The aim of the article is to explain the relationship between the ethical evaluation of scientific research involving personal data and the assessment of compliance with data protection law. The article presents the mutual relationship between the protection of personal data and scientific activity from a dogmatic perspective, the legal regulation of the processing of personal data in scientific research, and the so-called research exceptions that apply when data are processed (...) for scientific research. It also covers the importance of meeting the ethical requirements of scientific research in order to profit from the indicated exceptions. Finally, it provides a comparison between the ethical and the legal systems of personal data protection in research (objectives, criteria, authorities, and procedures). (shrink)

Since the 1970s and more rigorously since the 1990s, many countries have regulated data protection and privacy laws in order to ensure the safety and privacy of personal data. First, a comparison is made of different acts regarding genetic information that are in force in the EU, the USA, and China. In Turkey, changes were adopted only recently following intense debates. This study aims to explore the experts’ opinions on the regulations of the health information systems, (...) data security, privacy, and confidentiality in Turkey, with a particular focus on genetic data, which is more sensitive than other health data as it is a permanent identifier that is inherited to next of kin and shared with other family members. Two focus groups with 18 experts and stakeholders were conducted, discussing topics such as central data collection, legalized data sharing, and the management of genetic information in health information systems. The article concludes that the new Turkish personal data protection law is problematic as the frame of collectible data is wide-ranging, and the exceptions are extensive. Specific laws or articles dedicated to genetic data that also overlook the dimension of discrimination based on genetic differences in Turkey should be taken into consideration. In broader terms, it is intended to put up for discussion that in addition to ethical aspects, economic aspects and legal aspects of health should be included in the discussion to be carried out within the framework of socio-political analyses with culture-specific approaches and cross-culture boundaries simultaneously. (shrink)

Personal data protection is an ethical issue. In this study we analyzed how research ethics committees (RECs) and data protection officers (DPOs) handle personal data protection issues in research protocols. We conducted a mixed-methods study. We included heads (or delegated representatives) of RECs and DPOs from universities and public research institutes in Croatia. The participants provided information about data protection issues in research and their mutual collaboration on those issues through (...) structured interviews that contained closed and open-ended questions. Qualitative description was used to analyze open-ended questions. The results showed that 55% of the REC representatives were not aware who was DPO in their institution. Among RECs, 65% never contacted the DPO. There were 61% of RECs who reported that they received no training from the organization on personal data protection. When asked about barriers to personal data protection in their institutions, 26% of REC members highlighted the lack of a clear protocol for assessing personal data protection issues, while 30% of DPOs mentioned lack of knowledge among researchers about personal data. In conclusion, we found that when it came to protecting personal data in research protocols, RECs and DPOs hardly ever worked together. When developing future personal data protection policies for academic and scientific research institutions, it is essential that RECs and DPOs should collaborate and both continue to expand/update their knowledge on personal data protection procedures. (shrink)

This paper undertakes a comparative legal study to analyze the challenges of privacy and personal data protection posed by Artificial Intelligence embedded in Robots, and to offer policy suggestions. After identifying the benefits from various AI usages and the risks posed by AI-related technologies, I then analyze legal frameworks and relevant discussions in the EU, USA, Canada, and Japan, and further consider the efforts of Privacy by Design originating in Ontario, Canada. While various AI usages provide great (...) convenience, many issues, including profiling, discriminatory decisions, lack of transparency, and impeding consent, have emerged. The unpredictability arising from the AI machine learning function poses further difficulties, which have only been partially addressed by legal frameworks in the aforementioned jurisdictions. However, analyzing the relevant discussions yielded several suggestions. The first priority is adopting PbD as the most flexible, soft-legal, and preferable approach toward AI-oriented issues. Implementing PbD will protect individual privacy and personal data without specific efforts, and achieve both the development of AI and the advancement of privacy and personal data protection. Technical measures that can adapt to an individual’s dynamic choices according to the “context” should be further developed. Furthermore, alternative technical measures, including those to solve the “algorithmic black box” or achieve differential privacy, warrant thorough examination. If AI surpasses human intelligence, a terminating function, such as a “kill switch” will be the last resort to preserve individual choice. Despite numerous difficulties, we must prepare for the coming AI-prevalent society by taking a flexible approach. (shrink)

The corona pandemic altered many traditional and historical norms of society and law. COVID-19 created a humanitarian crisis in some parts of globe, while pandemic privacy and civil liberties were under threat all over world. To combat the deadly virus, individual liberty and equality were compromised. This paper focuses on how India’s health problem has compromised people’s right to privacy. It will highlight how strict executive policies led to the creation of a massive surveillance system in the name of combating (...) the COVID-19 pandemic, as well as how the absence of any policy or legal framework led to the exclusion of individuals and their families who were suspected of having the virus or caring for those who were infected with the deadly virus. The paper uses case studies and data collected from primary as well as secondary sources. The authors will also point out how the absence of privacy regulation puts millions of citizens’ private information at risk of being compromised or exploited against their will. (shrink)

RESUMEN: En la era de las tecnologías digitales, el Derecho se enfrenta al objetivo de afrontar la protección de los datos personales en un universo global donde las fronteras se diluyen y el principio de territorialidad ha dejado de tener aplicación. Este trabajo pretende plantear el reto que supone, para el ordenamiento jurídico español, la adaptación a la nueva regulación europea en esta materia.ABSTRACT: At the digital´s technologies age, Law faces with the aim to address the personal data (...) protection in a global universe where blurring the borders, and the territoriality principle has ceased to be applied. This paper aims to poset he challenge that supposes, to the Spanish legal system, the adaptation to the new European Union regulation on this matter.PALABRAS CLAVE: universo digital, protección de datos personales, reglamento europeo, constitución española, conflictos de competenciaKEYWORDS: digital universe, personal data protection, european regulation, spanish constitution, competence´s conflicts. (shrink)

