Expert perspectives on GDPR compliance in the context of smart homes and vulnerable persons

Information & Communications Technology Law, 2023

Abstract

This article introduces information gathered through 21 semi-structured interviews conducted with UK, EU and international professionals in the field of General Data Protection Regulation (GDPR) compliance and technology design, with a focus on the smart home context and vulnerable people using smart products. Those discussions gave various insights and perspectives into how the two communities (lawyers and technologists) view intricate practical data protection challenges in this specific setting. The variety of interviewees allowed to compare different approaches to data protection compliance topics. Answers to the following questions were provided: when organisations develop and/or deploy smart devices that use personal data, do they take into consideration the needs of vulnerable groups of people to comply with the GDPR? What are the underlying issues linked to the practical data protection law challenges faced by organisations working on smart devices used by vulnerable persons? How do experts perceive data protection law-related problems in this context?

Data protection, GDPR, Internet of Things, smart devices

Bibtex

Article{nokey, title = {Expert perspectives on GDPR compliance in the context of smart homes and vulnerable persons}, author = {Piasecki, S.}, doi = {https://doi.org/10.1080/13600834.2023.2231326}, year = {2023}, date = {2023-07-07}, journal = {Information & Communications Technology Law}, abstract = {This article introduces information gathered through 21 semi-structured interviews conducted with UK, EU and international professionals in the field of General Data Protection Regulation (GDPR) compliance and technology design, with a focus on the smart home context and vulnerable people using smart products. Those discussions gave various insights and perspectives into how the two communities (lawyers and technologists) view intricate practical data protection challenges in this specific setting. The variety of interviewees allowed to compare different approaches to data protection compliance topics. Answers to the following questions were provided: when organisations develop and/or deploy smart devices that use personal data, do they take into consideration the needs of vulnerable groups of people to comply with the GDPR? What are the underlying issues linked to the practical data protection law challenges faced by organisations working on smart devices used by vulnerable persons? How do experts perceive data protection law-related problems in this context?}, keywords = {Data protection, GDPR, Internet of Things, smart devices}, }

Personal Data Stores and the GDPR’s lawful grounds for processing personal data

Janssen, H., Cobbe, J., Norval, C. & Singh, J.
2019

Abstract

Personal Data Stores (‘PDSs’) entail users having a (physical or virtual) device within which they themselves can, in theory, capture, aggregate, and control the access to and the transfer of personal data. Their aim is to empower users in relation to their personal data, strengthening their opportunities for data protection, privacy, and/or to facilitate trade and monetisation. As PDS technologies develop, it is important to consider their role in relation to issues of data protection. The General Data Protection Regulation requires that the processing of user data be predicated on one of its defined lawful bases, whereby the Regulation does not favour any one basis over another. We explore how PDS architectures relate to these lawful bases, and observe that they tend to favour the bases that require direct user involvement. This paper considers issues that the envisaged architectural choices surrounding the lawful grounds may entail.

Data protection, decentralisation, lawful grounds for processing, personal data stores, Privacy, Transparency

Bibtex

Conference paper{nokey, title = {Personal Data Stores and the GDPR’s lawful grounds for processing personal data}, author = {Janssen, H. and Cobbe, J. and Norval, C. and Singh, J.}, doi = {https://doi.org/10.5281/zenodo.3234902}, year = {2019}, date = {2019-05-29}, abstract = {Personal Data Stores (‘PDSs’) entail users having a (physical or virtual) device within which they themselves can, in theory, capture, aggregate, and control the access to and the transfer of personal data. Their aim is to empower users in relation to their personal data, strengthening their opportunities for data protection, privacy, and/or to facilitate trade and monetisation. As PDS technologies develop, it is important to consider their role in relation to issues of data protection. The General Data Protection Regulation requires that the processing of user data be predicated on one of its defined lawful bases, whereby the Regulation does not favour any one basis over another. We explore how PDS architectures relate to these lawful bases, and observe that they tend to favour the bases that require direct user involvement. This paper considers issues that the envisaged architectural choices surrounding the lawful grounds may entail.}, keywords = {Data protection, decentralisation, lawful grounds for processing, personal data stores, Privacy, Transparency}, }

Fundamental rights assessment of the framework for detection orders under the CSAM proposal download

