Skip to main content
Fachgebiete
Automobil + Motoren Bauwesen + Immobilien Business IT + Informatik Elektrotechnik + Elektronik Energie + Nachhaltigkeit Finance + Banking Management + Führung Marketing + Vertrieb Maschinenbau + Werkstoffe Versicherung + Risiko
DE
EN
Bücher
Zeitschriften
Themenseiten
Organisationspsychologie Projektmanagement Marketing Smart Manufacturing
Weitere Formate
Podcasts Webinare Technik Webinare Wirtschaft Kongresse Veranstaltungskalender Awards
Jetzt Einzelzugang starten
Zugang für Unternehmen
Referenzkunden
SLX-Digitalkonferenz: Zukunftswerkstatt 2024

Mehr Umsatz mit Top-Kontakten

Am 7. Mai erfahren Sie, wie Vertriebsteams Leadgenerierung, Leadnurturing und Leadstrategien effizient steuern können.
Erweiterte Suche
Anmelden
nach oben
Erschienen in:
The GDPR: New Horizons Kapitel lesen Erstes Kapitel lesen

2017 | OriginalPaper | Buchkapitel

2. The General Data Protection Regulation: A Law for the Digital Age?

verfasst von : Lilian Mitrou

Erschienen in: EU Internet Law

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config
loading …

Abstract

In 2016, the General Data Protection Regulation has opened a new chapter for the protection of informational privacy in Europe. More than a simple revision of the Data Protection Directive (1995) and less than a regulatory paradigm shift, the Regulation attempts to keep path with technological and socio-economic changes while guaranteeing the persons’ fundamental rights and enabling the control over their data. This contribution aims at examining whether this reform deals adequately with the challenges of the digital era.
The analysis gives an overview of the new framework, its background and goals, focusing on some issues that are Internet relevant. In this respect, we discuss the provisions regarding the extended material and territorial scope of the Regulation and the implementation issues that may arise. We also addressed the consent and the way the European legislator tries to foster it as a legal ground of data processing and core manifestation of the right to protection of personal data. Further, we examine the new rights (right to be forgotten, right to data portability) that are introduced in the data protection law to reinforce the individuals’ rights as digital users. By assessing the new framework, we conclude that the changes introduced in combination with innovative regulatory elements, such as privacy by design or data protection impact assessments, constitute an important improvement in the sustaining and maturing of data protection law and may serve to respond to face technological challenges and mitigate risks.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

Jetzt informieren
Vorheriges Kapitel The GDPR: New Horizons
Nächstes Kapitel Developing a Right to be Forgotten
Fußnoten
1
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281/31). In this text we refer to this Directive as Directive 95/46/EC to avoid the confusion with “Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA” (Directive).
 
2
Robinson et al. (2009), pp. 6 f., 22 f.
 
3
“Never before hence the behaviour of individuals was so closely observed and recorded, the attempts to expand the use of the data collected so persistent, the proliferation of ever more detailed personal profiles so intensive”. See Simitis (1999), p. 5ff.
 
4
About the notion of “omniveillance” see Blackman (2009), p. 313 ff.
 
5
Skouma and Léonard (2015), p. 35f.
 
6
Froomkin (2000), p. 1486.
 
7
Regarding the definition and notion of personal data according to EU law see Article 29 Data Protection Working Party (hereafter Article 29 Working Party), Opinion 4/2007.
 
8
Data aggregation is understood as any process in which information is gathered from various sources and expressed in a summary form.
 
9
Data mining is understood as the automated processing of digital materials, which may include texts, data, sounds, images or other elements, or a combination of these, to uncover new knowledge or insights.
 
10
The General Data Protection Regulation (EU) 2016/679/EU (hereafter GDPR or Regulation) includes a definition of profiling in Article 4(4) that states that profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
 
11
This practice is characterized as “behavioral tracking” that leads to “behavioral/targeted advertising”. See Hotaling (2008), p. 529ff; Skouma and Léonard (2015), p. 37f.
 
12
See Nevrla (2010), p. 5ff.
 
13
Tokunaga (2011), pp. 705–713.
 
14
Whitaker (1999), p. 139ff.
 
15
See Kandias et al. (2013), pp. 1ff.
 
16
Andrejevic (2002), p. 481 ff.
 
17
Castelluccia et al. (2011), p. 17; Gritzalis et al. (2014), p. 283ff.
 
18
Kandias et al. (2013), p. 229ff.
 
19
As noted in Recital 7 of the GDPR.
 
20
About data mining for purposes of predicting public opinion and attitudes, see Sobkowicz et al. (2012), p. 470ff.
 
21
Rubinstein (2012), p. 3ff.
 
22
See Simitis (2014), p. 82 ff. 134 ff.
 
23
See Kiss and Szoke (2014), p. 311 ff.
 
24
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ L.
 
25
See Warso (2013), p. 496ff., who dealt with the question of whether the proposal for a GDPR meets the criteria of a new generation of regulation.
 
