Volume 6 (2023-24)

Each volume of Journal of Data Protection & Privacy consists of four 100-page issues published both in print and online. 

The articles published in Volume 6 are listed below. 

Volume 6 Number 1

  • Editorial
    Third time lucky for the European Commission? Let's hope so
    Ardi Kolah, Founding Editor-in-Chief, Journal of Data Protection & Privacy
  • Practice paper
    As interest in using artificial intelligence increases, can UK and EU compliance legislation keep pace with the rate of change?
    Steve Wilkinson, Freelance Data Protection Officer

    Legislation usually follows technological developments, in this case the advancement of artificial intelligence (AI). AI could assist predictions of case outcomes for litigators by methodically reviewing vast data lakes related to previous judgments, reviewing the issues in each related case along with conclusions the judge reached. Therefore, draft proposals such as the EU's Artificial Intelligence Act (AIA), the EU's AI Liability Directive (AILD), guidance from the UK's Information Commissioner's Office (ICO) as well as recommendations from organisations such as the Organisation for Economic Co-operation and Development (OECD) regulating the use of AI from both the UK and EU will be discussed. The development of common AI definitions, technical standards and related tools can assist in the requirement for international harmonisation through other mechanisms as well as judicial awareness of the impending issue. The key areas of research will focus on the following: proposed legislation, existing legislation, journals and books. Case law will also be reviewed to ascertain any awareness from the judiciary as to the complexities related to AI.
    Keywords: artificial intelligence; risk assessment; UK General Data Protection Regulation (GDPR); liability; tort

  • A reflection on the UAE's new data protection law: A comparative approach with GDPR
    Laroussi Chemlali, Ajman University, Leila Benseddik, Canadian University Dubai, and Abdesselam Salmi, Ajman University

    On 2nd January, 2022, the United Arab Emirates' (UAE) new Federal Decree-Law on the Protection of Personal Data came into force and became the first federal-level law to address processing of personal data. This law, which is largely influenced by major international privacy and data protection legislation, in particular the European General Data Protection Regulation (GDPR), is intended to align UAE data protection standards with global standards and principles and also follows the recent trend in legislation for privacy and data protection in the Gulf Cooperation Council region. This paper follows a comparative approach by highlighting the key aspects of this law through the lens of the GDPR, in an attempt to provide an overview of requirements that should be taken into consideration by companies operating or wishing to settle in the UAE.
    Keywords: data protection; data protection law; data processing; General Data Protection Regulation (GDPR); privacy; United Arab Emirates (UAE)

  • Japan's PrivacyMark system as a good illustration of certification mechanisms
    Masao Horibe, Hitotsubashi University

    Privacy and data protection certification mechanisms have increasingly been attracting great interest. Japan was one of the first countries in the world to introduce privacy and data protection certification mechanisms and privacy and data protection seals and marks. At the prefectural level, this began in 1990, and at the national level, in 1998. JIPDEC (then the Japan Information Processing and Development Corporation) launched the PrivacyMark system in April 1998. Applications from private enterprises are assessed by JIPDEC or one of 19 designated assessment bodies. There were 1,380 registered assessors (391 lead assessors, 282 assessors and 707 provisional assessors) as at 1st April, 2022. There are three assessor training bodies. The number of registered entities has been increasing year by year, and as at 10th May, 2023, the number of PrivacyMark Entities is 17,447.
    Keywords: privacy; data protection; PrivacyMark; JIS Q 15001; JIPDEC; granting body; designated assessment bodies; assessors

  • Pilot project lighthouse: A proposed GDPR compliant methodology for analysing special categories of personal data
    Collin R. Walke, Estill Hall

