Oxford Data Protection & Privacy Law – serie

Data protection law is often positioned as a regulatory solution to the risks posed by computational systems. Despite the widespread adoption of data protection laws, however, there are those who remain sceptical as to their capacity to engender change. Much of this criticism focuses on our role as 'data subjects'. It has been demonstrated repeatedly that we lack the capacity to act in our own best interests and, what is more, that our decisions have negative impacts on others. Our decision-making limitations seem to be the inevitable by-product of the technological, social, and economic reality. Data protection law bakes in these limitations by providing frameworks for notions such as consent and subjective control rights and by relying on those who process our data to do so fairly.Despite these valid concerns, Data Protection Law and Emotion argues that the (in)effectiveness of these laws are often more difficult to discern than the critical literature would suggest, while also emphasizing the importance of the conceptual value of subjective control. These points are explored (and indeed, exposed) by investigating data protection law through the lens of the insights provided by law and emotion scholarship and demonstrating the role emotions play in our decision-making. The book uses the development of Emotional Artificial Intelligence, a particularly controversial technology, as a case study to analyse these issues.Original and insightful, Data Protection Law and Emotion offers a unique contribution to a contentious debate that will appeal to students and academics in data protection and privacy, policymakers, practitioners, and regulators.

Vulnerability has traditionally been viewed through the lens of specific groups of people, such as ethnic minorities, children, the elderly, or people with disabilities. With the rise of digital media, our perceptions of vulnerable groups and individuals have been reshaped as new vulnerabilities and different vulnerable sub-groups of users, consumers, citizens, and data subjects emerge. Vulnerability and Data Protection Law not only depicts these problems but offers the reader a detailed investigation of the concept of data subjects and a reconceptualization of the notion of vulnerability within the General Data Protection Regulation. The regulation offers a forward-facing set of tools that-though largely underexplored-are essential in rebalancing power asymmetries and mitigating induced vulnerabilities in the age of artificial intelligence. Considering the new risks and potentialities of the digital market, the new awareness about cognitive weaknesses, and the new philosophical sensitivity about the condition of human vulnerability, the author looks for a more general and layered definition of the data subject's vulnerability that goes beyond traditional labels. In doing so, he seeks to promote a 'vulnerability-aware' interpretation of the GDPR. A heuristic analysis that re-interprets the whole GDPR, this work is essential for both scholars of data protection law and for policymakers looking to strengthen regulations and protect the data of vulnerable individuals.

This book examines the role of international law in securing privacy and data protection in the digital age. Driven mainly by the transnational nature of privacy threats involving private actors as well as States, calls are increasingly made for an international privacy framework to meet these challenges. Mapped against a flurry of global privacy initiatives, the book provides the first comprehensive analysis of the extent to which and whether international law attends to the complexities of upholding digital privacy. The book starts by exploring boundaries of international privacy law in upholding privacy and data protection in the digital ecosystem where threats to privacy are increasingly transnational, sophisticated and privatized. It then explores the potential of global privacy initiatives, namely Internet bills of rights, universalization of regional systems of data privacy protection, and the multi-level privacy discourse at the United Nations, in reimagining the normative contours of international privacy law. Having shown limitations of global privacy initiatives, the book proposes a pragmatic approach that could make international privacy law better-equipped in the digital age.

Governing Cross-Border Data Flows explores how the European Union can simultaneously reconcile and pursue two important legal and policy objectives, namely: protecting fundamental rights guaranteed under the EU Charter of Fundamental Rights (EU Charter) concerning privacy and personal data, while also maintaining and developing a binding, rules-based global trading system to ensure appropriate access to foreign digital markets for EU businesses.The book demonstrates a significant conflict between international trade law and European data privacy law when it comes to the governance of cross-border flows of personal data. To resolve the tensions caused by this clash, the book proposes concrete and detailed ways to ameliorate the situation from both ends (international trade and personal data protection), specifically through reforms of both international trade and chapter V of the General Data Protection Regulation (GDPR). To explain how such reforms could be effectuated, Yakovleva examines the role of discourse in the evolution of trade law in the last two decades. The book also paves the way for the further research necessary to design a fully-fledged reform proposal of the EU framework for the transfer of personal data outside the European Economic Area.

The concept of a risk-based approach to data protection came to the fore during the overhaul process of the EU's General Data Protection Regulation (GDPR). At its core, it consists of endowing the regulated organizations that process personal data with increased responsibility for complying with data protection mandates. Such increased compliance duties are performed through risk management tools. This book provides a comprehensive analysis of this legal and policy development, which considers a legal, historical, and theoretical perspective. By framing the risk-based approach as a sui generis implementation of a specific regulation model 'known as meta regulation, this book provides a recollection of the policy developments that led to the adoption of the risk-based approach in light of regulation theory and debates. It also discusses a number of salient issues pertaining to the risk-based approach, such as its rationale, scope, and meaning; the role for regulators; and its potential and limits. The book also looks at they way it has been undertaken in major statutes with a focus on key provisions, such as data protection impact assessments or accountability.Finally, the book devotes considerable attention to the notion of risk. It explains key terms such as risk assessment and management. It discusses in-depth the role of harms in data protection, the meaning of a data protection risk, and the difference between risks and harms. It also critically analyses prevalent data protection risk management methodologies and explains the most important caveats for managing data protection risks.