26
Article 29 Working Party, Opinion 4/2007, p. 12f.
 
27
As noted by Synodinou and co-authors (2016), p. 66 ff.
 
28
Working Party Opinion 4/2007, p.11. See also Article 29 Working Party, Opinion 5/2014, p. 8f.
 
29
European Network and Information Security Agency - ENISA-(2012a), p. 1.
 
30
See van Eecke and Truyens (2010), pp. 536, 540 with reference to “Rome memorandum” of the International Working Group on Data Protection in Telecommunications, 4 March 2008.
 
31
Wong and Savirimuthu (2007), p. 242ff.
 
32
See Xanthoulis (2013), p. 139.
 
33
See Kotschy (2014), p. 277.
 
34
CJEU, Bodil Lindqvist Case C-101/01, Judgment of 6 November 2003.
 
35
Dammann and Simitis noted that an extended data processing might be an evidence to suggest that processing involves professional activities. See Dammann and Simitis (1996), p. 123f.
 
36
See Xanthoulis (2013), p. 139ff who points out that the CJEU has not drawn the line between public and private purposes. See also Wong and Savirimuthu (2007), p.256.
 
37
Working Party, Opinion 5/2009 on online social networking (Opinion 5/2009).
 
38
See Kosta et al. (2010), p. 197.
 
39
European Digital Rights (EDRi): Position on the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (2013) p. 6.
 
40
Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)—Brussels, 25.1.2012 COM (2012) 11 final.
 
41
According to the so-called General Approach of the EU Member States, reached in June 2015, exempted should be personal and household activities without any reference to “exclusively” in the text of the provision. However, in Recital (15) of the General Approach it was proposed to clarify that personal and household activities include social networking and on-line activity undertaken within the context of such personal and household activities.
 
42
See Van Eecke and Truyens (2010), pp. 536, 540.
 
43
See Warso (2013), p. 492; See also Xanthoulis (2013), p. 138.
 
44
At least before, it became frequently used and popular as a mass information and communication medium.
 
45
See Baño Fos (2014), p. 19f. In its initial proposal, concerning Directive 95/46/EC the Commission identified the location of the data file as a primary determining factor but in the course of discussion within European Parliament and the Council of the EU, there was a shift, from the criterion of the location of the file, to the criterion of the establishment of the controller.
 
46
CJEU, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González C-131/12, Judgment of 13 May 2014.
 
47
See Article 29 Working Party, Update of Opinion 8/2010 (2015).
 
48
See de Terwangne and Louveaux (1997), p. 237f.
 
49
Working Party, Opinion 8/2010, p. 8.
 
50
See Ross (2001); See also Goldsmith and Wu (2008).
 
51
See the comments of the US Council for International Business for the Review of the EU Data Protection Directive. It affirmed the position that the Article 29 Working Party’s assertion as to the jurisdictional reach of the Directive 95/46/EC on the Internet is unwarranted and contrary to international law and jurisprudence. http://​ec.​europa.​eu/​justice_​home/​fsj/​privacy/​docs/​lawreport/​paper/​uscib_​en.​pdf.
 
52
See the dispute between Google and the Article 29 Working Party regarding whether its data processing in Europe is subject to EU data protection law.
 
53
The Article 29 Working Party, while defending the extraterritoriality of EU data protection law against accusations, pointed to the fact that also “in other countries, for example in the United States of America, courts and laws apply similar reasoning in order to subject foreign websites to local rules”. See Working document (WP 56) (2002) p. 4.
 
54
In addition, Kuner (2010b), p. 229, who notes that the text of the Directive 95/46/EC is of little help in determining the meaning of “equipment”, and the Explanatory Memorandum gives only “‘terminals, questionnaires, etc.” as examples, which hardly provides much guidance.
 
55
See Dammann and Simitis (1996), p. 129. Directive 95/46/EC does not attach any relevance to the ownership of any equipment. According to Article 29 Working Party, it is not necessary that the controller exercise full control over the equipment. The crucial criterion is making the relevant decisions concerning the substance of the data and the procedure of their processing. See also Article 29 Working Party document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites (WP 56) (2002) p. 6f.
 
56
Article 29 Working Party, WP 56, p. 9f.
 
57
Cookies are text files installed on the hard drive of a computer, which receive, store and send back information to a server situated in another country, while a copy may be kept by the website. Cookies are small text files sent automatically by many Internet servers to users who access web pages, and are generally used to authenticate users. The European legislator attempted to regulate and restrict the use of cookies, regarded as “spyware” with the provisions of the e-Privacy Directive (2002/58/EC) and Directive 2009/136/EC that amended provisions of e-Privacy Directive.
 
58
Java Scripts are software applications sent by a web site to the computer of a user and allow remote servers to run applications on a user PC.
 
59
Defined by the Article 29 Working Party as pieces of software secretly installed on a computer, for instance at the occasion of the downloading of bigger software (e.g. a music player software) to send back personal information related to the data subject (e.g. the music titles the individual tends to listen to), Article 29 Working Party, WP 56, p. 12.
 
60
Article 29 Working Party, WP56, p. 9.
 
61
See Kuczerawy (2010), p. 80. See also Kuner (2010b), p. 9, who underlines that, with regard to data protection legislation, most protest does not come from states upset by other states’ or the EU’s extraterritorial actors, but from the data controllers themselves who are subject to extraterritorial regulation.
 
