Personal Data Stores and the GDPR’s lawful grounds for processing personal data

Personal Data Stores and the GDPR’s lawful grounds for processing personal data

Janssen, H., Cobbe, J., Norval, C. & Singh, J.

2019

Abstract

Personal Data Stores (‘PDSs’) entail users having a (physical or virtual) device within which they themselves can, in theory, capture, aggregate, and control the access to and the transfer of personal data. Their aim is to empower users in relation to their personal data, strengthening their opportunities for data protection, privacy, and/or to facilitate trade and monetisation. As PDS technologies develop, it is important to consider their role in relation to issues of data protection. The General Data Protection Regulation requires that the processing of user data be predicated on one of its defined lawful bases, whereby the Regulation does not favour any one basis over another. We explore how PDS architectures relate to these lawful bases, and observe that they tend to favour the bases that require direct user involvement. This paper considers issues that the envisaged architectural choices surrounding the lawful grounds may entail.

Links

DOI: https://doi.org/10.5281/zenodo.3234902

Data protection, decentralisation, lawful grounds for processing, personal data stores, Privacy, Transparency

RIS

TY  - CPAPER
AU  - Janssen, H.
AU  - Cobbe, J.
AU  - Norval, C.
AU  - Singh, J.
PY  - 2019
DA  - 2019-05-29
T1  - Personal Data Stores and the GDPR’s lawful grounds for processing personal data
DO  - https://doi.org/10.5281/zenodo.3234902
AB  - Personal Data Stores (‘PDSs’) entail users having a (physical or virtual) device within which they themselves can, in theory, capture, aggregate, and control the access to and the transfer of personal data. Their aim is to empower users in relation to their personal data, strengthening their opportunities for data protection, privacy, and/or to facilitate trade and monetisation. As PDS technologies develop, it is important to consider their role in relation to issues of data protection. The General Data Protection Regulation requires that the processing of user data be predicated on one of its defined lawful bases, whereby the Regulation does not favour any one basis over another. We explore how PDS architectures relate to these lawful bases, and observe that they tend to favour the bases that require direct user involvement. This paper considers issues that the envisaged architectural choices surrounding the lawful grounds may entail.
K1  - Data protection
K1  - decentralisation
K1  - lawful grounds for processing
K1  - personal data stores
K1  - Privacy
K1  - Transparency
ER  -

Save .RIS

Bibtex

Conference paper{nokey,
	title = {Personal Data Stores and the GDPR’s lawful grounds for processing personal data},
	author = {Janssen, H. and Cobbe, J. and Norval, C. and Singh, J.},
	doi = {https://doi.org/10.5281/zenodo.3234902},
	year = {2019},
	date = {2019-05-29},
	abstract = {Personal Data Stores (‘PDSs’) entail users having a (physical or virtual) device within which they themselves can, in theory, capture, aggregate, and control the access to and the transfer of personal data. Their aim is to empower users in relation to their personal data, strengthening their opportunities for data protection, privacy, and/or to facilitate trade and monetisation. As PDS technologies develop, it is important to consider their role in relation to issues of data protection. The General Data Protection Regulation requires that the processing of user data be predicated on one of its defined lawful bases, whereby the Regulation does not favour any one basis over another. We explore how PDS architectures relate to these lawful bases, and observe that they tend to favour the bases that require direct user involvement. This paper considers issues that the envisaged architectural choices surrounding the lawful grounds may entail.},
	keywords = {Data protection, decentralisation, lawful grounds for processing, personal data stores, Privacy, Transparency},
}

Save .bib

The right to encryption: Privacy as preventing unlawful access external link

van Daalen, O.

