Your search keyword '"GENERAL Data Protection Regulation, 2016"' showing total 309 results

1. An effective cloud computing model enhancing privacy in cloud computing.

Author

Chawki, Mohamed

Subjects

*DATA privacy, *GENERAL Data Protection Regulation, 2016, *TECHNOLOGICAL innovations, *LITERATURE reviews, *GEOGRAPHIC boundaries, *CLOUD computing

Abstract

Cloud computing revolutionizes global software, system, infrastructure, and storage accessibility, offering flexibility and cost-effectiveness. This paper explores the pivotal intersection of cloud computing and privacy, presenting a model to enhance cloud privacy. Beginning with an insightful introduction, the paper conducts a comprehensive exploration. A meticulous literature review addresses data privacy intricacies in the cloud context. The study navigates international dimensions of personal data processing, revealing global implications beyond geographical boundaries. Delving into cloud computing's impact on user privacy, it emphasizes the delicate balance between convenience and safeguarding sensitive information. The examination of inherent cloud computing challenges, both technical and legal. A deep dive into recent privacy concerns is complemented by dissecting legal challenges, emphasizing the General Data Protection Regulation's (GDPR) far-reaching impact on the cloud industry. Contributions include a legal and technological overview, technologies for privacy protection, and a global legal framework. The paper identifies challenges and offers information on resolving legal intricacies. Proposed strategies provide a roadmap for industry stakeholders to ensure compliance and mitigate risks. The manuscript concludes with a future perspective on cloud computing's evolving landscape, offering insights into shaping technological advancements. [ABSTRACT FROM AUTHOR]

Published

2024

2. THE RIGHT TO BE FORGOTTEN REGARDING GENETIC DATA: A LEGAL AND ETHICAL ANALYSIS.

Author

Correia, Mónica, Rego, Guilhermina, and Nunes, Rui

Subjects

*RIGHT to be forgotten, *DATA privacy, *GENETIC privacy, *GENERAL Data Protection Regulation, 2016, *RIGHT of privacy

Abstract

This article investigates an under-discussed provision of the European Union's (EU's) General Data Protection Regulation (GDPR) regarding genetic data, i.e., the right to be forgotten. The debate on this right came from the commercerelated side of data protection instead of the medical side. Thus, this article addresses the implications of the RTBF for the lawful processing of familial genetic data. The article develops a normative, ethically focused principles argument about interpreting genetic data's right to be forgotten. It gives due consideration to autonomy, privacy, and human dignity. It argues that the individualistic approach of genetic privacy materialised through the extreme solution of data erasure is challenging to combine with familial and scientific research interests. The article suggests an interpretation of the GDPR according to bioethical principles and the inclusion of a specific exception regarding genetic data to prevent patients from claiming the right to be forgotten. [ABSTRACT FROM AUTHOR]

Published

2024

3. A study on privacy and security aspects of personalised apps.

Author

Gerasimou, Stylianos and Limniotis, Konstantinos

Subjects

*DATA protection, *GENERAL Data Protection Regulation, 2016, *DESIGN protection, *PERSONAL security, *MOBILE apps

Abstract

This paper studies personalised smart apps, from a data protection and security point of view. More precisely, having as a reference model the provisions stemming from the General Data Protection Regulation, we investigate whether such apps, whose philosophy is based on the provision of personalised services, adopt appropriate data protection techniques, focusing especially on aspects from the data protection by design and by default principles, as well as on their security features. Our analysis over ten popular such Android apps illustrates the existence of several privacy concerns, including the facts that several data processes are by default enabled without requesting users' consent, as well as that several data processes are not well justified or sufficiently transparent to the users. Moreover, interestingly enough, the apps studied are not free of known security weaknesses. [ABSTRACT FROM AUTHOR]

Published

2024

4. Biobanking, digital health and privacy: the choices of 1410 volunteers and neurological patients regarding limitations on use of data and biological samples, return of results and sharing.

Author

Giannella, Emilia, Bauça, Josep Miquel, Di Santo, Simona Gabriella, Brunelli, Stefano, Costa, Elisabetta, Di Fonzo, Sergio, Fusco, Francesca Romana, Perre, Antonio, Pisani, Valerio, Presicce, Giorgia, Spanedda, Francesca, Scivoletto, Giorgio, Formisano, Rita, Grasso, Maria Grazia, Paolucci, Stefano, De Angelis, Domenico, and Sancesario, Giulia

Subjects

GENERAL Data Protection Regulation, 2016, PATIENTS' attitudes, DATA privacy, BIOMATERIALS, CENTRAL nervous system

Abstract

Background: The growing diffusion of artificial intelligence, data science and digital health has highlighted the role of collection of data and biological samples, thus raising legal and ethical concerns regarding its use and dissemination. Further, the expansion of biobanking, from the basic collection of frozen specimens to the virtual biobanks of specimens and associated data that exist today, has given a revolutionary potential on healthcare systems, particularly in the field of neurological diseases, due to the inaccessibility of central nervous system and the need of non-invasive investigation approaches. Informed Consent (IC) is considered mandatory in all research studies and specimen collections, and must specifically take into account the ethical respect to the individuals to whom the used biological material and data belong. Methods: We evaluated the attitudes of patients with neurological diseases (NP) and healthy volunteers (HV) towards the donation of biological samples to a biobank for future research studies on neurological diseases, and limitations on the use of data, related to the requirements set by the General Data Protection Regulation (GDPR). The study involved a total of 1454 subjects, including 502 HVs and 952 NPs, recruited at Santa Lucia Foundation IRCCS, Rome, from 2020 to 2024. Results: We found that (i) almost all subjects agreed with the participation in biobanking (ii) and authorization to genetic studies (HV = 99.1%; NP = 98.3%); Regarding the return of results, (iii) we found a statistically significant difference between NP and HV, the latter preferring not to be informed of potential results (HV = 43%; NP = 11.3%; p < 0.0001); (iv) a small number limited the sharing inside European Union (EU) (HV = 4.6%; NP = 6.6%), whereas patients were more likely to refuse transfer outside EU (HV = 7.4%; NP = 10.7% p = 0.05); (v) nearly all patients agreed with the use of additional health data from EMR for research purposes (98.9%). Conclusions: Consent for the donation of material for research purposes is crucial for biobanking and biomedical research studies that use biological material of human origin. Here, we have shown that choices regarding participation in a neurological biobank can be different between HVs and NPs, even if the benefit for research and scientific progress is recognized. NP have a strong interest in being informed of possible results but limit sharing of samples, highlighting a perception of greater individual or relative benefit, while HV prefer a wide dissemination and sharing of data but not to have the return of the results, favoring a possible benefit for society and knowledge. The results underline the need to carefully manage biological material and data collected in biobanks, in compliance with the GDPR and the specific requests of donors. [ABSTRACT FROM AUTHOR]

Published

2024

5. Putting Interests of Digital Nagriks First: Digital Personal Data Protection (DPDP) Act 2023 of India.

Author

Malhotra, Charru and Malhotra, Udbhav

Subjects

DATA protection, DATA privacy, GENERAL Data Protection Regulation, 2016, RIGHT of privacy, PERSONALLY identifiable information, DATA security laws

Abstract

The increasing application of artificial intelligence (AI) and the extensive collection, storage and analysis of personal data by service providers have heightened privacy concerns. To address unauthorised use and potential misuse of personal information, the Government of India introduced the Digital Personal Data Protection (DPDP) Act on 11 August 2023 aimed at enhancing the living standards of its digital citizens, termed as 'digital nagriks ' in this study. This research evaluates the DPDP Act's impact on digital nagriks across six sections, starting with an introduction to the necessity of privacy legislation and an overview of global privacy laws from countries like Singapore, the European Union and China. It then explores the origin and fundamental aspects of the DPDP Act, leveraging the literature to critically analyse its implications for privacy. The study presents observations on the Act's current state, recommends adjustments for balancing privacy with innovation and security and highlights the need for stronger enforcement mechanisms to protect digital nagriks effectively. It concludes that while the DPDP Act is a positive advancement, explicit exceptions in future regulations could further refine this balance. [ABSTRACT FROM AUTHOR]

Published

2024

6. ПРАВОВЕ РЕГУЛЮВАННЯ ЗАХИСТУ ПЕРСОНАЛЬНИХ ДАНИХ: GDPR ТА ЗАКОНОДАВСТВО США, КАНАДИ Й УКРАЇНИ

Author

Н. Т., Головацький

Subjects

DATA protection, STATE laws, PERSONALLY identifiable information, LAW reform, GENERAL Data Protection Regulation, 2016, CITIZENS

