Alison Cool

DOI: https://doi.org/10.1177/0306312719846557

2019-05-06

Social Studies of Science

Abstract:On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) came into force. EU citizens are granted more control over personal data while companies and organizations are charged with increased responsibility enshrined in broad principles like transparency and accountability. Given the scope of the regulation, which aims to harmonize data practices across 28 member states with different concerns about data collection, the GDPR has significant consequences for individuals in the EU and globally. While the GDPR is primarily intended to regulate tech companies, it also has important implications for data use in scientific research. Drawing on ethnographic fieldwork with researchers, lawyers and legal scholars in Sweden, I argue that the GDPR’s flexible accountability principle effectively encourages researchers to reflect on their ethical responsibility but can also become a source of anxiety and produce unexpected results. Many researchers I spoke with expressed profound uncertainty about ‘impossible’ legal requirements for research data use. Despite the availability of legal texts and interpretations, I suggest we should take researchers’ concerns about ‘unknowable’ data law seriously. Many researchers’ sense of legal ambiguity led them to rethink their data practices and themselves as ethical subjects through an orientation to what they imagined as the ‘real people behind the data’, variously formulated as a Swedish population desiring data use for social benefit or a transnational public eager for research results. The intentions attributed to people, populations and publics – whom researchers only encountered in the abstract form of data – lent ethical weight to various and sometimes conflicting decisions about data security and sharing. Ultimately, researchers’ anxieties about their inability to discern the desires of the ‘real people’ lent new appeal to solutions, however flawed, that promised to alleviate the ethical burden of personal data.

history & philosophy of science

Elif Erdemoglu

DOI: https://doi.org/10.1007/978-94-6265-144-9_7

2016-01-01

Abstract:The discussion on the regulation on citizens’ right to privacy grows parallel to the widespread usage and collection of Big Data. This chapter analyses from a law and economics perspective the discussion on the European Union (EU) citizens’ rights to privacy with regards to collection, retention, analysis and transfer of personal data in light of the EU General Data Protection Regulation (GDPR). The GDPR is drafted in coherence with the EU Digital Market Strategy, which aims to create the correct incentives for digital networks and services to flourish by providing trustworthy infrastructure supported by the right regulations. A significant part of achieving this aim would require the EU citizens to trust in using digital services. The GDPR is designed to increase the citizens’ trust to use online and digital services by obliging the service providers to comply with the GDPR. This chapter analyses two key compliance requirements of the GDPR through the economic analysis lens and proposes possible changes to the GDPR in line with the Digital Single Market Strategy of the EU. The scope of this chapter’s analysis is limited to how to cure information asymmetries between the citizens and the data collectors in order to increase the citizens’ trust in using digital services given the fast-changing and delicate legal issues arising from collecting the personal data of the EU citizens. This chapter concludes by suggesting three improvements to the GDPR; more frequent controls for issuing the EU Data Protection Seal, increased independence of the Data Protection Controller and issuance of publicly available, frequent privacy ratings.

Alex Bowyer,Jack Holt,Josephine Go Jefferies,Rob Wilson,David Kirk,Jan David Smeddinck

DOI: https://doi.org/10.1145/3491102.3501947

2022-03-10

Abstract:In our data-centric world, most services rely on collecting and using personal data. The EU's General Data Protection Regulation (GDPR) aims to enhance individuals' control over their data, but its practical impact is not well understood. We present a 10-participant study, where each participant filed 4-5 data access requests. Through interviews accompanying these requests and discussions scrutinising returned data, it appears that GDPR falls short of its goals due to non-compliance and low-quality responses. Participants found their hopes to understand providers' data practices or harness their own data unmet. This causes increased distrust without any subjective improvement in power, although more transparent providers do earn greater trust. We propose designing more effective, data-inclusive and open policies and data access systems to improve both customer relations and individual agency, and also that wider public use of GDPR rights could help with delivering accountability and motivating providers to improve data practices.