Computer Law & Security Review, vol. 49, 2023

Abstract

Encryption technologies are a fundamental building block of modern digital infrastructure, but plans to curb these technologies continue to spring up. Even in the European Union, where their application is by now firmly embedded in legislation, lawmakers are again calling for measures which would impact these technologies. One of the most important arguments in this debate are human rights, most notably the rights to privacy and to freedom of expression. And although some authors have in the past explored how encryption technologies support human rights, this connection is not yet firmly grounded in an analysis of European human rights case law. This contribution aims to fill this gap, developing a framework for assessing restrictions of encryption technologies under the rights to privacy and freedom of expression as protected under the European Convention of Human Rights (the Convention) and the Charter of Fundamental rights in the European Union (the Charter). In the first section, the relevant function of encryption technologies, restricting access to information (called confidentiality), is discussed. In the second section, an overview of some governmental policies and practices impacting these technologies is provided. This continues with a discussion of the case law on the rights to privacy, data protection and freedom of expression, arguing that these rights are not only about ensuring lawful access by governments to protected information, but also about preventing unlawful access by others. And because encryption technologies are an important technology to reduce the risk of this unlawful access, it is then proposed that this risk is central to the assessment of governance measures in the field of encryption technologies. The article concludes by recommending that states perform an in-depth assessement of this when proposing new measures, and that courts when reviewing them also place the risk of unlawful access central to the analysis of interference and proportionality.

Links

communications confidentiality, encryption, Freedom of expression, Human rights, Privacy, unlawful access

RIS

TY  - JOUR
AU  - van Daalen, O.
PY  - 2023
DA  - 2023-05-23
T1  - The right to encryption: Privacy as preventing unlawful access
JO  - Computer Law & Security Review
VL  - 49
UR  - https://www.sciencedirect.com/science/article/pii/S0267364923000146
DO  - https://doi.org/10.1016/j.clsr.2023.105804
AB  - Encryption technologies are a fundamental building block of modern digital infrastructure, but plans to curb these technologies continue to spring up. Even in the European Union, where their application is by now firmly embedded in legislation, lawmakers are again calling for measures which would impact these technologies. One of the most important arguments in this debate are human rights, most notably the rights to privacy and to freedom of expression. And although some authors have in the past explored how encryption technologies support human rights, this connection is not yet firmly grounded in an analysis of European human rights case law. This contribution aims to fill this gap, developing a framework for assessing restrictions of encryption technologies under the rights to privacy and freedom of expression as protected under the European Convention of Human Rights (the Convention) and the Charter of Fundamental rights in the European Union (the Charter). In the first section, the relevant function of encryption technologies, restricting access to information (called confidentiality), is discussed. In the second section, an overview of some governmental policies and practices impacting these technologies is provided. This continues with a discussion of the case law on the rights to privacy, data protection and freedom of expression, arguing that these rights are not only about ensuring lawful access by governments to protected information, but also about preventing unlawful access by others. And because encryption technologies are an important technology to reduce the risk of this unlawful access, it is then proposed that this risk is central to the assessment of governance measures in the field of encryption technologies. The article concludes by recommending that states perform an in-depth assessement of this when proposing new measures, and that courts when reviewing them also place the risk of unlawful access central to the analysis of interference and proportionality.
K1  - communications confidentiality
K1  - encryption
K1  - Freedom of expression
K1  - Human rights
K1  - Privacy
K1  - unlawful access
ER  -

Save .RIS

Bibtex

Article{nokey,
	title = {The right to encryption: Privacy as preventing unlawful access},
	author = {van Daalen, O.},
	doi = {https://doi.org/10.1016/j.clsr.2023.105804},
	year = {2023},
	date = {2023-05-23},
	journal = {Computer Law & Security Review},
	volume = {49},
	abstract = {Encryption technologies are a fundamental building block of modern digital infrastructure, but plans to curb these technologies continue to spring up. Even in the European Union, where their application is by now firmly embedded in legislation, lawmakers are again calling for measures which would impact these technologies. One of the most important arguments in this debate are human rights, most notably the rights to privacy and to freedom of expression. And although some authors have in the past explored how encryption technologies support human rights, this connection is not yet firmly grounded in an analysis of European human rights case law. This contribution aims to fill this gap, developing a framework for assessing restrictions of encryption technologies under the rights to privacy and freedom of expression as protected under the European Convention of Human Rights (the Convention) and the Charter of Fundamental rights in the European Union (the Charter). In the first section, the relevant function of encryption technologies, restricting access to information (called confidentiality), is discussed. In the second section, an overview of some governmental policies and practices impacting these technologies is provided. This continues with a discussion of the case law on the rights to privacy, data protection and freedom of expression, arguing that these rights are not only about ensuring lawful access by governments to protected information, but also about preventing unlawful access by others. And because encryption technologies are an important technology to reduce the risk of this unlawful access, it is then proposed that this risk is central to the assessment of governance measures in the field of encryption technologies. The article concludes by recommending that states perform an in-depth assessement of this when proposing new measures, and that courts when reviewing them also place the risk of unlawful access central to the analysis of interference and proportionality.},
	keywords = {communications confidentiality, encryption, Freedom of expression, Human rights, Privacy, unlawful access},
}

Save .bib

Fundamental rights assessment of the framework for detection orders under the CSAM proposal download

van Daalen, O.

