Schrems II and Surveillance: Third Countries’ National Security Powers in the Purview of EU Law, European Law Blog

2020

Abstract

On 16 July 2020 the Court of Justice of the European Union (CJEU) composed as Grand Chamber delivered its landmark ruling Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (case C-311/18, “Schrems II”). The focus of my commentary will be on the aspect that EU law on cross-border transfers of personal data to a third country is not deferential to national security powers of that third country. This judgment is remarkable provided that electronic surveillance conducted by Member States’ intelligence authorities for the purpose of national security is off limits for EU law and that exceptions in international agreement are fairly regularly made for national security. This contribution will deal with the embedded assessment of a third country’s national security powers under the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) and will address the criticism that a third country is held to stricter standards than a Member State of the Union.

adequacy decision, C-311/18, Charter of Fundamental Rights, Facebook, frontpage, GDPR, General Data Protection Regulation, national security, Privacy Shield, Schrems II, Standard Contractual Clauses, Surveillance, united states

Bibtex

Online publication{Irion2020c, title = {Schrems II and Surveillance: Third Countries’ National Security Powers in the Purview of EU Law, European Law Blog}, author = {Irion, K.}, url = {https://europeanlawblog.eu/2020/07/24/schrems-ii-and-surveillance-third-countries-national-security-powers-in-the-purview-of-eu-law/}, year = {0724}, date = {2020-07-24}, abstract = {On 16 July 2020 the Court of Justice of the European Union (CJEU) composed as Grand Chamber delivered its landmark ruling Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (case C-311/18, “Schrems II”). The focus of my commentary will be on the aspect that EU law on cross-border transfers of personal data to a third country is not deferential to national security powers of that third country. This judgment is remarkable provided that electronic surveillance conducted by Member States’ intelligence authorities for the purpose of national security is off limits for EU law and that exceptions in international agreement are fairly regularly made for national security. This contribution will deal with the embedded assessment of a third country’s national security powers under the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) and will address the criticism that a third country is held to stricter standards than a Member State of the Union.}, keywords = {adequacy decision, C-311/18, Charter of Fundamental Rights, Facebook, frontpage, GDPR, General Data Protection Regulation, national security, Privacy Shield, Schrems II, Standard Contractual Clauses, Surveillance, united states}, }

Third Annual Detlev F. Vagts Roundtable on Transnational Law: Data Protection in a Global World

Proceedings of the Annual Meeting - American Society of International Law, vol. 112, pp: 220-226, 2019

Data protection law, free data flow, frontpage, General Data Protection Regulation, Internet, transnational law

Bibtex

Article{Irion2019, title = {Third Annual Detlev F. Vagts Roundtable on Transnational Law: Data Protection in a Global World}, author = {Irion, K.}, url = {https://www.cambridge.org/core/services/aop-cambridge-core/content/view/4DAD3CA357D2483729CD38B52ED6A612/S027250371900123Xa.pdf/remarks_by_kristina_irion.pdf}, doi = {https://doi.org/https://doi.org/10.1017/amp.2019.123}, year = {0411}, date = {2019-04-11}, journal = {Proceedings of the Annual Meeting - American Society of International Law}, volume = {112}, pages = {220-226}, keywords = {Data protection law, free data flow, frontpage, General Data Protection Regulation, Internet, transnational law}, }

The Golden Age of Personal Data: How to Regulate an Enabling Fundamental Right?

Oostveen, M. & Irion, K.
In: Bakhoum M., Conde Gallego B., Mackenrodt MO., Surblytė-Namavičienė G. (eds) Personal Data in Competition, Consumer Protection and Intellectual Property Law. MPI Studies on Intellectual Property and Competition Law, vol 28. Springer, Berlin, Heidelberg, 2018

Abstract

New technologies, purposes and applications to process individuals’ personal data are being developed on a massive scale. But we have not only entered the ‘golden age of personal data’ in terms of its exploitation: ours is also the ‘golden age of personal data’ in terms of regulation of its use. Understood as an enabling right, the architecture of EU data protection law is capable of protecting against many of the negative short- and long-term effects of contemporary data processing. Against the backdrop of big data applications, we evaluate how the implementation of privacy and data protection rules protect against the short- and long-term effects of contemporary data processing. We conclude that from the perspective of protecting individual fundamental rights and freedoms, it would be worthwhile to explore alternative (legal) approaches instead of relying on EU data protection law alone to cope with contemporary data processing.

