications, such as messaging apps, social media, videoconference platforms, and non-medical devices for medical use, present potential limitations, barriers, and risks, which should be fully recognized to reduce crossing the fine line between ethical and unethical. • Most non-medical applications are not adequate tools to share clinical information due to their non-compliance with the European General Data Protection Regulation (GDPR) and the United States Health Insurance Portability and accountability act (HIPAA) rules. • Outside Europe and the United States, non-medical applications have been widely used in medical practice, following the policies of federal medical councils or associations in each country or region. • Regardless of the absence of a universally accepted recommendation, several authors have demonstrated the benefits of using non-medical instant messaging, communication tools, and devices with intended medical purposes in medical practice. • It must be assumed that no non-medical application is 100% secure, so its use must always balance risks and benefits to minimize potential ethical concerns. The widespread adoption of smartphones and other mobile devices amongst healthcare providers opened new possibilities arising from the use of non-medical apps, social media, meeting platforms, and non-medical devices with intended medical purposes, thus expanding the communication and imaging chat systems between these professionals and their patients, as well as amongst healthcare professionals. However, adapting non-medical applications, social media, videoconference platforms and devices for medical use present potential limitations, barriers, and risks, which should be fully recognized to reduce crossing the fine line between ethical and unethical. In the herein study, we analyse the ethical limits, coverage, and validation of non-medical applications adapted for medical use. Level of evidence: IV (evidence from well-designed case-control or cohort studies). [ABSTRACT FROM AUTHOR]

Published

2023

2. Secure Multi-Party Computation for Magnetic Resonance Imaging Classification.

Author

Lytvyn, Oleksandr and Nguyen, Giang

Subjects

MAGNETIC resonance imaging, CONVOLUTIONAL neural networks, GENERAL Data Protection Regulation, 2016, TECHNOLOGICAL innovations, MACHINE learning

Abstract

Accessing private data always requires a complex negotiation process. This process becomes even more challenging under privacy regulations such as the General Data Protection Regulation and the California Consumer Privacy Act. However, in most cases, the availability of greater amounts of data leads to significant technological breakthroughs. The perfect example is the ImageNet classification challenge, which leads to significant improvements in the image recognition area. The combination of these concerns raises the question of performing computations on data that cannot be seen, and a whole new research field that consolidates privacy-preserving concepts and modern data mining techniques comes into place. This is also the purpose of the work presented in this paper, the discovery of Secure Multi-Party Computation (SMPC) capabilities on protecting privacy during the machine learning process. The main attention is paid towards the combination of SMPC and image classification approach based on the convolutional neural network, especially the secure inference process on the encrypted magnetic resonance images. [ABSTRACT FROM AUTHOR]

Published

2023

3. Exploring the Impact of GDPR on Big Data Analytics Operations in the E-Commerce Industry.

Author

Haddara, Moutaz, Salazar, A, and Langseth, Marius

Subjects

BIG data, VIRTUAL communities, GENERAL Data Protection Regulation, 2016, ELECTRONIC commerce, DATA protection laws, RIGHT of privacy

Abstract

This research explores the impact of data privacy and protection laws on e-commerce companies in the Netherlands. Specifically, this study focuses on the General Data Protection Regulation (GDPR). The purpose of this regulation is to refine privacy laws and emphasize the importance of consumer protection and consent. GDPR might challenge enterprises, especially data-driven organizations. Notably, the e-commerce industry is known for relying heavily on big data analytics, business intelligence, and other data-related technologies. Multiple semi-structured interviews with e-commerce professionals and consumers were conducted to gain a deeper understanding of the impact of GDPR based on the strategies employed by e-commerce companies and the online user experience of customers in the Netherlands. The main findings show that while GDPR compliance incurred additional costs for companies, it also improved data security and increased customer trust. Furthermore, the results also suggest that GDPR affects the e-commerce analytics operations in organizations after its adoption. Thus, many organizations have altered their practices to achieve compliance with the laws. The findings of this research contribute to the ongoing exploration of the effects of GDPR on online retail businesses that utilize (big) data analytics. [ABSTRACT FROM AUTHOR]

Published

2023

4. 89P The LGMD2A/Calpainopathy Registry: a patient-powered natural history study and trial recruitment tool.

Author

Levy, J., Boslego, J., Guglieri, M., Martin, A., Mathews, K., and Wrubel, M.

Subjects

*LIMB-girdle muscular dystrophy, *GENERAL Data Protection Regulation, 2016, *WEB-based user interfaces, *PATIENT participation, *DATA privacy

Abstract

In September 2023, Coalition to Cure Calpain 3 launched the LGMD2A/Calpainopathy Registry. This global, patient-reported registry collects longitudinal data on individuals living with Calpainopathy (including limb-girdle muscular dystrophy type 2A/LGMDR1 and limb-girdle muscular dystrophy type 1I/LGMDD4). The Registry utilizes the TREAT-NMD LGMD Core Dataset, the ACTIVLIM questionnaire, and the PROMIS Global-10 measure, as well as additional disease-specific items. Participants are encouraged to upload a digital copy of their genetic report. The registry curator reaches out to participants annually via email, requesting that they update their data on the platform. Participants can enter their own data, or, in the case of minors, Legally Authorized Representatives can enter data on their behalf. The LGMD2A/Calpainopathy Registry collects patient-entered data through a secure web-based application developed and maintained by the National Organization for Rare Disorders (NORD). It is compliant with U.S. Health Information Privacy Laws, FDA regulations on electronic records, and security requirements of General Data Protection Regulation (GDPR). There are no geographic restrictions to joining this Registry. All patient-facing documents have been reviewed and approved by the North Star Review Board. A Steering Committee governs the Registry. The Registry creates a platform to bring the Calpainopathy community together and collect patient data that is an essential requirement for policy makers, academic researchers, and pharmaceutical companies to advance treatments for this disease. Additionally, the study will help identify individuals with Calpainopathy who might be willing to take part in research studies or clinical trials. In the first seven months after opening, data was entered by over 250 participants. Efforts around patient engagement and promotion of the registry are ongoing to increase global participation. Data will be available for use with approval from the Steering Committee. [ABSTRACT FROM AUTHOR]

Published

2024

5. Consumer data protection laws and their impact on business models in the tech industry.

Author

Farhad, Mohsin Ali

Subjects

*DATA protection laws, *BUSINESS models, *MIXED methods research, *GENERAL Data Protection Regulation, 2016, *TECHNOLOGICAL innovations

Abstract

This study investigates the impact of consumer data protection laws on the business models of technology companies through a mixed methods research (MMR) approach. In an era where data privacy concerns are paramount and regulatory landscapes are rapidly evolving, understanding how businesses adapt their models for compliance while fostering innovation is crucial. This paper offers a detailed examination of the legislative requirements imposed by prominent global data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as frameworks from Asia and Africa, such as Singapore's Personal Data Protection Act (PDPA) and South Africa's Protection of Personal Information Act (POPIA). This inclusive perspective enhances our understanding of how technology businesses strategically adapt across various regulatory environments and explores the operational, financial, and strategic impacts of these laws on tech companies. Utilizing a dual-phase mixed methods research (MMR) design, the study initially analyzes quantitative data from surveys conducted with a wide range of technology firms, assessing the direct effects of data protection legislation on business operations and financial performance. This is complemented by qualitative insights drawn from in-depth interviews with business leaders and legal experts, shedding light on the strategic adaptations, challenges, and opportunities these laws present. The findings reveal a multifaceted impact, highlighting not only the compliance challenges but also the strategic opportunities for innovation and competitive differentiation that data protection laws offer. Integrated analysis of the quantitative and qualitative data provides a nuanced understanding of how tech companies navigate the complex interplay between legal compliance and business model innovation. This study contributes to the existing literature by offering empirical evidence and practical insights into the adaptation processes of tech companies in response to consumer data protection laws. It also provides valuable recommendations for both policymakers and business leaders, aiming to foster an environment where legal compliance coexists with technological innovation and business growth. • Analyzes GDPR and CCPA's impact on tech industry business models. • Combines surveys and interviews using mixed methods for broader insights. • Reveals tech companies' compliance challenges and innovation opportunities. • Identifies data protection laws as catalysts for business innovation. • Offers recommendations for blending legal compliance with innovation. [ABSTRACT FROM AUTHOR]

Published

2024

6. How might the GDPR evolve? A question of politics, pace and punishment.

Author

Buckley, Gerard, Caulfield, Tristan, and Becker, Ingolf

Subjects

*GENERAL Data Protection Regulation, 2016, *DIGITAL technology, *PERSONALLY identifiable information, *FINES (Penalties), *INFORMATION technology

Abstract

The digital age has made personal data more valuable and less private. This paper explores the future of the European Union's General Data Protection Regulation (GDPR) by imagining a range of challenging scenarios and how it might handle them. We analyse United States', Chinese and European approaches (self-regulation, state control, arms-length regulators) and identify four key drivers shaping the future regulatory landscape: econopolitics, enforcement capacity, societal trust, and speed of technological development. These scenarios lead us to envision six resultant versions of GDPR, ranging from laxer protection than now to models empowering individuals and regulators. While our analysis suggests a minor update to the status quo GDPR is the most likely outcome, we argue a more robust implementation is necessary. This would entail meaningful penalties for non-compliance, harmonised enforcement, a positive case to counter the regulation-stifles-innovation narrative, defence of cross-border data rights, and proactive guidelines to address emerging technologies. Strengthening the GDPR's effectiveness is crucial to ensure the digital age empowers individuals, not just information technology corporations and governments. [ABSTRACT FROM AUTHOR]

