Clicks, comments, transactions, and physical movements are being increasingly recorded and analyzed by Big Data processors who use this information to trace the sentiment and activities of markets and voters. While the benefits of Big Data have received considerable attention, it is the potential social costs of practices associated with Big Data that are of interest to us in this paper. Prior research has investigated the impact of Big Data on individual privacy rights, however, there is (...) also growing recognition of its capacity to be mobilized for surveillance purposes. Our paper delineates the underlying issues of privacy and surveillance and presents them as in tension with one another. We postulate that efforts at controlling Big Data may create a trade-off of risks rather than an overall improvement in data protection. We explore this idea in relation to the principles of the European Union’s General Data Protection Regulation as it arguably embodies the new ‘gold standard’ of cyber-laws. We posit that safeguards advocated by the law, anonymization and pseudonymization, while representing effective counter measures to privacy concerns, also incentivize the use, collection, and trade of behavioral and other forms of de-identified data. We consider the legal status of these ownerless forms of data, arguing that data protection techniques such as anonymization and pseudonymization raise significant concerns over the ownership of behavioral data and its potential use in the large-scale modification of activities and choices made both on and offline. (shrink)

Since approval of the EU General Data Protection Regulation (GDPR) in 2016, it has been widely and repeatedly claimed that the GDPR will legally mandate a ‘right to explanation’ of all decisions made by automated or artificially intelligent algorithmic systems. This right to explanation is viewed as an ideal mechanism to enhance the accountability and transparency of automated decision-making. However, there are several reasons to doubt both the legal existence and the feasibility of such a right. (...) In contrast to the right to explanation of specific automated decisions claimed elsewhere, the GDPR only mandates that data subjects receive meaningful, but properly limited, information (Articles 13-15) about the logic involved, as well as the significance and the envisaged consequences of automated decision-making systems, what we term a ‘right to be informed’. Further, the ambiguity and limited scope of the ‘right not to be subject to automated decision-making’ contained in Article 22 (from which the alleged ‘right to explanation’ stems) raises questions over the protection actually afforded to data subjects. These problems show that the GDPR lacks precise language as well as explicit and well-defined rights and safeguards against automated decision-making, and therefore runs the risk of being toothless. We propose a number of legislative and policy steps that, if taken, may improve the transparency and accountability of automated decision-making when the GDPR comes into force in 2018. (shrink)

In previous works (Floridi 2018) I introduced the distinction between hard ethics (which may broadly be described as what is morally right and wrong independently of whether something is legal or illegal), and soft or post-compliance ethics (which focuses on what ought to be done over and above existing legislation). This paper analyses the applicability of soft ethics to the General Data Protection Regulation and advances the theory that soft ethics has a dual advantage—as both an (...) opportunity strategy and a risk management solution. (shrink)

Before the EU General Data Protection Regulation entered into force in May 2018, we witnessed an intense struggle of actors associated with data-dependent fields of science, in particular health-related academia and biobanks striving for legal derogations for data reuse in research. These actors engaged in a similar line of argument and formed issue alliances to pool their collective power. Using descriptive coding followed by an interpretive analysis, this article investigates the argumentative repertoire of these (...) actors and embeds the analysis in ethical debates on data sharing and biobank-related data governance. We observe efforts to perform a paradigmatic shift of the discourse around the General Data Protection Regulation-implementation away from ‘protecting data’ as key concern to ‘protecting health’ of individuals and societies at large. Instead of data protection, the key risks stressed by health researchers became potential obstacles to research. In line, exchange of information with data subjects is not a key concern in the arguments of biobank-related actors and it is assumed that patients want ‘their’ data to be used. We interpret these narratives as a ‘reaction’ to potential restrictions for data reuse and in line with a broader trend towards Big Data science, as the very idea of biobanking is conceptualized around long-term use of readily prepared data. We conclude that a sustainable implementation of biobanks needs not only to comply with the General Data Protection Regulation, but must proactively re-imagine its relation to citizens and data subjects in order to account for the various ways that science gets entangled with society. (shrink)

In this article, we consider the possible application of the European General Data Protection Regulation to “citizen scientist”-led health research with mobile devices. We argue that the GDPR likely does cover this activity, depending on the specific context and the territorial scope. Remaining open questions that result from our analysis lead us to call for lex specialis that would provide greater clarity and certainty regarding the processing of health data by for research purposes, including these (...) non-traditional researchers. (shrink)

The General Data Protection Regulation is a European Union regulation that will replace the existing Data Protection Directive on 25 May 2018. The most significant change is a huge increase in the maximum fine that can be levied for breaches of the regulation. Yet fewer than half of UK companies are fully aware of GDPR—and a number of those who were preparing for it stopped doing so when the Brexit vote was announced. (...) A last-minute rush to become compliant is therefore expected, and numerous companies are starting to offer advice, checklists and consultancy on how to comply with GDPR. In such an environment, artificial intelligence technologies ought to be able to assist by providing best advice; asking all and only the relevant questions; monitoring activities; and carrying out assessments. The paper considers four areas of GDPR compliance where rule based technologies and/or machine learning techniques may be relevant: Following compliance checklists and codes of conduct; Supporting risk assessments; Complying with the new regulations regarding technologies that perform automatic profiling; Complying with the new regulations concerning recognising and reporting breaches of security. It concludes that AI technology can support each of these four areas. The requirements that GDPR state for explanation and justification of reasoning imply that rule-based approaches are likely to be more helpful than machine learning approaches. However, there may be good business reasons to take a different approach in some circumstances. (shrink)