Public policies designed to regulate the use of information technology to protect personal data have been based on different theoretical assumptions in different states, depending on whether the problem is defined in technological, civil libertarian, or bureaucratic terms. However, the rapid development, dispersal, and decentralization of information technology have facilitated a range of new surveillance practices that have in turn rendered the approaches of the 1960s and 1970s obsolete. The networking of the postindustrial state will require a reconceptualization (...) of the dynamic relationship between organizational practices and information technology and a more comprehensive appreciation of the privacy problem. With the call for the development of a more coherent information policy in a number of countries, there is evidence that policymakers have been taking this more holistic view. (shrink)

This paper explores some key discrepancies between two sets of normative requirements applicable to the research use of personal data and human biological materials: the data protection regime which follows the application of the European Union General Data Protection Regulation, and the Declaration of Helsinki, CIOMS guidelines and other research ethics regulations. One source of this controversy is that the GDPR requires consent to process personal data to be clear, concise, specific and (...) granular, freely given and revocable and therefore has challenged the concept of ‘broad consent’, which has been widely applied in the context of biobanking. Another source of controversy is the interplay between regulations of research ethics and protection of personal data related to the secondary use of personal data and biological materials. In this case, the GDPR ‘research condition’ provides an alternative to re-consent for the use of previously collected personal data and biological materials. Although the mentioned controversies have been raised in the legal literature, they have not been explicitly addressed from the research ethics perspective. Should consent be regarded as a priority legal basis for personal data processing in health data research? Can broad consent still be a suitable legal ground for biobanking? What should be the role of research ethics provisions that differ from the GDPR standards, and what should be the role and function of research ethics committees in the changing environment of health data research? These are the ongoing controversies to be explored in the paper. (shrink)

I have argued elsewhere that in past history, freedom of speech, whether granted to few or many, was granted as bestowing some important benefit. John Stuart Mill, for example, in On Liberty, saw it as enabling us to learn from each other through discussion. By the test of benefit, I here argue that social media that are funded through trade in our personal data with advertisers, including propagandists, cannot claim to be supporting free speech. We lose our freedoms, (...) if the personal data we entrust to online social media are used to target us with information, or disinformation, tailored as persuasive to different personalities, in order to maximize revenue from advertisers or propagandists. Among the serious consequences described, particularly dangerous because of its effect on democracy, is the use of such targeted advertisements to swing voting campaigns. Control is needed both of the social media and of any political parties that pay social media for differential targeting of voters based on personality. Using UK government documents, I recommend legislation for reform and enforcement. (shrink)

The second-wave feminist critique of privacy defies the liberal opposition between the public-political and the private-personal. Feminist thinkers such as Hanisch, Young or Fraser note that, according to this liberal conception, public institutions often keep asymmetric power relations between private agents away from political discussion and action. The resulting subordination of some agents to others tends, therefore, to be naturalised and redefined as a «personal problem». Drawing on these contributions, this article reviews the social and political implications of (...) big data exploitation and questions whether personal data protection must remain a matter of «privacy self-management». It aims to show that feminist political theory can decidedly help to identify and tackle the root causes of what I call «data domination».La crítica feminista de segunda ola a la privacidad desafía la oposición liberal entre lo público-político y lo privado-personal. Pensadoras feministas como Hanisch, Young o Fraser señalan que, de acuerdo con esta concepción liberal, las instituciones públicas a menudo dejan fuera de la discusión y la acción política las relaciones de poder asimétricas entre agentes privados. La resultante subordinación de unos agentes a otros tiende, por tanto, a ser naturalizada y redefinida como un «problema personal». Basándose en estas contribuciones, este artículo revisa las implicaciones sociales y políticas de la explotación de datos masivos y cuestiona si la protección de los datos personales debe continuar siendo una cuestión de «auto-gestión de la privacidad». Su objetivo es mostrar que la teoría política feminista puede ayudar decididamente a identificar y enfrentar las causas de lo que llamo «dominación a través de los datos». (shrink)

The processing of sensitive information in the health field is subject to rigorous standards that guarantee the protection of information confidentiality. Recently, the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) stated their formal opinion on a standard procedure in dental offices involving the submission of a questionnaire that includes the patient's health status. HIV infection status is included on the form. The Authority has stated that all health data collection must be in (...) accordance with the current Italian normative framework for personal data protection and respect the patient's freedom. This freedom allows the patient to decide, in a conscious and responsible way, whether to share health information with health personnel without experiencing any prejudice in the provision of healthcare requested. Moreover, data collection must be relevant and cannot exceed the principles of treatment goals with reference to the specific care of the concerned person. However, the need for recording information regarding HIV infection at the first appointment, regardless of the clinical intervention or therapeutic plan that needs to be conducted, should not alter the standard protection measures of the healthcare staff. In fact, these measures are adopted for every patient. (shrink)

