The aim of the article is to explain the relationship between the ethical evaluation of scientific research involving personal data and the assessment of compliance with data protection law. The article presents the mutual relationship between the protection of personal data and scientific activity from a dogmatic perspective, the legal regulation of the processing of personal data in scientific research, and the so-called research exceptions that apply when data are processed (...) for scientific research. It also covers the importance of meeting the ethical requirements of scientific research in order to profit from the indicated exceptions. Finally, it provides a comparison between the ethical and the legal systems of personal data protection in research (objectives, criteria, authorities, and procedures). (shrink)

Since the 1970s and more rigorously since the 1990s, many countries have regulated data protection and privacy laws in order to ensure the safety and privacy of personal data. First, a comparison is made of different acts regarding genetic information that are in force in the EU, the USA, and China. In Turkey, changes were adopted only recently following intense debates. This study aims to explore the experts’ opinions on the regulations of the health information systems, (...) data security, privacy, and confidentiality in Turkey, with a particular focus on genetic data, which is more sensitive than other health data as it is a permanent identifier that is inherited to next of kin and shared with other family members. Two focus groups with 18 experts and stakeholders were conducted, discussing topics such as central data collection, legalized data sharing, and the management of genetic information in health information systems. The article concludes that the new Turkish personal data protection law is problematic as the frame of collectible data is wide-ranging, and the exceptions are extensive. Specific laws or articles dedicated to genetic data that also overlook the dimension of discrimination based on genetic differences in Turkey should be taken into consideration. In broader terms, it is intended to put up for discussion that in addition to ethical aspects, economic aspects and legal aspects of health should be included in the discussion to be carried out within the framework of socio-political analyses with culture-specific approaches and cross-culture boundaries simultaneously. (shrink)

Personal data protection is an ethical issue. In this study we analyzed how research ethics committees (RECs) and data protection officers (DPOs) handle personal data protection issues in research protocols. We conducted a mixed-methods study. We included heads (or delegated representatives) of RECs and DPOs from universities and public research institutes in Croatia. The participants provided information about data protection issues in research and their mutual collaboration on those issues through (...) structured interviews that contained closed and open-ended questions. Qualitative description was used to analyze open-ended questions. The results showed that 55% of the REC representatives were not aware who was DPO in their institution. Among RECs, 65% never contacted the DPO. There were 61% of RECs who reported that they received no training from the organization on personal data protection. When asked about barriers to personal data protection in their institutions, 26% of REC members highlighted the lack of a clear protocol for assessing personal data protection issues, while 30% of DPOs mentioned lack of knowledge among researchers about personal data. In conclusion, we found that when it came to protecting personal data in research protocols, RECs and DPOs hardly ever worked together. When developing future personal data protection policies for academic and scientific research institutions, it is essential that RECs and DPOs should collaborate and both continue to expand/update their knowledge on personal data protection procedures. (shrink)

The corona pandemic altered many traditional and historical norms of society and law. COVID-19 created a humanitarian crisis in some parts of globe, while pandemic privacy and civil liberties were under threat all over world. To combat the deadly virus, individual liberty and equality were compromised. This paper focuses on how India’s health problem has compromised people’s right to privacy. It will highlight how strict executive policies led to the creation of a massive surveillance system in the name of combating (...) the COVID-19 pandemic, as well as how the absence of any policy or legal framework led to the exclusion of individuals and their families who were suspected of having the virus or caring for those who were infected with the deadly virus. The paper uses case studies and data collected from primary as well as secondary sources. The authors will also point out how the absence of privacy regulation puts millions of citizens’ private information at risk of being compromised or exploited against their will. (shrink)

RESUMEN: En la era de las tecnologías digitales, el Derecho se enfrenta al objetivo de afrontar la protección de los datos personales en un universo global donde las fronteras se diluyen y el principio de territorialidad ha dejado de tener aplicación. Este trabajo pretende plantear el reto que supone, para el ordenamiento jurídico español, la adaptación a la nueva regulación europea en esta materia.ABSTRACT: At the digital´s technologies age, Law faces with the aim to address the personal data (...) protection in a global universe where blurring the borders, and the territoriality principle has ceased to be applied. This paper aims to poset he challenge that supposes, to the Spanish legal system, the adaptation to the new European Union regulation on this matter.PALABRAS CLAVE: universo digital, protección de datos personales, reglamento europeo, constitución española, conflictos de competenciaKEYWORDS: digital universe, personal data protection, european regulation, spanish constitution, competence´s conflicts. (shrink)

Public policies designed to regulate the use of information technology to protect personal data have been based on different theoretical assumptions in different states, depending on whether the problem is defined in technological, civil libertarian, or bureaucratic terms. However, the rapid development, dispersal, and decentralization of information technology have facilitated a range of new surveillance practices that have in turn rendered the approaches of the 1960s and 1970s obsolete. The networking of the postindustrial state will require a reconceptualization (...) of the dynamic relationship between organizational practices and information technology and a more comprehensive appreciation of the privacy problem. With the call for the development of a more coherent information policy in a number of countries, there is evidence that policymakers have been taking this more holistic view. (shrink)

