Dissertations / Theses on the topic 'Data protection – Europe'

It has been well documented that the unprecedented use of computerized technology to process personal information in the 1960s in Europe and the US led to concerns about individual privacy, which resulted in the introduction of a branch of law regulating the processing of personal data, known today as personal data protection law. Over the years, this relatively new domain of law has introduced rights and obligations which appear to have the capacity to regulate a vast variety of domains of activity as long as they involve processing information about humans. This publication-based thesis regroups five published/accepted articles which generally seek to appreciate the significance of rights and obligations of this branch of law within the EU and Africa. The Chapters in this thesis focus on a limited variety of selected themes in data protection law. The first Chapter addresses the lack of clarification of the meaning of a breach of security in EU data protection law, and the second Chapter examines the level of personal data security protection guaranteed by African regional data protection instruments. The third and fourth Chapters both explore the potential effect of the transposition of EU data protection legal standards into African soil, respectively focusing on the processing of public examination results and on curtailing the prevalence of teacher-student abuses on university campuses. The fifth and final Chapter presents a comparative analysis between the EU GDPR, the Ghanaian Data Protection Act 2012 and Kenyan Data Protection Act 2019 in their approaches to consolidate the OECD data protection principles. The thesis conclusively finds that transposing EU data protection standards into Africa could help regulate some under-regulated domains of activity. But the continent's institutions still need to do a lot in terms of harmonising and promoting personal data protection law among its countries.

Le commerce électronique B to C se popularise de plus en plus et le nombre de ses adeptes ne cesse de croître d'année en année. Ses avantages, pour les consommateurs, en termes de rapidité, de commodité et de proximité ne sont plus à prouver. Néanmoins, la particularité du medium utilisé pour effectuer des transactions en ligne et les spécificités de l'environnement électronique, notamment l'immatérialité, l'interactivité et l'internationalité influent considérablement sur la confiance des cyberconsommateurs en même temps qu'elles accroissent leur vulnérabilité, d'où la nécessité d'un cadre juridique adapté afin que l'essor du commerce électronique B to C ne néglige pas la protection des cyberconsommateurs. Conscients de cet impératif, les législateurs communautaire, français et tunisien, ont mis en place un certain nombre de mesures de nature à rassurer ces derniers et leur permettre de s'engager dans des transactions de commerce en ligne en toute confiance. Ces mesures sont de deux ordres : les unes sont destinées à assurer au cyberconsommateur une protection intrinsèque au processus de la transaction en ligne ; cette protection se manifeste en amont de la transaction, lors de la phase précontractuelle, mais également pendant la période contractuelle, c'est-à-dire au moment de la finalisation de la transaction en ligne et de son exécution. Les autres ont pour objectif de garantir au consommateur une protection extrinsèque au processus de la transaction du commerce électronique. Deux aspects sont, à cet égard, pris en compte : la protection des données à caractère personnel traitées dans le cadre d'une transaction en ligne et les aspects du droit international privé de la protection du cyberconsommateur
B to C e-commerce is increasingly gaining popularity. The number of its followers has seen a drastic surge throughout the few recent years. Its advantages in terms of speed, convenience and proximity are not any more questionable by consumers. Nevertheless, the characteristic of this medium used to carry out online transactions as well as the specificities of the electronic environment - in particular the immateriality, the interactivity and internationality - influence considerably cyber-consumers confidence. Simultaneously, they increase their vulnerability. Thus, the need for an appropriate legal framework to regulate the rise of B to C e-commerce and protect cyber-consumers. Taking into account these requirement, community, French and Tunisian legislators set up a number of measures to reassure the latter and allow them to engage confidently in online commerce transactions. These measures have two targets: some of them were intended to grant cyber-consumers an intrinsic protection in the process of the online transaction. This protection is set to be an upstream transaction protection at the pre-contractual phase as well as during the contractual period; i.e. at the level of on line transaction finalization and execution. The others aim to guarantee the consumer an extrinsic protection throughout the process of e-commerce transaction. In this respect, two aspects are taken into account, namely: personal data processed during transactions and the aspects of private international law of cyber-consumer protection

Esta tesis doctoral reflexiona sobre el impacto social y político de la explotación de datos masivos a nivel europeo. Cumple dos objetivos principales. En primer lugar, define el contexto general en el que se produce esta explotación, a través del análisis de cinco factores: a) la lógica de generación, recopilación y procesamiento de los datos masivos; b) el modelo de negocio de las grandes corporaciones de servicios digitales; c) el discurso mediático dominante acerca de las tecnologías big data; d) las reacciones sociales y formas de resistencia ante este nuevo escenario; y e) el reglamento europeo de protección de datos personales, incluyendo su fundamentación conceptual. En segundo lugar, discute en qué medida estos cinco factores favorecen u obstaculizan la privacidad, la libertad y el control sobre los datos, desde una perspectiva fundamentada en la teoría crítica del capitalismo, la filosofía republicana, la teoría política feminista y la teoría del framing. La investigación se compone de cinco publicaciones: 1. La conversación sobre big data en Twitter. Una primera aproximación al análisis del discurso dominante. 2. Tay is you. The attribution of responsibility in the algorithmic culture. 3. Big social data: límites del modelo notice and choice para la protección de la privacidad. 4. Your likes, your vote? Big personal data exploitation and media manipulation in the US presidential election campaign of Donald Trump in 2016. 5. Personal data are political. A feminist view on privacy and personal data protection. Esta memoria contextualiza, organiza y relaciona las aportaciones principales de estos artículos.
This doctoral thesis reflects on the social and political impact of big data exploitation at the European level. The research fulfils two main objectives. Firstly, it defines the general context in which this exploitation is embedded, through the analysis of five factors: a) the logic of big data generation, gathering and processing; b) the business model of digital services corporations; c) the dominant media discourse on big data technologies; d) the social reactions and forms of resistance to this new scenario; and e) the European regulation on personal data protection, including its conceptual foundations. Secondly, it discusses to what extent these five factors favour or hinder privacy, freedom and control over data, from the lens of critical theory of capitalism, republican philosophy, feminist political theory and framing theory. The study consists of five publications: 1. La conversación sobre big data en Twitter. Una primera aproximación al análisis del discurso dominante. 2. Tay is you. The attribution of responsibility in the algorithmic culture. 3. Big social data: límites del modelo notice and choice para la protección de la privacidad. 4. Your likes, your vote? Big personal data exploitation and media manipulation in the US presidential election campaign of Donald Trump in 2016. 5. Personal data are political. A feminist view on privacy and personal data protection. This report contextualizes, organizes and connects the main contributions of these papers.
Aquesta tesi doctoral reflexiona sobre l'impacte social i polític de l'explotació de dades massives a escala europea. Compleix dos objectius principals. En primer lloc, defineix el context general en el qual es produeix aquesta explotació, a través de l'anàlisi de cinc factors: a) la lògica de generació, recopilació i processament de les dades massives; b) el model de negoci de les grans corporacions de serveis digitals; c) el discurs mediàtic dominant al voltant de les tecnologies big data; d) les reaccions socials i formes de resistència davant d’aquest nou escenari; i e) el reglament europeu de protecció de dades personals, incloent-hi la seva fonamentació conceptual. En segon lloc, discuteix en quina mesura aquests cinc factors afavoreixen o obstaculitzen la privacitat, la llibertat i el control sobre les dades, des d'una perspectiva fonamentada en la teoria crítica del capitalisme, la filosofia republicana, la teoria política feminista i la teoria del framing. La recerca es composa de cinc publicacions: 1. La conversación sobre big data en Twitter. Una primera aproximación al análisis del discurso dominante. 2. Tay is you. The attribution of responsibility in the algorithmic culture. 3. Big social data: límites del modelo notice and choice para la protección de la privacidad. 4. Your likes, your vote? Big personal data exploitation and media manipulation in the US presidential election campaign of Donald Trump in 2016. 5. Personal data are political. A feminist view on privacy and personal data protection. Aquesta memòria contextualitza, organitza i relaciona les aportacions principals d'aquests articles.

The starting point of the dissertation is the relevance of data in today’s society and the rapid growth of the data-driven economy in the recent years. The common thread will be the General Data Protection Regulation (GDPR), starting from the discussion of the background that has led to the regulatory framework, to the analysis of the GDPR principles and concluding with the practical application of the Regulation within a company and the evaluation of its repercussions. The aim is to evaluate the impacts and the effectiveness of the Regulation, to understand whether the GDPR represents an adding value instrument for the European Union. The first chapter will present the data-driven society focusing on the social and economic problems connected with personal data disclosure and the economic evaluation of data. The second chapter will discuss the specific principles of the GDPR and the entities compliance requirements. The last chapter will consider a case study to examine the application of the Regulation within an insurance company, especially with regards to the business organisation, analysing the internal audit procedures and cost implications. Finally, the fitness check of the Regulation will be conducted, evaluating the impacts and the effectiveness of the GDPR. Key words: GDPR, data-driven, personal data, disclosure, economic valuation, privacy

Il presente elaborato viene focalizzato sul diritto alla privacy nel nuovo “Pacchetto protezione dati”, soprattutto nel Regolamento (UE) 2016/679 del Parlamento Europeo e del Consiglio del 27 aprile 2016 relativo alla protezione delle persone fisiche con riguardo al trattamento dei dati personali, obbligando l’adeguamento della normativa nazionale di ogni Stato membro entro il 24 maggio 2018. Il GDPR (General Data Protection Regulation) introduce delle significative novità in tema di privacy, come ad esempio il principio dell’accountability (responsabilizzazione) in capo al Titolare del trattamento dati e al responsabile del trattamento dati, la figura del Responsabile Protezione Dati (RPD o DPO), il diritto alla portabilità dei dati, il diritto all’oblio, la protezione dei dati fin dalla progettazione (Privacy by design) e protezione per impostazione predefinita (Privacy by Default), cambiando completamente la prospettiva della Direttiva 95/46/CE – la cosiddetta Direttiva “madre”. Ma il cuore dell’intera dissertazione è l’articolo 35 del GDPR, ai sensi del quale viene prevista la valutazione d’impatto sulla protezione dei dati, o la c.d. Data Protection Impact Assessment (DPIA). Tale valutazione è un processo finalizzato a valutare il rispetto dei principi privacy – come i principi di necessità e proporzionalità – e a valutare e gestire i rischi inerenti al trattamento. In merito, si terrà conto delle Linee guida del Gruppo di Lavoro articolo 29, in special modo dei criteri per stabilire se un trattamento “possa presentare un rischio elevato” in base al Regolamento UE n. 2016/679. Al riguardo verrà sviluppato un modello di valutazione di impatto sulla protezione dei dati, nonché la sua applicazione all'interno di cinque realtà diverse, ovvero la videosorveglianza sul posto di lavoro, i dati medici in azienda ospedaliera, la richiesta del casellario giudiziario a fini assuntivi, il trattamento dei dati nel settore del telemarketing, il trattamento dei dati nell'ambito bancario.

