Volume 7 (2024-25)
Each volume of Journal of Data Protection & Privacy consists of four 100-page issues published both in print and online.
The articles published in Volume 7 are listed below.
Volume 7 Number 1
Editorial
The multifaceted challenges and opportunities inherent in data protection and privacy regulation
Ardi Kolah, Founding Editor-in-Chief, Journal of Data Protection & Privacy
Practice Papers
Recognising personal data as a digital asset in Dubai
Michael Clark, Data Scholar and Industry Advisor, and Lori Baker, Member of Editorial Board, JDPP
Data is misunderstood and misused as the commodity it could be. It is humankind's greatest asset; in short, it is potential. Add to this rapid development of powerful technology, from smartphones to wearables, and the world becomes smaller. People feel more connected, yet personal data feels further away from their control of it. Technology has largely dominated the perspective of how the future is viewed and shaped, and while data has never been elevated as the driving force behind technology, it is undeniably the heartbeat of (digital) economies globally. Data privacy law and regulation, often seen as the remaining hope for supporting rights of data owners, has become more fragmented and difficult to implement, and with the emergence of the power of processing personal data via autonomous systems such as generative artificial intelligence (AI), it is reaching a pivotal moment. As virtual and physical worlds merge, autonomous processing of data becomes more prevalent and dominant, and people will seek agency while also desiring the trust to express themselves freely, without the fear of compromising their data and identity. This is perhaps the moment where the collective change of the commonly accepted model of data is needed, to view it instead as a multidimensional, identifiable and ownable thing. Certain countries such as China and the UAE are providing a basis for developing this concept further. The general discussion herein provides the foundations to conclude that Dubai is one of the few cities in the world that can and does change the way the use and ethical processing of personal data is considered, particularly as an asset to the data subject themselves.
Keywords: personal data; digital asset; digital economy; data analytics
Bridging compliance and innovation: A comparative analysis of the EU AI Act and GDPR for enhanced organisational strategy
Sean Musch, CEO/Founder, Michael Charles Borrelli, Director, AI & Partners, and Charles Kerrigan, Partner, CMS
This paper conducts a comparative analysis of the GDPR and the EU AI Act, focusing on their approaches to innovation, compliance and risk management. It examines how the GDPR's data protection framework intersects with the AI Act's broader ethical considerations, highlighting their complementary roles in fostering responsible technology use. Key findings reveal that while both regulations aim to protect individuals and promote ethical practices, harmonising these frameworks is crucial for effective compliance, despite inherent differences between the two. The paper underscores the need for integrated strategies and adaptive policy-making, in a global context, to navigate the complex regulatory landscape, ensuring both innovation and accountability in AI development.
Keywords: GDPR; EU AI Act; data protection; ethical AI; innovation; compliance; risk management; regulatory harmonisation; transparency; bias detection
Changes to the Federal Trade Commission (FTC) Health Breach Notification Rule closes some gaps but adds some ambiguity
Trinity Car, Managing Counsel, Privacy, Syneos Health, and Brad Rostolsky, Shareholder, Greenberg Traurig
On 26th April, 2024, the Federal Trade Commission (FTC) issued a final rule amending the 2009 Health Breach Notification Rule (HBNR). The primary aim of the Final Rule is to close gaps between the preceding version of the FTC's breach notification rule and the protections offered by the breach notification regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The FTC focused on the personal data regularly processed by direct-to-consumer Health Apps, which represent a growing segment of the healthcare industry not regulated by HIPAA. This paper provides an in-depth analysis of the changes introduced by the Final Rule, the implications for businesses not regulated by HIPAA, and the potential operational ripple effects for many businesses now regulated under the Final Rule. It also discusses the updated individual notification obligations and the need for impacted individuals to be made aware of potential risks while balancing issues related to notice fatigue.
Keywords: Health Breach Notification Rule; Federal Trade Commission; personal health records; HIPAA; data privacy; mobile health apps
Research Papers
Medical privacy: Aligning the need to breach patient confidentiality with data protection in the public interest
Andrew Harvey, Director of Information Governance, Cyber and Compliance/Data Protection Officer, Graphnet Health Ltd
This paper takes an overview of case law, legislation and professional guidance to assess when it may be acceptable for medical practitioners to breach patient confidentiality and data protection law in the public interest. It looks at the implications of making such decisions in both a positive and negative light because of what happens if confidentiality is breached in the public interest, but also the implication, on occasion, if it is not. The paper synthesises the often contradictory considerations of the Data Protection Act 2018 and UK General Data Protection Regulation with the wider implications of breaching the common law duty of confidentiality and professional guidance offered by the likes of the British Medical Association, General Medical Council and right back to the Hippocratic Oath. In doing so, it creates a framework in which it is acceptable in many circumstances to breach patient confidentiality while demonstrating that due care and attention are required to ensure the appropriate decisions are made.