This paper undertakes a comparative legal study to analyze the challenges of privacy and personal data protection posed by Artificial Intelligence embedded in Robots, and to offer policy suggestions. After identifying the benefits from various AI usages and the risks posed by AI-related technologies, I then analyze legal frameworks and relevant discussions in the EU, USA, Canada, and Japan, and further consider the efforts of Privacy by Design originating in Ontario, Canada. While various AI usages provide great (...) convenience, many issues, including profiling, discriminatory decisions, lack of transparency, and impeding consent, have emerged. The unpredictability arising from the AI machine learning function poses further difficulties, which have only been partially addressed by legal frameworks in the aforementioned jurisdictions. However, analyzing the relevant discussions yielded several suggestions. The first priority is adopting PbD as the most flexible, soft-legal, and preferable approach toward AI-oriented issues. Implementing PbD will protect individual privacy and personal data without specific efforts, and achieve both the development of AI and the advancement of privacy and personal data protection. Technical measures that can adapt to an individual’s dynamic choices according to the “context” should be further developed. Furthermore, alternative technical measures, including those to solve the “algorithmic black box” or achieve differential privacy, warrant thorough examination. If AI surpasses human intelligence, a terminating function, such as a “kill switch” will be the last resort to preserve individual choice. Despite numerous difficulties, we must prepare for the coming AI-prevalent society by taking a flexible approach. (shrink)

This paper explores some key discrepancies between two sets of normative requirements applicable to the research use of personal data and human biological materials: the data protection regime which follows the application of the European Union General Data Protection Regulation, and the Declaration of Helsinki, CIOMS guidelines and other research ethics regulations. One source of this controversy is that the GDPR requires consent to process personal data to be clear, concise, specific and (...) granular, freely given and revocable and therefore has challenged the concept of ‘broad consent’, which has been widely applied in the context of biobanking. Another source of controversy is the interplay between regulations of research ethics and protection of personal data related to the secondary use of personal data and biological materials. In this case, the GDPR ‘research condition’ provides an alternative to re-consent for the use of previously collected personal data and biological materials. Although the mentioned controversies have been raised in the legal literature, they have not been explicitly addressed from the research ethics perspective. Should consent be regarded as a priority legal basis for personal data processing in health data research? Can broad consent still be a suitable legal ground for biobanking? What should be the role of research ethics provisions that differ from the GDPR standards, and what should be the role and function of research ethics committees in the changing environment of health data research? These are the ongoing controversies to be explored in the paper. (shrink)

Background Sharing anonymized/de-identified clinical trial data and publishing research outcomes in scientific journals, or presenting them at conferences, is key to data-driven scientific exchange. However, when data from scientific publications are linked to other publicly available personal information, the risk of reidentification of trial participants increases, raising privacy concerns. Therefore, we defined a set of criteria allowing us to determine and minimize the risk of data reidentification. We also implemented a review process at Takeda for (...) clinical publications prior to submission for publication in journals or presentation at medical conferences. Methods Abstracts, manuscripts, posters, and oral presentations containing study participant information were reviewed and the potential impact on study participant privacy was assessed. Our focus was on direct and indirect identifiers, such as sex, age or geographical indicators in rare disease studies or studies with small sample size treatment groups. Risk minimization was sought using a generalized presentation of identifier-relevant information and decision-making on data sharing for further research. Additional risk identification was performed based on study participant/personnel parameters present in materials destined for the public domain. The potential for participant/personnel identification was then calculated to facilitate presentation of meaningful but de-identified information. Results The potential for reidentification was calculated using a risk ratio of the exposed versus available individuals, with a value above the threshold of 0.09 deemed an unacceptable level of reidentification risk. We found that in 13% of Takeda clinical trial publications reviewed, either individuals could potentially be reidentified or inappropriate data sharing plans could pose a data privacy risk to study participants. In 1/110 abstracts, 58/275 manuscripts, 5/87 posters and 3/58 presentations, changes were necessary due to data privacy concerns/rules. Despite the implementation of risk-minimization measures prior to release, direct and indirect identifiers were found in 11% and 34% of the analysed documents, respectively. Conclusions Risk minimization using de-identification of clinical trial data presented in scientific publications and controlled data sharing conditions improved privacy protection for study participants. Our results also suggest that additional safeguards should be implemented to ensure that higher data privacy standards are met. (shrink)

I have argued elsewhere that in past history, freedom of speech, whether granted to few or many, was granted as bestowing some important benefit. John Stuart Mill, for example, in On Liberty, saw it as enabling us to learn from each other through discussion. By the test of benefit, I here argue that social media that are funded through trade in our personal data with advertisers, including propagandists, cannot claim to be supporting free speech. We lose our freedoms, (...) if the personal data we entrust to online social media are used to target us with information, or disinformation, tailored as persuasive to different personalities, in order to maximize revenue from advertisers or propagandists. Among the serious consequences described, particularly dangerous because of its effect on democracy, is the use of such targeted advertisements to swing voting campaigns. Control is needed both of the social media and of any political parties that pay social media for differential targeting of voters based on personality. Using UK government documents, I recommend legislation for reform and enforcement. (shrink)

This paper is aimed to understand the state of the art and the resulting consequences of the legal framework in Europe, with regard to the protection of children's data. Especially when they interact with networked and robotic toys, like in 'My friend Cayla' case. In order to evaluate the practical implications of the use of IoT devices by children or teenager users, the first part of the paper presents an analysis of the international guiding principles of the (...) class='Hi'>protection of minors, a category which enjoys a higher level of protection of their fundamental rights, due to their condition of lack of physical and psychological maturity. Secondly, the focus is moved upon the protection of personal data of children. Only after confronting previous data protection legal instruments and having compared them with the novelties set forth in General Data Protection Regulation, it is reasonable to assume that new provisions such as "privacy by design" principle, adequacy of security measures and codes of conduct, can support data controllers in ensuring compliance in the field of IoT toys. In conclusion, the paper supports a view of Data Protection Authorities as a relevant player in enhancing these renovated tools in order to achieve the protection of children's rights, as to ensure their substantial protection against the threats of the interconnected world. (shrink)