Published

2024

7. Better alone than in bad company: Addressing the risks of companion chatbots through data protection by design.

Author

Dewitte, Pierre

Subjects

*CHATBOTS, *DATA protection, *ARTIFICIAL intelligence, *GENERAL Data Protection Regulation, 2016, *DATA privacy

Abstract

Recent years have seen a surge in the development and use of companion chatbots, conversational agents specifically designed to act as virtual friends, romantic partners, life coaches or even therapists. Yet, these tools raise many concerns, especially when their target audience is comprised of vulnerable individuals. While the recently adopted AI Act is expected to address some of these concerns, both compliance and enforcement are bound to take time. Since the development of companion chatbots involves the processing of personal data at nearly every step of the process, from training to fine-tuning to deployment, this paper argues that the General Data Protection Regulation ("GDPR"), and data protection by design more specifically, already provides a solid ground for regulators and courts to force controllers to mitigate these risks. In doing so, it sheds light on the broad material scope of Articles 24(1) and 25(1) GDPR, highlights the role of these provisions as proxies to Fundamental Rights Impact Assessments ("FRIAs"), and peels off the many layers of personal data processing involved in the companion chatbots supply chain. That reasoning served as the basis for a complaint lodged with the Belgian data protection authority, the full text and supporting evidence of which are provided as supplementary materials. [ABSTRACT FROM AUTHOR]

Published

2024

8. From brussels effect to gravity assists: Understanding the evolution of the GDPR-inspired personal information protection law in China.

Author

Li, Wenlong and Chen, Jiahong

Subjects

*DATA protection laws, *PERSONAL information management, *GENERAL Data Protection Regulation, 2016, *COMPARATIVE law, *DATA protection

Abstract

This paper explores the evolution of China's Personal Information Protection Law (PIPL) and situates it within the context of global data protection development. It draws inspiration from the theory of 'Brussels Effect' and provides a critical account of its application in non-Western jurisdictions, taking China as a prime example. Our objective is not to provide a comparative commentary on China's legal development but to illuminate the intricate dynamics between the Chinese law and the EU's GDPR. We argue that the trajectory of China's Personal Information Protection Law calls into question the applicability of the Brussels Effect: while the GDPR's imprint on the PIPL is evident, a deeper analysis unveils China's nuanced, non-linear adoption that diverges from many assumptions of the Brussels Effect and similar theories. The evolution of the GDPR-inspired PIPL is not as a straightforward outcome of the Brussels Effect but as a nuanced, intricate interplay of external influence and domestic dynamics. We introduce a complementary theory of 'gravity assist', which portrays China's strategic instrumentalisation of the GDPR as a template to shape its unique data protection landscape. Our theoretical framework highlights how China navigates through a patchwork of internal considerations, international standards, and strategic choices, ultimately sculpting a data protection regime that has a similar appearance to the GDPR but aligns with its distinct political, cultural and legal landscape. With a detailed historical and policy analysis of the PIPL, coupled with reasonable speculations on its future avenues, our analysis presents a pragmatic, culturally congruent approach to legal development in China. It signals a trajectory that, while potentially converging at a principled level, is likely to diverge significantly in practice, driven by China's broader socio-political and economic agendas rather than the foundational premises of EU data protection law and its global aspirations. It thus indicates the inherent limitations of applying Brussels Effect and other theoretical frameworks to non-Western jurisdictions, highlighting the imperative for integrating complementary theories to more accurately navigate complex legal landscapes. [ABSTRACT FROM AUTHOR]

Published

2024

9. Will the GDPR Restrain Health Data Access Bodies Under the European Health Data Space (EHDS)?

Author

Quinn, Paul, Ellyne, Erika, and Yao, Cong

Subjects

*GENERAL Data Protection Regulation, 2016, *DATA protection laws, *ELECTRONIC data processing, *RIGHT of privacy, *DATA security

Abstract

The plans for a European Health Data Space (EHDS) envisage an ambitious and radical platform that will inter alia make the sharing of secondary health data easier. It will encourage the systematic sharing of health data and provide a legal framework for it to be shared by Health Data Access Bodies (HDABs) based in each of the Member States. Whilst this promises to bring about major benefits for research and innovation, it also raises serious questions given the intrinsic sensitivity of health data. Fears concerning privacy harms on the individual level and detrimental effects on the societal level have been raised. This article discusses two of the main protective pillars designed to allay such concerns. The first is that the proposal clearly outlines several contexts for which a Health Data Access Permit (HDAP) should and should not be granted. The second is that a request for an HDAP must also be compliant with the GDPR (inter alia requiring a valid legal basis and respecting data processing principles such as 'minimization' and 'storage limitation'). As this article discusses, in some instances the need to have a valid legal basis under the GDPR may make it difficult to obtain a data access permit, in particular for some of the commercially orientated grounds outlined within the EHDS proposal. A further important issue concerns the ability of HDABs to analyse the compatibility permit requests under the GDPR and relevant national law at both speed and scale. [ABSTRACT FROM AUTHOR]

Published

2024

10. An automated consistency management approach for a privacy-aware electric vehicle architecture.

Author

Stancke, Jonathan, Plappert, Christian, and Jäger, Lukas

Subjects

*GENERAL Data Protection Regulation, 2016, *RIGHT of privacy, *EUROPEAN Union law, *ELECTRONIC control, *ELECTRIC vehicles

Abstract

Modern vehicles contain a number of highly connected embedded systems that generate, store, and process information and exchange it with their environment. Since a large part of this information is privacy-critical, privacy laws such as the GDPR of the European Union apply to it. In this work, we evaluate the privacy-criticality of exemplary data and data flows of the electric driving domain on a reference architecture. We categorize the ECUs of the architecture based on the criticality of the data they process and propose measures and technologies as building blocks that provide adequate privacy protection according to the requirements given by the GDPR. To ensure that all requirements are met by the reference architecture, we propose a more principled solution that simplifies the mapping between an architecture and the measures. For this purpose, we propose an architecture description template in JSON and an algorithm for automated consistency checks that outputs the measures and the security extension needed per Electronic Control Unit (ECU) to comply with derived privacy requirements. [ABSTRACT FROM AUTHOR]

Published

2024

11. Public Transportation Data Analysis to Estimate Road Status in Metropolitan Areas: The Case of İstanbul.

Author

Arifoğulları, Ömer and Alptekin, Gülfem Işıklar

Subjects

METROPOLITAN areas, HIGHWAY capacity, INTELLIGENT transportation systems, GENERAL Data Protection Regulation, 2016, TRAFFIC engineering

Abstract

Many types of systems that seek solutions to cities' mobility issues, such as traffic congestion and accidents, have recently been proposed worldwide. A bottleneck, which is defined as an occurrence of congestion at a highway segment, is one of the major causes of citizens' discontent in cities. Bottlenecks cause a decrease in vehicles' speeds, creating negative effects on the capacity of the highway segments and traffic jams. It is also an important research domain in traffic engineering that causes delays in road traffic. Within the concept of Intelligent Transportation System (ITS), this paper presents a method for investigating road state, speed, and road bottlenecks, without any extra investment and permissions for General Data Protection Regulation (GDPR) compliance procedures. The proposed analysis uses publicly available data of bus stations and buses. The analysis is performed on a chosen route as a numerical example, and the calculated speeds are illustrated on a map. [ABSTRACT FROM AUTHOR]

Published

2022

12. Pre-installed cameras in vehicles—New technology from a data protection law perspective.

Author

Christensen, Tanja Kammersgaard

Subjects

*TECHNOLOGY, *DATA protection laws, *GENERAL Data Protection Regulation, 2016, *PERSONALLY identifiable information, *CAMERAS

Abstract

This article assesses whether the rules of the General Data Protection Regulation (GDPR) apply to cameras installed in vehicles, as well as how their use can be GDPR compliant and who is ultimately responsible for this. With the adoption of the GDPR, citizens of the EU now benefit from increased protection of their privacy, as the purpose of the Regulation is to lay down rules on the protection of natural persons in connection with the processing of personal data. The Regulation sets out several conditions for when and how personal data may be processed. These are reviewed in the following with a focus on cameras in cars. [ABSTRACT FROM AUTHOR]

Published

2024

13. The right to self-determination in the digital platform economy.

Author

Pisani, Giacomo

Subjects

*AUTONOMY (Psychology), *GENERAL Data Protection Regulation, 2016, *SUBSIDIARITY, *BIG data, *DATA protection

Abstract

The power wielded by platforms under "algorithmic governmentality" threatens people's ability to freely self-determine. The European data protection law and, in particular, the GDPR, provide the data subject with certain rights to exercise their own informational self-determination. However, the individual setting of these rights makes them very limited. I will outline a co-regulation proposal that allows subjects to actively participate in the definition of rules for the platform economy. This would allow subjects to self-determine themselves, while giving adequate representation to the collective interests implied in algorithmic relationships. [ABSTRACT FROM AUTHOR]

