Nadezhda Purtova

Private Law Solutions in European Data Protection: Relationship to Privacy, and Waiver of Data Protection Rights

In this article a possibility of a private law approach to data protection is considered. The main thesis of the contribution is that the European legal order allows only a limited scope of contractual and property rights with regard to personal data, restricted by the consideration to preserve human rights. In the piece it is first proved that in the system of the ECHR data protection interests are treated under the umbrella of Article 8 right to privacy. As a result, the author concludes that Article 8 right to privacy does not imply a right to waive data protection but provides a legitimate ground to restrict freedom of contract in that area.

Illusion of Personal Data as No One's Property

This paper argues that it is an illusion to suppose that data protection regimes, in Europe and elsewhere, need not deal with the issue of property rights in personal data. Building on the work of John Umbeck, it is clear that, if property rights are not assigned by a legislative action, personal data will be appropriated in proportion to the de facto power of the data market participants to exclude others. It follows that, so long as personal data bears high economic value, the real question is not whether there should be property rights in personal data but whose rights they should be. The paper offers a new perspective on the nature of personal data as a resource, presenting it as a system resource comprising not merely individual pieces of information pertaining to identifiable individuals, but an entire ‘ecosystem’. So viewed, it can be seen that personal data is actually a rivalrous resource, thereby refuting one of the core grounds on which many of the anti-propertization arguments are built. Amongst the conclusions to be drawn from this analysis, the Proposal for a new data protection regulation in Europe can be criticized as a missed opportunity not only to strengthen the position of individuals against the Information Industry but also to open a public debate about the uses to which personal data are put.

Data Protection Reform and the Internet: The Draft Data Protection Regulation

This contribution critically examines the proposal for a new General Data Protection Regulation -- both the original Commission Proposal and the amendments adopted by the Parliament. It focuses on the proposed changes to some key traditional data protection concepts: the territorial scope, consent, purpose limitation principle, and on some novelties introduced by the draft Regulation: the principle of accountability, data portability and the principles of data protection by design and by default.The efforts to reform EU data protection have shown that the very concept of data protection as a right and as a regulatory regime is in crisis. The Commission Proposal seems to accept the bankruptcy of the idea to build data protection law around individual control over what is going on with his/her personal data, while tightening the tools for monitoring and ensuring compliance.The Parliament text turned the idea of the data protection reform around by introducing -- albeit in not too explicit way -- the individual autonomy back into the data protection discussion. It remains to be seen what the consequences of inclusion of the references to the individual autonomous choices would have for interpretation of the Regulation, if those references will make it to the final text. Even more importantly, the Parliament text seems to have made an attempt to divorce itself from the traditional ‘consent versus fair use’ dichotomy that has been used to describe dominant and conflicting approaches to data protection. The Parliament text seems to craft an alternative way for data protection by introducing a risk-based approach to data protection and by differentiating between ‘regular’ personal data and pseudonymous data that receive different degrees of protection.

Under Observation: The Interplay Between eHealth and Surveillance

The essays in this book clarify the technical, legal, ethical, and social aspects of the interaction between eHealth technologies and surveillance practices. The book starts out by presenting a theoretical framework on eHealth and surveillance, followed by an introduction to the various ideas on eHealth and surveillance explored in the subsequent chapters. Issues addressed in the chapters include privacy and data protection, social acceptance of eHealth, cost-effective and innovative healthcare, as well as the privacy aspects of employee wellness programs using eHealth, the use of mobile health app data by insurance companies, advertising industry and law enforcement, and the ethics of Big Data use in healthcare. A closing chapter draws on the previous content to explore the notion that people are under observation, bringing together two hitherto unrelated streams of scholarship interested in observation: eHealth and surveillance studies. In short, the book represents a first essential step towards cross-fertilization and offers new insights into the legal, ethical and social significance of being under observation.

The Law of Everything. Broad Concept of Personal Data and Future of EU Data Protection Law

Has the concept of personal data become too broad? Article 29 Working Party’s position facilitates a plausible argument that everything can be personal data, leading to the application of data protection law to unconventional situations, like observing weather and analysing wastewater. The reason goes beyond the rapid progress of technology towards perfect (re)identification of datasets. Datafication and advances in data analytics make everything (contain) information, and in increasingly ‘smart’ environments any information is likely to relate to an individual. The case-law of the EU Court of Justice, in particular Breyer, YS, and Nowak, is either in line with the broad approach of WP29, or has limited potential to avert the imminent explosion of the situations falling within the scope of data protection. The GDPR with its intensive compliance regime is on the verge of becoming the law of everything, well meant but impossible to comply with.

Health Data for Common Good: Defining the Boundaries and Social Dilemmas of Data Commons

The promises of Big Data Analytics in the area of health are grand and tempting. Access to the large pools of data, much of which is personal, is said to be vital if the Big Data health initiatives are to succeed. The resulting rhetoric is of data sharing. This contribution exposes ‘the other side’ of data sharing which often remains in the dark when the Information Industry and researchers advocate for more relaxed rules of data access: namely, the paper frames the issue of personal data use in terms of the commons, a resource shared by a group of appropriators and therefore subject to social dilemmas. The paper argues that the uncontrolled use of the data commons will ultimately result in a number of the commons problems, and elaborates on the two problems in particular: disempowerment of the individual vis-a-vis the Information Industry, and the enclosure of data by a few Information Industry actors. These key message is: if one chooses to approach data as commons and advocates data use for common good, one should also accept the commons problems that come with such sharing.

Laws and Regulations for Digital Health

Traditional healthcare is being transformed though mobile health delivery, personalized medicine, and social media health applications. The area of healthcare is heavily regulated. Hence, the design and implementation of the innovative eHealth solutions must account for conventional health law. Translating legal norms into features of design and implementation may prove difficult. The aim of this Chapter is to facilitate this process and make first steps towards a methodology for interpretation of legal and regulatory rules into engineering requirements. This Chapter has presented an integrated approach to legal requirements engineering in the context of eHealth, bringing together a methodology for mapping existing legal and regulatory landscape and the strategies to interface the identified rules into design of the eHealth technology and processes. Drawing on earlier work of Koops (2013), we provide the eHealth stakeholders with a toolkit to map, analyze and apply the laws and regulations in order to achieve compliance. The Chapter outlines a taxonomy for descriptive research in law and technology as a tool to map the regulatory field in their specific domain. It then proceeds to illustrate how the tool is to be applied and provides a non-exhaustive overview and analysis of the legal rules relevant for eHealth in Europe, with a focus on the safety and performance requirements to eHealth applications and platforms, and on data protection rights of the eHealth users. Further, we elucidate the role that the compliance-by-design strategies have in engineering legal requirements into the eHealth technology design and processes. It is suggested that the eHealth developers, sellers and service providers engage in compliance by design in order to ensure and demonstrate compliance with the regulatory landscape.