Charlotte Tschider,Marcelo Corrales Compagnucci,Timo Minssen

DOI: https://doi.org/10.1093/jlb/lsae022

2024-09-27

Abstract:In July 2023, the United States and the European Union introduced the Data Privacy Framework (DPF), introducing the third generation of cross-border data transfer agreements constituting adequacy with respect to personal data transfers under the General Data Protection Regulation (GDPR) between the European Union (EU) and the US. This framework may be used in cross-border healthcare and research relationships, which are highly desirable and increasingly essential to innovative health technology development and health services deployment. A reliable model meeting EU adequacy requirements could enhance the transfer of patient and research participant data. While the DPF might present a familiar terrain for US organizations, it also brings unique challenges. A notable concern is the ability of individual EU Member States to establish individual and additional requirements for health data that are more restrictive than GDPR requirements, which are not anticipated by the DPF. This article highlights the DPF's potential impact on the healthcare and research sectors, finding that the DPF may not provide the degree of lawful health data transfer desirable for healthcare entities. We examine the DPF against a background of existing Health Insurance Portability and Accountability Act obligations and other GDPR transfer tools to offer alternatives that can improve the likelihood of reliable, lawful health data transfer between the US and EU.

Chao Wu

DOI: https://doi.org/10.1016/j.techsoc.2024.102457

IF: 6.879

2024-01-01

Technology in Society

Abstract:In recent years, data privacy has attracted increasing public concerns, especially with public scandals from top Internet companies, emerging over inappropriate data collection, lack of transparency in data usage, and manipulation of users' preferences. This has led to responsive efforts from multiple sectors of society to constrain the violation of individuals’ data privacy. Among these efforts, the regulations like GDPR are the most influential, which are believed to be able to change the foundation of the whole data ecosystem. The main concern of current regulation is data transparency, designed to enable individuals to make rational decisions about their data. However, I argue that transparency cannot mitigate a key issue of data privacy, which is the right of receiving benefits from data. This issue is getting severe with the rapid development of the data economy and will become the essential problem of social welfare and fairness in the AI era. I further point out that the key to solving this issue is to migrate the current centralized data utilization paradigm to a new decentralized paradigm. Based on the recent technical advancements, I propose an applicable pathway to implement such a paradigm. And to realize a fair and sustainable data eco-system, joint efforts should be made within this paradigm.

Oliver Patel,Nathan Lea

DOI: https://doi.org/10.2139/ssrn.3618937

2020-01-01

SSRN Electronic Journal

Abstract:This report analyses the issues raised by EU-U.S. commercial data flows, including the future status of the Privacy Shield framework and standard contractual clauses (SCCs). It begins by comparing the systems of data protection in the EU and the U.S., highlighting key philosophical, legal and practical differences.The next section assesses the history of EU-U.S. data flows and the upcoming judgement in the Schrems II case. It then outlines why a clash between U.S. national security laws and mass surveillance on the one hand, and EU data protection and fundamental rights law on the other, renders all transatlantic data transfer mechanisms vulnerable, with few alternative options.The final section focuses on EU-UK data flows post-Brexit and the UK’s quest for an EU adequacy decision, highlighting the key lessons which can be learnt from the EU-U.S. case study and the challenges which lie ahead. The main argument is that the EU-UK data flows relationship will be complex and could remain unresolved for years. Policy makers, businesses and data protection officers should prepare for a rocky few years ahead, not least due to the high possibility of any adequacy decision facing concerted legal challenges.Methodology: The findings were informed by analysis of primary documents, an extensive literaturereview and over sixty anonymous interviews with EU, U.S. and UK politicians, civil servants, ambassadors, regulators, lawyers, business leaders, data protection officers and researchers conducted between 2018 and 2020.

