Brendan Van Alsenoy

With the adoption of the General Data Protection Regulation (GDPR), the EU legislature has revised the territorial scope of EU data protection law. In part, the GDPR confirms choices made by policymakers and the Court of Justice of the European Union (CJEU) in the context of Directive 95/46/EC. In other respects, important new elements have been introduced. The aim of this contribution is to scrutinize the triggers that render EU data protection law applicable to conduct which takes place… Show more

With the adoption of the General Data Protection Regulation (GDPR), the EU legislature has revised the territorial scope of EU data protection law. In part, the GDPR confirms choices made by policymakers and the Court of Justice of the European Union (CJEU) in the context of Directive 95/46/EC. In other respects, important new elements have been introduced. The aim of this contribution is to scrutinize the triggers that render EU data protection law applicable to conduct which takes place, either in whole or in part, outside of Union territory The main question this contribution seeks to answer is whether the (extra-)territorial scope of the GDPR can be reconciled with the principles of public international law. Show less

When imposing requirements, European data protection law distinguishes between different types of actors. The most important distinction in this regard is the distinction between "controller" and "processor". Unfortunately, technological and societal developments have rendered it increasingly difficult to apply these concepts in practice.

Against this background, this thesis seeks to determine whether EU data protection law should maintain its current distinction between controllers… Show more

When imposing requirements, European data protection law distinguishes between different types of actors. The most important distinction in this regard is the distinction between "controller" and "processor". Unfortunately, technological and societal developments have rendered it increasingly difficult to apply these concepts in practice.

Against this background, this thesis seeks to determine whether EU data protection law should maintain its current distinction between controllers and processors as the basis for allocating responsibility and risk.

The thesis concludes that while the newly adopted General Data Protection Regulation has introduced significant improvements, a number of recommendations can still be made:

1. The possibility of abolishing the distinction between controllers and processors should receive further consideration. Alternatively, the definitions of each concept should undergo revisions in order to enhance legal certainty, in particular through the use of mutually exclusive criteria.

2. The European legislature should consider the use of standards (as opposed to rules) to mitigate certain risks of overinclusion and to facilitate the tailoring of obligations to different processing activities.

3. The obligation to implement data protection by design should eventually also be made directly applicable to the providers of processing services because of their important role in determining the means of the processing.

4. The legal framework should allow for contractual flexibility in the relationship between controllers and processors, leaving room for greater specificity in the form of regulatory guidance.

5. The scope of the personal use exemption should be expanded to apply to all activities which may reasonably be construed as taking place in the course of an individual’s private or family life.
Show less

Accountability has been recognised as a basic data protection principle for more than 30 years. Still, both the meaning and implementation of this principle remain topics of ongoing debate. Recent policy initiatives have focused on the practical implementation of accountability through “privacy management programmes” and the demonstration of such programmes towards regulators or other “accountability agents”. In many ways, this is only the tip of the iceberg. As a foundational principle… Show more

Accountability has been recognised as a basic data protection principle for more than 30 years. Still, both the meaning and implementation of this principle remain topics of ongoing debate. Recent policy initiatives have focused on the practical implementation of accountability through “privacy management programmes” and the demonstration of such programmes towards regulators or other “accountability agents”. In many ways, this is only the tip of the iceberg. As a foundational principle, accountability implicates basic governance issues such as transparency, answerability and verifiability.

Many basic questions regarding accountability still remain unresolved. For example, to what extent should data controllers be accountable towards stakeholders other than regulators (e.g., civil society)? If so, what are appropriate mechanisms? Other questions focus on issues of practical implementation and methodology. For which activities should data controllers be accountable? How should they measure the impact of their activities? How might technology be used to promote accountability?

On 13 November 2014, a workshop entitled ‘Cultures of Accountability: A cross-cultural perspective on current and future accountability mechanisms’ brought together 36 experts from academia, international organisations, civil society, privacy enforcement authorities and industry. The objective of the workshop was to further the debate regarding the role of accountability in data protection regulation. Specific objectives included:

1. To enable privacy experts to learn, not only from each other, but also from the experiences in other areas of practice;
2. To explore mechanisms to enhance accountability towards individuals; and
3. To inform the development of more effective accountability mechanisms.
Show less