Abstract

The article provides a detailed analysis of the legal regulation of personal data protection in various jurisdictions, including the European Union, the United States, Canada, and Ukraine. Special attention is given to the General Data Protection Regulation (GDPR), which is one of the strictest international standards in this field. The main provisions of the GDPR are examined, such as the principles of lawfulness, fairness, transparency, purpose limitation, and data minimization, as well as the rights of data subjects, including the right to access, rectification, and erasure of data. The impact of GDPR on international businesses is analyzed, showing how it has forced companies worldwide to adapt their data processing systems to comply with European legal requirements. The section on the United States focuses on California state law, particularly the California Consumer Privacy Act (CCPA), which grants citizens rights over their personal data. Although the U.S. legislative framework is fragmented compared to GDPR, the CCPA is a significant step toward protecting the privacy of American citizens. Canadian legislation is represented by the Personal Information Protection and Electronic Documents Act (PIPEDA), which ensures the protection of personal data in commercial relationships. PIPEDA strikes a balance between business interests and citizens' rights, providing flexibility in the use of personal data while adhering to principles of transparency and consent. The article also analyzes the process of harmonizing Ukraine's legislation with the GDPR, which is a crucial step in the context of the country's integration into the European legal space. Ukrainian legal reforms focus on strengthening citizens' rights and improving mechanisms for controlling personal data processing. The article offers a comparative analysis of the discussed legal systems, highlighting key differences in data protection approaches. Unlike the EU, where regulation is comprehensive and stringent, U.S. laws are fragmented. In Canada, PIPEDA creates a more flexible system oriented toward the commercial sector. Ukraine, meanwhile, is on its way to full harmonization with European standards, which will enhance the legal protection of citizens in the digital economy. [ABSTRACT FROM AUTHOR]

Published

2024

7. In-Memory Perturbation Optimizer Algorithm for Data Privacy on an Anonymous Server.

Author

Jaroonsak Chaiprasitjinda and Chetneti Srisaan

Subjects

*DATA privacy, *GENERAL Data Protection Regulation, 2016, *DATA protection laws, *PERSONALLY identifiable information, *ALGORITHMS

Abstract

The emergence of data controllers as a novel term within data privacy laws, such as the General Data Protection Regulation (GDPR), has ushered in significant responsibilities. Stricter regulations prohibit the intentional sharing of personal records on the Internet. This research focuses on safeguarding data privacy, specifically in ubiquitous tabular formats across numerous websites. A novel approach employing a cell-key perturbation method is proposed, demonstrating efficacy in tabular formats. Addressing this challenge, we introduce the in-memory perturbation optimizer (IMPO) algorithm as a novel solution. The primary objective is to create and develop a platform that secures all personal data through a dispenser server, operating in near real-time. Also, it emphasizes the importance of balancing data utility with privacy protection to maintain the integrity and quality of the dataset. Experimental results reveal that the IMPO algorithm outperforms in terms of data accuracy. Additionally, the algorithm introduces an average time delay of 2 seconds, ensuring optimal time service for real-time datasets. [ABSTRACT FROM AUTHOR]

Published

2024

8. Privacy regulation and firm performance: Estimating the GDPR effect globally.

Author

Frey, Carl Benedikt and Presidente, Giorgio

Subjects

*ORGANIZATIONAL performance, *GENERAL Data Protection Regulation, 2016, *SMALL business, *PERSONALLY identifiable information, *PRIVACY

Abstract

This paper examines how privacy regulation shaped firm performance. Controlling for firm and country‐industry‐year unobserved characteristics, we compare the outcomes of firms at different levels of exposure to EU markets, before and after the enforcement of the General Data Protection Regulation (GDPR) in 2018. We find that the GDPR had the unintended consequence of harming the profitability of companies targeting European consumers through the cost channel. Technology firms experienced a 2.1% decline in profits, but not in sales. The GDPR increased extra expenses, added to firms wage bills, and accelerated patenting in GDPR‐related technology fields. The main burdens have been borne by smaller companies. [ABSTRACT FROM AUTHOR]

Published

2024

9. Digital Identity in the EU: Promoting eIDAS Solutions Based on Biometrics.

Author

Ruiu, Pietro, Saiu, Salvatore, and Grosso, Enrico

Subjects

BIOMETRIC identification, GENERAL Data Protection Regulation, 2016, DIGITAL technology, CLEARING of securities, TELEPHONE numbers

Abstract

Today, more than ever before, technological progress is evolving rapidly, and in the absence of adequate regulatory frameworks, the big players in the digital market (the so-called Big Techs) are exploiting personal data (name, address, telephone numbers) and private data (political opinions, religious beliefs, financial information, or health status) in an uncontrolled manner. A crucial role in this scenario is played by the weakness of international regulatory frameworks due to the slow response time of legislators who are incapable, from a regulatory point of view, of keeping pace with technological evolution and responding to the new requirements coming from the social context, which is increasingly characterized by the pervasive presence of new technologies, such as smartphones and wearable devices. At the European level, the General Data Protection Regulation (GDPR) and the Regulation on Electronic Identification, Authentication and Trust Services (eIDAS) have marked a significant turning point in the regulatory landscape. However, the mechanisms proposed present clear security issues, particularly in light of emerging concepts such as digital identity. Moreover, despite the centrality of biometric issues within the European regulatory framework and the practical introduction of biometric data within electronic national identity (eID) cards, there are still no efforts to use biometric features for the identification and authentication of a person in a digital context. This paper clarifies and precisely defines the potential impact of biometric-based digital identity and hypothesizes its practical use for accessing network-based services and applications commonly used in daily life. Using the Italian eID card as a model, an authentication scheme leveraging biometric data is proposed, ensuring full compliance with GDPR and eIDAS regulations. The findings suggest that such a scheme can significantly improve the security and reliability of electronic identification systems, promoting broader adoption of eIDAS solutions. [ABSTRACT FROM AUTHOR]

Published

2024

10. Addressing privacy concerns with wearable health monitoring technology.

Author

Sivakumar, C. L. V., Mone, Varda, and Abdumukhtor, Rakhmanov

Subjects

*MEDICAL technology, *GENERAL Data Protection Regulation, 2016, *DATA privacy, *INTERNET privacy, *PRIVACY

Abstract

The growing popularity of wearable health devices like fitness trackers and smartwatches enables continuous personal health monitoring but also raises significant privacy concerns due to the real‐time collection of sensitive data. Many users are unaware of vulnerabilities that could lead to unauthorized access or discrimination if health information is revealed without consent. However, even informed users may willingly share data despite understanding privacy risks. The recent implementation of the General Data Protection Regulation (GDPR) in the EU and states taking initiatives to regulate privacy shows growing regulatory efforts to address these threats. This paper evaluates the key privacy threats posed specifically by consumer wearable devices. It provides a focused analysis of how health data could be exploited or shared without users' knowledge and the security flaws that enable such risks. Potential solutions including improving protections, empowering user control, enhancing transparency, and strengthening regulations are examined. However, it is argued that effective change requires balancing privacy risks with health benefits while also considering human decision‐making behaviors. The paper concludes by proposing a multifaceted approach to enable informed choices about wearable health data. This article is categorized under:Application Areas > Health CareCommercial, Legal, and Ethical Issues > Fairness in Data MiningCommercial, Legal, and Ethical Issues > Legal Issues [ABSTRACT FROM AUTHOR]

Published

2024

11. Identifying undefined risks: A risk model and a privacy risk identification measure in the privacy impact assessment process.

Author

Kuroda, Yuki, Yamamoto, Goshiro, and Kuroda, Tomohiro

Subjects

*PRIVACY, *IDENTIFICATION, *DATA privacy, *GENERAL Data Protection Regulation, 2016

Abstract

Privacy impact assessment (PIA) has attracted the attention of privacy watchdogs and researchers for decades. This study focuses on a risk model and risk identification method, which are two crucial elements of the risk identification step in the PIA process. As a preparatory work, this article reviews national and international organizations’ current templates and guidelines and finds that PIA guidance includes multiple domains but rarely provide a risk model or a systematic risk identification method. Based on the analysis, our study offers a risk model that can capture various privacy risk realization processes. It further proposes a combination of risk identification methods that correspond to the main target domains in the PIA and the proposed risk model. This combination consists of privacy principles of a given personal information or privacy rule to check compliance with the rule, and our suggested list of risk factors is useful in inductively finding potential risk scenarios that violate social expectations of privacy. [ABSTRACT FROM AUTHOR]

Published

2024

12. EU-Drittländer und Einsatz von Cookies mit vorformulierter Einwilligungserklärung.

Subjects

DATA privacy, COOKIES (Computer science), GENERAL Data Protection Regulation, 2016, PRIVACY, BANNERS, CELL phones

Abstract

Copyright of Computer und Recht is the property of De Gruyter and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)

Published

2024

13. European Union ∙ Security of Processing and Data Breach Notification: New Guidance in View of Decisions in the One-Stop-Shop Procedure.

