Volume 5 (2022)

Each volume of Journal of Data Protection & Privacy consists of four 100-page issues. Articles scheduled for Volume 5 will be available to view on the Forthcoming content page soon.

The articles published in Volume 5 are listed below.

Volume 5 Number 2

  • Editorial: Can blockchain technology protect organisations against the escalating threat of personal data and cyber security breaches?
    Ardi Kolah, Founding Editor-in-Chief, Journal of Data Protection & Privacy
  • Practice papers
    The Indian DPB, California’s CCPA and the European GDPR: A comparative analysis
    Mathew Chacko, Head of the Technology, Media & Telecommunications practice group and Shambhavi Mishra, Associate, Data Protection, Privacy and Cybersecurity practice, Spice Route Legal, India

    This paper intends to critically analyse the major substantive areas of divergence between India’s latest version of their draft data protection law (the Data Protection Bill, 2021), the European General Data Protection Regulation and the California Consumer Privacy Act, 2018. The paper further identifies aspects of the General Data Protection Regulation and the California Consumer Privacy Act, 2018 that must be adopted in the Indian context from a business perspective.
    Keywords: GDPR, CCPA, Data Protection Bill, 2021

  • A decade after the Personal Data Protection Act 2010 (PDPA): Compliance of communications companies with the notice and choice principle
    Ali Alibeigi, Faculty of Law, Abu Bakar Munir, Holder of Tun Ismail Ali Chair, Faculty of Law, Malaysia and Adeleh Asemi, Faculty of Computer Science and IT, University of Malaya

    The massive and implausible advancements in the fields of information and communications technology, and especially the internet, have increased both the value and threats to the information privacy of individuals. The Malaysian Personal Data Protection Act 2010 (PDPA) was a governmental endeavour to protect the information privacy of the citizens. However, the Act’s output and the level of compliance by the data users are in a halo of ambiguity. This qualitative study using the document analysis aimed to find out to what extent the communications companies comply with the Act. Hence, the privacy policies of these companies were evaluated in line with the requirements of the Act. The results indicated that more or less all samples failed to satisfy the PDPA requirements. The solutions provided by this research can be used as practical guidelines to draft a Standard Privacy Policy. The suggestions also would benefit the Personal Data Protection Commissioner in performing his duties and functions.
    Keywords: data protection officer, data user, Malaysia, PDPA, personal data, privacy

  • New directions for data governance in health data? Examining the role of anonymisation and pseudonymisation
    Anna Aurora Wennäkoski, Senior Specialist, Data Business Unit, Finnish Ministry of Transport and Communications

    Data governance can be considered a commonly shared priority for many organisations. This paper examines the roles of anonymisation and pseudonymisation as privacy-enhancing technologies (‘PETs’) as part of data governance focusing on the health and medical sector. Ultimately, it asks whether organisations should reframe their data governance to favour anonymisation or pseudonymisation respectively. To that, the paper concludes that while both anonymisation and pseudonymisation appear important technical tools, they ought to be understood as part of the wider frame of data governance, where no stand-alone tool seems to suffice. Rather, a wider outlook that also includes organisational and legal measures is needed. Regarding the latter, the guidance seems to proliferate, and in those, reasonable protective measures, along with risk-based approaches, appear common.
    Keywords: data governance, health data, data protection law

  • Transparent communication under Article 12 of the GDPR: Advocating a standardised approach for universal understandability
    Indranath Gupta, Professor of law, Jindal Global Law School and Dean of Research, O.P. Jindal Global University and Paarth Naithani, Academic Tutor and Teaching & Research for Intellectual Pursuit (TRIP) Fellow, Jindal Global Law School, O.P. Jindal Global University

    This paper suggests the way forward for the transparency requirement under the GDPR for all data subjects in the context of two recent developments in 2021. The first was the decision of the Dutch DPA against TikTok, and the second was the release of the UK Children’s Code by the ICO. The paper positions understanding of terms of use and privacy policy as an essential attribute in the overall intelligible, clear and plain language requirement under the GDPR. It indicates that a standardised approach can guarantee that data subjects understand the information data controllers share. This approach will have a script with standardised and universal tools. Such an approach would overcome the limitations of a particular language, including the variable perception of ‘privacy’ among individuals.
    Keywords: transparency, intelligible, clear and plain language, standardised approach, GDPR