62
Ryngaert (2015a), p. 221 notes that “unbounded extraterritoriality, however, has serious adverse consequences for both businesses and states as it might increase transaction costs while vigorous assertions of extraterritorial jurisdiction could cause international competency conflicts between different states”.
 
63
Svantesson (2013a), p. 53 ff. identifies a causality between data protection’s evolution from economic necessity to autonomous, fundamental right and the EU’s territorial extension of its law to safeguard this right.
 
64
See Milanovic (2015), p. 134, citing the Judgment of ECHR Huvig v. France App No. 11105/84, 24 April 1990.
 
65
See Taylor (2015), p. 251 ff.
 
66
See Ryngaert (2015b), p. 187. See also Svantesson (2007) p. 244f.
 
67
See Hustinx (2014), p. 37, 42.
 
68
As well as to the processing by a controller or a processor not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.
 
69
See Svantesson (2013a), p. 58.
 
70
See Svantesson (2007), p. 87 with reference to Gerber (1984), p. 190.
 
71
Various authors who underline that in this case jurisdiction becomes open-ended have criticized the effects doctrine, as in principle all countries have a link to all websites by virtue of their accessibility and because in a globalized economy, everything has an effect on everything. See Kuner (2010a), p. 190 and Schultz (2008), p. 815.
 
72
Skouma and Léonard (2015), p. 52; argue that the on-line tracking was one of the key factors that was considered to decide on the need of legislative reshuffling.
 
73
ENISA (2012b), p. 3.
 
74
Without any direct reference to the process and methods. Hildebrandt (2009), p. 275, defines profiling as the process of discovering patterns in data that can be used to identify or represent a human or nonhuman subject (individual or group) and/or the application of profiles (sets of correlated data) to individuate and represent an individual subject or to identify a subject as a member of a group (which can be an existing community or a discovered category).
 
75
Article 4 (4) of the GDPR defines profiling as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning a natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. This definition corresponds to that of Recommendation (2010)13 on the protection of individuals with regard to automatic processing of personal data in the context of profiling of the Council of Europe that focuses on the creation or use of profiles to evaluate, analyze or predict personal aspects such as performance at work, economic situation, health, personal preferences, or interests, reliability or behavior, location or movements.
 
76
See Borgesius (2016), p. 267, who suggests that people who expect being monitored might hesitate to read about diseases, politics, or other topics.
 
77
See Voss (2012), p. 17.
 
78
Svantesson (2013b), p. 279.
 
79
Kuner (2010b), p. 236.
 
80
See de Hert, et al. (2013), p. 142.
 
81
Albrecht (2015), p. 119, MEP and Rapporteur of the European Parliament for General Data Protection Regulation notes that “(t)he new EU law could bestow great benefits, particularly on users of Facebook and Google or smartphone owners, because up to now, they have in practice enjoyed hardly any protection”.
 
82
See Ryngaert (2015b), p. 187.
 
83
See Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Safeguarding Privacy in a Connected World—A European Data Protection Framework for the 21st Century, [COM (2012) 9 final—25.01.2012] with reference to the findings of Special Eurobarometer 359—Attitudes on Data Protection and Electronic Identity in the European Union, June 2011, p. 23.
 
84
Also in USA, consent has been for several decades the key principle of information privacy protection. See Schwartz and Solove (2009).
 
85
With regard to informational self- determination see Simitis (2014), pp. 92 f. but also the contractual-property approach of privacy relies on interactions between individuals and data controllers to determine appropriate collection and use of data thus accommodating the significance of consent as a factor to generate and maintain appropriate norms for information privacy. See Mitrou (2009), pp. 471 ff.
 
86
Article 8(2) of the Charter states that personal data can be processed “on the basis of the consent of the person concerned or some other legitimate basis laid down by law”. Two decades before (1981), Article 5§2 of the Convention 108 of the Council of Europe, stated that data processing may be carried out only based on free, specific, informed and unambiguous consent of the data subject or some other legitimate basis the law provides.
 
87
Article 29 Working Party, Opinion 15/2011, p. 3.
 
88
One issue is that the definition in Article 2 (h) of the Directive 95/46/EC did not include a reference to the requirement of unambiguity.
 
89
Article 29 Working Party, Opinion 15/2011, p. 37.
 
90
Article 29 Working Party, Opinion 15/2011 p. 10, notes that, beyond these elements, information to be given will also depend on when, and the circumstances in which, consent has been requested.
 
91
See Ciocchetti (2008), p. 7.
 
92
See Carolan (2016), p. 472.
 
93
See Schwartz (2000), p. 341 f.
 
94
Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM (2010) 609 final.
 
95
Skouma and Léonard (2015), p. 52.
 
96
The—principally prohibited—processing of special categories of personal data remains subject to explicit consent of the data subject (Article 9 par. 2 (a) of the GDPR). Because of the practical difficulties with regard to the definition of explicit consent and the proof of obtaining the consent, several Member States adopted, under the regime of Directive 95/46/EC, the solution of “written consent” in relation to the processing of “sensitive data”. See Van Alsenoy, et al. (2014), pp. 195–196.
 