The emergence of a global industry of digital health platforms operated by Big Tech corporations, and its growing entanglements with academic and pharmaceutical research networks, raise pressing questions on the capacity of current data governance models, regulatory and legal frameworks to safeguard the sustainability of the health research ecosystem. In this article, we direct our attention toward the challenges faced by the European General Data Protection Regulation in regulating the potentially disruptive engagement of Big Tech (...) platforms in health research. The General Data Protection Regulation upholds a rather flexible regime for scientific research through a number of derogations to otherwise stricter data protection requirements, while providing a very broad interpretation of the notion of “scientific research”. Precisely the breadth of these exemptions combined with the ample scope of this notion could provide unintended leeway to the health data processing activities of Big Tech platforms, which have not been immune from carrying out privacy-infringing and socially disruptive practices in the health domain. We thus discuss further finer-grained demarcations to be traced within the broadly construed notion of scientific research, geared to implementing use-based data governance frameworks that distinguish health research activities that should benefit from a facilitated data protection regime from those that should not. We conclude that a “re-purposing” of big data governance approaches in health research is needed if European nations are to promote research activities within a framework of high safeguards for both individual citizens and society. (shrink)

Clinical biobanks processing data of participants in the European Union fall under the scope of the General Data Protection Regulation, which among others includes requirements for consent. These requirements are further specified by the Article 29 Working Party —an EU advisory body currently known as the European Data Protection Board. Unfortunately, their guidance is cause for some confusion. While the GDPR allows participants to give broad consent for research when specific research purposes are (...) still unknown, the WP29 guidelines suggest that additional consent for specific uses should be obtained in addition to broad consent when this becomes applicable. This discrepancy elicits the question whether clinical biobanks can fail the requirement of consent if they obtain broad consent, but not a specific consent for each biomedical study. We analysed this discrepancy within the framework of contextual integrity, in order to describe the context-relative informational norms that govern information flows in clinical biobanks. However, our analysis demonstrates that there is no uniform set of norms that can be applied to all clinical biobanks. As such, neither the GDPR nor the WP29 guidance can act as a “one size fits all” approach to all clinical biobanks. Rather, differences between clinical biobanks—especially regarding the scientific aims and patient populations—make the case for context-relative norms that determine the appropriate type of consent. (shrink)

BackgroundData processing of health research databases often requires a Data Protection Impact Assessment to evaluate the severity of the risk and the appropriateness of measures taken to comply with the European Union General Data Protection Regulation. We aimed to define and apply a comprehensive method for the evaluation of privacy, data governance and ethics among research networks involved in the EU Project Bridge Health.MethodsComputerised survey among associated partners of main EU Consortia, using a (...) targeted instrument designed by the principal investigator and progressively refined in collaboration with an international advisory panel. Descriptive measures using the percentage of adoption of privacy, data governance and ethical principles as main endpoints were used for the analysis and interpretation of the results.ResultsA total of 15 centres provided relevant information on the processing of sensitive data from 10 European countries. Major areas of concern were noted for: data linkage, access and accuracy of personal data and anonymisation procedures. A high variability was noted in the application of privacy principles.ConclusionsA comprehensive methodology of Privacy and Ethics Impact and Performance Assessment was successfully applied at international level. The method can help implementing the GDPR and expanding the scope of Data Protection Impact Assessment, so that the public benefit of the secondary use of health data could be well balanced with the respect of personal privacy. (shrink)

This paper is aimed to understand the state of the art and the resulting consequences of the legal framework in Europe, with regard to the protection of children's data. Especially when they interact with networked and robotic toys, like in 'My friend Cayla' case. In order to evaluate the practical implications of the use of IoT devices by children or teenager users, the first part of the paper presents an analysis of the international guiding principles of the (...) class='Hi'>protection of minors, a category which enjoys a higher level of protection of their fundamental rights, due to their condition of lack of physical and psychological maturity. Secondly, the focus is moved upon the protection of personal data of children. Only after confronting previous data protection legal instruments and having compared them with the novelties set forth in General Data Protection Regulation, it is reasonable to assume that new provisions such as "privacy by design" principle, adequacy of security measures and codes of conduct, can support data controllers in ensuring compliance in the field of IoT toys. In conclusion, the paper supports a view of Data Protection Authorities as a relevant player in enhancing these renovated tools in order to achieve the protection of children's rights, as to ensure their substantial protection against the threats of the interconnected world. (shrink)

This paper explores some key discrepancies between two sets of normative requirements applicable to the research use of personal data and human biological materials: the data protection regime which follows the application of the European Union General Data Protection Regulation, and the Declaration of Helsinki, CIOMS guidelines and other research ethics regulations. One source of this controversy is that the GDPR requires consent to process personal data to be clear, concise, specific and (...) granular, freely given and revocable and therefore has challenged the concept of ‘broad consent’, which has been widely applied in the context of biobanking. Another source of controversy is the interplay between regulations of research ethics and protection of personal data related to the secondary use of personal data and biological materials. In this case, the GDPR ‘research condition’ provides an alternative to re-consent for the use of previously collected personal data and biological materials. Although the mentioned controversies have been raised in the legal literature, they have not been explicitly addressed from the research ethics perspective. Should consent be regarded as a priority legal basis for personal data processing in health data research? Can broad consent still be a suitable legal ground for biobanking? What should be the role of research ethics provisions that differ from the GDPR standards, and what should be the role and function of research ethics committees in the changing environment of health data research? These are the ongoing controversies to be explored in the paper. (shrink)

The European Union Data Protection Regulation will have profound implications for public health, health services research and statistics in Europe. The EU Commission's Proposal was a breakthrough in balancing privacy rights and rights to health and healthcare. The European Parliament, however, has proposed extensive amendments. This paper reviews the amendments proposed by the European Parliament Committee on Civil Liberties, Justice and Home Affairs and their implications for health research and statistics. The amendments eliminate most innovations brought by (...) the Proposal. Notably, derogation to the general prohibition of processing sensitive data shall be allowed for public interests such as the management of healthcare services, but not health research, monitoring, surveillance and governance. The processing of personal health data for historical, statistical or scientific purposes shall be allowed only with the consent of the data subject or if the processing serves an exceptionally high public interest, cannot be performed otherwise and is legally authorised. Research, be it academic, government, corporate or market research, falls under the same rule. The proposed amendments will make difficult or render impossible research and statistics involving the linkage and analysis of the wealth of data from clinical, administrative, insurance and survey sources, which have contributed to improving health outcomes and health systems performance and governance; and may illegitimise efforts that have been made in some European countries to enable privacy-respectful data use for research and statistical purposes. If the amendments stand as written, the right to privacy is likely to override the right to health and healthcare in Europe. (shrink)