  • Research papers
    Artificial intelligence and automated decision making: The new frontier of privacy challenges and opportunities
    Joseph Srouji, Avocat à la cour and Founding Partner, Srouji Avocats and Stefano Bellè, Graduate law student at Université Paris-Panthéon-Assas

    This paper addresses the privacy component of broader artificial intelligence (AI) ethical considerations. We begin with an overview of the regulatory landscape, or lack thereof, and then call out the specific provisions of EU data protection law applicable to AI while focusing on examples of country-specific approaches, including some recent regulatory action. This regulatory action is particularly insightful since it identifies the key challenges that companies face, or will eventually face, when adopting AI-based solutions. These challenges include how to anticipate and prevent bias in automated decision making (ADM) and how to provide transparency to data subjects, despite the complexity of machine learning processes, while protecting business secrets and know-how.
    Keywords: artificial intelligence, AI, data protection, data privacy, machine learning, regulations, European Union, GDPR, Artificial Intelligence Act, automated decision making, digital ethics, enforcement

  • Worthy of trust: Protecting minority privacy in diversity reporting
    Matthew Bellringer, Meaningbit Ltd, The Old Casino

    This paper highlights potential risks to privacy in diversity monitoring and reporting. It explores the reputational drivers behind reporting, and the specific challenges presented when reporting on ‘hidden’ or ‘invisible’ aspects of diversity. It raises operational considerations that come about as a result of these challenges and suggests that an integrated approach aimed at increased trust among all stakeholders is likely to yield the greatest business benefits from reporting activities.
    Keywords: environmental, social and governance (ESG), diversity, equity and inclusion (DEI), GDPR, hidden minorities, reporting, employee data, sensitive data, accidental disclosure, disability, sexual orientation, gender

  • The UK’s Online Safety Bill: The day we took a stand against serious online harms or the day we lost our freedoms to platforms and the state?
    Alexander Dittel, Partner in Technology, Wedlake Bell

    This paper discusses the UK’s Online Safety Bill, which is intended to protect vulnerable individuals online, although at the risk of promoting surveillance techniques and mandating proactive content removal by platforms. It analyses how the Bill, a very ambitious project, tries to safeguard vulnerable people through means which could be easily abused, and asks whether the risk of abuse that could affect everyone is worth the protection of a minority of online users. Recently demonstrated authoritarian approaches to solving the COVID-19 crisis make this concern palpable. The paper concludes by saying that once we take a path, it will be difficult to walk it back.
    Keywords: online harms, Online Safety Bill, lawful but harmful, user-generated content, content monitoring, user, monitoring, cyber offences

  • Book review
    Determann’s Field Guide to Data Privacy Law: International Corporate Compliance
    Reviewed by Ardi Kolah

Volume 5 Number 1

  • Editorial: Why International Holocaust Remembrance Day is more relevant than ever in a world where privacy and data protection are increasingly rare
    Ardi Kolah, Founding Editor-in-Chief, Journal of Data Protection & Privacy
  • Research papers
    China’s PIPL and DSL: Is China following the EU’s approach to data protection?
    Ziwen Tan, LL.M. Candidate, China University of Political Science and Law and Channing Zhang, Privacy Protection Manager, Kingnet Network

    On 20th August, 2021, China, a market with over one billion consumers, passed the Personal Information Protection Law (PIPL), effective as of 1st November, 2021. The PIPL aims to provide individuals with comprehensive sets of data protection rights and will unquestionably impact how businesses ensure compliance in the upcoming years. Not surprisingly, like many other jurisdictions, the PIPL resembles the General Data Protection Regulation (GDPR) to a great extent, but it also diverges from the GDPR in many regards. Therefore, many companies, having already built a GDPR-compliant program, still face the challenge of demonstrating compliance with the PIPL. Also noteworthy is the recently enacted Data Security Law (DSL), a unique law (if not the only one) around the world targeting data security individually. The DSL not only supplements the PIPL, but also has a distinctive aim regarding national security, which exposes companies to obligations beyond those imposed by the PIPL. Furthermore, there is no denying that there are still some ambiguous parts of the PIPL and the DSL. However, China is enacting other laws, industry-specific regulations, guidelines and standards to complement the application of the two laws, which are also worth attention. This paper discusses the material differences between the GDPR and the PIPL (as well as the DSL when applicable) and creates a roadmap to achieve compliance with the PIPL and the DSL.
    Keywords: Personal Information Protection Law, Data Security Law, China, data protection, privacy

