Volume 5 (2022)

Each volume of Journal of Data Protection & Privacy consists of four 100-page issues. Articles scheduled for Volume 5 will be available to view on the Forthcoming content page soon.

The articles published in Volume 5 are listed below.

Volume 5 Number 1

  • Editorial: Why International Holocaust Remembrance Day is more relevant than ever in a world where privacy and data protection are increasingly rare
    Ardi Kolah, Founding Editor-in-Chief, Journal of Data Protection & Privacy
  • Research papers
    China’s PIPL and DSL: Is China following the EU’s approach to data protection?
    Ziwen Tan, LL.M. Candidate, China University of Political Science and Law and Channing Zhang, Privacy Protection Manager, Kingnet Network

    On 20th August, 2021, China, a market with over one billion consumers, passed the Personal Information Protection Law (PIPL), effective as of 1st November, 2021. The PIPL aims to provide individuals with comprehensive sets of data protection rights and will unquestionably impact how businesses ensure compliance in the upcoming years. Not surprisingly, like many other jurisdictions, the PIPL resembles the General Data Protection Regulation (GDPR) to a great extent, but it also diverges from the GDPR in many regards. Therefore, many companies, having already built a GDPR-compliant program, still face the challenge of demonstrating compliance with the PIPL. Also noteworthy is the recently enacted Data Security Law (DSL), a unique law (if not the only one) around the world targeting data security individually. The DSL not only supplements the PIPL, but also has a distinctive aim regarding national security, which exposes companies to obligations beyond those imposed by the PIPL. Furthermore, there is no denying that there are still some ambiguous parts of the PIPL and the DSL. However, China is enacting other laws, industry-specific regulations, guidelines and standards to complement the application of the two laws, which are also worth attention. This paper discusses the material differences between the GDPR and the PIPL (as well as the DSL when applicable) and creates a roadmap to achieve compliance with the PIPL and the DSL.
    Keywords: Personal information protection law, data security law, China, data protection, privacy

  • Teleology: The missing piece to solving the GDPR puzzle
    Paweł Kuch, Attorney-at-Law, University of Zurich

    The Court of Justice of the European Union (CJEU) plays an essential role as the supreme interpreter of primary and secondary European law. Since its inception, the CJEU adopted four methods of interpretation — grammatical, contextual, historical and teleological — and often used all of them to clarify a provision in question. For many reasons, the teleological method is often avoided or misunderstood by many. Regardless of personal opinions, however, the teleological method’s significant impact on the legal interpretation of European Union (EU) legislation must be acknowledged. Rightly or not, the majority of interested parties perceive the provisions of the General Data Protection Regulation (GDPR) as ambiguous. The EU’s 24 official languages hinder the use of the grammatical method of interpretation as the primary and absolute one. The contextual and historical methods are often inconclusive. Consequently, the teleological method of legal interpretation, focusing on the goals and objectives of the legislation, allows the CJEU to adjudicate coherently with the whole EU legal system and its objectives. Recognising that the goals and objectives are part of the GDPR complements the grammatical, contextual and historical interpretation methods and helps see the regulation in its intended light: a legal framework for personal data processing, which respects everyone’s fundamental right to personal data protection, aiming to balance it with other fundamental rights. This paper aims to draw attention to the often forgotten or only reluctantly applied teleological interpretation method in implementing the GDPR.
    Keywords: Teleology, GDPR, data protection, EU legislation

  • On the advent of environmental, social and governance reporting and its intersection with privacy
    Martijn ten Bloemendal, Global Privacy Counsel, AbbVie

    An emerging area of regulation in the form of environmental, social and governance (ESG) reporting is aimed at long-term sustainability and addressing the challenges of climate change and social inequality. This paper explores how ESG reporting intersects in interesting ways with well-established privacy principles under the European Union (EU) General Data Protection Regulation. The paper analyses these privacy implications in the context of the first formal ESG law of comprehensive scope — the EU Sustainable Finance Disclosure Regulation — as well as existing global ESG disclosure standards. In particular the ‘S’ of ESG encompasses issues in the employment context relating to gender equality and diversity and inclusion (D&I), thereby implicating sensitive personal data and complicating the collection of such data. In addition, the paper looks towards the question of whether there is, or should be, a ‘P’ of privacy incorporated in ESG and considers the potential development of measurable privacy metrics for this purpose.
    Keywords: ESG, GDPR, Sustainable Finance Disclosure Regulation (SFDR), Sustainability Accounting Standards Board (SASB), Global Reporting Initiative (GRI), gender, race, ethnicity, diversity and inclusion, sensitive data, employee data

  • Practice papers
    Enforcing the right to be forgotten as a human right
    Saheed Alabi, Director of Legal Research, Alidson Global Network

    This paper examines the application of the right to be forgotten as a human right by analysing the provisions of the GDPR, the jurisprudence of the Court of Justice of the European Union (CJEU) and the European Court of Human Rights (ECtHR). Furthermore, the implication of Brexit as a result of the United Kingdom exiting the European Union in the context of the application of the GDPR is analysed generally.
    Keywords: Right to be Forgotten, Human Rights, GDPR, Court of Justice of the European Union (CJEU), European Court of Human Rights (ECtHR), Brexit