97
This provision is consistent with the conditions set forth in the e-Privacy Directive (Article 5 par. 3 of Directive 2002/58/EC as amended by Directive 2009/136/EC) with regard to “cookies’ installation consent” that requests an affirmative action of the on-line user (through clicking on an “I accept” or “ok” box on a website banner or by use of another technique) before installing the tracking application.
 
98
See Johnson (2009), p. 105.
 
99
The GDPR provides for an exception with regard to the processing for scientific research purposes as it was accepted that is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. In this case, the data subject’s consenting statement may refer to areas of specific research (Recital 33).
 
100
As Skouma and Leonard note (Skouma and Léonard 2015, p. 55), companies deploying on-line tools on their websites will have to promote solutions explicitly supporting an “action” and change the content and level of detail in the majority of the privacy notices and statements, instead of the very general and all-inclusive language to describe on-line tracking activities, that they mostly use.
 
101
See Carolan (2016), p. 468.
 
102
European Data Protection Supervisor, Opinion 8/2016 on coherent enforcement of fundamental rights in the age of Big Data, 2016, p. 13.
 
103
See McDonald and Cranor (2008). See also Beales and Muris (2008), pp. 114–115.
 
104
See Van Alsenoy et al. (2014), p. 189.
 
105
It is the so called “privacy paradox” firstly defined as such by Barnes (2006). See also Gross and Acquisti (2005), p. 71ff.
 
106
Groom and Calo (2011), p. 16ff. See also Young and Quan-Haase (2013), pp. 487 ff.
 
107
See Hollenbaugh and Ferris (2014), pp. 50 ff.; Rouvroy (2016), p. 21, Rouvroy is referring to the “choice architecture” built by players whose interests do not coincide with those of the user; Carolan (2016), p. 472.
 
108
See Carolan (2016), p. 472. See also Li et al. (2011), p. 434 f.
 
109
See Groom and Calo (2011), p. 9. See also Taddicken (2014), p. 248ff.
 
110
Carolan (2016), p. 469.
 
111
See van Alsenoy et al. (2014), p. 189.
 
112
Noain Sanchez (2016), p. 134 f.
 
113
International Working Group on Data Protection in Telecommunications (2014), p. 3.
 
114
See Mantelero (2014), p. 652.
 
115
See Van Alsenoy et al. (2014), p. 190.
 
116
Freedom of alienation is the paramount characteristic of liberal property rights. The argumentation relies on the choice of individuals: “if they (the consumers) choose not to (prefer dignity), that is evidence that they do not want it in the first place”. See Kang and Buchner (2004), p. 231.
 
117
See Mitrou (2009), p. 477 f.
 
118
Mantelero (2014), p. 652.
 
119
See Calo (2013), p. 1027f.
 
120
See Carolan (2016), p. 473.
 
121
See Van Alsenoy et al. (2014), p. 192.
 
122
See Noain Sanchez (2016), p. 136.
 
123
This participation may take the form of exercising the rights granted by the Charter and the GDPR to the data subject as the right to delete/erasure, the right to be forgotten or the right to object.
 
124
See Cranor (2012), p. 304ff.
 
125
Piskopani and Mitrou (2009).
 
126
See Rouvroy (2016), p. 7 who refers to the inertia that occurs when erasing our “digital footprint” demands an effort whose rewards are not certain or clear”.
 
127
Article 29 Working Group Opinion 5/2009 p. 7ff.
 
128
See Noain Sanchez (2016), p. 130.
 
129
See Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Safeguarding Privacy in a Connected World -A European Data Protection Framework for the 21st Century, (25.01.2012) COM (2012), p. 6.
 
130
Expressed at first by Westin (1967), who defended the right of persons “to determine for themselves when, how, and to what extent information about them is communicated to others”. An approach that has been adopted also on European level with the German Federal Constitutional Court affirming in 1983 (Census case) the right to informational self-determination.
 
131
With regard to this right see Ausloos (2012), De Terwangne (2012).
 
132
Or correcting the ‘(un)forgetfulness’ deficiency of the web ‘brain’. See Markou (2015), p. 204. Markou seems to share the assessment of Ambrose and Ausloos who casts doubts on the idea of permanently available information. See Ambrose and Ausloos (2013), p. 3.
 
133
See Solove (2007), p. 32, 37, 49.
 
134
De Terwangne (2012), p. 112.
 
135
Also, Ambrose and Ausloos (2013) p. 3 that underline that in our age “you are what Google says you are”.
 
136
Mitrou and Karyda (2012), p. 9.
 
137
Novotny and Spiekermann (2014), p. 1.
 
138
de Hert et al. (2013), p. 135.
 
139
Moreover, it relates and applies to everyone and not just to convicted criminals who may object to the publication of the facts of their conviction once they have served their sentence.
 
140
Rees and Heywood (2014), p. 577.
 
141
See Iglezakis (2014), p. 2.
 
142
See the comments of Hustinx (2014), p. 31. The former European Data Protection Supervisor points out that the CJEU in case Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González goes in the same direction at 73–74, 88, 93–94 and 98–99. This was the approach of the European Commission as expressed in the Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union” COM (2010) 609 final, p. 8.
 