CSAM, Data protection, Freedom of expression, Privacy

Bibtex

Report{nokey, title = {Fundamental rights assessment of the framework for detection orders under the CSAM proposal}, author = {van Daalen, O.}, url = {https://www.ivir.nl/nl/publications/fundamental-rights-assessment-of-the-framework-for-detection-orders-under-the-csam-proposal/csamreport/}, year = {2023}, date = {2023-04-22}, keywords = {CSAM, Data protection, Freedom of expression, Privacy}, }

SLAPPed by the GDPR: protecting public interest journalism in the face of GDPR-based strategic litigation against public participation

Journal of Media Law, vol. 14, iss. : 2, pp: 378-405, 2022

Abstract

Strategic litigation against public participation is a threat to public interest journalism. Although typically a defamation claim underpins a SLAPP, the GDPR may serve as an alternative basis. This paper explores how public interest journalism is protected, and could be better protected, from abusive GDPR proceedings. The GDPR addresses the tension between data protection and freedom of expression by providing for a journalistic exemption. However, narrow national implementations of this provision leave the GDPR open for abuse. By analysing GDPR proceedings against newspaper Forbes Hungary, the paper illustrates how the GDPR can be instrumentalised as a SLAPP strategy. As European anti-SLAPP initiatives are finetuned, abusive GDPR proceedings need to be recognised as emerging forms of SLAPPs, requiring more attention to inadequate engagement with European freedom of expression standards in national implementations of the GDPR, data protection authorities’ role in facilitating SLAPPs, and the chilling effects of GDPR sanctions.

Data protection, Freedom of expression, GDPR, journalistic exemption, SLAPPS

Bibtex

Article{nokey, title = {SLAPPed by the GDPR: protecting public interest journalism in the face of GDPR-based strategic litigation against public participation}, author = {Rucz, M.}, doi = {https://doi.org/10.1080/17577632.2022.2129614}, year = {2022}, date = {2022-10-10}, journal = {Journal of Media Law}, volume = {14}, issue = {2}, pages = {378-405}, abstract = {Strategic litigation against public participation is a threat to public interest journalism. Although typically a defamation claim underpins a SLAPP, the GDPR may serve as an alternative basis. This paper explores how public interest journalism is protected, and could be better protected, from abusive GDPR proceedings. The GDPR addresses the tension between data protection and freedom of expression by providing for a journalistic exemption. However, narrow national implementations of this provision leave the GDPR open for abuse. By analysing GDPR proceedings against newspaper Forbes Hungary, the paper illustrates how the GDPR can be instrumentalised as a SLAPP strategy. As European anti-SLAPP initiatives are finetuned, abusive GDPR proceedings need to be recognised as emerging forms of SLAPPs, requiring more attention to inadequate engagement with European freedom of expression standards in national implementations of the GDPR, data protection authorities’ role in facilitating SLAPPs, and the chilling effects of GDPR sanctions.}, keywords = {Data protection, Freedom of expression, GDPR, journalistic exemption, SLAPPS}, }

EU Consumer Protection 2.0: Structural Asymmetries in Digital Consumer Markets external link

Helberger, N., Lynskey, O., Micklitz, H.-W., Rott, P., Sax, M. & Strycharz, J.
2021

Consumer law, Data protection, manipulation, unfair commercial practices

Bibtex

Report{Helberger2021, title = {EU Consumer Protection 2.0: Structural Asymmetries in Digital Consumer Markets}, author = {Helberger, N. and Lynskey, O. and Micklitz, H.-W. and Rott, P. and Sax, M. and Strycharz, J.}, url = {https://www.beuc.eu/publications/beuc-x-2021-018_eu_consumer_protection.0_0.pdf}, year = {0305}, date = {2021-03-05}, keywords = {Consumer law, Data protection, manipulation, unfair commercial practices}, }

Panel discussion at CPDP 2020: We need to talk about filters: algorithmic copyright enforcement vs data protection. external link

Quintais, J., Ducato, R., Mazgal, A., Zuiderveen Borgesius, F. & Hegladóttir, A.
2020

