Cross-border Access to E-Evidence: Framing the Evidence. CEPS in Liberty and Security in Europe No. 2020-02, February 2020

This paper aims at situating the policy discourse accompanying current European Union (EU) initiatives on facilitating access by public authorities to data held by private companies, including in scenarios regarded as crossing jurisdictional borders. More concretely, it contextualises these initiatives in light of the absence of publicly available statistical information on some of the issues which are at the very core of these matters. Firstly, the paper presents the three main current developments, that is, the proposed ‘E-evidence package’, the negotiation of an EU-United States (US) agreement facilitating access to e-evidence for the purpose of judicial cooperation in criminal matters, and the participation of the EU in the negotiations in the Council of Europe on a second additional protocol to the Cybercrime Convention, analysing some of the recurrent messages associated with defending the necessity of all these different measures. The Brief then reviews some of the information upon which are being constructed arguments used to purport the need for these developments, by granting particular attention to the Impact Assessment that accompanied the publication of the ‘E-evidence package’. Finally, it suggests that the absence of statistical data might have implications for the assessment of the proportionality of eventual legislative measures

Equilibrio entre propiedad intelectual y protección de datos: el peso oscilante de un nuevo derecho

Les autoritats nacionals que imposen un processament sistemàtic de dades personals a subministradors de serveis d'internet en nom de la protecció de la propietat intel·lectual no troben un equilibri just entre l'interès dels titulars dels drets d'autor a l'hora d'assegurar el seu dret a la propietat intel·lectual amb la protecció de dades personals de les persones afectades per aquest processament. El Tribunal de Justícia de la Unió Europea (UE) ha ratificat dues vegades aquesta idea, en els judicis del 24 de novembre de 2011, en el cas C-70/10, Scarlet Extended SA contra SABAM, i del 16 de febrer de 2011, en el cas C-360/10, SABAM contra Netlog NV. Tanmateix, el postul·lat es basa en una interpretació sense precedents del dret a la protecció de dades personals com a dret fonamental de la UE, i en un enfocament innovador per a equilibrar aquest dret i altres interessos. Aquest article en primer lloc presenta els judicis esmentats. En segon lloc, els ubica en el context de la jurisprudència del Tribunal de Luxemburg de dades personals, posant ènfasi en el poc freqüent reconeixement per part de la institució  de l'existència d'un dret de la UE per a aquesta protecció, que salvaguarda l'article 8 de la Carta dels Drets Fonamentals de la UE, i la seva interpretació canviant de l'objecte de la llei de protecció de dades de la UE. En tercer lloc, l'article descriu la tendència del Tribunal a afirmar la necessitat d'equilibrar els drets fonamentals aplicables al mateix temps que traspassa la responsabilitat de fer-ho. Amb aquest teló de fons, descriu les peculiaritats més sorprenents dels judicis esmentats.National authorities that impose the systematic processing of personal data on Internet service providers in the name of the protection of intellectual property do not strike a fair balance between copyright holders' interest in ensuring their right to intellectual property and the right to personal data protection of those affected by such processing. That idea has twice been upheld by the Court of Justice of the European Union (EU), in its judgements of 24 November 2011, in Case C-70/10, Scarlet Extended SA v SABAM, and of 16 February 2012, in Case C‑360/10, SABAM v Netlog NV. The postulate, however, is based on an unprecedented understanding of the right to the protection of personal data as an EU fundamental right, and on an innovative approach to balancing that right and any other interests. This paper firstly introduces both the aforementioned judgements. Secondly, it places them in the context of the Luxembourg Court's case law on the protection of personal data, emphasising the institution's infrequent recognition of the existence of an EU right to such protection, as safeguarded by Article 8 of the EU Charter of Fundamental Rights, and its changing interpretation of the object of EU data protection law. Thirdly, the paper describes the Court's tendency to affirm the need to balance the applicable fundamental rights while deferring responsibility for actually doing so. Against that backdrop, it describes the most striking peculiarities of the aforementioned judgements.        Las autoridades nacionales que imponen el tratamiento sistemático de datos personales a proveedores de servicios de internet en el nombre de la protección de la propiedad intelectual no garantizan un justo equilibrio entre el interés de los titulares de los derechos de autor de asegurar su derecho a la propiedad intelectual y el derecho a la protección de datos de carácter personal de las personas afectadas por el tratamiento. El Tribunal de Justicia de la Unión Europea (UE) ha mantenido en dos ocasiones esta idea, en sus sentencias del 24 de noviembre de 2011, en el asunto C-70/10, Scarlet Extended SA contra SABAM, y del 16 de febrero de 2011, en el asunto C-360/10, SABAM contra Netlog NV. Sin embargo, el postulado se basa en una interpretación sin precedentes del derecho a la protección de datos de carácter personal como un derecho fundamental de la UE, así como en un enfoque innovador sobre la ponderación entre este derecho y otros intereses. Este artículo presenta en primer lugar los fallos citados. En segundo lugar, los ubica en el contexto de la jurisprudencia del Tribunal de Luxemburgo sobre la protección de datos personales, poniendo énfasis en el poco frecuente reconocimiento por parte de la institución de la existencia de un derecho de la UE de protección de datos de carácter personal, establecido por el artículo 8 de la Carta de los Derechos Fundamentales de la UE, y sobre su cambiante interpretación sobre el objeto de la legislación de protección de datos de la UE. En tercer lugar, se describe la tendencia del Tribunal a afirmar la necesidad de equilibrar los derechos fundamentales aplicables pero delegando al mismo tiempo la responsabilidad de hacerlo. Con este telón de fondo, el artículo describe las peculiaridades más llamativas de las sentencias mencionadas