Published

2024

14. Data Protection Impact Assessment under the EU General Data Protection Regulation: A feminist reflection.

Author

Calvi, Alessandra

Subjects

*DATA protection, *GENERAL Data Protection Regulation, 2016, *INTERSECTIONALITY, *CIVIL rights, *FEMINISTS

Abstract

Can the Data Protection Impact Assessment (DPIA) under Article 35 General Data Protection Regulation (GDPR) address the power imbalances between those in control of information and the most vulnerable and marginalised persons to whom this information refers? Put another way, can DPIA be considered a feminist tool? Whilst data protection scholars and regulators consider DPIA a promising instrument for the protection of the fundamental rights threatened by personal data processing, particularly when performed by automated systems, a feminist critique thereof, essential to comprehensively evaluate whether such optimism is justified, is still missing. This contribution addresses this knowledge gap using a combination of doctrinal and non-doctrinal analysis, feminist legal methods and intersectionality. Building on the state of the art about DPIA, I revisit its advantages and drawbacks through feminist lenses, concluding that DPIA cannot be considered a feminist tool as such. Yet, it could still serve feminist goals and become an empowering instrument for data subjects. For that, my proposals are to incorporate feminist legal methods and intersectionality principles in the process and to conceptualise a "right to DPIA". [ABSTRACT FROM AUTHOR]

Published

2024

15. GDPR and data sharing: the Pediatric Cancer Data Commons experience.

Author

Wyatt, Kirk D, Minard-Colin, Véronique, Schleiermacher, Gudrun, Willi, Michaela, and Volchenboum, Samuel L

Subjects

*CHILDHOOD cancer, *INFORMATION sharing, *GENERAL Data Protection Regulation, 2016, *COMMONS

Published

2024

16. Understanding the protection of privacy when counting subway travelers through anonymization.

Author

Shafaeipour, Nadia, Stanciu, Valeriu-Daniel, van Steen, Maarten, and Wang, Mingshu

Subjects

*GENERAL Data Protection Regulation, 2016, *SUBWAYS, *PUBLIC transit, *CITIES & towns, *PRIVACY, *INFORMATION & communication technologies

Abstract

Public transportation, especially in large cities, is critical for livability. Counting passengers as they travel between stations is crucial to establishing and maintaining effective transportation systems. Various information and communication technologies, such as GPS, Bluetooth, and Wi-Fi, have been used to measure people's movements automatically. Regarding public transportation applications, the automated fare collection (AFC) system has been widely adopted as a convenient method for measuring passengers, mainly because it is relatively easy to identify card owners uniquely and, as such, the movements of their card holders. However, there are serious concerns regarding privacy infringements when deploying such technologies, to the extent that Europe's General Data Protection Regulation has forbidden straightforward deployment for measuring pedestrian dynamics unless explicit consent has been provided. As a result, privacy-preservation techniques (e.g., anonymization) must be used when deploying such systems. Against this backdrop, we investigate to what extent a recently developed anonymization technique, known as detection k-anonymity, can be adapted to count public transportation travelers while preserving privacy. In the case study, we tested our methods with data from Beijing subway trips. Results show different scenarios when detection k-anonymity can be effectively applied and when it cannot. Due to the complicated relationship between the detection k-anonymity parameters, setting the proper parameter values can be difficult, leading to inaccurate results. Furthermore, through detection k-anonymity, it is possible to count travelers between two locations with high accuracy. However, counting travelers from more than two locations leads to more inaccurate results. • A new anonymization technique, detection k-anonymity, is investigated for its suitability to count public transportation travelers. • The current privacy preservation strategies rely on replacing actual identifiers with pseudonyms, but more is needed to protect privacy. • K-anonymity can be effectively applied to count travelers between two locations with high accuracy. • A study on real-world data finds that setting proper parameter values can be difficult, leading to inaccurate results. [ABSTRACT FROM AUTHOR]

Published

2024

17. The impact of GDPR on data sharing for European cancer research.

Author

Lawlor, Rita T

Subjects

*INFORMATION sharing, *CANCER research, *GENERAL Data Protection Regulation, 2016

Published

2023

18. Integrated privacy decision in BPMN clinical care pathways models using DMN.

Author

Essefi, Intidhar, Rahmouni, Hanene Boussi, and Ladeb, Mohamed Fethi

Subjects

CLINICAL medicine, GENERAL Data Protection Regulation, 2016, SELF, PRIVACY, PERSONALLY identifiable information

Abstract

Personal data is highly affected by the witnessed digital transformation of healthcare processes. This process relies deeply on the connectivity and decentralization of healthcare systems and data repositories. In this context, value creation and quality enhancement are obviously leveraged, however both health providers and individuals could be exposed to many risks ranging from privacy violations to medical identity theft and personal harm. Hence, it is essential that healthcare stakeholders ensure privacy protection and systemic compliance to personal data regulations such as HIPPA (Health Insurance Portability and Accountability Act) and GDPR (General Data Protection Regulation). Taking clinical processes as a starting point is very important to highlight the personal data in use and to assess whether such usage is justifiable and subsequently allow privacy management decisions to be made. In this paper we combine BPMN (Business Process Model and Notation) and DMN (Decision Model and Notation) to model clinical care pathways as standard business processing constituting the hospital information system. Business process modelling presents a useful mean to model clinical care pathways. It allows a complete discovery of data processing scenarios. DMN (Decision Model and Notation) is implemented in BPMN models to present the rules that lead to a decision in easy-to-read tables which are executed directly by a decision engine. In addition, the integration of verifiable security labels of the manipulated data, we make sure compliance to legislation is ensured at the level of decision rules for each decision table of the DMN. [ABSTRACT FROM AUTHOR]

Published

2022

19. A Gender Perspective on GDPR and Information Privacy.

Author

Sørum, Hanne, Eg, Ragnhild, and Presthus, Wanda

Subjects

DATA privacy, GENERAL Data Protection Regulation, 2016, RIGHT of privacy, GENDER differences (Sociology)

Abstract

With the introduction of The General Data Protection Regulation (GDPR) in 2018, European citizens were granted stronger privacy protection. Despite privacy and GDPR being frequent topics of discussion, many consumers lack knowledge on how personal data are harvested for business purposes, and they are unaware of their rights. Drawing on a larger survey conducted in a Norwegian university college, this study investigates gender differences in privacy behaviour (n=444). We offer three insights. The results revealed that (1) respondents' concern for privacy does not differ across gender, but men claimed to experience slightly more control over their personal data compared to women. (2) Exercising privacy rights were comparable across gender as women and men reported the same inclination to act on rights granted by GDPR. (3) Willingness to share information in return for benefits depended on the information in question. Men and women agreed in their willingness to exchange name and e-mail. However, women were less willing than men to give up more sensitive information, yet more willing to give up date of birthday, TV viewing history and shopping history. Our insights bring attention to a possible link between experienced control over own data and willingness to exchange data for benefits, highlighting a potential mediating relationship that could be worthwhile pursuing. [ABSTRACT FROM AUTHOR]

Published

2022

20. Moral bureaucracies and social network research.

Author

Molina, José Luis and Borgatti, Stephen P.

Subjects

SOCIAL networks, SOCIAL science research, SOCIAL scientists, GENERAL Data Protection Regulation, 2016, BUREAUCRACY

Abstract

• Personal data laws convert social network research into a source of potential hazards. • Moral bureaucracies impose precautionary measures on research projects with even minimal risk. • Researchers will likely make "safe" research decisions (methods, populations, and sites). • Scientific societies should promote social-science-specialized ethics committees. In the wake of Europe's General Data Protection Regulation (GDPR), research ethics governance does not just affect the ethical dimensions of social research but also the range of scientific decisions available to researchers. Because of the sensitive status of personal data and the aversion to even minimal risk by what we call "moral bureaucracies", we are concerned that social network researchers will increasingly limit their research decisions to "safe" options, like reusing anonymized datasets, choosing target populations based on convenience rather than theoretical relevance, and routinely subcontracting fieldwork to professional data collection companies, among others. We also suggest that scientific associations and social scientists in general need to adopt a proactive role in preserving both scientific freedom and genuine ethics advice within this new regulatory framework. [ABSTRACT FROM AUTHOR]

Published

2021

21. Implementing local-explainability in Gradient Boosting Trees: Feature Contribution.

Author

Delgado-Panadero, Ángel, Hernández-Lorca, Beatriz, García-Ordás, María Teresa, and Benítez-Andrades, José Alberto

Subjects

*GENERAL Data Protection Regulation, 2016, *ARTIFICIAL intelligence, *DATA protection laws, *ETHICAL problems, *DECISION trees