Laura Bradford,Mateo Aboy,Kathleen Liddell

DOI: https://doi.org/10.1093/jlb/lsaa055

2020-10-15

Abstract:International health research increasingly depends on collaboration and combination using medical data to advance treatment and drug discovery. The European Union (EU), through its General Data Protection Regulation, has tightened the rules for sharing data across borders to protect individual privacy. These new rules threaten cooperation between the EU and the USA, the two largest public funders of biomedical research. This article analyzes the primary pathway for sharing research data with the USA, the US-EU Privacy Shield, and argues that the Shield is ill-suited to support complex health studies. Its legitimacy is in question under both EU and US law, and its terms are too restrictive for the variety of exchanges underlying research, treatment, and care. As an alternative, we propose that the USA seek an additional sector-based adequacy determination based on the existing US health privacy law, the Health Insurance Portability and Accountability Act. A sector-specific approach to adequacy for health would avoid many of the most contentious issues that divide the USA and EU on data protection. It could also serve as a model for other third-party jurisdictions and facilitate international harmonization of health research practices.

W.Gregory Voss,

DOI: https://doi.org/10.17323/1996-7845-2022-01-03

2022-03-15

International Organisations Research Journal

Abstract:Today, cross-border data flows are an important component ofinternational trade and an element of digital service models. However, they are impededby restrictions on cross-border personal data transfers and data localization legislation. ThisArticle focuses primarily on these complexities and on the impact of the new EuropeanUnion (“EU”) legislation on personal data protection—the GDPR. First, this Articleintroduces its discussion of these flows by placing them in their economic and geopoliticalsetting, including a discussion of the results of a lack of international harmonization of lawin the area. In this framework, rule overlap and rival standards are relevant. Once thissituation is established, this Article turns to an analysis of the legal measures that havefilled the gap left by the lack of international regulation and the failure to harmonize law:extraterritorial laws in the European Union (regional legislation) and the United States(state legislation); and data localization laws in China and Russia. Specific provisionsrestricting cross-border personal data transfers are detailed under EU legislation, as are theinternational agreements that have been invaluable in allowing flows between the UnitedStates and the European Union to continue—first the Safe Harbor, and now the Privacy Shield. Finally, in this context, the role of data governance is investigated, both in thecontext of data controllers’ accountability for the actions of other actors in global supplychains under EU law and under the Privacy Shield. Thus, this Article goes beyond the lawitself, to place requirements in the context of the globalized business world of data flows,and to suggest ways that companies may improve their compliance position worldwide.

Edoardo Celeste,Federico Fabbrini

DOI: https://doi.org/10.1007/978-3-030-54660-1_3

2020-10-14

Abstract:Abstract Borderless cloud computing technologies are exacerbating tensions between European and other existing regulatory models for data privacy. On the one hand, in the European Union (EU), a series of data localisation initiatives are emerging with the objective of preserving Europe’s digital sovereignty, guaranteeing the respect of EU fundamental rights and preventing foreign law enforcement and intelligence agencies from accessing personal data. On the other hand, foreign countries are unilaterally adopting legislation requiring national corporations to disclose data stored in Europe, in this way bypassing jurisdictional boundaries grounded on physical data location. The chapter investigates this twofold dynamic by focusing particularly on the current friction between the EU data protection approach and the data privacy model of the United States (US) in the field of cloud computing.

Yinuo Yang,Yanya Zhao

DOI: https://doi.org/10.54254/2753-7048/36/20240458

2024-01-15

Abstract:In today's data-driven era, the governance of data rules has become a focal point for countries worldwide. This paper elucidates the significant differences between the United States and Europe, both major players in this domain, in terms of legislation and value positions. They also operate within distinct social data environments and possess varying national interest needs. These influence the direction and results of the game between the two sides in the data privacy framework. The paper also encompasses many far-reaching factors involved in this process, such as the political relationships between the United States and Europe, and the economic conditions on both sides. In the contest for dominance in data governance rules, the United States and Europe have been constantly interacting, refining regulations through ongoing friction, and to some extent, driving the development of the data industry. Meanwhile, the world still needs a more mature and stable regulatory framework for data governance rules, indicating the necessity for further significant progress in this area.