BackgroundData processing of health research databases often requires a Data Protection Impact Assessment to evaluate the severity of the risk and the appropriateness of measures taken to comply with the European Union General Data Protection Regulation. We aimed to define and apply a comprehensive method for the evaluation of privacy, data governance and ethics among research networks involved in the EU Project Bridge Health.MethodsComputerised survey among associated partners of main EU Consortia, using a targeted instrument (...) designed by the principal investigator and progressively refined in collaboration with an international advisory panel. Descriptive measures using the percentage of adoption of privacy, data governance and ethical principles as main endpoints were used for the analysis and interpretation of the results.ResultsA total of 15 centres provided relevant information on the processing of sensitive data from 10 European countries. Major areas of concern were noted for: data linkage, access and accuracy of personal data and anonymisation procedures. A high variability was noted in the application of privacy principles.ConclusionsA comprehensive methodology of Privacy and Ethics Impact and Performance Assessment was successfully applied at international level. The method can help implementing the GDPR and expanding the scope of Data Protection Impact Assessment, so that the public benefit of the secondary use of health data could be well balanced with the respect of personal privacy. (shrink)

This paper is aimed to understand the state of the art and the resulting consequences of the legal framework in Europe, with regard to the protection of children's data. Especially when they interact with networked and robotic toys, like in 'My friend Cayla' case. In order to evaluate the practical implications of the use of IoT devices by children or teenager users, the first part of the paper presents an analysis of the international guiding principles of the (...) class='Hi'>protection of minors, a category which enjoys a higher level of protection of their fundamental rights, due to their condition of lack of physical and psychological maturity. Secondly, the focus is moved upon the protection of personal data of children. Only after confronting previous data protection legal instruments and having compared them with the novelties set forth in General Data Protection Regulation, it is reasonable to assume that new provisions such as "privacy by design" principle, adequacy of security measures and codes of conduct, can support data controllers in ensuring compliance in the field of IoT toys. In conclusion, the paper supports a view of Data Protection Authorities as a relevant player in enhancing these renovated tools in order to achieve the protection of children's rights, as to ensure their substantial protection against the threats of the interconnected world. (shrink)

Once upon a time, they managed to bring Neverland into the bedrooms; they were seen as the heroes of a new era. However, as heroes always tend to walk a fine line between good and evil, it does not come as a surprise that a decade later the perception has dramatically changed; the fairy tale turned into a nightmare. Are Internet Service Providers (ISPs) no more than data-guzzling monsters that need to be tamed? In November, the European Commission published (...) a “Comprehensive approach on personal data protection in the European Union” which seems to nod approval. The approach seeks to strengthen the individual’s rights regarding the use of data by ISPs. The Commission notes that children deserve specific protection in this context due to the fact that their awareness of risks and consequences is usually underdeveloped. Both a general principle of transparent processing and specific obligations for data controllers regarding the type of information to be provided and the modalities for providing it had to be taken into account. Not only legal but also self-regulatory initiatives should contribute to a better enforcement of data protection rules. This approach is both applauded and heavily criticized by the European Data Protection Supervisor. In particular, he argues that children’s particular interests have not been sufficiently addressed presenting a long list of suggestions for improvement including specific provisions against behavioral advertising, the exclusion of some data categories, an age threshold or special requirements on the issue of informed consent and a reinforcement of data controllers’ accountability. Is there really a need for a new magic formula? This paper reviews the current options for addressing the challenges of the use of personal data of minors by ISPs. (shrink)

Open science has recently gained traction as establishment institutions have come on-side and thrown their weight behind the movement and initiatives aimed at creation of information commons. At the same time, the movement's traditional insistence on unrestricted dissemination and reuse of all information of scientific value has been challenged by the movement to strengthen protection of personal data. This article assesses tensions between open science and data protection, with a focus on the GDPR.

This article focuses on whether a certain form of consent used by biobanks – open consent – is compatible with the Proposed Data Protection Regulation. In an open consent procedure, the biobank requests consent once from the data subject for all future research uses of genetic material and data. However, as biobanks process personal data, they must comply with data protection law. Data protection law is currently undergoing reform. The Proposed (...) Data Protection Regulation is the culmination of this reform and, if voted into law, will constitute a new legal framework for biobanking. The Regulation puts strict conditions on consent – in particular relating to information which must be given to the data subject. It seems clear that open consent cannot meet these requirements. 4 categories of information cannot be provided with adequate specificity: purpose, recipient, possible third country transfers, data collected. However, whilst open consent cannot meet the formal requirements laid out by the Regulation, this is not to say that these requirements are substantially undebateable. Two arguments could be put forward suggesting the applicable consent requirements should be rethought. First, from policy documents regarding the drafting process, it seems that the informational requirements in the Regulation are so strict in order to protect the data subject from risks inherent in the use of the consent mechanism in a certain context – exemplified by the online context. There are substantial differences between this context and the biobanking context. Arguably, a consent transaction in the biobanking does not present the same type of risk to the data subject. If the risks are different, then perhaps there are also grounds for a reconsideration of consent requirements? Second, an argument can be made that the legislator drafted the Regulation based on certain assumptions as to the nature of ‘data’. The authors argue that these assumptions are difficult to apply to genetic data and accordingly a different approach to consent might be preferable. Such an approach might be more open consent friendly. (shrink)

The paper has three parts. First, a survey and analysis is given ofthe structure of individual rights in the recent EU Directive ondata protection. It is argued that at the core of this structure isan unexplicated notion of what the data subject can `reasonablyexpect' concerning the further processing of information about himor herself. In the second part of the paper it is argued thattheories of privacy popular among philosophers are not able to shed much light on the issues (...) treated in the Directive, whichare, arguably, among the central problems pertaining to theprotection of individual rights in the information society. Inthe third part of the paper, some suggestions are made for a richerphilosophical theory of data protection and privacy. It is arguedthat this account is better suited to the task of characterizingthe central issues raised by the Directive. (shrink)

