Volume 4 (2021)

Each volume of Journal of Data Protection & Privacy consists of four 100-page issues. Articles scheduled for Volume 4 are available to view on the 'Forthcoming content' page.

The articles published in Volume 4 are listed below.

Volume 4 Number 2

  • Editorial: Working from home (WFH): The new privacy frontier
    Ardi Kolah, Founding Editor-in-Chief, Journal of Data Protection & Privacy
  • Practice papers:
    The Data Trust Model Proposes Individuals Can Control Their Data for Profit
    Susan Raab, Managing Partner, Customer Data Platform Institute

    This paper explores the concept of the data trust model as a way of giving individuals control over their personal data and potentially being compensated for its use. We will look at the benefits and challenges of this model and how it fits with current regulation. Finally, the paper provides examples of how this model can be used and explores the question of whether the European Union (EU) Trusts Project is considering the data trust model to create a marketplace using EU citizen data.
    Keywords: data trust, data marketplace, data trustee, privacy, data protection

  • Unregulated drones and an emerging threat to right to privacy: A critical overview
    Nehaluddin Ahmad, Professor of Law, Sultan Sharif Ali Islamic University (UNISSA), Saurabh Chaturvedi, Professor and Dean School of Law, NMIMS University Mumbai and Ahmad Masum, Sr Assistant Professor, Faculty of Sharia and Law, Sultan Sharif Ali Islamic University (UNISSA)

    There is a huge question of whether current laws in different jurisdictions around the globe can adequately protect a population’s fundamental rights from the threats presented by drone technology. The market for drones is expanding rapidly. They offer certain attractive services, but the mere operation of these airborne machines poses great threats to people’s privacy and safety. Drones — also called unmanned aerial vehicles (UAVs) — are planes without a human pilot. Drones have been used by military organisations for over a decade, but in recent years their use in commercial and recreational capacities has been growing. They are, however, becoming a serious risk to citizens’ fundamental rights. This paper discusses UAVs’ technological capabilities and how they are beginning to affect fundamental rights of privacy. The paper identifies possible future directions in the fields of civilian security and privacy.
    Keywords: drone technology, privacy and safety, UAVs, fundamental rights

  • Data-related legislation and its implications for a country’s competitiveness: The perspective of the People’s Republic of China
    Yihan Dai, Associate Research Fellow, Faculty of International Law, East China University of Political Science and Law

    Data protection legislation could have far-reaching implications for a country’s competitiveness in today’s global digital economy, especially for the People’s Republic of China, which is extremely data rich because of its large population and the substantial number of active internet users. Chinese legislators appear to have intentionally left a viable space for the development of Big Data and new technologies and adopted two contradictory approaches towards the liberalisation of cross-border data transfer in the context of trade globalisation. This paper discusses how the two contradictory approaches reflect a lack of policy coherence in the field of cross-border data transfer that will probably lead to ‘policy failures’.
    Keywords: data protection laws, PRC’s data privacy legislation, internet censorship

  • Personal data protection in the credit-scoring industry of China
    Arlene Zhang, Researcher, Data Law Research Center & Cyber Law Research Institute (Shanghai & Hangzhou)

    China accounts for nearly half of the global digital payment market and three quarters of online lending transactions. With personal data as the new collateral, lenders now use alternative data (traceable personal information related to e-commerce sites, apps) to make decisions on investing and lending, instead of relying only on the traditional credit record. Credit-scoring service providers have also begun adopting alternative data for creditworthiness evaluation. While offering many benefits, the use of alternative data for financial decisions also raises significant data protection and privacy concerns, including meaningless consent, excessive collection of personal information, lack of transparency, loss of control by individuals, and manipulation of human behaviour. These issues are common around the world, but with different laws and regulations and social development backgrounds. This paper will examine China’s Big Data credit-scoring industry’s personal data-protection status, current legislative supervision and innovative technology, and their drawbacks. The paper concludes with a discussion of responses and suggestions for the field.
    Keywords: personal data protection, use of alternative data, credit scoring, fintech, China

  • The California Consumer Privacy Act: The ethos, similarities and differences vis-a-vis the General Data Protection Regulation and the road ahead in light of California Privacy Rights Act
    Tripti Dhar, Partner, Reina Legal LLP