  • The new EU Standard Contractual Clauses as a type of appropriate safeguard in the international transfer of personal data
    Anna Popowicz-Pazdej, Privacy Lawyer, Dentons, CIPP/E and doctorate researcher, University of Wroclaw

    Personal data flow more freely across borders and represent one of the most significant forces behind the process of globalisation. Although this process is inevitable, it has to respect human rights, especially the right to data protection. One of the most commonly used transfer tools under the General Data Protection Regulation are standard contractual clauses. These tools are used in case of the transfer of personal data to third countries in the absence of an adequacy decision. In June 2021 the European Commission adopted the new Standard Contractual Clauses. There is a multifaceted change concerning the new law’s scope, structure and substance compared with the previous versions. This change reflects the new requirements in light of the technological development and the Schrems II judgment. Above all, this was an opportunity to articulate all data protection requirements for international data transfers expressly, especially to capture lacking relations between data controllers and data processors by way of a modular approach. This paper summarises the functionality of the new standard contractual clauses in light of the content and rationale of the international transfer of personal data and provides an in-depth oversight of its scope and structure. The ultimate aim is to reach a compromise in order to both ascertain a sufficient level of data protection on the one hand, and not create unnecessary obstacles to cross-border data flows on the other. Hence, it also attempts to answer the question as to whether these standard contractual clauses will stand the test of time, especially bearing in mind some burdensome obligations.
    Keywords: GDPR, standard contractual clauses, international data transfer, appropriate safeguards, transfer adequacy

  • Getting connected: Providing IT services to the German healthcare sector subject to ecclesiastical data protection law
    Tamara Bukatz, Data protection and privacy consultant

    Due to the pandemic, digitisation is advancing at a quicker pace in Germany, especially in the healthcare sector. Many institutions in the German healthcare sector are owned by religious associations or church bodies. Software providers that consider entering into a contractual relationship, in particular with hospitals, may find themselves faced with ecclesiastical data protection laws of the different churches in Germany as well as the corresponding system of ecclesiastical courts and supervisory authorities. European countries generally have one supervisory authority for data protection. Germany, however, has not one but a myriad of supervisory authorities on both a secular and an ecclesiastical level, which are explored in this paper. This paper aims to give businesses interested in the opportunities arising from the digitisation development an overview of what it entails to conclude a contract for processing personal data of German entities in the healthcare and related sectors and points out the differences between the General Data Protection Regulation (GDPR) and the Catholic as well as Evangelical data protection law.
    Keywords: Article 91 GDPR, Evangelical and Catholic data protection laws, system of secular and ecclesiastical data protection supervisory authorities in Germany, digitisation of the healthcare sector

  • GDPR Glasnost: Spain’s AEPD raises the transparency bar and sanctions two banks
    Philipp Fischer, Partner, Banking & Finance/Data Protection Department, Oberson Abels and Julien Levis, Head of Data Privacy at an International Group

    This paper is a commentary on two recent decisions issued by the Spanish data protection authority (DPA): the AEPD (Agencia Española de Protección de Datos). Both decisions — issued one month apart — developed similar motives and grievances primarily arising from the alleged lack of clarity in the two banks’ privacy notifications to their clients as well as in the consent-collection process and in the formulation of their legitimate interest in processing personal data. These two decisions combined with one issued just a couple of months earlier by the French DPA (CNIL [Commission Nationale de l’Informatique et des Libertés]) appear to draw a new trend: one towards a heightened scrutiny on the details of the data protection documentation set forth by data controllers. Sanctions issued over General Data Protection Regulation’s (GDPR) first two years of implementation had largely focused on penalising manifest disregard for GDPR (primarily in the form of a lack of appropriate technical and organisational measures or the absence of a lawful basis for personal data processing). In each of the three decisions, the data controller was a bank (Banco Bilbao Vizcaya Argentaria, SA [BBVA] and CaixaBank in the two AEPD decisions under review, Carrefour Banque in the CNIL decision previously commented on by the co-authors). In the two Spanish decisions, the fines issued were, respectively, for €5m and €6m against BBVA and CaixaBank. Privacy professionals in the banking sector will need to factor in these regulatory developments and reassess the formulation of their privacy notifications. The industry has thus been invited to reassess its duty of privacy information from a new, more rigorous perspective. What degree of detail regarding the specifics of the data processing do regulators expect in a privacy notice? How should data controllers structure the collection of data subject consent to ensure it may constitute a legitimate basis for data processing? What are the elements they need to demonstrate to validly invoke a legitimate interest in the data processing? The two recent AEPD decisions under review set a high bar. While the two decisions are primarily remarkable in their substantive motivation (I), we will also highlight some particularly interesting procedural developments (II).
    Keywords: GDPR, duty of information, consent, legitimate interest, impartiality, due process

  • Book review
    Data Protection Around the World: Privacy Laws in Action
    Reviewed by Dr Jacob Kornbeck, Policy Officer, European Commission, Youth Unit
  • Book review
    Privacy is Hard and Seven Other Myths: Achieving Privacy Through Careful Design
    Reviewed by Ardi Kolah