The processing of sensitive information in the health field is subject to rigorous standards that guarantee the protection of information confidentiality. Recently, the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) stated their formal opinion on a standard procedure in dental offices involving the submission of a questionnaire that includes the patient's health status. HIV infection status is included on the form. The Authority has stated that all health data collection must be in (...) accordance with the current Italian normative framework for personal data protection and respect the patient's freedom. This freedom allows the patient to decide, in a conscious and responsible way, whether to share health information with health personnel without experiencing any prejudice in the provision of healthcare requested. Moreover, data collection must be relevant and cannot exceed the principles of treatment goals with reference to the specific care of the concerned person. However, the need for recording information regarding HIV infection at the first appointment, regardless of the clinical intervention or therapeutic plan that needs to be conducted, should not alter the standard protection measures of the healthcare staff. In fact, these measures are adopted for every patient. (shrink)

Once upon a time, they managed to bring Neverland into the bedrooms; they were seen as the heroes of a new era. However, as heroes always tend to walk a fine line between good and evil, it does not come as a surprise that a decade later the perception has dramatically changed; the fairy tale turned into a nightmare. Are Internet Service Providers (ISPs) no more than data-guzzling monsters that need to be tamed? In November, the European Commission published (...) a “Comprehensive approach on personal data protection in the European Union” which seems to nod approval. The approach seeks to strengthen the individual’s rights regarding the use of data by ISPs. The Commission notes that children deserve specific protection in this context due to the fact that their awareness of risks and consequences is usually underdeveloped. Both a general principle of transparent processing and specific obligations for data controllers regarding the type of information to be provided and the modalities for providing it had to be taken into account. Not only legal but also self-regulatory initiatives should contribute to a better enforcement of data protection rules. This approach is both applauded and heavily criticized by the European Data Protection Supervisor. In particular, he argues that children’s particular interests have not been sufficiently addressed presenting a long list of suggestions for improvement including specific provisions against behavioral advertising, the exclusion of some data categories, an age threshold or special requirements on the issue of informed consent and a reinforcement of data controllers’ accountability. Is there really a need for a new magic formula? This paper reviews the current options for addressing the challenges of the use of personal data of minors by ISPs. (shrink)

This article focuses on whether a certain form of consent used by biobanks – open consent – is compatible with the Proposed Data Protection Regulation. In an open consent procedure, the biobank requests consent once from the data subject for all future research uses of genetic material and data. However, as biobanks process personal data, they must comply with data protection law. Data protection law is currently undergoing reform. The Proposed (...) Data Protection Regulation is the culmination of this reform and, if voted into law, will constitute a new legal framework for biobanking. The Regulation puts strict conditions on consent – in particular relating to information which must be given to the data subject. It seems clear that open consent cannot meet these requirements. 4 categories of information cannot be provided with adequate specificity: purpose, recipient, possible third country transfers, data collected. However, whilst open consent cannot meet the formal requirements laid out by the Regulation, this is not to say that these requirements are substantially undebateable. Two arguments could be put forward suggesting the applicable consent requirements should be rethought. First, from policy documents regarding the drafting process, it seems that the informational requirements in the Regulation are so strict in order to protect the data subject from risks inherent in the use of the consent mechanism in a certain context – exemplified by the online context. There are substantial differences between this context and the biobanking context. Arguably, a consent transaction in the biobanking does not present the same type of risk to the data subject. If the risks are different, then perhaps there are also grounds for a reconsideration of consent requirements? Second, an argument can be made that the legislator drafted the Regulation based on certain assumptions as to the nature of ‘data’. The authors argue that these assumptions are difficult to apply to genetic data and accordingly a different approach to consent might be preferable. Such an approach might be more open consent friendly. (shrink)

BackgroundData processing of health research databases often requires a Data Protection Impact Assessment to evaluate the severity of the risk and the appropriateness of measures taken to comply with the European Union General Data Protection Regulation. We aimed to define and apply a comprehensive method for the evaluation of privacy, data governance and ethics among research networks involved in the EU Project Bridge Health.MethodsComputerised survey among associated partners of main EU Consortia, using a targeted instrument (...) designed by the principal investigator and progressively refined in collaboration with an international advisory panel. Descriptive measures using the percentage of adoption of privacy, data governance and ethical principles as main endpoints were used for the analysis and interpretation of the results.ResultsA total of 15 centres provided relevant information on the processing of sensitive data from 10 European countries. Major areas of concern were noted for: data linkage, access and accuracy of personal data and anonymisation procedures. A high variability was noted in the application of privacy principles.ConclusionsA comprehensive methodology of Privacy and Ethics Impact and Performance Assessment was successfully applied at international level. The method can help implementing the GDPR and expanding the scope of Data Protection Impact Assessment, so that the public benefit of the secondary use of health data could be well balanced with the respect of personal privacy. (shrink)

The second-wave feminist critique of privacy defies the liberal opposition between the public-political and the private-personal. Feminist thinkers such as Hanisch, Young or Fraser note that, according to this liberal conception, public institutions often keep asymmetric power relations between private agents away from political discussion and action. The resulting subordination of some agents to others tends, therefore, to be naturalised and redefined as a «personal problem». Drawing on these contributions, this article reviews the social and political implications of (...) big data exploitation and questions whether personal data protection must remain a matter of «privacy self-management». It aims to show that feminist political theory can decidedly help to identify and tackle the root causes of what I call «data domination».La crítica feminista de segunda ola a la privacidad desafía la oposición liberal entre lo público-político y lo privado-personal. Pensadoras feministas como Hanisch, Young o Fraser señalan que, de acuerdo con esta concepción liberal, las instituciones públicas a menudo dejan fuera de la discusión y la acción política las relaciones de poder asimétricas entre agentes privados. La resultante subordinación de unos agentes a otros tiende, por tanto, a ser naturalizada y redefinida como un «problema personal». Basándose en estas contribuciones, este artículo revisa las implicaciones sociales y políticas de la explotación de datos masivos y cuestiona si la protección de los datos personales debe continuar siendo una cuestión de «auto-gestión de la privacidad». Su objetivo es mostrar que la teoría política feminista puede ayudar decididamente a identificar y enfrentar las causas de lo que llamo «dominación a través de los datos». (shrink)

Open science has recently gained traction as establishment institutions have come on-side and thrown their weight behind the movement and initiatives aimed at creation of information commons. At the same time, the movement's traditional insistence on unrestricted dissemination and reuse of all information of scientific value has been challenged by the movement to strengthen protection of personal data. This article assesses tensions between open science and data protection, with a focus on the GDPR.