Human-Computer Interaction

Katarzyna Kolasa,W Ken Redekop,Alexander Berler,Vladimir Zah,Carl V Asche

DOI: https://doi.org/10.1007/s40273-020-00927-1

PharmacoEconomics

Abstract:The development of evidence to demonstrate 'value for money' is regarded as an important step in facilitating the search for the optimal allocation of limited resources and has become an essential component in healthcare decision making. Real-world evidence collected from de-identified individuals throughout the continuum of healthcare represents the most valuable source in technology evaluation. However, in the European Union, the value assessment based on real-world data has become challenging as individuals have recently been given the right to have their personal data erased in the case of consent withdrawal or when the data are regarded as being no longer necessary. This act may limit the usefulness of data in the future as it may introduce information bias. Among healthcare stakeholders, this has become an important topic of discussion because it relates to the importance of data on one side and to the need for personal data protection on the other side, especially when it comes to "personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about his or her health status". At the forefront of these discussions are data protection issues as well as the population's trust in digital services. It seems that the new era has begun, where citizens and patients will have the ability to manage their personal or self-generated data. The European Commission has laid the groundwork for this paradigm shift that will steadily emerge in the coming years. To prepare for this change, we believe attention should be given to data security and other rules of data privacy. It has become increasingly important to ensure that individuals are properly introduced into complex environments with multiple sources of Big Data for clinical and behavioral purposes to provide an optimal balance between societal and individual benefits. In this article, a number of issues are considered and discussed, based upon the authors' experience, with the aim of helping the reader better understand the implications of the use of Big Data and the importance of data protection in the coming years.

Asia J. Biega,Michèle Finck

DOI: https://doi.org/10.48550/arXiv.2101.06203

2021-01-15

Computers and Society

Abstract:This paper determines whether the two core data protection principles of data minimisation and purpose limitation can be meaningfully implemented in data-driven systems. While contemporary data processing practices appear to stand at odds with these principles, we demonstrate that systems could technically use much less data than they currently do. This observation is a starting point for our detailed techno-legal analysis uncovering obstacles that stand in the way of meaningful implementation and compliance as well as exemplifying unexpected trade-offs which emerge where data protection law is applied in practice. Our analysis seeks to inform debates about the impact of data protection on the development of artificial intelligence in the European Union, offering practical action points for data controllers, regulators, and researchers.

Serge Abiteboul,Julia Stoyanovich

DOI: https://doi.org/10.48550/arXiv.1903.03683

2019-03-09

Abstract:The data revolution continues to transform every sector of science, industry and government. Due to the incredible impact of data-driven technology on society, we are becoming increasingly aware of the imperative to use data and algorithms responsibly -- in accordance with laws and ethical norms. In this article we discuss three recent regulatory frameworks: the European Union's General Data Protection Regulation (GDPR), the New York City Automated Decisions Systems (ADS) Law, and the Net Neutrality principle, that aim to protect the rights of individuals who are impacted by data collection and analysis. These frameworks are prominent examples of a global trend: Governments are starting to recognize the need to regulate data-driven algorithmic technology. Our goal in this paper is to bring these regulatory frameworks to the attention of the data management community, and to underscore the technical challenges they raise and which we, as a community, are well-equipped to address. The main take-away of this article is that legal and ethical norms cannot be incorporated into data-driven systems as an afterthought. Rather, we must think in terms of responsibility by design, viewing it as a systems requirement.

Databases,Computers and Society

Regina Becker,Davit Chokoshvili,Adrian Thorogood,Edward S Dove,Fruzsina Molnár-Gábor,Alexandra Ziaka,Olga Tzortzatou-Nanopoulou,Giovanni Comandè

DOI: https://doi.org/10.1093/jlb/lsae001

IF: 3.4

2024-01-01

Journal of Law and the Biosciences

Abstract:Abstract The General Data Protection Regulation (GDPR) of the European Union, which became applicable in 2018, contains a new accountability principle. Under this principle, controllers (ie parties determining the purposes and the means of the processing of personal data) are responsible for ensuring and demonstrating the overall compliance with the GDPR. However, interpretive uncertainties of the GDPR mean that controllers must exercise considerable judgement in designing and implementing an appropriate compliance strategy, making GDPR compliance both complex and resource-intensive. In this article, we provide conceptual clarity around GDPR compliance with respect to one core aspect of the law: the determination and relevance of the purpose of personal data processing. We derive from the GDPR’s text concrete requirements for purpose specification, which we subsequently apply to the area of secondary use of personal data for scientific research. We offer guidance for correctly specifying purposes of data processing under different research scenarios. To illustrate the practical necessity of purpose specification for GDPR compliance, we then show how our proposed approach can enable controllers to meet their compliance obligations, using the example of the overarching GDPR principle of lawfulness to highlight the relevance of purpose specification for the identification of a suitable legal basis.