Abstract

• Introduce a new algorithm for Gradient Boosting Decision Trees. • The method allows the exact sequence of decisions of the ensemble to be calculated. • This method allows the thresholds and features of each decision to be obtained. Gradient Boost Decision Trees (GBDT) is a powerful additive model based on tree ensembles. Its nature makes GBDT a black-box model even though there are multiple explainable artificial intelligence (XAI) models obtaining information by reinterpreting the model globally and locally. Each tree of the ensemble is a transparent model itself but the final outcome is the result of a sum of these trees and it is not easy to clarify. In this paper, a feature contribution method for GBDT is developed. The proposed method takes advantage of the GBDT architecture to calculate the contribution of each feature using the residue of each node. This algorithm allows to calculate the sequence of node decisions given a prediction. Theoretical proofs and multiple experiments have been carried out to demonstrate the performance of our method which is not only a local explicability model for the GBDT algorithm but also a unique option that reflects GBDTs internal behavior. The proposal is aligned to the contribution of characteristics having impact in some artificial intelligence problems such as ethical analysis of Artificial Intelligence (AI) and comply with the new European laws such as the General Data Protection Regulation (GDPR) about the right to explain and nondiscrimination. [ABSTRACT FROM AUTHOR]

Published

2022

22. Tell me something new: data subject rights applied to inferred data and profiles.

Author

Custers, Bart and Vrabec, Helena

Subjects

*PERSONALLY identifiable information, *GENERAL Data Protection Regulation, 2016, *DATA protection, *DIGITAL technology, *ONLINE profiling

Abstract

The EU General Data Protection Regulation (GDPR) contains several data subject rights, but for many of these rights it is not entirely clear how they should work in practice, especially in digital environments. Most data subject rights apply to personal data obtained directly or indirectly from the data subject. This is often personal data that data subjects already are familiar with, i.e., things they already know about themselves. Unclear, however, is to what extent ascribed personal data, such as inferred data and categories or profiles in which data subjects are placed by data controllers, are within the scope of these rights. Such ascribed personal data often concerns novel information, generated by data controllers, and includes insights into how controllers view and assess them, which may have practical and legal impact on data subjects. Given these characteristics, the ascribed personal data may be much more interesting to data subjects, so it appears beneficial, from the policy perspective, to have this novel information included in the scope of data subject rights. If data subject rights do not apply to inferred data and profiles, invoking these rights is unlikely to be informative and provide meaningful information for data subjects, particularly in complex, digital environments. However, if data subject rights do apply to inferred data and profiles, the scope of these rights may be hard to delineate and they may quickly interfere with rights and freedoms of others, including trade secrets of data controllers and privacy rights of other data subjects. In this article, we investigate the implications of applying data subject rights to inferred data and profiles. For each data subject right in the GDPR, we assess which types of personal data could and perhaps should be in scope, based on grammatical and teleological legal analyses as well as practical considerations. While the area of data subject rights received significant academic attention in the past years, our article contributes to the discussion by providing a systematic, holistic framework to consider the scope of the rights in relation to ascribed data. [ABSTRACT FROM AUTHOR]

Published

2024

23. Privacy icons as a component of effective transparency and controls under the GDPR: effective data protection by design based on art. 25 GDPR.

Author

von Grafenstein, Max, Kiefaber, Isabel, Heumüller, Julie, Rupp, Valentin, Graßl, Paul, Kolless, Otto, and Puzst, Zsófia

Subjects

*DATA protection, *DATA privacy, *GENERAL Data Protection Regulation, 2016, *INFORMATION technology, *COOKIES (Computer science)

Abstract

Understandable privacy information builds trust with users and therefore provides an important competitive advantage for the provider. However, designing privacy information that is both truthful and easy for users to understand is challenging. There are many complex balancing decisions to be made, not only with respect to legal but also visual and user experience design issues. This is why designing understandable privacy information requires combining at least three disciplines that have had little to do with each other in current practice: law, visual design, and user experience design research. The challenges of combining all three disciplines actually culminate in the design and use of Privacy Icons, which are expected to make lengthy legal texts clear and easy to understand (see Art. 12 sect. 7 of the EU General Data Protection Regulation). However, that is much easier said than done. In this paper, we summarise our key learnings from a five years research process on how to design Privacy Icons as a component of effective transparency and user controls. We will provide examples of information and control architectures for privacy policies, forms of consent (especially in the form of cookie banners), privacy dashboards and consent agents in which Privacy Icons may be embedded, 2) a non-exhaustive set of more than 150 Privacy Icons, and above all 3) a concept and process model that can be used to implement the requirements of the GDPR in terms of transparency and user controls in an effective way, according to the data protection by design approach in Art. 25 sect. 1 GDPR. The paper will show that it is a rocky road to the stars and we still haven't arrived – but at least we know how to go. [ABSTRACT FROM AUTHOR]

Published

2024

24. Substantive fairness in the GDPR: Fairness Elements for Article 5.1a GDPR.

Author

Häuselmann, Andreas and Custers, Bart

Subjects

*GENERAL Data Protection Regulation, 2016, *FAIRNESS, *PERSONALLY identifiable information, *DATA protection laws, *ANTITRUST law

Abstract

According to the fairness principle in Article 5.1a of the EU General Data Protection Regulation (GDPR), data controllers must process personal data fairly. However, the GDPR fails to explain what is fairness and how it should be achieved. In fact, the GDPR focuses mostly on procedural fairness: if personal data are processed in compliance with the GDPR, for instance, by ensuring lawfulness and transparency, such processing is assumed to be fair. Because some forms of data processing can still be unfair, even if all the GDPR's procedural rules are complied with, we argue that substantive fairness is also an essential part of the GDPR's fairness principle and necessary to achieve the GDPR's goal of offering effective protection to data subjects. Substantive fairness is not mentioned in the GDPR and no guidance on substantive fairness is provided. In this paper, we provide elements of substantive fairness derived from EU consumer law, competition law, non-discrimination law, and data protection law that can help interpret the substantive part of the GDPR's fairness principle. Three elements derived from consumer protection law are good faith, no detrimental effects, and autonomy (e.g., no misleading or aggressive practices). We derive the element of abuse of dominant position (and power inequalities) from competition law. From other areas of law, we derive non-discrimination, vulnerabilities, and accuracy as elements relevant to interpreting substantive fairness. Although this may not be a complete list, cumulatively these elements may help interpret Article 5.1a GDPR and help achieve fairness in data protection law. [ABSTRACT FROM AUTHOR]

Published

2024

25. Clarifying "personal data" and the role of anonymisation in data protection law: Including and excluding data from the scope of the GDPR (more clearly) through refining the concept of data protection.

Author

Rupp, Valentin and von Grafenstein, Max

Subjects

*DATA protection laws, *GENERAL Data Protection Regulation, 2016, *DATA protection, *PERSONALLY identifiable information, *DATA privacy

Abstract

In a data-driven society, the collection and processing of data is essential to the operation of existing technologies and the development of new ones. Data protection law protects individuals against risks associated with the processing of "personal data". However, despite an intensive legal debate, there is still considerable uncertainty as to when data is personal data and when it is not. The reason for this is that data such as technical data or geo-location data usually is not "personal" per se but only when it is used for a specific purpose and in a specific way, or to be more precise, when the data processing causes a specific risk to a fundamental right of an individual. In our paper, we demonstrate that by focusing on these risks when assessing the scope of application, the question whether data falls into the scope of the General Data Protection Regulation (GDPR) or not becomes much clearer. The about, purpose, and result elements, introduced by the Art. 29 Working Party, thereby turn out to be a powerful set of analytical tools to determine which rights are specifically affected by data processing and, thus, to what extent a data subject is identified or identifiable in the processing context. While the about element addresses different risks to the right to privacy, the purpose element specifically reveals risks to the autonomy status of an individual. Finally, the result element focuses on the negative effect data processing can have on any other fundamental rights of the individual. On this basis, it is also possible to define more precisely the legal requirements for anonymising personal data. First of all, we illustrate that anonymisation mainly affects the about element and can do little "against" the purpose and result element. At least, however, by assessing which sphere of privacy is specifically concerned, it is possible to more precisely define when an individual is identified in a dataset and, thus, what the requirements for anonymization are. [ABSTRACT FROM AUTHOR]

Published

2024

26. From insight to compliance: Appropriate technical and organisational security measures through the lens of cybersecurity maturity models.

Author

Koolen, Christof, Wuyts, Kim, Joosen, Wouter, and Valcke, Peggy

Subjects

*INTERNET security, *GENERAL Data Protection Regulation, 2016, *INTELLECTUAL property, *RISK assessment, *INFORMATION technology

Abstract

Cybersecurity is a much-debated topic in both technical and legal scholarship. With contemporary business models hinging on highly performant information systems, there is increased awareness among entrepreneurs that security incidents often have devastating consequences on undertakings' revenue streams, intellectual property, and brand reputation. As a result, there is an increased focus on the obligation to implement cybersecurity measures. In the context of the GDPR, cybersecurity obligations seem to converge on the requirement to deploy 'appropriate technical and organisational measures' in order to ensure a level of security commensurate with the risks posed to an organisation. Yet, given the complex and rapidly evolving nature of the subject matter, the precise meaning and scope of these obligations remain unclear. This contribution offers guidance on how to assess the concept of 'appropriate technical and organisational measures' by considering it through the lens of cybersecurity maturity models. Accordingly, this article provides anchorage to scholarly audiences when scrutinizing the extent to which privacy and security measures qualify as 'appropriate' in the context of liability claims and actions for damages, thereby creating an opportunity to move from technical insight to legal compliance. [ABSTRACT FROM AUTHOR]

Published

2024

27. In principle vs in practice: User, expert and policymaker attitudes towards the right to data portability in the internet of things.