Cross-border Access to Electronic Data through Judicial Cooperation in Criminal Matters. State of the art and latest developments in the EU and the US. CEPS Liberty and Security in Europe Papers No. 2018-07, November 2018

In the digital age, access to data sought in the framework of a criminal investigation often entails the exercise of prosecuting powers over individuals and material that fall under another jurisdiction. Mutual legal assistance treaties, and the European Investigation Order allow for the lawful collection of electronic information in cross-border proceedings. These instruments rely on formal judicial cooperation between competent authorities in the different countries concerned by the investigative measure. By subjecting foreign actors’ requests for data to domestic independent judicial scrutiny, they guarantee that the information sought during an investigation is lawfully obtained and admissible in court. At the same time, pressure is mounting within the EU and in the US to allow law enforcement authorities’ access to data outside existing judicial cooperation channels. Initiatives such as the European Commission’s proposals on electronic evidence and the CLOUD Act in the US foster a model of direct private–public crossborder cooperation under which service providers receive, assess and respond directly to a foreign law enforcement order to produce or preserve electronic information. This paper scrutinises these recent EU and US initiatives in light of the fundamental rights standards, rule of law touchstones, and secondary norms that, in the EU legal system, must be observed to ensure the lawful collection and exchange of data for criminal justice purposes. A series of doubts are raised as to the Commission e-evidence proposal and the CLOUD Act’s compatibility with the legality, necessity and proportionality benchmarks provided under EU primary and secondary law

Huber, Marper and Others: Throwing new light on the shadows of suspicion. INEX Policy Brief No. 8, June 2010

The proliferation of large-scale databases containing personal information, and the multiple uses to which they can be put, can be highly problematic from the perspective of fundamental rights and freedoms. This paper discusses two landmark decisions that illustrate some of the risks linked to these developments and point to a better framing of such practices: the Heinz Huber v. Germany judgement, from the European Court of Justice, and the S. and Marper v. United Kingdom ruling, from the European Court of Human Rights. The paper synthesises the lessons to be learnt from such decisions. Additionally, it questions the impact of the logic of pure prevention that is being combined with other rationales in the design and management of databases. This Policy Brief is published in the context of the INEX project, which looks at converging and conflicting ethical values in the internal/external security continuum in Europe, and is funded by the Security Programme of DG Enterprise of the European Commission’s Seventh Framework Research Programme. For more information visit: www.inexproject.e

¿Hasta qué punto está desinformada la persona interesada? Una búsqueda de parámetros en la protección de datos personales de la UE

