| Preface |
|
v | |
|
|
|
xiii | |
|
1 EU Data Protection and `Treaty-base Games': When Fundamental Rights are Wearing Market-making Clothes |
|
|
1 | (32) |
|
|
|
|
|
1 | (4) |
|
A The Case for this Study |
|
|
1 | (1) |
|
B Policy Outcomes of the Rights-based and Market-oriented Approaches |
|
|
2 | (2) |
|
C Political Pragmatism and the Early History of Fundamental Rights in the EU |
|
|
4 | (1) |
|
II Rational Choice and Historical Institutionalism |
|
|
5 | (3) |
|
III The CJEU: Filling the Gap, but Why and How Far? Tracing Strategic Interests of the Constitutional Court |
|
|
8 | (5) |
|
A The Early Challenges to the CJEU Authority |
|
|
8 | (1) |
|
B The Challenges to the CJEU Status Quo in the Post-Lisbon Era |
|
|
9 | (2) |
|
C The Member States and the CJEU's Strategic Interests |
|
|
11 | (1) |
|
|
|
12 | (1) |
|
IV The Charter--A Victim of Domestic Politics? |
|
|
13 | (12) |
|
A EU Integration in the Field of Civic Interests |
|
|
13 | (1) |
|
B The Charter and the Member States' Sovereignty Concerns |
|
|
14 | (3) |
|
V Directive 95/46/EC, GDPR, and the Market Imprint |
|
|
17 | (1) |
|
A `Treaty-base Games': Explaining the Market-framing of the EU First Data Protection Instrument |
|
|
17 | (3) |
|
B The Development of the EU Data Protection Law and the Market-framing Implications |
|
|
20 | (5) |
|
|
|
25 | (8) |
|
|
|
26 | (7) |
|
2 The `Risk Revolution' in EU Data Protection Law: We can't Have Our Cake and Eat it, Too |
|
|
33 | (30) |
|
|
|
|
|
34 | (3) |
|
II The Role of `Risk' in the Risk-Based Approach |
|
|
37 | (5) |
|
III `Risk' and the Legal Obligations in the GDPR |
|
|
42 | (11) |
|
A The Link between `Theory' and `Practice' |
|
|
42 | (2) |
|
B `Taking into Account' the Risks |
|
|
44 | (1) |
|
i Scalable Compliance Measures |
|
|
44 | (1) |
|
ii Substantive Protection against Risks |
|
|
45 | (5) |
|
iii The Limits to Enforcement Action against Risk-Taking |
|
|
50 | (2) |
|
C The Risk-Based Approach and Legal Compliance |
|
|
52 | (1) |
|
IV Were the Data Protection Principles and the Data Subject Rights Risk-Based to Start With? |
|
|
53 | (10) |
|
A Obligations which Require a Risk-Oriented Result |
|
|
54 | (2) |
|
B Obligations which Require a Risk-Oriented Effort |
|
|
56 | (1) |
|
C Obligations which Are not Risk-Oriented |
|
|
56 | (2) |
|
D The Discretion of Controllers vs the Control Rights of Data Subjects |
|
|
58 | (1) |
|
|
|
59 | (1) |
|
|
|
60 | (3) |
|
3 No Privacy without Transparency |
|
|
63 | (26) |
|
|
|
|
|
63 | (1) |
|
II Describing the Harms from Loss of Privacy |
|
|
64 | (7) |
|
A Public Perceptions of the Privacy Related Harm |
|
|
65 | (3) |
|
B Insecure Use and Imprecise Use of Data |
|
|
68 | (3) |
|
III How Does Data Protection Protect against Insecure and Imprecise Use of Data? |
|
|
71 | (6) |
|
|
|
72 | (2) |
|
B Transparency, Consent and Fair Processing |
|
|
74 | (2) |
|
C Privacy vs Consumer Protection |
|
|
76 | (1) |
|
IV Measuring the Benefits and Risks of Data-driven Automated Decision-making (Surveillance) |
|
|
77 | (4) |
|
A Model Surveillance System |
|
|
78 | (1) |
|
B Estimating the Net Benefit of a Surveillance System |
|
|
79 | (1) |
|
C Risks of Surveillance Systems Resulting in Net Harm |
|
|
80 | (1) |
|
V How Might Regulators Ensure Reliable Information about the Impact of Surveillance Systems be Generated? |
|
|
81 | (3) |
|
|
|
83 | (1) |
|
|
|
84 | (5) |
|
|
|
85 | (4) |
|
4 Machine Learning with Personal Data' |
|
|
89 | (26) |
|
|
|
|
|
|
|
|
|
89 | (4) |
|
|
|
93 | (10) |
|
A Profiling as a Type of Processing |
|
|
93 | (1) |
|
i The Elements of the Profiling Process |
|
|
94 | (3) |
|
B The Decision and its Effects |
|
|
97 | (2) |
|
C Data Protection Impact Assessments (DPIA) |
|
|
99 | (2) |
|
D Derogations from the Rule |
|
|
101 | (1) |
|
E Potential Consequences of Non-Compliance |
|
|
102 | (1) |
|
|
|
103 | (3) |
|
|
|
106 | (4) |
|
|
|
110 | (5) |
|
|
|
112 | (3) |
|
5 Bridging Policy, Regulation and Practice? A Techno-Legal Analysis of Three Types of Data in the GDPR |
|
|
115 | (28) |
|
|
|
|
|
|
|
|
|
|
|
|
|
115 | (4) |
|
II The Three Types of Data |
|
|
119 | (6) |
|
|
|
119 | (2) |
|
|
|
121 | (1) |
|
ii Direct and Indirect Identifiers |