Author

Turner, Sarah and Tanczer, Leonie Maria

Subjects

*INTERNET of things, *DATA protection, *GENERAL Data Protection Regulation, 2016, *DIGITAL technology, *DATA privacy

Abstract

The right to data portability (RtDP) was enshrined in law with the introduction of the EU's General Data Orotection Regulation (GDPR, Article 20) in 2018. RtDP gives a user the right to obtain and transfer their data to a different service, and the data controller the obligation to facilitate this transfer. Since GDPR's implementation, RtDP has been highlighted in the Digital Markets Act (DMA; 2022) and the proposed Data Act. Despite these reinforcements, there are gaps in understanding of RtDP amongst digital service users. Additionally, many organisations struggle to facilitate data transfer, particularly when it comes to the Internet of Things (IoT). This study examines the attitudes towards IoT data portability by conducting semi-structured interviews with users of consumer IoT devices (n = 28), academics/industry experts (n = 11) and policymakers (n = 8). Results indicate that whilst policymakers and consumers value this right in principle , it is rendered meaningless without a data subject's ability to exercise it in practice. A lack of guidance for data controllers and consumers has created an atmosphere of uncertainty which urgently needs to be addressed. [ABSTRACT FROM AUTHOR]

Published

2024

28. The European Health Data Space: An expanded right to data portability?

Author

Li, Wenkai and Quinn, Paul

Subjects

*ELECTRONIC health records, *ELECTRONIC data processing, *GENERAL Data Protection Regulation, 2016, *MEDICAL records, *INTERNETWORKING

Abstract

The European Commission recently released its proposal for a Regulation giving rise to a European Health Data Space (EHDS), as the first domain-specific common European data space under the European Union's data strategy. The proposed EHDS aims to improve access to and control by individuals of their personal electronic health data in primary use and increase data availability for secondary use purposes. This article is primarily concerned with the ambition to enhance the right of natural persons to data portability and promote interoperability in the health sector. This article seeks to delineate to what extent they represent a new and expanded right alongside the right to data portability provided in the General Data Protection Regulation (GDPR). In comparing this new expanded right to the original right outlined in Article 20 of the GDPR, the authors argue that Article 3(8) of the EHDS proposal represents an important expansion with the potential to allow individuals more possibility to control and mobilise their electronic health data, especially those elements located within Electronic Health Records (EHRs). This will also be facilitated by the strengthened interoperability requirements foreseen by the EHDS proposal. However, this paper also identifies several limitations and inconsistencies in the new data portability right which could potentially hinder its functioning. This notably includes the proposal's failure to take into account the need for data portability for secondary use purposes, and the unclear relationship of Article 3(8) of the proposal with Article 9 of the GDPR. It is recommended that these points should be considered carefully in future versions of the EHDS proposal. [ABSTRACT FROM AUTHOR]

Published

2024

29. Licensing high-risk artificial intelligence: Toward ex ante justification for a disruptive technology.

Author

Malgieri, Gianclaudio and Pasquale, Frank

Subjects

*ARTIFICIAL intelligence, *DIGITAL technology, *GENERAL Data Protection Regulation, 2016, *DATA protection, EUROPEAN law

Abstract

The regulation of artificial intelligence (AI) has heavily relied on ex post, reactive tools. This approach has proven inadequate, as numerous foreseeable problems arising out of commercial development and applications of AI have harmed vulnerable persons and communities, with few (and sometimes no) opportunities for recourse. Worse problems are highly likely in the future. By requiring quality control measures before AI is deployed, an ex ante approach would often mitigate and sometimes entirely prevent injuries that AI causes or contributes to. Licensing is an important tool of ex ante regulation, and should be applied in many high-risk domains of AI. Indeed, policymakers and even some leading AI developers and vendors are calling for licensure in the area. To substantiate licensing proposals, this article specifies optimal terms of licensure for AI necessary to justify its use. Given both documented and potential harms arising out of high-risk AI systems, licensing agencies should require firms to demonstrate that their AI meets clear requirements for security, non-discrimination, accuracy, appropriateness, and correctability before being deployed. Under this ex ante model of regulation, AI developers would bear the burden of proof to demonstrate that their technology is not discriminatory, not manipulative, not unfair, not inaccurate, and not illegitimate in its lawful bases and purposes. While the European Union's General Data Protection Regulation (GDPR) can provide key benchmarks here for ex post regulation, the proposed AI Act (AIA) offers a first regulatory attempt towards an ex ante licensure regime in high-risk areas, but it should be strengthened through an expansion of its scope and substantive content and through greater transparency of the ex ante justification process. [ABSTRACT FROM AUTHOR]

Published

2024

30. How the GDPR can contribute to improving geographical research.

Author

Meijering, Louise, Osborne, Tess, Hoorn, Esther, and Montagner, Cristina

Subjects

GENERAL Data Protection Regulation, 2016, DATA management, DATA protection

Abstract

As geographers, we often work with personal data, meaning that the European Union's General Data Protection Regulation (GDPR) can have a major impact upon our research. The GDPR is a set of legal requirements that serves to ensure the protection of personal data. In this paper, we reflect on our experiences of how the GDPR impacts upon the planning and conduct of (international) geographical research; and develop good data protection practices for geography. In so doing, we explore the Data Protection Impact Assessment (DPIA) as a method to explore data protection and privacy issues and discuss three relevant issues for geographers in relation to the GDPR: (1) informing research participants; (2) data management; and (3) international collaboration. Although it is time-consuming to make a project 'GDPR proof', the process helps researchers to thoroughly think through its privacy implications at an early stage. Thus, the GDPR does not make geographical research impossible, but rather contributes to making it more effective and fairer. [ABSTRACT FROM AUTHOR]

Published

2020

31. Associations between genomic merit for daughter pregnancy rate of Holstein cows and metabolites postpartum and estrus characteristics.

Author

Chebel, Ricardo C. and Veronese, Anderson

Subjects

*ESTRUS, *OVULATION, *FREE fatty acids, *HOLSTEIN-Friesian cattle, *PREGNANCY, *COWS, *GENERAL Data Protection Regulation, 2016

Abstract

Genetic selection of Holstein cattle in the past 2 decades has seen an increased attention to fertility traits. Our hypotheses were that genomic merit for daughter pregnancy rate (GDPR) is positively associated with metabolic responses, hazard of estrus, and estrus characteristics. Pregnant heifers (n = 821) from one herd that were genotyped within 2 mo of birth (Clarifide, Zoetis, Parsippany, NJ) were fitted with automated monitoring devices (SCR Inc., Netanya, Israel) −21 ± 14 d relative to calving. Estrus characteristics recorded from calving to 62 d postpartum were evaluated. Blood samples were collected weekly from a subsample (n = 499) of cows, from 7 to 28 d postpartum, for determination of insulin-like growth factor-1, glucose, and nonesterified fatty acids. Cows received artificial insemination or embryo transfer following detected estrus and those not detected in estrus were submitted to an ovulation synchronization protocol starting at 75 d in milk. Linear and quadratic associations between GDPR and outcomes were analyzed, but when appropriate, results are presented according to GDPR quartile (Q1 = −1.8 to 0.8; Q2 = 0.9 to 1.7; Q3 = 1.8 to 2.5; Q4 = 2.6 to 5.9) based on the parameter estimates of the multivariable models. Genomic merit for daughter pregnancy rate was positively associated with insulin-like growth factor-1 (Q1 = 24.3 ± 0.2; Q2 = 26.8 ± 0.2; Q3 = 28.2 ± 0.2; Q4 = 30.6 ± 0.3 ng/mL) and glucose (Q1 = 67.0 ± 0.1; Q2 = 69.1 ± 0.2; Q3 = 69.6 ± 0.2; Q4 = 70.8 ± 0.2 mg/dL) concentrations, but GDPR was negatively associated with nonesterified fatty acid concentration (Q1 = 281.2 ± 4.9; Q2 = 262.0 ± 5.9; Q3 = 239.3 ± 5.0; Q4 = 221.6 ± 4.7 μmol/L). A positive association was observed between GDPR and hazard of estrus [adjusted hazard ratio and 95% confidence interval = 1.16 (1.06, 1.28)] and number of estrus events (Q1 = 0.50 ± 0.03; Q2 = 0.62 ± 0.04; Q3 = 0.74 ± 0.05; Q4 = 0.86 ± 0.06) within 62 d postpartum, duration of estrus (Q1 = 14.10 ± 0.04; Q2 = 14.48 ± 0.04; Q3 = 14.67 ± 0.04; Q4 = 14.98 ± 0.04 h), probability of activity peak (0 = no estrus, 100 = maximum activity) ≥86 (Q1 = 0.80 ± 0.03; Q2 = 0.83 ± 0.02; Q3 = 0.83 ± 0.03; Q4 = 0.85 ± 0.2), and probability of heat index ≥86 (Q1 = 0.77 ± 0.04; Q2 = 0.81 ± 0.05; Q3 = 0.83 ± 0.03; Q4 = 0.86 ± 0.03). Conversely, GDPR was negatively associated with rumination nadir at estrus (Q1 = −35.5 ± 0.1; Q2 = −37.0 ± 0.1; Q3 = −38.0 ± 0.1; Q4 = −39.6 ± 0.1 min). We detected a positive association between GDPR and hazard of pregnancy (adjusted hazard ratio = 1.11, 95% confidence interval = 1.03, 1.19). Selection for GDPR may improve the hormonal and metabolic status of cows postpartum, leading to earlier resumption of cyclicity, and may improve detection of estrus in commercial herds because it was positively associated with estrus characteristics. [ABSTRACT FROM AUTHOR]

Published

2020

32. Éthique de la recherche : réglementations françaises et applications en oncologie radiothérapie.