Les obligacions d’informació sempre han estat un element essencial de les lleis de protecció de dades personals. Reforçar aquestes obligacions és una de les prioritats del paquet legislatiu introduït el 2012 per la Comissió Europea per tal de definir el panorama legal en matèria de protecció de dades personals de la Unió Europea (UE). Els responsables del tractament de dades personals (els controladors de dades) han de transmetre obligatòriament determinada informació a les persones de qui es processen aquestes dades (les persones interessades) i s’espera que ho facin d’una manera cada cop més «transparent». Tanmateix, més enllà d’aquests requisits d’informació puntual, les persones interessades sempre sembla que es troben –i inevitablement hi romanen– en un estat de relativa ignorància, gairebé en una necessitat constant de noves orientacions. Actualment, se solen descriure com consumidors desinformats que desconeixen el funcionament dels serveis en línia, serveis que s’apoderen subreptíciament de dades personals considerades valuoses. Tenint en compte tot això, aquest article explora críticament la manera com la legislació de la UE concep les persones interessades en termes de coneixement, analitza l’origen i l’evolució de les obligacions d’informació en la legislació europea sobre protecció de dades personals i es pregunta si el fet de concebre les persones interessades com a consumidores és conseqüent amb la noció de consumidor mitjà que funciona en la legislació sobre consum de la UE. En darrer lloc, afirma que potser ha arribat el moment d’aclarir obertament quan les persones interessades estan il·lícitament mal informades i assenyala que, mentrestant, podrien no solament beneficiar-se d’accedir a una informació més «transparent» sinó també de conèixer millor les limitacions de la informació que tenen a la seva disposició.Information obligations have always been crucial in personal data protection law. Reinforcing these obligations is one of the priorities of the legislative package introduced in 2012 by the European Commission to redefine the personal data protection legal landscape of the European Union (EU). Those responsible for processing personal data (the data controllers) must imperatively convey certain pieces of information to those whose data is processed (the data subjects), and they are expected to do so in an increasingly transparent manner. Beyond these punctual information requirements, however, data subjects appear to always be and inevitably remain in a state of relative ignorance, as in almost constant need of further guidance. Data subjects are nowadays often depicted as unknowing consumers of online services, services which surreptitiously take away from them personal data thus conceived as a valuable asset. In light of these developments, this contribution critically investigates how EU law is envisaging data subjects in terms of knowledge. The paper reviews the birth and evolution of information obligations as an element of European personal data protection law, and asks whether thinking of data subjects as consumers is consistent with the notion of average consumer functioning in EU consumer law. Finally, it argues that the time might have come to openly clarify when data subjects are unlawfully misinformed, and that, in the meantime, individuals might benefit not only from accessing more transparent information, but also from being made more aware of the limitations of the information available to them.   Las obligaciones de información siempre han sido un elemento esencial de las leyes de protección de datos personales. Reforzar estas obligaciones es una de las prioridades del paquete legislativo introducido en 2012 por la Comisión Europea para definir el panorama legal en materia de protección de datos personales de la Unión Europea (UE). Los responsables del tratamiento de datos personales (los controladores de datos) tienen que transmitir obligatoriamente determinada información a las personas de quienes se procesan estos datos (las personas interesadas) y se espera que lo hagan de forma cada vez más «transparente». Sin embargo, más allá de estos requisitos de información puntual, las personas interesadas siempre parece que se encuentran –e inevitablemente permanecen– en un estado de relativa ignorancia, casi en una necesidad constante de nuevas orientaciones. Actualmente, suelen describirse como consumidores desinformados que desconocen el funcionamiento de los servicios en línea, servicios que se apoderan subrepticiamente de datos personales considerados valiosos. Teniendo en cuenta todo esto, este artículo explora críticamente la manera como la legislación de la UE concibe a las personas interesadas en términos de conocimiento, analiza el origen y la evolución de las obligaciones de información en la legislación europea sobre protección de datos personales y se pregunta si el hecho de concebir a las personas interesadas como consumidoras es consecuente con la noción de consumidor mediano que funciona en la legislación sobre consumo de la UE. En último lugar, sostiene que quizás ha llegado el momento de aclarar abiertamente cuándo las personas interesadas están ilícitamente mal informadas y señala que, mientras, podrían beneficiarse no tan solo de acceder a una información más «transparente» sino también de conocer mejor las limitaciones de la información que tienen a su disposición