The potential for biases being built into algorithms has been known for some time, yet literature has only recently demonstrated the ways algorithmic profiling can result in social sorting and harm marginalised groups. We contend that with increased algorithmic complexity, biases will become more sophisticated and difficult to identify, control for, or contest. Our argument has four steps: first, we show how harnessing algorithms means that data gathered at a particular place and time relating to specific persons, can be (...) used to build group models applied in different contexts to different persons. Thus, privacy and data protection rights, with their focus on individuals, do not protect from the discriminatory potential of algorithmic profiling. Second, we explore the idea that anti-discrimination regulation may be more promising, but acknowledge limitations. Third, we argue that in order to harness anti-discrimination regulation, it needs to confront emergent forms of discrimination or risk creating new invisibilities, including invisibility from existing safeguards. Finally, we outline suggestions to address emergent forms of discrimination and exclusionary invisibilities via intersectional and post-colonial analysis. (shrink)

It has become increasingly difficult for individuals to exercise meaningful control over the personal data they disclose to companies or to understand and track the ways in which that data is exchanged and used. These developments have led to an emerging consensus that existing privacy and data protection laws offer individuals insufficient protections against harms stemming from current data practices. However, an effective and ethically justified way forward remains elusive. To inform policy in this (...) area, we propose the Ethical Data Practices framework. The framework outlines six principles relevant to the collection and use of personal data—minimizing harm, fairly distributing benefits and burdens, respecting autonomy, transparency, accountability, and inclusion—and translates these principles into action-guiding practical imperatives for companies that process personal data. In addition to informing policy, the practical imperatives can be voluntarily adopted by companies to promote ethical data practices. (shrink)

This book is about power and freedoms in our technological world and has two main objectives. The first is to demonstrate that a theoretical exploration of the algorithmic governmentality hypothesis combined with the capability approach is useful for a better understanding of power and freedoms in Ambient Intelligence, a world where information and communication technologies are invisible, interconnected, context aware, personalized, adaptive to humans and act autonomously. The second is to argue that these theories are useful for a better comprehension (...) of privacy and data protection concepts and the evolution of their regulation. Having these objectives in mind, the book outlines a number of theses based on two threads: first, the elimination of the social effects of uncertainty and the risks to freedoms and, second, the vindication of rights. Inspired by and building on the outcomes of different philosophical and legal approaches, this book embodies an effort to better understand the challenges posed by Ambient Intelligence technologies, opening paths for more effective realization of rights and rooting legal norms in the preservation of the potentiality of human capabilities. (shrink)

The presented paper focuses on the analysis of strategic documents at the level of the European Union concerning the regulation of artificial intelligence as one of the so-called disruptive technologies. In the first part of the article, we outline the basic terminology. Subsequently, we focus on the summarizing and systemizing of the key documents adopted at the EU level in terms of artificial intelligence regulation. The focus of the paper is devoted to issues of personal data protection (...) and cyber security included in these strategic documents. The final part contains recommendations for future research and evaluation of its key features. (shrink)

Concerns have been raised around the alleged commercialisation of South African genetic material by various research institutes nationally and abroad. We consider whether the Protection of Personal Information Act in South Africa will conflict with or complement existing protections in health law and research ethics. The Act is not applicable to de‐identified samples that cannot be re‐identified but we question whether genetic samples can ever be truly de‐identified. The research participants in this matter provided consent for use of (...) their samples for research but did not consent to commercialisation by global research institutions, and neither did the researchers. We suggest that consent models incorporating broad consent as an option should include explicit discussions around benefit sharing and commercialisation. Mistrust between researchers and participants impedes scientific research and can harm relationships built up over the years between South African researchers and local communities. (shrink)

Genetics is a biomedical science that investigates heredity, variability, occurrence of genetic diseases and their prevention. Genetic science has many fields of science, which deal with different genetic processes, methods, aspects and fields of application. The genetic research in Europe related to the individual as the main subject of the research is exposed to a wide range of ethical and legal issues. From the developments in genetic science other sciences have evolved, thanks to which the modern world is able to (...) protect the genetic information of data, and to receive the sanction while ignoring the laws of such data. However, many problems still persist in the field of protection of personal genetic information, such as regulatory standards, the inviolability of an individual, the assurance of freedom and privacy of information. This manuscript attempts to reveal the main aspects of genetic human data protection, to research conduct regulations, ethics and issues related to the protection of individuals, such as protection of privacy, discrimination, confidentiality, etc. The article mainly focuses on the Conventions and Protocols elaborated by the Council of Europe because of its role in bioethics and focus on human rights. The author examined the documents such as the Convention on Human Rights and Biomedicine, the Additional Protocol to the Convention on Human Rights and Biomedicine concerning Biomedical Research, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and others. Genetic discrimination is strictly forbidden by international conventions and declarations, which means that discrimination on the grounds of personal genetic information (diseases, abnormalities) is not possible in all areas, including employment and insurance. However, individuals face some problems in getting a job due to the publicity and information disclosure to their employers, or in increasing the amount of insurance premiums. However, the disclosure of genetic information may have relevant, statutory consequences and the victims may apply to court for defending these rights. It is essential to protect genetic rights, as any form of discrimination against a person on the grounds of their genetic heritage is prohibited and intervention in the health field or disclosure of such information is only possible after the person concerned has given their free and informed consent. (shrink)

