255,301 research outputs found

    A European perspective on data processing consent through the re-conceptualization of European data protection’s looking glass after the Lisbon Treaty: Taking rights seriously

    Copyright @ 2012 Kluwer Law International. Reprinted from European Review of Private Law, 20(2): 473 - 506, 2012, with permission of Kluwer Law International. EU data protection law is undergoing a process of reform to meet the challenges of the modern economy and rapid technological developments. This study re-conceptualizes data protection in the EU in light of the enactment of the Treaty of Lisbon and the Charter of Fundamental Rights of the EU. It focuses on data subjects' consent as a key component of data processing legislation - alongside the principles of purpose specification and data quality - to reinforce the view that it is a necessary, though not sufficient, tool to guarantee the declared high level of protection of individuals. To prevent confusion, conflation, or abuse of consent and safeguard the fundamental values to which it is tied, this paper puts forward that additional legal constraints and qualifications would be necessary for the enhancement of its application and enforcement. Soft or libertarian paternalism may be the key to nudge individuals towards the desired social outcome while preserving their individual autonomy. The ultimate suggestion is that EU policy makers should take rights seriously and not be seduced by and surrender to conflicting economic interests.

    Face and emotion recognition on commercial property under EU data protection law

    This paper integrates and cuts through domains of privacy law and biometrics. Specifically, this paper presents a legal analysis on the use of Automated Facial Recognition Systems (the AFRS) in commercial (retail store) settings within the European Union data protection framework. The AFRS is a typical instance of biometric technologies, where a distributed system of dozens of low-cost cameras uses psychological states, sociodemographic characteristics, and identity recognition algorithms on thousands of passers-by and customers. Current use cases and theoretical possibilities are discussed due to the technology’s potential of becoming a substantial privacy issue. First, this paper introduces the AFRS and EU data protection law. This is followed by an analysis of European Data protection law and its application in relation to the use of the AFRS, including requirements concerning data quality and legitimate processing of personal data, which, finally, leads to an overview of measures that traders can take to comply with data protection law, including by means of information, consent, and anonymization

    Certain aspects of personal data protection in the social network: european experience and legislative regulation in Ukraine

    The purpose of this study is to examine some aspects of personal data protection in the social network, a comparative analysis of the protection of personal data in the social network under Ukrainian and European legislation, namely the General Data Protection Regulation of the European Union. The methods used in this work are: dialectical, comparative-legal, formal-logical, analysis and dogmatic interpretation. Each of these methods was used in the study to understand and qualitatively explain to the audience categories the individual aspects of personal data protection on the social network. This article reveals the notion of: personal data in the social network, the features of their collection, storage and protection in accordance with European legislation and the development of proposals aimed at improving these processes in Ukraine. The research also addresses the following issues: Features of managing consent to the processing of personal data that have already been obtained; who can act as an "operator" under EU law and what actions he can take; who can act as "controller" and what functions it performs. The article concludes that there is an urgent need to streamline Ukrainian domestic legislation in line with EU law, which should result in a new law on personal data protection that complies with GDPR norms. As a result, a new law on personal data protection may soon emerge in Ukraine, replacing the outdated Law of Ukraine “On Personal Data Protection” of 01.06.2010, which is a “mirror” of the repealed Directive 95/46/EC of the European Parliament and of the Council.

    "Consented. Or not?": aspects of the validity of consent to the processing of personal data ("Hozzájárult. Vagy mégsem?" : a személyes adatok kezeléséhez történő hozzájárulás érvényességének szempontjai)

    Consent is one of the key principles in the protection of personal data. We may consider the consent of the data subject as a manifestation of the exercise of the right of informational self-determination, which means consent to the processing of the data subject's own personal data. This work seeks to examine what exactly the consent of the data subject covers and what key elements it has under the existing EU legislation and the conditions for its validity. The evaluation is based on the practice of the Hungarian data protection authority (NAIH) and on the most recent case law of the European Court of Justice. When a data controller chooses the consent of the data subject from among the possible legal bases, he/she must take into account several aspects in advance. Consent will only be a legitimate legal basis, if the controller is able to ensure that its conceptual elements are met and as a result the consent is valid. A consent is considered valid under the following conditions: it must reflect the wishes of the data subject; be voluntary, explicit, and informed; prior to processing the data subject is provided with the specific purpose for which the data are processed; it must be specific and actively stated. Besides, the given consent may be withdrawn by the data subject at any time during the processing. These are also cumulative criteria for a consent, because if any of them is missing, we cannot consider the consent valid. The content of some of these conceptual elements of a valid consent is not clarified by the General Data Protection Regulation. To explain these, we have called on the practice of the European Court of Justice, the European Data Protection Board and the NAIH. Through practical examples, we have also analyzed the new and specific data processing situations that can occur in the context of info-communication systems and technologies, which are creating new challenges for data controllers given to the rapid development of this field. 
Overall, this topic has a complex set of criteria, and it is therefore necessary to plan data processing operations carefully, before the consent as a legal basis is used

    (Un)informed consent in Psychological Research: An empirical study on consent in psychological research and the GDPR

    In many instances, psychological research requires the collection and processing of personal data collected directly from research subjects. In principle, the General Data Protection Regulation (GDPR) applies to psychological research which involves the collection and processing of personal data in the European Economic Area (EEA). Further, the GDPR includes provisions elaborating the types of information which should be offered to research subjects when personal data are collected directly from them. Given the general norm that informed consent should be obtained before psychological research involving the collection of personal data directly from research participants should go ahead, the information which should be provided to subjects according to the GDPR will usually be communicated in the context of an informed consent process. Unfortunately, there is reason to believe that the GDPR’s obligations concerning information provision to research subjects may not always be fulfilled. This paper outlines the results of an empirical investigation into the degree to which these information obligations are fulfilled in the context of psychological research consent procedures to which European data protection law applies. Significant discrepancies between the legal obligations to provide information to research subjects, and the information actually provided, are identified.

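    The right to the protection of personal data and its reflection in the consent of the data subject (El derecho a la protección de datos personales y su reflejo en el consentimiento del interesado)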

    Abstract: The General Data Protection Regulation and the Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights have brought a new regulation to the field of data protection; giving, thus, compliance and effectiveness to the right to the protection of personal data, or right to informational self-determination, which content has been constantly evolving in order to face the constant technological advances. This evolution of the right to data protection will be minimal in the case law of the Court of Justice of the European Union and of the European Court of Human Rights, but not in the case of the Constitutional Court of Spain, which resolutions have developed the content of this right, with no stop, staying between the Anglo-Saxon and German doctrinal stream of this fundamental right. As part of the content of the right, in addition, we will have the consent of the data subject, which will be the key piece of data protection, but it is possible that we may find some weakness in the current data protection regulations as far as consent is concerned. Summary: 1. Introduction. 2. The right to data protection in the case law of the Court of Justice of the European Union and the European Court of Human Rights: 2.1. The Court of Justice of the European Union. 2.2. The European Court of Human Rights: respect for the private and family life. 3. The evolution of the right to data protection or informational self-determination: the American or Anglo-saxon stream, the German or European stream and the case law of the Constitutional Court of Spain: 3.1. The right to data protection in the American or Anglo-saxon stream. 3.2. The right to data protection in the German or European stream. 3.3. The evolution of the right to data protection in the case law of the Constitutional Court of Spain. 3.4. Personal data subject to protection. 4. The consent of the data subject as a reflection of the right to the protection of personal data: 4.1. The consent of the data subject in the data protection regulations. 4.2. The consent of the data subject in the Spanish legal framework: between the GDPR and the Spanish Civil Code. 5. Cases outside the consent of the data subject as a mere «indication of the individual’s wishes»: contractual clause and subject matter of contract. 6. Conclusion.

    Patients' genetic data protection in Polish law and EU law

    The article entitled "Patients' genetic data protection in Polish law and EU law - selected issues" presents issues related to the protection of patients' rights and focuses on the legal basis for genetic testing and genetic data protection. Based on a comparison of regulations of international law and regulations on genetic tests introduced in foreign legal systems, the text analyzes the assumptions for the draft of the Polish act on genetic tests performed for health purposes. It presents the patient's consent to testing, the scope of information provided to the patient, the right to disclose research results to related persons and the protection of genetic data. In reference to the regulations set out in other acts, it was noted that they do not guarantee the protection of information obtained as a result of research. Due to the particular nature of genetic data, they require increased protection, which can be guaranteed through implementation of the Act on Genetic Research. In the final part, authors presented the most important achievements of the judicature of European Court of Human Rights in the field of genetic data protection.

    Reconciling U.S. Banking and Securities Data Preservation Rules with European Mandatory Data Erasure Under GDPR

    United States law, which requires financial institutions to retain customer data, conflicts with European Union law, which requires financial institutions to delete customer data on demand. A financial institution operating transnationally cannot comply with both U.S. and EU law. Financial institutions thus face the issue that they cannot possibly delete and retain the same data simultaneously. This Note will clarify the scope and nature of this conflict. First, it will clarify the conflict by examining (1) the relevant laws, which are Europe’s General Data Protection Regulation (GDPR), the U.S. Bank Secrecy Act, and Securities and Exchange Commission (SEC) regulations, (2) GDPR’s application to U.S. financial institutions, and (3) U.S. law’s extraterritorial application to financial institutions operating in Europe, under the U.S. Supreme Court’s Morrison-Kiobel two-step analysis. Second, it will propose a solution by examining international law and U.S. foreign relations law. United States law subjects financial institutions to multiple data retention requirements. Securities regulations require broker-dealers to retain customer account and complaint records. The Bank Secrecy Act of 1970 requires financial institutions to retain customer data for at least five years. Sometimes, banks must permanently retain certain records. GDPR empowers individuals to demand that companies erase their data. Couched in the theory of a right to erasure, GDPR lets customers withdraw their consent for a financial institution to process or retain their data. Violators may face fines of 4 percent of their worldwide revenue. GDPR applies broadly to U.S. data-processors that either (1) are established in the European Union, or (2) monitor or offer to sell goods or services to individuals in the European Union. Establishment is broadly construed by European courts and may be met by “a single representative in the European Union.” In U.S. law, a two-step analysis determines whether and to what extent federal statutes govern conduct abroad. First, courts analyze whether the presumption against extraterritoriality has been rebutted. The presumption derives from the canon that a statute, “unless a contrary intent appears, is meant to apply only within the territorial jurisdiction” of the United States. If the presumption is not rebutted, the court proceeds to the second step, when the court considers the statute’s “focus” and whether the case involves the statute’s domestic application. United States law has domestic application to data stored domestically, and sometimes possibly to data stored internationally; such data operations may also fall under GDPR’s jurisdiction. Then, if a customer asks a financial institution to delete data, the financial institution will face conflicting laws. This Note seeks to resolve the conflict, recommending that courts approach resolution from the framework of the Restatement (Third) of Foreign Relations Law.

    Consent as a basis for the processing of personal data in the Internet of Things (Suostumus henkilötietojen käsittelyn perusteena esineiden internetissä)

    The rise of the Internet of Things (IoT) has brought with itself an unimaginable ease to large-scale collection and sharing of personal data. Such large-scale collection and sharing are often done on the basis of data subject’s consent. Consent enjoys a prominent role in the European data protection framework. Consent has, however, been criticised for not providing individuals with adequate protection in online environments. This problem will only be exacerbated with the rise of IoT as IoT extends the data collection practices of the online environments also to offline environments. The purpose of this thesis is to explore the use of consent in the processing of personal data in the IoT. There are two research questions this thesis aims to answer: i) what are the problems and challenges related to the traditional consent based model in relation to IoT, and ii) is there an alternative way forward to user consent? This will be done through legal doctrinal methodology. However, this thesis will also take an interdisciplinary approach as it also draws from different disciplines than law such as technology, behavioural sciences and economics. This thesis shows that, in digitalized world, consent is neither freely given nor informed; thus, challenging the notion of valid consent. These problems arise from information and power asymmetries that are present between data subjects and controllers. However, IoT also brings with itself a unique set of problems as most IoT devices lack screens and input methods making it hard for individuals to access information and provide consent. Moreover, the unobtrusive and ubiquitous nature of IoT makes data collection activities invisible making it hard to apply transparency principle. It is also predicted that the presence of IoT in public spaces leads to the diminishment of private spaces. In light of this, this thesis discusses some alternative ways forward to user consent. 
The first approach focuses on improving consent, while the second approach aims to shift the focus away from consent by placing accountability on controllers. While both of these alternatives have appeal, they do not come without challenges. Therefore, more research is needed in the field of IoT and data protection