    Amidst the ongoing privacy concerns, legislations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have given individuals the insight into their personal data and a control thereof. These legislations, however, must not be viewed as an impediment to business but as business enablers that ensure successful conduct of business while balancing the rights of the individuals vis-à-vis that of the businesses. This paper seeks to delve into the spirit and the most striking features of CCPA. The paper also aims to compare the GDPR and CCPA so as to ascertain the key similarities and key differences between the two. The paper finally attempts to trace the journey of global companies in the quest to achieve compliance before 1st January, 2020. As of today, businesses are faced with a peculiar circumstance. They have aligned their businesses in line with the GDPR and are now also required to align with the obligations under CCPA. The procedural aspect has the business taken by storm. To make matters complicated, businesses are now faced with the California Privacy Rights Act (CPRA) and the relevant compliances expected of them. The paper seeks to conclude with a roadmap for global businesses in such a factual matrix.
    Keywords: CCPA, GDPR, CPRA, data protection, data privacy

  • Comparison of notice requirements for consent between ISO/IEC 29184:2020 and General Data Protection Regulation
    Harshvardhan J. Pandit, Research Fellow, ADAPT SFI Centre, Trinity College Dublin and Georg Philip Krog, Cofounder and Chief of Legal Counsel, Signatu AS

    This paper analyses the ISO/IEC 29184:2020 standard and compares its requirements for notice and consent with those specified by the General Data Protection Regulation (GDPR). More specifically, it considers the extent to which the ISO/IEC 29184 standard can be applied to demonstrate compliance with the requirements of the GDPR and to identify the additional requirements in areas where it is not sufficient. The paper concludes with remarks on the potential role of ISO/IEC 29184 as a certification mechanism under the GDPR for consent and notice.
    Keywords: consent, notice, GDPR, regulatory compliance, privacy, ISO

  • The increase of SIM Swap Frauds and new risks on European customers: Payment services and data protection in Italian law courts
    Fabio Di Resta, Avvocato, Italy

    This paper analyses consumers’ legal protection when they are victims of banking frauds through the internet banking systems. In the last decade, there was a strong increase in telematic frauds; the COVID-19 pandemic and the consequent use of smart working by employees have also been exploited by fraudsters. In this context, customers became the favourite victims of cybercriminals, who have found more complex telematic frauds based on social engineering, such as chief executive officer (CEO) frauds, but more often the SIM (Subscriber Identification Module) Swap Fraud, carried out through the identification procedures employed by mobile operators and by becoming the new owner of the victim’s SIM card. In this respect, the recent legal reforms on payment services and the General Data Protection Regulation (GDPR) became the milestone of consumers’ legal protection. Italian leading cases on SIM Swap Frauds will be analysed in more detail, describing the main criteria and principles of European and Italian data protection laws applied to personal data processing of the victims.
    Keywords: SIM Swap Fraud, CEO frauds, GDPR, PSD2, RTS, EBA, Arbitro Bancario Finanziario (ABF), Alternative Disputes Resolution (ADR), Strong Customer Authentication (SCA)

  • Book reviews:
    Data Protection, Privacy Regulators and Supervisory Authorities
    Reviewed by Dr Jacob Kornbeck
  • ‘California Privacy Law: Practical Guide and Commentary US Federal and California Law’ (Fourth Edition)
    Reviewed by Richard Preece
  • Legal Challenges of Big Data
    Reviewed by Ardi Kolah


Volume 4 Number 1

  • Editorial: 2020 is the year we would all like to forget, it had some memorable moments for data privacy professionals and 2021 looks like going the same way
    Ardi Kolah, Founding Editor-in-Chief, Journal of Data Protection & Privacy
  • Practice papers:
    The California Privacy Rights Act of 2020: A broad and complex data processing regulation that applies to businesses worldwide
    Lothar Determann, Partner and Jonathan Tam, Senior Associate, Baker McKenzie