2023

Links

CSAMreport

CSAM, Data protection, Freedom of expression, Privacy

RIS

Save .RIS

Bibtex

Save .bib

Shielding citizens? Understanding the impact of political advertisement transparency information

Dobber, T., Kruikemeier, S., Helberger, N. & Goodman, E.

New Media & Society, 2023

Abstract

Online targeted advertising leverages an information asymmetry between the advertiser and the recipient. Policymakers in the European Union and the United States aim to decrease this asymmetry by requiring information transparency information alongside political advertisements, in the hope of activating citizens’ persuasion knowledge. However, the proposed regulations all present different directions with regard to the required content of transparency information. Consequently, not all proposed interventions will be (equally) effective. Moreover, there is a chance that transparent information has additional consequences, such as increasing privacy concerns or decreasing advertising effectiveness. Using an online experiment (N = 1331), this study addresses these challenges and finds that two regulatory interventions (DSA and HAA) increase persuasion knowledge, while the chance of raising privacy concerns or lowering advertisement effectiveness is present but slim. Results suggest transparency information interventions have some promise, but at the same time underline the limitations of user-facing transparency interventions.

Links

DOI: https://doi.org/10.1177/14614448231157640

information disclosures, online advertising, persuasion knowledge, political attitudes, Privacy, Transparency

RIS

TY  - JOUR
AU  - Dobber, T.
AU  - Kruikemeier, S.
AU  - Helberger, N.
AU  - Goodman, E.
PY  - 2023
DA  - 2023-04-21
T1  - Shielding citizens? Understanding the impact of political advertisement transparency information
JO  - New Media & Society
DO  - https://doi.org/10.1177/14614448231157640
AB  - Online targeted advertising leverages an information asymmetry between the advertiser and the recipient. Policymakers in the European Union and the United States aim to decrease this asymmetry by requiring information transparency information alongside political advertisements, in the hope of activating citizens’ persuasion knowledge. However, the proposed regulations all present different directions with regard to the required content of transparency information. Consequently, not all proposed interventions will be (equally) effective. Moreover, there is a chance that transparent information has additional consequences, such as increasing privacy concerns or decreasing advertising effectiveness. Using an online experiment (N = 1331), this study addresses these challenges and finds that two regulatory interventions (DSA and HAA) increase persuasion knowledge, while the chance of raising privacy concerns or lowering advertisement effectiveness is present but slim. Results suggest transparency information interventions have some promise, but at the same time underline the limitations of user-facing transparency interventions.
K1  - information disclosures
K1  - online advertising
K1  - persuasion knowledge
K1  - political attitudes
K1  - Privacy
K1  - Transparency
ER  -

Save .RIS

Bibtex

Article{nokey,
	title = {Shielding citizens? Understanding the impact of political advertisement transparency information},
	author = {Dobber, T. and Kruikemeier, S. and Helberger, N. and Goodman, E.},
	doi = {https://doi.org/10.1177/14614448231157640},
	year = {2023},
	date = {2023-04-21},
	journal = {New Media & Society},
	abstract = {Online targeted advertising leverages an information asymmetry between the advertiser and the recipient. Policymakers in the European Union and the United States aim to decrease this asymmetry by requiring information transparency information alongside political advertisements, in the hope of activating citizens’ persuasion knowledge. However, the proposed regulations all present different directions with regard to the required content of transparency information. Consequently, not all proposed interventions will be (equally) effective. Moreover, there is a chance that transparent information has additional consequences, such as increasing privacy concerns or decreasing advertising effectiveness. Using an online experiment (N = 1331), this study addresses these challenges and finds that two regulatory interventions (DSA and HAA) increase persuasion knowledge, while the chance of raising privacy concerns or lowering advertisement effectiveness is present but slim. Results suggest transparency information interventions have some promise, but at the same time underline the limitations of user-facing transparency interventions.},
	keywords = {information disclosures, online advertising, persuasion knowledge, political attitudes, Privacy, Transparency},
}

Save .bib

Annotatie bij Hoge Raad 25 februari 2022 (Google) download

Dommering, E.

