Brussels, Belgium

Balboni P.,European Privacy Association | Macenaite M.,European Privacy Association
Computer Law and Security Review | Year: 2013

Privacy by Design is now enjoying widespread acceptance. The EU has recently expressly included it as one of the key principles in the revised data protection legal framework. But how do Privacy by Design and data anonymisation work in practice? In this article the authors address this question from a practical point of view by analysing a case study on EU Financial Intelligence Units ("FIUs") using the Ma3tch technology as an additional feature to the existing exchange of information via the FIU.NET decentralised computer network. They present, analyse, and evaluate Ma3tch technology from the perspective of personal data protection. The authors conclude that Ma3tch technology can be seen as a valuable example of Privacy by Design. It achieves data anonymisation and enhances data minimisation and data security, which are the fundamental elements of Privacy by Design. Therefore, it may not only improve the exchange of information among FIUs and allow for the data processing to be in line with applicable data protection requirements, but it may also substantially contribute to the protection of the privacy of related data subjects. At the same time, the case study clearly shows that Privacy by Design needs to be supported and complemented by appropriate organisational and technical procedures to assure that the technology solutions devised to protect privacy would in fact do so. © 2013 Paolo Balboni & Milda Macenaite. Published by Elsevier Ltd. All rights reserved.

Balboni P.,European Privacy Association | Pelino E.,European Privacy Association
Information and Communications Technology Law | Year: 2013

The paper aims at discussing some major issues in relation to the complex and highly debated relationship between Cloud Service Providers ('CSPs') and the government agencies responsible for the enforcement of the laws (Law Enforcement Agencies - 'LEAs'). Our analysis focuses on the EU situation and investigates whether the protection of personal data of EU citizens against LEAs' access is adequately guaranteed and what the main elements are that have to be taken into account by CSPs when dealing with LEAs' requests. After a brief overview of the existing international scenario, the legal grounds of LEAs' activities in the cloud are examined. The main focus is on the Council of Europe Cybercrime Convention, regarded by the EU Commission as 'the main legal instrument' in the fight against cybercrime. The whole analysis is applied to the relationship between CSPs and their clients. We consider the position recently expressed by the Art. 29 Working Party on cloud computing (opinion no. 5/2012) and the European Cloud Strategy. In our conclusions we highlight the very delicate position of CSPs, precisely caught between an obligation to comply with LEAs' requests, data protection regulations and obligations of transparency towards their clients. © 2013 Taylor & Francis.

Balboni P.,European Privacy Association | Pelino E.,European Privacy Association | Scudiero L.,European Privacy Association
Computer Law and Security Review | Year: 2014

This paper aims to contribute to the discussion concerning the one-stop-shop mechanism proposed in the General Data Protection Regulation (hereinafter "GDPR"). The choice of a regulation as the instrument to legislate on data protection is already an unmistakable indication that unification and simplification (together with respect for data subjects' interests) shall be the guide for every legal discussion on the matter. The one-stop-shop mechanism (hereinafter "OSS") clearly reflects the unification and simplification which the reform aims for. We believe that OSS is logically connected with the idea of one Data Protection Authority (hereinafter "DPA") with an exclusive jurisdiction and that this can only mean that, given one controller, no other DPA can be a competent authority. In other words, OSS implies a single and comprehensive competent authority for a given controller. In our analysis we argue that such an architecture: a) works well with the "consistency mechanism"; b) provides guarantees to data subjects for a clear allocation of powers (legal certainty); and c) is not at odds with the complaint lodging procedure. Our position on fundamental questions is as follows. What is the perimeter of competence of the DPA in charge? We believe that it should have enforcement power on every issue of the controller, including issuing the fines. How to reconcile such a dominant role of one DPA with the principle of co-operation among DPAs? We do not consider co-operation at odds with the rule that decisions are taken by just one single authority. Finally, we share some suggestions on how to make the jurisdiction allocation mechanism (the main establishment criterion) more straightforward. © 2014 Paolo Balboni, Enrico Pelino & Lucio Scudiero. Published by Elsevier Ltd. All rights reserved.