    The General Data Protection Regulation (GDPR) is designed, in part, to prevent discrimination in algorithmic decision making. However, the GDPR's requirements, as well as EU member states' implementing laws, often make testing for bias using special categories of data, such as race, either impractical or impossible. This paper argues that the pilot project lighthouse methodology is a GDPR compliant method for bias-testing special categories of data in algorithms. This paper finds that the pilot project lighthouse methodology is permissible in the majority of EU member states and argues that to the extent pilot project lighthouse methodology would be prohibited by either the GDPR or an individual member state's implementing laws, the same are contrary to the letter and intent of the GDPR.
    Keywords: General Data Protection Regulation (GDPR); algorithmic bias; EU; special categories of data

  • What is left of consent when it is deemed consent: A data protection experiment in India
    Indranath Gupta and Paarth Naithani, Jindal Global Law School

    Recently, the latest draft data protection legislation in India, the Digital Personal Data Protection Bill, 2022, introduced the concept of deemed consent. Among other situations, consent can be deemed to be given through voluntary participation rather than an express statement. This paper positions deemed consent by situating it in recent discussions around consent. Deemed consent, as it stands, sits uncomfortably within the data protection rubric. The paper suggests that the proposed structure of deemed consent in India needs alteration and may be adequately amended with effective learning emanating from jurisdictions like the UK, Canada and Singapore.
    Keywords: deemed consent; consent; data protection; India; Digital Personal Data Protection Bill; Personal Data Protection Bill

  • Ethics is nothing other than reverence for life . . . and data
    Sascha Francis Schneider, Alight Solutions

    Ethics may be, by far, the most overlooked aspect of data protection programmes, and not because people do not consider ‘being ethical’ important when processing data but because the regulator does not require processing to be ethical and omits its presence in data protection and privacy regulations, keeping this to non-binding guidance or general recommendations. Not surprising considering that it is neither actively taught to legal professionals during law school, nor explicitly detailed in the applicable codes of conduct. When referring to ethical or moral behaviour in a legal framework, religious morals and ethics should be avoided and instead it should be linked to present-day society and the world that surrounds us, taking into consideration modern practices and technologies that each and every one of us is confronted with on a daily basis, plus the fact that this technology is yet to be further evolved. This paper focuses on just a couple of those modern scenarios where ethics should be a key component when it relates to data processing yet is somehow overlooked. When thinking of marketing practices, the days of the salesperson knocking on our doors are long gone, and everything is virtual now. No matter where you go on the Internet, you are confronted with banners and pop-ups, never-ending sections which ask you about your date of birth, your address, or the last time you enjoyed a hot coffee. Sometimes one does not even realise how much data is requested or how one can suddenly feel bad about not providing certain information. Whereas the salesperson knocking on your door talked you into buying stuff you did not need, marketing these days has taken another approach to sell you something, which consists of collecting considerable amounts of data from individuals, exploiting social engineering procedures and thereby manipulating the individual's actual will.
    In EU legislation, under the GDPR, ‘consent’ must be ‘freely given, specific, informed and unambiguous’, but it is not established how this consent may be induced or collected, leading to obscure practices that would be against that ‘free’ will and are commonly known as ‘dark patterns’. Ethics is not widely considered, legislatively speaking, to generally protect data, but there is one area in which ethics is not only considered but also made a key component and a fundamental aspect to take into account: artificial intelligence (AI). Certain principles are expected to be introduced into any AI system for it to be deemed trustworthy, and from the field of AI, and its focus on ethics, it is possible to learn how to improve, not only automated interactions with a machine, but also how to protect data in general.
    Keywords: ethics; consent; GDPR; dark patterns; AI

  • Book reviews
    Handbook on Crime and Technology
    Don Hummer and James M. Byrne (eds)

    California Privacy Law: Practical Guide and Commentary: US Federal and California Law, Fifth Edition
    Lothar Determann

    The Fight for Privacy: Protecting Dignity, Identity and Love in the Digital Age
    Danielle Keats Citron

    Regulating Social Network Sites: Data Protection, Copyright and Power
    Asma Vranaki

    Reviewed by Ardi Kolah, Founding Editor-in-Chief, Journal of Data Protection & Privacy