automated decision making, Big data, Data protection, frontpage, General Data Protection Regulation, Privacy, profiling

Bibtex

Chapter{Oostveen2018, title = {The Golden Age of Personal Data: How to Regulate an Enabling Fundamental Right?}, author = {Oostveen, M. and Irion, K.}, url = {https://link.springer.com/chapter/10.1007/978-3-662-57646-5_2}, year = {1120}, date = {2018-11-20}, abstract = {New technologies, purposes and applications to process individuals’ personal data are being developed on a massive scale. But we have not only entered the ‘golden age of personal data’ in terms of its exploitation: ours is also the ‘golden age of personal data’ in terms of regulation of its use. Understood as an enabling right, the architecture of EU data protection law is capable of protecting against many of the negative short- and long-term effects of contemporary data processing. Against the backdrop of big data applications, we evaluate how the implementation of privacy and data protection rules protect against the short- and long-term effects of contemporary data processing. We conclude that from the perspective of protecting individual fundamental rights and freedoms, it would be worthwhile to explore alternative (legal) approaches instead of relying on EU data protection law alone to cope with contemporary data processing.}, keywords = {automated decision making, Big data, Data protection, frontpage, General Data Protection Regulation, Privacy, profiling}, }

Dream of Californication: welcome to the Californian Consumer Privacy Act

Williams, J. & Irion, K.
Internet Policy Review, vol. 2018, 2018

Abstract

The California Consumer Privacy Act (CCPA), slated to enter into force on 1 January 2020, borrows some cutting edge ideas from the EU and others’ privacy regimes while also experimenting with new approaches to data privacy. Importantly, the CCPA envisages an online advertisement market in which businesses are prevented from “getting high on information,” breaches are promptly notified, and consumers are autonomous participants with the ability to sell their data at will. Where the CCPA breaks new ground is in protecting consumers from retaliation for opting out of the sale of their data. Thus, if it lives up to its potential, the CCPA could catalyse a permanent restructuring of the online data mining business. Our contribution will shed light on the new CCPA and offer some observations in comparing it with EU’s General Data Protection Regulation (GDPR).

California, Consumer Privacy, frontpage, General Data Protection Regulation, Internet

Bibtex

Article{Williams2018, title = {Dream of Californication: welcome to the Californian Consumer Privacy Act}, author = {Williams, J. and Irion, K.}, url = {https://policyreview.info/articles/news/dream-californication-welcome-californian-consumer-privacy-act/1351}, year = {2018}, date = {2018-10-16}, journal = {Internet Policy Review}, volume = {2018}, pages = {}, abstract = {The California Consumer Privacy Act (CCPA), slated to enter into force on 1 January 2020, borrows some cutting edge ideas from the EU and others’ privacy regimes while also experimenting with new approaches to data privacy. Importantly, the CCPA envisages an online advertisement market in which business are prevented from “getting high on information,” 1 breaches are promptly notified, and consumers are autonomous participants with the ability to sell their data at will. Where the CCPA breaks new ground is in protecting consumers from retaliation for opting out of the sale of their data. Thus, if it lives up to its potential, the CCPA could catalyse a permanent restructuring of the online data mining business. Our contribution will shed light on the new CCPA and offer some observations in comparing it with EU’s General Data Protection Regulation (GDPR).}, keywords = {California, Consumer Privacy, frontpage, General Data Protection Regulation, Internet}, }

The European Union General Data Protection Regulation: What It Is And What It Means

Information & Communications Technology Law, vol. 2019, 2019

Abstract

This article introduces U.S. lawyers and academics to the normative foundations, attributes, and strategic approach to regulating personal data advanced by the European Union’s General Data Protection Regulation (“GDPR”). We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR’s approach and provisions; and make predictions about the GDPR’s short and medium-term implications. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed and protective regulatory regime, which will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some information-intensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches.