La tesi si propone di affrontare le questioni legate all'impatto dei big data sui diritti fondamentali, concentrando l'attenzione sulla funzione costituzionale del diritto alla protezione dei dati personali nel contesto italiano ed europeo. Dopo aver dato conto del percorso svolto dal diritto internazionale ed europeo per definire i fondamenti di tale disciplina e le implicazioni costituzionali delle garanzie che propone, viene esaminato con particolare attenzione il quadro normativo interno, analizzando come il Giudice delle leggi e il legislatore nel tempo abbiano affrontato il rapporto tra diritti e informazioni. Specifica attenzione è rivolta soprattutto all'individuazione dei molteplici interessi intercettati da questa disciplina e ai criteri di bilanciamento da essa indicati per procedere alla ricomposizione dei conflitti tra prerogative confliggenti. L'analisi si sofferma inoltre sul sistema di tutele elaborato a livello comunitario, concentrandosi inizialmente sul primo c.d. data protection package, per poi passare a considerare la nuova strategia di data-governance europea e i contenuti del reg. 679/2016. Facendo ciò, si approfondiscono in particolare il percorso che ha portato il legislatore europeo a riconoscere la protezione dei dati personali come diritto fondamentale dell'UE (art. 8 CDFUE) e le implicazioni che questo ha avuto sul piano delle competenze comunitarie (art. 16 TFUE). Da ultimo, alla luce delle considerazioni appena accennate, viene proposto un case-study in cui si affrontano i problemi che vengono emergendo da questa progressiva comunitarizzazione della disciplina sulla protezione dei dati personali, soprattutto nei rapporti tra la Corte di giustizia UE e i giudici costituzionali nazionali. Chiude il lavoro una riflessione circa le prospettive che si aprono per il c.d. costituzionalismo tecnologico europeo a il ruolo che spetta all'Unione e agli Stati membri nel promuovere questa trasposizione delle tradizionali garanzie a favore dei diritti fondamentali.
The dissertation aims to tackle the issues emerging by the use of big data analytics on fundamental rights. The attention focuses on the constitutional analysis of the fundamental right to the protection of personal data, and the goal is to compare the different approaches developed by EU law and national law on this topic. The first part gives a short introduction to the overall outline of the study, defining the structure and the methodology. After that, the second part provides a brief overview of the gist of the international and European data protection strategies, then it analyses on the national legal framework. In particular, the core of this chapter focuses on the approach developed by the Italian Constitutional Court about the issues concerning privacy and data protection. Furthermore, it pays precise attention to the many interests intertwined by personal data analytics and to the standards developed by the domestic constitutional case-law to balance the opposite prerogatives involved these processings. In light of the recent Italian case-law on the relation between the national and the European legal systems, the third part develops the evolution of the EU discipline on data protection. As first, it focuses on the first data protection package launched in the 90s. It then addresses the issues concerning the ongoing debate on the current EU strategies on data-governance, highlighting on the novelties introduced by the regulation 2016/679/EU. So doing, the study devotes particular attention the constitutionalization process of data protection in the supranational legal system. In particular, it focuses on article 8 of the Charter of Nice and article 16 TFEU. Finally, the last part provides a case study focused on the EUCJ case-law on data and fundamental rights. This section aims to address the issues emerging in this progressive shift of the constitutional guarantees on data protection towards the Luxemburg Court. In particular, the research focuses on the institutional dialogue developed between the EUCJ and the national constitutional courts on these themes. The work concludes providing some provisional disclosures on this complicate evolution of the EU technological constitutionalism, remarking on the contact points that animate this multilevel system of protection.

The object of study of this research is the right to Personal Data Protection within the framework of the EU-US E-Market legal regime. Its characteristics, as well as the features of the main actors participating into that E-Market, make possible to consider it as a proper basis for the development of an International/Universal legal system treaty-based. The Actors and Relations included by the research are the duty bearers of Personal Data Protection law, both State and Private Entity Activities. Nonetheless, the Informal Power Relation between State and Private organization is also taken into account since there are some informal agreements or coordination between State Agencies and IT Corporations on data sharing and processing. The time frame of the research is 2001-2016 (after the terrorist’s attack in USA on 9/11 until the most recent reform of the EU-US E-Market regime in 2016). The research’s point of departure is International Human Rights Law, as far as it recognizes a general framework to support and regulate personal data protection on cyberspace realm. Nonetheless, the distinctive characters of cyberspace demand a well designed, at universal level, specific regulation and mechanisms to guarantee such fundamental rights relating personal data protection internationally. Accordingly, Research Hypothesis is represented in double issues: first, effective personal data protection on cyberspace needs the establishment of an International/Universal legal system treaty-based; second, EU Regime on personal data protection in cyberspace and current EU-US agreements on this issue can be used as a model for initiating such International/Universal Treaty. The structure of the thesis is divided into six chapters, being Chapter 1 the research design and Chapter 6 the conclusions and recommendations coming from the research. So, Chapter 2 analyzes Universal Legal Instruments, EU Laws and EU-US Agreements in force before 5th June 2013 (critical turning point date because of the revelations of Mass Electronic Surveillance presented then on World Wide Web). Within this legal framework, Chapter 3 studies hard cases about personal data protection in US domestic courts and in the Court of Justice of European Union, in order to search for precise interpretation of the right to personal data protection in cyberspace that, later, had to be taken into account by US and EU in their further legal reforms. Chapter 4 analyses and reviews the legal instruments enacted through the reform of the EU personal data protection regime and the new EU-US Bilateral Agreements currently in force. Finally, Chapter 5 evaluates the possibility to initiate an International Treaty for regulating data using across borders. Considering the initiatives of either international governmental organizations or non-governmental movements in the field, the chapter shows how a set of principles can be extracted from the reforms in the EU and EU-US regime and how they can be used to create an International Regime for protection of personal data in cyberspace.
L'objecte d'estudi d'aquesta recerca és el dret a la protecció de les dades personals en el marc del règim jurídic aplicable al mercat electrònic UE-Estats Units. Les seves característiques, així com les dels principals actors que intervenen en aquest mercat, permeten considerar aquest règim jurídic com una base adequada per al possible desenvolupament d'un tractat internacional de vocació universal sobre protecció de dades personals en el ciberespai. Els actors i les relacions incloses en la recerca són els responsables de les obligacions jurídiques en matèria de protecció de dades personals, tant entitats públiques com a privades. Malgrat això, també es tenen en compte les ‘relacions informals de poder’ entre Estat i organitzacions privades, donada l'existència d'acords informals o coordinació entre tots dos per a l'intercanvi i processament de dades. El marc temporal de la recerca és 2001-2016 (després dels atemptats del 9/11 a Estats Units i fins a la més recent reforma del règim UE-EUA culminada en 2016). El punt de partida d’aquesta recerca és el Dret Internacional dels Drets Humans, que conté el marc general per al suport i regulació de la protecció de dades personals en el ciberespai. Ara bé, els caràcters distintius del ciberespai exigeixen una regulació i mecanismes específics ben dissenyats, a nivell universal, per garantir internacionalment els esmentats drets fonamentals relatius a la protecció de dades personals. Conseqüentment, la hipòtesi de recerca es formula de la següent manera: en primer lloc, la protecció eficaç de les dades personals en el ciberespai necessita l'establiment d'un sistema jurídic internacional d'abast universal basat en tractats; en segon lloc, el règim de la UE sobre protecció de dades personals en el ciberespai i els actuals acords UE- Estats Units sobre aquesta qüestió poden utilitzar-se com a model per a l'elaboració d'aquest Tractat Internacional. L'estructura de la tesi es divideix en sis capítols, essent el Capítol 1 el disseny de la recerca i el Capítol 6 les conclusions i recomanacions que es desprenen de la recerca. Així, el Capítol 2 analitza els Instruments Jurídics Universals, les normes de la UE i els acords UE-EUA vigents abans 5 de juny de 2013 (data crítica a causa de les revelacions sobre Vigilància Electrònica en massa, presentades mundialment aquest dia). Dins d'aquest marc jurídic, el Capítol 3 realitza una anàlisi jurisprudencial i analitza una selecció de casos sobre protecció de dades personals suscitades davant els tribunals interns d'Estats Units i davant el Tribunal de Justícia de la Unió Europea, amb l'objectiu d'identificar la interpretació precisa del dret a la protecció de dades personals en el ciberespai que, posteriorment, ha hagut de tenir en compte la reforma normativa a Estats Units i en la UE sobre aquesta matèria. El Capítol 4 analitza i revisa els instruments jurídics promulgats en virtut de la reforma del règim de protecció de dades personals de la UE i els nous acords bilaterals entre la UE i els Estats Units actualment en vigor. Finalment, el Capítol 5 avalua la possibilitat d'elaborar un Tractat Internacional d'abast universal que garanteixi el dret a la protecció de dades personals que ‘circulen’ pel ciberespai. Tenint en compte les iniciatives formulades per organitzacions governamentals internacionals i pels moviments no governamentals especialitzats, el capítol mostra com es poden extreure un conjunt de principis de les reformes de la UE i del règim aplicable a l'espai UE-EUA i com aquests principis poden utilitzar-se per a la creació d'un règim internacional de protecció de dades personals en el ciberespai.
El objeto de estudio de esta investigación es el derecho a la protección de los datos personales en el marco del régimen jurídico aplicable al mercado electrónico UE- Estados Unidos. Sus características, así como las de los principales actores que intervienen en este mercado, permiten considerar este régimen jurídico como una base adecuada para el posible desarrollo de un tratado internacional de vocación universal sobre protección de datos personales en el ciberespacio. Los actores y las relaciones incluidas en la investigación son los responsables de las obligaciones jurídicas en materia de protección de datos personales, tanto entidades públicas como privadas. No obstante, también se tienen en cuenta las ‘relaciones informales de poder’ entre Estado y organizaciones privadas, dada la existencia de acuerdos informales o coordinación entre ambos para el intercambio y procesamiento de datos. El marco temporal de la investigación es 2001-2016 (después de los atentados del 9/11 en Estados Unidos y hasta la más reciente reforma del régimen UE-EEUU culminada en 2016). El punto de partida de la investigación es el Derecho Internacional de los Derechos Humanos, que contiene el marco general para el apoyo y regulación de la protección de datos personales en el ciberespacio. Sin embargo, los caracteres distintivos del ciberespacio exigen una regulación y mecanismos específicos bien diseñados, a nivel universal, para garantizar internacionalmente tales derechos fundamentales relativos a la protección de datos personales. Consecuentemente, la hipótesis de investigación se formula del siguiente modo: en primer lugar, la protección eficaz de los datos personales en el ciberespacio necesita el establecimiento de un sistema jurídico internacional de alcance universal basado en tratados; en segundo lugar, el régimen de la UE sobre protección de datos personales en el ciberespacio y los actuales acuerdos UE-Estados Unidos sobre esta cuestión pueden utilizarse como modelo para la elaboración de dicho Tratado Internacional. La estructura de la tesis se divide en seis capítulos, siendo el Capítulo 1 el \diseño de la investigación y el Capítulo 6 las conclusiones y recomendaciones que se desprenden de la investigación. Así, el Capítulo 2 analiza los Instrumentos Jurídicos Universales, las normas de la UE y los acuerdos UE-EEUU vigentes antes del 5 de junio de 2013 (fecha crítica debido a las revelaciones sobre Vigilancia Electrónica en Masa presentadas mundialmente ese día). Dentro de ese marco jurídico, el Capítulo 3 realiza un análisis jurisprudencial y analiza una selección de casos sobre protección de datos personales suscitados ante los tribunales internos de Estados Unidos y ante el Tribunal de Justicia de la Unión Europea, con el objetivo de identificar la interpretación precisa del derecho a la protección de datos personales en el ciberespacio que, posteriormente, ha debido tener en cuenta la reforma normativa en Estados Unidos y en la UE sobre esta materia. El Capítulo 4 analiza y revisa los instrumentos jurídicos promulgados en virtud de la reforma del régimen de protección de datos personales de la UE y los nuevos acuerdos bilaterales entre la UE y los Estados Unidos actualmente en vigor. Por último, el Capítulo 5 evalúa la posibilidad de elaborar un Tratado Internacional de alcance universal que garantice el derecho a la protección de datos personales que ‘circulan’ en el ciberespacio. Teniendo en cuenta las iniciativas formuladas por organizaciones gubernamentales internacionales y por los movimientos no gubernamentales especializados, el capítulo muestra cómo se pueden extraer un conjunto de principios de las reformas de la UE y del régimen aplicable en el espacio UE-EEUU y cómo esos principios pueden utilizarse para la creación de un régimen internacional de protección de datos personales en el ciberespacio.

This research had two main purposes. Firstly it aimed at showing the regulatory framework of both data protection and intellectual property in the European Union and thus making the privacy complications of Digital Rights Managements systems clear in the developed world. This research also aimed at disclosing the complications of employment of DRMs systems in developing countries. To that end Turkey&rsquo
s copyright framework has been reviewed. It was found out that DRMs systems employed in Turkey went beyond the scope of Turkish Copyright Legislation and restricted also legitimate acts which fall within the scope of fair use. DRMs also have hindered development since it restricted availability of educational and cultural works. The review of Turkey&rsquo
s Data Protection regime disclosed that the most important reason behind the non adoption of the draft law was related to the legislators&rsquo
confusion of first pillar and third pillar data protection. It was concluded that Turkey lacked a data protection policy and the lack of such a policy led to the surveillance of the people to such a degree that almost no private space is left for them. The main finding of the research was that Turkey has been one of the best markets for the employment of DRMs with its current copyright regime and lack of data protection rules. The research concluded with proposals of action concerning data protection and DRMs.