Author

Schmitz-Berndt, Sandra

Subjects

DATA security failures, DATA protection, GENERAL Data Protection Regulation, 2016, DATA security, PRIVACY

Abstract

The article focuses on the European Data Protection Board's (EDPB) new guidance regarding the security of processing and data breach notification under General Data Protection Regulation (GDPR). Topics include the assessment of technical and organizational measures (TOMs) for ensuring data security, the requirements for notifying supervisory authorities of data breaches, and the obligation to communicate breaches to affected individuals.

Published

2024

14. GDPR compliance through standard security controls: An automated approach.

Author

Granata, Daniele, Mastroianni, Michele, Rak, Massimiliano, Cantiello, Pasquale, and Salzillo, Giovanni

Subjects

*GENERAL Data Protection Regulation, 2016, *SMALL business

Abstract

Since 2018, the enactment of the General Data Protection Regulation (GDPR) has bestowed distinct privileges upon each person while imposing protocols to safeguard personal information. The GDPR effectively tackles an evident requirement within our interconnected, social media-driven society. However, its compliance poses a considerable challenge, particularly for small and medium-sized businesses. This work aims to identify and select the proper countermeasures in order to comply with GDPR, by using standard security controls. Thus, we designed a tool to handle some phases of the compliance process in an almost semi-automated way. The proposed approach relies on standard security control frameworks (namely NIST SP-800-53) and can be easily adapted to different frameworks. The proposed technique was validated using our university as a case study, through a simple demonstrator, although the solution can be transparently applied to different contexts. [ABSTRACT FROM AUTHOR]

Published

2024

15. A Reference Design Model to Manage Consent in Data Subjects-Centered Internet of Things Devices.

Author

Khatiwada, Pankaj, Yang, Bian, Lin, Jia-Chun, Mugurusi, Godfrey, and Underbekken, Stian

Subjects

INTERNET of things, DATA privacy, GENERAL Data Protection Regulation, 2016, DATA protection laws, CUSTOMER relations

Abstract

Internet of Things (IoT) devices have changed how billions of people in the world connect and interact with each other. But, as more people use IoT devices, many questions arise about how these devices handle private data and whether they properly ask for permission when using it. Due to information privacy regulations such as the EU's General Data Protection Regulation (GDPR), which requires companies to seek permission from data subjects (DS) before using their data, it is crucial for IoT companies to obtain this permission correctly. However, this can be really challenging in the IoT world because people often find it difficult to interact with and manage multiple IoT devices under their control. Also, the rules about privacy are not always clear. As such, this paper proposes a new model to improve how consent is managed in the world of IoT. The model seeks to minimize "consent fatigue" (when people get tired of always being asked for permission) and give DS more control over how their data are shared. This includes having default permission settings, being able to compare similar devices, and, in the future, using AI to give personalized advice. The model allows users to easily review and change their IoT device permissions if previous conditions are not met. It also emphasizes the need for easily understandable privacy rules, clear communication with users, and robust tracking of consent for data usage. By using this model, companies that provide IoT services can do a better job of protecting user privacy and managing DS consent. In addition, companies can more easily comply with data protection laws and build stronger relationships with their customers. [ABSTRACT FROM AUTHOR]

Published

2024

16. Security and Privacy in Digital Healthcare Systems: Challenges and Mitigation Strategies.

Author

Jawad, Lubna Abdel

Subjects

DATA privacy, DIGITAL health, HEALTH Insurance Portability & Accountability Act, MEDICAL ethics laws, DIGITAL technology, GENERAL Data Protection Regulation, 2016

Abstract

The digitisation of healthcare systems has brought numerous benefits, including improved accessibility, enhanced efficiency and the potential for personalised medicine, ushering in a new era of medical advancements and streamlined patient care. However, alongside these advantages, it has also introduced a host of security and privacy challenges. The widespread adoption of digital technologies in healthcare raises concerns regarding security and privacy. This article explores critical issues surrounding the security and privacy of healthcare data in the digital age, aiming to highlight potential risks and vulnerabilities that arise with the adoption of technology in healthcare. Key security and privacy issues associated with digitisation efforts in healthcare are examined, and potential strategies to mitigate these concerns are discussed. The findings emphasise the importance of implementing robust security measures, ensuring patient privacy and fostering trust in digital healthcare systems. Furthermore, the article delves into the various challenges faced by healthcare organisations, policymakers and stakeholders in safeguarding sensitive medical information. These challenges encompass data breaches, unauthorised access, ransomware attacks and the potential misuse of patient data. Understanding these threats is essential for developing effective strategies to protect patient privacy and maintain data integrity. To address these challenges, the article presents a range of strategies and best practices, including implementing robust encryption measures, adopting multi-factor authentication, establishing secure communication channels and training healthcare professionals to be vigilant against cyber threats. Moreover, the significance of complying with regulatory frameworks, such as the Health Insurance Portability and Accountability Act and the General Data Protection Regulation, is explored to ensure the legal and ethical handling of patient data. By exploring these challenges and presenting practical strategies, this article aims to raise awareness among healthcare professionals and policymakers about the importance of prioritising security and privacy in the digitisation of healthcare systems. Acknowledging and proactively addressing these concerns will enable the healthcare industry to fully harness the potential of digitisation while ensuring the trust and confidence of patients and stakeholders. [ABSTRACT FROM AUTHOR]

Published

2024

17. Balancing Privacy and Progress: A Review of Privacy Challenges, Systemic Oversight, and Patient Perceptions in AI-Driven Healthcare.

Author

Williamson, Steven M. and Prybutok, Victor

Subjects

PATIENTS' attitudes, NETWORK governance, GENERAL Data Protection Regulation, 2016, DATA integrity, ALGORITHMIC bias, PRIVACY, ARTIFICIAL intelligence

Abstract

Integrating Artificial Intelligence (AI) in healthcare represents a transformative shift with substantial potential for enhancing patient care. This paper critically examines this integration, confronting significant ethical, legal, and technological challenges, particularly in patient privacy, decision-making autonomy, and data integrity. A structured exploration of these issues focuses on Differential Privacy as a critical method for preserving patient confidentiality in AI-driven healthcare systems. We analyze the balance between privacy preservation and the practical utility of healthcare data, emphasizing the effectiveness of encryption, Differential Privacy, and mixed-model approaches. The paper navigates the complex ethical and legal frameworks essential for AI integration in healthcare. We comprehensively examine patient rights and the nuances of informed consent, along with the challenges of harmonizing advanced technologies like blockchain with the General Data Protection Regulation (GDPR). The issue of algorithmic bias in healthcare is also explored, underscoring the urgent need for effective bias detection and mitigation strategies to build patient trust. The evolving roles of decentralized data sharing, regulatory frameworks, and patient agency are discussed in depth. Advocating for an interdisciplinary, multi-stakeholder approach and responsive governance, the paper aims to align healthcare AI with ethical principles, prioritize patient-centered outcomes, and steer AI towards responsible and equitable enhancements in patient care. [ABSTRACT FROM AUTHOR]

Published

2024

18. EVROPSKA REGULACIJA ZAŠTITE PODATAKA NA INTERNETU.

Author

Vojisavljević, Marija

Subjects

EUROPEAN Convention on Human Rights, DATA protection, PERSONALLY identifiable information, DATA privacy, GENERAL Data Protection Regulation, 2016, RIGHT of privacy

Abstract

Copyright of Eudaimonia - Journal for Legal, Political & Social Theory & Philosophy is the property of University of Belgrade, Faculty of Law and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)

Published

2024

19. Data Protection for Genomics and Brain Data: Personal Privacy Versus Scientific Innovation in the United States and European Union.

Author

I. Field, Robert

Subjects

DATA protection, GENOMICS, PRIVACY, GENERAL Data Protection Regulation, 2016

Abstract

Two powerful new technologies enable the collection of especially intimate personal information and pose special threats to privacy. These are technologies that collect and analyse data on the genomes and brain activity of individuals. Both technologies are enabling tremendous medical advances, but they come with new kinds of risks to the individuals whose information is compiled. The United States and European Union have so far taken different paths in their approach to balancing scientific innovation and individual privacy, with important implications for these technologies. While laws in both jurisdictions leave gaps in privacy protection, those is in the United States are especially porous, particularly with regard to data amassed by private companies that collect them from customers on a direct-to-consumer basis. However, even in the EU where the General Data Protection Regulation offers a single comprehensive regulatory scheme for residents of member states, privacy protection is incomplete and will likely be reduced by a subsequent regulatory proposal, the European Health Data Space. This article describes key privacy laws in both jurisdictions concerning health-related information, explains the implications of their shortcomings for genomic and brain data, and suggests reforms to address those shortcomings. These reforms would promote closer convergence of laws in the two jurisdictions, which could provide more consistent protection for individuals and clearer compliance standards for entities that use sensitive health data to advance new technologies. [ABSTRACT FROM AUTHOR]

Published

2024

20. Exploring the General Data Protection Regulation (GDPR) compliance in cloud services: insights from Swedish public organizations on privacy compliance.