The corona pandemic altered many traditional and historical norms of society and law. COVID-19 created a humanitarian crisis in some parts of globe, while pandemic privacy and civil liberties were under threat all over world. To combat the deadly virus, individual liberty and equality were compromised. This paper focuses on how India’s health problem has compromised people’s right to privacy. It will highlight how strict executive policies led to the creation of a massive surveillance system in the name of combating (...) the COVID-19 pandemic, as well as how the absence of any policy or legal framework led to the exclusion of individuals and their families who were suspected of having the virus or caring for those who were infected with the deadly virus. The paper uses case studies and data collected from primary as well as secondary sources. The authors will also point out how the absence of privacy regulation puts millions of citizens’ private information at risk of being compromised or exploited against their will. (shrink)

The General Data Protection Regulation (GDPR) was introduced in 2018 to harmonize data privacy and security laws across the European Union (EU). It applies to any organization collecting personal data in the EU. To date, service-level consent has been used as a proportionate approach for clinical trials, which implement low-risk, routine, service-wide interventions for which individual consent is considered inappropriate. In the context of public health research, GDPR now requires that individuals have the option (...) to choose whether their data may be used for research, which presents a challenge when consent has been given by the clinical service and not by individual service users. We report here on development of a pragmatic opt-out solution to this consent paradox in the context of a partner notification intervention trial in sexual health clinics in the UK. Our approach supports the individual’s right to withhold their data from trial analysis while routinely offering the same care to all patients. (shrink)

This paper explores the legal and ethical concept of human subject research in order to determine whether genetic research with already available biosamples and data falls within this concept. Although the ethical concept seems to have evolved to recognize research based on data as human research, from a supranational legal perspective this form of research is not considered human subject research. Thus human subject research regulations do not apply and therefore do not invoke the requirement of obtaining consent (...) prior to using an individual’s biosample or genetic data in research. Furthermore, it remains ambiguous in both the legal and ethical realm whether the use of biosamples or genetic data without additional links to the individual would invoke the same safeguards as research involving additional or specific identifiers. Seeing that research based on already available biosamples and genetic data is not governed by rules concerning human subject research, the second part of the paper analyses whether any consent requirements apply for the further use of already available bio‐samples or genetic data in research. Whereas further use of biosamples is subject to considerably lax consent requirements under Article 22 of the Oviedo Convention, under the General Data Protection Regulation further use of genetic data might not be subject to a prior consent requirement at all, unless it is stipulated in national laws. When it comes to clinical trials, however, sponsors will have the possibility under Article 28(2) of Regulation 536/2014 to obtain open consent for further use of data in any kind of future research. (shrink)

This essay explores the process and issues related to community collaborative research that involves Native Americans generally, and specifically examines the Navajo Nation’s efforts to regulate research within its jurisdiction. Researchers need to account for both the experience of Native Americans and their own preconceptions about Native Americans when conducting research about Native Americans. The Navajo Nation institutionalized an approach to protecting members of the nation when it took over Institutional Review Board (IRB) responsibilities from the US Indian Health Service (...) (IHS) in 1996. While written regulations for the Navajo Nation IRB are not dissimilar, and in some ways are less detailed than those of the IHS IRB, in practice the Navajo Nation allows less flexibility. Primary examples of this include not allowing expedited review and requiring prepublication review of all manuscripts. Because of its broad mandate, the Navajo Nation IRB may also require review of some projects that would not normally be subject to IRB approval, including investigative journalism and secondary research about Navajo People that does not involve direct data collection from human subjects. (shrink)

The application of the latest technologies in biology and medicine has brought them to a qualitatively new level of possibilities. Worldwide, biobanking is actively developing through the creation of biobanks of various types and purposes, whose resources are used to solve therapeutic or scientific problems. Legal science remains an open question concerning the boundary that runs between the right to data protection and the scope of disclosure of data needed for medical purposes. In this article, the author (...) considers peculiarities of data processing in the context of biobanking activity on the example of Austria and its national legislation. In addition, the article reveals features of the approaches of the European Court of Human Rights (ECtHR) and the Council of Europe to the issue of biobanking in general, its characteristics in the context of data, and legal regulation of this phenomenon in the national law of states. The author devoted an important part of the study to the role of Austria’s experience in the context of data processing for scientific purposes and the development of biobanking for a number of other European states. The aim of the article is to analyze the Austrian legislation on data processing for scientific research and biobanking, the attitude of the Council of Europe to this phenomenon, and the practice of the ECtHR, as well as to consider the impact of the current world situation on these activities. The leading method of research used in the article is the formal-legal method. The article analyzes the Austrian law in the context of data processing in medical research, the relationship of the specifics of personal data protection, and the need to disclose them for scientific purposes. The author pays special attention to the influence of Austrian law on the legislation of other countries, which is reflected in the conclusions to the article. In addition, based on an analysis of the application of the Austrian experience to the legislation of Poland and Ukraine, the author points out the necessary changes that should be made in the laws of these countries. (shrink)

The General Data Protection Regulation imposes, at European level, a need to seek express or explicit consent for the processing of health data. In the framework of biomedical research, some favor the use of express ‘broad’ consent, whereas other maintain, or wish to maintain the use of presumed or implicit consent, often referred to as ‘non-opposition’ in conditions in which such consent is still authorized. In our view, broad consent and presumed consent are likely to (...) prove to be easy solutions in the short term but much less relevant in the long term, for both hospital and patients, if the bioethical objective remains the improvement of patient quality of life and/or survival, regardless of the disease considered. Dynamic consent could be the best way to achieve this objective because only this type of consent could improve hospital transparency and increase patient confidence by allaying certain fears. (shrink)

