Volume 4 (2021)

Each volume of Journal of Data Protection & Privacy consists of four 100-page issues.

The articles published in Volume 4 are listed below.

Volume 4 Number 4

  • Editorial: Is it time to refresh our understanding of ‘privacy’ post-COVID-19?
    Ardi Kolah, Founding Editor-in-Chief, Journal of Data Protection & Privacy
  • Practice papers:
    Protection of children’s personal data and where reforms are needed
    Susan Raab, Managing Partner, Customer Data Platform Institute

    This paper explores the world of children’s data. This area is garnering global attention due to its complexity and is rapidly changing. We will look at children’s data laws and collection in the United States as an example of how longtime child protective laws are compared with newer legislation in the European Union (EU), United Kingdom and other jurisdictions. This microcosm offers a window into many aspects of data governance, which affects adults as well. This is because data collected on children touches all aspects of society, education, healthcare, sports and recreation, and also impacts what is known about their families. Children’s data is an especially vulnerable link in the data ecosystem and is often misappropriated and used to access large amounts of consumer data without the knowledge of those consumers. Ignoring this is risky, and regulating this area is complex. The paper looks at how children’s rights have been viewed historically, including by the United Nations Convention on the Rights of the Child (UNCRC), which established core principles and by example, the United States, which has overlapping laws in key youth sectors, education, online entertainment and health. We look at newer laws and guidance, including California Consumer Privacy Act (CCPA), EU’s General Data Protection Regulation (GDPR), UK’s Age Appropriate Design Code (AADC) and others in terms of how they perceive children’s rights and are addressing privacy threats that children face. While it is not comprehensive, this looks at how children’s privacy rights are regulated, what mechanisms can be used to support their rights and recommends what needs to be addressed going forwards.
    Keywords: children’s privacy, privacy, data protection

  • Dubai International Financial Centre’s Updated Data Protection Law, Part 2: Implementing a modern, global law in a UAE financial free zone
    Lori Baker, VP, Legal Affairs and Director of Data Protection, DIFC Authority

    The Dubai International Financial Centre (DIFC), purveyor of Data Protection Law, DIFC Law No. 5 of 2020, is the result of a legislative overhaul aimed at creating an environment of ethical data management. The Updated DP Law combines international data protection standards of the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act and others with innovative, new concepts that work for the DIFC’s FinTech/X-tech incubator. Ultimately, the goal is to obtain adequacy recognition by the European Commission. This paper is Part 2 in a series that tells us how such a law was created and how a small jurisdiction in the United Arab Emirates is making big strides in data protection.
    Keywords: data protection, DIFC, Middle East, UAE, adequacy

  • The EU GDPR and Nigeria’s NDPR: A comparative analysis
    Olumide Babalola, Managing Partner, Olumide Babalola LP, School of Law, University of Reading

    It is almost undeniable that the Nigeria Data Protection Regulation (NDPR) derives its inspiration from the European Union General Data Protection Regulation (GDPR). From its title to the contents, the NDPR mirrors its European counterpart in every material respect. Placing both legislation side by side, this paper attempts a comparative review of the similar yet asymmetric regulations. The paper critically analyses the NDPR’s scope, objectives and compliance mechanism vis-à-vis the GDPR’s by interrogating the draftsmen’s intention to arrive at a conclusion on the aptitude of the former.
    Keywords: data protection, European Union, GDPR, NDPR, Nigeria, privacy

  • General Data Protection Regulation (GDPR) ambiguity, national diversity and data protection officer certification: Implementing Art. 39(1) GDPR in France, Italy, Luxembourg and Spain
    Jacob Kornbeck, Policy Officer, European Commission, Youth Unit

    The General Data Protection Regulation (GDPR) of the European Union (EU) does not always make legally binding provisions with unambiguous implications. The implementation of Art. 39(1) GDPR regarding the certification of Data Protection Officers (DPOs) is left to the discretion of Member States. This paper will show what action has been taken by the national data protection authorities (DPAs) of France, Italy, Luxembourg and Spain. Insights gained from examining the four national frameworks, which are quite dissimilar in many ways, will be compared and contrasted. This will lead to a systematic and teleological interpretation, as well as to a more general discussion of GDPR ambiguity and the prospect of fragmentation through national implementation diversity. The paper will conclude with some thoughts on the need for controllers to invest in qualified staff to perform DPO roles, as well as some reflection on the human resources (HR) policies of DPAs.
    Keywords: Data Protection Officer, European Union, European Economic Area, access to professional practice, General Data Protection Regulation, national implementation, uniform application of Union law, formal learning, nonformal learning, (professional) competencies, skills, validation, recognition, mobility, free movement