Nederlandse Jurisprudentie, iss. : 37/38/39, num: 259, pp: 4708-4709, 2022

Abstract

Privacyrecht. Algemene Verordening Gegevensbescherming (AVG); verzoek verwijdering zoekresultaten; gevoelige persoonsgegevens (art. 10 AVG); maatstaf. Proceskosten in AVG-zaken; doeltreffende voorziening (art. 79 AVG en art. 47 Handvest Grondrechten EU).

Links

Annotatie_NJ_2022_259

Annotaties, AVG, Privacy, zoekresultaten

RIS

Save .RIS

Bibtex

Save .bib

Annotatie Hoge Raad 3 december 2021 (Hoist Finance AB) download

Dommering, E.

Nederlandse Jurisprudentie, iss. : 37/38/39, num: 258, pp: 4640-4642, 2022

Abstract

Prejudiciële beslissing op voet art. 392 Rv. Algemene verordening gegevensbescherming (AVG). Rechtsgrond verwerking persoonsgegevens in kredietregistratiestelsel BKR; recht op gegevenswissing; recht op bezwaar.

Links

Annotatie_NJ_2022_258

Annotaties, AVG, Privacy

RIS

Save .RIS

Bibtex

Save .bib

Defining the scope of AI ADM system risk assessment external link

Janssen, H., Seng Ah Lee, M., Singh, J. & Cobbe, J.

Research handbook on EU data protection law, E. Kosta, R. Leenes & I. Kamara (ed.), Edgar Elgar Publishing, 0616, pp: 405-434

Links

frontpage, Privacy, Recht op gegevensbescherming

RIS

Save .RIS

Bibtex

Save .bib

A Matter of (Joint) control? Virtual assistants and the general data protection regulation external link

Mil, J. van & Quintais, J.

Computer Law & Security Review, vol. 45, 2022

Abstract

This article provides an overview and critical examination of the rules for determining who qualifies as controller or joint controller under the General Data Protection Regulation. Using Google Assistant – an artificial intelligence-driven virtual assistant – as a case study, we argue that these rules are overreaching and difficult to apply in the present-day information society and Internet of Things environments. First, as a consequence of recent developments in case law and supervisory guidance, these rules lead to a complex and ambiguous test to determine (joint) control. Second, due to advances in technological applications and business models, it is increasingly challenging to apply such rules to contemporary processing operations. In particular, as illustrated by the Google Assistant, individuals will likely be qualified as joint controllers, together with Google and also third-party developers, for at least the collection and possible transmission of other individuals’ personal data via the virtual assistant. Third, we identify follow-on issues relating to the apportionment of responsibilities between joint controllers and the effective and complete protection of data subjects. We conclude by questioning whether the framework for determining who qualifies as controller or joint controller is future-proof and normatively desirable.

Links

DOI: https://doi.org/https://doi.org/10.1016/j.clsr.2022.105689

frontpage, GDPR, Privacy, Recht op gegevensbescherming

RIS

TY  - JOUR
AU  - Mil, J. van
AU  - Quintais, J.
PY  - 0616
DA  - 2022-06-16
T1  - A Matter of (Joint) control? Virtual assistants and the general data protection regulation
JO  - Computer Law & Security Review
VL  - 45
DO  - https://doi.org/https://doi.org/10.1016/j.clsr.2022.105689
AB  - This article provides an overview and critical examination of the rules for determining who qualifies as controller or joint controller under the General Data Protection Regulation. Using Google Assistant – an artificial intelligence-driven virtual assistant – as a case study, we argue that these rules are overreaching and difficult to apply in the present-day information society and Internet of Things environments. First, as a consequence of recent developments in case law and supervisory guidance, these rules lead to a complex and ambiguous test to determine (joint) control. Second, due to advances in technological applications and business models, it is increasingly challenging to apply such rules to contemporary processing operations. In particular, as illustrated by the Google Assistant, individuals will likely be qualified as joint controllers, together with Google and also third-party developers, for at least the collection and possible transmission of other individuals’ personal data via the virtual assistant. Third, we identify follow-on issues relating to the apportionment of responsibilities between joint controllers and the effective and complete protection of data subjects. We conclude by questioning whether the framework for determining who qualifies as controller or joint controller is future-proof and normatively desirable.
K1  - frontpage
K1  - GDPR
K1  - Privacy
K1  - Recht op gegevensbescherming
ER  -