Seun Solomon Bakare,Adekunle Oyeyemi Adeniyi,Chidiogo Uzoamaka Akpuokwe,Nkechi Emmanuella Eneh

DOI: https://doi.org/10.51594/csitrj.v5i3.859

2024-03-09

Computer Science & IT Research Journal

Abstract:This Review provides an overview of the comparative review of data privacy laws and compliance, focusing on the European Union's General Data Protection Regulation (EU GDPR) and data protection regulations in the United States. The analysis explores key similarities and differences, emphasizing their implications for businesses and individuals. The EU GDPR, implemented in 2018, stands as a landmark regulation governing data protection and privacy for individuals within the European Union and the European Economic Area. In contrast, the United States lacks a comprehensive federal data privacy law. Instead, it relies on a patchwork of sector-specific laws and state regulations, such as the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA). One major distinction lies in the overarching principles of these regulations. The EU GDPR adopts a comprehensive and rights-based approach, emphasizing individual rights to privacy, data portability, and the "right to be forgotten." In contrast, the U.S. system often focuses on specific industries or types of data, leading to a more fragmented regulatory landscape. Both regulatory frameworks incorporate principles of transparency, consent, and data breach notification. However, differences in enforcement mechanisms and penalties exist. The EU GDPR imposes significant fines for non-compliance, reaching up to 4% of a company's global annual revenue. In the U.S., penalties vary by state, and enforcement is often reactive, triggered by data breaches. Businesses operating globally must navigate these distinct regulatory landscapes, necessitating a nuanced approach to data privacy compliance. Multinational corporations must adhere to the more stringent requirements when handling EU citizens' data while also considering the diverse regulations within the U.S. This review underscores the ongoing evolution of data privacy laws worldwide and the critical importance for organizations to stay abreast of these developments. It emphasizes the need for a proactive and adaptive approach to data privacy compliance, taking into account the unique requirements and expectations of both the EU GDPR and U.S. regulations. Keywords: Data Privacy, Laws, Compliance, EU GDPR, Regulations.

Peter Traung

DOI: https://doi.org/10.9785/ovs-cri-2012-33

2012-01-01

Computer Law Review International

Abstract:Abstract Among other things, the proposed General Data Protection Regulation aims at substantially reducing fragmentation, administrative burden and cost and to provide clear rules, simplifying the legal environment. This article argues that considerable work is needed to achieve those goals and that the proposal fails to provide either substantial legal certainty or simplification, that it adds administrative burden while leaving ample risk of fragmentation. In particular, the proposal misses the opportunity of strengthening data protection while achieving substantial simplification through abolishing the controller/ processor distinction and allowing transfers with no reduction of the controller’s liability. Large parts of the proposal depend entirely on clarification through delegated acts issued by the Commission. Prospects for those being adopted look dire. Failing either delegated acts or substantial redrafting, those parts may become dead letter or worse. There is a highly problematic obligation to “demonstrate compliance” with the law. The proportionate alternative to a number of other obligations on controllers, such as to maintain various documentation, appoint data protection officers etc, is to include such obligations as possible behavioural sanctions in case of a proven breach of the law. The proposal also appears to raise issues regarding freedom of movement. The impact assessment largely fails to demonstrate a need and net benefit from the proposed additional obligations. It also appears to severely underestimate the costs of the proposals, partly due to what appears to be arithmetic errors. The proposal does interestingly and rudimentarily put a value on personal data, but the approach could be extended.

English Else

Luca Marelli,Marthe Stevens,Tamar Sharon,Ine Van Hoyweghen,Martin Boeckhout,Ilaria Colussi,Alexander Degelsegger-Márquez,Seliem El-Sayed,Klaus Hoeyer,Robin van Kessel,Dorota Krekora Zając,Mihaela Matei,Sara Roda,Barbara Prainsack,Irene Schlünder,Mahsa Shabani,Tom Southerington

DOI: https://doi.org/10.1016/j.healthpol.2023.104861

IF: 3.255

2023-06-28

Health Policy

Abstract:In May 2022, the European Commission issued the Proposal for a Regulation on the European Health Data Space (EHDS), with the aims of granting citizens increased access to and control of their (electronic) health data across the EU, and facilitating health data re-use for research, innovation, and policymaking. As the first in a series of European domain-specific "data spaces", the EHDS is a high-stakes development that will transform health data governance in the EU region. As an international consortium of experts from health policy, law, ethics and the social sciences, we are concerned that the EHDS Proposal will detract from, rather than lead to the achievement of, its stated aims. We are in no doubt on the benefits of using health data for secondary purposes, and we appreciate attempts to facilitate such uses across borders in a carefully curated manner. Based on the current draft Regulation, however, the EHDS risks undermining rather than enhancing patient control over data; hindering rather than facilitating the work of health professionals and researchers; and eroding rather than increasing the public value generated through health data sharing. Therefore, significant adjustments are needed if the EHDS is to realize its promised benefits. Besides analyzing the implications for key groups and European societies at large who will be affected by the implementation of the EHDS, this contribution advances targeted policy recommendations to address the identified shortcomings of the EHDS Proposal.