  • Research papers
    Statistical analysis of relationships of US organisations’ size, popularity, age and location to frequency of data breaches
    Ohud Saud Alqahtani, Department of Information Systems, King Khalid University and Zhiyuan Chen, Department of Information Systems, University of Maryland Baltimore County

    Given the widespread occurrence of data breaches, it is useful for consumers to learn which factors of an organisation, for example, size, popularity or location, will contribute to increased data breach risks. Existing work on risk assessment requires detailed internal information of an information system, which is not available to the public. Furthermore, organisations typically do not want results of such analysis of their IT systems to be made public. This paper conducts comprehensive statistical analyses of the relationships between publicly available information to frequency of data breaches. The publicly available information includes size-related characteristics such as revenue, number of employees, population served and enrolment, popularity-related characteristics such as number of Google Search results, age of the organisation and location of the organisation. We used Pearson, Spearman and Kendall correlation analysis methods to test whether these characteristics are indicators for frequent data breaches for different types of US organisations. We also used linear regression to predict the frequency of data breaches. The results verified that many of these indicators have significant correlation to organisations’ frequency of data breaches. The result of this paper can help consumers make more informed decisions with respect to risks of data breaches.
    Keywords: data breaches; statistical analysis, correlation and multiple regression models, security and privacy

  • Reaching the tipping point: A critical analysis of the #deletefacebook movement
    Laura F. Bright, Associate Professor of Media Analytics, Kristen Leah Sussman, PhD Student and Gary B. Wilcox, John A. Beck Centennial Professor in Communication, Stan Richards School of Advertising & Public Relations, University of Texas at Austin

    Social media platforms have sustained increased scrutiny for their data management practices, spread of misinformation and the creation of consumer echo chambers. Chief among these platforms is Facebook. Yet, consumption of Facebook continues to grow. To understand this paradox, we use a dataset of unstructured text data to identify patterns within user-generated content (UGC) using the #deletefacebook hashtag. Nearly 1.5 million observations were used to identify themes and help paint a picture of the broader consumer concern relating to Facebook. The results show a continuing interest in the #deletefacebook topic as measured by volume over time. Using machine learning techniques, the text miner results identified topics which include privacy, consumer trust and wellbeing and politics of data security. Fear of missing out (FoMO) is provided as a theoretical explanation for why people continue using social media sites like Facebook. Themes related to social media fatigue, data management and ethics were also found in the UGC.
    Keywords: Social media consumption, social media usage, Facebook, language, user-generated content, natural language processing, computational social science

  • Book review
    ‘The Right to Be Forgotten: A Comparative Study of the Emergent Right’s Evolution and Application in Europe, the Americas, and Asia’
    Reviewed by Dr Jacob Kornbeck

     

Volume 4 Number 3

  • Editorial: Adequate sufficiency? The European Commission is about to decide to grant adequacy status to the United Kingdom, but concerns remain
    Ardi Kolah, Founding Editor-in-Chief, Journal of Data Protection & Privacy
  • Practice papers:
    China’s draft Personal Information Protection Law
    Lothar Determann, Baker McKenzie, San Francisco, Zhenyu (Jay) Ruan and Tingting Gao, Baker McKenzie FenXun (FTZ) Joint Operation Office and Jonathan Tam, Baker McKenzie, San Francisco