The European Union Data Protection Regulation will have profound implications for public health, health services research and statistics in Europe. The EU Commission's Proposal was a breakthrough in balancing privacy rights and rights to health and healthcare. The European Parliament, however, has proposed extensive amendments. This paper reviews the amendments proposed by the European Parliament Committee on Civil Liberties, Justice and Home Affairs and their implications for health research and statistics. The amendments eliminate most innovations brought by the (...) Proposal. Notably, derogation to the general prohibition of processing sensitive data shall be allowed for public interests such as the management of healthcare services, but not health research, monitoring, surveillance and governance. The processing of personal health data for historical, statistical or scientific purposes shall be allowed only with the consent of the data subject or if the processing serves an exceptionally high public interest, cannot be performed otherwise and is legally authorised. Research, be it academic, government, corporate or market research, falls under the same rule. The proposed amendments will make difficult or render impossible research and statistics involving the linkage and analysis of the wealth of data from clinical, administrative, insurance and survey sources, which have contributed to improving health outcomes and health systems performance and governance; and may illegitimise efforts that have been made in some European countries to enable privacy-respectful data use for research and statistical purposes. If the amendments stand as written, the right to privacy is likely to override the right to health and healthcare in Europe. (shrink)

Risk management is a well-known method to face technological challenges through a win–win combination of protective and proactive approaches, fostering the collaboration of operators, researchers, regulators, and industries for the exploitation of new markets. In the field of autonomous and unmanned aerial systems, or UAS, a considerable amount of work has been devoted to risk analysis, the generation of ground risk maps, and ground risk assessment by estimating the fatality rate. The paper aims to expand this approach with a tool (...) for managing data protection risks raised by drones through the design of flight maps. The tool should allow UAS operators choosing the best air corridor for their drones based on the so-called privacy by design principle pursuant to Article 25 of the EU data protection regulation, the GDPR. Among the manifold applications of this approach, the design of fly zones for drones can be tailored for public authorities in the phase of authorization of new operations, much as for national Data Protection authorities that have to control the lawfulness of personal data processing by UAS operations. The overall aim is to present the first win–win approach to data protection issues, aerospace engineering challenges, and risk management methods for the threats posed by this technology. (shrink)

Risk management is a well-known method to face technological challenges through a win–win combination of protective and proactive approaches, fostering the collaboration of operators, researchers, regulators, and industries for the exploitation of new markets. In the field of autonomous and unmanned aerial systems, or UAS, a considerable amount of work has been devoted to risk analysis, the generation of ground risk maps, and ground risk assessment by estimating the fatality rate. The paper aims to expand this approach with a tool (...) for managing data protection risks raised by drones through the design of flight maps. The tool should allow UAS operators choosing the best air corridor for their drones based on the so-called privacy by design principle pursuant to Article 25 of the EU data protection regulation, the GDPR. Among the manifold applications of this approach, the design of fly zones for drones can be tailored for public authorities in the phase of authorization of new operations, much as for national Data Protection authorities that have to control the lawfulness of personal data processing by UAS operations. The overall aim is to present the first win–win approach to data protection issues, aerospace engineering challenges, and risk management methods for the threats posed by this technology. (shrink)

Risk management is a well-known method to face technological challenges through a win–win combination of protective and proactive approaches, fostering the collaboration of operators, researchers, regulators, and industries for the exploitation of new markets. In the field of autonomous and unmanned aerial systems, or UAS, a considerable amount of work has been devoted to risk analysis, the generation of ground risk maps, and ground risk assessment by estimating the fatality rate. The paper aims to expand this approach with a tool (...) for managing data protection risks raised by drones through the design of flight maps. The tool should allow UAS operators choosing the best air corridor for their drones based on the so-called privacy by design principle pursuant to Article 25 of the EU data protection regulation, the GDPR. Among the manifold applications of this approach, the design of fly zones for drones can be tailored for public authorities in the phase of authorization of new operations, much as for national Data Protection authorities that have to control the lawfulness of personal data processing by UAS operations. The overall aim is to present the first win–win approach to data protection issues, aerospace engineering challenges, and risk management methods for the threats posed by this technology. (shrink)

On October 6, 2015, in Schrems v. Data Protection Commissioner, the European Court of Justice, the European Union's highest court, held that the fifteen-year-old Safe Harbor Framework Agreement with the United States was invalid. Under the agreement, about forty-five hundred American companies each year self-certified to the U.S. Department of Commerce that they were in compliance with the essential privacy protections of the European Union, and therefore it was permissible for entities in the European Union to send (...) class='Hi'>personal data to these American companies. According to the court, because some American companies were making the personal data of E.U. citizens available to U.S. government agencies, such as the National Security Agency, the fundamental privacy interests of E.U. citizens were not being protected. As a result of this court decision there has been considerable speculation about what, if any, effect the case has on international collaboration in health research, in particular, the sharing of personal data by E.U. researchers with their U.S. colleagues. (shrink)

The power exercised by technology companies is attracting the attention of policymakers, regulatory bodies and the general public. This power can be categorized in several ways, ranging from the “soft power” of technology companies to influence public policy agendas to the “market power” they may wield to exclude equally efficient competitors from the marketplace. This Article is concerned with the “data power” exercised by technology companies occupying strategic positions in the digital ecosystem. This data power is a multifaceted (...) power that may overlap with economic (market) power but primarily entails the power to profile and the power to influence opinion formation. While the current legal framework for data protection and privacy in the EU imposes constraints on personal data processing by technology companies, it ostensibly does so without regard to whether or not they have “data power.” This Article probes this assumption. It argues that although this legal framework does not explicitly impose additional legal responsibilities on entities with “data power,” it provides a clear normative indication to do so. The volume and variety of data and the reach of data-processing operations seem to be relevant when assessing both the extent of obligations on technology companies and the impact of data processing on individual rights. The Article suggests that this finding provides the normative foundation for the imposition of a “special responsibility” on such firms, analogous to the “special responsibility” imposed by competition law on dominant companies with market power. What such a “special responsibility” might entail in practice will be briefly outlined and relevant questions for future research will be identified. (shrink)