Author

Issaoui, Awatef, Örtensjö, Jenny, and Islam, M. Sirajul

Subjects

GENERAL Data Protection Regulation, 2016, DATA privacy, LITERATURE reviews, PRIVACY, SOVEREIGNTY

Abstract

The adoption of cloud services offers manifold advantages to public organizations; however, ensuring data privacy during data transfers has become increasingly complex since the inception of the General Data Protection Regulation (GDPR). This study investigates privacy concerns experienced by public organizations in Sweden, focusing on GDPR compliance. A qualitative interpretative approach was adopted, involving semi-structured interviews with seven employees from five public organizations in Sweden. Additionally, secondary data were gathered through an extensive literature review. The collected data were analyzed and classified using the seven privacy threat categories outlined in the LINDDUN framework. The key findings reveal several significant privacy issues when utilizing public cloud services, including unauthorized access, loss of confidentiality, lack of awareness, lack of trust, legal uncertainties, regulatory challenges, and loss of control. The study underscores the importance of implementing measures such as anonymization, pseudonymization, encryption, contractual agreements, and well-defined routines to ensure GDPR compliance. The findings emphasize the importance of implementing measures such as anonymization, pseudonymization, encryption, contractual agreements, and well-defined routines to ensure GDPR compliance. Furthermore, this research highlights the critical aspect of digital sovereignty in addressing privacy challenges associated with public cloud service adoption by public organizations in Sweden. [ABSTRACT FROM AUTHOR]

Published

2023

21. Blockchain, Legal Interpretation, and Contextuality as Tools to Establish Privacy and Fundamental Rights Protection Amid Geopolitical and Legal Uncertainty.

Author

Blandino, Pierangelo

Subjects

*RIGHT of privacy, *CIVIL rights, *DATA privacy, *GENERAL Data Protection Regulation, 2016, *BLOCKCHAINS, *PERSONALLY identifiable information

Abstract

This summary explores the degree of rights' protection when it comes to States forms of surveillance under a concise legal comparative outline. Given today's interdependence put into being first by Global Governance patterns and then by exchange on platforms, attention will be drawn to the Chinese Personal Information Protection Law (PIPL), American Clarifying Lawful Overseas Use of Data Act (Cloud Act) and the EU General Data Protection Regulation (GDPR), along with the recently adopted Data Privacy Framework (DPF). At a second stage, new possible techniques are considered to properly tackle these unprecedented changes that challenge traditional legal patterns. [ABSTRACT FROM AUTHOR]

Published

2023

22. An Analytical Review of Industrial Privacy Frameworks and Regulations for Organisational Data Sharing.

Author

Ghorashi, Seyed Ramin, Zia, Tanveer, Bewong, Michael, and Jiang, Yinhao

Subjects

INFORMATION sharing, GENERAL Data Protection Regulation, 2016, DATA protection, RIGHT of privacy, PRIVACY

Abstract

This study examines the privacy protection challenges in data sharing between organisations and third-party entities, focusing on changing collaborations in the digital age. Utilising a mixed-method approach, we categorise data-sharing practices into three business models, each with unique privacy concerns. The research reviews legal regulations like the General Data Protection Regulation (GDPR), highlighting their emphasis on user privacy protection but noting a lack of specific technical guidance. In contrast, industrial privacy frameworks such as NIST and Five Safes are explored for their comprehensive procedural and technical guidance, bridging the gap between legal mandates and practical applications. A key component of this study is the analysis of the Facebook–Cambridge Analytica data breach, which illustrates the significant privacy violations and their wider implications. This case study demonstrates how the principles of the NIST and Five Safes frameworks can effectively mitigate privacy risks, enhancing transparency and accountability in data sharing. Our findings highlight the dynamic nature of data sharing and the vital role of both privacy regulations and industry-specific frameworks in protecting individual privacy rights. This study contributes insights into the development of robust privacy strategies, highlighting the necessity of integrating comprehensive privacy frameworks into organisational practices for improved decision making, operational efficiency, and privacy protection in collaborative data environments. [ABSTRACT FROM AUTHOR]

Published

2023

23. 2024 CN 100.

Subjects

GENERAL Data Protection Regulation, 2016, DATA protection laws, PERSONALLY identifiable information, METROPOLIS, PRIVACY

Published

2024

24. "There's always a cost involved, and this cost is related to privacy".

Author

WINDER, DAVEY

Subjects

COMPUTER passwords, PASSWORD software, GENERAL Data Protection Regulation, 2016, PRIVACY, DATA encryption

Abstract

The article discusses the trade-off between privacy and convenience when using Gmail as an email client. While Gmail is popular due to its ease of use and integration with other Google services, it collects user data for personalized ads and experiences. The article suggests that Proton Mail is a better choice for those prioritizing security and privacy, as it offers end-to-end encryption, zero-access encryption for stored data, and is based in Switzerland with strict privacy laws. Proton Mail also provides additional features such as dark web monitoring and advanced protection for high-risk accounts. However, it is noted that Proton Mail's free version has limited features compared to Gmail's free version. [Extracted from the article]

Published

2024

25. PRIVACY-SHIELDING AUTONOMOUS SYSTEMS FOR NATURAL DISASTER MANAGEMENT (NDM): Targeted Regulation of the use of Autonomous Systems for Natural Disaster Management Goals before the Materialization of the Privacy Harm.

Author

BOUCHAGIAR, Georgios, MYGDALIS, Vasileios, and PITAS, Ioannis

Subjects

*EMERGENCY management, *MATERIALIZATION, *DATA protection, *GENERAL Data Protection Regulation, 2016

Abstract

This contribution aims to recommend a fully-fledged privacy-assessment applicable to future uses of Autonomous Systems (AS) for Natural Disaster Management (NDM) purposes. It claims that certain implementations may interfere with the right to privacy and the protection of personal data and analyses challenges stemming from (non-) compliance with the General Data Protection Regulation (GDPR). Moreover, it subjects the use of autonomous systems to the European Court of Human Rights’(ECtHR) Legality – Legitimacy – Necessity testing (LLN-check). On this basis, it proposes a targeted and ex ante privacy-assessment to address legal uncertainty, resulting from the GDPR’s tech-neutrality and case law’s ex post (after the harm) adjudication. The recommended scheme, ideally involving experts from various disciplines who would moreover be independent, could apply before the actual use of any AS and give a ‘proceed’, a ‘proceed with conditions’ or a ‘do not proceed’ decision. [ABSTRACT FROM AUTHOR]

Published

2023

26. Understanding Website Privacy Policies—A Longitudinal Analysis Using Natural Language Processing.

Author

Belcheva, Veronika, Ermakova, Tatiana, and Fabian, Benjamin

Subjects

*GENERAL Data Protection Regulation, 2016, *PRIVACY, *NATURAL language processing

Abstract

Privacy policies are the main method for informing Internet users of how their data are collected and shared. This study aims to analyze the deficiencies of privacy policies in terms of readability, vague statements, and the use of pacifying phrases concerning privacy. This represents the undertaking of a step forward in the literature on this topic through a comprehensive analysis encompassing both time and website coverage. It characterizes trends across website categories, top-level domains, and popularity ranks. Furthermore, studying the development in the context of the General Data Protection Regulation (GDPR) offers insights into the impact of regulations on policy comprehensibility. The findings reveal a concerning trend: privacy policies have grown longer and more ambiguous, making it challenging for users to comprehend them. Notably, there is an increased proportion of vague statements, while clear statements have seen a decrease. Despite this, the study highlights a steady rise in the inclusion of reassuring statements aimed at alleviating readers' privacy concerns. [ABSTRACT FROM AUTHOR]

Published

2023

27. GDPR and the cloud: examining readability deficiencies in cloud computing providers' privacy policies.

Author

Gao, Lei, Eller, C. Kevin, and Eggers, Austin F.