Vietnam is home to a prospering technology community and numerous enterprises that range from small start-ups to development giants. Virtually all public services are offered online. In fact, the country even has a system for e-residency and “data embassies.” This achievement derives in part from the nation’s transparent and enduring political preferences, but more importantly from Vietnamese law and its regulatory system regarding information, the digital general public, and intellectual property rights (IPR) protection. In this examination of (...) the most pertinent aspects of Vietnam’s digital economy legislation, this study explores the nation’s regulatory structure regarding copyright and patents within the context of digital transformation. The study discusses the relationship between foreign and national regulations in terms of IPR protection and the advancement of digitalization. Research on Vietnamese regulations and the practical application of major patent and copyright regulations has revealed that in many respects, the nation is highly reliant on the effective operation of a broader foreign institutional and legal framework. Thus, in the near future, technological advancement will necessitate the establishment of additional transnational regulatory systems. (shrink)

ICTs, personal data, digital rights, the GDPR, data privacy, online security… these terms, and the concepts behind them, are increasingly common in our lives. Some of us may be familiar with them, but others are less aware of the growing role of ICTs and data in our lives - and the potential risks this creates. These risks are even more pronounced for vulnerable groups in society. People can be vulnerable in different, often overlapping, ways, which place them (...) at a disadvantage to the majority of citizens; Table 3 in this guide presents some of the many forms and causes of vulnerability. As a result, vulnerable people need greater support to navigate the digital world, and to ensure that they are able to exercise their rights. This guide explains where such support can be found, and also answers the following questions: - What are the main ethical and legal issues around ICTs for vulnerable citizens? - Who is vulnerable in Europe? - How do issues around ICTs affect vulnerable people in particular? This guide is a resource for members of vulnerable groups, people who work with vulnerable groups, and citizens more broadly. It is also useful for data controllers1 who collect data about vulnerable citizens. While focused on citizens in Europe, it may be of interest to people in other parts of the world. It forms part of the Citizens’ Information Pack produced by the PANELFIT project, and is available in English, French, German, Italian and Spanish. You are welcome to translate this guide into other languages. Please send us a link to online versions in other languages, so that we can add them to the project website. (shrink)

The aim of this workshop was to ask potential end-users of the citizens’ information pack on legal and ethical issues around ICTs the following questions: What is your knowledge of the EU’s General Data Protection Regulation, and what actions have you taken in response to these regulations? What challenges are you experiencing in ensuring the protection and security of your project data, and compliance with the GDPR, within existing data management processes/systems? What information/tools/resources (...) do you need to overcome these challenges? What are the best formats/channels for receiving, sharing and acting upon this information? What is the most appropriate structure/format for the citizens’ information pack? (shrink)

The first few years of the 21st century were characterised by a progressive loss of privacy. Two phenomena converged to give rise to the data economy: the realisation that data trails from users interacting with technology could be used to develop personalised advertising, and a concern for security that led authorities to use such personal data for the purposes of intelligence and policing. In contrast to the early days of the data economy and internet surveillance, the (...) last few years have witnessed a rising concern for privacy. As bad data practices have come to light, citizens are starting to understand the real cost of using online digital technologies. Two events stamped 2018 as a landmark year for privacy: the Cambridge Analytica scandal, and the implementation of the European Union’s General Data Protection Regulation (GDPR). The former showed the extent to which personal data has been shared without data subjects’ knowledge and consent and many times for unacceptable purposes, such as swaying elections. The latter inaugurated the beginning of robust data protection regulation in the digital age. Getting privacy right is one of the biggest challenges of this new decade of the 21st century. The past year has shown that there is still much work to be done on privacy to tame the darkest aspects of the data economy. As data scandals continue to emerge, questions abound as to how to interpret and enforce regulation, how to design new and better laws, how to complement regulation with better ethics, and how to find technical solutions to data problems. The aim of the research project Data, Privacy, and the Individual is to contribute to a better understanding of the ethics of privacy and of differential privacy. The outcomes of the project are seven research papers on privacy, a survey, and this final report, which summarises each research paper, and goes on to offer a set of reflections and recommendations to implement best practices regarding privacy. (shrink)

The EDPS Ethics Advisory Group (EAG) has carried out its work against the backdrop of two significant social-political moments: a growing interest in ethical issues, both in the public and in the private spheres and the imminent entry into force of the General Data Protection Regulation (GDPR) in May 2018. For some, this may nourish a perception that the work of the EAG represents a challenge to data protection professionals, particularly to lawyers in the (...) field, as well as to companies struggling to adapt their processes and routines to the requirements of the GDPR. What is the purpose of a report on digital ethics, if the GDPR already provides all regulatory requirements to protect European citizens with regard to the processing of their personal data? Does the existence of this EAG mean that a new normative ethics of data protection will be expected to fill regulatory gaps in data protection law with more flexible, and thus less easily enforceable ethical rules? Does the work of the EAG signal a weakening of the foundation of legal doctrine, such as the rule of law, the theory of justice, or the fundamental values supporting human rights, and a strengthening of a more cultural approach to data protection? Not at all. The reflections of the EAG contained in this report are not intended as the continuation of policy by other means. It neither supersedes nor supplements the law or the work of legal practitioners. Its aims and means are different. On the one hand, the report seeks to map and analyse current and future paradigm shifts which are characterised by a general shift from analogue experience of human life to a digital one. On the other hand, and in light of this shift, it seeks to re-evaluate our understanding of the fundamental values most crucial to the well-being of people, those taken for granted in a data-driven society and those most at risk. The objective of this report is thus not to generate definitive answers, nor to articulate new norms for present and future digital societies but to identify and describe the most crucial questions for the urgent conversation to come. This requires a conversation between legislators and data protection experts, but also society at large - because the issues identified in this report concern us all, not only as citizens but also as individuals. They concern us in our daily lives, whether at home or at work and there isn’t a place we could travel to where they would cease to concern us as members of the human species. (shrink)