Save .RIS

Bibtex

Article{nokey,
	title = {A Matter of (Joint) control? Virtual assistants and the general data protection regulation},
	author = {Mil, J. van and Quintais, J.},
	doi = {https://doi.org/https://doi.org/10.1016/j.clsr.2022.105689},
	year = {0616},
	date = {2022-06-16},
	journal = {Computer Law & Security Review},
	volume = {45},
	abstract = {This article provides an overview and critical examination of the rules for determining who qualifies as controller or joint controller under the General Data Protection Regulation. Using Google Assistant – an artificial intelligence-driven virtual assistant – as a case study, we argue that these rules are overreaching and difficult to apply in the present-day information society and Internet of Things environments. First, as a consequence of recent developments in case law and supervisory guidance, these rules lead to a complex and ambiguous test to determine (joint) control. Second, due to advances in technological applications and business models, it is increasingly challenging to apply such rules to contemporary processing operations. In particular, as illustrated by the Google Assistant, individuals will likely be qualified as joint controllers, together with Google and also third-party developers, for at least the collection and possible transmission of other individuals’ personal data via the virtual assistant. Third, we identify follow-on issues relating to the apportionment of responsibilities between joint controllers and the effective and complete protection of data subjects. We conclude by questioning whether the framework for determining who qualifies as controller or joint controller is future-proof and normatively desirable.},
	keywords = {frontpage, GDPR, Privacy, Recht op gegevensbescherming},
}

Save .bib

Naar een algemeen transparantiebeginsel? : Bespreking van het preadvies van A.W.G.J. Buijze voor de VAR 2022 external link

Dommering, E.

Nederlands Tijdschrift voor Bestuursrecht, iss. : 5, num: 141, pp: 265-271, 2022

Links

https://www.ivir.nl/ntb_2022_5_141/

frontpage, openbaarheid, Overheidsinformatie, Privacy, transparantie

RIS

Save .RIS

Bibtex

Save .bib

Knock Knock Who’s There? Tussenpersonen, persoonsgegevens en de kunst van het juiste evenwicht external link

Alberdingk Thijm, Chr. A.

Ars Aequi, iss. : april, pp: 279-288, 2022

Abstract

Wat te doen als je op Twitter door een anoniem profiel voor rotte vis wordt uitgemaakt? Het Nederlandse recht biedt verschillende mogelijkheden om identificerende gegevens te verkrijgen van internettussenpersonen. Maar hoe wordt de afweging met de bescherming van de persoonsgegevens van de anonymus gemaakt? Hoe verhoudt het recht op een doeltreffende voorziening in rechte zich tot het gegevensbeschermingsrecht? Het Hof van Justitie schrijft voor dat bij botsende fundamentele rechten het ‘juiste evenwicht’ moet worden gevonden. Dat blijkt de Nederlandse rechter nog niet zo eenvoudig te vinden, zo wordt duidelijk bij de bespreking van het Dutch FilmWorks-arrest in dit artikel.

Links

https://www.ivir.nl/nl/aa_2022/

frontpage, persoonsgevens, Privacy

RIS

Save .RIS

Bibtex

Article{nokey,
	title = {Knock Knock Who’s There? Tussenpersonen, persoonsgegevens en de kunst van het juiste evenwicht},
	author = {Alberdingk Thijm, Chr. A.},
	year = {0408},
	date = {2022-04-08},
	journal = {Ars Aequi},
	issue = {april},
	pages = {279-288},
	abstract = {Wat te doen als je op Twitter door een anoniem profiel voor rotte vis wordt uitgemaakt? Het Nederlandse recht biedt verschillende mogelijkheden om identificerende gegevens te verkrijgen van internettussenpersonen. Maar hoe wordt de afweging met de bescherming van de persoonsgegevens van de anonymus gemaakt? Hoe verhoudt het recht op een doeltreffende voorziening in rechte zich tot het gegevensbeschermingsrecht? Het Hof van Justitie schrijft voor dat bij botsende
fundamentele rechten het ‘juiste evenwicht’ moet worden gevonden. Dat blijkt de Nederlandse rechter nog niet zo eenvoudig te vinden, zo wordt duidelijk bij de bespreking van het Dutch FilmWorks-arrest in dit artikel.},
	keywords = {frontpage, persoonsgevens, Privacy},
}

Save .bib