Subjects

*GENERAL Data Protection Regulation, 2016, *CLOUD computing, *PRIVACY, *LANGUAGE & languages, *INDUSTRIAL management

Abstract

There have been concerns about data privacy and protection internationally. This has led to the development of policy tools, such as the General Data Protection Regulations (GDPR), but there remains limited evaluation of the effectiveness of the policies. The purpose of this study is to examine cloud computing privacy policies in order to determine how they changed in response to GDPR. Specifically, we focus on the EU's mandate for "clear and plain language" by scrutinizing various content characteristics. In order to examine the response to the changes enacted by GDPR, we conduct a content analysis of cloud computing firm privacy policies from three periods. Results indicate that despite a mandate for "clear and plain language," the readability of the privacy policies post-GDPR did not improve. Surprisingly, many privacy policies examined showed a significant decrease in readability. Additionally, the use of uncertainty language and litigious language also increased in certain areas. The findings outlined in this study are informative for policy makers, businesses interested in minimizing risks associated with GDPR noncompliance, and individuals whose data is subject to GDPR. These findings also point to the challenges faced by organizations in developing effective policies in the realm of digital governance. [ABSTRACT FROM AUTHOR]

Published

2023

28. Privacy and Market Concentration: Intended and Unintended Consequences of the GDPR.

Author

Johnson, Garrett A., Shriver, Scott K., and Goldberg, Samuel G.

Subjects

INDUSTRIAL concentration, GENERAL Data Protection Regulation, 2016, PRIVACY

Abstract

We show that websites' vendor use falls after the European Union's (EU's) General Data Protection Regulation (GDPR), but that market concentration also increases among technology vendors that provide support services to websites. We collect panel data on the web technology vendors selected by more than 27,000 top websites internationally. The week after the GDPR's enforcement, website use of web technology vendors falls by 15% for EU residents. Websites are relatively more likely to retain top vendors, which increases the concentration of the vendor market by 17%. Increased concentration predominantly arises among vendors that use personal data, such as cookies, and from the increased relative shares of Facebook and Google-owned vendors, but not from website consent requests. Although the aggregate changes in vendor use and vendor concentration dissipate by the end of 2018, we find that the GDPR impact persists in the advertising vendor category most scrutinized by regulators. Our findings shed light on potential explanations for the sudden drop and subsequent rebound in vendor usage. This paper was accepted by Matthew Shum, marketing. Funding: Financial support from the Marketing Science Institute and the George Mason University Program on Economics & Privacy is gratefully acknowledged. Supplemental Material: The web appendix and data are available at https://doi.org/10.1287/mnsc.2023.4709. [ABSTRACT FROM AUTHOR]

Published

2023

29. Privacy-Preserving Solution for European Union Digital Vaccine Certificates.

Author

Dzurenda, Petr, Ricci, Sara, Ilgner, Petr, Malina, Lukas, and Anglès-Tafalla, Carles

Subjects

DIGITAL certificates, GENERAL Data Protection Regulation, 2016, ONLINE identities, SMART cards, SMART devices, IDENTIFICATION, SELF

Abstract

The recent COVID-19 pandemic situation highlights the importance of digital vaccine certificates. In response, the European Union (EU) developed EU Digital Vaccine Certificates to enable proof of non-infectivity and completed vaccinations. However, these solutions suffer from several shortcomings, such as ineffective certificate holder identification and a high violation of user privacy with the disclosure of sensitive information. In this work, we present a novel solution for privacy-preserving EU Digital Vaccine Certificates. Our solution solves the aforementioned privacy and security shortcomings and is in line with current EU legislation, i.e., the General Data Protection Regulation (GDPR), the upcoming revision of the electronic IDentification, Authentication, and trust Services (eIDAS), called regulation eIDAS 2.0, and the new tools that it envisages to be led by European digital identity. This identity is intended to allow citizens to prove their identity to access online services, share digital documents, or simply prove specific personal characteristics such as age without revealing their identity or other personal information. The core of our proposal is built on our novel attribute-based credential scheme, which can be easily implemented on various handheld devices, especially on Android smartphones and smartwatches. However, due to the lightweight nature of our scheme, it can also be implemented on constrained devices such as smart cards. In order to demonstrate the security, privacy, and practicality inherent in our proposal, we provide the security analysis of the cryptographic core along with a set of experimental results conducted on smartphones and smart cards. [ABSTRACT FROM AUTHOR]

Published

2023

30. Enhancing Data Protection in Dynamic Consent Management Systems: Formalizing Privacy and Security Definitions with Differential Privacy, Decentralization, and Zero-Knowledge Proofs.

Author

Khalid, Muhammad Irfan, Ahmed, Mansoor, and Kim, Jungsuk

Subjects

*DATA protection, *GENERAL Data Protection Regulation, 2016, *PRIVACY

Abstract

Dynamic consent management allows a data subject to dynamically govern her consent to access her data. Clearly, security and privacy guarantees are vital for the adoption of dynamic consent management systems. In particular, specific data protection guarantees can be required to comply with rules and laws (e.g., the General Data Protection Regulation (GDPR)). Since the primary instantiation of the dynamic consent management systems in the existing literature is towards developing sustainable e-healthcare services, in this paper, we study data protection issues in dynamic consent management systems, identifying crucial security and privacy properties and discussing severe limitations of systems described in the state of the art. We have presented the precise definitions of security and privacy properties that are essential to confirm the robustness of the dynamic consent management systems against diverse adversaries. Finally, under those precise formal definitions of security and privacy, we have proposed the implications of state-of-the-art tools and technologies such as differential privacy, blockchain technologies, zero-knowledge proofs, and cryptographic procedures that can be used to build dynamic consent management systems that are secure and private by design. [ABSTRACT FROM AUTHOR]

Published

2023

31. The significance of general data protection regulation in the compliant data contribution to the European Society of Thoracic Surgeons database.

Author

Bertolaccini, Luca, Falcoz, Pierre-Emmanuel, Brunelli, Alessandro, Batirel, Hasan, Furak, Jozsef, Passani, Stefano, and Szanto, Zalan

Subjects

*GENERAL Data Protection Regulation, 2016, *DATABASES, *DATA protection, *RIGHT of privacy, *DATA management

Abstract

Open in new tab Download slide The General Data Protection Regulation (GDPR), enacted in the European Union in 2018, has significantly transformed the landscape of personal data management and protection. This article provides an overview of GDPR's impact, focusing on its applicability, fundamental principles and influence on data management practices, particularly within the European Society of Thoracic Surgeons (ESTS) database. GDPR's reach extends to all entities collecting and processing personal data of European Union residents, regardless of their location. It encompasses various data types, emphasizing meticulous handling and protection of identifiable information. Special categories of data, such as health and sensitive attributes, require even more stringent protection. The regulation sets legal, fair and transparent data processing principles, emphasizing accuracy, purpose limitation and data minimization. It also stresses accountability, leading to the appointment of Data Protection Officers and significant penalties for non-compliance. The ESTS database, designed to enhance thoracic surgical research and care, collects data on European procedures. It follows GDPR principles by pseudonymizing data, ensuring secure data transmission and providing clear instructions for data submission. The database contributes to research, policymaking and practice improvement in thoracic surgery by offering a comprehensive dataset for analysis. Here, we aim to shed light on the complexities of GDPR implementation and emphasize the need for comprehensive data management strategies to ensure compliance and enhance privacy protection with the contribution to the ESTS database. GDPR compliance comes with challenges, including potential human dignity and privacy rights violations. Data breaches can result in unauthorized disclosures, and non-compliance can lead to substantial fines and reputational damage. The implementation of GDPR encourages organizations to prioritize ethical data practices, security measures and transparent data handling. In conclusion, GDPR has revolutionized personal data protection by emphasizing accountability, transparency and individual rights. It has impacted organizations globally, promoting responsible data management practices. Adhering to GDPR ensures privacy protection, trust-building and overall enhancement of data management in today's data-driven environment. [ABSTRACT FROM AUTHOR]

Published

2023

32. DATA PROTECTION AND PRIVACY AS A FUNDAMENTAL RIGHT: A COMPARATIVE STUDY OF BRAZIL AND INDIA.

Author

Campanha Santana, Paulo and Ansari, Faiz Ayat

Subjects

DATA privacy, RIGHT of privacy, PERSONALLY identifiable information, CIVIL rights, GENERAL Data Protection Regulation, 2016, FREEDOM of expression

Abstract

This paper aimed to analyze how Brazil and India faced the challenge of a large amount of personal information being exchanged, stored, and analyzed. The relevance lies in the fact that data protection and privacy were concepts discussed almost everywhere in the world since the era of Big Data highlighted the challenge of protecting these fundamental rights. Therefore, the research problem was to analyze to what extent these countries effectively faced the challenge presented. The methodology used was exploratory and hypothetical-deductive. As a result, it was identified that the rights to privacy and personal data were not absolute and had to be balanced with other social interests, such as public security, law enforcement, and freedom of expression. It was concluded that inspired by international standards on the subject, such as the Universal Declaration of Human Rights (UDHR), the International Covenant on Civil and Political Rights (ICCPR), and the General Data Protection Regulation (GDPR) of the European Union, both countries had legislative protection over these rights and a framework to address them. The legislation provided fundamental principles, but only time will show their effectiveness. [ABSTRACT FROM AUTHOR]

Published

2023

33. ACCESS TO FINANCIAL INFORMATION FOR TAX PURPOSES AND PROPORTIONALITY - BALANCING PUBLIC INTEREST WITH THE PROTECTION OF PRIVACY.