Consumer Privacy, Data protection, European Union, frontpage, General Data Protection Regulation, Privacy

Bibtex

Article{Hoofnagle2018, title = {The European Union General Data Protection Regulation: What It Is And What It Means}, author = {Hoofnagle, C.J. and van der Sloot, B. and Zuiderveen Borgesius, F.}, url = {https://www.tandfonline.com/doi/full/10.1080/13600834.2019.1573501}, year = {0212}, date = {2019-02-12}, journal = {Information & Communications Technology Law}, volume = {2019}, pages = {}, abstract = {This article introduces U.S. lawyers and academics to the normative foundations, attributes, and strategic approach to regulating personal data advanced by the European Union’s General Data Protection Regulation (“GDPR”). We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR’s approach and provisions; and make predictions about the GDPR’s short and medium-term implications. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed and protective regulatory regime, which will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some information-intensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches.}, keywords = {Consumer Privacy, Data protection, European Union, frontpage, General Data Protection Regulation, Privacy}, }

The freely given consent and the "bundling" provision under the GDPR

Computerrecht, vol. 2017, num: 4, pp: 217-222, 2017

Abstract

Under European data protection law, consent of the data subject is one of the six grounds for lawful processing of personal data. It is such an important ground that lawmakers considered it necessary to provide a legal definition of consent. One of the conditions under this definition is that it needs to be “freely given.” The General Data Protection Regulation (GDPR) has further expanded on this concept in Article 7(4). It refers to a situation under which consent might not be considered “freely given.” If consent is invalid because it is not freely given, the processing is usually unlawful. Consequently, a legal basis for processing is missing. Therefore, this is an important provision. Yet the wording of this new provision is vague and its scope is unclear. Thus, the question arises as to how Article 7(4) should be applied. In this paper, the authors tease out the assessment criteria for the application of this provision on the basis of its text, structure and history. These criteria will then be applied to hypothetical cases in the final section.

bundling, consent, frontpage, General Data Protection Regulation, Privacy

Bibtex

Article{Kostić2017, title = {The freely given consent and the "bundling" provision under the GDPR}, author = {Kostić, B. and Vargas Penagos, E.}, url = {https://www.ivir.nl/publicaties/download/Computerrecht_2017_4.pdf}, year = {0915}, date = {2017-09-15}, journal = {Computerrecht}, volume = {2017}, number = {4}, pages = {217-222}, abstract = {Under European data protection law, consent of the data subject is one of the six grounds for lawful processing of personal data. It is such an important ground that lawmakers considered it necessary to provide a legal definition of consent. One of the conditions under this definition is that it needs to be “freely given.” The General Data Protection Regulation (GDPR) 3 has further expanded on this concept in Article 7(4). It refers to a situation under which consent might not be considered “freely given.” If consent is invalid because it is not freely given, the processing is usually unlawful. Consequently, a legal basis for processing is missing. Therefore, this is an important provision. Yet the wording of this new provision is vague and its scope is unclear. Thus, the question arises as to how Article 7(4) should be applied. In this paper, the authors tease out the assessment criteria for the application of this provision on the basis of its text, structure and history. These criteria will then be applied to hypothetical cases in the final section.}, keywords = {bundling, consent, frontpage, General Data Protection Regulation, Privacy}, }

Online Price Discrimination and EU Data Privacy Law

Journal of Consumer Policy, vol. 2017, 2017

Abstract

Online shops could offer each website customer a different price. Such personalized pricing can lead to advanced forms of price discrimination based on individual characteristics of consumers, which may be provided, obtained, or assumed. An online shop can recognize customers, for instance through cookies, and categorize them as price-sensitive or price-insensitive. Subsequently, it can charge (presumed) price-insensitive people higher prices. This paper explores personalized pricing from a legal and an economic perspective. From an economic perspective, there are valid arguments in favour of price discrimination, but its effect on total consumer welfare is ambiguous. Irrespectively, many people regard personalized pricing as unfair or manipulative. The paper analyses how this dislike of personalized pricing may be linked to economic analysis and to other norms or values. Next, the paper examines whether European data protection law applies to personalized pricing. Data protection law applies if personal data are processed, and this paper argues that that is generally the case when prices are personalized. Data protection law requires companies to be transparent about the purpose of personal data processing, which implies that they must inform customers if they personalize prices. Subsequently, consumers have to give consent. If enforced, data protection law could thereby play a significant role in mitigating any adverse effects of personalized pricing. It could help to unearth how prevalent personalized pricing is and how people respond to transparency about it.

behavioural targeting, cookies, Data protection law, frontpage, General Data Protection Regulation, personalized communication, Price discrimination