The World Bank estimates that over one billion people currently lack official identity documents. To tackle this crucial issue, the United Nations included the aim to provide legal identity for all by 2030 among the Sustainable Development Goals. Technology can be a powerful tool to reach this target. In the digital age, new technologies increasingly mediate identity verification and identification of individuals. Currently, State-led and public–private initiatives use technology to provide official identification, to control and secure external borders, and to (...) distribute humanitarian aid to populations in need. All of these initiatives have profound implications for the protection of human rights of those affected by them. Digital identity technologies may render individuals without legal documentation more visible and therefore less vulnerable to abuse and exploitation. However, they also present risks for the protection of individuals' human rights. As they build on personal data for identification and identity verification, data protection and privacy rights are most clearly affected. The prohibition of discrimination in the digital space is also of concern as these technological advances' societal impact is not yet fully understood. Accordingly, the article argues that emerging digital identity platforms will only contribute to the protection of human rights if the providers adequately mitigate any risks of potential discrimination and promote high standards of privacy and data protection. (shrink)

Directive 95/46/EC and implementing legislation define the respective obligations and liabilities of the different actors that may be involved in a personal data processing operation. There are certain exceptions to the scope of these regulations, among which processing which is carried out by natural persons in the course of activities that may be considered ‘purely personal’. The purpose of this article is to investigate the liability of users of social network sites under data protection and (...) to assess the extent to which the current data protection framework can sufficiently accommodate the new realities of web 2.0 and social networking applications. (shrink)

As with many other countries, Malaysia is also developing and promoting biomedical research to increase the understanding of human diseases and possible interventions. To facilitate this development, there is a significant growth of biobanks in the country to ensure continuous collection of biological samples for future research, which contain extremely important personal information and health data of the participants involved. Given the vast amount of samples and data accumulated by biobanks, they can be considered as reservoirs of (...) precious biomedical big data. It is therefore imperative for biobanks to have in place regulatory measures to ensure ethical use of the biomedical big data. Malaysia has yet to introduce specific legislation for the field of biobanking. However, it can be argued that its existing Personal Data Protection Act 2010 has laid down legal principles that can be enforced to protect biomedical big data generated by the biobanks. Consent is a mechanism to enable data subjects to exercise their autonomy by determining how their data can be used and ensure compliance with legal principles. However, there are two main concerns surrounding the current practice of consent in biomedical big data in Malaysia. First, it is uncertain that the current practice would be able to respect the underlying notion of autonomy, and second, it is not in accordance with the legal principles of the PDPA. Scholars have deliberated on different strategies of informed consent, and a more interactive approach has recently been introduced: dynamic consent. It is argued that a dynamic consent approach would be able to address these concerns. (shrink)

The never ending growth of digital information and the availability of low-cost storage facilities and networks capacity is leading users towards moving their data to remote storage resources. Since users’ data often holds identity-related information, several privacy issues arise when data can be stored in untrusted domains. In addition digital identity management is becoming extremely complicated due to the identity replicas proliferation necessary to get authentication in different domains. GMail and Amazon Web Services, for instance, are two (...) examples of online services adopted by million of users throughout the world which hold huge amounts of sensitive users data. State-of-the-art encryption tools for large-scale distributed infrastructures allow users to encrypt content locally before storing it on a remote untrusted repository. This approach can experience performance drawbacks, when very large data-sets must be encrypted/decrypted on a single machine. The proposed approach extends the existing solutions by providing two additional features: (1) the encryption can also be delegated to a pool of remote trusted computing resources, and (2) the definition of the encryption context which drives the tool to select the best strategy to process the data. The performance benchmarks are based on the results of tests carried out both on a local workstation and on the Grid INFN Laboratory for Dissemination Activities (GILDA) testbed. (shrink)

Advances in neurotechnologies, artificial intelligence (AI) and Big Data analytics are allowing interpretation of patterns from brain data to identify and even predict and manipulate mental states. Furthermore, there are avenues through which brain data can move into the consumer sphere, be reidentified and brokered. In response to these developments, there have been a number of approaches proposed to strengthen protections of brain data. To better understand the landscape of brain data protection discussions, we (...) conducted a scoping review to identify the rationales for establishing brain data protections and the proposals for protecting brain data offered in the ethics and neuroscience literature. To draw comparisons, we also surveyed the rationales given in the literature for the protection of sensitive behavioral inferences drawn from other types of personal data and associated approaches to achieving protection. This systematic examination of the rationale behind heightened protection for brain data should be useful to clarify the functional and conceptual bases given for brain data protection and to provide a better grounding for evaluating how the different approaches to brain data protection address these concerns. (shrink)

Answering important public health questions often requires collection of sensitive information about individuals. For example, our understanding of how HIV is transmitted and how to prevent it only came about with people's willingness to share information about their sexual and drug-using behaviors. Given the scientific need for sensitive, personal information, researchers have a corresponding ethical and legal obligation to maintain the confidentiality of data they collect and typically promise in consent forms to restrict access to it and not (...) to publish identifying data.The interests of others, however, can threaten researchers' promises of confidentiality when legal demands are made to access research data. In some cases, the subject of the litigation is tightly connected to the research questions, and litigants' interest in the data is not surprising. Researchers conducting studies on tobacco or occupational or other chemical exposures, for example, are relatively frequent targets of subpoenas. (shrink)