ethics,law,medicine, legal,medical ethics

Abstract:1. The digital economy holds many advantages for consumers and citizens. Online services offer unpreceden­ ted scope for social connections, innovation and efficient problem-solving. At the same time, users of these services disclose masses of information about themselves. The volume and variety of data generated cannot be handled by traditional data mining and analysis technologies, but control of this information is now increasingly possible thanks to the development known as ‘big data’ (1). Extracting value from big data has become a significant source of power for the biggest players in internet markets. Not all big data is per­ sonal, but for many online offerings which are presented or perceived as being ‘free’, personal information operates as a sort of indispensable currency used to pay for those services. As well as benefits, therefore, these growing markets pose specific risks to consumer welfare and to the rights to privacy and data protection.

Law,Political Science,Computer Science

Polonca Kovač,Grega Rudolf

DOI: https://doi.org/10.17573/cepar.2022.1.01

2022-05-30

Central European Public Administration Review

Abstract:Purpose: The primary objective of the present research is to identify the basic tools and restrictions concerning the protection of privacy and personal data in the EU and China as two fundamentally different cultural systems. Based on the socio-cultural analysis of backgrounds, trends and expert assessments, the research aims to examine whether privacy protection standards, such as those provided by the GDPR in the EU, are sufficiently robust to endure the digital age. Two different cultural frameworks have been analysed in order to understand their influence on practical behaviours regarding the democratic safeguards in privacy rights enforcement in the EU compared with China. This is accomplished by comparing social control in the EU and the social credit system in China. Design/Methodology/Approach: Considering the administrative context, a combined qualitative approach is applied, including normative and dogmatic methods, literature analysis, sociological and historical methods, expert interviews, and comparative and axiological methods. Findings: The results of both theoretical and empirical parts of the research suggest that the stricter regulation in the EU compared to China – in the sense of more consistent protection of privacy and personal data as well as transparency rights – can be attributed to its democratic protection of human rights and more definitive regulations, particularly the GDPR. These major differences seem to create an even deeper gap in the future, to be explored scientifically and in practice. The authors conclude that authorities must actively guarantee the rights related to privacy and personal data protection, or else effective governance will lead to a surveillance society and erosion of individuals’ freedom as a valuable civilizational asset. Academic contribution to the field: The research contributes to administrative science by addressing one of the key concepts of modern public governance, namely the collision between the principles of effectiveness and transparency on the one hand and privacy on the other. The use of scientific methods paves the way for further comparisons. Practical Implications: The article provides a concise overview of the relevant literature and an analysis of the rules that underpin the implementation, evaluation and improvement of regulations, especially in the light of ICT development, e.g. in times of the Covid-19 pandemic. Originality/Value: The paper bridges the gap created by the differences in the understanding of privacy and public governance in the field in the EU and China based on cultural differences. The usual general or merely law- or technology-based analyses are upgraded with a combination of various research methods.

Chris Jay Hoofnagle,Bart van der Sloot,Frederik Zuiderveen Borgesius

DOI: https://doi.org/10.1080/13600834.2019.1573501

2019-01-02

Abstract:This paper introduces the strategic approach to regulating personal data and the normative foundations of the European Union’s General Data Protection Regulation (‘GDPR’). We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR’s approach and provisions; and make predictions about the GDPR’s implications. We also highlight where the GDPR takes a different approach than U.S. privacy law. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed regulatory regime, that will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some information-intensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches.