The tension between freedom of expression and European personal data protection regulation is unmistakable. Nowhere is this more apparent than in its interface with professional journalism and other traditional publishers including artists, writers and academics. This book systematically explores how that tension has been managed across thirty-one European States from the 1970s through to the 2010s including under the General Data Protection Regulation (GDPR). It is found that, notwithstanding confusing laws, data authorities have regulated journalism through contextual rights balancing. However, they have struggled to establish a clear standard of strictness or ensure consistent enforcement. Their stance regarding other publishers has been more confused - whilst academics have been subject to onerous restrictions developed for medical and related research, other writers and artists have been largely ignored. This book suggests that contextual rights balancing should be extended to all traditional publishers and systematically developed through robust co-regulation that draws on the strength of both statutory control and self-regulation.

This book critically investigates the role of data subject rights in countering information and power asymmetries online. It aims at dissecting 'data subject empowerment' in the information society through the lens of the right to erasure ("right to be forgotten") in Article 17 of the General Data Protection Regulation (GDPR). In doing so, it provides an extensive analysis of the interaction between the GDPR and the fundamental right to data protection in Art.8 of the Charter of Fundamental Rights of the EU (Charter), how data subject rights affect fair balancing of fundamental rights, and what the practical challenges are to effective data subject rights. The book starts with exploring the data-driven asymmetries that characterise individuals' relationship with tech giants. These commercial entities increasingly anticipate and govern how people interact with each other and the world around them, affecting core values such as individual autonomy, dignity and freedom. The book explores how data protection law, and data subject rights in particular, enable resisting, breaking down or at the very least critically engaging with these asymmetric relationships. It concludes that despite substantial legal and practical hurdles, the GDPR's right to erasure does play a meaningful role in furthering the fundamental right to data protection (Art. 8 Charter) in the face of power asymmetries online.

In digital markets, data protection and competition law affect each other in diverse and intricate ways. Their entanglement has triggered a global debate on how these two areas of law should interact to effectively address new harms and ensure that the digital economy flourishes. Coherence between Data Protection and Competition Law in Digital Markets offers a blueprint for bridging the disconnect between data protection and competition law and ensuring a coherent approach towards their enforcement in digital markets.Specifically, this book focuses on the evolution of data protection and competition law, their underlying rationale, their key features and common objectives, and provides a series of examples to demonstrate how the same empirical phenomena in digital markets pose a common challenge to protecting personal data and promoting market competitiveness. A panoply of theoretical and empirical commonalities between these two fields of law, as this volume shows, are barely mirrored in the legal, enforcement, policy, and institutional approaches in the EU and beyond, where the silo approach continues to prevail. The ideas that Majcher puts forward for a more synergetic integration of data protection and competition law are anchored in the concept of 'sectional coherence'. This new coherence-centred paradigm reimagines the interpretation and enforcement of data protection and competition law as mutually cognizant and reciprocal, allowing readers to explore, in an innovative way, the interface between these legal fields and identify positive interactions, instead of merely addressing inconsistencies and tensions. This book reflects on the conceptual, practical, institutional, and constitutional implications of the transition towards coherence and the relevance of its findings for other jurisdictions.

The monetization of personal data has become an increasingly common business practice, igniting global debate on the interface between data privacy law and competition law. Data Privacy and Competition Law in the Age of Big Data provides a comprehensive, novel, and interdisciplinary analysis of this nexus. Drawing insights from emergent properties and complexity science, the book exposes the commonalities and conflicts between how data privacy law and competition law address challenges resulting from the commercialization of personal data.Samson Y. Esayas begins by identifying key shifts in big data: the growing trend of processing personal data for diverse purposes, the aggregation of data across various operations, and the shift from offering stand-alone products and services to ecosystems of several, with personal data central in connecting the different markets. These shifts engender a complex economic landscape, marked by multiple actors, a web of interactions, and non-linear, emergent outcomes. Despite this complexity, the prevailing approach to data privacy law and competition law emphasises isolated units of analysis-whether a relevant market or a distinct processing operation. This approach overlooks system-wide (emergent) risks borne of cumulative processing operations and cross-market practices. Additionally, a mindset focused on either data privacy law or competition law overlooks the increasing intersection between the two regimes, missing opportunities for synergy.In light of these challenges, Esayas's volume calls for recalibrating data privacy law and competition law for a complex economy, emphasizing a holistic, systems-level perspective that addresses emergent harms and a polycentric strategy that leverages the strengths of each legal regime.