@article{Bod\'{o}2021b,

title = {Personal data ordering in context: the interaction of meso-level data governance regimes with macro frameworks},

author = {Bod\'{o}, B. and Irion, K. and Janssen, H. and Giannopoulou, A.},

url = {https://policyreview.info/articles/analysis/personal-data-ordering-context-interaction-meso-level-data-governance-regimes},

doi = {10.14763/2021.3.1581},

year  = {2021},

date = {2021-10-11},

urldate = {2021-10-11},

journal = {Internet Policy Review},

volume = {10},

number = {3},

abstract = {The technological infrastructures enabling the collection, processing, and trading of data have fuelled a rapid innovation of data governance models. We differentiate between macro, meso, and micro level models, which correspond to major political blocks; societal-, industry-, or community level systems, and individual approaches, respectively. We focus on meso-level models, which coalesce around: (1) organisations prioritising their own interests over interests of other stakeholders; (2) organisations offering technological and legal tools aiming to empower individuals; (3) community-based data intermediaries fostering collective rights and interests. In this article we assess these meso-level models, and discuss their interaction with the macro-level legal frameworks that have evolved in the US, the EU, and China. The legal landscape has largely remained inconsistent and fragmented, with enforcement struggling to keep up with the latest developments. We argue, first, that the success of meso-logics is largely defined by global economic competition, and, second, that these meso-logics may potentially put the EU’s macro-level framework with its mixed internal market and fundamental rights-oriented model under pressure. We conclude that, given the relative absence of a strong macro level-framework and an intensive competition of governance models at meso-level, it may be challenging to avoid compromises to the European macro framework. },

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{Janssen2021b,

title = {Personal Data Stores: a user-centric privacy utopia?},

author = {Janssen, H. and Cobbe, J. and Singh, J.},

year  = {2021},

date = {2021-01-04},

journal = {Internet Policy Review},

keywords = {},

pubstate = {forthcoming},

tppubtype = {article}

}

@article{Janssen2021,

title = {Decentralised Data Processing: Personal Data Stores and the GDPR},

author = {Janssen, H. and Cobbe, J. and Norval, C. and Singh, J.},

url = {https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3570895

https://www.ivir.nl/publicaties/download/IDPL-2021-4.pdf},

doi = {https://doi.org/10.1093/idpl/ipaa016},

year  = {2021},

date = {2021-01-04},

journal = {International Data Privacy Law},

volume = {10},

number = {4},

pages = {356-384},

abstract = {When it comes to online services, users have limited control over how their personal data is processed. This is partly due to the nature of the business models of those services, where data is typically stored and aggregated in data centres. This has recently led to the development of technologies aiming at leveraging user control over the processing of their personal data.

Personal Data Stores (“PDSs”) represent a class of these technologies; PDSs provide users with a device, enabling them to capture, aggregate and manage their personal data. The device provides tools for users to control and monitor access, sharing and computation over data on their device. The motivation for PDSs are described as (i) to assist users with their confidentiality and privacy concerns, and/or (ii) to provide opportunities for users to transact with or otherwise monetise their data.

While PDSs potentially might enable some degree of user empowerment, they raise interesting considerations and uncertainties in relation to the responsibilities under the General Data Protection Regulation (GDPR). More specifically, the designations of responsibilities among key parties involved in PDS ecosystems are unclear. Further, the technical architecture of PDSs appears to restrict certain lawful grounds for processing, while technical means to identify certain category data, as proposed by some, may remain theoretical.

We explore the considerations, uncertainties, and limitations of PDSs with respect to some key obligations under the GDPR. As PDS technologies continue to develop and proliferate, potentially providing an alternative to centralised approaches to data processing, we identify issues which require consideration by regulators, PDS platform providers and technologists.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{Cobbe2020,

title = {Centering the Law in the Digital State},

author = {Cobbe, J. and Seng Ah Lee, M. and Singh, J. and Janssen, H.},

doi = {10.1109/MC.2020.3006623},

year  = {2020},

date = {2020-09-25},

journal = {Computer},

volume = {53},

number = {10},

pages = {47-58},

abstract = {Driven by the promise of increased efficiencies and cost-savings, the public sector has shown much interest in automated decision-making (ADM) technologies. However, the rule of law and fundamental principles of good government are being lost along the way.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{Janssen2020,

title = {An approach to a fundamental rights impact assessment to automated decision-making},

author = {Janssen, H.},

doi = {https://doi.org/10.1093/idpl/ipz028},

year  = {2020},

date = {2020-03-06},

journal = {International Data Privacy Law},

volume = {10},

number = {1},

pages = {76-106},

abstract = {Companies and other private institutions see great and promising profits in the use of automated decision-making (‘ADM’) for commercial-, financial- or efficiency in work processing purposes. Meanwhile, ADM based on a data subjects’ personal data may (severely) impact its fundamental rights and freedoms. The General Data Protection Regulation (GDPR) provides for a regulatory framework that applies whenever a controller considers and deploys ADM onto individuals on the basis of their personal data. In the design stage of the intended ADM, article 35 (3)(a) obliges a controller to apply a Data Protection Impact Assessment (DPIA), part of which is an assessment of ADM’s impact on individual rights and freedoms. Article 22 GDPR determines under what conditions ADM is allowed and endows data subjects with increased protection.



Research among companies of various sizes has shown that there is (legal) insecurity about the interpretation of the GDPR (including the provisions relevant to ADM). The first objective of the author is to detect ways forward by offering practical handles to execute a DPIA that includes a slidable assessment of impacts on data subjects’ fundamental rights. This assessment is based on four benchmarks that should help to assess the gravity of potential impacts, i.e. i) to determine the impact on the fundamental right(s) at stake, ii) to establish the context in which the ADM is used, iii) the establishment of who is beneficiary of the use of personal data in the ADM and iv) the establishment who is in control over the data flows in the ADM. From the benchmarks an overall fundamental rights impact assessment about ADM should arise. A second objective is to indicate potential factors and measures that a controller should consider in its risk management after the assessment. The proposed approach should help fostering fair, compliant and trustworthy ADM and contains directions for future research.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@phdthesis{Janssen2003,

title = {Constitutionele Interpretatie. Een rechtsvergelijkend onderzoek naar de vaststelling van de reikwijdte van het recht op persoonlijkheid},

author = {Janssen, H.},

url = {https://cris.maastrichtuniversity.nl/ws/portalfiles/portal/38414297/1637229.pdf},

year  = {2003},

date = {2003-02-07},

pages = {495},

publisher = {Sdu},

note = {Dissertatie Universiteit Maastricht},

keywords = {},

pubstate = {published},

tppubtype = {phdthesis}

}