143
Schwartz (2013), p. 1995.
 
144
Bartolini and Siry (2016), p. 229.
 
145
It is interesting to note that data controllers are no more required to take “all reasonable steps” but simply “reasonable steps”. Another significant change is that the expiration of the retention period consented is no more included in the legal grounds that may result to data erasure on request of the data subject while the requirement to abstain from further disseminating of erased data has also been deleted.
 
146
Cuijpers et al. (2014), p. 11.
 
147
Ibid, p. 11.
 
148
Bartolini and Siry (2016), p. 232.
 
149
Bartolini and Siry (Ibid, p. 231) point out that tracking of bounces is already a reality in several cases as major Internet services tend not to replicate shared content from an external source, but rather to create a link to it and keep track of the link (this is also more sustainable in terms of storage and performance). In the case of erasure of the original resource, all links would be invalidated, thus actually achieving the erasure. They propose a combination of the “distributed model” (keeping track of all links that reference a given content) with the “centralized model” (every dissemination of the data is simply a reference to the original data; invalidating the originally published data makes every copy inaccessible) will enable the enforcement of the respective provision.
 
150
It has to be clarified that this assessment of ENISA referred to the initial GDPR Proposal where the provision regarding the right to be forgotten was more ambitious. See ENISA (2012b), p. 2.
 
151
With the introduction of this new right, the European legislator aimed at strengthening, furthermore, the control (of the data subject) over his or her own data. See Recital 68 of GDPR.
 
152
Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data COM (2012) 11 final, p. 9.
 
153
This aspect of the right to data portability consists in allowing the data subjects to get a copy of the data for their proper use. As noted by Cuijpers et al. (2014), p. 11. whether this copy can be used on another platform is left on the provider’s discretion to invoke proprietary rights.
 
154
This was the approach of the European Parliament that amended the Commission’s Proposal by merging the right to data portability with the right of access.
 
155
See de Hert and Papakonstantinou (2016), p. 189f. Also, Costa and Poullet (2012), p. 527.
 
156
There was an explicit reference in the (initial) recital 55 (“from one application, such as a social network, to another one”), a reference that does not appear in the final text of Recital 68.
 
157
Impact Assessment Report—Commission Staff Working Paper—Impact Assessment accompanying the General Data Protection Regulation and the Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, and the free movement of such data SEC (2012) 72 final, p. 28.
 
158
The applicability to cases of offline data processing has been from the beginning of drafting excluded.
 
159
Graef et al. (2013), p. 4.
 
160
Τhis restriction of the right has been criticized. See Cuijpers et al. (2014), p. 12. Further, the European Data Protection Supervisor suggested that the right of the data subject to data portability should be extended to all cases of processing of personal data [Opinion on the data protection reform package (2012), para. 151].
 
161
Cuijpers et al. (2014), p. 12.
 
162
Machine-readable data is data (or metadata), which is in a format that can be understood by a computer. There are two types; human-readable data that is marked up so that it can also be read by machines (microformats, RDFa) or data file formats intended principally for processing by machines (RDF, XML, JSON).
 
163
The use of these terms has been criticized and some authors expressed their concerns regarding the scope of application of this rule. See Graef et al. (2013), p. 4. See also Engels (2016), p. 150. It is the author’s opinion that these terms have to be principally interpreted with respect to the—current ‘state of the art”.
 
164
Swire and Lagos (2013), p. 346.
 
165
Article 29 Working Party, Opinion 8/2014, p. 20.
 
166
As noted by de Hert and Papakonstantinou (2016), p. 189 “internet social networks operate for the time-being as closed gardens for their users”, while Graef et al. (2013), p. 6 underline that social network providers do not allow third-party sites to directly acquire the user’s information resulting to a kind of lock-in, as in practice, users thus have to manually re-enter their profile information, photos, videos and other information in the new platform if they want to switch from one social network to another.
 
167
de Hert and Papakonstantinou (2016), p. 190 note that data portability is expected to affect in many and important ways the internet social networks market.
 
168
Ibid p. 180.
 
169
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA”.
 
170
Albrecht (2015), p. 129.
 
171
Koops (2014), p. 250. See also Irion and Luchetta (2013), p. 63.
 
172
The distinction seems to be more pragmatic and based on a case-by-case evaluation. See Cuijpers, et al. (2014), p. 6.
 
173
While under Directive 95/46/EC the processor is referred to solely in the provisions concerning definitions and data security measures, the GDPR establishes directly processor-specific obligations or “joint obligations” that refer both to controllers and processors (privacy by design, privacy impact assessment). This will enhance the position of data subjects and is positive regarding liability and accountability.
 
174
Concerns have been expressed regarding the difficulty in determining the roles of controllers and processors particularly in the context of cloud computing.
 
175
What is relevant is the factual influence on data processing. Furthermore, and especially in the context of cloud computing, processors are of significant importance. See Article 29 Working Party, Opinion 1/2010 and Οpinion 5/2012.
 
176
The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. (Recital 117). In comparison to Directive 95/46/EC the monitoring and compliance ensuring powers are tightened while the cooperation between DPAs has also been improved.
 
177
Blume (2014), p. 2, criticizes the choice to insist on imposing obligation to controllers instead of giving a leading role to data subjects while other authors indicate that the GDPR is based on false assumptions or “fallacies”. See Koops (2014), p. 256.
 
