Data protection and the legitimate interest of data controllers: much ado about nothing or the winter of rights?

EU data protection law is in a process of reform to meet the challenges of the modern economy and rapid technological developments. This study analyses the legitimate interest of data controllers as a legal basis for processing personal data under both the current data protection legislation and its proposed reform. The relevant provision expands the scope of lawful processing, but is formulated ambiguously, creating legal uncertainty and loopholes in the law. The new proposed regime does not resolve the problem.Taking a“rights” perspective, the paper aims to show that the provision should be narrowly interpreted in light of the ECJ case law, and to give effect to the Charter of Fundamental Rights; a rephrasing of the norm is desirable. The provision on the legitimate interest of data controllers weakens the legal protection of data subjects

Law Firm Cybersecurity: The State of Preventative and Remedial Regulation Governing Data Breaches in the Legal Profession

With the looming threat of the next hacking scandal, data protection efforts in law firms are becoming increasingly crucial in maintaining client confidentiality. This paper addresses ethical and legal issues arising with data storage and privacy in law firms. The American Bar Association’s Model Rules present an ethical standard for cybersecurity measures, which many states have adopted and interpreted. Other than state legislation mandating timely disclosure after a data breach, few legal standards govern law firm data breaches. As technology advances rapidly, the law must address preventative and remedial measures more effectively to protect clients from data breaches caused by outdated or ineffective cybersecurity procedures in law firms. These measures should include setting a minimum standard of care for data security protection and creating a private cause of action for individuals whose personal information has been improperly accessed because of a failure to comply with those standards

Cross-border data protection: Applicable law and territorial powers of national data protection supervisors

An analysis of the European Court of Justice preliminary ruling in Case C-230/14 Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, on the interpretation of two important aspects of Directive 95/46/EC, namely, the applicable law, and territorial reach of national data protection authorities. The Court ruled that the data protection legislation of a member state may be applied by the national data protection authority to a foreign registered company which exercises, through stable arrangements, real and effective (albeit minimal) activity in that member state; a ruling that potentially increases compliance costs for entities operating across multiple European jurisdictions pending the introduction of the proposed General Data Protection Regulation

Legal Origin, Shareholder Protection and the Stock Market: New Challenges from Time Series Analysis

This paper uses a new time series dataset of shareholder protection consisting of 60 annual legal indicators for the period 1970-2005 for France, Germany, the UK and the US. On the basis of these data it examines developments in shareholder protection and reassesses the claims that common-law countries have better shareholder protection than civil law countries. Furthermore it examines the relationship between legal changes and stock market development. It casts serious doubt on the claim that common-law countries have better shareholder protection which in turn leads to more stock market development.Stock Market, Corporate Governance, Financial Development, Leximetrics

Technology, privacy and identity: a Hong Kong perspective

This article explores the concepts of privacy and identity in Hong Kong in relation to the law relating to data protection. It first considers the notions of privacy and identity in the light of Hong Kong's socioeconomic situation and recent postcolonial heritage. It then highlights the importance of identity management and considers the distinctions and overlaps between identity management and privacy protection. With this conceptual framework in mind, the article then considers the various laws in Hong Kong pertaining to data protection, with a focus on the aspects relating to identity management. It observes that while there is some legal protection in respect of the data relating to an individual's identity, there are other priorities which may take precedence in determining the extent of identity management under the legal system in Hong Kong. Finally, recommendations are made as to how to improve identity management within the context of data protection in Hong Kong

The 'Europeanisation' of data protection law

EU data protection law has, to date, been monitored and enforced in a decentralised way by independent supervisory authorities in each Member State. While the independence of these supervisory authorities is an essential element of EU data protection law, this decentralised governance structure has led to competing claims from supervisory authorities regarding the national law applicable to a data processing operation and the national authority responsible for enforcing the data protection rules. These competing claims, evident in investigations conducted into the data protection compliance of Google and Facebook, jeopardise the objectives of the EU data protection regime. The new General Data Protection Regulation will revolutionise data protection governance by providing for a centralised decision-making body, the European Data Protection Board. While this agency will ensure the ‘Europeanisation’ of data protection law, given the nature and the extent of this Board’s powers it marks another significant shift in the EU’s agency-creating process and must therefore also be considered in its broader EU context

The internal and external constraints of data protection on competition law in the EU

Personal data has both an economic and a dignitary value. This begs the question of whether competition law should respect the dual nature of personal data, given that the regulation of competition is chiefly dictated by economic concerns. This article addresses that question by mapping the potential intersections between EU data protection law and competition law. In particular, it argues that data protection law exercises an internal and an external constraint on competition law. On the one hand, competition law involves judgments about ‘normal competition’ and consumer welfare which may require a normative contribution by data protection law. Using data protection as a normative benchmark in this way does not depart from the logic of competition law as data protection still requires a competitive concern hook on which to hang. Data protection would thus act as an ‘internal constraint’ on competition law. On the other hand, regardless of such logic, competition authorities are bound to respect the fundamental right to data protection. This requires them to restrict the scope of competition law and to guarantee the effectiveness of that fundamental right. In this way, data protection acts as an ‘external constraint’ on competition law. Recognising these constraints would pave the way for a more coherent EU law approach to consumer concerns in a digital society

From Space to Earth: assessing the legal framework of big data in the space technologies sector

The amount of data and information collected and processed by space technologies, in particular through Earth observation programs and telecommunication services, is increasing day by day. Meanwhile, the socio-economic environment surrounding such activities is rapidly changing: data are employed for new purposes, private actors are involved in the dissemination of these information and new users get access to space data. In this context, international law is required to addressed the new challenges deriving from such changes such as the protection of data protection and the right to privacy. The paper aims at analysing the state of the art, focusing on the main provisions of international space law, including both hard law and soft law instruments, covering the collection and dissemination of space data, especially those coming from remote sensing satellites. Then, the focus will shift on assessing the scope of application of new legal provisions which are applicable to this matter, in particular the recent regulation on data protection adopted by the European Union (GDPR). In conclusion, the research aims at assessing a legal framework for the big data, which represents a necessary step to minimize the risks and maximize the benefits stemming from those technologies

European Court of Human Rights : Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland

The Grand Chamber judgment of European Court of Human Rights (ECtHR) finds that a prohibition issued by the Finnish Data Protection Board that prohibited two media companies from publishing personal taxation data in the manner and to the extent they had published these data before, is to be considered as a legal, legitimate and necessary interference with the applicants’ right to freedom of expression and information. The ECtHR approves the approach of the Finnish authorities denying the applicants’ claim to rely on the exception of journalistic activities within the law of protection of personal data