Bibtex

Article{Borgesius2017b, title = {Online Price Discrimination and EU Data Privacy Law}, author = {Zuiderveen Borgesius, F. and Poort, J.}, url = {https://www.ivir.nl/publicaties/download/JCP_2017.pdf}, doi = {https://doi.org/DOI 10.1007/s10603-017-9354-z}, year = {0725}, date = {2017-07-25}, journal = {Journal of Consumer Policy}, volume = {2017}, pages = {}, abstract = {Online shops could offer each website customer a different price. Such personalized pricing can lead to advanced forms of price discrimination based on individual characteristics of consumers, which may be provided, obtained, or assumed. An online shop can recognize customers, for instance through cookies, and categorize them as price-sensitive or price-insensitive. Subsequently, it can charge (presumed) price-insensitive people higher prices. This paper explores personalized pricing from a legal and an economic perspective. From an economic perspective, there are valid arguments in favour of price discrimination, but its effect on total consumer welfare is ambiguous. Irrespectively, many people regard personalized pricing as unfair or manipulative. The paper analyses how this dislike of personalized pricing may be linked to economic analysis and to other norms or values. Next, the paper examines whether European data protection law applies to personalized pricing. Data protection law applies if personal data are processed, and this paper argues that that is generally the case when prices are personalized. Data protection law requires companies to be transparent about the purpose of personal data processing, which implies that they must inform customers if they personalize prices. Subsequently, consumers have to give consent. If enforced, data protection law could thereby play a significant role in mitigating any adverse effects of personalized pricing. 
It could help to unearth how prevalent personalized pricing is and how people respond to transparency about it.}, keywords = {behavioural targeting, cookies, Data protection law, frontpage, General Data Protection Regulation, personalized communication, Price discrimination}, }

The Golden Age of Personal Data: How to Regulate an Enabling Fundamental Right?

Oostveen, M. & Irion, K.
2016

Abstract

New technologies, purposes and applications to process individuals’ personal data are developed on a massive scale. But we have not only entered the ‘golden age of personal data’ in terms of its exploitation: ours is also the ‘golden age of personal data’ in terms of regulation of its use. In this contribution, we explain how regulating the processing of an individual’s personal data can be a proxy of intervention, which directly or indirectly could benefit other individual rights and freedoms. Understood as an enabling right, the architecture of EU data protection law is capable of protecting against many of the negative short- and long-term effects of contemporary data processing. The new General Data Protection Regulation certainly strengthens aspects of this core architecture but certain regulatory innovations to cope with technological advancements and the data-driven economy appear less capable of yielding broad protection for individuals’ fundamental rights and freedoms. We conclude that from the perspective of protecting individual fundamental rights and freedoms, it would be worthwhile to explore alternative (legal) approaches of individual protection in contemporary data processing.

Big data, Data protection, enabling fundamental rights, EU law, General Data Protection Regulation, Privacy

Bibtex

Article{Oostveen2016b, title = {The Golden Age of Personal Data: How to Regulate an Enabling Fundamental Right?}, author = {Oostveen, M. and Irion, K.}, year = {1215}, date = {2016-12-15}, abstract = {New technologies, purposes and applications to process individual’s personal data are developed on a massive scale. But we have not only entered the ‘golden age of personal data’ in terms of its exploitation: ours is also the ‘golden age of personal data’ in terms of regulation of its use. In this contribution, we explain how regulating the processing of an individual’s personal data can be a proxy of intervention, which directly or indirectly could benefit other individual rights and freedoms. Understood as an enabling right, the architecture of EU data protection law is capable of protecting against many of the negative short- and long-term effects of contemporary data processing. The new General Data Protection Regulation certainly strengthens aspects of this core architecture but certain regulatory innovations to cope with technological advancements and the data-driven economy appear less capably of yielding broad protection for individuals fundamental rights and freedoms. We conclude that from the perspective of protecting individual fundamental rights and freedoms, it would be worthwhile to explore alternative (legal) approaches of individual protection in contemporary data processing.}, keywords = {Big data, Data protection, enabling fundamental rights, EU law, General Data Protection Regulation, Privacy}, }

Profiling the European Citizen in the Internet of Things: How Will the General Data Protection Regulation Apply to this Form of Personal Data Processing, and How Should It?

2016

Data protection, Directive 95/46/EC, General Data Protection Regulation, Grondrechten, Internet of Things, Privacy, profiling

Bibtex

Other{nokey, title = {Profiling the European Citizen in the Internet of Things: How Will the General Data Protection Regulation Apply to this Form of Personal Data Processing, and How Should It?}, author = {Eskens, S.}, url = {http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2752010}, year = {0329}, date = {2016-03-29}, keywords = {Data protection, Directive 95/46/EC, General Data Protection Regulation, Grondrechten, Internet of Things, Privacy, profiling}, }