    The California Privacy Rights Act of 2020 (CPRA) introduces sweeping changes to the California Consumer Privacy Act of 2018 (CCPA), most of which will become operative as of 1st January, 2023, with a ‘look back’ to 1st January, 2022. Key revisions include a new definition of ‘sensitive personal information’ and detailed obligations regarding the processing of sensitive personal information for non-essential purposes; a new and counterintuitive definition of ‘sharing’ personal information and related restrictions aimed at the digital advertising industry; new data subject rights to correct inaccurate information and opt out of the use of automated decision-making technology; new requirements to include data protection and processing terms in contracts with data recipients and vendors; new requirements regarding what privacy notices must include and how they must be furnished to data subjects; and the establishment of a new privacy authority, the California Privacy Protection Agency. Although some requirements are similar to those in other jurisdictions, some are unique in their scope and even more onerous and detailed than those of the European Union General Data Protection Regulation. For example, CCPA also applies to ‘household data’ and will require companies to include California-specific language in their vendor contracts and privacy notices. This paper summarises some of the key revisions that CPRA makes to CCPA and offers practical recommendations on how companies subject to the law must comply. Companies that do business in California must comply not only with the revised CCPA but also detailed laws specific to particular sectors, industries, harms and activities.
    Keywords: California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), California Privacy Protection Agency (CPPA), cross-context behavioural advertising, right to know, right to access, right to deletion, right to correct inaccurate personal information, right to opt out of selling, right to opt out of sharing, right to restrict use and disclosure of sensitive personal information, right to opt out of automated decision-making technology, right to no retaliation

  • The end of the transition period: Implications for UK data protection after Brexit
    Oliver Butler, Research Fellow, Bonavero Institute of Human Rights

    This paper considers the implications for UK (United Kingdom) data protection after Brexit of the European Union (EU)–UK Withdrawal Agreement, the UK’s prospects of receiving, retaining and valuing a positive adequacy decision from the EU, and the decision of the Court of Justice of the European Union in Schrems II. It highlights that although these developments considerably narrow the scope for post-Brexit divergence from EU data protection law, there remain possibilities that cannot be dismissed as minimal. In particular, it cautions that the potential erosion of data subject rights post-Brexit may disproportionately impact members of lower socio-economic groups and Black, Asian and Minority Ethnic individuals. Any adequacy decision will furthermore be subject to ongoing legal challenge and precarity. The UK Government is likely to engage in brinkmanship with the Commission and the CJEU regarding adequacy and its obligations in the Withdrawal Agreement. If the UK fails to gain, or loses, an adequacy decision, then the Standard Contractual Clauses will face a similar set of ongoing legal challenges. The picture is not a happy one.
    Keywords: Brexit, Withdrawal Agreement, adequacy, Standard Contractual Clauses

  • Implementation of the ECOWAS Supplementary Act on Personal Data Protection: Lessons from the EU GDPR
    Dennis Agelebe, Postdoctoral Research Fellow, Environmental Law Center, Faculty of Law of the University of Cologne

    The process of accessing information about any individual is fast becoming beyond the control of private individuals as long as internet technology continues to penetrate more areas of our routine lives. The question has always been how far private individuals can regulate how their private information is accessed, processed and for what purpose. The European Union (EU) has made the General Data Protection Regulation (GDPR) for the purpose of filling the regulatory gap in protecting the right to data privacy of Europeans under the Data Protection Directive (1995). For the EU as a supranational organisation, the regulatory system is designed to be protective of the privacy right of every citizen within and outside the EU because it has the institutional capacity to sanction business entities that breach the GDPR. The Economic Community of West African States (ECOWAS) has adopted the Supplementary Act on Personal Data Protection. Although the ECOWAS has the outlook of a supranational community, it lacks the institutional structure that should make its laws enforceable across the member states. With its present structure, however, the ECOWAS Act is still a model instrument for data protection in the African region and can be improved upon. This paper examines the ECOWAS Act and studies the structure and implementation of the GDPR to understand why the act may not effectively be enforced across the member states without the reform of the ECOWAS.
    Keywords: data privacy, data protection, GDPR, ECOWAS

  • Data protection and space: What challenges will the General Data Protection Regulation face when dealing with space based data?
    Shakila Bu-Pasha, Postdoctoral Researcher, Faculty of Law, University of Helsinki and Heidi Kuusniemi, Professor and Director of Digital Economy, University of Vaasa