Luca Marelli,Giuseppe Testa,Ine Van Hoyweghen

DOI: https://doi.org/10.1177/20539517211018783

2021-01-01

Abstract:The emergence of a global industry of digital health platforms operated by Big Tech corporations, and its growing entanglements with academic and pharmaceutical research networks, raise pressing questions on the capacity of current data governance models, regulatory and legal frameworks to safeguard the sustainability of the health research ecosystem. In this article, we direct our attention toward the challenges faced by the European General Data Protection Regulation in regulating the potentially disruptive engagement of Big Tech platforms in health research. The General Data Protection Regulation upholds a rather flexible regime for scientific research through a number of derogations to otherwise stricter data protection requirements, while providing a very broad interpretation of the notion of “scientific research”. Precisely the breadth of these exemptions combined with the ample scope of this notion could provide unintended leeway to the health data processing activities of Big Tech platforms, which have not been immune from carrying out privacy-infringing and socially disruptive practices in the health domain. We thus discuss further finer-grained demarcations to be traced within the broadly construed notion of scientific research, geared to implementing use-based data governance frameworks that distinguish health research activities that should benefit from a facilitated data protection regime from those that should not. We conclude that a “re-purposing” of big data governance approaches in health research is needed if European nations are to promote research activities within a framework of high safeguards for both individual citizens and society.

social sciences, interdisciplinary

Divya Shanmugam,Samira Shabanian,Fernando Diaz,Michèle Finck,Asia Biega

DOI: https://doi.org/10.48550/arXiv.2107.08096

2022-06-13

Abstract:Modern machine learning systems are increasingly characterized by extensive personal data collection, despite the diminishing returns and increasing societal costs of such practices. Yet, data minimisation is one of the core data protection principles enshrined in the European Union's General Data Protection Regulation ('GDPR') and requires that only personal data that is adequate, relevant and limited to what is necessary is processed. However, the principle has seen limited adoption due to the lack of technical interpretation. In this work, we build on literature in machine learning and law to propose FIDO, a Framework for Inhibiting Data Overcollection. FIDO learns to limit data collection based on an interpretation of data minimization tied to system performance. Concretely, FIDO provides a data collection stopping criterion by iteratively updating an estimate of the performance curve, or the relationship between dataset size and performance, as data is acquired. FIDO estimates the performance curve via a piecewise power law technique that models distinct phases of an algorithm's performance throughout data collection separately. Empirical experiments show that the framework produces accurate performance curves and data collection stopping criteria across datasets and feature acquisition algorithms. We further demonstrate that many other families of curves systematically overestimate the return on additional data. Results and analysis from our investigation offer deeper insights into the relevant considerations when designing a data minimization framework, including the impacts of active feature acquisition on individual users and the feasability of user-specific data minimization. We conclude with practical recommendations for the implementation of data minimization.

Machine Learning,Computers and Society,Information Retrieval

Victoria Chico

DOI: https://doi.org/10.1093/bmb/ldy038

2018-11-17

British Medical Bulletin

Abstract:Background: On the May 25, 2018 the General Data Protection Regulation (hereafter the GDPR or the Regulation) came into force, replacing the Data Protection Directive 95/46/EC (upon which the Data Protection Act 1998 is based), and imposing new responsibilities on organizations which process the data of European Union citizens.Sources of data: This piece examines the impact of the Regulation on health research.Areas of agreement: The Regulation seeks to harmonize data privacy laws across Europe, to protect and empower all EU citizen's data privacy and to reshape the way that organizations approach data privacy (See the GDPR portal at: https://www.eugdpr.org/ (accessed 8 May 2018). As a Regulation the GDPR is directly applicable in all member states as opposed to a directive which requires national implementing measures (In the UK the Data Protection Act 1998 was the implementing legislation for the Data Protection Directive 95/46/EC.).Areas of controversy: The Regulation is sector wide, but its impact on organizations us sector specific. In some sectors, the Regulation inhibits the processing of personal data, whilst in others it enables that processing. The Regulation takes the position that the 'processing of data should be designed to serve mankind' (Recital 4). Whilst it does not spell out what exactly is meant by this, it indicates that a proportionate approach will be taken to the protection of personal data, where that data can be processed for common goods such as healthcare. Thus, the protection of personal data is not absolute, but considered in relation to its function in society and balance with other fundamental rights in accordance with the principle of proportionality (Recital 4). Differing interpretations of proportionality can detract from the harmonization objective of the Regulation.Growing points: Reflecting the commitment to proportionality, scientific research holds a privileged position in the Regulation. Throughout the Regulation provision is made for organizations that process personal data for scientific research purposes to avoid restrictive measures which might impede the increase of knowledge. However, the application of the Regulation differs across health research sectors and across jurisdictions. Transparency and engagement across the health research sector is required to promote alignment.Areas timely for developing research: Research which focuses on the particular problems which arise in the context of the regulation's application to health research would be welcome. Particularly in the context of the operation of the Regulation alongside the duty of confidentiality and the variation in approaches across Member States.