    In October 2020, China published a draft of the Personal Information Protection Law of the People’s Republic of China (PRC) for public comment. The draft law is intended to be the first consolidated and comprehensive law targeting the protection of personal information in China. If enacted in its current form, the law would introduce a suite of obligations that apply to organisations in both the private and public sectors and individuals that process Chinese residents’ personal information. The scope, structure and substance of the draft law not only resemble that of the European Union (EU) General Data Protection Regulation (GDPR) in a number of key ways but also diverge from the GDPR in many respects. The draft Chinese law also has some similarities with various US privacy laws, although the United States has not enacted a comprehensive federal privacy law that applies across the country. Despite the variations among the regimes of China, the EU and the United States, organisations that do business in these geographies can leverage the privacy compliance programmes they may have established for the United States and EU to prepare for the implementation of the draft Chinese Personal Information Protection Law. This paper summarizes the key requirements of the draft Chinese law and provides high-level observations regarding its similarities to and differences from the GDPR and key US privacy laws.
    Keywords: China, PRC, Personal Information Protection Law of the PRC, PRC Cybersecurity Law, PRC Data Security Law, Chinese privacy laws, Cyberspace Administration of China, comparative analysis, EU General Data Protection Regulation, California Consumer Privacy Act, Virginia Consumer Data Protection Act, US Health Insurance Portability and Accountability Act

  • International personal data transfer: An analysis of Brazil’s legal system and new LGPD under the adequacy standard of the EU GDPR
    Alexandre Serrano Rajagopalan, Imperial College Healthcare NHS Trust

    The international transfer of personal data is an issue of fundamental importance in data protection. The General Data Protection Regulation (GDPR) has conditioned all data flow to third countries to stringent alternative requirements, the most important of which being the existence of an adequacy decision made by the European Commission finding the level of data protection afforded by that third country to be equivalent to the one provided by the GDPR. This study aims to apply the adequacy standard, as established by the GDPR and interpreted by the Court of Justice of the European Union (CJEU), the Article 29 Working Party and the European Commission, in order to determine whether Brazil has the potential of obtaining a favourable decision from the European Commission. The country’s legal system and new Lei Geral de Proteção de Dados Pessoais (LGPD) were analysed, in depth, with a focus on the three elements the GDPR requires to be taken into account in the course of adequacy findings: a legal framework containing certain core elements, an independent supervisory authority and the international commitments of the country. The results indicate that Brazil’s legal system offers appropriate tools capable of providing data subjects with an adequate level of protection, which, subject to future regulation on the time limits for compliance with certain privacy rights, can be considered equivalent to the level of protection guaranteed by the GDPR. Such a finding, should it be confirmed by the European Commission in the future, would have the effect of allowing the transfer of personal data from Europe to Brazil.
    Keywords: data protection, GDPR, Brazil, LGPD, transfer adequacy

  • Effects of GDPR on the financial services sector in the Kingdom of Saudi Arabia
    Ali Polat, Department of Economics, College of Political Science, Ankara Yıldırım Beyazıt University

    Technological advances have enabled many traditional services to be transferred to an electronic environment, resulting in, among other things, an increasing number of communication channels between financial institutions and individuals. The upshot is that, individuals and entities have to share almost any kind of personal data. While the technology for data sharing and the demand for the data of both public and private sectors are increasing, the legislation on the protection of this data has not been able to grow at the same speed and scope. In the case of Saudi Arabia, there is an element of data protection under Sharia Principles in general, and there are some regulations punishing defined data breaches as per the related regulation. Although a new personal data protection law is under review by the Shura Council, it is not yet accepted. Meanwhile, in the European Union (EU), General Data Protection Regulation (GDPR) has been adopted as a regulation that will cover the whole EU and its citizens and corporates all over the world. While protecting personal data, this new framework imposes standards and certain sanctions for all individuals and institutions that process this data. This paper tries to provide a risk assessment of GDPR for the Kingdom of Saudi Arabia (KSA) and the requirement of a detailed data protection regulation that can be consistent with Sharia mainly due to the ‘maslahah’ principle and 2030 Vision.
    Keywords: GDPR, data protection, personal data protection law, European Union, Sharia, maslahah

  • Data breach liabilities of company directors
    Steve Wright, CEO and Partner, Privacy Culture and Ezgi Pilavci, Legal Counsel-Privacy, BCG and Certified Information Privacy Professional

    This paper shows that data protection falls under the fiduciary duties of board members, albeit they may not be expected to take an active part in the implementation phase; they must assure that employees are equipped with data protection and security awareness and their roles are allocated properly. It discusses how companies need to know how compliance management can be ‘reasonable, adequate, appropriate’ in practice. The first step is to know the needs of the organisation and address the risks. A simple oversight can cause material benefits, and therefore, data protection and privacy must be treated as a corporate governance issue.
    Keywords: data breach, security, directors’ liability, data protection, corporate governance

