The future of consumer data protection in the E.U. Rethinking the “notice and consent” paradigm in the new era of predictive analytics

The new E.U. proposal for a general data protection regulation has been introduced to give an answer to the challenges of the evolving digital environment. In some cases, these expectations could be disappointed, since the proposal is still based on the traditional main pillars of the last generation of data protection laws. In the field of consumer data protection, these pillars are the purpose specification principle, the use limitation principle and the “notice and consent” model. Nevertheless, the complexity of data processing, the power of modern analytics and the “transformative” use of personal information drastically limit the awareness of consumers, their capability to evaluate the various consequences of their choices and to give a free and informed consent. To respond to the above, it is necessary to clarify the rationale of the “notice and consent” paradigm, looking back to its origins and assessing its effectiveness in a world of predictive analytics. From this perspective, the paper considers the historical evolution of data protection and how the fundamental issues coming from the technological and socio-economic contexts have been addressed by regulations. On the basis of this analysis, the author suggests a revision of the “notice and consent” model focused on the opt-in and proposes the adoption of a different approach when, such as in Big Data collection, the data subject cannot be totally aware of the tools of analysis and their potential output. For this reason, the author sustains the provision of a subset of rules for Big Data analytics, which is based on a multiple impact assessment of data processing, on a deeper level of control by data protection authorities, and on the different opt-out model

Toward a New Approach to Data Protection in the Big Data Era

The complexity of data processing, the power of modern analytics, and the transformative use of personal information drastically limit the awareness of consumers about how their data is collected and used and preclude their ability to give free and informed consent. These elements lead us to reconsider the role of user’s self-determination in data processing and the “notice and consent” model

Il futuro regolamento EU sui dati personali e la valenza ‘politica’ del caso Google: ricordare e dimenticare nella digital economy

The decision of the European Court of Justice on the right to be forgotten seems to be oriented to anticipate some aspects of the ongoing reform of the EU data protection and to reopen the discussion on the right to erasure. In the same way, the «reaction» adopted by Google intends to point out the criticisms related to the decision, in the light of the future regulation. The solutions suggested by the court are consistent with the existing legal framework, but not adequate with regard to the state-of-the-art. For this reason, the future regulation should consider the peculiar nature of the search engine as data controller. From this perspective, a potential solution is represented by a specific provision that introduces a temporary removal of the link from the list of results, on the basis of the data subject’s request. If, in a given lapse of time, the data subject does not make a legal action, the link is reactivated

On the use of fingernail images as transient biometric identifiers

The significant advantages that biometric recognition technologies offer are in danger of being left aside in everyday life due to concerns over the misuse of such data. The biometric data employed so far focuses on the permanence of the characteristics involved. A concept known as ‘the right to be forgotten’ is gaining momentum in international law and this should further hamper the adoption of permanent biometric recognition technologies. However, a multitude of common applications are short-term and, therefore, non-permanent biometric characteristics would suffice for them. In this paper we discuss ‘transient biometrics,’ i.e. recognition via biometric characteristics that will change in the short term and show that images of the fingernail plate can be used as a transient biometric with a useful life-span of less than 6 months. A direct approach is proposed that requires no training and a relevant evaluation dataset is made publicly available

Responsabilità aquiliana per uso della Rete e responsabilità del provider

L'autore delinea in senso critico gli orientamenti emersi in Europa e negli Stati Uniti con riferimento alla responsabilità degli intermediari ed alla loro regolamentazione

Articolo 36 Consultazione preventiva

Commento all'art. 36 del Regolamento (UE) 2016/67

Articolo 35 Valutazione d'impatto sulla protezione dei dati

Valutazione d’impatto sulla protezione dei dati, analisi e commento dell'art. 35 del Regolamento (UE) 2016/67

Uranio impoverito: i danni da esposizione e le responsabilità

I danni correlati all’esposizione all’uranio impoverito che hanno colpito i militari italiani rivestono caratteristiche peculiari, tali da farli rientrare nella categoria dei danni di massa. Questa connotazione ha inciso sul coinvolgimento dello Stato nel far fronte a simili pregiudizi, specie alla luce degli orientamenti assunti dalle corti in materia. In tale prospettiva, lo scritto si sofferma sui diversi profili inerenti la responsabilità del Ministero della Difesa

Teens online and data protection in Europe

Based on the analysis of teenagers' online behavior, as described in empirical studies and in literature, the article focuses on how the related issues are addressed by the EU proposal for a new general data protection regulation