Abstract

The new Copyright in the Digital Single Market (DSM) Directive was published in May 2019. Its most controversial provision is Article 17 (ex 13), which creates a new liability regime for user-generated content platforms, like YouTube and Facebook. The new regime makes these platforms directly liable for their users’ uploads, without the possibility of benefiting from the hosting safe-harbour. This forces platforms to either license all or most of the content uploaded by users (which is near impossible) or to adopt preventive measures like filters. The likely outcome is that covered platforms will engage in general monitoring of the content uploaded by their users. This panel will discuss the issues raised by Article 17 DSM Directive and the model of algorithmic enforcement it incentivizes, with a focus on the freedom of expression and data protection risks it entails. • Article 17 of the Copyright in the Digital Single Market Directive creates a new liability regime for user-generated content platforms. • Does this provision introduce de facto the controversial upload filtering systems and, as a result, general monitoring of information in content-sharing platforms? • Is Article 17 essentially in conflict with the GDPR and, in particular, the principle of minimisation and the right not to be subject to automated decision-making processes? What are the potential consequences of this provision on users’ freedom of expression? • If Article 17 can negatively affect data protection and freedom of expression what are the possible legal and extra-legal responses to neutralise the risk?

Copyright, Data protection, frontpage, Privacy

Bibtex

Presentation{Quintais2020, title = {Panel discussion at CPDP 2020: We need to talk about filters: algorithmic copyright enforcement vs data protection.}, author = {Quintais, J. and Ducato, R. and Mazgal, A. and Zuiderveen Borgesius, F. and Hegladóttir, A.}, url = {https://www.youtube.com/watch?v=SstHA1ALZoI}, year = {2020}, date = {2020-02-06}, abstract = {The new Copyright in the Digital Single Market (DSM) Directive was published in May 2019. Its most controversial provision is Article 17 (ex 13), which creates a new liability regime for user-generated content platforms, like YouTube and Facebook. The new regime makes these platforms directly liable for their users’ uploads, without the possibility of benefiting from the hosting safe-harbour. This forces platforms to either license all or most of the content uploaded by users (which is near impossible) or to adopt preventive measures like filters. The likely outcome is that covered platforms will engage in general monitoring of the content uploaded by their users. This panel will discuss the issues raised by Article 17 DSM Directive and the model of algorithmic enforcement it incentivizes, with a focus on the freedom of expression and data protection risks it entails. • Article 17 of the Copyright in the Digital Single Market Directive creates a new liability regime for user-generated content platforms. • Does this provision introduce de facto the controversial upload filtering systems and, as a result, general monitoring of information in content-sharing platforms? • Is Article 17 essentially in conflict with the GDPR and, in particular, the principle of minimisation and the right not to be subject to automated decision-making processes? What are the potential consequences of this provision on users’ freedom of expression? • If Article 17 can negatively affect data protection and freedom of expression what are the possible legal and extra-legal responses to neutralise the risk?}, keywords = {Copyright, Data protection, frontpage, Privacy}, }

Brief of EU Data Protection and Privacy Scholars as Amici Curiae in Support of Respondent external link

Brkan, M., Castets-Renard, C., Cole, M.D., Dommering, E., Forgo, N., Korff, D., Kosta, E., Ligeti, K., Mariottini, C.M., Metille, S., Mitrou, L., Pollicino, O., Pretschner, A., Robinson, G., Ryngaert, C., Spindler, G., Valcke, P., Van Calster, G., van Eijk, N., Weber, R. & Zuiderveen Borgesius, F.
2018

amicus brief, Data protection, Privacy

Bibtex

Article{Brkan2018, title = {Brief of EU Data Protection and Privacy Scholars as Amici Curiae in Support of Respondent}, author = {Brkan, M. and Castets-Renard, C. and Cole, M.D. and Dommering, E. and Forgo, N. and Korff, D. and Kosta, E. and Ligeti, K. and Mariottini, C.M. and Metille, S. and Mitrou, L. and Pollicino, O. and Pretschner, A. and Robinson, G. and Ryngaert, C. and Spindler, G. and Valcke, P. and Van Calster, G. and van Eijk, N. and Weber, R. and Zuiderveen Borgesius, F.}, url = {https://www.ivir.nl/publicaties/download/amicusbrief_2018.pdf}, year = {0118}, date = {2018-01-18}, keywords = {amicus brief, Data protection, Privacy}, }

International cooperation by (European) security and intelligence services: reviewing the creation of a joint database in light of data protection guarantees external link

Ryngaert, C.M.J. & van Eijk, N.
International Data Privacy Law, vol. 2019, num: 1, pp: 61-73, 2019