178
Such as the obligation provided in Article 17(2) with regard to the right to be forgotten or the obligation to carry out a data protection impact assessment (Article. 35 (1)).
 
179
Criticism has also been expressed with regard to the adequacy of location focused approach of the GDPR to solve the complexities in applying the transborder flow rules in operations of Internet enabled technologies such as cloud computing and the respective cloud transactions. Nwankwo (2014), p. 36. This criticism underestimates, however, the impact of the provisions concerning the territorial scope on the cloud computing relationships and transactions.
 
180
Α main concern is that the framework applies linear protection concepts to a world of ubiquitous and distributed personal data processing. Irion and Luchetta (2013), p. 53.
 
181
With the GDPR, the European legislator adheres explicitly to the technological neutrality approach as Recital 15 cites that the protection of natural persons should be technologically neutral and should not depend on the techniques used.
 
182
As stated in a Commission’s Communication, in 1999, technological neutrality means that “legislation should define the objectives to be achieved, and should neither impose, nor discriminate in favor of, the use of a particular type of technology to achieve those objectives”. Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, Towards a new Framework for Electronic Communications Infrastructure and Associated Services: the 1999 Communications Review COM (1999) 539 final, p. 14.
 
183
Hildebrandt and Tielemans (2013), p. 510.
 
184
Koops (2006), pp. 1., 21.
 
185
Ali (2009), p. 9, points out that technological neutrality of the law may result in regulations whose meaning is so vague that its application to the technology is often a matter of guesswork.
 
186
Although, as noted by Kiss and Szoke (2014), p. 328, the unprecedented lobby activities of different organizations show that many organizations also consider the proposed changes as a revolution in data protection legislation.
 