From the very outset of the EU data protection legislation, and hence from the 1995 Directive, international data transfer has been subject to strict requirements aimed at ensuring that protection travels with data. Although these rules have been widely criticized for their inability to deal with the complexity of modern international transactions, the GDPR has essentially inherited the same architecture of the Directive together with its structural limitations. This research aims to highlight the main weaknesses of the EU data export restrictions and identify what steps should be taken to enable a free, yet safe, data flow. This research first places EU data transfer rules in the broader debate about the challenges that the un-territorial cyberspace poses to States’ capabilities to exert their control over data. It then delves into the territorial scope of the GDPR to understand how far it goes in protecting data beyond the EU borders. The objectives underpinning data export restrictions (i.e., avoiding the circumvention of EU standards and protecting data from foreign public authorities) and their limitations in achieving such objectives are then identified. Lastly, three possible “solutions” for enabling data flow are tested. Firstly, it is shown that the adoption by an increasing number of non-EEA countries of GDPR-like laws and the implementation by many companies of GDPR-compliant policies is more likely to boost international data flow than internationally agreed standards. Secondly, the role that Article 3 GDPR may play in making data transfer rules “superfluous” is analysed, as well as the need to complement the direct applicability of the GDPR with cross-border cooperation between EU and non-EU regulators. Thirdly, the study finds that the principle of accountability, as an instrument of data governance, may boost international data flow by pushing most of the burden for ensuring GDPR compliance on organizations and away from resource-constrained regulators.

With the growth in social, political and economic importanceof the Internet, it has been recognized that the underlyingtechnology of the next generation Internet must not only meetthe many technical challenges but must also meet the socialexpectations of such a pervasive technology. As evidence ofthe strategic importance of the development of the Internet,the European Union has adopted a communication to the Counciland the European Parliament focusing on the next generationInternet and the priorities for action in migrating to the newInternet protocol IPv6 andalso a new Directive (2002/58/EC) on'processing of personal data and protection of privacy in theelectronic communication sector'. The Data Protection Directiveis part of a package of proposals for initiatives which willform the future regulatory framework for electroniccommunications networks and services. The new Directive aims toadapt and update the existing Data ProtectionTelecommunications Directive (97/66/EC) to take account oftechnological developments. However, it is not well undersoodhow this policy and the underlying Internet technology can bebrought into alignment.

This dissertation builds upon the results of my earlierlicentiate thesis by identifying three specific, timely, andimportant privacy areas in the next generation Internet: uniqueidentifiers and observability, privacy enhanced location basedservices, and legal aspects of data traffic.

Each of the three areas identified are explored in the eightpublished papers that form this dissertation. The paperspresent recommendations to technical standarization bodies andregulators concerning the next generation Internet so that thistechnology and its deployment can meet the specific legalobligations of the new European Union data protectiondirective.

The General Data Protection Regulation (GDPR) (2016/679) can be described as a comprehensive regulation that was adopted by the European Union (EU) with the purpose of regulating the protection of personal data in all EU member states. The regulation will take effect on May 25th 2018 and will apply to all organisations that process the personal data of  EU- citizens. This study will explore the implementation process of the General Data Protection Regulation (2016/679) through the lens of the phenomenon of Europeanization.  The context of the phenomenon for this study is that EU seeks to adapt the member states’ political and administrative institutions into a common judicial framework through the implementation of EU-law. However, this requires member states having the ability to adapt to the common framework. This study’s purpose is therefore to study a local municipality’s implementation process of the regulation to evaluate its ability adapting to EU- law. The study has been conducted through a case-study design where interviews have taken place with employed public officials who are in the process of planning the implementation process. Through the interviews that have been conducted and the documentation that has been available, material, informative, personal resources and preferences in the shape of objectives in the implementation process have been deducted through Lennart Lundquist’s model for analysis of an organisation’s capabilitites and priorities in the implementation process. In conclusion, resocurces have been extracted mainly to prepare for the implementation in the shape of educational measures and recruiting new employees with the intent of coordinating the process. Through local cooperation common resources have been extracted for judicial support and for the use of a common Data Protection Officer (DPO). It is difficult to estimate the municipality’s ability to adapt to EU- law due to the fact that the process is still in its initial stages, but since the municipality is still preparing to implement measures to increase and ensure safeguards of information, the municipality will not be able to reach the requirements as of May 25th 2018.

Defence date: 06 July 2021
Examining Board: Professor Giorgio Monti (Tilburg University); Professor Michal Gal (University of Haifa); Professor Orla Lynskey (London School of Economics); Professor Peter Drahos (European University Institute)
This thesis addresses the problem of individuals’ lack of control over personal data in the digital world. It sheds light on market and regulatory failures that lie behind the status quo and proposes a framework to improve regulatory responses. The two regulatory regimes that are at the core of this thesis are EU data protection regulation, which protects individuals’ fundamental rights over data, and EU competition law, which safeguards the sound functioning of the market and consumers’ economic interests. Despite the existence of these two regulatory regimes, individuals do not have sufficient control over personal data collected by digital firms, whose control over large datasets is a factor contributing to market monopolisation. The thesis argues that one reason for the shortcomings of today’s regulatory framework is that the market failure is composed of a combination of factors, which are currently addressed by the different regimes relatively independently. This dichotomy hinders the development of an effective strategy to tackle the market failure in its entirety. The approach taken in this thesis is that by integrating the two regimes, it might be possible to close the gaps deriving from a narrow perception of their regulatory spaces. Hence, the thesis formulates a holistic approach, encompassing data protection regulation and competition law, designed to increase the effectiveness of the regulatory framework as a whole. Different dimensions of the regimes’ interrelation are analysed, to uncover new ways to harness their complementarity and minimise their inconsistencies and overlaps. The thesis looks at how the regimes can incorporate elements from each other to inform their policies and application of their rules, as well as developing a complementary enforcement strategy. The holistic framework ultimately allows both regimes to better tailor their regulatory responses to the functioning of the digital market and take account of the diverse elements that constitute the market failure they seek to correct.

This thesis examines predictive modelling from the legal perspective. Predictive modelling is a technology based on applied statistics, mathematics, machine learning and artificial intelligence that uses algorithms to analyse big data collections, and identify patterns that are invisible to human beings. The accumulated knowledge is incorporated into computer models, which are then used to identify and predict human activity in new circumstances, allowing for the manipulation of human behaviour. Predictive models use big data to represent people. Big data is a term used to describe the large amounts of data produced in the digital environment. It is growing rapidly due mainly to the fact that individuals are spending an increasing portion of their lives within the on-line environment, spurred by the internet and social media. As individuals make use of the on-line environment, they part with information about themselves. This information may concern their actions but may also reveal their personality traits. Predictive modelling is a powerful tool, which private companies are increasingly using to identify business risks and opportunities. They are incorporated into on-line commercial decision-making systems, determining, among other things, the music people listen to, the news feeds they receive, the content people see and whether they will be granted credit. This results in a number of potential harms to the individual, especially in relation to personal autonomy. This thesis examines the harms resulting from predictive modelling, some of which are recognized by traditional law. Using the European legal context as a point of departure, this study ascertains to what extent legal regimes address the use of predictive models and the threats to personal autonomy. In particular, it analyses Article 8 of the European Convention on Human Rights (ECHR) and the forthcoming General Data Protection Regulation (GDPR) adopted by the European Union (EU). Considering the shortcomings of traditional legal instruments, a strategy entitled ‘empowerment’ is suggested. It comprises components of a legal and technical nature, aimed at levelling the playing field between companies and individuals in the commercial setting. Is there a way to strengthen humanity as predictive modelling continues to develop?

La protection des données à caractère personnel (DCP) constitue un droit fondamental autonome au sein de l’Union européenne (article 8 de la Charte des droits fondamentaux de l’Union européenne). En outre, la libre circulation de ces données et des services de la société de l’information, notamment des plateformes en ligne, est primordiale pour le développement de l’économie numérique dans le cadre du marché unique numérique européen. C’est dans ce contexte qu’un point d’équilibre entre la libre circulation et la protection des DCP fait l’objet du cadre juridique européen et français en matière de protection des DCP. Ainsi, dans cette étude, nous nous sommes intéressés en particulier aux enjeux liés à la mise en balance de ces deux intérêts. Ces enjeux suscitent une attention particulière notamment à l’ère des plateformes en ligne, du Big Data et de l’exploitation en masse des données à travers des algorithmes sophistiqués dotés de plus en plus d’autonomie et d’intelligence
Free flow of data and personal data protection on the Internet Protection of personal data is an autonomous fundamental right within the European Union (Article 8 of the Charter of Fundamental Rights of European Union). Moreover, free flow of personal data and free movement of information society services in particular online platforms is essential for the development of digital single market in European Union. The balance between free movement of data and personal data protection is subject of the European legal framework. However, the main challenge still remains to strike the right balance between effective personal data protection and free flow of this data and information society services. This balance is not an easy task especially in the age of online platforms, Big Data and processing algorithms like Machine Learning and Deep Learning

New privacy regulations bring new challenges to organizations that are handling and processing personal data regarding persons within the EU. These challenges come mainly in the form of policies and procedures but also with some opportunities to use technology often used in other sectors to solve problems. In this thesis, we look at the new General Data Protection Regulation (GDPR) in the EU that comes into full effect in May of 2018, we analyze what some of the requirements of the regulation means for the industry of processing personal data, and we look at the possible solution of using hardware security modules (HSMs) to reach compliance with the regulation. We also conduct an empirical study using the Delphi method to ask security professionals what they think the most important aspects of securing personal data, and put that data in relation to the identified compliance requirements of the GDPR to see what organizations should focus on in their quest for compliance with the new regulation. We found that a successful implementation of HSMs based on industry standards and best practices address four of the 35 identified GDPR compliance requirements, mainly the aspects concerning compliance with anonymization through encryption, and access control. We also deduced that the most important aspect of securing personal data according to the experts of the Delphi study is access control followed by data inventory and classification.