This article focuses on whether a certain form of consent used by biobanks – open consent – is compatible with the Proposed Data Protection Regulation. In an open consent procedure, the biobank requests consent once from the data subject for all future research uses of genetic material and data. However, as biobanks process personal data, they must comply with data protection law. Data protection law is currently undergoing reform. The Proposed (...) Data Protection Regulation is the culmination of this reform and, if voted into law, will constitute a new legal framework for biobanking. The Regulation puts strict conditions on consent – in particular relating to information which must be given to the data subject. It seems clear that open consent cannot meet these requirements. 4 categories of information cannot be provided with adequate specificity: purpose, recipient, possible third country transfers, data collected. However, whilst open consent cannot meet the formal requirements laid out by the Regulation, this is not to say that these requirements are substantially undebateable. Two arguments could be put forward suggesting the applicable consent requirements should be rethought. First, from policy documents regarding the drafting process, it seems that the informational requirements in the Regulation are so strict in order to protect the data subject from risks inherent in the use of the consent mechanism in a certain context – exemplified by the online context. There are substantial differences between this context and the biobanking context. Arguably, a consent transaction in the biobanking does not present the same type of risk to the data subject. If the risks are different, then perhaps there are also grounds for a reconsideration of consent requirements? Second, an argument can be made that the legislator drafted the Regulation based on certain assumptions as to the nature of ‘data’. The authors argue that these assumptions are difficult to apply to genetic data and accordingly a different approach to consent might be preferable. Such an approach might be more open consent friendly. (shrink)

Data sharing – broadly defined as the exchange of health-related data among multiple controllers and processors – has gained increased relevance in the health sciences over recent years as the need and demand for collaboration has increased. This includes data obtained through healthcare provisions, clinical trials, observational studies, public health surveillance programs, and other data collection methods. The practice of data sharing presents several notable challenges, however. Compliance with a complex and dynamic regulatory framework is (...) essential, with the General Data Protection Regulation being a prominent example in a European context. Recent regulatory developments related to clinical trial transparency, trade secrecy, data access, AI training data, and health data spaces further contribute to the difficulties. Simultaneously, government initiatives often encourage scientists to embrace principles of “open data” and “open innovation.” The variety of regulations in this domain has the potential to impede widespread data sharing and hinder innovation. This edited volume, therefore, compiles comparative case studies authored by leading scholars from diverse disciplines and jurisdictions. The book aims to outline the legal complexities of data sharing. By examining real-world scenarios from diverse disciplines and a global perspective, it explores the normative, policy, and ethical dilemmas that surround data sharing in the health sciences today. Chapter Patient Perspectives on Data Sharing, Chapter Supplementary Measures and Appropriate Safeguards for International Transfers of Health Data after Schrems II are available open access under a Creative Commons Attribution 4.0 International License via link.springer.com. (shrink)

Large-scale linkage of international clinical datasets could lead to unique insights into disease aetiology and facilitate treatment evaluation and drug development. Hereto, multi-stakeholder consortia are currently designing several disease-specific translational research platforms to enable international health data sharing. Despite the recent adoption of the EU General Data Protection Regulation, the procedures for how to govern responsible data sharing in such projects are not at all spelled out yet. In search of a first, basic outline (...) of an ethical governance framework, we set out to explore relevant ethical principles and norms. We performed a systematic review of literature and ethical guidelines for principles and norms pertaining to data sharing for international health research. We observed an abundance of principles and norms with considerable convergence at the aggregate level of four overarching themes: societal benefits and value; distribution of risks, benefits and burdens; respect for individuals and groups; and public trust and engagement. However, at the level of principles and norms we identified substantial variation in the phrasing and level of detail, the number and content of norms considered necessary to protect a principle, and the contextual approaches in which principles and norms are used. While providing some helpful leads for further work on a coherent governance framework for data sharing, the current collection of principles and norms prompts important questions about how to streamline terminology regarding de-identification and how to harmonise the identified principles and norms into a coherent governance framework that promotes data sharing while securing public trust. (shrink)

Recent algorithmic technologies have challenged law’s anthropocentric assumptions. In this article, we develop a set of theoretical tools drawn from new materialisms and the philosophy of information to unravel the complex intra-actions between law and computer code. Accordingly, we first propose a framework for understanding the enmeshing of law and code based on a diffractive reading of Barad’s agential realism and Simondon’s theory of information. We argue that once law and code are understood as material entities that intra-act through in-formation, (...) the concept of transduction allows us to trace how they push each other towards change. After developing the theoretical tools, we deploy them to make sense of how law and code have changed in response to increasing automation of decision-making and the appearance of unexplainable artificial intelligence (AI) code. Thus, we employ a case study to trace transformations of the right to explanation under the European data protection regulations. This provides the backdrop for our account of how law transduces into code (and vice versa) and a proving ground for our framework. (shrink)

Background Regulations on research ethics in France have evolved considerably over the past four years: the implementation of the Jardé law and of the General Data Protection Regulations have changed the landscape of research ethics for research involving or not involving human persons. In a context of creation of an Institutional Review Board at the University of Bordeaux, France, we sought to explore research ethics practices and perceptions in the medical community of our University Hospital. Methods A (...) short questionnaire was sent to all physicians of the University Hospital of Bordeaux. The questionnaire included closed questions and main topics were: physicians’ education in research ethics, ethics practices concerning researches non implying human persons, and physicians’ perceptions about current regulations. Results 86 questionnaires were sent back. If a majority of physicians have validated Good Clinical Practices trainings, there was a low rate of specific training on fundamental references in research ethics and a high proportion of responders do not consider themselves as educated in research ethics after completion of GCPs. Regulations on research ethics have many implications on medical research, especially by inducing changes in protocols in order to alleviate ethical requirements. Malpractices were acknowledged like false mention of positive opinion from an ethics committee. If If a majority of responders considers regulations as a positive answer to research ethics, a large majority considers it as a constraint and a complexification of research process. For 58%, regulations in research ethics are perceived as a hindrance for research initiatives. Conclusion Because of their impact on research process, regulations seem to constitute a scarecrow for physicians. Lack of training, bad representations and questionable practices highlight the need to improve education and to propose concrete guidance for medical researchers. (shrink)

Upon Brexit, the United Kingdom chose to follow the path of EU data protection and remain tied to the requirements of the General Data Protection Regulation (GDPR). It even enacted the GDPR into its domestic law. This Article evaluates five models relating to preference change, demonstrating how they identify different dimensions of Brexit while providing a rich explanation of why a legal system may or may not reject an established transnational legal order. While market (...) forces and a “Brussels Effect” played the most significant role in the decision of the UK government to accept the GDPR, important nonmarket factors were also present in this choice. This Article’s models of preference change are also useful in thinking about the likely extent of the UK’s future divergence from EU data protection. (shrink)