  • Teleology: The missing piece to solving the GDPR puzzle
    Paweł Kuch, Attorney-at-Law, University of Zurich

    The Court of Justice of the European Union (CJEU) plays an essential role as the supreme interpreter of primary and secondary European law. Since its inception, the CJEU has adopted four methods of interpretation — grammatical, contextual, historical and teleological — and often used all of them to clarify a provision in question. For many reasons, the teleological method is often avoided or misunderstood by many. Regardless of personal opinions, however, the teleological method’s significant impact on the legal interpretation of European Union (EU) legislation must be acknowledged. Rightly or not, the majority of interested parties perceive the provisions of the General Data Protection Regulation (GDPR) as ambiguous. The EU’s 24 official languages hinder the use of the grammatical method of interpretation as the primary and absolute one. The contextual and historical methods are often inconclusive. Consequently, the teleological method of legal interpretation, focusing on the goals and objectives of the legislation, allows the CJEU to adjudicate coherently with the whole EU legal system and its objectives. Recognising that the goals and objectives are part of the GDPR complements the grammatical, contextual and historical interpretation methods and helps see the regulation in its intended light: a legal framework for personal data processing, which respects everyone’s fundamental right to personal data protection, aiming to balance it with other fundamental rights. This paper aims to draw attention to the often forgotten or only reluctantly applied teleological interpretation method in implementing the GDPR.
    Keywords: Teleology, GDPR, data protection, EU legislation

  • On the advent of environmental, social and governance reporting and its intersection with privacy
    Martijn ten Bloemendal, Global Privacy Counsel, AbbVie

    An emerging area of regulation in the form of environmental, social and governance (ESG) reporting is aimed at long-term sustainability and addressing the challenges of climate change and social inequality. This paper explores how ESG reporting intersects in interesting ways with well-established privacy principles under the European Union (EU) General Data Protection Regulation. The paper analyses these privacy implications in the context of the first formal ESG law of comprehensive scope — the EU Sustainable Finance Disclosure Regulation — as well as existing global ESG disclosure standards. In particular the ‘S’ of ESG encompasses issues in the employment context relating to gender equality and diversity and inclusion (D&I), thereby implicating sensitive personal data and complicating the collection of such data. In addition, the paper looks towards the question of whether there is, or should be, a ‘P’ of privacy incorporated in ESG and considers the potential development of measurable privacy metrics for this purpose.
    Keywords: ESG, GDPR, Sustainable Finance Disclosure Regulation (SFDR), Sustainability Accounting Standards Board (SASB), Global Reporting Initiative (GRI), gender, race, ethnicity, diversity and inclusion, sensitive data, employee data

  • Practice papers
    Enforcing the right to be forgotten as a human right
    Saheed Alabi, Director of Legal Research, Alidson Global Network

    This paper examines the application of the right to be forgotten as a human right by analysing the provisions of the GDPR, the jurisprudence of the Court of Justice of the European Union (CJEU) and the European Court of Human Rights (ECtHR). Furthermore, the implication of Brexit as a result of the United Kingdom exiting the European Union in the context of the application of the GDPR is analysed generally.
    Keywords: Right to be Forgotten, Human Rights, GDPR, Court of Justice of the European Union (CJEU), European Court of Human Rights (ECtHR), Brexit

  • The new EU Standard Contractual Clauses as a type of appropriate safeguard in the international transfer of personal data
    Anna Popowicz-Pazdej, Privacy Lawyer, Dentons, CIPP/E and doctorate researcher, University of Wroclaw