|
|
122 | (1) |
|
iii Data Sanitisation Techniques |
|
|
123 | (1) |
|
|
|
123 | (1) |
|
B Re-Identification Risks |
|
|
124 | (1) |
|
III A Risk-based Analysis of the Three Types of Data |
|
|
125 | (5) |
|
A Local, Global and Domain Linkability |
|
|
125 | (1) |
|
|
|
126 | (1) |
|
|
|
126 | (2) |
|
|
|
128 | (2) |
|
IV Data Sanitisation Techniques and Contextual Controls |
|
|
130 | (10) |
|
A Effectiveness of Data Sanitisation Techniques |
|
|
130 | (4) |
|
B Improving Data Utility with Contextual Controls |
|
|
134 | (5) |
|
C Improving Data Utility with Dynamic Sanitisation Techniques and Contextual Controls |
|
|
139 | (1) |
|
|
|
140 | (3) |
|
|
|
141 | (2) |
|
6 Are We Prepared for the 4th Industrial Revolution? Data Protection and Data Security Challenges of Industry 4.0 in the EU Context |
|
|
143 | (24) |
|
|
|
|
|
143 | (2) |
|
II Defining IND 4.0--The Regulatory Use and Key Features of a Sui Generis Concept |
|
|
145 | (4) |
|
A IND 4.0 as a Regulatory Tool and as a Sui Generis Concept |
|
|
145 | (2) |
|
B Conceptual Features of IND 4.0 |
|
|
147 | (2) |
|
III Data Protection Challenges of IND 4.0 and the EU Legal Context |
|
|
149 | (10) |
|
A Data Protection Challenges in regard to Customer Data in the IND 4.0 Context |
|
|
149 | (6) |
|
B Data Protection Challenges in relation to Employee Data in an IND 4.0 Context |
|
|
155 | (4) |
|
IV Data Security Challenges of IND 4.0 and the EU Legal Context |
|
|
159 | (4) |
|
|
|
163 | (4) |
|
|
|
164 | (3) |
|
7 Reasonable Expectations of Data Protection in Telerehabilitation---A Legal and Anthropological Perspective on Intelligent Orthoses |
|
|
167 | (26) |
|
|
|
|
|
|
|
167 | (3) |
|
A Telerehabilitation: A Challenge for Data Protection |
|
|
167 | (1) |
|
B Research Context and Methods |
|
|
168 | (1) |
|
C Research Focus: The Orthoses Project |
|
|
169 | (1) |
|
II The Legal Angle: Reasonable Expectations and Privacy by Design |
|
|
170 | (6) |
|
A Reasonable Expectations and Privacy by Design in the GDPR |
|
|
171 | (1) |
|
B Gaining Legal Certainty with `Katz Content' |
|
|
172 | (2) |
|
C Reasonable Expectations and the Use of Intelligent Systems in Telerehabilitation |
|
|
174 | (2) |
|
III The Anthropological Angle: Reasonable Expectations of Minors in Brace Therapy |
|
|
176 | (11) |
|
A Methods and Overview of Findings |
|
|
176 | (1) |
|
B Analytical Framework: The Concept of `Territories of the Self (Erving Goffrnan)' |
|
|
177 | (3) |
|
C Discussion of Empirical Findings |
|
|
180 | (1) |
|
i Attitudes Regarding Data Sharing |
|
|
181 | (1) |
|
a) Minimization of Data Disclosure |
|
|
181 | (1) |
|
b) Data-Sharing as Trade-Off |
|
|
181 | (1) |
|
c) Impracticality of Controlling Personal Data |
|
|
182 | (1) |
|
d) Data-Sharing without Concern |
|
|
182 | (1) |
|
ii Information Preserves Concerning `Data Especially Worthy of Protection' |
|
|
182 | (2) |
|
iii Attitudes and Expectations of Handling Data Concerning Health |
|
|
184 | (3) |
|
|
|
187 | (6) |
|
|
|
189 | (4) |
|
8 Considering the Privacy Design Issues Arising from Conversation as Platform |
|
|
193 | (20) |
|
|
|
|
|
|
|
193 | (3) |
|
II Conversation as Platform |
|
|
196 | (3) |
|
III The Privacy Impact of Sensed Conversation; A Focus on Child-Facing Technology |
|
|
199 | (3) |
|
A Privacy of Child and Adult Communications |
|
|
200 | (1) |
|
B Privacy of Children's Play |
|
|
201 | (1) |
|
|
|
201 | (1) |
|
D Introduction of Third Parties |
|
|
202 | (1) |
|
IV The Problem of Intelligent Systems |
|
|
202 | (6) |
|
A Learning, Error and the Importance of Social Context |
|
|
204 | (1) |
|
B Opacity, Comprehension and Informing |
|
|
205 | (2) |
|
|
|
207 | (1) |
|
V Conclusions and Recommendations |
|
|
208 | (3) |
|
A Rethinking the Design of Consent Mechanism for Conversational Systems |
|
|
209 | (1) |
|
B Create New Boundary Objects and Privacy Grammars to Support User Understanding and Trust |
|
|
210 | (1) |
|
C Undertake Research on the Potential Increase and Normalisation of Child Surveillance |
|
|
210 | (1) |
|
|
|
211 | (2) |
|
9 Concluding remarks at the 10th Computers, Privacy and Data Protection Conference: 27 January 2017 |
|
|
213 | (6) |
|
|
| Index |
|
219 | |