BackgroundIncreasingly, hospitals and research institutes are developing technical solutions for sharing patient data in a privacy preserving manner. Two of these technical solutions are homomorphic encryption and distributed ledger technology. Homomorphic encryption allows computations to be performed on data without this data ever being decrypted. Therefore, homomorphic encryption represents a potential solution for conducting feasibility studies on cohorts of sensitive patient data stored in distributed locations. Distributed ledger technology provides a permanent record on all transfers and (...) processing of patient data, allowing data custodians to audit access. A significant portion of the current literature has examined how these technologies might comply with data protection and research ethics frameworks. In the Swiss context, these instruments include the Federal Act on Data Protection and the Human Research Act. There are also institutional frameworks that govern the processing of health related and genetic data at different universities and hospitals. Given Switzerland’s geographical proximity to European Union (EU) member states, the General Data Protection Regulation (GDPR) may impose additional obligations.MethodsTo conduct this assessment, we carried out a series of qualitative interviews with key stakeholders at Swiss hospitals and research institutions. These included legal and clinical data management staff, as well as clinical and research ethics experts. These interviews were carried out with two series of vignettes that focused on data discovery using homomorphic encryption and data erasure from a distributed ledger platform.ResultsFor our first set of vignettes, interviewees were prepared to allow data discovery requests if patients had provided general consent or ethics committee approval, depending on the types of data made available. Our interviewees highlighted the importance of protecting against the risk of reidentification given different types of data. For our second set, there was disagreement amongst interviewees on whether they would delete patient data locally, or delete data linked to a ledger with cryptographic hashes. Our interviewees were also willing to delete data locally or on the ledger, subject to local legislation.ConclusionOur findings can help guide the deployment of these technologies, as well as determine ethics and legal requirements for such technologies. (shrink)

Low levels of public trust in data practices have led to growing calls for changes to data-driven systems, and in the EU, the General Data Protection Regulation provides a legal motivation for such changes. Data management is a vital component of data-driven systems, but what constitutes ‘good’ data management is not straightforward. Academic attention is turning to the question of what ‘good data’ might look like more generally, but public views (...) are absent from these debates. This paper addresses this gap, reporting on a survey of the public on their views of data management approaches, undertaken by the authors and administered in the UK, where departure from the EU makes future data legislation uncertain. The survey found that respondents dislike the current approach in which commercial organizations control their personal data and prefer approaches that give them control over their data, that include oversight from regulatory bodies or that enable them to opt out of data gathering. Variations of data trusts – that is, structures that provide independent stewardship of data – were also preferable to the current approach, but not as widely preferred as control, oversight and opt out options. These features therefore constitute ‘good data management’ for survey respondents. These findings align only in part with principles of good data identified by policy experts and researchers. Our findings nuance understandings of good data as a concept and of good data management as a practice and point to where further research and policy action are needed. (shrink)

In May 2021, the UK National Health Service (NHS) proposed a scheme—called General Practice Data for Planning Research (GPDPR)—for sharing patients’ data. Under that system, a patient who does not wish to participate must actively opt out of their data being shared with third parties for research and other purposes. In this paper, we analyse the lessons that can be learned for the responsible and ethical governance of health data from the NHS’ new scheme. More (...) specifically, we explore the extent to which the opt-out within the planned scheme complies with the requirements stemming from the General Data Protection Regulation (GDPR), particularly in relation to the principles of lawfulness and transparency. We then evaluate, from an ethical perspective, this opt-out ‘nudge’ and whether it is sufficiently resistible, reversible, and has appropriate goals. In light of the above, we then propose improvements for the scheme’s legal and ethical acceptability. (shrink)

Social media data hold considerable potential for predicting health-related conditions. Recent studies suggest that machine-learning models may accurately predict depression and other mental health-related conditions based on Instagram photos and Tweets. In this article, it is argued that individuals should have a sui generis right not to be subjected to AI profiling based on publicly available data without their explicit informed consent. The article (1) develops three basic arguments for a right to protection of personal data (...) trading on the notions of social control and stigmatization, (2) argues that a number of features of AI profiling make individuals more exposed to social control and stigmatization than other types of data processing (the exceptionalism of AI profiling), (3) considers a series of other reasons for and against protecting individuals against AI profiling based on publicly available data, and finally (4) argues that the EU General Data Protection Regulation does not ensure that individuals have a right not to be AI profiled based on publicly available data. (shrink)

Organized immaturity refers to the capacity of widely institutionalized sociotechnical systems to challenge qualities of human enlightenment, autonomy, and self-determination. In the context of surveillance capitalism, where these qualities are continuously put at risk, data transparency is increasingly proposed as a means of restoring human maturity by allowing individuals insight and choice vis-à-vis corporate data processing. In this article, however, I draw on research on General Data Protection Regulation–mandated data transparency practices to argue (...) that transparency—while potentially fostering maturity—itself risks producing new forms of organized immaturity by facilitating user ignorance, manipulation, and loss of control of personal data. Considering data transparency’s relative “successes” and “failures” regarding the cultivation of maturity, I outline a set of possible remedies while arguing for a general need to develop more sophisticated ethical appreciations of transparency’s complex and potentially problematic implications for organized (im)maturity in the digital age. (shrink)

Directive 95/46/EC and implementing legislation define the respective obligations and liabilities of the different actors that may be involved in a personal data processing operation. There are certain exceptions to the scope of these regulations, among which processing which is carried out by natural persons in the course of activities that may be considered ‘purely personal’. The purpose of this article is to investigate the liability of users of social network sites under data protection and to assess (...) the extent to which the current data protection framework can sufficiently accommodate the new realities of web 2.0 and social networking applications. (shrink)