The first few years of the 21st century were characterised by a progressive loss of privacy. Two phenomena converged to give rise to the data economy: the realisation that data trails from users interacting with technology could be used to develop personalised advertising, and a concern for security that led authorities to use such personal data for the purposes of intelligence and policing. In contrast to the early days of the data economy and internet surveillance, (...) the last few years have witnessed a rising concern for privacy. As bad data practices have come to light, citizens are starting to understand the real cost of using online digital technologies. Two events stamped 2018 as a landmark year for privacy: the Cambridge Analytica scandal, and the implementation of the European Union’s General Data Protection Regulation (GDPR). The former showed the extent to which personal data has been shared without data subjects’ knowledge and consent and many times for unacceptable purposes, such as swaying elections. The latter inaugurated the beginning of robust data protection regulation in the digital age. Getting privacy right is one of the biggest challenges of this new decade of the 21st century. The past year has shown that there is still much work to be done on privacy to tame the darkest aspects of the data economy. As data scandals continue to emerge, questions abound as to how to interpret and enforce regulation, how to design new and better laws, how to complement regulation with better ethics, and how to find technical solutions to data problems. The aim of the research project Data, Privacy, and the Individual is to contribute to a better understanding of the ethics of privacy and of differential privacy. The outcomes of the project are seven research papers on privacy, a survey, and this final report, which summarises each research paper, and goes on to offer a set of reflections and recommendations to implement best practices regarding privacy. (shrink)

This essay examines issues involving personal privacy and informed consent that arise at the intersection of information and communication technology and population genomics research. I begin by briefly examining the ethical, legal, and social implications program requirements that were established to guide researchers working on the Human Genome Project. Next I consider a case illustration involving deCODE Genetics, a privately owned genetics company in Iceland, which raises some ethical concerns that are not clearly addressed in the current ELSI guidelines. (...) The deCODE case also illustrates some ways in which an ICT technique known as data mining has both aided and posed special challenges for researchers working in the field of population genomics. On the one hand, data-mining tools have greatly assisted researchers in mapping the human genome and in identifying certain “disease genes” common in specific populations. On the other hand, this technology has significantly threatened the privacy of research subjects participating in population genomics studies, who may, unwittingly, contribute to the construction of new groups that put those subjects at risk for discrimination and stigmatization. In the final section of this paper I examine some ways in which the use of data mining in the context of population genomics research poses a critical challenge for the principle of informed consent, which traditionally has played a central role in protecting the privacy interests of research subjects participating in epidemiological studies. (shrink)

ICTs, personal data, digital rights, the GDPR, data privacy, online security… these terms, and the concepts behind them, are increasingly common in our lives. Some of us may be familiar with them, but others are less aware of the growing role of ICTs and data in our lives - and the potential risks this creates. These risks are even more pronounced for vulnerable groups in society. People can be vulnerable in different, often overlapping, ways, which place (...) them at a disadvantage to the majority of citizens; Table 3 in this guide presents some of the many forms and causes of vulnerability. As a result, vulnerable people need greater support to navigate the digital world, and to ensure that they are able to exercise their rights. This guide explains where such support can be found, and also answers the following questions: - What are the main ethical and legal issues around ICTs for vulnerable citizens? - Who is vulnerable in Europe? - How do issues around ICTs affect vulnerable people in particular? This guide is a resource for members of vulnerable groups, people who work with vulnerable groups, and citizens more broadly. It is also useful for data controllers1 who collect data about vulnerable citizens. While focused on citizens in Europe, it may be of interest to people in other parts of the world. It forms part of the Citizens’ Information Pack produced by the PANELFIT project, and is available in English, French, German, Italian and Spanish. You are welcome to translate this guide into other languages. Please send us a link to online versions in other languages, so that we can add them to the project website. (shrink)

It has been argued that neural data are an especially sensitive kind of personal information that could be used to undermine the control we should have over access to our mental states, and therefore need a stronger legal protection than other kinds of personal data. The Morningside Group, a global consortium of interdisciplinary experts advocating for the ethical use of neurotechnology, suggests achieving this by treating legally ND as a body organ. Although the proposal is (...) currently shaping ND-related policies, it is not clear what its conceptual and legal basis is. Treating legally something as something else requires some kind of analogical reasoning, which is not provided by the authors of the proposal. In this paper, I will try to fill this gap by addressing ontological issues related to neurocognitive processes. The substantial differences between ND and body organs or organic tissue cast doubt on the idea that the former should be covered by bodily integrity. Crucially, ND are not constituted by organic material. Nevertheless, I argue that the ND of a subject s are analogous to neurocognitive properties of her brain. I claim that s’ ND are a ‘medium independent’ property that can be characterized as natural semantic personal information about her brain and that s’ brain not only instantiates this property but also has an exclusive ontological relationship with it: This information constitutes a domain that is unique to her neurocognitive architecture. (shrink)