Author

Haaser, T., Berdaï, D., Trouette, R., Dupin, C., Marty, S., L'Azou, B., Berger, V., and Saux, M.-C.

Subjects

*HUMAN beings, *ONCOLOGY, *INFORMATION retrieval, *GENERAL Data Protection Regulation, 2016, *ETHICS

Abstract

La réglementation française en termes d'éthique de la recherche s'est structurée autour de la loi Jardé qui définit les recherches impliquant les personnes humaines. Les recherches impliquant la personne humaine nécessitent notamment une soumission des protocoles à un comité de protection des personnes avec une liste précise des documents à présenter en vue de l'obtention d'un avis favorable. La loi Jardé définit différentes catégories de recherches et conditionne les démarches éthiques à réaliser avant la mise en place d'un protocole de recherche. Cet enjeu de catégorisation est central et doit faire partie intégrante de la réflexion des chercheurs dès le début du processus de recherche. Les recherches considérées comme n'impliquant la personne humaine nécessitent-elles aussi un ensemble de précautions éthiques centrées sur l'information et le recueil de la non-opposition des personnes, en lien avec l'application du Règlement général sur la protection des données adopté par le Parlement européen ? Ainsi, de nombreuses références réglementaires existent et imposent un véritable travail en amont afin de respecter ces exigences en éthique de la recherche. Cet article a pour but de résumer les réglementations actuelles en se basant sur des exemples s'appliquant spécifiquement au champ de la recherche en oncologie radiothérapie. French regulations about research ethics are based on the so-called Jardé law, which defines researches involving human beings. Researches involving human beings require the submission of research protocols to a committee for protection of persons with a precise list of documents to submit for a favourable opinion. This law describes different categories of researches and determines the ethical procedures to apply before setting up a research protocol. This issue of categorisation is central and must be taken into account by researchers from the beginning of the research process. Researches considered as not involving human beings also require a set of ethical precautions focused on patients' information and the collection of their non-opposition (due to the application of the General Data Protection Regulation adopted by the European Parliament). Thus, many regulations exist and they require a real work for researchers to meet these requirements in research ethics. This article aims to summarise French regulations. Selected examples are specifically taken into the field of radiation oncology research. [ABSTRACT FROM AUTHOR]

Published

2020

33. Towards evaluating GDPR compliance in IoT applications.

Author

Kaneen, Christos Karageorgiou and Petrakis, Euripides G.M.

Subjects

GENERAL Data Protection Regulation, 2016, PERSONALLY identifiable information

Abstract

The General Data Protection Regulation (GDPR) was created for regulating how organizations that collect personal data process and protect it. In cases of digital handling of personal data, GDPR compliance must be proven by analyzing the actions that a system applies in order to gather, process and safeguard the data. We advocate that compliance must be considered in the design phase of the system, by analyzing the dependencies between system entities (e.g. personal data, users etc.) and the processes enacted upon them. Then, it is possible to generate a series of data reports that can be assessed by regulators who inspect the system for GDPR compliance. However, there can not be a universal methodology that covers all application domains and systems. To show proof of concept, we apply the methodology to a remote patient monitoring service that runs in the cloud. [ABSTRACT FROM AUTHOR]

Published

2020

34. The thin border between individual and collective ethics: the downside of GDPR.

Author

Cagnazzo, Celeste

Subjects

*GENERAL Data Protection Regulation, 2016, *ETHICS

Published

2021

35. Recherche en santé et protection des données personnelles à l'heure du Règlement général relatif à la protection des données.

Author

Lesaulnier, Frédérique

Subjects

*GENERAL Data Protection Regulation, 2016, *PERSONALLY identifiable information, *DATA protection, *RESEARCH, FRENCH law

Abstract

La France dispose d'un cadre juridique très riche qui définit les conditions d'accès, d'utilisation et de partage des données de santé à des fins de recherche scientifique et en assure la protection. Ce cadre juridique est aujourd'hui en cours de refonte. Le Règlement du 27 avril 2016 relatif à la protection des personnes physiques à l'égard du traitement des données à caractère personnel, directement applicable dans les États membres depuis le 25 mai 2018, doit être articulé avec les autres dispositions de l'UE applicables à la recherche et avec le droit national. Cela fait du RGPD un règlement sui generis à mi-chemin entre un règlement et une directive. France has a very rich legal framework, which defines the conditions of access and use of health data for scientific research purposes and ensures their protection. Currently, this legal framework is undergoing revision. The European regulation of April 27th 2016 on protection of natural persons in relation to the processing of personal data came into effect in EU member states since 25th May 2018 and substitute a rationale of administrative process for a rationale that empowers the researchers to document and prove compliance with the regulation ("accountability"). This regulation must be coordinated with the other regulation applicable to research in UE and with national law. [ABSTRACT FROM AUTHOR]

Published

2019

36. La protection des données personnelles des patients face à la modernisation de notre système de santé.

Author

Siranyan, Valérie

Subjects

*INTERNET, *ARTIFICIAL intelligence, *PERSONALLY identifiable information, *GENERAL Data Protection Regulation, 2016, *MEDICAL personnel

Abstract

À l'ère de l'internet et du déploiement de l'intelligence artificielle, la collecte et le traitement de données personnelles deviennent un élément stratégique pour le développement de l'économie numérique. Une particulière attention devra être portée sur le respect des droits des personnes lors du recueil de renseignements touchant à la santé ou au corps. Le Règlement général sur la protection des données (RGPD) est entré en vigueur le 25 mai 2018. L'exercice des professionnels de santé établis dans un État membre, sera impacté dans la mesure où il peut s'appuyer sur des éléments cliniques ou biologiques des patients. With the Internet and the artificial intelligence, the collection of personal data is becoming a strategic element for the digital economy. The collection of information touching the health or the body must respect the patients' rights. The GDPR came into effect on May 25th, 2018. The healthcare professionals who are established in a Member state, must be careful because they can base their exercise on clinical or biological elements of their patients. [ABSTRACT FROM AUTHOR]

Published

2019

37. EU Update.

Subjects

*DATA protection laws, *INTERNET security, *GENERAL Data Protection Regulation, 2016, *DATA security failures, *BREXIT Referendum, 2016

Abstract

The article offers news briefs concerning computer law & security around the world, as of August 2019. Topics discussed include release of first General Data Protection Regulation fine in Italy by the Garante for the lack of implementation of privacy security measures following a data breach; impact of Brexit on cybersecurity in Great Britain; and plans of British government to not apply these restrictions on transfers of personal data to the European Economic Area (EEA) following Brexit.

Published

2019

38. EU GDPR or APEC CBPR? A comparative analysis of the approach of the EU and APEC to cross border data transfers and protection of personal data in the IoT era.

Author

Sullivan, Clare

Subjects

*GENERAL Data Protection Regulation, 2016, *COMPARATIVE studies, *DATA protection, *INTERNET of things

Abstract

This article examines the two major international data transfer schemes in existence today – the European Union (EU) model which at present is effectively the General Data Protection Regulation (GDPR), and the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules system (CBPR), in the context of the Internet of Things (IoT). While IoT data ostensibly relates to things i.e. products and services, it impacts individuals and their data protection and privacy rights, and raises compliance issues for corporations especially in relation to international data flows. The GDPR regulates the processing of personal data of individuals who are EU data subjects including cross border data transfers. As an EU Regulation, the GDPR applies directly as law to EU member nations. The GDPR also has extensive extraterritorial provisions that apply to processing of personal data outside the EU regardless of place of incorporation and geographical area of operation of the data controller/ processor. There are a number of ways that the GDPR enables lawful international transfer of personal data including schemes that are broadly similar to APEC CBPR. APEC CBPR is the other major regional framework regulating transfer of personal data between APEC member nations. It is essentially a voluntary accountability scheme that initially requires acceptance at country level, followed by independent certification by an accountability agent of the organization wishing to join the scheme. APEC CBPR is viewed by many in the United States of America (US) as preferable to the EU approach because CBPR is considered more conducive to business than its counterpart schemes under the GDPR, and therefore is regarded as the scheme most likely to prevail. While there are broad areas of similarity between the EU and APEC approaches to data protection in the context of cross border data transfer, there are also substantial differences. This paper considers the similarities and major differences, and the overall suitability of the two models for the era of the Internet of Things (IoT) in which large amounts of personal data are processed on an on-going basis from connected devices around the world. This is the first time the APEC and GDPR cross-border data schemes have been compared in this way. The paper concludes with the author expressing a view as to which scheme is likely to set the global standard. [ABSTRACT FROM AUTHOR]

Published

2019

39. The impact of GDPR on European Name & Shame tax defaulter lists.

Author

Olivares Olivares, Bernardo D.

