The 'Europeanisation' of data protection law

EU data protection law has, to date, been monitored and enforced in a decentralised way by independent supervisory authorities in each Member State. While the independence of these supervisory authorities is an essential element of EU data protection law, this decentralised governance structure has led to competing claims from supervisory authorities regarding the national law applicable to a data processing operation and the national authority responsible for enforcing the data protection rules. These competing claims, evident in investigations conducted into the data protection compliance of Google and Facebook, jeopardise the objectives of the EU data protection regime. The new General Data Protection Regulation will revolutionise data protection governance by providing for a centralised decision-making body, the European Data Protection Board. While this agency will ensure the ‘Europeanisation’ of data protection law, given the nature and the extent of this Board’s powers it marks another significant shift in the EU’s agency-creating process and must therefore also be considered in its broader EU context

The ICO Consults on the Future of Information Rights Regulation

The Information Commissioner’s Office (ICO) is asking for input on the future regulation of information rights in the UK. LSE’s Orla Lynskey looks at the draft document put out for consultation and points out what in particular merits notice and response

Looking through a legal PRISM at UK and US intelligence agency surveillance

The uncovering of the PRISM programme has concerned many that the UK authorities are circumventing the legal framework and gathering data on its own citizens via US surveillance agencies. Orla Lynskey describes the statutory controls that exist regarding data sharing with the US and explores whether they are adequate to protect UK citizens’ privacy. She concludes that there are little safeguards and redress opportunities for non-US persons, and that EU Data Protection regulation is, at present, toothless once international data transfers have been made. On the bright side, the revelation has brought the issue of government surveillance to the fore

Control over personal data in a digital age: Google Spain v AEPD and Mario Costeja Gonzalez

In the Google Spain judgment, the Grand Chamber of the EU Court of Justice determined the circumstances in which a search engine is obliged to remove links to data pertaining to an individual from the results displayed. The Court also considered the material and territorial scope of the EU data protection rules. This note argues that the Court's findings, which have been heavily criticised, are normatively coherent. The broad scope of application of data protection rules and the right of individuals to have their data deleted when certain conditions are fulfilled both play a part in granting individuals effective control over their personal data – an objective of EU data protection law

Grappling with "data power": normative nudges from data protection and privacy

The power exercised by technology companies is attracting the attention of policymakers, regulatory bodies and the general public. This power can be categorized in several ways, ranging from the "soft power" of technology companies to influence public policy agendas to the "market power" they may wield to exclude equally efficient competitors from the marketplace. This Article is concerned with the "data power" exercised by technology companies occupying strategic positions in the digital ecosystem. This data power is a multifaceted power that may overlap with economic (market) power but primarily entails the power to profile and the power to influence opinion formation. While the current legal framework for data protection and privacy in the EU imposes constraints on personal data processing by technology companies, it ostensibly does so without regard to whether or not they have "data power." This Article probes this assumption. It argues that although this legal framework does not explicitly impose additional legal responsibilities on entities with "data power," it provides a clear normative indication to do so. The volume and variety of data and the reach of data-processing operations seem to be relevant when assessing both the extent of obligations on technology companies and the impact of data processing on individual rights. The Article suggests that this finding provides the normative foundation for the imposition of a "special responsibility" on such firms, analogous to the "special responsibility" imposed by competition law on dominant companies with market power. What such a "special responsibility" might entail in practice will be briefly outlined and relevant questions for future research will be identified

Towards a holistic approach to effective data protection

Existing data protection frameworks are premised on the belief that individuals should have certain rights in relation to this personal data. However, the complexities and scale of online data use mean that the control of personal data and key decisions regarding its processing cannot be left to individuals. Orla Lynskey writes that competition law should be applied in a way that assists in developing a more holistic approach to effective data protection

Automation in education - is EdTech a threat to public values?

Educational technology (EdTech) plays a growing part in education across Europe. Orla Lynskey writes that while this technology has the potential to help students learn more effectively, it also presents serious challenges for public values such as equality and proportionality

Regulating 'platform power'

Increasing regulatory and doctrinal attention has recently focused on the problem of ‘platform power’. Yet calls for regulation of online platforms fail to identify the problems such regulation would target, and as a result appear to lack merit. In this paper, two claims are advanced. First, that the concept of ‘platform power’ is both an under and over-inclusive regulatory target and, as such, should be replaced by the broader concept of a ‘digital gatekeeper’. Second, that existing legal mechanisms do not adequately reflect the power over information flows and individual behaviour that gatekeepers can exercise. In particular, this gatekeeper power can have implications for individual rights that competition law and economic regulation are not designed to capture. Moreover, the technological design, and complexity, of digital gatekeepers renders their operations impervious to scrutiny by individual users, thereby exacerbating these potential implications

Deficient by design? The transnational enforcement of the GDPR

Four years following the entry into force of the EU data protection framework (the GDPR), serious questions remain regarding its enforcement, particularly in transnational contexts. While this transnational under-enforcement is often attributed to the role of key national authorities in the GDPR’s procedures, this paper identifies more systemic flaws. It examines whether the GDPR procedures are deficient-by-design and, if not, how these flaws might be addressed. The conclusions reached inform our understanding of how to secure effective protection of the EU Charter right to data protection. They are also of significance to EU law enforcement more generally given the increasing prevalence of composite decision-making as the mechanism of choice to administer EU law

Family ties: the intersection between data protection and competition in EU Law

Personal data has become the object of trade in the digital economy, and companies compete to acquire and process this data. This rivalry is subject to the application of competition law. However, personal data also has a dignitary dimension which is protected through data protection law and the EU Charter rights to data protection and privacy. This paper maps the relationship between these legal frameworks. It identifies the commonalities that facilitate their intersection, whilst acknowledging their distinct methods and aims. It argues that when the material scope of these legal frameworks overlap, competition law can incorporate data protection law as a normative yardstick when assessing non-price competition. Data protection can thus act as an internal constraint on competition law. In addition, it advocates that following the legal and institutional changes brought about by the Lisbon Treaty, data protection and other fundamental rights also exercise an external constraint on competition law and, in certain circumstances, can prevent or shape its application. As national and supranational regulators grapple with the challenge of developing a dynamic information economy that respects fundamental rights, recognition of these constraints would pave the way for a more coherent EU law approach to a digital society