Vagelis Papakonstantinou

Smart Grid Security

This book on smart grid security is meant for a broad audience from managers to technical experts. It highlights security challenges that are faced in the smart grid as we widely deploy it across the landscape. It starts with a brief overview of the smart grid and then discusses some of the reported attacks on the grid. It covers network threats, cyber physical threats, smart metering threats, as well as privacy issues in the smart grid. Along with the threats the book discusses the means to improve smart grid security and the standards that are emerging in the field. The second part of the book discusses the legal issues in smart grid implementations, particularly from a privacy (EU data protection) point of view.

The new police and criminal justice data protection directive : A first analysis

Allegedly the Police and Criminal Justice Data Protection Directive (henceforth, the “Directive”) is the little-known, much overlooked part of the EU data protection reform package that stormed into the EU legislative agenda towards the end of 2015. Its counterpart, regulating all other personal data processing activities, the General Data Protection Regulation (henceforth, the “Regulation”), is undoubtedly the text that fascinated legislators, legal scholars and even journalists over the four years since their simultaneous release in first draft formats, with its numerous noteworthy novelties: the right to be forgotten, the right to data portability, data protection impact assessments, privacy by design, consistency and one-stop-shop mechanisms among EU Data Protection Authorities etc. Compared to this impressive list the text of the Directive indeed sounds mundane and unimaginative. However, we firmly believe that the repercussions it will have in the EU personal data processing scene surrounding the work of law enforcement authorities, once it comes into effect, will be fundamental and will be equally felt by everybody exactly in the same way that its famous sibling intends to do.

Google Spain : Addressing critiques and misunderstandings one year later

In the text that follows the authors will rst highlight some subjectively important facts that need to be kept under consideration while assessing the Court’s decision against the business model currently employed by US internet companies (section 1). In section 2 the authors will engage with Sartor’s concerns with regard to search engines being classi ed as ‘data controllers’. Section 3 will deal with the issue of extraterritoriality, attempting to assess both Wolf’s reservations and Hijmans’ enthusiasm. e Court’s balancing between economic interests and the right to data protection will be elaborated upon in section 4, while also attempting to address Peers’ and Solove’s criticism on the Court’s balancing method. Finally, in section 5, the authors, in response to Kuner’s idea of the globalization of constitutional clashes, will present their own thoughts on Google’s actual implementation of the Court’s decision for the past year and the DPAs’ reaction to it.

The future of privacy certification in Europe: an exploration of options under article 42 of the GDPR

The EU faces substantive legislative reform in data protection, specifically in the form of the General Data Protection Regulation (GDPR). One of the new elements in the GDPR is its call to establish data protection certification mechanisms, data protection seals and marks to help enhance transparency and compliance with the Regulation and allow data subjects to quickly assess the level of data protection of relevant products and services. To this effect, it is necessary to review privacy and data protection seals afresh and determine how data protection certification mechanisms, seals or marks might work given the role they will be called to play, particularly in Europe, in facilitating data protection. This article reviews the current state of play of privacy seals, the EU policy and regulatory thrusts for privacy and data protection certification, and the GDPR provisions on certification of the processing of personal data. The GDPR leaves substantial room for various options on data protection certification, which might play out in various ways, some of which are explored in this article.

Repeating the mistakes of the past will do little good for air passengers in the EU : The comeback of the EU PNR Directive and a lawyer’s duty to regulate profiling

On the 17th of February an old data protection acquaintance, the EU PNR Directive1, returned to life. On that date the Parliament’s LIBE Committee released its Report2 on its rst (re-)reading of a dra that was otherwise presumed dead since 2011, when that same Committee found it unacceptable because of fundamental rights concerns and asked the Commission to withdraw it. The fact remains that the general data protection environment has in the meantime substantially changed: the PNR Directive’s provisions must now be reconciled with the latest case law of the Court of Justice on acceptable surveillance and with the EU data protection reform package, in particular with its dra Police and Criminal Justice Directive8 that is to replace the 2008 Framework Decision. is applies both to substantive law and supervision model

Introduction: Privacy and Data Protection Seals

This chapter sets out some terminological guidance as well as the aims and scope of the book. It guides the reader through the structure and presents them with a flavor of the contents of the book.

Data protection policies in EU justice and home affairs

Data protection is an EU law field that has undergone substantial change over the past few years. In April 2016 a five-year law-making process finally came to an end, with the adoption of the General Data Protection Regulation and the Police and Criminal Justice Data Protection Directive. The Directive, upon which this analysis is focused, is an ambitious text, aimed at assuming the data protection standard-setting role within the EU Justice and Home Affairs field at Member State level. At EU level Regulation 45/2001/EC is generally applicable on personal data processing by most of the EU agencies and bodies in the field. Its provisions are “particularised” and “complemented” by ad hoc substantive data protection law per each such actor. All of them, however, are to be aligned with the provisions of the Directive. Although supervision tasks are uniformly entrusted to the EDPS, the different mandates for each of the actors continue to apply. This, unnecessarily, complex legal architecture is found detrimental to the data protection purposes and ultimately against the requirements of Article 16 TFEU

Legal Protection of Personal Data in Smart Grid and Smart Metering Systems from the European Perspective

Smart grids are slowly becoming the future of worldwide energy generation and distribution and they promise, among other things, numerous environmental, and energy efficiency benefits to society. At the same time, however, they are capable of severely invading the inviolability of the most privacy-sensitive place—the home. Therefore, these concerns must be duly taken into consideration while deploying smart grids. This chapter provides an overview, from the European legal perspective, smart grids challenges to the fundamental rights to privacy, personal data protection, and the way Europe has addressed them. It pays special attention to the relevant regulatory requirements and to the means available to properly address these challenges, especially the data protection impact assessment (DPIA). It concludes by a few observations on the efficiency of the European approach.