Data protection, frontpage, Privacy, veiligheidsdiensten

Bibtex

Article{Ryngaert2019, title = {International cooperation by (European) security and intelligence services: reviewing the creation of a joint database in light of data protection guarantees}, author = {Ryngaert, C.M.J. and van Eijk, N.}, url = {https://www.ivir.nl/publicaties/download/IDPL_2019_1.pdf}, doi = {https://doi.org/https://doi.org/10.1093/idpl/ipz001}, year = {0409}, date = {2019-04-09}, journal = {International Data Privacy Law}, volume = {2019}, number = {1}, pages = {61-73}, keywords = {Data protection, frontpage, Privacy, veiligheidsdiensten}, }

The Golden Age of Personal Data: How to Regulate an Enabling Fundamental Right? external link

Oostveen, M. & Irion, K.
In: Bakhoum M., Conde Gallego B., Mackenrodt MO., Surblytė-Namavičienė G. (eds) Personal Data in Competition, Consumer Protection and Intellectual Property Law. MPI Studies on Intellectual Property and Competition Law, vol 28. Springer, Berlin, Heidelberg, 1120

Abstract

New technologies, purposes and applications to process individuals’ personal data are being developed on a massive scale. But we have not only entered the ‘golden age of personal data’ in terms of its exploitation: ours is also the ‘golden age of personal data’ in terms of regulation of its use. Understood as an enabling right, the architecture of EU data protection law is capable of protecting against many of the negative short- and long-term effects of contemporary data processing. Against the backdrop of big data applications, we evaluate how the implementation of privacy and data protection rules protect against the short- and long-term effects of contemporary data processing. We conclude that from the perspective of protecting individual fundamental rights and freedoms, it would be worthwhile to explore alternative (legal) approaches instead of relying on EU data protection law alone to cope with contemporary data processing.

automated decision making, Big data, Data protection, frontpage, General Data Protection Regulation, Privacy, profiling

Bibtex

Chapter{Oostveen2018, title = {The Golden Age of Personal Data: How to Regulate an Enabling Fundamental Right?}, author = {Oostveen, M. and Irion, K.}, url = {https://link.springer.com/chapter/10.1007/978-3-662-57646-5_2}, year = {1120}, date = {2018-11-20}, abstract = {New technologies, purposes and applications to process individuals’ personal data are being developed on a massive scale. But we have not only entered the ‘golden age of personal data’ in terms of its exploitation: ours is also the ‘golden age of personal data’ in terms of regulation of its use. Understood as an enabling right, the architecture of EU data protection law is capable of protecting against many of the negative short- and long-term effects of contemporary data processing. Against the backdrop of big data applications, we evaluate how the implementation of privacy and data protection rules protect against the short- and long-term effects of contemporary data processing. We conclude that from the perspective of protecting individual fundamental rights and freedoms, it would be worthwhile to explore alternative (legal) approaches instead of relying on EU data protection law alone to cope with contemporary data processing.}, keywords = {automated decision making, Big data, Data protection, frontpage, General Data Protection Regulation, Privacy, profiling}, }

The European Union General Data Protection Regulation: What It Is And What It Means external link

Information & Communications Technology Law, vol. 2019, 2019

Abstract

This article introduces U.S. lawyers and academics to the normative foundations, attributes, and strategic approach to regulating personal data advanced by the European Union’s General Data Protection Regulation (“GDPR”). We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR’s approach and provisions; and make predictions about the GDPR’s short and medium-term implications. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed and protective regulatory regime, which will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some information-intensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches.

Consumer Privacy, Data protection, European Union, frontpage, General Data Protection Regulation, Privacy

Bibtex

Article{Hoofnagle2018, title = {The European Union General Data Protection Regulation: What It Is And What It Means}, author = {Hoofnagle, C.J. and van der Sloot, B. and Zuiderveen Borgesius, F.}, url = {https://www.tandfonline.com/doi/full/10.1080/13600834.2019.1573501}, year = {0212}, date = {2019-02-12}, journal = {Information & Communications Technology Law}, volume = {2019}, pages = {}, abstract = {This article introduces U.S. lawyers and academics to the normative foundations, attributes, and strategic approach to regulating personal data advanced by the European Union’s General Data Protection Regulation (“GDPR”). We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR’s approach and provisions; and make predictions about the GDPR’s short and medium-term implications. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed and protective regulatory regime, which will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some information-intensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches.}, keywords = {Consumer Privacy, Data protection, European Union, frontpage, General Data Protection Regulation, Privacy}, }