The role of individuals has shifted. In less than 30 years, individuals have transcended their role as passive “data subjects” to become actively involved in the creation, distribution and consumption of personal data. Unless an exemption or derogation applies, individuals are – at least in theory – subject to data protection law. This hypothesis was confirmed early on by the Lindqvist ruling and more recently in Ryneš. The aim of this paper is to analyse whether it is still possible to… Show more

The role of individuals has shifted. In less than 30 years, individuals have transcended their role as passive “data subjects” to become actively involved in the creation, distribution and consumption of personal data. Unless an exemption or derogation applies, individuals are – at least in theory – subject to data protection law. This hypothesis was confirmed early on by the Lindqvist ruling and more recently in Ryneš. The aim of this paper is to analyse whether it is still possible to reconcile the “personal use exemption” of article 3(2) Directive 95/46 with the widespread use of technologies by individuals. Using online social networks, drones and Google Glass as use cases, this paper w Show less

In May of this year, the Court of Justice of the European Union (CJEU) decided that individuals can – under certain conditions – obtain removal of certain search results. In November, the Article 29 Working Party issued a set of guidelines concerning the implementation of the CJEU ruling. These guidelines state that search engines must implement the ruling “on all relevant domains, including .com”. Critics argue that the approach advanced by the Working Party goes a bridge too far, imposing… Show more

In May of this year, the Court of Justice of the European Union (CJEU) decided that individuals can – under certain conditions – obtain removal of certain search results. In November, the Article 29 Working Party issued a set of guidelines concerning the implementation of the CJEU ruling. These guidelines state that search engines must implement the ruling “on all relevant domains, including .com”. Critics argue that the approach advanced by the Working Party goes a bridge too far, imposing European values onto non-EU jurisdictions. How far should the right to be forgotten extend, geographically speaking? Should Google, upon finding that an individual’s request is justified, modify its search results globally? Or should it only modify search results shown within the EU? The aim of this paper is answer these questions, using public international law as the normative framework. Show less

In December 2014, Facebook announced that it would revise its Data Use Policy and Terms of Service. At the request of the Belgian Privacy Commission, ICRI/CIR (KU Leuven), in cooperation with iMinds-SMIT (Vrije Universiteit Brussel) conducted an extensive analysis of Facebook’s revised policies and terms.

Facebook rolled out its new policies and terms on January 30th, 2015. In the text, Facebook authorizes itself to (1) track its users across websites and devices; (2) use profile… Show more

In December 2014, Facebook announced that it would revise its Data Use Policy and Terms of Service. At the request of the Belgian Privacy Commission, ICRI/CIR (KU Leuven), in cooperation with iMinds-SMIT (Vrije Universiteit Brussel) conducted an extensive analysis of Facebook’s revised policies and terms.

Facebook rolled out its new policies and terms on January 30th, 2015. In the text, Facebook authorizes itself to (1) track its users across websites and devices; (2) use profile pictures for both commercial and non-commercial purposes and (3) collect information about its users’ whereabouts on a continuous basis. Facebook announced the changes more than a month in advance, but the choice for its +1 billion users remained the same: agree or leave Facebook. Show less

In May of this year, the Court of Justice of the European Union (CJEU) decided that individuals can – under certain conditions – obtain removal of certain search results. In November, the Article 29 Working Party issued a set of guidelines concerning the implementation of the CJEU ruling. These guidelines state that search engines must implement the ruling “on all relevant domains, including .com”. Critics argue that the approach advanced by the Working Party goes a bridge too far, imposing… Show more

In May of this year, the Court of Justice of the European Union (CJEU) decided that individuals can – under certain conditions – obtain removal of certain search results. In November, the Article 29 Working Party issued a set of guidelines concerning the implementation of the CJEU ruling. These guidelines state that search engines must implement the ruling “on all relevant domains, including .com”. Critics argue that the approach advanced by the Working Party goes a bridge too far, imposing European values onto non-EU jurisdictions. How far should the right to be forgotten extend, geographically speaking? Should Google, upon finding that an individual’s request is justified, modify its search results globally? Or should it only modify search results shown within the EU? The aim of this paper is answer these questions, using public international law as the normative framework. Show less

Following the ruling of the Court of Justice of the European Union (CJEU) in the Google Spain case, Google organised a series of public hearings to inform the public about its implementation of “the right to be forgotten” . Last week, the EU’s Article 29 Data Protection Working Party issued its guidelines on how the ruling should be implemented. Here, Jef Ausloos and Brendan Van Alsenoy of the Interdisciplinary Centre for Law and ICT at KU Leuven summarise the main points of the Working… Show more