  • Freedom of expression and digital rights in social media: Challenges and risks
    Dr Konstantinos Kouroupis, Assistant Professor, European and Data Rights Law, Department of Law, Frederick University and Dimitrios Vagianos, Electrical and Computer Engineer, Laboratory Teaching Staff, Department of International and European Studies, University of Macedonia, Egnatia, Greece

    This paper deals with the issue of the growing powers of online platforms and social media in the new digital era and their impact on our privacy. Subsequently, on the occasion of the suspension of Donald Trump’s accounts by Facebook and Twitter, serious concerns arise regarding the protection of fundamental rights, such as the right to freedom of expression, in the online environment as well as the operational and organisational challenges in implementing and meeting privacy requirements. Through a comparative analysis of the European and international legal frameworks that cover the freedom of expression, this paper aims to demonstrate how to balance the rights, freedoms and interests of the individual against the challenges imposed by the ongoing technological evolutions. Moreover, ‘A Europe fit for the digital age’ is one of the most important priorities of the European Commission for the years 2019–24 and includes the promotion of technology and science in an open, democratic and sustainable digital society. Social media play a major role in the implementation of a fair and competitive digital economy as they constitute a forum of commerce and culture. The extent of their interference with our digital rights, however, is controversial. In addition, there is no complete and clear regulatory framework regarding their powers and operation. Therefore, the ultimate goal of the study is to propose fruitful solutions to the internet governance with respect to the consolidation of digital privacy and the deployment of technological tools, such as artificial intelligence.
    Keywords: freedom of expression, digital rights, social media, privacy, artificial intelligence, digital strategy, Digital Services Act

  • Research papers
    Exploring the privacy paradox among social media users in the United States
    Kelty Logan, Associate Professor, College of Media, Communication and Information, University of Colorado Boulder, Laura F. Bright, Associate Professor, Moody College of Communication, The University of Texas at Austin and Harsha Gangadharbatla, Associate Professor, College of Media, Communication and Information, University of Colorado Boulder

    Realising that voluntary compliance with online privacy disclosure increases access to consumer data, there is a need for marketers to better understand the key factors that contribute to the social media user’s tipping point — the point where a consumer would voluntarily adopt more stringent online privacy protocols or reduce engagement in social media. Adopting the theoretical framework of the protection motivation theory, this research tested existing cognitive measures (internet self-efficacy, content credibility, impression management and satisfaction with life) to determine if the measures mitigated or exacerbated social media users’ privacy concerns. The notion that personality correspondingly contributed to the personal assessment of privacy concerns was also tested. An online survey was fielded among 433 US participants. Observed variable multiple regressions were utilised to analyse the net effects of each variable on privacy concerns. The results of this study strongly suggest that there are user characteristics that align with the inclination to be concerned about privacy issues. Specifically, social media users who are sceptical regarding social media content and confident in their own abilities to protect their online data are likely to be more concerned about data privacy. The current research suggests that privacy concerns are attributable to rational concerns, which could include factors such as compensatory exchanges with advertisers and the amount of value placed on convenience and access over security. Implications for practitioners are provided.
    Keywords: privacy concerns, social media, protection motivation theory, value exchange, self-efficacy, credibility

  • The proportionality principle in privacy and data protection law
    Anna Popowicz – Pazdej, Privacy Lawyer, CIPP/E, Doctorate Researcher, University of Wroclaw

    The proportionality principle represents the most noticeable developments in contemporary privacy and data protection law serving as an effective tool to resolve conflicts with regard to fundamental rights. Although proportionality is a doctrinal tool, this mechanism can also serve as a precondition when implementing the new processing activities or law within the privacy and data protection area. It is undoubtedly a pervasive and familiar concept in European and, in particular, European Union (EU) Member State laws and within German legal theory and jurisprudence, proportionality is a well-developed principle. Therefore, this paper examines the application of the proportionality principle in German legal theory. Secondly, this framework will then broaden the perspective of interpretative challenges of proportionality principle within the ambit of the fundamental right to privacy and data protection in the EU framework. The aim is to assess the balance between these conflicting rights. Accordingly, this examination considers the mechanism of the proportionality test concerning the principle of data protection in EU law.
    Keywords: GDPR, privacy, data protection, proportionality principle, limitations, necessity test, Schrems II, Charter of Fundamental Rights