health care sciences & services,health policy & services

Joseph Liss,David Peloquin,Mark Barnes,Barbara E Bierer

DOI: https://doi.org/10.1093/jlb/lsab032

2021-10-23

Abstract:The Courts of Justice of the European Union (CJEU) held in its July 2020 Schrems II decision that, in order for entities in other countries to import personal data from the European Economic Area (EEA), the importer must be able to provide data protections 'essentially equivalent' to those the EEA offers under its General Data Protection Regulation. The CJEU expressed particular concern that United States' national security intelligence gathering laws prevent U.S.-based entities from providing such protections. This decision has sharply limited the sharing of clinical research data from the EEA to the United States. After describing the pertinent aspects of the Schrems II decision, this article evaluates U.S. national security intelligence gathering frameworks, including Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333. The article then leverages recent draft guidance from the European Data Protection Board to explain how entities may be able to adopt widely used contractual and technical measures, such as data pseudonymization, to provide 'essentially equivalent' protections in the clinical research context.

Simon Gunst,Ferdi De Ville

DOI: https://doi.org/10.54648/eerr2021036

2021-10-01

European Foreign Affairs Review

Abstract:In 2018, the Californian government adopted a new data protection framework. The flagship of this framework is the California Consumer Privacy Act (CCPA). As this new framework is widely considered to resemble the European Union’s (EU’s) General Data Protection Regulation (GDPR), this article intends to investigate whether the Brussels Effect could explain this resemblance. We apply process-tracing to test if the Brussels Effect causally connects the GDPR with the CCPA. The analysis is based on a careful evaluation of three sets of evidence. Firstly, privacy policies of Apple, Facebook, and Google are examined. Secondly, lobbying concerning the alignment of the implementation of the CCPA with the GDPR is scrutinized. Lastly, it is investigated whether the Californian government has used arguments linked to the Brussels Effect while drafting the CCPA and its subsequent implementing regulations. It is concluded that the Brussels Effect has indeed played a role in the adoption of the CCPA. Nevertheless, it has become clear that the impact of the Effect varies depending on exactly which provision of the GDPR is examined. Brussels Effect, process-tracing, California, CCPA, European Union, GDPR, Data Protection, Lobbying, Big Tech

Denis Horgan,Marian Hajduch,Marilena Vrana,Jeannette Soderberg,Nigel Hughes,Muhammad Imran Omar,Jonathan A. Lal,Marta Kozaric,Fidelia Cascini,Verena Thaler,Oriol Solà-Morales,Mário Romão,Frédéric Destrebecq,Edith Sky Gross

DOI: https://doi.org/10.3390/healthcare10091629

2022-08-27

Health Care

Abstract:The May 2022 proposal from the European commission for a 'European health data space' envisages advantages for health from exploiting the growing mass of health data in Europe. However, key stakeholders have identified aspects that demand clarification to ensure success. Data will need to be freed from traditional silos to flow more easily and to cross artificial borders. Wide engagement will be necessary among healthcare professionals, researchers, and the patients and citizens that stand to gain the most but whose trust must be won if they are to allow use or transfer of their data. This paper aims to alert the wider scientific community to the impact the ongoing discussions among lawmakers will have. Based on the literature and the consensus findings of an expert multistakeholder panel organised by the European Alliance for Personalised Medicine (EAPM) in June 2022, it highlights the key issues at the intersection of science and policy, and the potential implications for health research for years, perhaps decades, to come.