The presented paper focuses on the analysis of strategic documents at the level of the European Union concerning the regulation of artificial intelligence as one of the so-called disruptive technologies. In the first part of the article, we outline the basic terminology. Subsequently, we focus on the summarizing and systemizing of the key documents adopted at the EU level in terms of artificial intelligence regulation. The focus of the paper is devoted to issues of personal data protection (...) and cyber security included in these strategic documents. The final part contains recommendations for future research and evaluation of its key features. (shrink)

The potential for biases being built into algorithms has been known for some time, yet literature has only recently demonstrated the ways algorithmic profiling can result in social sorting and harm marginalised groups. We contend that with increased algorithmic complexity, biases will become more sophisticated and difficult to identify, control for, or contest. Our argument has four steps: first, we show how harnessing algorithms means that data gathered at a particular place and time relating to specific persons, can be (...) used to build group models applied in different contexts to different persons. Thus, privacy and data protection rights, with their focus on individuals, do not protect from the discriminatory potential of algorithmic profiling. Second, we explore the idea that anti-discrimination regulation may be more promising, but acknowledge limitations. Third, we argue that in order to harness anti-discrimination regulation, it needs to confront emergent forms of discrimination or risk creating new invisibilities, including invisibility from existing safeguards. Finally, we outline suggestions to address emergent forms of discrimination and exclusionary invisibilities via intersectional and post-colonial analysis. (shrink)

It has become increasingly difficult for individuals to exercise meaningful control over the personal data they disclose to companies or to understand and track the ways in which that data is exchanged and used. These developments have led to an emerging consensus that existing privacy and data protection laws offer individuals insufficient protections against harms stemming from current data practices. However, an effective and ethically justified way forward remains elusive. To inform policy in this (...) area, we propose the Ethical Data Practices framework. The framework outlines six principles relevant to the collection and use of personal data—minimizing harm, fairly distributing benefits and burdens, respecting autonomy, transparency, accountability, and inclusion—and translates these principles into action-guiding practical imperatives for companies that process personal data. In addition to informing policy, the practical imperatives can be voluntarily adopted by companies to promote ethical data practices. (shrink)

The paper has three parts. First, a survey and analysis is given ofthe structure of individual rights in the recent EU Directive ondata protection. It is argued that at the core of this structure isan unexplicated notion of what the data subject can `reasonablyexpect' concerning the further processing of information about himor herself. In the second part of the paper it is argued thattheories of privacy popular among philosophers are not able to shed much light on the issues (...) treated in the Directive, whichare, arguably, among the central problems pertaining to theprotection of individual rights in the information society. Inthe third part of the paper, some suggestions are made for a richerphilosophical theory of data protection and privacy. It is arguedthat this account is better suited to the task of characterizingthe central issues raised by the Directive. (shrink)

Concerns have been raised around the alleged commercialisation of South African genetic material by various research institutes nationally and abroad. We consider whether the Protection of Personal Information Act in South Africa will conflict with or complement existing protections in health law and research ethics. The Act is not applicable to de‐identified samples that cannot be re‐identified but we question whether genetic samples can ever be truly de‐identified. The research participants in this matter provided consent for use of (...) their samples for research but did not consent to commercialisation by global research institutions, and neither did the researchers. We suggest that consent models incorporating broad consent as an option should include explicit discussions around benefit sharing and commercialisation. Mistrust between researchers and participants impedes scientific research and can harm relationships built up over the years between South African researchers and local communities. (shrink)

This book is about power and freedoms in our technological world and has two main objectives. The first is to demonstrate that a theoretical exploration of the algorithmic governmentality hypothesis combined with the capability approach is useful for a better understanding of power and freedoms in Ambient Intelligence, a world where information and communication technologies are invisible, interconnected, context aware, personalized, adaptive to humans and act autonomously. The second is to argue that these theories are useful for a better comprehension (...) of privacy and data protection concepts and the evolution of their regulation. Having these objectives in mind, the book outlines a number of theses based on two threads: first, the elimination of the social effects of uncertainty and the risks to freedoms and, second, the vindication of rights. Inspired by and building on the outcomes of different philosophical and legal approaches, this book embodies an effort to better understand the challenges posed by Ambient Intelligence technologies, opening paths for more effective realization of rights and rooting legal norms in the preservation of the potentiality of human capabilities. (shrink)

The European Union Data Protection Regulation will have profound implications for public health, health services research and statistics in Europe. The EU Commission's Proposal was a breakthrough in balancing privacy rights and rights to health and healthcare. The European Parliament, however, has proposed extensive amendments. This paper reviews the amendments proposed by the European Parliament Committee on Civil Liberties, Justice and Home Affairs and their implications for health research and statistics. The amendments eliminate most innovations brought by the (...) Proposal. Notably, derogation to the general prohibition of processing sensitive data shall be allowed for public interests such as the management of healthcare services, but not health research, monitoring, surveillance and governance. The processing of personal health data for historical, statistical or scientific purposes shall be allowed only with the consent of the data subject or if the processing serves an exceptionally high public interest, cannot be performed otherwise and is legally authorised. Research, be it academic, government, corporate or market research, falls under the same rule. The proposed amendments will make difficult or render impossible research and statistics involving the linkage and analysis of the wealth of data from clinical, administrative, insurance and survey sources, which have contributed to improving health outcomes and health systems performance and governance; and may illegitimise efforts that have been made in some European countries to enable privacy-respectful data use for research and statistical purposes. If the amendments stand as written, the right to privacy is likely to override the right to health and healthcare in Europe. (shrink)

