Gloria González Fuster

Legal safeguards for privacy and data protection in ambient intelligence

To get the maximum benefit from ambient intelligence (AmI), we need to anticipate and react to possible drawbacks and threats emerging from the new technologies in order to devise appropriate safeguards. The SWAMI project took a precautionary approach in its exploration of the privacy risks in AmI and sought ways to reduce them. It constructed four “dark scenarios” showing possible negative implications of AmI, notably for privacy protection. Legal analysis of the depicted futures showed the shortcomings of the current legal framework in being able to provide adequate privacy protection in the AmI environment. In this paper, the authors, building upon their involvement in SWAMI research as well as the further advancement of EU privacy analysis, identify various outstanding issues regarding the legal framework that still need to be resolved in order to deal with AmI in an equitable and efficacious way. This article points out some of the lacunae in the legal framework and postulates several privacy-specific safeguards aimed at overcoming them.

SWIFT and the vulnerability of transatlantic data transfers

The ‘SWIFT affair’ eloquently illustrates the complexities of the protection of personal data in the context of global privacy-invading counterterrorist efforts. At the core of the issue there is not only the possibility for US authorities to secretly (and legally) access information on financial transactions taking place in the European Union (EU), as well as the concerns that this fact might raise regarding the effective protection of personal data guaranteed to European citizens. What is also at stake is the possibility for a European company not to comply with EU data protection legislation as interpreted by competent authorities without facing any sanctions. This paper reviews the developments of the ‘SWIFT affair’ assessing the system failures it portrays, particularly in the light of European data protection. It recalls how the facts were rendered public, focuses on the reactions from different European data protection authorities and bodies (the Belgian Privacy Commission, the Article 29 Working Party and the European Data Protection Supervisor) and offers a view of the ‘solutions’ discussed and implemented. By questioning their opportunity and convenience, it underlines that the major unsolved challenge of EU data protection is the need for a consistent approach to deal with transatlantic data transfers.

The fundamental right of data protection in the European Union: in search of an uncharted right

The entry into force of the EU Charter of Fundamental Rights and the ensuing introduction of the right to data protection as a new fundamental right in the legal order of the EU has raised some challenges. This article is an attempt to bring clarity on some of these questions. We will therefore try to address the issue of the place of the right to the protection of personal data within the global architecture of the Charter, but also the relationship between this new fundamental right and the already existing instruments. In doing so, we will analyse the most pertinent case law of the Court of Luxembourg, only to find out that it creates more confusion than clarity. The lesson we draw from this overview is that the reasoning of the Court is permeated by a ‘privacy thinking’, which consists not only in overly linking the rights to privacy and data protection, but also in applying the modus operandi of the former to the latter (which are different we contend). The same flawed reasoning seems to be at work in the EU Charter of Fundamental Rights. Therefore, it is crucial that the different modi operandi be acknowledged, and that any upcoming data protection instrument is accurately framed in relation with Article 8 of the Charter.

Inaccuracy as a privacy-enhancing tool

The accuracy principle is one of the key standards of informational privacy. It epitomises the obligation for those processing personal data to keep their records accurate and up-to-date, with the aim of protecting individuals from unfair decisions. Currently, however, different practices being put in place in order to enhance the protection of individuals appear to deliberately rely on the use of ‘inaccurate’ personal information. This article explores such practices and tries to assess their potential for privacy protection, giving particular attention to their legal implications and to related ethical issues. Ultimately, it suggests that the use of ‘inaccurate’ data can potentially play a useful role to preserve the informational autonomy of the individual, and that any understandings of privacy or personal data protection that would tend to unduly limit such potential should be critically questioned.

From Unsolicited Communications to Unsolicited Adjustments

The right to respect for private life is developed in European legal frameworks through different legal notions and instruments. One of such mechanisms for privacy protection, constantly backed up by the European Union (EU) legislator for already more than a decade, is the regulation of so-called unsolicited communications. This contribution explores this EU approach and argues that, in the light of current and upcoming developments, a profound revision of the notion might be needed. More concretely, it concludes that there is a need to move from a regulation of unsolicited communications to the regulation of unsolicited ‘adjustments’ (i.e., automatic adaptations of software or devices).