Subjects

*GENERAL Data Protection Regulation, 2016, *CIVIL rights, *DATA protection, *TAXATION, *CITIZENS

Abstract

This research analyses and compares tax defaulters' lists in Europe from the legal perspective arising from the introduction of the General Data Protection Regulation. We examined various regulatory systems which reflect a cross section of these 'Name & Shame' lists in Greece, Ireland, Portugal, Spain and the United Kingdom. Our findings indicated some legal aspects that contravene the GDPR rules. As a solution we propose a minimum standard model that allows for the publication of tax defaulter information without impinging on citizens' fundamental rights. [ABSTRACT FROM AUTHOR]

Published

2019

40. Bitcoin and the GDPR: Allocating responsibility in distributed networks.

Author

Buocz, Thomas, Ehrke-Rabel, Tina, Hödl, Elisabeth, and Eisenberger, Iris

Subjects

*BITCOIN, *GENERAL Data Protection Regulation, 2016, *ELECTRONIC data processing, *CRYPTOCURRENCIES

Abstract

Abstract This article uses the example of the cryptocurrency Bitcoin and the General Data Protection Regulation (GDPR) to show how distributed networks challenge existing legal mechanisms of allocating responsibility. The Bitcoin network stores personal data by automated means. Furthermore, full nodes qualify as establishments and the network offers a service to citizens in the EU. The data processing within the Bitcoin network therefore falls into the material and territorial scope of the GDPR. To protect data subjects, the GDPR allocates responsibility to the controller, who determines the 'how' and the 'why' of the data processing. However, the distributed structure of the Bitcoin network blurs the lines between actors who are responsible and actors who are worth protecting. Neither the Bitcoin users running lightweight nodes or full nodes nor the miners determine the 'how' and the 'why' of the data processing. They carry out their network activities according to the Bitcoin protocol, which can only be adopted and enforced by a collective of full nodes and miners. Members of this collective are joint controllers under Article 26 GDPR, which obliges them to clearly and transparently determine their respective responsibilities for compliance with the GDPR. However, this mechanism fails because of the very structure it aims to eliminate. Therefore, a solution to allocating responsibility for data protection in distributed networks lies outside the GDPR. [ABSTRACT FROM AUTHOR]

Published

2019

41. Algorithms that forget: Machine unlearning and the right to erasure.

Author

Juliussen, Bjørn Aslak, Rui, Jon Petter, and Johansen, Dag

Subjects

*RIGHT to be forgotten, *MACHINE learning, *GENERAL Data Protection Regulation, 2016, *ELECTRONIC data processing, *DISCLOSURE laws

Abstract

Article 17 of the General Data Protection Regulation (GDPR) contains a right for the data subject to obtain the erasure of personal data. The right to erasure in the GDPR gives, however, little clear guidance on how controllers processing personal data should erase the personal data to meet the requirements set out in Article 17. Machine Learning (ML) models that have been trained on personal data are downstream derivatives of the personal data used in the training data set of the ML process. A characteristic of ML is the non-deterministic nature of the learning process. The non-deterministic nature of ML poses significant difficulties in determining whether the personal data in the training data set affects the internal weights and adjusted parameters of the ML model. As a result, invoking the right to erasure in ML and to erase personal data from a ML model is a challenging task. This paper explores the complexities of enforcing and complying with the right to erasure in a ML context. It examines how novel developments in machine unlearning methods relate to Article 17 of the GDPR. Specifically, the paper delves into the intricacies of how personal data is processed in ML models and how the right to erasure could be implemented in such models. The paper also provides insights into how newly developed machine unlearning techniques could be applied to make ML models more GDPR compliant. The research aims to provide a functional understanding and contribute to a better comprehension of the applied challenges associated with the right to erasure in ML. [ABSTRACT FROM AUTHOR]

Published

2023

42. Disentangling private classes through regularization.

Author

Tartaglione, Enzo, Gennari, Francesca, Quétu, Victor, and Grangetto, Marco

Subjects

*DEEP learning, *GENERAL Data Protection Regulation, 2016, *ARTIFICIAL intelligence, *ARTIFICIAL neural networks, *DATA privacy, *ELECTRONIC data processing

Abstract

Deep learning models are nowadays broadly deployed to solve an incredibly large variety of tasks. However, little attention has been devoted to connected legal aspects. In 2016, the European Union approved the General Data Protection Regulation which entered into force in 2018. Its main rationale was to protect the privacy and data protection of its citizens by the way of operating the so-called "Data Economy". As data is the fuel of modern Artificial Intelligence, it is argued that the GDPR can be partly applicable to a series of algorithmic decision-making tasks before a more structured AI Regulation enters into force. In the meantime, AI should not allow undesired information leakage deviating from the purpose for which is created. In this work, we propose DisP, an approach for deep learning models disentangling the information related to some classes we desire to keep private, from the data processed by AI. In particular, DisP is a regularization strategy de-correlating the features belonging to the same private class at training time, hiding the information about private class membership. Our experiments on state-of-the-art deep learning models show the effectiveness of DisP, minimizing the risk of extraction for the classes we desire to keep private. [Display omitted] • We show that neural networks learn information not bound to the target task. • We model the private information with a parameter of the model. • We propose DisP, a differentiable proxy that aims at removing private information. • We provide a scientific contribution in the context of the GDPR regulation. • We show the effectiveness of the proposed approach in real scenarios. • We compare our approach with the most closely-related literature. [ABSTRACT FROM AUTHOR]

Published

2023

43. The thin red line: Refocusing data protection law on ADM, a global perspective with lessons from case-law.

Author

Demetzou, Katerina, Zanfir-Fortuna, Gabriela, and Vale, Sebastião Barros

Subjects

*DATA protection, *JUDGE-made law, *GENERAL Data Protection Regulation, 2016, *LEGISLATION, *COMPARATIVE law

Abstract

This article explores existing data protection law provisions in the EU and in six other jurisdictions from around the world - with a focus on Latin America - that apply to at least some forms of the processing of data typically part of an Artificial Intelligence (AI) system. In particular, the article analyzes how data protection law applies to "automated decision-making" (ADM), starting from the relevant provisions of EU's General Data Protection Regulation (GDPR). Rather than being a conceptual exploration of what constitutes ADM and how "AI systems" are defined by current legislative initiatives, the article proposes a targeted approach that focuses strictly on ADM and how data protection law already applies to it in real life cases. First, the article will show how GDPR provisions have been enforced in Courts and by Data Protection Authorities (DPAs) in the EU, in numerous cases where ADM is at the core of the facts of the case considered. After showing that the safeguards in the GDPR already apply to ADM in real life cases, even where ADM does not meet the high threshold in its specialized provision in Article 22 ("solely" ADM which results in "legal or similarly significant effects" on individuals), the article includes a brief comparative law analysis of six jurisdictions that have adopted general data protection laws (Brazil, Mexico, Argentina, Colombia, China and South Africa) and that are visibly inspired by GDPR provisions or its predecessor, Directive 95/46/EC, including those that are relevant for ADM. The ultimate goal of this study is to support researchers, policymakers and lawmakers to understand how existing data protection law applies to ADM and profiling. 1 1 The authors thank the reviewers of the CPDP Latin America 2022 Conference and this journal for their suggestions to improve the draft paper. We also thank our colleague Stefania Medrano for her research and translation support into Latin American jurisdictions. [ABSTRACT FROM AUTHOR]

Published

2023

44. French legal approach to patient consent in clinical research.

Author

Toulouse, Elisabeth, Lafont, Brigitte, Granier, Sophie, Mcgurk, Gordon, and Bazin, Jean-Etienne

Subjects

*INFORMED consent (Medical law), *GENERAL Data Protection Regulation, 2016

Abstract

Keywords: Clinical research; Ethics; Consent; Law; France EN Clinical research Ethics Consent Law France 883 885 3 12/10/20 20201201 NES 201201 In France, any interventional research involving the human body must follow the "Jardé Law" which is based on general ethical principles [[1]]. 2) Patient information and consent: 2-1) Providing information to the patient and obtaining his (her) consent is required before participation (see Fig. When "Emergency" and "Vital Emergency" procedures have been used and the next of kin or the patient refuses to participate, the patient should be excluded and the data cannot be used. [Extracted from the article]

Published

2020

45. Legislation of forensic DNA analysis in Hungary - past, present and future.

Author

Nogel, Mónika, Pádár, Zsolt, Czebe, András, and Kovács, Gábor

Subjects

DNA analysis, CRIMINAL records, LAW enforcement, GENERAL Data Protection Regulation, 2016