  • Book reviews:
    ‘Determann’s Field Guide to Data Privacy Law: International Corporate Compliance’
    Reviewed by Richard Preece
  • ‘Of Privacy and Power: The Transatlantic Struggle over Freedom and Security’
    Reviewed by Dr Jacob Kornbeck
  • ‘Data Protection Law in the EU: Roles, Responsibilities and Liability’
    Reviewed by Ardi Kolah

     

Volume 4 Number 2

  • Editorial: Working from home (WFH): The new privacy frontier
    Ardi Kolah, Founding Editor-in-Chief, Journal of Data Protection & Privacy
  • Practice papers:
    The Data Trust Model Proposes Individuals Can Control Their Data for Profit
    Susan Raab, Managing Partner, Customer Data Platform Institute

    This paper explores the concept of the data trust model as a way of giving individuals control over their personal data and potentially being compensated for use. We will look at the benefits and challenges of this model and how it fits with current regulation. Finally, the paper provides examples of how this model can be used and explores the question of whether the European Union (EU) Trusts Project is considering the data trust model to create a marketplace using EU citizen data.
    Keywords: data trust, data marketplace, data trustee, privacy, data protection

  • Unregulated drones and an emerging threat to right to privacy: A critical overview
    Nehaluddin Ahmad, Professor of Law, Sultan Sharif Ali Islamic University (UNISSA), Saurabh Chaturvedi, Professor and Dean School of Law, NMIMS University Mumbai and Ahmad Masum, Sr Assistant Professor, Faculty of Sharia and Law, Sultan Sharif Ali Islamic University (UNISSA)

    There is a huge question of whether current laws in different jurisdictions around the globe can adequately protect a population’s fundamental rights from the threats presented by drone technology. The market for drones is expanding rapidly. They offer certain attractive services, but the mere operation of these airborne machines poses great threats to people’s privacy and safety. Drones — also called unmanned aerial vehicles (UAVs) — are planes without a human pilot. Drones have been used by military organisations for over a decade, but in recent years their use in commercial and recreational capacities has been growing. They are, however, becoming a serious risk to citizens’ fundamental rights. This paper discusses UAVs’ technological capabilities and how they are beginning to affect fundamental rights of privacy. The paper identifies possible future directions in the fields of civilian security and privacy.
    Keywords: drone technology, privacy and safety, UAVs, fundamental rights

  • Data-related legislation and its implications for a country’s competitiveness: The perspective of the People’s Republic of China
    Yihan Dai, Associate Research Fellow, Faculty of International Law, East China University of Political Science and Law

    Data protection legislation could have far-reaching implications for a country’s competitiveness in today’s global digital economy, especially for the People’s Republic of China, which is extremely data rich because of its large population and the substantial number of active internet users. Chinese legislators appear to have intentionally left a viable space for the development of Big Data and new technologies and adopt two contradictory approaches towards the liberalisation of cross-border data transfer in the context of trade globalisation. This paper discusses how the two contradictory approaches reflect a lack of policy coherence in the field of cross-border data transfer that will probably lead to ‘policy failures’.
    Keywords: data protection laws, PRC’s data privacy legislation, internet censorship

  • Personal data protection in the credit-scoring industry of China
    Arlene Zhang, Researcher, Data Law Research Center & Cyber Law Research Institute (Shanghai & Hangzhou)

    China accounts for nearly half of the global digital payment market and three quarters of online lending transactions. With personal data as the new collateral, leaders now use alternative data (traceable personal information related to e-commerce sites, apps) to make decisions on investing and lending, instead of relying only on the traditional credit record. Credit-scoring service providers have also begun adopting alternative data for creditworthiness evaluation. While offering many benefits, the use of alternative data for financial decisions also raises significant data protection and privacy concerns, including meaningless consent, excessive collection of personal information, lack of transparency, loss of control by individuals, and manipulation of human behaviour. These issues are common around the world, but with different laws and regulations and social development background. This paper will examine China’s Big Data credit-scoring industry’s personal data-protection status, current legislative supervision and innovative technology, and their drawbacks. The paper concludes with a discussion of responses and suggestions for the field.
    Keywords: personal data protection, use of alternative data, credit scoring, fintech, China