Author

Teixeira, Glória, Pinho, Maria Filipa, and Teixeira, Hugo

Subjects

PUBLIC interest, TAXATION, HUMILIATION, GENERAL Data Protection Regulation, 2016, DATA protection laws

Abstract

The purpose of the article is to analyse how to balance public interests with the protection of privacy in the tax field. It has not been an easy task especially in the context of access to financial information. In this area, the compromise to achieve transparency needs to pay regard to the principle of proportionality, as reinforced by recent case law of the ECJ, and align with specific legislation such as the EU General Data Protection Regulation and recently enacted EU Digital Services Act. It is extremely important to investigate the possible consequences of acting against fundamental rights that are attributed to European citizens (and not only), such as the right to privacy and the protection of personal data. The paper aims to provide relevant and further insight to paths that lead to a fair way to handle such relevant information. Every citizen, every academically inclined and dedicated individual, every public official, every judicial agent, must question whether the public interest can ever, or at least, recurrently, surpass a fundamental right to privacy, specially, in a sensible area as the financial information of an individual. Such actions can often lead, if mistakes are made along the way, to dangerous outcomes, such as public humiliation, and can even harm the person's professional and personal life. Methodology. In the course of the paper, an analysis is made of public decisions taken in cases across the European continent. Additionally, some considerations are made about the recent legislation that is produced by competent authorities, particularly the European Institutions. Results of the research. The authors offer a personal insight regarding the information that has been gathered, confirming some significant concerns. What is of crucial importance, as stated in the title of this article, is a well established balance between the public interest and the protection of privacy, with explained and defined possible paths to follow. [ABSTRACT FROM AUTHOR]

Published

2023

34. Integrating privacy debt and VSE's software developments.

Author

Santamaria, Izaskun, Larrucea, Xabier, and Fernandez‐Gauna, Borja

Subjects

*COMPUTER software development, *GENERAL Data Protection Regulation, 2016, *NET present value, *PRIVACY, *DEBT

Abstract

With the advent of regulations protecting users such as the General Data Protection Regulation, security and privacy concerns are playing a new role in small settings such as in very small entities. Their relevance is increasing, and privacy is being considered a Troy horse in software developments. In fact, privacy is a part of software architectural decisions, and they must be considered as a technical debt. The contributions of this paper are the following: a privacy debt definition with a principal and an interest, privacy‐related activities to be considered within the ISO/IEC 29110 basic profile, and the use of the net present value within this context. All these contributions help us to integrate privacy debt and VSE's software developments. [ABSTRACT FROM AUTHOR]

Published

2023

35. Privacy Rights and Data Security: GDPR and Personal Data Markets.

Author

Ke, T. Tony and Sudhir, K.

Subjects

RIGHT of privacy, DATA privacy, PRICE discrimination, DATA security, PERSONALLY identifiable information, GENERAL Data Protection Regulation, 2016, DATA security insurance

Abstract

General Data Protection Regulation (GDPR)—the European Union's data protection regulation—has two key principles. It recognizes that individuals own and control their personal (but not contractual) data in perpetuity, leading to three critical privacy rights, namely, the rights to (i) explicit consent (data opt-in), (ii) to be forgotten (data erasure), and (iii) portability (data transfer). It also includes data security mandates against privacy breaches through unauthorized access. We study GDPR's equilibrium impact by including these features in a dynamic two-period model of forward-looking firms and consumers. Firms collect consumer data for personalization and price discrimination. Consumers trade off gains from personalization relative to potential losses from privacy breaches and price discrimination in their purchase, data opt-in, erasure, and transfer decisions. Though data security mandates impose fines on firms for privacy breaches, firms can benefit from higher opt-in given lower breach risk. Surprisingly, data security mandates can hurt consumers. The effect of privacy rights is nuanced. Since the right to opt in separates goods exchange from the provision of personal data, it prevents market failure under high breach risk. But it also reduces consumer opt-in and personal data availability. Erasure and portability rights reduce consumers' hold-up concerns by disciplining firms to provide ongoing value by limiting price discrimination and not slacking off on data security; but they also reduce the incentive to offer lower initial prices that encourages opt-in. Overall, privacy rights always benefit consumers in competitive markets, but they can surprisingly hurt consumers under monopoly, as monopolists have less incentives to subsidize consumer opt-in. They raise (reduce) firm profit and social welfare when breach risk is high (low). Finally, privacy rights increase firm profit most at moderate levels of data transferability. This paper was accepted by Dmitri Kuksov, marketing. Funding: T. T. Ke acknowledges financial support from the General Research Fund of the Hong Kong Research Grants Council [Grant 14500421]. Supplemental Material: The e-companion is available at https://doi.org/10.1287/mnsc.2022.4614. [ABSTRACT FROM AUTHOR]

Published

2023

36. Working with Aula: How teachers navigate privacy uncertainties.

Author

Jørgensen, Rikke Frank, Valtysson, Bjarki, and Pagh, Jesper

Subjects

*DATA privacy, *GENERAL Data Protection Regulation, 2016, *DATA protection, *PRIVACY, *INTERSTELLAR communication, *CITIES & towns

Abstract

Aula is a mandatory public school platform in Denmark with more than two million users. The idea behind Aula was to provide a shared space for communication and cooperation around children, both within the school/municipality setting and between teachers and parents, while adhering to the requirements of EU's General Data Protection Regulation. In this article we examine the incorporation of Aula in the daily practices of teachers, especially as they relate to children's privacy and data protection. Based on qualitative interviews with nine teachers and four experts, and drawing on practice theory, platform theory, and theories on children's privacy, we find that Aula – despite the intentions behind it – fails to support the complex nature of teachers' work practices and, therefore, to provide a solid data protection framework for the children. As such, the teachers mainly view the platform as being conducive to their non-sensitive communication with parents and deploy a range of other digital tools to support, for instance, cooperation with colleagues. Consequently, gaps in children's privacy and data protection arise. [ABSTRACT FROM AUTHOR]

Published

2023

37. THE CONCEPT OF DATA ALTRUISM IN COMPARISON OF THE DATA GOVERNANCE ACT AND THE GENERAL DATA PROTECTION REGULATION.

Author

PAAL, Boris. P. and CANTÜRK, Barış C.

Subjects

GENERAL Data Protection Regulation, 2016, DATA protection laws, ALTRUISM, DATA privacy, DATA security

Abstract

Copyright of Galatasaray Üniversitesi Hukuk Fakültesi Dergisi is the property of GALATASARAY UNIVERSITESI HUKUK FAKULTESI and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)

Published

2023

38. THE UNWANTED PARADOXES OF THE RIGHT TO BE FORGOTTEN.

Author

VARDANYAN, LUSINE, KOCHARYAN, HOVSEP, HAMUL'ÁK, ONDREJ, MESARČÍK, MATÚŠ, KERIKMÄE, TANEL, and KOOKMAA, TEA

Subjects

RIGHT to be forgotten, GENERAL Data Protection Regulation, 2016, ARTIFICIAL intelligence

Published

2023

39. Consumer Preferences for Privacy Management Systems.

Author

Hanneke, Björn, Baum, Lorenz, Schlereth, Christian, and Hinz, Oliver

Subjects

GENERAL Data Protection Regulation, 2016, DISCRETE choice models, CONSUMER preferences, CONSUMER behavior, RIGHT of privacy

Abstract

This work presents insights into consumer preferences regarding Privacy Management Systems in the context of the General Data Protection Regulation (GDPR). The authors perform a Choice-Based Conjoint experiment with consumers (n = 589) to elicit preferences over four attributes and compute usage likelihoods for all product configurations. Results show that data sharing for marketing purposes and discounts are the most important attributes for consumers. Furthermore, consumers prefer digital access to privacy-related information, detailed rights management for data sharing and no data sharing for marketing purposes. Moreover, a cluster analysis reveals differing importance weights across clusters. The study concludes that incorporating consumer preferences into the design and development process of Privacy Management Systems could increase their use and effectiveness, ultimately strengthening consumers’ privacy rights and companies’ legal compliance. The authors suggest researching legal, business, and consumer requirements more holistically to converge these perspectives to improve Privacy Management Systems adoptions. [ABSTRACT FROM AUTHOR]