187
See the assessment of Albrecht (2015), p. 137.
 
188
Blume (2014), p. 5.
 
189
About the risk of the multitude of supervisory and enforcement tasks see Mitrou (1993), p. 273.
 
190
Skouma and Léonard (2015), p. 56.
 
Literatur
Albrecht J (2015) Hands off our data. The Greens-EFA, p 191
Ali R (2009) Technological neutrality. Lex Electronica 14(2)
Ambrose ML, Ausloos J (2013) The right to be forgotten across the pond. J Inform Policy 3:1–23CrossRef
Andrejevic M (2002) The work of watching one another: Lateral surveillance, risk, and governance. Surveillance & Society” People Watching People”
Bartolini C, Siry L (2016) The right to be forgotten in the light of the consent of the data subject. Comput Law Secur Rev 32(2):218–237
Blackman J (2009) Omniveillance, google, privacy in public and the right to your digital identity: a tort for recording and disseminating an individual’s image over the internet. Santa Clara Law Rev 49:313 ff
Blume P (2014) The myths pertaining to the proposed General Data Protection Regulation. International Data Privacy Law, ipu017
Borgesius FJZ (2016) Singling out people without knowing their names–behavioural targeting, pseudonymous data, and the new data protection regulation. Comput Law Secur Rev 32(2):256–271CrossRef
Carolan E (2016) The continuing problems with online consent under the EU’s emerging data protection principles. Comput Law Secur Rev 32(3):462–473CrossRef
Castelluccia C, Druschel P, Hübner S, Pasic A, Preneel B, Tschofenig H (2011) Privacy, accountability and Trust-Challenges and opportunities. ENISA. [Online]. Available via http://​www.​enisa.​europa.​eu
Ciocchetti C (2008) Just click submit: the collection, dissemination and tagging of personally identifying information. Vanderbilt J Entertain Technol Law 10(Spring):553–642
Costa L, Poullet Y (2012) Privacy and the regulation of 2012. Comput Law Secur Rev 28(3):254–262CrossRef
Cranor LF (2012) Necessary but not sufficient: Standardized mechanisms for privacy notice and choice. J Telecomm High Technol Law 10:273–308
Cuijpers C, Purtova N, Kosta E (2014) Data protection reform and the internet: the draft data protection regulation. Forthcoming In: Savin A, Trzaskowski J (eds) Research handbook on EU internet law. Edward Elgar 2014 Tilburg Law School Research Paper No. 03/2014. Available at SSRN: https://​ssrn.​com/​abstract=​2373683
Dammann U, Simitis S (1996) EG-Datenschutzrichtlinie, Kommentar, Nomos Verlag, p 341
de Hert P, Papakonstantinou V, Wright D, Gutwirth S (2013) The proposed Regulation and the construction of a principles-driven system for individual data protection. Innov Eur J Soc Sci Res 26(1-2):133–144CrossRef
de Hert P, Papakonstantinou V (2016) The new general data protection regulation: still a sound system for the protection of individuals? Comput Law Secur Rev (2):179–194
de Terwangne C, Louveaux S (1997) Data protection and online networks. Comput Law Secur Rev 13(4):234–246CrossRef
de Terwangne C (2012) Internet privacy and the right to be forgotten/right to oblivion. In: VII international conference on internet, law & politics. Net neutrality and other challenges for the future of the internet. IDP. Revista de Internet, Derecho y Política. No.13, pp 109–121
Engels B (2016) Data Portability and Online Platforms - The Effects on Competition [Extended Abstract]. In: 29th Bled eConference- Digital Economy, Bled, Slovenia, 19–22 June, 2016
European Data Protection Supervisor (2016) Opinion 8/2016 on coherent enforcement of fundamental rights in the age of Big Data, 2016
Froomkin MA (2000) The death of privacy? Stanford Law Rev 52:1461–1543CrossRef
Gerber D (1984) Beyond balancing – international law restrains on the reach of national laws. Yale J Int Law 10:190
Goldsmith J, Wu T (2008) Who controls the internet? illusions of a borderless world. Oxford University Press, Oxford
Gritzalis D, Kandias M, Stavrou V, Mitrou L (2014) The social media in the history of information: privacy violations and security mechanisms. In: Proceedings of the History of Information Conference, pp 283–310
Gross R, Acquisti A (2005) Information revelation and privacy in online social networks. In: Proceedings of the 2005 ACM workshop on Privacy in the electronic society. ACM, 2005. pp 71–80
Hildebrandt M (2009) Profiling and AmI. In: Rannenberg K, Royer D, Deuker A (eds) The Future of Identity in the Information Society. Springer, Berlin, Heidelberg, pp 273–310
Hildebrandt M, Tielemans L (2013) Data protection by design and technology neutral law. Comput Law Secur Rev 29(5):509–521CrossRef
Hollenbaugh EE, Ferris AL (2014) Facebook self-disclosure: examining the role of traits, social cohesion, and motives. Comput Hum Behav 30:50–58CrossRef
Hotaling A (2008) Protecting personally identifiable information on the internet: notice and consent in the age of behavioral targeting. Commlaw Conspec 16:529–565
Hustinx P EDPS (2014) EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation
Iglezakis I, Mitrou L, Jougleux P, Synodinou T (2016) The legal regulation of cyberattacks. Kluwer, Netherlands, p 229
Johnson D (2009) Computer ethics. Pearson, Upper Saddle River, p 216
Kandias M, Galbogini K, Mitrou L, Gritzalis D (2013) Insiders trapped in the mirror reveal themselves in social media. In: International Conference on Network and System Security, Springer Berlin Heidelberg, pp 220–235
Kiss A, Szoke GL (2014) Evolution or revolution? Steps forward to a new generation of data protection regulation. In: Gutwirth S, Leenes R, de Hert P (eds) Reforming European data protection law. Springer, Netherlands, pp 311–331
Koops BJ (2014) The trouble with European data protection law. Int Data Priv Law 4(4):250–261CrossRef
Koops BJ (2006) Should ICT regulation be technology-neutral? In: Koops B-J, Lips M, Prins C, Schellekens M (eds) Starting points for ICT regulation. Deconstructing prevalent policy one-liners, it & law series. T.M.C. Asser Press, The Hague, pp 77–108. Available via https://​ssrn.​com/​abstract=​918746
Kosta E, Kalloniatis C, Mitrou L, Gritzalis S (2010) Data protection issuespertaining to social networking under EU law, transforming government: people. Process Policy 4(2):193–201
Kotschy W (2014) The proposal for a new general data protection regulation—problems solved? Int Data Priv Law 4(4):274–281CrossRef
Kuner C (2010b) Data protection law and international jurisdiction on the internet (Part 1). Int J Law Inform Technol 18:176–193CrossRef