  • The California Consumer Privacy Act: The ethos, similarities and differences vis-a-vis the General Data Protection Regulation and the road ahead in light of California Privacy Rights Act
    Tripti Dhar, Partner, Reina Legal LLP

    Amidst the ongoing privacy concerns, legislations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have given individuals the insight into their personal data and a control thereof. These legislations, however, must not be viewed as impediment to business but as business enablers that ensure successful conduct of business while balancing the rights of the individuals vis-à-vis that of the businesses. This paper seeks to delve into the spirit and the most striking features of CCPA. The paper also aims to compare the GDPR and CCPA so as to ascertain the key similarities and key differences between the two. The paper finally attempts to trace the journey of global companies in the quest to achieve compliance before 1st January, 2020. As of today, businesses are faced with a peculiar circumstance. They have aligned their businesses in line with the GDPR and are now also required to align with the obligations under CCPA. The procedural aspect has the business taken by storm. To make matters complicated, businesses are now faced by the California Privacy Rights Act (CPRA) and the relevant compliances expected of them. The paper seeks to conclude with a roadmap for global businesses in such a factual matrix.
    Keywords: CCPA, GDPR, CPRA, data protection, data privacy

  • Comparison of notice requirements for consent between ISO/IEC 29184:2020 and General Data Protection Regulation
    Harshvardhan J. Pandit, Research Fellow, ADAPT SFI Centre, Trinity College Dublin and Georg Philip Krog, Cofounder and Chief of Legal Counsel, Signatu AS

    This paper analyses the ISO/IEC 29184:2020 standard and compares its requirements for notice and consent with those specified by the General Data Protection Regulation (GDPR). More specifically, it considers the extent to which the ISO/IEC 29184 standard can be applied to demonstrate compliance with the requirements of the GDPR and to identify the additional requirements in areas where it is not sufficient. The paper concludes with remarks on the potential role of ISO/IEC 29184 as a certification mechanism under the GDPR for consent and notice.
    Keywords: consent, notice, GDPR, regulatory compliance, privacy, ISO

  • The increase of SIM Swap Frauds and new risks on European costumers: Payment services and data protection in Italian law courts
    Fabio Di Resta, Avvocato, Italy

    This paper analyses consumers’ legal protection when they are victims of banking frauds through the internet banking systems. In the last decade, there was a strong increase in telematic frauds, also the COVID-19 pandemic and the consequent use of smart working by employees has been exploited by fraudsters. In this context, customers became the favourite victims of cybercriminals, who have found more complex telematic frauds based on social engineering, such as chief executive officer (CEO) frauds, but more often the SIM (Subscriber Identification Module) Swap Fraud, through the identification procedures employed by mobile operators and becoming the new owner of the SIM card of victims. In this respect, the recent legal reforms on payment services and the General Data Protection Regulation (GDPR) became the milestone of consumers’ legal protection. Italian leading cases on SIM Swap Frauds will be analysed in more detail, describing the main criteria and principles of European and Italian data protection laws applied to personal data processing of the victims.
    Keywords: SIM Swap Fraud, CEO frauds, GDPR, PDS2, RTS, EBA, Arbitro Bancario Finanziario (ABF), Alternative Disputes Resolution (ADR), Strong Customer Authentication (SCA)

  • Book reviews:
    Data Protection, Privacy Regulators and Supervisory Authorities
    Reviewed by Dr Jacob Kornbeck
  • ‘California Privacy Law: Practical Guide and Commentary US Federal and California Law’ (Fourth Edition)
    Reviewed by Richard Preece
  • Legal Challenges of Big Data
    Reviewed by Ardi Kolah

     

Volume 4 Number 1

  • Editorial: 2020 is the year we would all like to forget, it had some memorable moments for data privacy professionals and 2021 looks like going the same way
    Ardi Kolah, Founding Editor-in-Chief, Journal of Data Protection & Privacy
  • Practice papers:
    The California Privacy Rights Act of 2020: A broad and complex data processing regulation that applies to businesses worldwide
    Lothar Determann, Partner and Jonathan Tam, Senior Associate, Baker McKenzie