health care sciences & services,health policy & services

Paulius Jurcys,Marcelo Corrales Compagnucci,Mark Fenwick

2024-07-30

Abstract:The General Data Protection Regulation contains a blanket prohibition on the transfer of personal data outside of the European Economic Area unless strict requirements are met. The rationale for this provision is to protect personal data and data subject rights by restricting data transfers to countries that may not have the same level of protection as the EEA. However, the ubiquitous and permeable character of new technologies such as cloud computing, and the increased inter connectivity between societies, has made international data transfers the norm and not the exception. The Schrems II case and subsequent regulatory developments have further raised the bar for companies to comply with complex and, often, opaque rules. Many firms are, therefore, pursuing technology-based solutions in order to mitigate this new legal risk. These emerging technological alternatives reduce the need for open-ended cross-border transfers and the practical challenges and legal risk that such transfers create after Schrems. This article examines one such alternative, namely a user-held data model. This approach takes advantage of personal data clouds that allows data subjects to store their data locally and in a more decentralised manner, thus decreasing the need for cross-border transfers and offering end-users the possibility of greater control over their data.

Computers and Society

Federico Fabbrini,Edoardo Celeste

DOI: https://doi.org/10.1017/glj.2020.14

2020-03-01

German Law Journal

Abstract:Abstract This article explores the challenges of the extraterritorial application of the right to be forgotten and, more broadly, of EU data protection law in light of the recent case law of the ECJ. The paper explains that there are good arguments for the EU to apply its high data protection standards outside its borders, but that such an extraterritorial application faces challenges, as it may clash with duties of international comity, legal diversity, or contrasting rulings delivered by courts in other jurisdictions. As the article points out from a comparative perspective, the protection of privacy in the digital age increasingly exposes a tension between efforts by legal systems to impose their high standards of data protection outside their borders – a dynamic which could be regarded as ‘imperialist’ – and claims by other legal systems to assert their own power over data – a dynamic which one could name ‘sovereigntist’. As the article suggests, navigating between the Scylla of imperialism and the Charybdis of sovereigntism will not be an easy task. In this context, greater convergence in the data protection framework of liberal democratic systems worldwide appears as the preferable path to secure privacy in the digital age.

Alexander Bernier,Fruzsina Molnár-Gábor,Bartha M Knoppers,Pascal Borry,Priscilla M D G Cesar,Thijs Devriendt,Melanie Goisauf,Madeleine Murtagh,Pilar Nicolás Jiménez,Mikel Recuero,Emmanuelle Rial-Sebbag,Mahsa Shabani,Rebecca C Wilson,Davide Zaccagnini,Lauren Maxwell

DOI: https://doi.org/10.1038/s41431-023-01403-y

Abstract:The coming-into-force of the EU General Data Protection Regulation (GDPR) is a watershed moment in the legal recognition of enforceable rights to informational self-determination. The rapid evolution of legal requirements applicable to data use, however, has the potential to outstrip the capabilities of networks of biomedical data users to respond to the shifting norms. It can also delegitimate established institutional bodies that are responsible for assessing and authorising the downstream use of data, including research ethics committees and institutional data custodians. These burdens are especially pronounced for clinical and research networks that are of transnational scale, because the legal compliance burden for outbound international data transfers from the EEA is especially high. Legislatures, courts, and regulators in the EU should therefore implement the following three legal changes. First, the responsibilities of particular actors in a data sharing network should be delimited through the contractual allocation of responsibilities between collaborators. Second, the use of data through secure data processing environments should not trigger the international transfer provisions of the GDPR. Third, the use of federated data analysis methodologies that do not provide analysis nodes or downstream users access to identifiable personal data as part of the outputs of those analyses should not be considered circumstances of joint controllership, nor lead to the users of non-identifiable data to be considered controllers or processors. These small clarifications of, or modifications to, the GDPR would facilitate the exchange of biomedical data amongst clinicians and researchers.