The upcoming General Data Protection Regulation at EU level to be implemented in 2018 will represent a history achievement data time when the Europe is laying the foundations of a single digital market. In the context of Big Data and eHealth, it is convenient to tackle the influence of the current EU regulation related to health data. This research was conceived from the idea of assessing the influence of the right to personal data protection, born in Europe and projected in the last decades in other regions such as Latin America. Privacy and data protection in the era of Big Data are not per se guaranteed. lt is the citizens themselves who are asking for a harmonized protection within the EU; this health data regulatory framework can be regarded as a data protection model in eHealth internationally. 2016 represented the 10th anniversary of the international Data Protection Day, a celebration that was established by the committee of ministers of the Council of Europe and the European Commission to raise awareness amongst citizens. In order to contribute to this scientific progress, an undetermined number of databases and tools are deployed, with a varied and technically complex set of systems applied to several scientific disciplines. The use of these resources, diverse and fragmented in many cases, has led the EU to develop a number of initiatives to standardize the access and management of both information and systems, representing what I call a benchmark model. This research aims at shedding light on the engine of this model and its implications beyond Europe, looking at Latin America, based on the cultural, linguistic and commercial cooperation links with Spain. lt is about assessing the current magnitude of concepts such as Big Data, eHealth, data protection and electronic health records, after 50 years of progress in the area of data protection, when in the heart of Europe, first regulation of personal data protection was born. The European Union is the most regulated jurisdiction when it comes to data protection, and it is the European citizens themselves who have promoted legal changes and the defence of their rights. The law provides special privileges to health data. Scientific research and health care within the eHealth environment require a stable framework, with legal certainty, in which the European Commission has been working extensively. This doctoral research splits in three stages: -Stage one refers to a deep review of the former and state-of-the-art investigations on this matter to gain an integrated and global knowledge, focusing on the European framework, analysing the evolution of data protection towards full integration in the EU, surrounding health and new technologies, in the light of the attitudes of European citizens towards data protection and electronic identity, while comparing the personal data protection cultures, within the EU, related to a harmonized legal framework. -Latin America has no integrated regional legal system, but appears to be largely following the EU model of consumer privacy. To confirm the current tendency, in stage two I have compared the six largest EU economies and Latin America and analysed the advantages of convergence with the EU policy, while identifying the influence of the EU framework. -In stage three I have investigated the existing barriers towards alignment with the EU framework, from the Latin-American experience, in order to develop an international framework. Hence, healthcare data are very precious but they trigger colossal privacy and security issues, I conclude that the privacy policy appears to play a pivotal role within the future strategy of the businesses dealing with data of European citizens. The special protection that health data receive in Europe is trendsetting while the EU emerges as a model of global data protection regime.
A partir de 2018 se pone en práctica en la UE una nueva regulación de protección de datos, lo que representará un hito histórico, ahora que Europa sienta las bases legales del mercado único digital. En el entorno del Big Data en eHealth conviene evaluar la influencia de la actual regulación de la UE respecto a los datos de salud. Esta investigación surge de la idea de analizar la influencia del derecho a la protección de datos personales, nacido en Europa y proyectado en las últimas décadas en otras zonas geográficas como América Latina. La privacidad en tiempos del Big Data no está per se garantizada. El marco regulatorio de datos de salud en la UE se puede considerar un modelo de protección de datos a escala internacional. En 2016 se celebró el décimo aniversario del Día Internacional de la Protección de Datos, establecido a iniciativa del Comité de Ministros del Consejo de Europa y la Comisión Europea para concienciar a todos los ciudadanos. Para contribuir a estos avances en la ciencia, se despliegan múltiples bases de datos y herramientas, con sistemas que son variados y complejos técnicamente, aplicados a diferentes disciplinas científicas. El uso de estos recursos, diversos y fragmentados en muchas ocasiones, ha conducido a la UE a desarrollar distintas iniciativas para la normalización del acceso y el tratamiento de la información y los sistemas, dando lugar a lo que podemos calificar como un modelo de referencia. Esta investigación pretende arrojar luz en cuanto al motor de este modelo y sus implicaciones fuera del territorio europeo, especialmente teniendo en consideración la experiencia en América Latina. Se trata de valorar la magnitud que hoy tienen conceptos como Big Data, eHealth, protección de datos e historia clínica electrónica, después de casi 50 años de avances en materia de protección de datos, desde que, en el seno de Europa, apareció la primera regulación de protección de datos de carácter personal. La Unión Europea es la jurisdicción más regulada en materia de protección de datos y son los propios ciudadanos europeos los que han impulsado los cambios legislativos y la defensa de sus derechos. La ley protege de forma especial los datos de salud. La investigación científica y la atención sanitaria en el entorno de eHealth también requieren un marco de trabajo estable, con seguridad jurídica, en el que ha trabajado la Comisión Europea. Las fases de esta investigación son tres:-Partiendo de una amplia revisión del estado del arte para obtener una visión integral, esta primera fase se ha centrado en el marco europeo analizando la evolución de la protección de datos hacia su plena integración en el seno de la UE, en el contexto de la salud y las nuevas tecnologías, a través de las actitudes sobre protección de datos e identidad electrónica de los ciudadanos europeos, y comparando la cultura sobre datos de carácter personal, dentro de la UE, hacia la adaptación a un marco legal armonizado.-En la segunda fase se analizan las seis principales economías de la UE, y se compara con las seis mayores economías de Latinoamérica, para atender a las ventajas de la convergencia de terceros países con la política europea, y concluir con la influencia de la regulación de la UE.-Una vez analizada la interrelación del marco europeo (UE) y latinoamericano, se abordan en una tercera fase las dificultades a las que se enfrentan terceros países, desde el ejemplo latinoamericano, a la hora de desarrollar un marco armonizado. Se concluye que los datos de salud son muy preciados, pero conllevan enormes problemas relativos a la privacidad y la seguridad, por lo que la política sobre privacidad se presenta como una materia que va a desempeñar un papel estratégico especialmente en las empresas que traten datos de ciudadanos europeos. La especial protección que reciben los datos de salud en Europa marca tendencia a la vez que la UE se erige como modelo internacional de protección de datos.

The main goal of this research is to define a complete human rights framework which could be relevant in the context of cyberspace, therefore to analyze how this kind of rights are enforced and protected under European Union law. Furthermore, my thesis would like to underline any deficit of the European legislation in this respect, thus proposing any improvements to guarantee effective enforcement of the human rights framework in the context of cyberspace. The first part of the thesis aims to address a preliminary issue, namely what is cyberspace and how this new ‘environment’ can be defined. Furthermore, to evaluate the actual human rights enforcement in this context, it is necessary to answer a very important question: what rules should govern cyberspace? In other words, the thesis intends to analyze the topic of cyber governance, with the purpose of individuating what entities can establish their rules over this new domain. The second introduces the several human rights relevant into the cyberspace, proposing also a complete analysis of each one of them, to evaluate their effectiveness and enforcement.

Thesis (MTech (Information Technology))--Cape Peninsula University of Technology, 2018.
This study recognises that, regardless of information security policies, information about institutions continues to be leaked due to the lack of employee compliance. The problem is that information leakages have serious consequences for institutions, especially those that rely on information for its sustainability, functionality and competitiveness. As such, institutions ensure that information about their processes, activities and services are secured, which they do through enforcement and compliance of policies. The aim of this study is to explore the extent of non-compliance with information security policy in an institution. The study followed an interpretive, qualitative case study approach to understand the meaningful characteristics of the actual situations of security breaches in institutions. Qualitative data was collected from two universities, using semi-structured interviews, with 17 participants. Two departments were selected: Human Resources and the Administrative office. These two departments were selected based on the following criteria: they both play key roles within an institution, they maintain and improve the university’s policies, and both departments manage and keep confidential university information (Human Resources transects and keeps employees’ information, whilst the Administrative office manages students’ records). This study used structuration theory as a lens to view and interpret the data. The qualitative content analysis was used to analyse documentation, such as brochures and information obtained from the websites of the case study’s universities. The documentation was then further used to support the data from the interviews. The findings revealed some factors that influence non-compliance with regards to information security policy, such as a lack of leadership skills, favouritism, fraud, corruption, insufficiency of infrastructure, lack of security education and miscommunication. In the context of this study, these factors have severe consequences on an institution, such as the loss of the institution’s credibility or the institution’s closure. Recommendations for further study are also made available.

Il lavoro di ricerca approfondisce il tema del diritto alla protezione dei dati personali nell’Unione europea dei non-EU citizens, nell’ambito delle politiche UE di gestione dell’immigrazione e controllo delle frontiere. Muovendo dall’esame del quadro giuridico di riferimento, si evidenzia la natura di diritto fondamentale sancita dall’art. 8 Carta dei diritti fondamentali dell’Unione europea e meglio precisata dalla giurisprudenza della Corte di giustizia dell'UE. La ricerca illustra, in seguito, l’applicazione del diritto in questione nel contesto settoriale prescelto ed approfondisce, in particolare, due principali tematiche: l’ampio e controverso utilizzo dei large-scale databases previsti dalla disciplina UE in tali ambiti – dal sistema Schengen, istitutivo del SIS, ai più recenti VIS, EURODAC, EES, ETIAS; il tema della prevista interoperabilità dei databases, la cui realizzazione, anche alla luce del Nuovo Patto UE sulla Migrazione e l’Asilo, sembra porre in discussione l’effettiva tutela dell’art. 8 Carta per i non-EU citizens. Infine, si propongono alcune riflessioni critiche sul bilanciamento degli interessi in gioco (tutela dei dati personali vs. gestione efficace del fenomeno migratorio, tutela della sicurezza e dell’ordine pubblico), attraverso l’analisi di alcune pronunce della Corte di giustizia e dell’esempio concreto dei sistemi di riconoscimento facciale automatico.
The research focuses on the EU right to data protection of non-EU citizens in the fields of migration and borders control. Once outlined the current legal framework of such right in the EU, it is highlighted the nature of fundamental right enshrined by Article 8 of the EU Charter of Fundamental Rights and better defined by the EU Court of justice case law. The application of right to data protection in the mentioned fields is scrutinized from two different perspectives: the use of sectoral large-scale databases (SIS, VIS, EURODAC, EES, ETIAS); the controversial interoperability of such databases, which appears extremely challenging for the actual respect of Article 8 also within the framework of the EU New Pact on Migration and Asylum. Finally, some critical remarks on the balancing between data protection and other general interests of the EU (efficient management of migration and borders control) are offered, through the analysis of certain EU Court of Justice rulings and the case of automatic facial recognition techniques.

In questa tesi mi sono occupato di Big Data. Che cosa sono, perchè sono importanti, che prospettive di utilizzo e di crescita hanno, da chi vengono utilizzati e a quali scopi. In particolare poi, mi sono soffermato sulle leggi che ne regolamentano gli usi. Quali norme in vigore ed in via di adozione sono presenti nel contesto nazionale e continentale. Un'attenzione particolare l'ho dedicata ad alcune grandi forze economiche che perseguono i propri interessi grazie alla rete. Di queste ultime ho raccontato in che modo si agevolano grazie ai Big Data rispetto alle concorrenti e di come, a volte, non ne facciano un utilizzo pienamente etico, anche se (non sempre) all'interno dei limiti di legge. Nel testo affronto le problematiche delle persone comuni nell'era digitale. Come la tutela dei loro diritti personali fondamentali, compresi sommariamente nel diritto alla privacy, sia messa a dura prova dalle nuove tecnologie in costante sviluppo. I pericoli che possono scaturire da pericolosi accentramenti di potere, dovuti al possesso di grosse quantità di dati da parte di pochi soggetti. Infine ho provato a suggerire alcuni approcci al tema che possano in qualche modo risolvere o quantomeno ridurre il problema del controllo sui propri dati. Riassumendo, considero questo lavoro come una visione ad ampio raggio delle possibilità e dei rischi che l'utilizzo dei Big Data comporta e comporterà in un futuro prossimo.

La révolution numérique est ambivalente. Si elle constitue un moyen de renforcer la capacité de l'Etat à réaliser ses missions et celle des individus à exercer certains de leurs droits, elle permet simultanément l'enregistrement et la conservation d'une part croissante de l'existence individuelle quotidienne. Face au renforcement des possibilités de contrôle de l'individu, il est régulièrement proposé d'inscrire, dans les textes situés au sommet d, la hiérarchie des normes, un droit fondamental à la protection des données personnelles car l'existence d'un tel droit améliorerait la protection offerte à l'individu. La thèse procède à une analyse descriptive, explicative et évaluative du droit fondamental à la protection des données personnelles. Afin de démontrer la construction d'un tel droit par la jurisprudence constitutionnelle française et les jurisprudences européennes, l'étude s'est d'abord attaché à découvrir les soubassements de celui-ci. Ce droit a ensuite pu être précisé et distingué des autres droits fondamentaux tels que le droit au respect de la vie privée. Afin de mesurer la portée de ce droit, l'étude s'est ensuite attachée à analyser les restrictions dont il peut faire l'objet lorsqu'il entre en conflit avec d'autres intérêts individuels également protégés ou avec des contraintes collectives relevant de l'intérêt général. L'amélioration de la protection offerte à l'individu n'est donc pas aussi évidente qu'il pourrait paraitre. Elle pourrait cependant résulter de la restructuration du processus normatif que ce droit fondamental à la protection des données personnelles implique
The digital revolution is ambivalent. On the one hand, it empowers the State to strengthen its ability to fulfil its responsibilities and the individuals to exercise some of their rights, yet on the other hand, it enables the capturing and storing of an increasing part of day to day personal life. In order to address the increased surveillance of individuals, proposals are regularly put forward to incorporate, at the very highest judicial level, a human right to personal data protection, as the existence of such a right would improve the protection afforded to individuals. This thesis undertakes a descriptive, explanatory and evaluative analysis of the human right to personal data protection. In order to examine the making of such a right by the French constitutional court, the European Court of Human Rights and the Court of Justice of the European Union, this study sets out first to reveal its foundations. The right to data protection is then clearly identified and distinguished from other human rights such as the right to privacy. In order to measure the extent of such a right, the study then focusses on analysing the restrictions to which it may be subject when in conflict with other equally protected individual rights or with collective constraints of general interest. The enhancement of the protection afforded to the individual is therefore not as straightforward as it may initially seem. Such enhancement could however arise from the restructuring of the normative process which this human right to data protection implies

The European Union has introduced a new General Data Protection Regulation that regulates all aspects of privacy and data protection for the data of European citizens. To transition to the new rules, companies and public institutions were given two years to adapt their systems and controls. Due to the large area of changes the GDPR requires, many companies are facing severe problems to adapt the rules to be ready for enforcement. This marks the purpose of this study which is to look into compliance practices in the implementation of GDPR requirements. This includes a prospect of compliance mechanisms that may remain insufficiently addressed when the regulation comes into force on May 25, 2018. The study is conducted in Sweden and aims to investigate the situation in corporations and not in public institutions. Mixed methods have been applied by surveying and interviewing Swedish GDPR experts and consultants to gain an understanding of their view by using capability maturity scales to assess a variety of security processes and controls. The analysis shows a low implementation in GDPR requirements while having seen improvements over the past two years of transition. It points out that a holistic strategy towards compliance is mostly missing and many companies face obstacles that are difficult to overcome in a short period. This may result in non-compliance in many Swedish corporations after the regulation comes into force on May 25.