BackgroundThe SARS-CoV-2 pandemic has highlighted once more the great need for comprehensive access to, and uncomplicated use of, pre-existing patient data for medical research. Enabling secondary research-use of patient-data is a prerequisite for the efficient and sustainable promotion of translation and personalisation in medicine, and for the advancement of public-health. However, balancing the legitimate interests of scientists in broad and unrestricted data-access and the demand for individual autonomy, privacy and social justice is a great challenge for patient-based (...) medical research.MethodsWe therefore conducted two questionnaire-based surveys among North-German outpatients (n = 650) to determine their attitude towards data-donation for medical research, implemented as an opt-out-process.ResultsWe observed a high level of acceptance (75.0%), the most powerful predictor of a positive attitude towards data-donation was the conviction that every citizen has a duty to contribute to the improvement of medical research (> 80% of participants approving data-donation). Interestingly, patients distinguished sharply between research inside and outside the EU, despite a general awareness that universities and public research institutions cooperate with commercial companies, willingness to allow use of donated data by the latter was very low (7.1% to 29.1%, depending upon location of company). The most popular measures among interviewees to counteract reservations against commercial data-use were regulation by law (61.4%), stipulating in the process that data are not sold or resold (84.6%). A majority requested control of both the use (46.8%) and the protection (41.5%) of the data by independent bodies.ConclusionsIn conclusion, data-donation for medical research, implemented as a combination of legal entitlement and easy-to-exercise-right to opt-out, was found to be widely supported by German patients and therefore warrants further consideration for a transposition into national law. (shrink)

Confidentiality is a central bioethical principle governing the provider–patient relationship. Dating back to Hippocrates, new laws have interpreted it for the age of precision medicine and electronic medical records. This is where the discussion of privacy and technology often ends in the scientific health literature when Internet-related technologies have made privacy a much more complex challenge with broad psychological and clinical implications. Beyond the recognised moral duty to protect patients’ health information, clinicians should now advocate a basic right to privacy (...) as a means to safeguard psychological health. The article reviews empirical research into the functions of privacy, the implications for psychological development and the resigned sentiment taking hold regarding the ability to control personal data. The article concludes with a call for legislative, educational and research steps to readjust the equilibrium between the individual and ‘Big Data’. (shrink)

Data subject rights provide data controllers with obligations that can help with transparency, giving data subjects some control over their personal data. To date, a growing number of researchers have used these data subject rights as a methodology for data collection in research studies. No one, however, has gathered and analysed different academic research studies that use data subject rights as a methodology for data collection. To this end, we conducted a (...) systematic literature review that searched, compiled, and analysed 32 academic studies that use data subject rights as a data collection method. We find that the right of access is the most commonly-used data subject right by researchers, most studies are interested in measuring data subject rights compliance, and that a variety of difficulties exist in conducting research studies with data subject rights. We conclude that researchers should explore other data subject rights for alternative purposes, ease the process of exercising data subject rights, and improve the scalability of these studies. (shrink)

Coronavirus disease 2019 (COVID‐19) has placed significant strain on United States’ health care and health care providers. While most Americans were sheltering in place, nurses headed to work. Many lacked adequate personal protective equipment (PPE), increasing the risk of becoming infected or infecting others. Some health care organizations were not transparent with their nurses; many nurses were gagged from speaking up about the conditions in their workplaces. This study used a descriptive phenomenological design to describe the lived experience of (...) acute care nurses working with limited access to PPE during the COVID‐19 pandemic. Unstructured interviews were conducted with 28 acute care nurses via telephone, WebEx, and Zoom. Data were analyzed using thematic analysis. The major theme, emotional roller coaster, describes the varied intense emotions the nurses experienced during the early weeks of the pandemic, encompassing eight subthemes: scared and afraid, sense of isolation, anger, betrayal, overwhelmed and exhausted, grief, helpless and at a loss, and denial. Other themes include: self‐care, ‘hoping for the best’, ‘nurses are not invincible’, and ‘I feel lucky’. The high levels of stress and mental assault resulting from the COVID‐19 crisis call for early stress assessment of nurses and provision of psychological intervention to mitigate lasting psychological trauma. (shrink)

A recent project at the University of Denver Libraries used handwritten text recognition (HTR) software to create transcriptions of records from the Jewish Consumptives’ Relief Society (JCRS), a tuberculosis sanatorium located in Denver, Colorado from 1904 to 1954. Among a great many other potential uses, these type- and hand-written records give insight into the human experience of disease and epidemic, its treatment, its effect on cultures, and of Jewish immigration to and early life in the American West. Our intent is (...) to provide these transcripts as data so the text may be computationally analyzed, pursuant to a larger effort in developing capacity in services and infrastructure to support digital humanities as a library, and to contribute to the emerging HTR ecosystem in archival work. Just because we can, however, doesn’t always mean we should: the realities of publishing large datasets online that contain medical and personal histories of potentially vulnerable people and communities introduce serious ethical considerations. This paper both underscores the value of HTR and frames ethical considerations related to protecting data derived from it. It suggests a terms-of-use intervention perhaps valuable to similar projects, one that balances meeting the research needs of digital scholars with the care and respect of persons, their communities and inheritors, who lives produced the very data now valuable to those researchers. (shrink)

In recent years, due to factors such as rising sea levels, several island nations such as Maldives, Tuvalu, Kiribati, and the Marshall Islands are in danger of disappearing completely. When the land of an island country disappeared, the human rights protection of Environmentally Displaced Persons in the migration process and the possible loss of their unique culture, language, and lifestyle have aroused great concern. We call such Environmentally Displaced Persons as EDPs. This study selects the EDPs’ data of (...) 241 countries or regions from 2008 to 2018, establishes an ARIMA model, and predicts the future population of EDPs. By combining the influencing factors of cultural loss, the risk assessment model of cultural loss is established to evaluate the possibility of cultural loss during the migration process of EDPs. We have established a Bayesian Network and a Fault Tree Model to demonstrate the improvement brought about by the implementation of policy recommendations from both qualitative and quantitative perspectives and use the method of fault tree analysis to illustrate the importance of policies from the degree of probability reduction after policy changes. Finally, based on the above model establishment and data analysis, corresponding countermeasures are proposed to protect EDPs’ human rights from being violated and their culture will not be lost. (shrink)