Genetics is a biomedical science that investigates heredity, variability, occurrence of genetic diseases and their prevention. Genetic science has many fields of science, which deal with different genetic processes, methods, aspects and fields of application. The genetic research in Europe related to the individual as the main subject of the research is exposed to a wide range of ethical and legal issues. From the developments in genetic science other sciences have evolved, thanks to which the modern world is able to (...) protect the genetic information of data, and to receive the sanction while ignoring the laws of such data. However, many problems still persist in the field of protection of personal genetic information, such as regulatory standards, the inviolability of an individual, the assurance of freedom and privacy of information. This manuscript attempts to reveal the main aspects of genetic human data protection, to research conduct regulations, ethics and issues related to the protection of individuals, such as protection of privacy, discrimination, confidentiality, etc. The article mainly focuses on the Conventions and Protocols elaborated by the Council of Europe because of its role in bioethics and focus on human rights. The author examined the documents such as the Convention on Human Rights and Biomedicine, the Additional Protocol to the Convention on Human Rights and Biomedicine concerning Biomedical Research, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and others. Genetic discrimination is strictly forbidden by international conventions and declarations, which means that discrimination on the grounds of personal genetic information (diseases, abnormalities) is not possible in all areas, including employment and insurance. However, individuals face some problems in getting a job due to the publicity and information disclosure to their employers, or in increasing the amount of insurance premiums. However, the disclosure of genetic information may have relevant, statutory consequences and the victims may apply to court for defending these rights. It is essential to protect genetic rights, as any form of discrimination against a person on the grounds of their genetic heritage is prohibited and intervention in the health field or disclosure of such information is only possible after the person concerned has given their free and informed consent. (shrink)

The World Bank estimates that over one billion people currently lack official identity documents. To tackle this crucial issue, the United Nations included the aim to provide legal identity for all by 2030 among the Sustainable Development Goals. Technology can be a powerful tool to reach this target. In the digital age, new technologies increasingly mediate identity verification and identification of individuals. Currently, State-led and public–private initiatives use technology to provide official identification, to control and secure external borders, and to (...) distribute humanitarian aid to populations in need. All of these initiatives have profound implications for the protection of human rights of those affected by them. Digital identity technologies may render individuals without legal documentation more visible and therefore less vulnerable to abuse and exploitation. However, they also present risks for the protection of individuals' human rights. As they build on personal data for identification and identity verification, data protection and privacy rights are most clearly affected. The prohibition of discrimination in the digital space is also of concern as these technological advances' societal impact is not yet fully understood. Accordingly, the article argues that emerging digital identity platforms will only contribute to the protection of human rights if the providers adequately mitigate any risks of potential discrimination and promote high standards of privacy and data protection. (shrink)

Directive 95/46/EC and implementing legislation define the respective obligations and liabilities of the different actors that may be involved in a personal data processing operation. There are certain exceptions to the scope of these regulations, among which processing which is carried out by natural persons in the course of activities that may be considered ‘purely personal’. The purpose of this article is to investigate the liability of users of social network sites under data protection and (...) to assess the extent to which the current data protection framework can sufficiently accommodate the new realities of web 2.0 and social networking applications. (shrink)

Risk management is a well-known method to face technological challenges through a win–win combination of protective and proactive approaches, fostering the collaboration of operators, researchers, regulators, and industries for the exploitation of new markets. In the field of autonomous and unmanned aerial systems, or UAS, a considerable amount of work has been devoted to risk analysis, the generation of ground risk maps, and ground risk assessment by estimating the fatality rate. The paper aims to expand this approach with a tool (...) for managing data protection risks raised by drones through the design of flight maps. The tool should allow UAS operators choosing the best air corridor for their drones based on the so-called privacy by design principle pursuant to Article 25 of the EU data protection regulation, the GDPR. Among the manifold applications of this approach, the design of fly zones for drones can be tailored for public authorities in the phase of authorization of new operations, much as for national Data Protection authorities that have to control the lawfulness of personal data processing by UAS operations. The overall aim is to present the first win–win approach to data protection issues, aerospace engineering challenges, and risk management methods for the threats posed by this technology. (shrink)

Risk management is a well-known method to face technological challenges through a win–win combination of protective and proactive approaches, fostering the collaboration of operators, researchers, regulators, and industries for the exploitation of new markets. In the field of autonomous and unmanned aerial systems, or UAS, a considerable amount of work has been devoted to risk analysis, the generation of ground risk maps, and ground risk assessment by estimating the fatality rate. The paper aims to expand this approach with a tool (...) for managing data protection risks raised by drones through the design of flight maps. The tool should allow UAS operators choosing the best air corridor for their drones based on the so-called privacy by design principle pursuant to Article 25 of the EU data protection regulation, the GDPR. Among the manifold applications of this approach, the design of fly zones for drones can be tailored for public authorities in the phase of authorization of new operations, much as for national Data Protection authorities that have to control the lawfulness of personal data processing by UAS operations. The overall aim is to present the first win–win approach to data protection issues, aerospace engineering challenges, and risk management methods for the threats posed by this technology. (shrink)