Les données à caractère personnel sont appréhendées par le droit comme des objets distincts de la personne à laquelle elles se rapportent. Ce statut particulier serait justifié par la transformation résultant du traitement de données. La loi du 6 janvier 1978 suggère pourtant un rattachement en définissant la donnée personnelle comme une « information relative à une personne physique identifiée ou qui peut être identifiée, directement ou indirectement ». Lesdites données sont donc des éléments identifiants, et en cela, par une interdépendance des éléments subjectifs et objectifs, des composantes de l’identité. Elles forment l’identité numérique de la personne, toujours plus sollicitée et collectée. L’hypothèse intuitive de l’identité est contrariée par le droit positif français, au sein duquel la loi Informatique et libertés marque son autonomie par rapport à l’article 9 du Code civil, matrice des droits de la personnalité. Le droit de l’Union européenne isole également, au sein de la Charte des droits fondamentaux, la protection des données à caractère personnel de la protection de la vie privée. Cette autonomisation permet l’accélération de la patrimonialisation des données à caractère personnel, visées comme éléments isolés par une multitude de contrats d’adhésion autorisant le traitement. Le sectionnement du lien entre la personne et ses données n’est toutefois pas inéluctable : la protection de l’autonomie de la personne peut maintenir cette connexion. La Cour européenne des droits de l’Homme, qui intègre la protection des données à celle de la vie privée, affirme le lien entre ces informations personnelles et l’identité. En outre, sa jurisprudence relative à la protection de l’autonomie personnelle peut constituer une réponse à l’objectivation des personnes. Dans le même sens, la jurisprudence du Conseil constitutionnel relative à la liberté personnelle, vecteur du droit au développement de la personnalité et de la protection de l’identité en France, a déjà accueilli favorablement la protection des données à caractère personnel. Une réflexion qui prend l’identité comme point de départ de l’étude d’un droit à la protection des données met en lumière le véritable enjeu de la collecte exponentielle des données à caractère personnel et du profilage qui s’en suit : l’autonomie des personnes, dont la préservation est assurée à travers le concept de personne humaine, sujet des droits fondamentaux
French law approaches personal data and the person they are related to as separated objects. This special status would be justified by the transformation resulting from the data processing. However, by defining personal data as "information relating to an identified or identifiable natural person, directly or indirectly", the law of 6 January 1978 suggests that they are in fact connected to each other. Therefore, those data are to be understood as identifying elements. Following the interdependence of subjective and objective elements, they are components of identity. They form the person’s digital identity, which is increasingly solicited and gathered. The intuitive assumption of personal data as components of identity is thwarted by French positive law, within which the Data Protection Act marks its autonomy in comparison to Article 9 of the Civil Code – the latter being the matrix of rights related to personality. The same way, protection of personal data is distinguished from protection of privacy in the European Union’s Charter of Fundamental Rights. This increasing autonomy allows the accelerated conversion of personal data into assets. In a multitude of conventions, they are regarded as isolated elements of which processing is allowed. Yet the split between the person and their data could be avoided: protection of the autonomy of the person can ensure a connexion. The European Court of Human Rights considers data protection as part of the right to privacy, hence asserting the existence of a link between personal data and identity of the individual. Moreover, its case law regarding the protection of personal autonomy may constitute an answer to the objectification of individuals. Correlatively, the French Constitutional Court has already taken data protection as a part of personal freedom, the latter being considered in its case law as the embryo of the right to the development of personality and the protection of identity. By taking identity as the starting point of a study examining a right to data protection, it is possible to reveal the stakes of exponential gathering of personal data and ensuing profiling: the autonomy of the individual. Therefore, the latter can be protected by the concept of human person as subject of fundamental rights

La problématique de la protection de la vie personnelle est très ancienne et a fait l'objet d'études dans diverses disciplines scientifiques. Un principe d'indifférence à la vie personnelle a été reconnu dans l'ensemble des systèmes étudiés à partir desannées 1980. Malgré l'existence d'un cadre juridique protecteur à première vue, avec la reconnaissance d'un droit à la protection de la vie personnelle - qui limite et rationalise indubitablement les pouvoirs de direction de l'employeur - la protection connaît des tempéraments et des restrictions, afin d'atteindre un équilibre avec les intérêts légitimes et les droits de l'employeur. La vie personnelle se trouve donc limitée par les pouvoirs patronaux, aspect très largement sous-estimé. Tant le législateur que la pratique et la jurisprudence cherchent à définir les conditions de cet équilibre, que cette étude s'attache à décrire, en soulignant les obstacles techniques et en proposant des solutions pour les résoudre. Son objectif est de démontrer qu'il y a une tendance claire et nette à reconnaître à l'employeur un droit de plus en plus poussé à la restriction de la vie personnelle du salarié et que ceci risque de mettre en péril l'ensemble de la construction.

L’intérêt d’une réflexion sur les échanges de données personnelles de sécurité entre l’Union européenne et les tiers est né d’une interrogation sur le cadre juridique auquel ces échanges se rattachent, et l’existence de garanties en matière de protection des données. En partant du constat que les États sont à l’origine de la création de réseaux de coopération policière et judiciaire, l’irruption de l’Union européenne et de ses Agences dans des sphères régaliennes a de quoi déconcerter. L’intervention de l’UE et de ses Agences doit également attirer l’attention sur le respect des conditions de ces échanges qui sont soumis à l’exigence de garanties adéquates de la part des États tiers et Cet avènement nécessite de déterminer au préalable comment les échanges de données avec les tiers sont devenues progressivement un instrument au service de l’espace de liberté de sécurité et de justice (ELSJ). En cela, la sécurité telle qu’elle est ici appréhendée, concerne la lutte contre le terrorisme, la criminalité organisée et l’immigration clandestine. Ainsi cette thèse vise, à travers un examen des accords conclus par l’UE et ses Agences avec les tiers, à déceler, analyser, et mettre en évidence les règles qui régissent ces échanges de données personnelles ainsi que la protection qui s’y rattache. Elle doit permettre de mieux cerner la fonction de l’Union européenne et le rôle des États membres dans ces échanges, d’évaluer les garanties apportées par l’UE et ses partenaires, et d’aboutir à l’émergence d’un régime d’ensemble hétérogène mais dont l’unité réside dans le souci d’assurer une protection adéquate
Enabling security between the European Union and third party personal data exchange leads one to reflect on the related legal framework and safeguards regarding data protection. As states are at the origin of police networks and judicial cooperation, the emergence of the EU and its agencies in sovereign spheres has been astonishing. For the EU,respecting the conditions of such exchanges requires adequate guarantees from third states. To better understand this, one should first analyze to which extent these exchanges have gradually become an instrument servicing the areas of freedom, security and justice (AFSJ, "security" here implies the fight against terrorism, organized crime and illegal immigration). This thesis aims to detect, analyze and highlight the rules governing the exchanges of personal data and the protection attached to them. Its goal is to understand the function of the EU and the role of member states in these exchanges, to assess the guarantees provided by the EU or its partners and to lead to the emergence of a system which could provide adequate protection. The first part will determine the modalities of cooperation between the EU and third parties in the field of personal data security exchanges; identifying the existence of safety data exchange networks before looking into the fight against terrorism and organized crime’s international dimension. A focus on external standards in the EU will lead the reader to grasp how safety within third party data exchange networks may be structured and to understand the role of international organizations such as the UN (or extraterritorial jurisdiction from third countries such as the USA). The EU having developed its cooperation regarding safety data exchanges, its foreign policy in terms of AFSJ gives one an overview of safety data exchange networks and their diversity, but it also shows the limits of their extension. These different forms of cooperation are the foundations of constituent EU treaties, yet they face legal and democratic issues as far as EU legitimacy is concerned. The EU integration process, on which safety with third party data exchanges is based, will also be studied; if this integration is a success overall, sovereignty issues have also brought their share of safety data protection alterations. This thesis’ second part focuses on the guarantees related to safety data exchanges, fundamental rights protection regarding this personal data and the need for adequate protection when transferring data to third parties. The adequacy of "normative" protection must be analyzed in global terms, that is to say within an international framework. The study of normative protection will be followed by a thorough examination of their effective protection. The reader will see how data exchange security transparency enables people to exercise their right to both access data and challenge decisions taken on the basis of data exchange safety. Effective protection leads to the identification of responsibilities related to safety data exchanges, the mechanisms of which may highlight that the EU or third parties have breaches in their obligations

La recherche vise à vérifier si et comment, au niveau de l’UE, la lutte contre la criminalité (surtout organisée) est conduite dans le respect de droits et libertés fondamentales, et si la coopération en matière entre les États membres peut promouvoir des standards de protection élevés et homogènes. La traditionnelle reluctance des États à confier les relatives compétences à l’Union a fortement entravé le développement d’un « espace de liberté, sécurité et justice » équilibré. Aujourd’hui le Traité de Lisbonne fournit des outils importants. Après avoir présenté la sécurité dans l’UE, j’aborde la coopération judiciaire pénale. J’analyse la riche production normative à finalité répressive, aussi que les mesures récemment adoptées à finalité protectrice et promotionnelle. Ensuite, je passe à la coopération policière et à l’intervention de l’EU en matière financière / patrimoniale, en tandem avec les droits à la protection des données personnelles et de la propriété privé
The research aims to verify whether and how, at the EU level, the fight against crime (particularly organized crime) is perpetuated in full respect of fundamental rights and freedoms, and whether cooperation among Member States in this field can promote high and homogeneous standards of protection.The historical reluctance of Member States to give the relative competences to the Union has strongly obstructed the development of an equilibrated “area of freedom, security and justice”. However, the Lisbon Treaty has provided important tools. After firstly presenting security in the EU, I discuss judicial cooperation in criminal matters. Both the rich normative production aimed at repression, and the more recently adopted measures finalized at guarantying and promoting individual rights are analyzed. Then, I pass to police cooperation and EU financial / patrimonial intervention, together with the right to protection of personal data and the right to property - the two most at stake

Imagine a world where someone’s personal information is constantly compromised, where federal government entities AKA Big Brother always knows what anyone is Googling, who an individual is texting, and their emoticons on Twitter. Government entities have been doing this for years; they never cared if they were breaking the law or their moral compass of human dignity. Every day the Federal government blatantly siphons data with programs from the original ECHELON to the new series like PRISM and Xkeyscore so they can keep their tabs on issues that are none of their business; namely, the personal lives of millions. Our allies are taking note; some are learning our bad habits, from Government Communications Headquarters’ (GCHQ) mass shadowing sharing plan to America’s Russian inspiration, SORM. Some countries are following the United States’ poster child pose of a Brave New World like order of global events. Others like Germany are showing their resolve in their disdain for the rise of tyranny. Soon, these new found surveillance troubles will test the resolve of the American Constitution and its nation’s strong love and tradition of liberty. Courts are currently at work to resolve how current concepts of liberty and privacy apply to the current conditions facing the privacy of society. It remains to be determined how liberty will be affected as well; liberty for the United States of America, for the European Union, the Russian Federation and for the people of the World in regards to the extent of privacy in today’s blurred privacy expectations.
B.S.
Bachelors
Health and Public Affairs
Legal Studies