Following the ruling of the Court of Justice of the European Union (CJEU) in the Google Spain case, Google organised a series of public hearings to inform the public about its implementation of “the right to be forgotten” . Last week, the EU’s Article 29 Data Protection Working Party issued its guidelines on how the ruling should be implemented. Here, Jef Ausloos and Brendan Van Alsenoy of the Interdisciplinary Centre for Law and ICT at KU Leuven summarise the main points of the Working Party’s guidance. Show less

Three weeks after the CJEU handed down its judgment in Google Spain, the search engine provider launched a web form to comply with the Court’s ruling. In July, Google announced the establishment of the so-called “Advisory Council on the Right to be Forgotten”. This Council, comprised of external experts, was to develop guidance on how search engines should balance one person’s “right to be forgotten” with the public’s right to information.The result of these hearings was something of a “mixed… Show more

Three weeks after the CJEU handed down its judgment in Google Spain, the search engine provider launched a web form to comply with the Court’s ruling. In July, Google announced the establishment of the so-called “Advisory Council on the Right to be Forgotten”. This Council, comprised of external experts, was to develop guidance on how search engines should balance one person’s “right to be forgotten” with the public’s right to information.The result of these hearings was something of a “mixed bag”, leaving us with both things to remember and things to forget. Show less

In May of this year, the Court of Justice of the European Union (CJEU) decided that individuals can – under certain conditions – ask Google (photo credit) to stop referring to certain information about them. The CJEU’s recognition of this so-called “right to be forgotten” has kicked up quite a storm. Now that the dust is beginning to settle, it’s time to direct our attention to questions of practical implementation. One set of questions is about territorial reach. How far should the right to be… Show more

In May of this year, the Court of Justice of the European Union (CJEU) decided that individuals can – under certain conditions – ask Google (photo credit) to stop referring to certain information about them. The CJEU’s recognition of this so-called “right to be forgotten” has kicked up quite a storm. Now that the dust is beginning to settle, it’s time to direct our attention to questions of practical implementation. One set of questions is about territorial reach. How far should the right to be forgotten extend, geographically speaking? Should Google, upon finding that an individual’s request is justified, modify its search results globally? Or should it only modify search results shown within the EU? Show less

Search engines can be portrayed both as champions of freedom and as agents of surveillance. By facilitating the retrieval of online data, they enable a global public to seek, receive and impart information. Where information about individuals is concerned, however, search engine services can also pose a risk to the privacy of data subjects. Due to the increase in personal information available online, search engine providers are frequently confronted with requests to remove certain web pages… Show more

Search engines can be portrayed both as champions of freedom and as agents of surveillance. By facilitating the retrieval of online data, they enable a global public to seek, receive and impart information. Where information about individuals is concerned, however, search engine services can also pose a risk to the privacy of data subjects. Due to the increase in personal information available online, search engine providers are frequently confronted with requests to remove certain web pages from their search results. A ‘notice-and-takedown’ procedure, similar to the one employed for copyright purposes, could offer considerable relief for the individuals’ concerned. However, questions have been raised regarding the compatibility of such mechanisms with the fundamental rights to freedom of expression, due process, as well as the principle of roportionality. The objective of this paper is to analyze whether the different interests at stake can be adequately reconciled within the framework of EU Data Protection Directive 95/46, using Google Spain (C-131/12) as a case study. Show less

Privacy notices are instruments that intend to inform individuals of the processing of their personal data,their rights as data subjects,as well as any other information required by data protection or privacy laws. This paper clarifies the current discourse regarding the (in)utility of privacy notices, particularly in the context of online transactions. It discusses the role that privacy notices play under the European data protection framework today, summarizes the main critiques regarding the… Show more

Privacy notices are instruments that intend to inform individuals of the processing of their personal data,their rights as data subjects,as well as any other information required by data protection or privacy laws. This paper clarifies the current discourse regarding the (in)utility of privacy notices, particularly in the context of online transactions. It discusses the role that privacy notices play under the European data protection framework today, summarizes the main critiques regarding the use of privacy notices in practice, and develops a number of recommendations for the future. Show less

In Opinion 1/2010, the Article 29 Data Protection Working Party has provided additional guidance concerning the concepts of ‘controller’ and ‘processor’ contained in Directive 95/46/EC. This guidance aims to assist practitioners in their determination of whether an entity is acting as a controller or as a processor towards a particular data processing operation. Despite the fact that this opinion is informative, the existing framework still appears to leave room for a considerable amount of… Show more

