With the recently adopted General Data Protection Regulation by the European Union, replacing the Data Protection Directive from 1995, the nature of the data protection rules is changing rapidly. New rights, such as the right to be forgotten, the right to data portability and the right to resist profiling are introduced; obligations for data controllers are specified in detail, among others to appoint a Data Protection Officer, to conduct Data Protection Impact Assessements and to nofify the authorities of data leaks; new fines and penalties are introduced for those violating the data protection principles. At the same time, there are new developments with respect to transnational data flows, especially from the European Union to the United States.
This article analyzes in how far legal persons can claim a right to professional secrecy under the right to privacy and data protection in Europe.
Privacy and data protection rules are usually said to protect the individual against intrusive governments and nosy companies. These rights guarantee the individual’s freedom, personal autonomy and human dignity, among others. More and more, however, legal persons are also allowed to invoke the rights to privacy and data protection. Prima facie, it seems difficult to reconcile this trend with the standard interpretation of those rights, as legal persons do not enjoy freedom, personal autonomy or human dignity and it seems uncertain why business interests should be protected under privacy and data protection rules. On second thoughts, however, it appears rather unproblematic.
Data mining and profiling offer great opportunities, but also involve risks related to privacy and discrimination. Both problems are often addressed by implementing data minimization principles, which entail restrictions on gathering, processing and using data. Although data minimization can sometimes help to minimize the scale of damage that may take place in relation to privacy and discrimination, for example when a data leak occurs or when data are being misused, it has several disadvantages as well. Firstly, the dataset loses a rather large part of its value when personal and sensitive data are filtered from it. Secondly, by deleting these data, the context in which the data were gathered and had a certain meaning is lost.
This chapter will argue that this loss of contextuality, which is inherent to data mining as such but is aggravated by the use of data minimization principles, gives rise to or aggravates already existing privacy and discrimination problems. Thus, an opposite approach is suggested, namely that of data minimummization, which requires a minimum set of data being gathered, stored and clustered when used in practice.
This article critically reflects on the role of the individual, his interests, his rights and the notion of Informed Consent in the European Data Protection law.
The GDPR intorudces a number of specific obligations and rights in order to protect the interests of the citizen and consumer and provides far-reaching powers for governmental agencies to enforce these rules.
However, not only is this directly against the original purpose of and ratio behind data protection rules, moreover, an increased emphasis on consumer interests and rights to control personal data seems an inadequate tool for solving the current problems involved with Big Data.
The European Union, in its texts and communications, has mostly avoided using the terms ‘natural rights’ and ‘human rights’, instead adopting the phrase ‘fundamental rights’. The question is, however, what this concept actually entails and whether, and if so, how it differs from the more classic understanding of human rights. This question is important because data protection has been disconnected from the right to privacy in EU legislation and has been coined a fundamental right itself. The Charter of Fundamental Rights of the European Union grants citizens the right to privacy in Article 7 and the right to data protection in Article 8. The question is what this means and whether protecting personal data should in fact be qualified as ‘fundamental’.
This chapter discusses whether data protection should be viewed as a fundamental right proper.