medicine, general & internal

Mirosław Tokarski

DOI: https://doi.org/10.37105/sd.86

2020-11-19

Abstract:The process of establishing normative acts in the European Union does not occur out of nowhere, but in the context of specific social needs. That was the case of the genesis of establishing legal regulations regarding the protection of personal data in the European Union. Socio-economic integration, which resulted from the functioning of internal market in the European Union, has led to a significant increase in cross-border transfers of personal data. It led to situation in which various economic operators or state institutions of the Member States have increasingly processed the personal data of the EU citizens. Within time, these data have become an equally valuable commodity - not to say even more valuable – compared to goods and services (Costa-Cabral, and Lynskey Orla, 2017, p. 11). Making use of personal data on a large scale especially by public and private entities, associations and companies over time has posed a threat to the security of personal data. This has made it necessary to introduce legal protection measures for personal data in the European Union that would eliminate the negative effects of any form of personal data processing. The purpose of this article is to evaluate legal regulations regarding legislative protection of personal data in the European Union against the background of EU Regulation 2016/679 of the European Parliament and the Council with respect to the protection of individuals due to processing personal data, its free movement and repealing Directive 95/46/EC (hereinafter referred to as Regulation 2016/679). Due to initially adopted purpose of the considerations there arose a problem which was formulated in the form of a question: Do the legal measures introduced by the Regulation constitute an effective tool for the protection of personal data in the event of a violation of the law by personal data administrators and entities while processing such data? The presented purpose of the considerations and the research problem determined the order of the analysis.

English Else

Wenlong Li,Zihao Li,Wenkai Li,Yueming Zhang,Aolan Li

2024-07-19

Abstract:In the realm of data protection, a striking disconnect prevails between traditional domains of doctrinal, legal, theoretical, and policy-based inquiries and a burgeoning body of empirical evidence. Much of the scholarly and regulatory discourse remains entrenched in abstract legal principles or normative frameworks, leaving the empirical landscape uncharted or minimally engaged. Since the birth of EU data protection law, a modest body of empirical evidence has been generated but remains widely scattered and unexamined. Such evidence offers vital insights into the perception, impact, clarity, and effects of data protection measures but languishes on the periphery, inadequately integrated into the broader conversation. To make a meaningful connection, we conduct a comprehensive review and synthesis of empirical research spanning nearly three decades (1995- March 2022), advocating for a more robust integration of empirical evidence into the evaluation and review of the GDPR, while laying a methodological foundation for future empirical research.

Computers and Society,Artificial Intelligence,Human-Computer Interaction,Information Theory

Elena Gil González,Paul de Hert

DOI: https://doi.org/10.1007/s12027-018-0546-z

2019-02-05

ERA Forum

Abstract:This contribution looks at the legal grounds for data processing (‘when is one allowed to collect and use data on others?’) according to the General Data Protection Regulation (GDPR). It then addresses the specific regime for profiling both by solely automated and non-automated means. What is the most suitable lawful basis for this specific, sometimes controversial kind of processing?The vagueness and subjectivity of various relevant GDPR provisions in this matter can undermine legal certainty. Data protection principles such as transparency and overall fairness as enshrined in Article 5 GDPR may in this case serve as a resort to identify appropriate checks and balances. Additional understanding can be found outside data protection legislation—for instance, in competition law.