La tesis se encarga de analizar, por un lado, la integración y el desarrollo de las nuevas tecnologías en la Administración de Justicia; y, por otro, los parámetros que constituyen la validez y eficacia del documento electrónico.
La primera cuestión se centra en la configuración de los Sistemas de Información de la Oficina Judicial y del Ministerio Fiscal, así como de la informatización de los Registros Civiles, donde el art. 230 LOPJ es la pieza clave. Se estudian sus programas, aplicaciones, la videoconferencia, los ficheros judiciales y las redes de telecomunicaciones que poseen la cobertura de la firma electrónica reconocida, donde cobran gran relevancia los convenios de colaboración tecnológica. La digitalización de las vistas quizá sea una de las cuestiones con más trascendencia, teniendo en cuenta que el juicio es el acto que culmina el proceso. Aunque no todos los proyectos adoptados en el ámbito de la e.justicia se han desarrollado de forma integral, ni han llegado a la totalidad de los órganos judiciales. El objetivo final es lograr una Justicia más ágil y de calidad, a lo cual aspira el Plan Estratégico de Modernización de la Justicia 2009-2012 aprobado recientemente.
En referencia a la segunda perspectiva, no cabe duda que el Ordenamiento jurídico y los tribunales, en el ámbito de la justicia material, otorgan plena validez y eficacia al documento electrónico. Nuestra línea de investigación se justifica porque cada vez son más los procesos que incorporan soportes electrónicos de todo tipo, ya sea al plantearse la acción o posteriormente como medio de prueba (art. 299.2 LEC). Entre otros temas examinamos el documento informático, la problemática que rodea al fax, los sistemas de videograbación y el contrato electrónico.
La tesi s'encarrega d'analitzar, per una part, la integració i el desenvolupament de les noves tecnologies dins l´Administració de Justícia; i, per l'altra, els paràmetres que constitueixen la validesa i l'eficàcia del document electrònic.
La primera qüestió es centra en la configuració dels Sistemes d´Informació de l´Oficina Judicial i del Ministeri Fiscal, així com de la informatització dels Registres Civils, on l'art. 230 LOPJ es la peça clau. S'estudien els seus programes, aplicacions, la videoconferència, el fitxers judicials i les xarxes de telecomunicacions que tenen la cobertura de la firma electrònica reconeguda, on cobren gran rellevància els convenis de col·laboració tecnològica. La digitalització de les vistes tal vegada sigui una de les qüestions amb més transcendència, tenint amb compte que el judici es l'acte que culmina el procés. Però no tots el projectes adoptats en l'àmbit de la e.justicia s'han desenvolupat d'una manera integral ni han arribat a la totalitat dels òrgans judicials. L'objectiu final es assolir una Justícia més àgil i de qualitat, al que aspira el Pla Estratègic de Modernització de la Justícia 2009-2012 aprovat recentment.
En referència a la segona perspectiva, no hi ha dubte que l´Ordenament jurídic i els tribunals, en l'àmbit de la justícia material, donen plena validesa i eficàcia al document electrònic. La nostra línia d'investigació es justifica perquè cada vegada son més el processos que incorporen suports electrònics de tot tipus, ja sigui quant es planteja l'acció o posteriorment como a medi de prova (art. 299.2 LEC). Entre altres temes examinem el document informàtic, la problemàtica que envolta al fax, els sistemes de videogravació i el contracte electrònic.
The thesis seeks to analyse, on the one hand, the integration and development of the new technologies in the Administration of Justice; and, on the other, the parameters which constitute the validity and efficiency of the electronic document.
The first question centres on the configuration of the Information Systems of the Judicial Office and the Public Prosecutor, as well as the computerisation of the Civil Registers, where the art. 230 LOPJ it's the part key. Their programmes, applications, the Video Conferencing, the judicial registers and the telecommunication networks which are covered by the recognised electronic signatures, are studied, where the agreements on technological collaboration gain great relevance. The digitalisation of evidence might perhaps be one of the questions with most consequence, bearing in mind that the judgment is the act by which the process is culminated. Although not all the projects adopted within the compass of e.justice have developed completely nor have reached all the judicial organs. The final objective is to achieve an agile, quality Justice, to which the recently approved Strategic Plan for the Modernisation of Justice aspires.
With reference to the second perspective, there is no doubt that the juridical Ordinance and the tribunals within the compass of material justice grant full validity and efficacy to the electronic document. Our line of investigation is justified because there are more and more processes which are sustained by electronic supports of all kinds, whether it be at the establishment of the action or later, as a proof of it (art. 299.2 LEC). Amongst other things, we examine the computerised document, the problems which surround the fax, the systems for video recording and the electronic contract.

碩士
南華大學
歐洲研究所
94
The tradition of human rights in Europe is always important. The theory and the idea of personal data protection, which belong to the idea of right of privacy, then become a new page of this European human rights tradition. Under the norm of Council of Europe''s "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" and "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data" of European Union, the position of the personal data protection and the free movement of such data in Europe then become the "European way". Moreover, these data become practicable on the actually enforcement and related judgments. 　 　　In the specific sector, owing to the potential sensitivity of medical data and police data, the balance of public welfare and private rights then obviously become more important than other kinds of personal data. Therefore, this thesis will discuss these two sectors and finds that the importance in Europe. On the other hand, due to the fast change of Internet trend, the tradition researches of personal data protection have become a defect. Hence, that is another sector we will discuss in this thesis. 　 　　In Taiwan, the conduct is not as advanced as that in Europe---both to legislation and carrying out. In addition, because of the conservative character of "Computer-processed Personal Data Protection Law" in Taiwan, the conduct in our country becomes less practicable and does not have enough protection. Taiwan should pay more attention to human rights besides considering the entirety economy or administration efficiency when making policy in order to avoid becoming the last of the past imperialism or autocratic period.

Defence date: 19 September 2016
Examining Board: Professor Sven Steinmo, European University Institute (Supervisor); Professor Alexander Trechsel, European University Institute; Professor Henry Farrell, George Washington University; Professor Bastiaan Van Apeldoorn, Vrije Universiteit Amsterdam
This dissertation is a collection of three stand-alone papers each making distinct contributions and addressing different, but closely related, empirical puzzles that contribute to the literature on Internet privacy. The first article starts by exploring some of the tangible consequences of the Snowden revelations and challenges the common-wisdom culturalist theories of Europe’s privacy regime. Then, the second article offers a new explanation of the origins of America’s privacy framework that also defies conventional culturalist explanations. Finally, the third article closes by offering a novel implementation and policy design analysis of the American and European privacy regimes. Each article employs slightly different research methods and uses different yet compatible and complementary theoretical frameworks. In general, this dissertation adopts an institutionalist perspective studying how and why certain institutions change, and “why some flourish in some context and/or why some die out in others” (Steinmo, 2003a). The first article focuses on institutional reform, and resistance to institutional reform by corporate actors, following Culpepper’s quiet politics framework (2011). The second article, borrowing from Steinmo (2003b) and Blyth (2002, 2011), discusses the interaction between ideas and institutions, following perhaps the clearest institutionalist narrative of all the pieces of this dissertation. The third article, building on Rothstein’s general theory on implementation (Rothstein, 1998) discusses the implementation and policy design of the European and American institutions for the protection of privacy.

Dissertação de mestrado em Direito dos Negócios Europeu e Transnacional
The theme of this dissertation refers to the convergence between competition and the legal environment of data protection: protecting startups through the study of a fair competition mechanism. The development of science is based on obtaining results that allow validating hypotheses about a given event or fact, present or not in society. The specific objectives seek to present and highlight the role of data in the economy and on the internet, as well as to highlight the right of jurisdiction according to the European Union, in addition to addressing data protection and competition law in the European Union, and finally, present the abuse of dominant position of the technology titans in the current context. Finally, the present work leaves the topic open, proposing that a new research be carried out in the future, in order to contextualize the themes addressed here. Along with this new research, it is suggested to carry out a case study, for which a comparative study between European legislation on data protection law with Brazilian law is proposed.
O tema deste trabalho refere-se à convergência entre a concorrência e o ambiente jurídico da proteção de dados: protegendo as startups através do estudo de um mecanismo de concorrência leal. O desenvolvimento da ciência baseia-se na obtenção de resultados que permitem validar hipóteses sobre um dado evento ou fato, presente ou não na sociedade. Os objetivos específicos buscam apresentar e destacar o papel dos dados na economia e na internet, bem como evidenciar e salientar o direito de competência segundo a União Europeia, além de abordar a proteção de dados e direito da concorrência na União Europeia, e por fim, apresentar o abuso de domínio dos titãs da tecnologia no contexto atual. Por fim, o presente trabalho deixa o tema em aberto, propondo que no futuro se realize uma nova pesquisa, com a finalidade de contextualizar os temas aqui abordados. Juntamente com esta nova pesquisa, sugere-se a realização de um estudo de caso, para o qual propõe-se um estudo comparativo entre as legislações europeias sobre o direito de proteção de dados com a legislação brasileira.

Defence date: 6 July 2011
Examining Board: Professor Giovanni Sartor, European University Institute (EUI Supervisor); Prof. Andrew Murray, London School of Economics and Political Science; Prof. Hans-W. Mickltz, European University Institute; Dr. Alfonso Scirocco European Economic and Social Committee
PDF of thesis uploaded from the Library digital archive of EUI PhD theses
In the context of the continuous advance of information technologies and biomedicine, and of the creation of economic blocs, this thesis is devoted to the analysis of the role data protection plays in the integration of markets, with a special emphasis on financial and insurance services. Moreover, it is also concerned with the identification of differences in the data protection systems of EU member states and with the development of common standards and principles of data protection that could help to build a data protection model for Mercosur, keeping in mind the need to establish a high level of data protection without creating unnecessary constraints for the flow of information. The thesis is divided into four parts. The first one deals with the evolution of the right to privacy, focusing on the last few decades, taking into account the development of new technologies. In this part an analysis of the European framework of data protection and of its standards developed is carried out. Then, in the second part, the interaction between data protection and the industries selected as case studies, namely insurance, bank and credit reporting, is discussed. This discussion concentrates on specific issues, such as generalisation and discrimination, adverse selection and the processing of sensitive and genetic data. The focus of the third part is the analysis of the legislation of three EU member states (France, Italy and UK). In order to perform this comparative exercise, some important issues are taken into account: the concepts of personal and anonymous data, data protection principles, the role of the data protection authorities, the role of the data protection officer, data subjects’ rights, the processing of sensitive data, the processing of genetic data and the experience of the case studies in processing data. Moreover, issues related to the specific member states are also considered. Subsequently to the comparative analysis, some recommendations are proposed for updating EU legislation on data protection, so as to reduce the barriers to the establishment of an internal market, mainly for financial and insurance services. Finally, the proposal of a model for data protection that could be adopted by Mercosur, taking into account the different levels of data protection that exist in its member states, is conducted in the last part. The thesis concludes by emphasising the important role data protection can play in the process of markets’ integration.

Defence date: 8 June 2015
Examining Board: Professor Marise Cremona, European University Institute (Supervisor); Professor Gregorio Garzón Clariana, Autonomous University of Barcelona; Dr. Maria O’Neill, University of Abertay Dundee; Professor Martin Scheinin, European University Institute.
This thesis seeks to examine the existing EU frameworks for data-sharing for law enforcement purposes, both within the EU and between the EU and third countries, the data protection challenges to which these give rise, and the possible responses to those challenges at both EU and global levels. The analysis follows a bottom-up approach, starting with an examination of the EU internal data-sharing instruments. After that, it studies the data transfers conducted under the scope of an international agreement; and finally, it concludes by discussing the current international initiatives for creating universal data protection standards. As for the EU data-sharing instruments, this thesis demonstrates that these systems present shortcomings with regard to their implementation and usage. Moreover, each instrument has its own provisions on data protection and, despite the adoption of a Framework Decision in 2008, this has not brought about a convergence of data protection rules in the JHA field. A similar multiplicity of instruments is also found when the EU transfers data to third countries for the purpose of preventing and combating crimes. This is evident from examining the existing data-sharing agreements between the EU and the US. Each agreement has a section on data protection and data security rules, which again differ from the general clauses of the 2008 Framework Decision. This study demonstrates the influence of US interests on such agreements, as well as on the ongoing negotiations for an umbrella EU-US Data Protection Agreement. One possible way to ensure a high level of EU data protection standards in the field of law enforcement in the face of US pressure is by enhancing the role of Europol. This EU Agency shares information with EU member states and third countries. This thesis demonstrates that Europol has a full-fledged data protection framework, which is stronger than most of the member states’ privacy laws. However, taking Europol rules as a reference for global standards would only partially achieve the desired result. The exchange of data for security purposes does not only involve law enforcement authorities, but also intelligence services. The recent NSA revelations have shown that the programmes used by these bodies to collect and process data can be far more intrusive and secretive than any current law enforcement system. In view of the above, this thesis explores the potential of CoE Convention 108 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and ii the Cybercrime Convention as the basis for a global regime for data protection in law enforcement. This thesis concludes that an optimum global data protection framework would entail a combination of the 108 CoE Data Protection Convention and the Cybercrime Convention. The cumulative effect of these two legal instruments would bind both law enforcement and intelligence services in the processing of data. In sum, by promoting the Europol approach to data protection and existing Council of Europe rules, the EU could play a crucial role in the creation of global data protection standards.