Abstract

Ever since the first application of DNA analysis in criminal casework in 1992, the conditions under which forensic DNA analysis is performed within the Hungarian law have been developed and subsequently approved, in parallel with the establishment of a national database report of forensic DNA. Act XLVII of 2009 (on the Criminal Records System, on the Records of EU Member State Court Rulings against Hungarian Citizens as well as on the Records of Biometric Criminal and Law Enforcement Data) constituted the legal framework for this. Moreover, Act XXIX of 2016 (on Judicial Experts), Act CXII of 2011 (on the Right of Informational Self-Determination and on Freedom of Information), as well as Regulation 12/2016. (V.4.) of the Minister of Interior (on Rules of Taking Fingerprints, Palm prints, Photographs and DNA samples), as well as the Provisions of 31/2008. (XII. 31.) of the Minister of Local Government (on the work of forensic experts, respectively) went on to specify the professional requirements necessary for forensic DNA analysis. The regulations of the EU must also be taken into consideration. Of particular significance, are the escalations undertaken by the EU for the purpose of combating transnational crime as developed in the Prüm Treaty, and, under Council Decision 2008/615/JHA and Council Decision 2008/616/JHA, became ratified into its partial transformation into an EU-wide tool for cooperation. The General Data Protection Regulation (GDPR) has also introduced a new and seemingly far-reaching exemption to the general prohibitive conditions applied to the processing of genetic data. The question of whether, and which kind of, consent is required remains left to other applicable EU and national laws. The aim of this study is to provide an overview on how Hungarian legislation of forensic DNA has changed over the past 27 years, to illustrate the current legal context in addition to providing a conceptual theoretical framework for future legislation, including the rules of forensic DNA typing and legal regulation connected to DNA-databases. [ABSTRACT FROM AUTHOR]

Published

2019

46. An international consideration of a standards-based approach to forensic genetic genealogy.

Author

Scudder, Nathan, Robertson, James, Kelty, Sally F., Walsh, Simon J., and McNevin, Dennis

Subjects

FORENSIC genetics, GENEALOGY, DNA analysis, ARTIFICIAL intelligence, GENERAL Data Protection Regulation, 2016

Abstract

Forensic genetic genealogy has moved into limited operational use in the United States, and received international attention following the arrest of a suspect alleged to be the notorious 'Golden State Killer'. The interest in this emerging area has seen the development of online courses to train investigators to pursue forensic genetic genealogy leads and the emergence of service providers marketing directly to law enforcement. Forensic genetic genealogy is an intelligence capability and can draw on existing intelligence doctrine. The power of genetic genealogy requires consideration of relevant standards, national or international. The development of these standards requires close consideration of public trust and privacy issues, including the application of the General Data Protection Regulation in Europe and constitutional issues in countries such as the United States. It also requires a consideration of potential regulatory mechanisms and options. [ABSTRACT FROM AUTHOR]

Published

2019

47. GDPR compliance verification through a user-centric blockchain approach in multi-cloud environment.

Author

Ahmad, Haris and Aujla, Gagangeet Singh

Subjects

*GENERAL Data Protection Regulation, 2016, *BLOCKCHAINS, *WEB-based user interfaces

Abstract

With cloud-hosted web applications becoming ubiquitous, the security risks presented for user personal data that is migrated to the cloud are at an all-time high. When using a cloud-hosted web application, users only ever interact with web interfaces of the web applications and are usually completely unaware of how their data is distributed amongst the multiple cloud service providers that the web application uses, making it difficult to verify the lawful use and ownership of personal data. The General Data Protection Regulation (GDPR) seeks to empower users to gain better control over their personal data. Blockchain-based approaches have risen in popularity over the recent years to tackle the challenge of verifying GDPR compliance in multi-cloud environments. By deploying smart contracts on the blockchain, we can create transparent and immutable logs of data processes in the hopes of automating GDPR compliance verification. However, the existing works are still limited to provide a user-centric compliance verification. To this end, we propose a user-centric, blockchain-based framework for data management in a cloud environment where all GDPR-relevant data operations take place on the blockchain through well-defined smart contracts. [Display omitted] • A cloud-based e-commerce application scenario is designed to demonstrate the importance of GDPR and analyse the GDPR requirements the deployed scenario. • GDPR-relevant data operations are encoded onto smart contracts to automate the monitoring and logging of data operations and detect compliance violations. • A web application is designed to enable the actors in our GDPR framework to interact with our smart contracts to carry out data operations and receive GDPR violation reports. • Thoroughly test the efficacy of our proposed solution using the Ganache and Ropsten testnets. [ABSTRACT FROM AUTHOR]

Published

2023

48. GDPR-compliant AI-based automated decision-making in the world of work.

Author

Lukács, Adrienn and Váradi, Szilvia

Subjects

*GENERAL Data Protection Regulation, 2016, *DECISION making, *EMPLOYMENT, *ARTIFICIAL intelligence, *DATA protection

Abstract

Artificial Intelligence is spreading fast in our everyday life and the world of work is no exception. AI is increasingly shaping the employment context: such emerging areas are augmented and automated decision-making. As AI-based decision-making is fuelled by personal data, compliance with data protection frameworks is inevitable. Even though automated decision-making is already addressed by the European norms on data protection – especially the GDPR –, their application in the world of work raises specific questions. The paper examines, in the light of the 'general' data protection background, what specific data protection challenges are raised in the field of AI-based automated decision-making in the context of employment. As a result of the research, the paper provides a detailed overview on the European legal framework on the data protection aspects of AI-based automated decision-making in the employment context. It identifies the main challenges, such as the applicability of the existing legal framework to the current use-cases and the specific questions relating to the lawful bases in the world of work, and provides guidelines on how to address these challenges. [ABSTRACT FROM AUTHOR]

Published

2023

49. Controlling lethal autonomous weapons systems: A typology of the position of states.

Author

Qerimi, Qerim

Subjects

*DECISION making, *PSYCHOLOGICAL typologies, *WEAPONS systems, *INTERNATIONAL law, *GENERAL Data Protection Regulation, 2016

Abstract

This paper seeks to understand the potential for robust global control of lethal autonomous weapons systems (LAWS). The paper seeks to uncover the predominant views and trends in global decision-making about such weapons systems by way of observing the positions and preferences of States inhabiting the international system as a realistic modality of a more probable normative outcome. Through a thorough examination of publicly available positions of United Nations (UN) Member States, it establishes a typology of varying positions maintained by States and reveals the argumentative rationale for the major positions advanced. This typology results to be far from unified and is composed of the following categories: (1) States that support the prohibition of LAWS; (2) States that support the prohibition of LAWS, but do not support calls for an international ban treaty; (3) States that do not support (or oppose) the prohibition of LAWS; (4) States with "flexible" positions over the LAWS: oppose use or use under certain circumstances, but not the development and production; (5) States that expressed support for multilateral talks, but have not expressed a position on the prohibition or not of LAWS; and (6) States that have called for a legally binding instrument (or legal regulation) on LAWS (inclusive of both prohibitions and regulations). Regulation and human control emerge as factors that have significant value in the equation. [ABSTRACT FROM AUTHOR]

Published

2023

50. Systematic construction of lawfulness of processing employees' personal information under China's personal information protection law.

Author

Zhang, Zhenxing and Zha, Yunfei

Subjects

*PERSONAL information management, *GENERAL Data Protection Regulation, 2016, *EMPLOYEES, *DIGITAL technology

Abstract

With the rapid development and widespread use of digital technologies in the workplace in China, employers' right to monitor and direct employees has often been abused, raising a number of disputes over the infringement of employees' right to privacy in terms of their personal information. China must urgently develop an appropriate approach to balancing these two conflicting interests. However, there is currently no coherent and uniform regime governing the protection of employees' personal information in China. The primary legal source on which employers can rely is the latest version of the Chinese Personal Information Protection Law (PIPL), which offers three lawful bases for employers' processing of their employees' personal information. These bases are employee consent; "necessity for the conclusion or performance of an employment contract"; and "necessity for conducting human resource management." Concerns have been expressed regarding the reasonableness and effectiveness of the three lawful bases under the PIPL. First, it is both legally and practically problematic for the PIPL to rely so heavily on employee consent. Second, it is unclear whether the other two lawful bases relieve employers of the duty of notification and, if so, how to safeguard employees' right to know. Third, the ambiguous standard of "necessity" requires clarification. This article argues that China should adopt many elements from EU law, while US law should be only followed in relation to the standard of "necessity". In relation to employee consent, the EU approach is preferable to the US approach. As the EU approach does not generally regard employees' consent as a lawful basis for the processing of their information and uses the other two lawful bases as alternatives to employee consent, this approach better reflects the customary practices of employee subordination and employer control in China. In contrast, US law deems employee consent to be an absolute general defense to the tort of privacy violation and adopts an employer favoritism approach to balancing these two conflicting interests, which is not appropriate in the Chinese context. In relation to the scope of necessity, three tests taken from the EU and US approaches should be considered by the Chinese courts. In addition, when processing personal information based on the other two lawful bases, employers should safeguard employees' right to know through collective contracts concluded with labor unions or employee representatives under the Chinese Labor Contract Law, which would effectively address employers' arbitrariness. Ultimately, these changes would produce a better balance between employees' right to privacy in terms of their personal information and employers' need to subordinate and control employees. [ABSTRACT FROM AUTHOR]

Published

2023