Daniar Supriyadi

DOI: https://doi.org/10.53955/jhcls.v3i1.71

2023-02-14

Abstract:Data protection laws provide minimum protections for personal data, as well as facilitate the free flow of such data, by setting out principles and rules for legitimate data processing. In the big data context, personal data may not be as easy to distinguish as in traditional data processing, and that makes policy-makers and businesses turn to the identifiability concept: in other words, what data are personal. This research is based on doctrinal legal researchon the legal theory (concepts, rules, and principles) concerning data protection in the EU and Indonesia. The results of the research show that the understand such paramount terminology in data protection law, relevant factors are presented to assess the direct or indirect identification of a natural person. In the EU data protection law, the test entails, for example, risk-based measures and technological development, whereas Indonesian law on data protection has not yet established such assessments. Data within big data operations traditionally falls under the scope of data protection laws only if it discloses the private life of individuals, such as names or other civil identities, but without further conditions to ascertain whether the data can be indirectly identified with an individual.

Radu-Mihai Dumitrescu

2018-07-01

Abstract:The protection of patients' personal and medical data has always been an important subject for medical practice, with explicit regulations being implemented. Whether we are talking about civil and criminal codes or laws governing the medical profession, they all seek to protect fundamental human rights. The confidentiality of medical data is maintained even after the death of the patient, this aspect being governed since the profiling of the physician profession through the Hippocratic Oath. Discussions on privacy and confidentiality occupy an important place in sociological, medical, legal, ethical and anthropological literature. There are references to the benefits gained by improving accessibility to data as they migrate to computer environments. Along with the technological evolution, all of this data has been transferred to electronic systems. A major concern with the trend towards electronic health records focuses on protecting privacy and patient confidentiality (Vanderminden and Potter, 2016). Data transfer, as well as their processing through many computer systems belonging to different public and private entities, brings new challenges at the individual and social level. Under the protection afforded by the right of individuals to access to information and the current tendency to ease access to information, a number of institutions have created online portals that manage a huge amount of data. The way these data are processed in accordance with the rights of the individual remains an issue that is not fully resolved. 1 Faculty of Sociology and Social Work, University of Bucharest, Bucharest, Romania, dum_mihu@yahoo.com Journal of Comparative Research in Anthropology and Sociology, Volume 9, Number 1, Summer 2018 2 On the occasion of a doctoral research on medical malpractice, I conducted the interrogation of the portal of Romanian courts (http://portal.just.ro). A huge amount of data can be obtained easily in a short time. In the context of the expected impact of the implementation of the GDPR (General Data Protection Regulation) in relation to the functioning of the public institutions, I conducted a qualitative research looking at how medical data and personal data are managed by the courts. Decisions of the courts published in the jurisprudence section have been analyzed. The paper analyzes the compliance of the judicial public institutions with the data protection legislation considered in the paradigm of institutional logic. We can assume that the individualistic principle exercised by the professional institution (the medical profession) can conflict and require a balancing with the utilitarian, collective principle, which can explain some of the state institution's actions (courts of justice). GDPR aims to reinforce existing legal provisions. GDPR does not seem to bring about changes in the substance of laws or doctrines on data confidentiality, but appears to be a form of supra-state control. The way in which GDPR will influence policies and practices regarding the processing of personal and medical data will be analyzed with the passage of time.

Law,Business

Kirill Belogubets

DOI: https://doi.org/10.1007/s12027-021-00663-9

2021-04-15

ERA Forum

Abstract:The article discusses recent judgments of the European Court of Human Rights on the collection of personal data for preventing, detecting or investigating criminal offences. The article delves into three national frameworks permitting the police to process, for a period or indefinitely, several categories of data in respect of persons who were suspected of the offences of varying gravity and were (not) convicted of them. It transpires from the case law that the States' margin of appreciation (i) was narrowed for indefinite processing of a convicted person's DNA profile, (ii) was not overstepped on account of processing – for several years – a non-convicted person's less sensitive data, where the decision-making was based on that person's previous criminal convictions and where the law contained adequate safeguards.

Bart Custers,Francien Dechesne,Alan M. Sears,Tommaso Tani,Simone van der Hof

DOI: https://doi.org/10.1016/j.clsr.2017.09.001

2018-04-01

Abstract:Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement. The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protections authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not in all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.

law