In Opinion 1/2010, the Article 29 Data Protection Working Party has provided additional guidance concerning the concepts of ‘controller’ and ‘processor’ contained in Directive 95/46/EC. This guidance aims to assist practitioners in their determination of whether an entity is acting as a controller or as a processor towards a particular data processing operation. Despite the fact that this opinion is informative, the existing framework still appears to leave room for a considerable amount of legal uncertainty. This uncertainty is attributable in part to the nature of the existing concepts, but also (and perhaps to a larger extent) to their apparent misalignment with current processing realities. In this paper, the author seeks to articulate why the existing concepts often remain difficult to apply in practice, in order to enable a constructive reflection on how these issues might be addressed in the future. Show less

Accountability is a concept which has received renewed attention in current policy discourses concerning the future of data protection regulation. The main purpose of this article is to analyze the origin and development of accountability as a data protection principle. The article starts by outlining how accountability is generally understood across disciplines. This outline is followed by an historical survey of the most significant legal and policy instruments which have incorporated… Show more

Accountability is a concept which has received renewed attention in current policy discourses concerning the future of data protection regulation. The main purpose of this article is to analyze the origin and development of accountability as a data protection principle. The article starts by outlining how accountability is generally understood across disciplines. This outline is followed by an historical survey of the most significant legal and policy instruments which have incorporated accountability as a separate data protection principle. After that the potential role and impact of the accountability principle in the context of the revision of Directive 95/46/EC will be examined, with specific focus on the introduction of a general principle of accountability and the role of accountability in the context of international data transfers. This analysis also identifies some of the main challenges and open issues for the further development of this concept within the EU Data Protection framework Show less

While e-government has a clear potential to improve governmental service delivery and governance, at the same time it gives rise to concerns as to whether these initiatives will not put citizensʼ privacy at risk. With its development, digital identification and identity management have become fundamental aspects of public policy, on both a national and European level. The electronic identities of citizens are in fact at the very center of e-government, and the management of their personal… Show more

While e-government has a clear potential to improve governmental service delivery and governance, at the same time it gives rise to concerns as to whether these initiatives will not put citizensʼ privacy at risk. With its development, digital identification and identity management have become fundamental aspects of public policy, on both a national and European level. The electronic identities of citizens are in fact at the very center of e-government, and the management of their personal information triggers worries and debates as to whether appropriate safeguards are (or will be) in place. Show less

Now that more and more legal transactions are being performed online, it is increasingly necessary to enable integration of legal mandates within identity and information management systems. The purpose of this article is to outline the legal framework surrounding delegation and to identify basic requirements for any technical application which seeks to provide recognition to legal mandates and delegation processes. Special consideration is also given to the legal implications in situations… Show more

Now that more and more legal transactions are being performed online, it is increasingly necessary to enable integration of legal mandates within identity and information management systems. The purpose of this article is to outline the legal framework surrounding delegation and to identify basic requirements for any technical application which seeks to provide recognition to legal mandates and delegation processes. Special consideration is also given to the legal implications in situations where a (presumed) mandate holder acts without or outside his authority. Based on these considerations, this article attempts to outline an approach which can significantly reduce the potential risks for both mandate issuers and relying service providers. Show less

Directive 95/46/EC and implementing legislation define the respective obligations and liabilities of the different actors that may be involved in a personal data processing operation. There are certain exceptions to the scope of these regulations, among which processing which is carried out by natural persons in the course of activities that may be considered ‘purely personal’. The purpose of this article is to investigate the liability of users of social network sites under data protection and… Show more

Directive 95/46/EC and implementing legislation define the respective obligations and liabilities of the different actors that may be involved in a personal data processing operation. There are certain exceptions to the scope of these regulations, among which processing which is carried out by natural persons in the course of activities that may be considered ‘purely personal’. The purpose of this article is to investigate the liability of users of social network sites under data protection and to assess the extent to which the current data protection framework can sufficiently accommodate the new realities of web 2.0 and social networking applications.
accommodate the new realities of web 2.0 and social networking applications. Show less

In this article, the authors are evaluating the current authentication mechanisms for eGovernment employed in Belgium. Particular focus is placed on the Belgian electronic identity card (eID) and the use of national identification numbers. After evaluating the current situation the authors proceed to highlight possible alternatives.