This edited collection brings together a series of interdisciplinary contributions in the field of Information Technology Law. The topics addressed in this book cover a wide range of theoretical and practical legal issues that have been created by cutting-edge Internet technologies, primarily Big Data, the Internet of Things, and Cloud computing. Consideration is also given to more recent technological breakthroughs that are now used to assist, and - at times - substitute for, human work, such as automation, robots, sensors, (...) and algorithms. The chapters presented in this edition address these issues from the perspective of different legal backgrounds. The first part of the book discusses some of the shortcomings that have prompted legislators to carry out reforms with regard to privacy, data protection, and data security. Notably, some of the complexities and salient points with regard to the new European General Data Protection Regulation (EU GDPR) and the new amendments to the Japan's Personal Information Protection Act (PIPA) have been scrutinized. The second part looks at the vital role of Internet intermediaries (or brokers) for the proper functioning of the globalized electronic market and innovation technologies in general. The third part examines an electronic approach to evidence with an evaluation of how these technologies affect civil and criminal investigations. The authors also explore issues that have emerged in e-commerce, such as Bitcoin and its blockchain network effects. The book aims to explain, systemize and solve some of the lingering legal questions created by the disruptive technological change that characterizes the early twenty-first century. (shrink)

As Next Generation Sequencing technologies are increasingly implemented in biomedical research and care, the number of study participants and patients who ask for release of their genomic raw data is set to increase. This raises the question whether research participants and patients have a legal and moral right to receive their genomic raw data and, if so, how this right should be implemented into practice. In a first step we clarify some central concepts such as “raw data”; (...) in a second step we sketch the international legal framework. The third step provides an extensive ethical analysis which comprehends two parts: an evaluation of whether there is a prima facie moral right to receive one’s raw data, and a contextualization and discussion of the right in light of potentially conflicting interests and rights of the data subject herself and third parties; in a last fourth step we emphasize the main practical consequences of the ethical analyses and propose recommendations for the release of raw data. In several legislations like the new European General Data Protection Regulation, patients do in principle have the right to receive their raw data. However, the procedural implementation of this right and whether it involves genetic counselling is at the discretion of the Member States. Even more questions remain with respect to the research context. The ethical analysis suggests that patients and research subjects have a moral right to receive their genomic raw data and addresses aspects which are also of relevance for the legal discussion such as the costs of release of raw data and its impact on academic freedom. Taking into account the specific nature and implications of genomic raw data and the contexts of research and health care, several concerns and potentially conflicting interests of the data subjects themselves and involved researchers, physicians, biomedical institutions and relatives arise. Instead of using them to argue in favor of restrictions of the data subjects’ legal and moral right to genomic raw data, the concerns should be addressed through provision of information and other measures. To this end, we propose relevant recommendations. (shrink)

PurposeWithin a larger mandate of reviewing the key global trends concerning consumer protection in the electronic commerce (e-commerce) literature, this study aims to study the legal framework concerning e-commerce and consumer protection in the Sultanate of Oman and to analyse the current regulations concerning e-commerce and consumer protection.Design/methodology/approachThis study followed the normative legal research approach and resorted to the desk research process to facilitate content analysis of literature containing consumer protection legislation and regulatory provisions in Oman (...) in particular and the rest of the world in general.FindingsThe study reveals that consumer protection initiatives in Oman are well entrenched for offline transactions, but are relatively new and limited for e-commerce. In spite of the promulgation of consumer protection laws, electronic transaction law and cybercrime law, consumer protection measures for e-commerce in Oman do not address a large number of the global concerns necessary to build consumer confidence and trust in the online environment.Research limitations/implicationsThere is a dearth of information concerning Oman on this topic in the extant literature. The research also witnessed the lack of empirical data on the issue of consumer protection and e-commerce in Oman that offer a detailed database of consumer complaints and associated outcomes.Practical implicationsThe mechanism of consumer protection in electronic transactions is not robust in many countries. Because of the lack of comprehensive and robust legislation, consumers remain vulnerable in the online contractual purchase process. Moving beyond the fragmented legislation, many countries are currently mulling an all-comprehensive e-commerce law, implications of this paper will help the policymakers in identifying the focus areas.Social implicationsConsumer protection is a burning global issue in this era of consumerism. It is important to build consumer trust, transparency and integrity of transactions to reduce the risk and uncertainties of purchase.Originality/valueConsumer protection studies conducted in the context of Oman, hitherto, deal more with data protection and dispute resolution mechanisms, and less with legal provisions, regulations and consumer confidence. The study shares newer insights based on a systematic review of legal and business databases. It is the first study of its kind in the context of Oman and the Middle East in general. (shrink)

In the European Union, the General Data Protection Regulation (GDPR) provides comprehensive rules for the processing of personal data. In addition, the EU lawmaker intends to adopt specific rules to protect confidentiality of communications, in a separate ePrivacy Regulation. Some have argued that there is no need for such additional rules for communications confidentiality. This Article discusses the protection of the right to confidentiality of communications in Europe. We look at the right’s origins (...) to assess the rationale for protecting it. We also analyze how the right is currently protected under the European Convention on Human Rights and under EU law. We show that at its core the right to communications confidentiality protects three individual and collective values: privacy, freedom of expression, and trust in communication services. The right aims to ensure that individuals and organizations can safely entrust communication to service providers. Initially, the right protected only postal letters, but it has gradually developed into a strong safeguard for the protection of confidentiality of communications, regardless of the technology used. Hence, the right does not merely serve individual privacy interests, but also other more collective interests that are crucial for the functioning of our information society. We conclude that separate EU rules to protect communications confidentiality, next to the GDPR, are justified and necessary. (shrink)

The General Data Protection Regulation (GDPR) of the EU confirms the protection of personal data as a fundamental human right and affords data subjects more control over the way their personal information is processed, shared, and analyzed. However, where data are processed by artificial intelligence (AI) algorithms, asserting control and providing adequate explanations is a challenge. Due to massive increases in computing power and big data processing, modern AI algorithms are too (...) complex and opaque to be understood by most data subjects. Articles 15 and 22 of the GDPR provide a modest regulatory framework for automated data processing by, among other things, mandating that data controllers inform data subjects about when it is being used, and its logic and ramifications. Nevertheless, due to the phrasing of the articles and the numerous exceptions they allow, doubts have arisen about their effectiveness. In this paper, we empirically evaluate the quality and effectiveness of AI disclosures as mandated by the GDPR. By means of an online survey (N = 835), we investigated how data subjects expect to be informed about the automated processing of their data. We then conducted a content analysis of the AI disclosures of N = 100 companies and organizations. The combined findings reveal that current GDPR-mandated disclosures do not meet the expectations and needs of data subjects. Explanations drawn up following the guidelines of the generic formulations of the GDPR differ widely and are often vague, incomplete and lack transparency. In our conclusions we identify a path towards standardizing and optimizing AI information notices. (shrink)