Kuczerawy A (2010) Facebook and its EU users – Applicability of the EU data protection law to US based SNS. In: Bezzi M et al (eds) Privacy and identity. IFIP AICT, Vol 320, pp 75–85
Li H, Sarathy R, Xu H (2011) The role of affect and cognition on online consumers’ decision to disclose personal information to unfamiliar online vendors. Decis Support Syst 51(3):434–445CrossRef
Mantelero A (2014) The future of consumer data protection in the EU Re-thinking the “notice and consent” paradigm in the new era of predictive analytics. Comput Law Secur Rev 30(6):643–660CrossRef
Markou C (2015) The right to be forgotten: ten reasons why it should be forgotten. In: Gutwirth S et al (eds) Reforming European data protection law. Springer, Netherlands, pp 203–226
McDonald AM, Cranor LF (2008) Cost of reading privacy policies. J Law Policy Inform Soc 4:540–565
Milanovic M (2015) Human rights treaties and foreign surveillance: privacy in the digital age. Harv Int Law J 56:81–146
Mitrou L, Karyda M (2012) EU’s data protection reform and the right to be forgotten: a legal response to a technological challenge?. Paper presented at the 5th International Conference of Information Law and Ethics, Corfu-Greece, 29–30 June 2012. Available via https://​ssrn.​com/​abstract=​2165245
Mitrou L (2009) The commodification of the individual in the internet era: informational self-determination or “Self-alienation”? In: Proceedings of 8th international conference of computer ethics philosophical enquiry - CEPE 2009, pp 466–484
Mitrou E (1993) Die Entwicklung der institutionellen Kontrolle des Datenschutzes: Kontrollmodelle und Kontrollinstanzen in der Bundesrepublik und in Frankreich. Nomos Verlag, p 296
Nevrla J (2010) Voluntary surveillance: privacy, identity and the rise of social panopticism in the twenty-first century. In: Commentary - The UNH Journal of Communication Special Issue, pp 5–13
Noain Sanchez A (2016) ‘Privacy by default ’and active ‘informed consent by layers: essential measures to protect ICT users’ privacy. J Inform Commun Ethics Soc 14(2):124–138CrossRef
Nwankwo IS (2014) Missing links in the proposed EU data protection regulation and cloud computing scenarios: a brief overview. J Intellect Prop Inform Technol E-Comm Law 5(1):32–38
Rees C, Heywood D (2014) The “right to be forgotten” or the “principle that has been remembered”. Comput Law Secur Rev 30(5):574–578CrossRef
Rubinstein IS (2012) Big Data: The End of Privacy or a New Beginning? New York University Public Law and Legal Theory Working Papers. Paper 357
Ryngaert C (2015b) Jurisdiction in international law. Oxford University Press, Oxford, p 272
Schultz T (2008) Carving up the internet: jurisdiction, legal orders, and the private/public international law interface’. Eur J Int Law 19(4):799–839
Schwartz PM (2000) Privacy, participation and cyberspace – an American perspective. In: Simon D, Weiss P (Hrsg.) Zur Autonomie des Individuums – Liber Amicorum Spiros Simitis. Nomos Verlag, Baden-Baden, pp 337–352
Simitis S (1999) Die Erosion des Datenschutzes. Von der Abstumpfung deralten Regelungen und den Schwierigkeiten, neue Instrumente zu entwickeln. In: Bettina Sokol (Hrsg.): Neue Instrumente im Datenschutz. Wuppertal, pp 5–40
Simitis S (2014) Bundesdatenschutzgesetz – Kommentar. Nomos Verlag, pp 2072
Skouma G, Léonard L (2015) On-line behavioral tracking: what may change after the legal reform on personal data protection. In: Gutwirth S et al (eds) Reforming European data protection law. Springer, Netherlands, pp 35–60
Sobkowicz P, Kaschesky M, Bouchard G (2012) Opinion mining in social media: modeling, simulating, and forecasting political opinions in the web. Gov Inform Q 29(4):470–479CrossRef
Solove D (2007) The future of reputation – Gossip, Rumor and privacy on the internet. Yale University Press
Svantesson DJB (2007) Private international law and the internet. Kluwer Law International, Netherlands, p 464
Svantesson DJB (2013a) The extraterritoriality of EU data privacy law - its theoretical justification and its practical effect on U.S. businesses. Stanford J Int Law 50(1):53–117
Svantesson DJB (2013b) A “layered approach” to the extraterritoriality of data privacy laws. Int Data Priv Law 3(4):278–286CrossRef
Swire P, Lagos Y (2013) Why the right to data portability likely reduces consumer welfare: antitrust and privacy critique. Maryl Law Rev 72(2):335–380
Taddicken M (2014) The “Privacy Paradox” in the social web: the impact of privacy concerns, individual characteristics, and the perceived social relevance on different forms of self-disclosure. J Comput Mediat Comm 19:248–273CrossRef
Taylor M (2015) The EU’s human rights obligations in relation to its data protection laws with extraterritorial effect. Int Data Priv Law 5(4):246–256CrossRef
Tokunaga R (2011) Social networking site or social surveillance site? Understanding the use of interpersonal electronic surveillance in romantic relationships. Comput Hum Behav 27:705–713CrossRef
van Alsenoy B, Kosta E, Dumortier J (2014) Privacy notices versus informational self-determination: minding the gap. Int Rev Law Comput Technol 28(2):185–203CrossRef
van Eecke P, Truyens M (2010) Privacy and social networks. Comput Law Secur Rev 26:535–546CrossRef
Voss WG (2012) Preparing for the proposed EU general data protection regulation: with or without amendments. Bus Law Today 1
Warso Z (2013) There’s more to it than data protection fundamental rights, privacy and the personal/household exemption in the digital age. Comput Law Secur Rev (29):49, 1–500
Westin A (1967) Privacy and freedom. Athenaeum, New York, p 487
Whitaker R (1999) The end of privacy: how total surveillance in becoming a reality. New Press, p 195
Wong R, Savirimuthu J (2007) All or nothing: this is the question-the application of article 3 (2) Data Protection Directive 95/46/EC to the Internet. J Marshall J Comput Inform Law 25:241–266
Xanthoulis N (2013) Negotiating the EU data protection reform: reflections on the household exemption. In: International Conference on e-Democracy Springer International Publishing, pp 135–152
Young AL, Quan-Haase A (2013) Privacy protection strategies on facebook: the internet privacy paradox revisited. Inform Commun Soc 16(4):479–500CrossRef
Metadaten
Titel
The General Data Protection Regulation: A Law for the Digital Age?
verfasst von
Lilian Mitrou
Copyright-Jahr
2017
Buch
EU Internet Law

Print ISBN: 978-3-319-64954-2

Electronic ISBN: 978-3-319-64955-9

Copyright-Jahr: 2017

DOI
https://doi.org/10.1007/978-3-319-64955-9_2