Dissertação de Mestrado em Direito apresentada à Faculdade de Direito
O presente trabalho vislumbra, por intermédio de pesquisa bibliográfica, cotejar as legislações gerais de proteção de dados pessoais existentes no contexto mercosulino com a experiência europeia e, especificamente, com o Regulamento (UE) 2016/679, do Parlamento Europeu e do Conselho. A sociedade contemporânea organiza-se em rede, é desprovida de relações verticais e centrais de poder e resta instrumentalizada pelas tecnologias de informação e comunicação. Explica-se. A tecnologia de informação “desintegrou” o Estado com a formação de redes e, por conseguinte, descentralizou as referências de controle e monitoração. Com a coleta de dados pessoais, empresas comerciais e organizações (sem se excluir os Estados) criam mercados para transferência dessas informações. Ora, os dados são considerados insumo da economia digital. Esses, disponibilizados voluntariamente ou coletados, expõem respectivos titulares a riscos ainda inimagináveis e imensuráveis. Pergunta-se: Qual a destinação desses dados? Quais os objetivos subscritos? Quem possui acesso às informações? Qual o valor da privacidade e da liberdade dos indivíduos? Por quanto vendem esses perfis de pessoas que sequer se percebem nesse mercado? O desconhecimento acerca dos responsáveis, dos gestores e dos fins dessa monitoração indiscriminada e velada permeiam questões relentes entre proteção à privacidade, eficiência do Mercado e democracia. Sob a perspectiva descentralizada de poder vigente, a dificuldade e a necessidade de se repensar a regulamentação aplicada a um ambiente partilhado por agentes públicos (governamentais) e particulares é urgente. Enquanto ambiente ubíquo, o ciberespaço desafia juristas na medida em que mitiga a soberania estatal. Para além, a preocupação com a sedimentação de pilares mínimos de proteção e com a fomentação de uma cultura com axiomas correspondentes faz-se presente. Isto posto, perante a perquirição de eventuais respostas e de desenlace desses obstáculos, somando-se possíveis dúvidas concernente aos benefícios de conglomeração e homogeneização de solução jurídica, analisar-se-ão os diplomas dedicados à proteção de dados pessoais junto aos países membros e associados do Mercosul, reitera-se, à luz do modelo europeu.
This thesis, through bibliographic research, intends to compare the prevalent general legislation of personal data in the Mercosur context with the European experience, particularly concerning the Regulation (EU) 2016/679 of the European Parliament and of the Council. The contemporary society organizes itself in a network, it is devoid of vertical relations and central power and remains instrumented by the technologies of information and communication. Explaining: information technology has "disintegrated" the state by building networks and, therefore, decentralizing the references of control and monitoring. Based on personal data collection, commercial companies and organizations (without excluding states) have created markets to transfer this information. Data are considered the main input of the digital economy; they can be provided voluntarily or not and may expose their holders to unimaginable and immeasurable risks. We should ask ourselves: What is the destination of this data? What are the objectives? Who has access to the information? What is the value of privacy and the freedom of individuals? How much do these profiles of people who do not even notice themselves in this market, economically worth? The lack of knowledge about the responsible parties, about the managers and the purposes of this indiscriminate and disguised monitoring, permeate issues that are between privacy protection, market efficiency, and democracy. From the decentralized perspective of effective power, the difficulty and the need to rethink the regulation applied to an environment shared by public (governmental) and private agents is urgent. As a ubiquitous environment, cyberspace challenges lawyers as far as it mitigates state sovereignty. Furthermore, there is a concern regarding the establishment of essential pillars of protection and to an incitement to a culture of a correspondent axiom. Therefore, in view of the possible answers and overcoming these obstacles, adding possible doubts concerning the benefits of conglomeration and homogenization of legal solution, we proposed to analyze the law dedicated to the protection of personal data in Mercosur member and associated countries, reiterates, in light of the European model.

Supervisor: Prof. Giovanni Sartor, EUI
Award date: 13 February 2012
PDF of thesis uploaded from the Library digital archive of EUI PhD theses
Cybercrime and cyber-security are attracting increasing attention, both for the relevance of Critical Information Infrastructure to the national economy, and the interplay of the policies tackling them with ‘ICT sensitive’ liberties, such as privacy and data protection. As such, the subject falls in the ‘security vs. privacy’ debate. The objective of this study is twofold. On the one hand, it is descriptive: it aims to cast light on the (legal substantive) nature of, and relationship between, cybercrime and cyber security, which are currently ‘terms of hype’. On the other, it explores the possibility of reconciling data protection and privacy with the prevention of cybercrime and the pursuit of a cyber-security policy, and therefore wishes to explore causation. The latter is a subset of the wider question of whether it is possible to build ‘human rights by design’, i.e. a security policy that reconciles both security and human rights. I argue that narrow or online crimes and broad or off-line crimes are profoundly different in terms of underlying logics while facing the same procedural challenges, and that only narrow cybercrime pertains to cyber-security, understood as a policy. Yet, the current policy debate is focussing too much on broad cybercrimes, thus biasing the debate over the best means to tackle ICT-based crimes and challenging the liberties involved. I then claim that the implementation of data protection principles in a cyber-security policy can act as a proxy to reduce cyber threats, and in particular (narrow) cybercrime, provided that the following caveats are respected: i) we privilege a technical computer security notion; ii) we update the data protection legislation (in particular the understanding of personal data); and iii) we adopt a core-periphery approach to human rights. The study focuses on the EU. Due to time constraints, the interaction between privacy and data protection and other liberties involved, as well as purely procedural issues are outside of the scope of this research.

In present-day society more and more personal information is being collected. The nature of the collection has also changed: more sensitive and potentially prejudicial information is collected. The advent of computers and the development of new telecommunications technology, linking computers in networks (principally the Internet) and enabling the transfer of information between computer systems, have made information increasingly important, and boosted the collection and use of personal information. The risks inherent in the processing of personal information are that the data may be inaccurate, incomplete or irrelevant, accessed or disclosed without authorisation, used for a purpose other than that for which they were collected, or destroyed. The processing of personal information poses a threat to a person's right to privacy. The right to identity is also infringed when incorrect or misleading information relating to a person is processed. In response to the problem of the invasion of the right to privacy by the processing of personal information, many countries have adopted "data protection" laws. Since the common law in South Africa does not provide adequate protection for personal data, data protection legislation is also required. This study is undertaken from a private law perspective. However, since privacy is also protected as a fundamental right, the influence of constitutional law on data protection is also considered. After analysing different foreign data protection laws and legal instruments, a set of core data protection principles is identified. In addition, certain general legal principles that should form the basis of any statutory data protection legislation in South Africa are proposed. Following an analysis of the theoretical basis for data protection in South African private law, the current position as regards data protection in South-Africa is analysed and measured against the principles identified. The conclusion arrived at is that the current South African acts can all be considered to be steps in the right direction, but not complete solutions. Further legislation incorporating internationally accepted data protection principles is therefore necessary. The elements that should be incorporated in a data protection regime are discussed.
Jurisprudence
LL. D. (Jurisprudence)

碩士
國立清華大學
科技法律研究所
93
Abstract The prevalence of internet and advanced telecommunication technology has cause a serious problem on personal data protection. In Taiwan, the problem of unwanted disclosure of personal data has caused a great social cost and drew the attention of all citizens recently. In Europe, the problem has been earlier noticed and certain laws and regulations have been established. The European Data Protection Directive is known as one of the most advanced regulations on the personal data protection all over the world. However, after ten years of enforcement, they still found a great insufficiency on the work of protecting personal data. In the assessment report published by the European Commission, it is indicated that the law itself indeed has an adequate level of norm, but the problems on the execution, on contrary, is the major factor caused the insufficiency. Concerning the importance of the personal data protection in modern society, this research would like to evaluate the personal data protection system in EU and take UK as and example on the implementation of EU Directive. We will mainly focus on the aspects of execution and supervision, and hope to find out better solutions on completing the personal data protection system. In order to obtain the latest information and practically observe the execution of Data Protection work, a great part of this research is done in Queen Mary, University of London, and the research program is supported by Ministry of Education of Taiwan. Here an explanation must be made. Due to the acquirement of EU Data Protection Directive 95/46/EC & UK Data Protection Act 1998 is relatively difficult in Taiwan, these two bills are enclosed in the appendix for readers’ convenience.

Digitisation had a profound impact on the creation, reproduction, and dissemination of works protected by copyright. Works in digital format are vulnerable to infringement, and technological protection measures are accordingly applied as protection. Technological protection measures can, however, easily be circumvented, and additional legal protection against circumvention was needed. Article 11 of the WIPO Copyright Treaty (the WCT) obliges Member States to provide adequate legal protection against the circumvention of technological measures applied to works protected by copyright. Contracting parties must refine the provisions of Article 11 and provide for exceptions on the prohibition. Article 11 does not specify whether it pertains to only certain types of technological measures, nor does it prohibit the trafficking in circumvention devices. The United States implemented the provisions of Article 11 of the WCT through the Digital Millennium Copyright Act of 1998 (the DMCA). Section 1201 of the DMCA prohibits the circumvention of technological measures. It is detailed and relates to two categories of technological measures - access control and copy control. It prohibits not only the act of circumvention, but also the trafficking in circumvention devices. Article 6 of the EC Directive on the Harmonisation of Certain Aspects of Copyright and Related Rights in the Information Society of 2001 implements Article 11 of the WCT. Article 6 seeks to protect Aeffective technological measures@. It prohibits both the act of circumvention and circumvention devices. Although Article 11 of the WCT is silent on the issue of access control, it seems as if the international trend is to provide legal protection to access controls, thus indirectly creating a right to control access. South Africa has not yet implemented Article 11 of the WCT. The South African Copyright Act of 1979 does not protect technological protection measures. The Electronic Communications and Transactions Act of 2002 (the ECT Act) provides protection against the circumvention of technological protection measures applied to digital data. The definition of Adata@ is such that it could include protected works. If applied to protected works, the anti-circumvention provisions of the ECT Act would be detrimental to user privileges. As developing country, it seems to be in South Africa's best interest to the implement the provisions of Article 11 in such a manner that it still allows users access to and legitimate use of works protected by copyright.
Jurisprudence
LL.D.

Defence date: 13 June 2012
Examining Board: Professor Martin Scheinin, European University Institute (EUI Supervisor); Professor Valsamis Mitsilegas, Queen Mary University of London; Professor Tuomas Ojanen, University of Helsinki; Professor Giovanni Sartor, European University Institute.
First made available online: 25 August 2021
This thesis examines the added value of the fundamental right to data protection within the EU legal order when law enforcement measures are at stake. It provides a comprehensive analysis of the concept of data protection, its underlying values and aims, and the approaches to this right. It discusses the current theories and the existing case-law on data protection by identifying their shortcomings. It introduces a new theory on data protection that reconstructs the right and reshapes in a clear and comprehensive manner its understanding. The thesis tests the added value of the ‘reconstructed’ right to data protection in the most difficult context: law enforcement and counter-terrorism. Three specific case-studies of data processing in the field of law enforcement are used: 1) the information collection 2) the information storage and, 3) the information transfer case. The information collection case discusses the EU Data Retention Directive and addresses the conceptual confusions between the rights to privacy and data protection that surround it, before turning to a substantive fundamental rights assessment of the Directive. The information storage case examines the added value of the fundamental right to data protection in the context of the access of law enforcement authorities to information stored on EU-scale databases such as the second generation Schengen Information System (SIS II), the Visa Information System (VIS) and Eurodac. Finally, the information transfer case discusses the role of the rights to privacy and data protection with regard to the transfer of data from the EU to the US for counterterrorism purposes. In this context, it addresses the EU-US PNR and TFTP cases.

