With the Brexit transition period ending on 31 December 2020, and no deal in sight, the future of cross-border data transfers between the European Economic Area (the EEA) and the United Kingdom remains unclear. On 1 January 2021, the United Kingdom will be considered as a “third country” and, unless a Brexit deal is proposed dealing with data protection and how data transfers between the EEA and the United Kingdom are to be treated, it could be significantly more difficult for European Union (EU)-based entities to transfer personal data to the United Kingdom.
On 7 September 2020, the European Data Protection Board (“EDPB”) initiated a public consultation on draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Any interested party could provide comments by 19 October 2020 using the dedicated form.
Cymone Gosnell
In 2016, the European Union (“EU”) created heightened data privacy rights for its citizens by enacting the General Data Privacy Regulation (“GDPR”). The most drastic change from the previous regulation, enacted in 1995, lies within the expanded territorial scope. The change now subjects companies to fines for violations of the regulation, even if those companies are not domiciled in the EU. Data privacy has always been considered a fundamental human right in the EU; however, within the United States, there is no fundamental right to privacy. Rather, the country’s privacy laws are based on a complicated sectoral structure that often leaves the country’s citizens confused as to what rights they actually have. This paper will review the EU and United States’ fundamental differences in privacy laws, the changes implemented by the GDPR (including the expanded territorial scope), the compliance plans of some major players within the United States, and what the future looks like for American businesses that hold or process the data of EU citizens under the GDPR.
Vagelis Papakonstantinou | Paul de Hert
In this article, we provide an overview of the literature on chilling effects and corporate profiling, while also connecting the two topics. We start by explaining how profiling, in an increasingly data-rich environment, creates substantial power asymmetries between users and platforms (and corporations more broadly). Inferences and the increasingly automated nature of decision-making, both based on user data, are essential aspects of profiling. We then connect chilling effects theory and the relevant empirical findings to corporate profiling. In this article, we first stress the relationship and similarities between profiling and surveillance. Second, we describe chilling effects as a result of state and peer surveillance, specifically. We then show the interrelatedness of corporate and state profiling, and finally spotlight the customization of behaviour and behavioural manipulation as particularly significant issues in this discourse. This is complemented with an exploration of the legal foundations of profiling through an analysis of European and US data protection law. We find that while Europe has a clear regulatory framework in place for profiling, the US primarily relies on a patchwork of sector-specific or state laws. Further, there is an attempt to regulate differential impacts of profiling via anti-discrimination statutes, yet few policies focus on combating generalized harms of profiling, such as chilling effects. Finally, we devise four concise propositions to guide future research on the connection between corporate profiling and chilling effects.
This report summarizes economic analyses of the consequences of GDPR for investment in new technology ventures in the European Union (EU). The analyses distinguish between the impacts on foreign and non-foreign investment, between younger and more established ventures, and between more and less data-reliant ventures. The results, utilizing global venture data, indicate that GDPR’s effects on investment in EU ventures are broadly negative, and particularly so for foreign investments, younger ventures, and data-reliant firms. The findings demonstrate a post-GDPR average reduction of 26.10% in the overall number of monthly EU deals and a 33.80% reduction in the average dollar amount raised per deal.
The right to data protection set out in Article 8 of the EU Charter of Fundamental Rights had played a pioneering role in the development of EU fundamental rights jurisprudence. Schecke and Eifert became the first to deal a fatal blow to specific legislative provisions that were deemed incompatible with the Charter requirements. Digital Rights Ireland led to the annulment of an entire legislative instrument on the same basis. Moreover, in Schrems, the Court elaborated on the essence of the related right to respect for private life, indicating that it was this level of fundamental rights protection that served as the benchmark to assess the adequacy of the data protection offered by third countries.
In the wake of the adoption of the European Union’s General Data Protection Regulation (GDPR) in May 2018, other countries and jurisdictions have contemplated personal data privacy legislation. In August 2018, the former president of Brazil, Michel Temer, signed the country’s comprehensive data privacy regulation, Lei Geral de Proteção de Dados Pessoais (LGPD), into law. Temer, however, vetoed many of the enforcement provisions. Shortly before leaving office, Temer signed an executive order creating a regulatory agency as the bill initially called for, but situated the agency under executive control instead of creating a wholly independent agency. This Note provides a brief history of the evolution of data privacy protections in both the European Union and Brazil and compares the GDPR and LGPD. This Note argues that the agency created by Temer is not enough to ensure compliance with Brazil’s new law and proposes adoption of the GDPR’s enforcement mechanisms to compel compliance in Brazil.
The register of one-stop-shop decisions is now live on the EDPB website. It contains access to summaries and final decisions adopted by the Lead Supervisory Authorities (LSAs), working together with other concerned authorities. The decisions concern a range of data protection compliance issues, in particular data subject rights, lawfulness of processing, data breaches, security, and transparency requirements. In many cases, the LSAs concluded there was no violation of the GDPR. In the event there was a violation, the LSAs, for the most part, issued reprimands or compliance orders, rather than fines.
The Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) recently announced that it levied a €600,000 fine on banking institution UniCredit for several violations of the Italian Personal Data Protection Code, in its pre-General Data Protection Regulation (“GDPR”) form.
Today, just over two years after its entry into application, the European Commission published an evaluation report on the General Data Protection Regulation (GDPR). The report shows the GDPR has met most of its objectives, in particular by offering citizens a strong set of enforceable rights and by creating a new European system of governance and enforcement. The GDPR proved to be flexible to support digital solutions in unforeseen circumstances such as the Covid-19 crisis. The report also concludes that harmonisation across the Member States is increasing, although there is a certain level of fragmentation that must be continually monitored. It also finds that businesses are developing a compliance culture and increasingly use strong data protection as a competitive advantage. The report contains a list of actions to facilitate further the application of the GDPR for all stakeholders, especially for Small and Medium Sized companies, to promote and further develop a truly European data protection culture and vigorous enforcement.