Keywords: case law; confidentiality; consent; direct care; health care; public health; public interest
Cross-border flow of personal data (digital trade) ought to have data protection
Vandana Gyanchandani, Lecturer, Jindal Global University, NCR Delhi
The paper provides three specific arguments in support of the two key claims to promote an interface between data protection and digital trade law. It engages in the current academic debate among scholars to understand the role of digital trade law in coordinating the regulatory thicket of national data protection regulations (NDPRs) among states. In pursuance, it proposes a rebuttal to the critique that digital trade law is fundamentally ill-suited to engage in data protection policy debates. The paper argues that data protection and digital trade law cannot remain in separate silos as they both are fundamentally intertwined with the governance of cross-border flow of personal data. Data protection issues should form an indispensable consideration in the context of digital trade liberalisation and vice versa. The paper concludes that the standards regime in international trade law can be considered as a blueprint for the necessary regulatory interface between data protection and digital trade. The paper consists of five main sections. This introduction is the first section. The second section titled ‘Interconnected structural blocks of a data protection regulation in general’ provides the general structural elements of a data protection regulation and how the data protection principles and practices combine to actualise the mechanisms which govern the cross-border flow of personal data in a jurisdiction. It highlights that the structural elements of a data protection regulation are interconnected, which necessitates policy coherence between data protection and digital trade law. The third section titled ‘Three arguments against and in favour of an interface between data protection and digital trade law’ provides an outline of the critiques by Irion, Kaminski and Yakovleva to the proposals by Chander and Schwartz to promote a legal interface between data protection and digital trade law. 
Notably, it provides a rebuttal to the critiques by supporting the proposals by Chander and Schwartz. It supports the proposal for an international agreement on data privacy among states in the future which can bring coherence in the governance of cross-border flow of personal data. The fourth section titled ‘Future interface between data protection and digital trade law’ underscores the need for a self-standing agreement on data privacy in the context of international trade law. This is due to the fact that traditional trade law approaches need readjustment to cohesively tackle the realities of the digital economy, especially data protection issues. In pursuance, it proposes that the trade standards regime, ie the Technical Barriers to Trade (TBT) and Sanitary and Phytosanitary (SPS) Agreements of the World Trade Organization (WTO), provides a unique blueprint to envision a self-standing legal agreement and forum on data protection concerns as they relate to cross-border flow of personal data in international trade law. The section briefly highlights the relevance of the WTO trade standards regime as a blueprint for the future international data privacy agreement in international trade law. The fifth section concludes the paper by raising two key challenges for policy coherence between data protection and digital trade law — (a) progressive coordination and (b) a reasonable legal interface between the two regimes in both theory and practice.
Keywords: data protection; data privacy; digital trade; WTO; cross-border flow of personal data; adequacy decision; Joint Statement Initiative on E-commerce
Key data protection and cybersecurity considerations in the mergers and acquisitions context through the lens of regulatory and judicial enforcement
Farrhah Khan, Senior Privacy Counsel, Johannesburg
With mergers and acquisitions being an integral part of the commercial landscape, the vast amounts of personal data implicit in such transactions cannot be overstated. It has become increasingly apparent, particularly given the advent and evolution of data privacy laws across the world, that it is crucial to incorporate key data protection and cybersecurity assessments into the due diligence process to identify and mitigate potential data protection and cybersecurity risks. Where companies fail to do so, the implications are often severe and extend to both exposure to enforcement risk and reputational damage. This paper will examine the status of the current mergers and acquisitions market and why it is necessary for data protection and cybersecurity considerations to be at the forefront of such transactions; thereafter, the risks implicit in neglecting to incorporate the necessary mechanisms and compliance checks into the due diligence process will be assessed. The focus of this paper will then turn to considering relevant regulatory and judicial enforcement actions to assess the precedent that exists for the view that failing to consider data protection and cybersecurity matters ultimately poses a significant commercial and compliance risk to both the acquiring company and the target company. Finally, this paper will conclude with a review of various strategies available to companies to mitigate such commercial and compliance risk from the perspective of safeguarding against undue post-acquisition liability.
Keywords: mergers and acquisitions; due diligence; cybersecurity; data protection; enforcement; liability -
Caught in the whirlwind of market power: The impact of WhatsApp’s 2021 update on users’ privacy in India
Nikita Shah, Assistant Professor of Law at Institute of Law, Nirma University
WhatsApp's entrenched market power has culminated in Indians being obliged to give up their privacy. This paper reports on an empirical study of WhatsApp to prove that it has been able to infringe consumers' privacy because of its market power, which has become insidious due to network effects, consumer inertia and asymmetry of information. Throughout this study, the author has not tried to quantify privacy or develop parameters of privacy, since the responses would have been flawed by subjectivity. Instead, the author has conducted this quantitative study to prove that consumers value privacy on paper but not when faced with the counteraction of free services. The researcher used questionnaires to understand the behaviour of Indian users towards privacy. The respondents were chosen based on a stratified sampling method, and analysis was done using descriptive statistics to quantitatively summarise the challenges faced by the respondents in switching away from WhatsApp. The study concluded that users cannot exercise constraints due to the privacy paradox, consumer inertia and asymmetry of information. WhatsApp has the largest consumer base in India, and hence, its pervasiveness is considered extensively in this paper.
Keywords: asymmetry of information; WhatsApp; consumer inertia; Indian Competition Act; market power; privacy paradox; privacy
Book Reviews
- An Advanced Introduction to U.S. Data Privacy Law by Ari Ezra Waldman
- Technology and Security for Lawyers and Other Professionals: The Basics and Beyond by W. Kuan Hon
- Research Handbook on EU Internet Law (Second Edition), edited by Andrej Savin and Jan Trzaskowski
Reviewed by Ardi Kolah, Founding Editor-in-Chief, Journal of Data Protection & Privacy