As the number of pensioners in Europe rises relative to the number of people in employment, the gap between the contributions and the benefit levels increases, and consequently ensuring adequate pensions on a sustainable basis has become a major challenge. This study aims to explore the potential of using the Data Envelopment Analysis (DEA) technique in order to access the efficiency of the income protection in old age, one of the most important branches of Social Security. To this effect, we collected data from the 27 European Union Member States regarding this branch. Our results show important differences among the Member States and stress the importance of identifying best practices to achieve more adequate, sustainable and modernised pension systems. Our results also highlight the importance of using DEA as a decision support tool for policy makers.
O aumento do número de pensionistas na Europa comparativamente com o número de pessoas empregadas, tem feito com que a diferença entre as contribuições para os sistemas de segurança social por parte dos trabalhadores e as pensões pagas por estes sistemas aos pensionistas tenha vindo a agravar-se. Consequentemente, garantir pensões adequadas numa base sustentável tornou-se um enorme desafio para os estados membros da União Europeia. Este estudo tem como objetivo principal explorar o potencial do Data Envelopment Analysis (DEA) para avaliar a eficiência dos sistemas de pensões, um dos ramos mais importantes da Segurança Social dos países industrializados. Para o efeito, foram recolhidos dados dos 27 países da União Europeia relativamente a esta área. Os resultados obtidos revelam diferenças significativas na eficiência dos sistemas de pensões dos 27 países da União Europeia e salientam a importância de se identificarem as melhores práticas nesta área a fim de se desenvolverem sistemas de pensões mais adequados, sustentáveis e modernos. Os resultados alcançados também denotam a importância do DEA como instrumento de apoio aos decisores politicos.

Dissertação de Mestrado em Ciências Jurídico-Forenses apresentada à Faculdade de Direito
This dissertation, made in an era when the technological development poses a challenge to fundamental rights, intends to frame and analyze the new Regulation (EU) 2016/679, from the European Parliament and the Council of 27th April 2016 (General Data Protection Regulation).For that purpose, the work was split in two parts. Upstream, data protection as a fundamental right, the target of a concise legislative evolution, from which GDPR was born.In fact, it was based on the ECHR and the Convention 108, amidst the Council of Europe, that the European Union and the European countries developed the right to data protection. In the Portuguese case, it was even constitutionally elevated (through article 35 of the Portuguese constitution), and in the European Union law through the Directive 95/46/CE, the basis of the current outlook of the data protection law.That directive, although with new solutions, was unable to achieve the harmonization that was wished for. The solution was for the European Parliament and Council to use article 16 TFEU to approve the General Data Protection Regulation, directly applicable in the Member-states, which had the main purpose of centralizing the rules insofar as to promote the protection of individual persons as to their personal data processing and free movement of those data. Hence, in a second moment the innovations brought by GDPR, which affect all the economic agents, are presented. GDPR encompasses much of what were already the rights and obligations enshrined in the former directive. The essential differences are found in the sanctions framework (20 Million euros or 4% of turnover) and accountability, which forced many companies to worry about the topic for the first time.Therefore, what GDPR demands is an attitude shift of all economic agents: Citizens, Organizations and State, in order to promote the awareness of a true right to personal data protection.
A presente dissertação, encetada numa época em que o desenvolvimento tecnológico desafia os direitos fundamentais, pretende enquadrar e analisar o novo Regulamento (UE) 2016/679 do Parlamento Europeu e do Conselho de 27 de abril de 2016 (Regulamento Geral de Proteção de Dados Pessoais).Para tanto foi levado a cabo a divisão em duas partes do presente trabalho. A montante, a proteção de dados enquanto direito fundamental e alvo de uma evolução legislativa concisa, por força da qual surgiu o RGPD.De facto, foi com base na CEDH e na Convenção 108, no contexto do Conselho da Europa, que a União Europeia e os países da Europa desenvolveram o direito à proteção de dados. No caso de Portugal, consagrando inclusive constitucionalmente (através do artigo 35.º da CRP), e no âmbito da Direito da União Europeia através da Diretiva 95/46/CE, a base para o atual panorama do direito da proteção de dados. Essa diretiva, embora inovatória, não conseguiu atingir a harmonização pretendida. A solução foi o Parlamento Europeu e o Conselho socorrem-se da base legal do art. 16.º do TFUE e aprovarem o Regulamento Geral de Proteção de Dados, diretamente aplicável nos Estados-Membros, que teve como objetivo primário a centralização normativa de modo a fomentar a proteção das pessoas singulares no que diz respeito ao tratamento de dados pessoais e à livre circulação desses dados.Daí que num segundo momento são apresentadas as inovações que o RGPD trouxe e que afetam todos os agentes económicos. O RGPD incorpora muito daquilo que já eram os direitos e obrigações consagrados na anterior diretiva. As diferenças essenciais encontram-se no modelo sancionatório (20 milhões de euros ou 4% da faturação anual) e a autorresponsabilização, que obrigaram muitas empresas a preocuparem-se com o tema pela primeira vez.Assim, o RGPD o que exige é uma mudança de atitude por parte de todos os agentes económicos: Cidadãos, Organizações e Estado, para que se consiga promover a sensibilização e a compreensão da existência de um verdadeiro direito à proteção de dados pessoais.

Technological developments and massive use of the Internet pose serious problems for the protection of people personal data. It is therefore necessary to delimitate and understand the right to protection of personal data, distinguishing it from the traditional right to privacy and defining it according to the legal sources of International Law, European Union Law and National Law. The evolution of the right to data protection in European Union Law has been progressive and deserves some emphasis and study, to better understand the current framework of the protection regime of personal data. The main focus of this analysis is the European context, since in 2018 the General Data Protection Regulation of the European Union will come into force, which will have a direct effect in the Member States. This investigation is enacted from a Fundamental Rights perspective, in which the nature of the right to data protection as a true Fundamental Right should be concretized. In this context, several questions and problems are raised, which are differently approached, by assorted sectors of the doctrine. Likewise, some case-law of the European Courts and the relevant legislation are analyzed. If there is a legitimate condition for a processing of personal data, the general guiding principles of these operations must be respected. The content of the right to data protection should therefore be examined, and encompasses, in general, several legal positions such as rights of the data subjects and obligations for data controllers.
A evolução tecnológica e a utilização maciça da Internet colocam graves problemas quanto à proteção dos dados pessoais das pessoas. Assim, urge delimitar e entender o direito à proteção de dados pessoais, distinguindo-o do tradicional direito à privacidade e definindo-o de acordo com as fontes jurídicas de Direito Internacional, Direito da União Europeia e Direito nacional. A evolução do direito à proteção de dados no Direito da União Europeu foi progressiva e merece algum destaque e estudo, para que melhor se compreenda o atual enquadramento do regime de proteção de dados pessoais. O principal foco desta análise prende-se com o contexto europeu, uma vez que, em 2018, entrará em vigor um Regulamento Geral da União Europeia sobre a proteção de dados pessoais, o qual terá efeito direto nos Estados-Membros. A investigação é efetuada de uma perspetiva de Direitos Fundamentais, na qual se deverá concretizar a natureza do direito à proteção de dados como verdadeiro Direito Fundamental. Neste âmbito, são suscitadas diversas questões e problemas, as quais são abordadas de modo diferente, por diversos setores da doutrina. Da mesma forma, é analisada alguma jurisprudência dos Tribunais europeus e a relevante legislação. Existindo uma condição legitimante de um tratamento de dados pessoais, devem respeitar-se todos os princípios gerais orientadores destas operações. Deve, então, analisar-se o conteúdo do direito à proteção de dados, que engloba, em geral, diversas posições jurídicas como direitos dos titulares dos dados e deveres para os responsáveis pelo tratamento.

Dissertação com vista à obtenção do grau de Mestre em Direito na especialidade de Direito Internacional e Europeu
Denominada “A Adequação do Sistema Brasileiro de Proteção de Dados Pessoais ao Regime das Transferências Europeu”, a presente dissertação tem por objetivo esclarecer, após os seus recentes esforços legislativos e diplomáticos, se é o Brasil merecedor de uma declaração de existência de grau de proteção adequado aos dados pessoais das pessoas singulares no âmbito da Comissão Europeia. A primeira parte do trabalho busca fundamentar a importância econômica dos fluxos internacionais de dados entre Brasil e Europa no contexto da Sociedade em Rede, analisando através de uma perspectiva histórica de que forma a tecnologia da informação deu origem a um modelo de sociedade baseado nos dados e alterou o que se entende por “valor” em um cenário econômico globalizado. A segunda parte pretende demonstrar como surgiram as bases principiológicas que originaram e conceituaram um Direito Fundamental Autônomo à Proteção de Dados Pessoais, mediante o embate entre os Direitos à Privacidade, Liberdade e Transparência, sendo explorados também riscos e limitações a esses direitos no Século XXI. A terceira parte descreve o percurso normativo do Direito à Proteção de Dados Pessoais na Europa, em Portugal e no Brasil, apontando fatores de convergência e divergência entre a legislação europeia e a brasileira. A quarta e última parte da presente dissertação objetiva responder a sua questão central por meio da análise comparativa entre o regime das transferências internacionais brasileiro e europeu. Além disso, são apresentados os principais desafios à livre circulação dos dados no contexto transnacional por meio de um estudo de caso da regulação euroamericana sobre a matéria e sua saga jurisprudencial, apontando aprendizados e perspectivas para a adequação do ordenamento brasileiro.
Entitled “The Adequacy of Brazilian Data Protection System to European Data Transfer Regulation”, the present dissertation aims to clarify if is Brazil worthy of an adequacy decision by the European Commission on Its degree of data protection of natural people after the recent legislative and diplomatic efforts. The first part of this work seeks to justify the economic importance of the transborder data flows between Brazil and European Union on the context of Network Society, analyzing on a historic perspective how the information technology gave birth to a model of society based on data and modified the concept of “value” on a globalized economic landscape. The second part intends to demonstrate how were design the principles that originate and defined an autonomous Fundamental Right to Data Protection, upon the clash of the Rights to Privacy, Liberty and Transparency, also exploring the risks and limitations to that Right on the Twenty-first Century. The Third Part describes the normative course of the Right to Data Protection on Europe, Portugal and Brazil, pointing convergence and divergence factors between European and Brazilian legislation. The Fourth and final part of this dissertation aims to answer Its central question using a comparative analysis of the European and the Brazilian Data Transfer Regulation. Besides that, there are presented the main challenges to free data flow on the transnational context through the case of study on Transatlantic Data Transfer Regulation and Its Jurisprudential saga, pointing lessons and perspectives to the adequacy of Brazilian legal order.

Data protection in the EU - Biometric data The main aim of this thesis is to deal with the data protection in connection with the biometric data. In the first chapter, the author of this work deals with the historical context. The right to privacy even nowadays represents the solid ground of the data protection. Therefore, its de- limitation and subsequent connection with the data privacy is of an upmost importance for a proper understanding of this problematics. The author also deals with the data protection not only in the european context, but also with the disunited legislation in the US, where a legisla- tion in the context of general data protection regulation is absent. The second chapter mainly dealt with stating the general legal principles and their rel- evance to the legal order as well as with the special principles laid down in the regulation, which are mandatory to be upheld. The third chapter dealt with the term of personal data. Moreover, it was also important to define the other terms, which goes hand in hand with the personal data term. Therefore, anonymous data as a personal data, which went through the anonymisation process, as well as the special category of personal data, which represents the fundament of the problematics of the biometric data and lastly also the term of data...

The purpose of my thesis is to analyse a development of technologies in comparison with the protection of personal data on the internet under law of the EU. However, it would not be possible to describe every single technology and its reflection in law of the EU. Therefore, the thesis is mainly focused on two most significant internet technologies - cookies and cloud computing. The key for selection of the most important representative technologies was especially a frequency of their use. The thesis is composed of two main chapters, each of them dealing with different aspects of the development of technologies in comparison with protection of personal data on the internet under law of the EU. Chapter One is introductory and defines basic terminology used in the thesis under applicable law of the EU. The chapter is subdivided into two parts. Part One describes personal data and its role in applicable law of the EU. Part Two deals with the specific technologies - cookies and cloud computing. This part particularly points out risks of these technologies and provides possible solutions. Chapter Two analyzes the upcoming reform of data protection in EU. The chapter is mainly focused on proposal for General Data Protection Regulation, which could dramatically change the protection of personal data on the...