Data Protection & Dataflows

Bart van der Sloot

General Data Protection Regulation & Transnational Dataflows

With the recently adopted General Data Protection Regulation by the European Union, replacing the Data Protection Directive from 1995, the nature of the data protection rules is changing rapidly. New rights, such as the right to be forgotten, the right to data portability and the right to resist profiling are introduced; obligations for data controllers are specified in detail, among others to appoint a Data Protection Officer, to conduct Data Protection Impact Assessments and to notify the authorities of data leaks; new fines and penalties are introduced for those violating the data protection principles. At the same time, there are new developments with respect to transnational data flows, especially from the European Union to the United States. 

This paper introduces the strategic approach to regulating personal data and the normative foundations of the GDPR. We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR’s approach and provisions; and make predictions about the GDPR’s implications. We also highlight where the GDPR takes a different approach than U.S. privacy law.


The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed regulatory regime, that will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. 

Download the article here.

Data mining and profiling offer great opportunities, but also involve risks related to privacy and discrimination. Both problems are often addressed by implementing data minimization principles, which entail restrictions on gathering, processing and using data. Although data minimization can sometimes help to minimize the scale of damage that may take place in relation to privacy and discrimination, for example when a data leak occurs or when data are being misused, it has several disadvantages as well. Firstly, the dataset loses a rather large part of its value when personal and sensitive data are filtered from it. Secondly, by deleting these data, the context in which the data were gathered and had a certain meaning is lost.

This chapter will argue that this loss of contextuality, which is inherent to data mining as such but is aggravated by the use of data minimization principles, gives rise to or aggravates already existing privacy and discrimination problems. Thus, an opposite approach is suggested, namely that of data minimummization, which requires a minimum set of data being gathered, stored and clustered when used in practice.

Buy the chapter here or download a draft here

The General Data Protection Regulation in Plain Language is a guide for anyone interested in the much-discussed rules of the General Data Protection Regulation. In this legislation, which came into force in 2018, the European Union meticulously describes what you can and cannot do with data about other people. Violating these rules can lead to a fine of up to 20 million euros.

This book sets out the most important obligations of individuals and organisations that process data about others. These include taking technical security measures, carrying out an impact assessment and registering all data-processing procedures within an organisation. It also discusses the rights of citizens whose data are processed, such as the right to be forgotten, the right to information and the right to data portability.

Buy the book here.

The European Union, in its texts and communications, has mostly avoided using the terms ‘natural rights’ and ‘human rights’, instead adopting the phrase ‘fundamental rights’. The question is, however, what this concept actually entails and whether, and if so, how it differs from the more classic understanding of human rights. This question is important because data protection has been disconnected from the right to privacy in EU legislation and has been coined a fundamental right itself. The Charter of Fundamental Rights of the European Union grants citizens the right to privacy in Article 7 and the right to data protection in Article 8. The question is what this means and whether protecting personal data should in fact be qualified as ‘fundamental’.

This chapter discusses whether data protection should be viewed as a fundamental right proper.

Buy the chapter here or download a draft here.

Other Scientific Contributions

Legal consistency after the General Data Protection Regulation and the Police Directive

Download the article here.