Risk management is a well-known method to face technological challenges through a win–win combination of protective and proactive approaches, fostering the collaboration of operators, researchers, regulators, and industries for the exploitation of new markets. In the field of autonomous and unmanned aerial systems, or UAS, a considerable amount of work has been devoted to risk analysis, the generation of ground risk maps, and ground risk assessment by estimating the fatality rate. The paper aims to expand this approach with a tool (...) for managing data protection risks raised by drones through the design of flight maps. The tool should allow UAS operators choosing the best air corridor for their drones based on the so-called privacy by design principle pursuant to Article 25 of the EU data protection regulation, the GDPR. Among the manifold applications of this approach, the design of fly zones for drones can be tailored for public authorities in the phase of authorization of new operations, much as for national Data Protection authorities that have to control the lawfulness of personal data processing by UAS operations. The overall aim is to present the first win–win approach to data protection issues, aerospace engineering challenges, and risk management methods for the threats posed by this technology. (shrink)

The power exercised by technology companies is attracting the attention of policymakers, regulatory bodies and the general public. This power can be categorized in several ways, ranging from the “soft power” of technology companies to influence public policy agendas to the “market power” they may wield to exclude equally efficient competitors from the marketplace. This Article is concerned with the “data power” exercised by technology companies occupying strategic positions in the digital ecosystem. This data power is a multifaceted (...) power that may overlap with economic (market) power but primarily entails the power to profile and the power to influence opinion formation. While the current legal framework for data protection and privacy in the EU imposes constraints on personal data processing by technology companies, it ostensibly does so without regard to whether or not they have “data power.” This Article probes this assumption. It argues that although this legal framework does not explicitly impose additional legal responsibilities on entities with “data power,” it provides a clear normative indication to do so. The volume and variety of data and the reach of data-processing operations seem to be relevant when assessing both the extent of obligations on technology companies and the impact of data processing on individual rights. The Article suggests that this finding provides the normative foundation for the imposition of a “special responsibility” on such firms, analogous to the “special responsibility” imposed by competition law on dominant companies with market power. What such a “special responsibility” might entail in practice will be briefly outlined and relevant questions for future research will be identified. (shrink)

On October 6, 2015, in Schrems v. Data Protection Commissioner, the European Court of Justice, the European Union's highest court, held that the fifteen-year-old Safe Harbor Framework Agreement with the United States was invalid. Under the agreement, about forty-five hundred American companies each year self-certified to the U.S. Department of Commerce that they were in compliance with the essential privacy protections of the European Union, and therefore it was permissible for entities in the European Union to send (...) class='Hi'>personal data to these American companies. According to the court, because some American companies were making the personal data of E.U. citizens available to U.S. government agencies, such as the National Security Agency, the fundamental privacy interests of E.U. citizens were not being protected. As a result of this court decision there has been considerable speculation about what, if any, effect the case has on international collaboration in health research, in particular, the sharing of personal data by E.U. researchers with their U.S. colleagues. (shrink)

The Personal Data Protection Act was enacted in 1997; it imposed some obligations on all the administrators of personal data regardless if acting as private or public establishments. The Act was intended to guarantee the safety of personal data and to ensure the right to controlling the data processing. However, since the enacting of the Act, there have been reported instances of its infringement, especially by private entrepreneurs. The numerous appealed complaints show (...) that the entrepreneurs neglect their duty of ensuring the safety of personal data (e.g. documents or media with such personal data), which results in unauthorised revealing the data to third parties. An especially serious case of the infringements of the Act and the rights of the persons concerned is selling the data without a person’s consent. In many cases the administrator only seemingly informs about the purposes of processing the data and then, in this or any other insidious way (among them an inacceptable presumption of consent), beguiles the necessary acceptance. The occurrences of neglecting duties imposed by the Act are to be considered not only as infringement of law, but also as unethical actions resulting in undermining customers’ confidence in entrepreneurs. For example: The unprotected data can be viewed and used by unauthorised parties to the detriment of the persons concerned (e. g. identity theft). The selling of the data is also a source of an unjustifiable profit for an entrepreneur and makes controlling of the processing of personal data impossible. Even if there are no negative consequences for the customer, the cases of infringement the Personal Data Protection Act bring about to undermine confidence not only in the entrepreneur (the source of personal data) but also in private establishments in general. (shrink)

Advances in neurotechnologies, artificial intelligence (AI) and Big Data analytics are allowing interpretation of patterns from brain data to identify and even predict and manipulate mental states. Furthermore, there are avenues through which brain data can move into the consumer sphere, be reidentified and brokered. In response to these developments, there have been a number of approaches proposed to strengthen protections of brain data. To better understand the landscape of brain data protection discussions, we (...) conducted a scoping review to identify the rationales for establishing brain data protections and the proposals for protecting brain data offered in the ethics and neuroscience literature. To draw comparisons, we also surveyed the rationales given in the literature for the protection of sensitive behavioral inferences drawn from other types of personal data and associated approaches to achieving protection. This systematic examination of the rationale behind heightened protection for brain data should be useful to clarify the functional and conceptual bases given for brain data protection and to provide a better grounding for evaluating how the different approaches to brain data protection address these concerns. (shrink)