Elif Erdemoglu

DOI: https://doi.org/10.1007/978-94-6265-144-9_7

2016-01-01

Abstract:The discussion on the regulation on citizens’ right to privacy grows parallel to the widespread usage and collection of Big Data. This chapter analyses from a law and economics perspective the discussion on the European Union (EU) citizens’ rights to privacy with regards to collection, retention, analysis and transfer of personal data in light of the EU General Data Protection Regulation (GDPR). The GDPR is drafted in coherence with the EU Digital Market Strategy, which aims to create the correct incentives for digital networks and services to flourish by providing trustworthy infrastructure supported by the right regulations. A significant part of achieving this aim would require the EU citizens to trust in using digital services. The GDPR is designed to increase the citizens’ trust to use online and digital services by obliging the service providers to comply with the GDPR. This chapter analyses two key compliance requirements of the GDPR through the economic analysis lens and proposes possible changes to the GDPR in line with the Digital Single Market Strategy of the EU. The scope of this chapter’s analysis is limited to how to cure information asymmetries between the citizens and the data collectors in order to increase the citizens’ trust in using digital services given the fast-changing and delicate legal issues arising from collecting the personal data of the EU citizens. This chapter concludes by suggesting three improvements to the GDPR; more frequent controls for issuing the EU Data Protection Seal, increased independence of the Data Protection Controller and issuance of publicly available, frequent privacy ratings.

Weber Philip Andreas,Zhang Nan,Wu Haiming

DOI: https://doi.org/10.1007/s10660-020-09422-3

2020-01-01

Electronic Commerce Research

Abstract:The growth of e-commerce and other platforms has significantly increased the amount of personal data that is shared and submitted online; however, the adequate and secure collection and processing of these data is of great concern. With the EU’s implementation of a new data protection regulation in 2018, the development of personal data protection globally has reached an important turning point and has sparked the interest of scholars and businesses. Text coding was employed to compare the current personal data protection regulation landscape in the EU and in China to discover the differences between the General Data Protection Regulation and the personal data protection regulations of the fastest-growing economy in e-commerce. The results show that while there are several similarities in regard to general requirements, such as principles of data processing and basic rights for data subjects, China’s personal data protection regulations tend to lack specific operational requirements and strong legal enforcement. Based on the research results, implications and recommendations for the government and companies are provided.

Ellie Graeden,David Rosado,Tess Stevens,Mallory Knodel,Rachele Hendricks-Sturrup,Andrew Reiskind,Ashley Bennett,John Leitner,Paul Lekas,Michelle DeMooy

2023-08-25

Abstract:Under the current regulatory framework for data protections, the protection of human rights writ large and the corresponding outcomes are regulated largely independently from the data and tools that both threaten those rights and are needed to protect them. This separation between tools and the outcomes they generate risks overregulation of the data and tools themselves when not linked to sensitive use cases. In parallel, separation risks under-regulation if the data can be collected and processed under a less-restrictive framework, but used to drive an outcome that requires additional sensitivity and restrictions. A new approach is needed to support differential protections based on the genuinely high-risk use cases within each sector. Here, we propose a regulatory framework designed to apply not to specific data or tools themselves, but to the outcomes and rights that are linked to the use of these data and tools in context. This framework is designed to recognize, address, and protect a broad range of human rights, including privacy, and suggests a more flexible approach to policy making that is aligned with current engineering tools and practices. We test this framework in the context of open banking and describe how current privacy-enhancing technologies and other engineering strategies can be applied in this context and that of contract tracing applications. This approach for data protection regulations more effectively builds on existing engineering tools and protects the wide range of human rights defined by legislation and constitutions around the globe.

Computers and Society

Marco Cremonini

2023-08-03

Abstract:Privacy is an increasingly feeble constituent of the present datafied world and apparently the reason for that is clear: powerful actors worked to invade everyone's privacy for commercial and surveillance purposes. The existence of those actors and their agendas is undeniable, but the explanation is overly simplistic and contributed to create a narrative that tends to preserve the status quo. In this essay, I analyze several facets of the lack of online privacy and idiosyncrasies exhibited by privacy advocates, together with characteristics of the industry mostly responsible for the datafication process and why its asserted high effectiveness should be openly inquired. Then I discuss of possible effects of datafication on human behavior, the prevalent market-oriented assumption at the base of online privacy, and some emerging adaptation strategies. In the last part, the regulatory approach to online privacy is considered. The EU's GDPR is praised as the reference case of modern privacy regulations, but the same success hinders critical aspects that also emerged, from the quirks of the institutional decision process, to the flaws of the informed consent principle. A glimpse on the likely problematic future is provided with a discussion on privacy related aspects of EU, UK, and China's proposed generative AI policies.

Computers and Society