Period-tracking software applications or ‘menstruapps’ have witnessed a surge in popularity in recent years. At the same time, many of them are a part of the adtech industry, using business models that create revenue by selling users’ personal and intimate data. This exploratory article brings menstruapps into a feminist legal debate. It investigates the supranational European legal standards on intimate and sensitive data processing, particularly the General Data Protection Regulation. Scrutinising explicit consent according to (...) GDPR Article 9, this paper, through empirical examples, claims that current legal standards are not enforced. The standards are, furthermore, theoretically insufficient to fully safeguard data subjects’ integrity and autonomy. Instead of abandoning the concept, the article reimagines consent, using a contextual and communicative model where power relations are taken into consideration, building on the feminist concept of freedom to negotiate. (shrink)

In this chapter I identify three problems affecting the plausibility of group privacy and argue in favour of their resolution. The first problem concerns the nature of the groups in question. I shall argue that groups are neither discovered nor invented, but designed by the level of abstraction (LoA) at which a specific analysis of a social system is developed. Their design is therefore justified insofar as the purpose, guiding the choice of the LoA, is justified. This should remove the (...) objection that groups cannot have a right to privacy because groups are mere artefacts (there are no groups, only individuals) or that, even if there are groups, it is too difficult to deal with them. The second problem concerns the possibility of attributing rights to groups. I shall argue that the same logic of attribution of a right to individuals may be used to attribute a right to a group, provided one modifies the LoA and now treats the whole group itself as an individual. This should remove the objection that, even if groups exist and are manageable, they cannot be treated as holders of rights. The third problem concerns the possibility of attributing a right to privacy to groups. I shall argue that sometimes it is the group and only the group, not its members, that is correctly identified as the correct holder of a right to privacy. This should remove the objection that privacy, as a group right, is a right held not by a group as a group but rather by the group’s members severally. The solutions of the three problems supports the thesis that an interpretation of privacy in terms of a protection of the information that constitutes an individual—both in terms of a single person and in terms of a group—is better suited than other interpretations to make sense of group privacy. (shrink)

Developments in medical big data analytics may bring societal benefits but are also challenging privacy and other ethical values. At the same time, an overly restrictive data protection regime can form a serious threat to valuable observational studies. Discussions about whether data privacy or data solidarity should be the foundational value of research policies, have remained unresolved. We add to this debate with an empirically informed ethical analysis. First, experiences with the implementation of the (...) class='Hi'>General Data Protection Regulation (GDPR) within a European research consortium demonstrate a gap between the aims of the regulation and its effects in practice. Namely, strictly formalised data protection requirements may cause routinisation among researchers instead of substantive ethical reflection, and may crowd out trust between actors in the health data research ecosystem; while harmonisation across Europe and data sharing between countries is hampered by different interpretations of the law, which partly stem from different views about ethical values. Then, building on these observations, we use theory to argue that the concept of trust provides an escape from the privacy-solidarity debate. Lastly, the paper details three aspects of trust that can help to create a responsible research environment and to mitigate the encountered challenges: trust as multi-agent concept; trust as a rational and democratic value; and trust as method for priority setting. Mutual cooperation in research—among researchers and with data subjects—is grounded in trust, which should be more explicitly recognised in the governance of health data research. (shrink)

Informed consent bears significant relevance as a legal basis for the processing of personal data and health data in the current privacy, data protection and confidentiality legislations. The consent requirements find their basis in an ideal of personal autonomy. Yet, with the recent advent of the global pandemic and the increased use of eHealth applications in its wake, a more differentiated perspective with regards to this normative approach might soon gain momentum. This paper discusses the compatibility (...) of a moral duty to share data for the sake of the improvement of healthcare, research, and public health with autonomy in the field of data protection, privacy and medical confidentiality. It explores several ethical-theoretical justifications for a duty of data sharing, and then reflects on how existing privacy, data protection, and confidentiality legislations could obstruct such a duty. Consent, as currently defined in the General Data Protection Regulation – a key legislative framework providing rules on the processing of personal data and data concerning health – and in the recommendation of the Council of Europe on the protection of health-related data – explored here as soft-law – turns out not to be indispensable from various ethical perspectives, while the requirement of consent in the General Data Protection Regulation and the recommendation nonetheless curtails the full potential of a duty to share medical data. Also other legal grounds as possible alternatives for consent seem to constitute an impediment. (shrink)

The aim of the article is to explain the relationship between the ethical evaluation of scientific research involving personal data and the assessment of compliance with data protection law. The article presents the mutual relationship between the protection of personal data and scientific activity from a dogmatic perspective, the legal regulation of the processing of personal data in scientific research, and the so-called research exceptions that apply when data are processed for scientific (...) research. It also covers the importance of meeting the ethical requirements of scientific research in order to profit from the indicated exceptions. Finally, it provides a comparison between the ethical and the legal systems of personal data protection in research (objectives, criteria, authorities, and procedures). (shrink)

The paper deals with the governance of Unmanned Aircraft Systems in European law. Three different kinds of balance have been struck between multiple regulatory systems, in accordance with the sector of the governance of UAS which is taken into account. The first model regards the field of civil aviation law and its European Union ’s regulation: the model looks like a traditional mix of top-down regulation and soft law. The second model concerns the EU general data (...) protection law, the GDPR, which has set up a co-regulatory framework summed up with the principle of accountability also, but not only, in the field of drones. The third model of governance has been adopted by the EU through methods of legal experimentation and coordination mechanisms for UAS. The overall aim of the paper is to elucidate the ways in which such three models interact, insisting on differences and similarities with other technologies, and further legal systems. (shrink)