All or nothing: this is the question? The application of article 3(2) Data Protection Directive 95/46/EC to the Internet

The Data Protection Directive 95/46/EC (hereinafter the “Directive”) was passed in 1995 to harmonise the national data protection laws within the European Community with the aim of protecting the fundamental rights and freedoms of individuals including their privacy as set out under Art. 1 of the Data Protection Directive. The rules governing the processing of personal data are deemed to be inapplicable in the two instances outlined by Art.3(2). Processing of personal data taking place as part of activities falling outside of Community law are excluded from the DPD. The Directive is also deemed to be inapplicable if the processing of personal data is undertaken by a natural person in the course of a purely personal or household activity. It is the second part of Art. 3(2), which is examined in more detail. The ruling by the European Court of Justice in Lindqvist provides us with a fresh opportunity to re-examine whether the policy justifications for the exclusion under Art 3(2) continue to remain relevant in the light of widespread use of new technologies such as blogs, podcasts and web pages for processing and distributing information. Greater clarity regarding the implication of new communication technologies for DPD policy is necessary if the laws on data protection are to evolve in a coherent and principled manner

Identity principles in the digital age: a closer view

Identity and its management is now an integral part of web-based services and applications. It is also a live political issue that has captured the interest of organisations, businesses and society generally. As identity management systems assume functionally equivalent roles, their significance for privacy cannot be underestimated. The Centre for Democracy and Technology has recently released a draft version of what it regards as key privacy principles for identity management in the digital age. This paper will provide an overview of the key benchmarks identified by the CDT. The focus of this paper is to explore how best the Data Protection legislation can be said to provide a framework which best maintains a proper balance between 'identity' conscious technology and an individual's expectation of privacy to personal and sensitive data. The central argument will be that increased compliance with the key principles is not only appropriate for a distributed privacy environment but will go some way towards creating a space for various stakeholders to reach consensus applicable to existing and new information communication technologies. The conclusion is that securing compliance with the legislation will prove to be the biggest governance challenge. Standard setting and norms will go some way to ease the need for centralised regulatory oversight

Do algorithms dream of ‘data’ without bodies?

The question whether algorithms dream of ‘data’ without bodies is asked with the intention of highlighting the material conditions created by wearables for fitness and health, reveal the underlying assumptions of the platform economy regarding individuals’ autonomy, identities and preferences and reflect on the justifications for intervention under the General Data Protection Regulation. The article begins by highlighting key features of platform infrastructures and wearables in the health and fitness landscape, explains the implications of algorithms automating, what can be described as ‘rituals of public and private life’ in the health and fitness domain, and proceeds to consider the strains they place on data protection law. It will be argued that technological innovation and data protection rules played a part in setting the conditions for the mediated construction of meaning from bodies of information in the platform economy

Datafication as Parenthesis: Reconceptualizing the Best Interests of the Child Principle in Data Protection Law

The objective of this article is to shed light on a question that has considerable policy significance for the child as a data subject under the General Data Protection Regulation 2016 (‘Regulation 2016/679’) – how can we better integrate the best interests of the child principle, including the emphasis placed by the United Nations Convention on the Rights of the Child (CRC) on respecting a child's autonomy and development in a datafied environment? This article lays the foundation to an answer in three steps. First, it questions whether the political act of integrating the lifeworlds of children into digital infrastructures of the personal data economy and structuring of responsibilities to be owed by data controllers through data protection rules and principles is truly empowering. Second, it uses the dialectical relationship between critical infrastructures in the datafied environment and data protection rules to explain the ramifications of the analytical shift from children's rights to information rights, for conceptions and understandings of autonomy, agency and best interests. Third, CRC provisions will be used to expose the incompatibility of the ontological turn initiated by data protection rules and platform infrastructures with received understandings of the best interests of the child principle. The article concludes with an account of how the present gulf that exists in the understanding of the role of CRC and their application in data protection policymaking in a datafied environment could be bridged