Access to Electronic Data by Third-Country Law Enforcement Authorities, Challenges to EU Rule of Law and Fundamental Rights. Center for European Policy Studies, 2015

This study examines the challenges posed to European law by third country access to data held by private companies for the purposes of law enforcement. It pays particular attention to the implications for rule of law and fundamental rights of foreign authorities’ direct access to electronic information falling outside pre-established channels of supranational cooperation. A special focus is given to EU-US relations and the practical issues emerging in transatlantic relations covering mutual legal assistance and evidence gathering for law enforcement purposes in criminal proceedings

Water bodies typology system: a Chilean case of scientific stakeholders and policy makers dialogue

The aim of this project was to obtain a scientists-validated Typology System, which would allow to classify the surface waters bodies in Chile and, therefore, to facilitate the environmental institutional water management in the country. For this, during the years 2009 and 2011, a Typology System for the surface freshwater bodies was developed for Chile based on the methodology described by the Water Framework Directive of the European Union, which was adapted to local features through the knowledge of limnologist experts in the country, as well as policy makers' experience and their management requirements . In a first stage, national ecoregions were developed and abiotic variables were defined to compose the Typology System. The resulted Typology System for lakes and rivers was generated following an a priori and top down approach to difference biocenosis, based on geomorphologic, hydrologic and physic criteria. In a second stage, the proposed Typology System was validated by experts and policy makers, in which process new arrangements were included in the system. The working methodology used for both stages was bibliographic review, interviews to local experts in biocenosis and workshops. It is specially highlighted the participative processes and discussions in which all the agents involved were present, all of which resulted in the creation of a valid system from a scientific point of view and a product that is applicable to the necessities of the environmental institutions of the country. This work represents a successful experience in the improvement of the communication between scientists and politicians in Chile, which is a relevant factor for the elaboration of more efficient and effective environmental policies, integrating not only management and economic issues, but also more technical aspects that can influence in the final success of any long term strategy. For this reason, the replication of this kind of experiences, as well as the stimulation of new instances of communication between these actors, can contribute to reduce the gap between science and politic

Constitutionalising the Security Union: Effectiveness, Rule of Law and Rights on Countering Terrorism and Crime. CEPS Paperback, 21 November 2017

This collective volume offers a multidisciplinary examination of the critical issues and challenges associated with the EU’s initiative to build a Security Union, particularly in relation to common policies adopted at the member state level aimed at countering terrorism and crime. It delves into the EU’s efforts to support cross-border investigations, the exchange of information and international cooperation, taking stock of the effects on freedom and privacy. The various authors offer key research findings, which contributed to the European Commission’s 2017 Comprehensive Assessment of EU Security Policy. They identify and explore the main constitutional dilemmas facing the Security Union concerning EU standards enshrined in the Lisbon Treaty and the commitments undertaken in the context of the EU Better Regulation agenda. Hence, this timely examination of EU security policies sheds light on their effectiveness, proportionality, fundamental rights and societal implications

Magnetic resonance imaging reference values for cardiac morphology, function and tissue composition in adolescents.