    The California Privacy Rights Act of 2020 (CPRA) introduces sweeping changes to the California Consumer Privacy Act of 2018 (CCPA), most of which will become operative as of 1st January, 2023, with a ‘look back’ to 1st January, 2022. Key revisions include a new definition of ‘sensitive personal information’ and detailed obligations regarding the processing of sensitive personal information for non-essential purposes; a new and counterintuitive definition of ‘sharing’ personal information and related restrictions aimed at the digital advertising industry; new data subject rights to correct inaccurate information and opt out of the use of automated decision-making technology; new requirements to include data protection and processing terms in contracts with data recipients and vendors; new requirements regarding what privacy notices must include and how they must be furnished to data subjects; and the establishment of a new privacy authority, the California Privacy Protection Agency. Although some requirements are similar to those in other jurisdictions, some are unique in their scope and even more onerous and detailed than those of the European Union General Data Protection Regulation. For example, CCPA also applies to ‘household data’ and will require companies to include California-specific language in their vendor contracts and privacy notices. This paper summarises some of the key revisions that CPRA makes to CCPA and offers practical recommendations on how companies subject to the law must comply. Companies that do business in California must comply not only with the revised CCPA but also detailed laws specific to particular sectors, industries, harms and activities.
    Keywords: California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), California Privacy Protection Agency (CPPA), cross-context behavioural advertising, right to know, right to access, right to deletion, right to correct inaccurate personal information, right to opt out of selling, right to opt out of sharing, right to restrict use and disclosure of sensitive personal information, right to opt out of automated decision-making technology, right to no retaliation

  • The end of the transition period: Implications for UK data protection after Brexit
    Oliver Butler, Research Fellow, Bonavero Institute of Human Rights

    This paper considers the implications for UK (United Kingdom) data protection after Brexit of the European Union (EU)–UK Withdrawal Agreement, the UK’s prospects of receiving, retaining and valuing a positive adequacy decision from the EU, and the decision of the Court of Justice of the European Union in Schrems II. It highlights that although these developments considerably narrow the scope for post-Brexit divergence from EU data protection law, there remain possibilities that cannot be dismissed as minimal. In particular, it cautions that the potential erosion of data subject rights post Brexit may disproportionately impact members of lower socio-economic groups and Black, Asian and Minority Ethnic individuals. Any adequacy decision will furthermore be subject to ongoing legal challenge and precarity. The UK Government is likely to engage in brinkmanship with the Commission and the CJEU regarding adequacy and its obligations in the Withdrawal Agreement. If the UK fails to gain, or loses, an adequacy decision, then the Standard Contractual Clauses will face a similar set of ongoing legal challenges. The picture is not a happy one.
    Keywords: Brexit, Withdrawal Agreement, adequacy, Standard Contractual Clauses

  • Implementation of the ECOWAS Supplementary Act on Personal Data Protection: Lessons from the EU GDPR
    Dennis Agelebe, Postdoctoral Research Fellow, Environmental Law Center, Faculty of Law of the University of Cologne

    The process of accessing information about any individual is fast becoming beyond the control of private individuals as long as internet technology continues to penetrate more areas of our routine lives. The question has always been how far private individuals can regulate how their private information is accessed, processed and for what purpose. The European Union (EU) has made the General Data Protection Regulation (GDPR) for the purpose of filling the regulatory gap in protecting the right to data privacy of Europeans under the Data Protection Directive (1995). For the EU as a supranational organisation, the regulatory system is designed to be protective of the privacy right of every citizen within and outside the EU because it has the institutional capacity to sanction business entities that breach the GDPR. The Economic Community of West African States (ECOWAS) has adopted the Supplementary Act on Personal Data Protection. Although the ECOWAS has the outlook of a supranational community, it lacks the institutional structure that should make its laws enforceable across the member states. With its present structure, however, the ECOWAS Act is still a model instrument for data protection in the African region and can be improved upon. This paper examines the ECOWAS Act and studies the structure and implementation of the GDPR to understand why the act may not effectively be enforced across the member states without the reform of the ECOWAS.
    Keywords: data privacy, data protection, GDPR, ECOWAS

  • Data protection and space: What challenges will the General Data Protection Regulation face when dealing with space based data?
    Shakila Bu-Pasha, Postdoctoral Researcher, Faculty of Law, University of Helsinki and Heidi Kuusniemi, Professor and Director of Digital Economy, University of Vaasa