Published

2023

40. GDPR PRIVACY TYPE CLUSTERING: MOTIVATIONAL FACTORS FOR CONSUMER DATA SHARING.

Author

Hanneke, Björn, Baum, Lorenz, and Hinz, Oliver

Subjects

GENERAL Data Protection Regulation, 2016, INFORMATION sharing, CONSUMER behavior, DATA management, INFORMATION storage & retrieval systems

Abstract

The GDPR introduced restrictive privacy-preserving measures, affecting the daily life of (online) consumers. Moreover, literature shows that privacy preferences are constantly evolving. This is the first study introducing a GDPR exercising-oriented approach to identify consumer privacy types. Based on a representative sample of the German online population, we cluster consumers according to their privacy importance ("intention to act") and GDPR knowledge ("ability to act") and derive four consumer privacy type clusters: fundamentalists, amateurs, pragmatists, and unconcerned. We investigate motivational factors for changing privacy settings and find significant differences between consumers' intentions and actions for selected factors. This provides evidence for the privacy paradox. Contrarily, intentions and actions align for other factors, which supports the hypothesis that actionbased consent might lower the privacy paradox. Finally, we suggest the development of standardized scales and corresponding clustering methodologies for consumer privacy type clustering to increase comparability over time and across populations. [ABSTRACT FROM AUTHOR]

Published

2023

41. Towards federated learning: An overview of methods and applications.

Author

Silva, Paula Raissa, Vinagre, João, and Gama, João

Subjects

*DEEP learning, *ARTIFICIAL intelligence, *GENERAL Data Protection Regulation, 2016, *MACHINE learning, *REPRESENTATIONS of graphs, *SMART devices

Abstract

Federated learning (FL) is a collaborative, decentralized privacy‐preserving method to attach the challenges of storing data and data privacy. Artificial intelligence, machine learning, smart devices, and deep learning have strongly marked the last years. Two challenges arose in data science as a result. First, the regulation protected the data by creating the General Data Protection Regulation, in which organizations are not allowed to keep or transfer data without the owner's authorization. Another challenge is the large volume of data generated in the era of big data, and keeping that data in one only server becomes increasingly tricky. Therefore, the data is allocated into different locations or generated by devices, creating the need to build models or perform calculations without transferring data to a single location. The new term FL emerged as a sub‐area of machine learning that aims to solve the challenge of making distributed models with privacy considerations. This survey starts by describing relevant concepts, definitions, and methods, followed by an in‐depth investigation of federated model evaluation. Finally, we discuss three promising applications for further research: anomaly detection, distributed data streams, and graph representation. This article is categorized under:Technologies > Machine LearningTechnologies > Artificial Intelligence [ABSTRACT FROM AUTHOR]

Published

2023

42. ЗАРУБІЖНИЙ ДОСВІД ЗАХИСТУ ПЕРСОНАЛЬНИХ ДАНИХ У СОЦІАЛЬНИХ МЕРЕЖАХ

Author

В. О., Кравчук

Subjects

PERSONALLY identifiable information, HEALTH Insurance Portability & Accountability Act, ONLINE social networks, DIGITAL technology, DATA privacy, GENERAL Data Protection Regulation, 2016, PRIVACY

Abstract

The article analyzes the protection of personal data based on foreign experience. Social networking has been identified as one of the most prominent cultural phenomena to emerge in the Web 2.0 era. They keep users connected and facilitate the exchange of information between them. The European Union has adopted a new personal data protection system called the General Data Protection Regulation (GDPR). Its main goals include providing individuals with tools to control their personal data, implementing modern standards for the protection of personal information, developing the digital space of the European Union to safeguard personal data, ensuring strict compliance by all parties, and providing legal support for the international transfer of personal information. United States legislative documents related to aspects of data protection and privacy were analyzed, namely: California Consumer Privacy Act (CCPA); Children's Online Privacy Protection Act (COPPA); Health Insurance Portability and Accountability Act (HIPAA); State data breach notification laws. It is noted that China has a comprehensive legal framework that regulates the protection of personal data, and includes the following legal acts: Personal Information Protection Law (PIPL) and Data Security Law (DSL). Conclusions were made that the urgency and importance of protecting personal data in social networks is due to rapid technological progress, the growth of cyber security threats and the spread of these platforms. By protecting personal data, people can maintain privacy, prevent abuse, maintain user trust, reduce risk, and comply with legal obligations. The issue of ensuring mobility and interoperability in social networks gives particular importance to the protection of personal data, as it relates to this particular data, and not just to technology, as it may be in the telecommunications sector. This requires additional thought and measures to ensure privacy and data security. Therefore, when developing legal protection mechanisms for online social networks, it is necessary to take into account and solve problems related to the protection of personal data. [ABSTRACT FROM AUTHOR]

Published

2023

43. Privacy considerations for online advertising: a stakeholder's perspective to programmatic advertising.

Author

Cooper, Dylan A., Yalcin, Taylan, Nistor, Cristina, Macrini, Matthew, and Pehlivan, Ekin

Subjects

INTERNET privacy, INTERNET advertising, CONSUMER preferences, GENERAL Data Protection Regulation, 2016, DATA protection laws, CROWDSOURCING, CONSUMER behavior

Abstract

Purpose: Privacy considerations have become a topic with increasing interest from academics, industry leaders and regulators. In response to consumers' privacy concerns, Google announced in 2020 that Chrome would stop supporting third-party cookies in the near future. At the same time, advertising technology companies are developing alternative solutions for online targeting and consumer privacy controls. This paper aims to explore privacy considerations related to online tracking and targeting methods used for programmatic advertising (i.e. third-party cookies, Privacy Sandbox, Unified ID 2.0) for a variety of stakeholders: consumers, AdTech platforms, advertisers and publishers. Design/methodology/approach: This study analyzes the topic of internet user privacy concerns, through a multi-pronged approach: industry conversations to collect information, a comprehensive review of trade publications and extensive empirical analysis. This study uses two methods to collect data on consumer preferences for privacy controls: a survey of a representative sample of US consumers and field data from conversations on web-forums created by tech professionals. Findings: The results suggest that there are four main segments in the US internet user population. The first segment, consisting of 26% of internet users, is driven by a strong preference for relevant ads and includes consumers who accept the premises of both Privacy Sandbox and Unified ID (UID) 2.0. The second segment (26%) includes consumers who are ambivalent about both sets of premises. The third segment (34%) is driven by a need for relevant ads and a strong desire to prevent advertisers from aggressively collecting data, with consumers who accept the premises of Privacy Sandbox but reject the premises of UID 2.0. The fourth segment (15% of consumers) rejected both sets of premises about privacy control. Text analysis results suggest that the conversation around UID 2.0 is still nascent. Google Sandbox associations seem nominally positive, with sarcasm being an important factor in the sentiment analysis results. Originality/value: The value of this paper lies in its multi-method examination of online privacy concerns in light of the recent regulatory legislation (i.e. General Data Protection Regulation and California Consumer Privacy Act) and changes for third-party cookies in browsers such as Firefox, Safari and Chrome. Two alternatives proposed to replace third-party cookies (Privacy Sandbox and Unified ID 2.0) are in the proposal and prototype stage. The elimination of third-party cookies will affect stakeholders, including different types of players in the AdTech industry and internet users. This paper analyzes how two alternative proposals for privacy control align with the interests of several stakeholders. [ABSTRACT FROM AUTHOR]

Published

2023

44. In/acceptable marketing and consumers' privacy expectations: four tests from EU data protection law.

Author

Malgieri, Gianclaudio

Subjects

DATA protection laws, GENERAL Data Protection Regulation, 2016, RIGHT of privacy, CONSUMERS, PRIVACY, SCHOLARSHIPS

Abstract

Purpose: This study aims to discover the legal borderline between licit online marketing and illicit privacy-intrusive and manipulative marketing, considering in particular consumers' expectations of privacy. Design/methodology/approach: A doctrinal legal research methodology is applied throughout with reference to the relevant legislative frameworks. In particular, this study analyzes the European Union (EU) data protection law [General Data Protection Regulation (GDPR)] framework (as it is one of the most advanced privacy laws in the world, with strong extra-territorial impact in other countries and consequent risks of high fines), as compared to privacy scholarship on the field and extract a compliance framework for marketers. Findings: The GDPR is a solid compliance framework that can help to distinguish licit marketing from illicit one. It brings clarity through four legal tests: fairness test, lawfulness test, significant effect test and the high-risk test. The performance of these tests can be beneficial to consumers and marketers in particular considering that meeting consumers' expectation of privacy can enhance their trust. A solution for marketers to respect and leverage consumers' privacy expectations is twofold: enhancing critical transparency and avoiding the exploitation of individual vulnerabilities. Research limitations/implications: This study is limited to the European legal framework scenario and to theoretical analysis. Further research is necessary to investigate other legal frameworks and to prove this model in practice, measuring not only the consumers' expectation of privacy in different contexts but also the practical managerial implications of the four GDPR tests for marketers. Originality/value: This study originally contextualizes the most recent privacy scholarship on online manipulation within the EU legal framework, proposing an easy and accessible four-step test and twofold solution for marketers. Such a test might be beneficial both for marketers and for consumers' expectations of privacy. [ABSTRACT FROM AUTHOR]

Published

2023

45. A GDPR Compliant Approach to Assign Risk Levels to Privacy Policies.

Author

Alshamsan, Abdullah R. and Chaudhry, Shafique A.

