Brendan Van Alsenoy

The Accountability Principle in Data Protection Regulation: Origin, Development and Future Directions

Accountability made its formal debut in the field of international data protection more than 30 years ago, when it was adopted as a data protection principle in the Organization for Economic Cooperation and Development (OECD) Guidelines.4 As of late, the policy discourse on the regulation of data protection has been rife with references to accountability. Most notably, in 2010, the Article 29 Data Protection Working Party issued an Opinion on the principle of accountability in which it elaborated upon the possibility of including a general provision on accountability in the revised Data Protection Directive.5 The European Commission has also made a reference to the possibility of introducing a principle of accountability in its subsequent Communication outlining a strategy for modernising the EU data protection framework.6 Within the context of these documents, the introduction of an accountability principle is seen mainly as a way to help ensure ‘that data controllers put in place effective policies and mechanisms to ensure compliance with data protection rules’.7 While this objective is in line with previous iterations of the principle of accountability, important nuances exist among the various documents which have promulgated accountability as a data protection principle.

Privacy notices versus informational self-determination: Minding the gap

Privacy notices are instruments that intend to inform individuals of the processing of their personal data, their rights as data subjects, as well as any other information required by data protection or privacy laws. The goal of this paper is to clarify the current discourse regarding the (in)utility of privacy notices, particularly in the context of online transactions. The perspective is a European one, meaning that the analysis shall be geared towards the European Data protection framework, particularly the European Data Protection Directive. The paper discusses the role that privacy notices play under the European data protection framework today, summarizes the main critiques regarding the use of privacy notices in practice and develops a number of recommendations.

Extracting Access Control and Conflict Resolution Policies from European Data Protection Law

This paper presents the extraction of a legal access control policy and a conflict resolution policy from the EU Data Protection Directive [1]. These policies are installed in a multi-policy authorization infrastructure described in [2, 3]. A Legal Policy Decision Point (PDP) is constructed with a legal access control policy to provide automated decisions based on the relevant legal provisions. The legal conflict resolution policy is configured into a Master PDP to make sure that the legal access control policy gets priority over access control policies provided by other authorities i.e. the data subject, the data issuer and the data controller. We describe how clauses of the Directive are converted into access control rules based on attributes of the subject, action, resource and environment. There are currently some limitations in the conversion process, since the majority of provision require additional interpretation by humans. These provisions cannot be converted into deterministic rules for the PDP. Other provisions do allow for the extraction of PDP rules but need to be tailored to the application environment before they are configured into the Legal PDP.

Due processing of personal data in eGovernment?: A case study of the Belgian electronic identity card

In this article, the authors are evaluating the current authentication mechanisms for eGovernment employed in Belgium. Particular focus is placed on the Belgian electronic identity card (eID) and the use of national identification numbers. After evaluating the current situation the authors proceed to highlight possible alternative.

Privacy and Data Protection Aspects of e-Government Identity Management

European Commission 2003, p. 7. E-Government initiatives are being witnessed at all levels of government (local and federal governments, including legislative bodies, the judiciary, the tax administration, in the health sector, etc.). These initiatives can be grouped into four main categories: (1) the disseminating (passive or active) of relevant general public information to citizens, for example through websites, (2) the use of electronic processing and networks to improve the management of activities inside and across governmental departments, (3) the use of ICT to increase citizen participation in decision-making processes (e.g., e-petitions), and (4) the use of ICT for interaction with the citizen and service delivery (e.g., filing of tax return, access to personal file at the National Registry or on an e-health platform, filing of declarations in social security, etc.). For this Chapter, we focus on the activities in group (2) and (4).