As with many other countries, Malaysia is also developing and promoting biomedical research to increase the understanding of human diseases and possible interventions. To facilitate this development, there is a significant growth of biobanks in the country to ensure continuous collection of biological samples for future research, which contain extremely important personal information and health data of the participants involved. Given the vast amount of samples and data accumulated by biobanks, they can be considered as reservoirs of (...) precious biomedical big data. It is therefore imperative for biobanks to have in place regulatory measures to ensure ethical use of the biomedical big data. Malaysia has yet to introduce specific legislation for the field of biobanking. However, it can be argued that its existing Personal Data Protection Act 2010 has laid down legal principles that can be enforced to protect biomedical big data generated by the biobanks. Consent is a mechanism to enable data subjects to exercise their autonomy by determining how their data can be used and ensure compliance with legal principles. However, there are two main concerns surrounding the current practice of consent in biomedical big data in Malaysia. First, it is uncertain that the current practice would be able to respect the underlying notion of autonomy, and second, it is not in accordance with the legal principles of the PDPA. Scholars have deliberated on different strategies of informed consent, and a more interactive approach has recently been introduced: dynamic consent. It is argued that a dynamic consent approach would be able to address these concerns. (shrink)

ICTs, personal data, digital rights, the GDPR, data privacy, online security… these terms, and the concepts behind them, are increasingly common in our lives. Some of us may be familiar with them, but others are less aware of the growing role of ICTs and data in our lives - and the potential risks this creates. These risks are even more pronounced for vulnerable groups in society. People can be vulnerable in different, often overlapping, ways, which place (...) them at a disadvantage to the majority of citizens; Table 3 in this guide presents some of the many forms and causes of vulnerability. As a result, vulnerable people need greater support to navigate the digital world, and to ensure that they are able to exercise their rights. This guide explains where such support can be found, and also answers the following questions: - What are the main ethical and legal issues around ICTs for vulnerable citizens? - Who is vulnerable in Europe? - How do issues around ICTs affect vulnerable people in particular? This guide is a resource for members of vulnerable groups, people who work with vulnerable groups, and citizens more broadly. It is also useful for data controllers1 who collect data about vulnerable citizens. While focused on citizens in Europe, it may be of interest to people in other parts of the world. It forms part of the Citizens’ Information Pack produced by the PANELFIT project, and is available in English, French, German, Italian and Spanish. You are welcome to translate this guide into other languages. Please send us a link to online versions in other languages, so that we can add them to the project website. (shrink)

Data subject rights provide data controllers with obligations that can help with transparency, giving data subjects some control over their personal data. To date, a growing number of researchers have used these data subject rights as a methodology for data collection in research studies. No one, however, has gathered and analysed different academic research studies that use data subject rights as a methodology for data collection. To this end, we conducted a (...) systematic literature review that searched, compiled, and analysed 32 academic studies that use data subject rights as a data collection method. We find that the right of access is the most commonly-used data subject right by researchers, most studies are interested in measuring data subject rights compliance, and that a variety of difficulties exist in conducting research studies with data subject rights. We conclude that researchers should explore other data subject rights for alternative purposes, ease the process of exercising data subject rights, and improve the scalability of these studies. (shrink)

This study concerns the ethical problems of personal data protection at work. The aim of this project is the analysis of the law structures, which determine the range of protection personal data of the employee and the candidate to work and the rights of data collecting and processing by the employer. The employee privacy protection at work is the principle of labour law expressed in Article 11 of the Labour Code. However (...) class='Hi'>personal data protection problem is directly regulated by Article 22 of the Labour Code, which entitle employers to demand certain personal data from the employees and the candidates to work. The regulation determine the list of data, which may be the subject of legal actions by employer in the field of collecting and processing of personal data. The most important issue is connected with the treatment of sensitive information, such as health data, drug testing and genetic testing, sex life, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership. Personal data protection means the necessity of cooperation between the employee and the employer not only in the field determined by the law but on the basis of ethical values as well. Hence the employer’s obligation to keep from actions which directly interfere in employee’s protected personal effects. But the employee is obliged to give true information about himself in order to protect his health and life at work. (shrink)

The first few years of the 21st century were characterised by a progressive loss of privacy. Two phenomena converged to give rise to the data economy: the realisation that data trails from users interacting with technology could be used to develop personalised advertising, and a concern for security that led authorities to use such personal data for the purposes of intelligence and policing. In contrast to the early days of the data economy and internet surveillance, (...) the last few years have witnessed a rising concern for privacy. As bad data practices have come to light, citizens are starting to understand the real cost of using online digital technologies. Two events stamped 2018 as a landmark year for privacy: the Cambridge Analytica scandal, and the implementation of the European Union’s General Data Protection Regulation (GDPR). The former showed the extent to which personal data has been shared without data subjects’ knowledge and consent and many times for unacceptable purposes, such as swaying elections. The latter inaugurated the beginning of robust data protection regulation in the digital age. Getting privacy right is one of the biggest challenges of this new decade of the 21st century. The past year has shown that there is still much work to be done on privacy to tame the darkest aspects of the data economy. As data scandals continue to emerge, questions abound as to how to interpret and enforce regulation, how to design new and better laws, how to complement regulation with better ethics, and how to find technical solutions to data problems. The aim of the research project Data, Privacy, and the Individual is to contribute to a better understanding of the ethics of privacy and of differential privacy. The outcomes of the project are seven research papers on privacy, a survey, and this final report, which summarises each research paper, and goes on to offer a set of reflections and recommendations to implement best practices regarding privacy. (shrink)

This essay examines issues involving personal privacy and informed consent that arise at the intersection of information and communication technology and population genomics research. I begin by briefly examining the ethical, legal, and social implications program requirements that were established to guide researchers working on the Human Genome Project. Next I consider a case illustration involving deCODE Genetics, a privately owned genetics company in Iceland, which raises some ethical concerns that are not clearly addressed in the current ELSI guidelines. (...) The deCODE case also illustrates some ways in which an ICT technique known as data mining has both aided and posed special challenges for researchers working in the field of population genomics. On the one hand, data-mining tools have greatly assisted researchers in mapping the human genome and in identifying certain “disease genes” common in specific populations. On the other hand, this technology has significantly threatened the privacy of research subjects participating in population genomics studies, who may, unwittingly, contribute to the construction of new groups that put those subjects at risk for discrimination and stigmatization. In the final section of this paper I examine some ways in which the use of data mining in the context of population genomics research poses a critical challenge for the principle of informed consent, which traditionally has played a central role in protecting the privacy interests of research subjects participating in epidemiological studies. (shrink)