How Uninformed is the Average Data Subject? A Quest for Benchmarks in EU Personal Data Protection

Information obligations have always been crucial in personal data protection law. Reinforcing these obligations is one of the priorities of the legislative package introduced in 2012 by the European Commission to redefine the personal data protection legal landscape of the European Union (EU). Those responsible for processing personal data (the data controllers) must imperatively convey certain pieces of information to those whose data is processed (the data subjects), and they are expected to do so in an increasingly transparent manner. Beyond these punctual information requirements, however, data subjects appear to always be and inevitably remain in a state of relative ignorance, as in almost constant need of further guidance. Data subjects are nowadays often depicted as unknowing consumers of online services, services which surreptitiously take away from them personal data thus conceived as a valuable asset. In light of these developments, this contribution critically investigates how EU law is envisaging data subjects in terms of knowledge. The paper reviews the birth and evolution of information obligations as an element of European personal data protection law, and asks whether thinking of data subjects as consumers is consistent with the notion of average consumer functioning in EU consumer law. Finally, it argues that the time might have come to openly clarify when data subjects are unlawfully misinformed, and that, in the meantime, individuals might benefit not only from accessing more transparent information, but also from being made more aware of the limitations of the information available to them.

Working with Research Integrity—Guidance for Research Performing Organisations: The Bonn PRINTEGER Statement

AbstractThis document presents the Bonn PRINTEGER Consensus Statement: Working with Research Integrity—Guidance for research performing organisations. The aim of the statement is to complement existing instruments by focusing specifically on institutional responsibilities for strengthening integrity. It takes into account the daily challenges and organisational contexts of most researchers. The statement intends to make research integrity challenges recognisable from the work-floor perspective, providing concrete advice on organisational measures to strengthen integrity. The statement, which was concluded February 7th 2018, provides guidance on the following key issues: § 1.Providing information about research integrity§ 2.Providing education, training and mentoring§ 3.Strengthening a research integrity culture§ 4.Facilitating open dialogue§ 5.Wise incentive management§ 6.Implementing quality assurance procedures§ 7.Improving the work environment and work satisfaction§ 8.Increasing transparency of misconduct cases§ 9.Opening up research§ 10.Implementing safe and effective whistle-blowing channels§ 11.Protecting the alleged perpetrators§ 12.Establishing a research integrity committee and appointing an ombudsperson§ 13.Making explicit the applicable standards for research integrity

EU Data Protection and Future Payment Services

With the second Payment Services Directive, the European Union embraces new payment services by tackling some of the legal challenges they trigger. Personal data protection is one of the most critical of such challenges, and it is itself in a crucial transition period. A General Data Protection Regulation is indeed to replace the current Data Protection Directive, coinciding with a progressive consolidation of the EU right to personal data protection. This contribution explores the current and upcoming regulatory challenges in this field. After introducing the EU legal framework on personal data protection, it reviews the data protection provisions of the updated Payment Services Directive, and discusses them critically. The findings are then explored considering the wider context of mobile payments, as well as “alternative currencies”.

Privacy and the Protection of Personal Data Avant la Lettre

This chapter provides the background needed for the exploration of the emergence of the right to the protection of personal data as a fundamental right in European Union (EU) law by focusing on the notion of privacy. First, it offers an overview of divergent approaches to this multifaceted notion, noting inter alia how concurring views can be classified depending on whether they rely or not on the public/private distinction. Second, it introduces a detailed historical account of how the word ‘privacy’ was re-defined at the end of the 1960s in the United States (US) with the specific meaning of control upon personal information, and how this approach was developed and inscribed in US law as concerned with the doctrine of ‘fair information principles’. Third, the chapter examines developments taking place at the same time in Europe, where in some countries the word ‘privacy’ was soon adopted, but where other countries were instead busy analysing through other legal lenses the possible threats linked to increasing computerisation.

EU Fundamental Rights and Personal Data Protection

This chapter focuses on the construction of personal data protection as a fundamental right of the European Union (EU) by studying the surfacing of the notion of EU fundamental rights, and by exploring how could the right to the protection of personal appear among them. First, the chapter reviews the historical involvement of the EU in the field of fundamental rights protection, describing the sources of fundamental rights originally identified by the EU Court of Justice and later inscribed in EU law. Second, it proves the inexistence of a common constitutional approach among Member States in relation to the recognition of a right to the protection of personal data. Third, it reviews the appearance of personal data protection in the various tentative listings of fundamental rights produced by EU institutions up until 2000. Finally, it describes how the right came to be inscribed in Article 8 of the Charter of Fundamental Rights of the EU proclaimed in 2000, discussing also the major features of this recognition.