Subjects

DATA protection laws, GENERAL Data Protection Regulation, 2016, DRUG labeling, PRIVACY, COMPLIANT mechanisms, INTERNET privacy, WEB-based user interfaces

Abstract

Data privacy laws require service providers to inform their customers on how user data is gathered, used, protected, and shared. The General Data Protection Regulation (GDPR) is a legal framework that provides guidelines for collecting and processing personal information from individuals. Service providers use privacy policies to outline the ways an organization captures, retains, analyzes, and shares customers’ data with other parties. These policies are complex and written using legal jargon; therefore, users rarely read them before accepting them. There exist a number of approaches to automating the task of summarizing privacy policies and assigning risk levels. Most of the existing approaches are not GDPR compliant and use manual annotation/labeling of the privacy text to assign risk level, which is time-consuming and costly. We present a framework that helps users see not only data practice policy compliance with GDPR but also the risk levels to privacy associated with accepting that policy. The main contribution of our approach is eliminating the overhead cost of manual annotation by using the most frequent words in each category to create word-bags, which are used with Regular Expressions and Pointwise Mutual Information scores to assign risk levels that comply with the GDPR guidelines for data protection. We have also developed a web-based application to graphically display risk level reports for any given online privacy policy. Results show that our approach is not only consistent with GDPR but performs better than existing approaches by successfully assigning risk levels with 95.1% accuracy after assigning data practice categories with an accuracy rate of 79%. [ABSTRACT FROM AUTHOR]

Published

2023

46. Making Sense of Solid for Data Governance and GDPR.

Author

Pandit, Harshvardhan J.

Subjects

*GENERAL Data Protection Regulation, 2016, *PERSONAL information management, *CLOUD computing, *DATA protection

Abstract

Solid is a new radical paradigm based on decentralising control of data from central organisations to individuals that seeks to empower individuals to have active control of who and how their data is being used. In order to realise this vision, the use-cases and implementations of Solid also require us to be consistent with the relevant privacy and data protection regulations such as the GDPR. However, to do so first requires a prior understanding of all actors, roles, and processes involved in a use-case, which then need to be aligned with GDPR's concepts to identify relevant obligations, and then investigate their compliance. To assist with this process, we describe Solid as a variation of 'cloud technology' and adapt the existing standardised terminologies and paradigms from ISO/IEC standards. We then investigate the applicability of GDPR's requirements to Solid-based implementations, along with an exploration of how existing issues arising from GDPR enforcement also apply to Solid. Finally, we outline the path forward through specific extensions to Solid's specifications that mitigate known issues and enable the realisation of its benefits. [ABSTRACT FROM AUTHOR]

Published

2023

47. How to keep text private? A systematic review of deep learning methods for privacy-preserving natural language processing.

Author

Sousa, Samuel and Kern, Roman

Subjects

DEEP learning, NATURAL language processing, GENERAL Data Protection Regulation, 2016, DATA protection laws

Abstract

Deep learning (DL) models for natural language processing (NLP) tasks often handle private data, demanding protection against breaches and disclosures. Data protection laws, such as the European Union's General Data Protection Regulation (GDPR), thereby enforce the need for privacy. Although many privacy-preserving NLP methods have been proposed in recent years, no categories to organize them have been introduced yet, making it hard to follow the progress of the literature. To close this gap, this article systematically reviews over sixty DL methods for privacy-preserving NLP published between 2016 and 2020, covering theoretical foundations, privacy-enhancing technologies, and analysis of their suitability for real-world scenarios. First, we introduce a novel taxonomy for classifying the existing methods into three categories: data safeguarding methods, trusted methods, and verification methods. Second, we present an extensive summary of privacy threats, datasets for applications, and metrics for privacy evaluation. Third, throughout the review, we describe privacy issues in the NLP pipeline in a holistic view. Further, we discuss open challenges in privacy-preserving NLP regarding data traceability, computation overhead, dataset size, the prevalence of human biases in embeddings, and the privacy-utility tradeoff. Finally, this review presents future research directions to guide successive research and development of privacy-preserving NLP models. [ABSTRACT FROM AUTHOR]

Published

2023

48. Mobile app users' privacy concerns: different heuristics for privacy assurance statements in the EU and China.

Author

Hudson, Sarah and Liu, Yi

Subjects

MOBILE apps, GENERAL Data Protection Regulation, 2016, DATA privacy, PRIVACY, INTERNET privacy

Abstract

Purpose: As mobile apps request permissions from users, protecting mobile users' personal information from being unnecessarily collected and misused becomes critical. Privacy regulations, such as General Data Protection Regulation in the European Union (EU), aim to protect users' online information privacy. However, one's understanding of whether these regulations effectively make mobile users less concerned about their privacy is still limited. This work aims to study mobile users' privacy concerns towards mobile apps by examining the effects of general and specific privacy assurance statements in China and the EU. Design/methodology/approach: Drawing on ecological rationality and heuristics theory, an online experiment and a follow-up validation experiment were conducted in the EU and China to examine the effects of privacy assurance statements on mobile users' privacy concerns. Findings: When privacy regulation is presented, the privacy concerns of Chinese mobile users are significantly lowered compared with EU mobile users. This indicates that individuals in the two regions react differently to privacy assurances. However, when a general regulation statement is used, no effect is observed. EU and Chinese respondents remain unaffected by general assurance statements. Originality/value: This study incorporates notions from fast and frugal heuristics end ecological rationality – where seemingly irrational decisions may make sense in different societal contexts. [ABSTRACT FROM AUTHOR]

Published

2023

49. Consent Verification Monitoring.

Author

ROBOL, MARCO, BREAUX, TRAVIS D., PAJA, ELDA, and GIORGINI, PAOLO

Subjects

SCALABILITY, GENERAL Data Protection Regulation, 2016, DATA privacy

Abstract

Advances in personalization of digital services are driven by low-cost data collection and processing, in addition to the wide variety of third-party frameworks for authentication, storage, and marketing. New privacy regulations,such asthe General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, increasingly require organizations to explicitly state their data practices in privacy policies. When data practices change, a new version of the policy is released. This can occur a few times a year, when data collection or processing requirements are rapidly changing. Consent evolution raises specific challenges to ensuring GDPR compliance. We propose a formal consent framework to support organizations, data users, and data subjects in their understanding of policy evolution under a consent regime that supports both the retroactive and non-retroactive granting and withdrawal of consent. The contributions include (i) a formal framework to reason about data collection and access under multiple consent granting and revocation scenarios, (ii) a scripting language that implements the consent framework for encoding and executing different scenarios, (iii) five consent evolution use cases that illustrate how organizations would evolve their policies using this framework, and (iv) a scalability evaluation of the reasoning framework. The framework models are used to verify when user consent prevents or detects unauthorized data collection and access. The framework can be integrated into a runtime architecture to monitor policy violations as data practices evolve in real time. The framework was evaluated using the five use cases and a simulation to measure the framework scalability. The simulation results show that the approach is computationally scalable for use in runtime consent monitoring under a standard model of data collection and access and practice and policy evolution. [ABSTRACT FROM AUTHOR]

Published

2023

50. Privacy engineering and the techno-regulatory imaginary.

Author

Rommetveit, Kjetil and van Dijk, Niels

Subjects

*DATA protection, *GENERAL Data Protection Regulation, 2016, *PRIVACY

Abstract

The European Union's General Data Protection Regulation (GDPR), in force since 2018, has introduced design-based approaches to data protection and the governance of privacy. In this article we describe the emergence of the professional field of privacy engineering to enact this shift in digital governance. We argue that privacy engineering forms part of a broader techno-regulatory imaginary through which (fundamental) rights protections become increasingly future-oriented and anticipatory. The techno-regulatory imaginary is described in terms of three distinct privacy articulations, implemented in technologies, organizations, and standardizations. We pose two interrelated questions: What happens to rights as they become implemented and enacted in new sites, through new instruments and professional practices? And, focusing on shifts to the nature of boundary work, we ask: What forms of legitimation can be discerned as privacy engineering is mobilized for the making of future digital markets and infrastructures? [ABSTRACT FROM AUTHOR]

Published

2022