This paper addresses the question of delegation of morality to a machine, through a consideration of whether or not non-humans can be considered to be moral. The aspect of morality under consideration here is protection of privacy. The topic is introduced through two cases where there was a failure in sharing and retaining personal data protected by UK data protection law, with tragic consequences. In some sense this can be regarded as a failure in the (...) process of delegating morality to a computer database. In the UK, the issues that these cases raise have resulted in legislation designed to protect children which allows for the creation of a huge database for children. Paradoxically, we have the situation where we failed to use digital data in enforcing the law to protect children, yet we may now rely heavily on digital technologies to care for children. I draw on the work of Floridi, Sanders, Collins, Kusch, Latour and Akrich, a spectrum of work stretching from philosophy to sociology of technology and the “seamless web” or “actor–network” approach to studies of technology. Intentionality is considered, but not deemed necessary for meaningful moral behaviour. Floridi’s and Sanders’ concept of “distributed morality” accords with the network of agency characterized by actor–network approaches. The paper concludes that enfranchizing non-humans, in the shape of computer databases of personal data, as moral agents is not necessarily problematic but a balance of delegation of morality must be made between human and non-human actors. (shrink)

This article extends property-owning democracy to the digital realm and introduces “data-owning democracy,” a new political economic regime characterized by the wide distribution of data as capital among citizens. Drawing on republican theory and acknowledging data's unique role in the digital economy, it proposes a two-tier model that combines different modes of data ownership and corresponding rights. The first layer of “data-owning democracy” is characterized by a digital public infrastructure that enables citizens to collectively generate (...) data and have a say in how their citizen data are used. In the second layer, individuals automatically receive machine-readable copies of their data whenever they are generated—a slightly more advanced form of the European Union's existing right to data portability (Art. 20). With its focus on empowerment, data-owning democracy is designed to be complementary to existing data protection regulations. It also illustrates how political theory more broadly, and republican theory specifically, can be instructive for specifying the normative components of a new political economy dealing with questions of empowerment and digital rights. (shrink)

Introduction The paradigm shift to a knowledge‐based economy has incremented the use of personal information applied to health‐related activities, such as biomedical research, innovation, and commercial initiatives. The convergence of science, technology, communication and data technologies has given rise to the application of big data to health; for example through eHealth, human databases and biobanks. Methods In light of these changes, we enquire about the value of personal data and its appropriate use. In order to (...) illustrate the complex ground on which big data applied to health develops, we analyse the current situation of the European Union and two cases: the Catalan VISC+/PADRIS and the UK Biobank, as perspectives. Discussion and conclusions Personal health‐related data in the context of the European Union is being increasingly used for big data projects under diverse schemes. There, public and private sectors participate distinctively or jointly, pursuing very different goals which may conflict with individual rights, notably privacy. Given that, this paper advocates for stopping the unjustified accumulation and commercialisation of personal data, protecting the interests of citizens and building appropriate frameworks to govern big data projects for health. A core tool for achieving such goals is to develop consent mechanisms which allow truly informed but adaptable consent, conjugated with the engagement of donors, participants and society. (shrink)

Coronavirus disease 2019 (COVID‐19) has placed significant strain on United States’ health care and health care providers. While most Americans were sheltering in place, nurses headed to work. Many lacked adequate personal protective equipment (PPE), increasing the risk of becoming infected or infecting others. Some health care organizations were not transparent with their nurses; many nurses were gagged from speaking up about the conditions in their workplaces. This study used a descriptive phenomenological design to describe the lived experience of (...) acute care nurses working with limited access to PPE during the COVID‐19 pandemic. Unstructured interviews were conducted with 28 acute care nurses via telephone, WebEx, and Zoom. Data were analyzed using thematic analysis. The major theme, emotional roller coaster, describes the varied intense emotions the nurses experienced during the early weeks of the pandemic, encompassing eight subthemes: scared and afraid, sense of isolation, anger, betrayal, overwhelmed and exhausted, grief, helpless and at a loss, and denial. Other themes include: self‐care, ‘hoping for the best’, ‘nurses are not invincible’, and ‘I feel lucky’. The high levels of stress and mental assault resulting from the COVID‐19 crisis call for early stress assessment of nurses and provision of psychological intervention to mitigate lasting psychological trauma. (shrink)

This article is the result of an international research between law and ethics scholars from Universities in France and Switzerland, who have been closely collaborating with technical experts on the design and use of information and communication technologies in the fields of human health and security. The interdisciplinary approach is a unique feature and guarantees important new insights in the social, ethical and legal implications of these technologies for the individual and society as a whole. Its aim is to shed (...) light on the tension between secrecy and transparency in the digital era. A special focus is put from the perspectives of psychology, medical ethics and European law on the contradiction between individuals’ motivations for consented processing of personal data and their fears about unknown disclosure, transferal and sharing of personal data via information and communication technologies (named the “privacy paradox”). Potential benefits and harms for the individual and society resulting from the use of computers, mobile phones, the Internet and social media are being discussed. Furthermore, the authors point out the ethical and legal limitations inherent to the processing of personal data in a democratic society governed by the rule of law. Finally, they seek to demonstrate that the impact of information and communication technology use on the individuals’ well-being, the latter being closely correlated with a high level of fundamental rights protection in Europe, is a promising feature of the socalled “e-democracy” as a new way to collectively attribute meaning to large-scale online actions, motivations and ideas. (shrink)