    Personal data flow more freely across borders and represent one of the most significant forces behind the process of globalisation. Although this process is inevitable, it has to respect human rights, especially the right to data protection. One of the most commonly used transfer tools under the General Data Protection Regulation are standard contractual clauses. These tools are used in case of the transfer of personal data to third countries in the absence of an adequacy decision. In June 2021 the European Commission adopted the new Standard Contractual Clauses. There is a multifaceted change concerning the new law’s scope, structure and substance compared with the previous versions. This change reflects the new requirements in light of the technological development and the Schrems II judgment. Above all, this was an opportunity to articulate all data protection requirements for international data transfers expressly, especially to capture lacking relations between data controllers and data processors by way of a modular approach. This paper summarises the functionality of the new standard contractual clauses in light of the content and rationale of the international transfer of personal data and provides an in-depth oversight of its scope and structure. The ultimate aim is to reach a compromise in order to both ascertain a sufficient level of data protection on the one hand, and not create unnecessary obstacles to cross-border data flows on the other. Hence, it also attempts to answer the question as to whether these standard contractual clauses will stand the test of time, especially bearing in mind some burdensome obligations.
    Keywords: GDPR, standard contractual clauses, international data transfer, appropriate safeguards, transfer adequacy

  • Getting connected: Providing IT services to the German healthcare sector subject to ecclesiastical data protection law
    Tamara Bukatz, Data protection and privacy consultant

    Due to the pandemic, digitisation is advancing at a quicker pace in Germany, especially in the healthcare sector. Many institutions in the German healthcare sector are owned by religious associations or church bodies. Software providers that consider entering into a contractual relationship, in particular with hospitals, may find themselves faced with ecclesiastical data protection laws of the different churches in Germany as well as the corresponding system of ecclesiastical courts and supervisory authorities. European countries generally have one supervisory authority for data protection. Germany, however, has not one but a myriad of supervisory authorities at both a secular and an ecclesiastical level, which are explored in this paper. This paper aims to give businesses interested in the opportunities arising from the digitisation development an overview of what it entails to conclude a contract for processing personal data of German entities in the healthcare and related sectors and points out the differences between the General Data Protection Regulation (GDPR) and the Catholic as well as Evangelical data protection law.
    Keywords: Article 91 GDPR, Evangelical and Catholic data protection laws, system of secular and ecclesiastical data protection supervisory authorities in Germany, digitisation of the healthcare sector

  • GDPR Glasnost: Spain’s AEPD raises the transparency bar and sanctions two banks
    Philipp Fischer, Partner, Banking & Finance/Data Protection Department, Oberson Abels and Julien Levis, Head of Data Privacy at an International Group

    This paper is a commentary on two recent decisions issued by the Spanish data protection authority (DPA): the AEPD (Agencia Española de Protección de Datos). Both decisions — issued one month apart — developed similar motives and grievances primarily arising from the alleged lack of clarity in the two banks’ privacy notifications to their clients as well as in the consent-collection process and in the formulation of their legitimate interest in processing personal data. These two decisions combined with one issued just a couple of months earlier by the French DPA (CNIL [Commission Nationale de l’Informatique et des Libertés]) appear to draw a new trend: one towards a heightened scrutiny on the details of the data protection documentation set forth by data controllers. Sanctions issued over the General Data Protection Regulation’s (GDPR) first two years of implementation had largely focused on penalising manifest disregard for the GDPR (primarily in the form of a lack of appropriate technical and organisational measures or the absence of a lawful basis for personal data processing). In each of the three decisions, the data controller was a bank (Banco Bilbao Vizcaya Argentaria, SA [BBVA] and CaixaBank in the two AEPD decisions under review, Carrefour Banque in the CNIL decision previously commented on by the co-authors). In the two Spanish decisions, the fines issued were, respectively, for €5m and €6m against BBVA and CaixaBank. Privacy professionals in the banking sector will need to factor in these regulatory developments and reassess the formulation of their privacy notifications. The industry has thus been invited to reassess its duty of privacy information from a new, more rigorous perspective. What degree of detail regarding the specifics of the data processing do regulators expect in a privacy notice? How should data controllers structure the collection of data subject consent to ensure it may constitute a legitimate basis for data processing? What are the elements they need to demonstrate to validly invoke a legitimate interest in the data processing? The two recent AEPD decisions under review set a high bar. While the two decisions are primarily remarkable in their substantive motivation (I), we will also highlight some particularly interesting procedural developments (II).
    Keywords: GDPR, duty of information, consent, legitimate interest, impartiality, due process

  • Book review
    Data Protection Around the World: Privacy Laws in Action
    Reviewed by Dr Jacob Kornbeck, Policy Officer, European Commission, Youth Unit
  • Book review
    Privacy is Hard and Seven Other Myths: Achieving Privacy Through Careful Design
    Reviewed by Ardi Kolah