    Recently, space or satellite technology, as well as space data applications, is developing rapidly, resulting in a variety of uses. At the same time, related legal issues raise questions about how they can be handled efficiently. In addition to pointing out the importance of managing satellite activities in a legally sound environment, this paper explains the relevance of the General Data Protection Regulation and the challenges it will face in handling space-based data, as well as in managing threats to privacy and personal data regarding the outer space context.
    Keywords: satellite, GDPR, personal data, space-based data, privacy, technology

  • Personal information protection in Japan
    Christopher P Wells, Partner and Narumi Ito, Associate, Morgan Lewis

    In Japan, personal information protection is governed by the Act on Personal Information Protection (Act No. 57 of 2003, as amended). This paper summarises the main features of Japan’s personal information protection regime as it applies generally to corporate and individual enterprises that collect, retain and store certain personal information of residents of Japan directly, indirectly or incidentally in connection with (a) the conduct of an enterprise or business in Japan and (b) the conduct of an enterprise or business outside Japan when such collection could have an impact on residents of Japan. This paper also describes certain legislative amendments implemented in 2017, which were essential for Japan’s adequacy status under the General Data Protection Regulation.
    Keywords: PIPA, personal data, PIHBO, PIPC, special care-required personal information, SCRPI, Japan

  • Research paper:
    Data protection laws — one of the most important sources of competitive advantage in the context of international trade
    Yihan Dai, Associate Research Fellow, East China University of Political Science and Law

    The world’s existing international legal system in nearly all areas, including data protection and cross-border data transfers, is highly fragmented and hard to harmonise in the near future. The most important laws governing these issues still exist at the domestic level. Data protection legislation could have far-reaching implications for a country’s competition in today’s global digital economy. For countries, data protection laws are one of the most important sources of competitive advantage in the context of international trade. Laying down the data protection law prudently and intelligently applying such law will allow countries to unlock the benefits of technological innovation and digital trade.
    Keywords: data protection laws, international trade, competitive advantage, data, most valuable resource

  • Practice paper:
    A year of change: An analysis of how COVID-19 has impacted the data privacy profession in 2020
    Sabrina Palme, Co-founder and CEO, Palqee Technologies

    COVID-19 has brought unprecedented change to countless occupations, and for privacy professionals it has been no exception. As we are approaching the end of the year, this paper summarises the main data privacy challenges faced by privacy professionals due to the pandemic in 2020 and how it has impacted the data privacy profession as such. Has COVID-19 resulted in a shift leading to a new normal for the profession, or has it been business as usual? Taking also into consideration other meaningful events that have shaped 2020, such as the Black Lives Matter movement, Schrems II and Brexit, the paper concludes with what this year has meant for data privacy and an outlook on what to expect next.
    Keywords: COVID-19, data privacy, data security, data ethics, the new normal, Black Lives Matter, Brexit, Schrems II, analysis, opinion

  • Case study:
    ICO fines Ticketmaster UK Limited £1.25m for failing to protect customers’ payment details
    Joanne Bennett, Commercial Lawyer and Data Protection Consultant

    This paper discusses the finding of the Information Commissioner’s Office (ICO) against Ticketmaster UK Limited (Ticketmaster), which was fined £1.25m by the ICO for failing to keep its customers’ personal data secure. The Information Commissioner determined that Ticketmaster’s failure constituted a breach of the General Data Protection Regulation. In its findings, the ICO held the company should have done more to reduce the risk of a cyber-attack, including in relation to its use of third-party JavaScript on the payment page of its website. Ticketmaster’s breach led to millions of individuals in the United Kingdom and Europe being exposed to potential fraud. The financial sanction sends a message to other organisations ‘that looking after customers’ personal data safely should be at the top of their agenda’. Ticketmaster has indicated that it will appeal the fine. This paper additionally provides some practical tips to data protection practitioners to mitigate against similar breaches.
    Keywords: data protection, JavaScript, cyber security, fines, GDPR

  • Book review: ‘EU Personal Data Protection in Policy and Practice’
    Reviewed by Dr Jacob Kornbeck
  • Book review: Data protection: A practical guide to UK law
    Reviewed by Ardi Kolah