    Recently, space or satellite technology, as well as space data applications, is developing rapidly, resulting in a variety of uses. At the same time, related legal issues raise questions about how they can be handled efficiently. In addition to pointing out the importance of managing satellite activities in a legally sound environment, this paper explains the relevance of the General Data Protection Regulation and the challenges it will face in handling space-based data, as well as in managing threats to privacy and personal data regarding the outer space context.
    Keywords: satellite, GDPR, personal data, space-based data, privacy, technology

  • Personal information protection in Japan
    Christopher P Wells, Partner and Narumi Ito, Associate, Morgan Lewis

    In Japan, personal information protection is governed by the Act on Personal Information Protection (Act No. 57 of 2003, as amended). This paper summarises the main features of Japan’s personal information protection regime as it applies generally to corporate and individual enterprises that collect, retain and store certain personal information of residents of Japan directly, indirectly or incidentally in connection with (a) the conduct of an enterprise or business in Japan and (b) the conduct of an enterprise or business outside Japan when such collection could have an impact on residents of Japan. This paper also describes certain legislative amendments implemented in 2017, which were essential for Japan’s adequacy status under the General Data Protection Regulation.
    Keywords: PIPA, personal data, PIHBO, PIPC, special care-required personal information, SCRPI, Japan

  • Research paper:
    Data protection laws — one of the most important sources of competitive advantage in the context of international trade
    Yihan Dai, Associate Research Fellow, East China University of Political Science and Law

    The existing world’s international legal system in nearly all areas, including data protection and cross-border data transfers, is highly fragmented and hard to harmonise in the near future. The most important laws governing these issues still exist at the domestic level. Data protection legislation could have far-reaching implications for country’s competition in today’s global digital economy. For countries, data protection laws are one of the most important sources of competitive advantage in the context of international trade. Laying down the data protection law prudently and intelligently applying such law will allow countries to unlock the benefits of technological innovation and digital trade.
    Keywords: data protection laws, international trade, competitive advantage, data, most valuable resource

  • Practice paper:
    A year of change: An analysis of how COVID-19 has impacted the data privacy profession in 2020
    Sabrina Palme, Co-founder and CEO, Palqee Technologies

    COVID-19 has brought unprecedented change to countless occupations, and for privacy professionals it has been no exception. As we are approaching the end of the year, this paper summarises the main data privacy challenges faced by privacy professionals due to the pandemic in 2020 and how it has impacted the data privacy profession as such. Has COVID-19 resulted in a shift leading to a new normal for the profession, or has it been business as usual? Taking also into consideration other meaningful events that have shaped 2020, such as the Black Lives Matter movement, Schrems II and Brexit, the paper concludes with what this year has meant for data privacy and an outlook on what to expect next.
    Keywords: COVID-19, data privacy, data security, data ethics, the new normal, Black Lives Matter, Brexit, Schrems II, analysis, opinion

  • Case study:
    ICO fines Ticketmaster UK Limited £1.25m for failing to protect customers’ payment details
    Joanne Bennett, Commercial Lawyer and Data Protection Consultant

    This paper discusses the finding of the Information Commissioner’s Office (ICO) against Ticketmaster UK Limited (Ticketmaster), which was fined £1.25m by the ICO for failing to keep its customers’ personal data secure. The Information Commissioner determined that Ticketmaster’s failure constituted a breach of the General Data Protection Regulation. In its findings, the ICO held the company should have done more to reduce the risk of a cyber-attack, including in relation to its use of third-party JavaScript on the payment page of its website. Ticketmaster’s breach led to millions of individuals in the United Kingdom and Europe being exposed to potential fraud. The financial sanction sends a message to other organisations ‘that looking after customers’ personal data safely should be at the top of their agenda’. Ticketmaster has indicated that it will appeal the fine. This paper additionally provides some practical tips to data protection practitioners to mitigate against similar breaches.
    Keywords: data protection, JavaScript, cyber security, fines, GDPR

  • Book review: ‘EU Personal Data Protection in Policy and Practice’
    Reviewed by Dr Jacob Kornbeck
  • Book review: Data protection: A practical guide to UK law
    Reviewed by Ardi Kolah