BACKGROUND Cardiovascular magnetic resonance (CMR) is a precise tool for the assessment of cardiac anatomy, function, and tissue composition. However, studies providing CMR reference values in adolescence are scarce. We aim to provide sex-specific CMR reference values for biventricular and atrial dimensions and function and myocardial relaxation times in this population. METHODS Adolescents aged 15-18 years with no known cardiovascular disease underwent a non-contrast 3-T CMR scan between March 2021 and October 2021. The imaging protocol included a cine steady-state free-precession sequence for the analysis of chamber size and function, as well as T2-GraSE and native MOLLI T1-mapping for the characterization of myocardial tissue. FINDINGS CMR scans were performed in 123 adolescents (mean age 16 ± 0.5 years, 52% girls). Mean left and right ventricular end-diastolic indexed volumes were higher in boys than in girls (91.7 ± 11.6 vs 78.1 ± 8.3 ml/m2, p < 0.001; and 101.3 ± 14.1 vs 84.1 ± 10.5 ml/m2, p < 0.001), as was the indexed left ventricular mass (48.5 ± 9.6 vs 36.6 ± 6.0 g/m2, p < 0.001). Left ventricular ejection fraction showed no significant difference by sex (62.2 ± 4.1 vs 62.8 ± 4.2%, p = 0.412), whereas right ventricular ejection fraction trended slightly lower in boys (55.4 ± 4.7 vs. 56.8 ± 4.4%, p = 0.085). Indexed atrial size and function parameters did not differ significantly between sexes. Global myocardial native T1 relaxation time was lower in boys than in girls (1215 ± 23 vs 1252 ± 28 ms, p < 0.001), whereas global myocardial T2 relaxation time did not differ by sex (44.4 ± 2.0 vs 44.1 ± 2.4 ms, p = 0.384). Sex-stratified comprehensive percentile tables are provided for most relevant cardiac parameters. INTERPRETATION This cross-sectional study provides overall and sex-stratified CMR reference values for cardiac dimensions and function, and myocardial tissue properties, in adolescents. This information is useful for clinical practice and may help in the differential diagnosis of cardiac diseases, such as cardiomyopathies and myocarditis, in this population. FUNDING Instituto de Salud Carlos III (PI19/01704).Instituto de Salud Carlos III (PI19/01704). The authors are indebted to the adolescents who participated in this study. Rodrigo Fernández-Jiménez is recipient of grant PI19/01704 by the Instituto de Salud Carlos III (ISCIII) - Fondo de Investigación Sanitaria and the European Regional Development Fund/European Social Fund (A way to make Europe/Investing in your future), which funded the EnIGMA (Early ImaGing Markers of unhealthy lifestyles in Adolescents) study. Jesús Martínez-Gómez was a postgraduate fellow of the Ministerio de Ciencia e Innovación at the Residencia de Estudiantes (2020–2022) and is a recipient of grant FPU21/04891 (Ayudas para la formación de profesorado universitario, FPU-2021) from the Ministerio de Educación, Cultura y Deporte Gloria Santos-Beneit is recipient of grant LCF/PR/MS19/12220001 funded by ““la Caixa” Foundation (ID 100010434). The SHE Foundation is supported by “la Caixa” Foundation (LCF/PR/CE16/10700001). The CNIC is supported by the ISCIII, the Ministerio de Ciencia e Innovación (MCIN) and the Pro CNIC Foundation and is a Severo Ochoa Center of Excellence (grant CEX2020-001041-S funded by MICIN/AEI/10.13039/501100011033). Simon Bartlett (CNIC) provided English editing.S

The right to lodge a data protection complaint : ok, but then what? : an empirical study of current practices under the GDPR

Access to data protection remedies constitutes a core element of the enforcement of the General Data Protection Regulation (GDPR). Individuals confronted with a data protection infringement have the right to turn directly to the judiciary (Article 79 of the GDPR), but they have also the right to lodge a complaint with a Data Protection Authority (DPA) (Article 77 of the GDPR). They can lodge a complaint at the Member State of their habitual residence, of their place of work, or of the Member State of the place of the alleged data protection infringement. Data subjects also have the right to an effective judicial remedy against the decisions of DPAs, as well as in case of lack of action or lack of information about the outcome or progress of their complaint (Article 78 of the GDPR). Individuals can decide to mandate certain civil society organisations to represent them in front of DPAs, or in front of courts (Article 80 of the GDPR). This study examines current DPA practices related to their obligation to facilitate the submission of complaints, granting special attention to the connection between this obligation and the right to an effective judicial remedy against DPAs. It combines legal analysis and the observation of DPA websites, together with insights obtained from the online public register of decisions adopted under the ‘one-stop-shop’ mechanism.Published in June 202