Books.
Full citation: Spiecker I / Papakonstantinou V / Hornung G / De Hert P, General Data Protection Regulation, Article-by-Article Commentary, Nomos / Hart, 2021.
About: This commentary covers all topics and critical aspects elicited by the new European General Data Protection Regulation and its interpretation. The commentary focuses on the regulation itself, including cross-references to further provisions (eg the Police and Criminal Justice Data Protection Directive, the E-Privacy-Directive or the former Data Protection Directive 95/46/EC). Article by article the purpose of a provision is classified, its background, function and structure analysed and its content interpreted. The commentary provides an independent view of all topics, presenting both an overview and specific interpretation that provide far-reaching arguments. The editors and authors are outstanding experts in the field of data protection law well known for their practical as well as structured and thorough approach to data protection issues. They offer suitable solutions and sound arguments especially for international companies, legal councils and corporate lawyers as well as data protection agencies, NGOs and legislators.
Papakonstantinou E, Start-Up Greece: Πώς η Ελλάδα θα γίνει το επόμενο Start-Up Nation [Start-Up Greece: How Greece Will Become the Next Start-Up Nation], Stamoulis Publications, Athens, 2020.
Description: Vagelis Papakonstantinou's new book, "Start-Up Greece: How Greece Will Become the Next Start-Up Nation", proposes a new model of doing business on which growth could be based in the coming years. What could the next growth model for Greece be as it slowly emerges from the more than decade-long economic crisis? How could the lost decade be recovered and a similar eventuality avoided in the future? This book proposes that startups and startuppers become the country's next economic and social model and offers practical, workable solutions for the ways in which this could be achieved. By adopting a new model of (youth) entrepreneurship, Greece will succeed in becoming the next Startup Nation.
Full citation: Rowena Rodrigues/Vagelis Papakonstantinou (eds.), Privacy and Data Protection Seals, Springer / T.M.C. Asser Press, 2018.
About: The book presents timely and needed contributions on privacy and data protection seals as seen from general, legal, policy, economic, technological, and societal perspectives. It covers data protection certification in the EU (i.e., the possibilities, actors and building blocks); the Schleswig-Holstein Data Protection Seal; the French Privacy Seal Scheme; privacy seals in the USA, Europe, Japan, Canada, India and Australia; controversies, challenges and lessons for privacy seals; the potential for privacy seals in emerging technologies; and an economic analysis. This book is particularly relevant in the EU context, given the General Data Protection Regulation (GDPR) impetus to data protection certification mechanisms and the dedication of specific provisions to certification. Its coverage of practices in jurisdictions outside the EU also makes it relevant globally. This book will appeal to European legislators and policy-makers, privacy and data protection practitioners, certification bodies, international organisations, and academics. Rowena Rodrigues is a Senior Research Analyst with Trilateral Research Ltd. in London and Vagelis Papakonstantinou is a Senior Researcher at the Vrije Universiteit Brussel in Brussels.
Full citation: Sanjay Goel/Yuan Hong/Vagelis Papakonstantinou/Dariusz Kloza, Smart Grid Security, Springer, 2015.
About: Smart Grid is one of the key technologies that will reshape the landscape in terms of electricity, generation, management, and usage. The goal of smart grid is to overlay the communication grid on top of the electric grid such that the grid becomes more self-aware and efficient by making more informed decisions. The grid entails collecting large volumes of data both on the state of the grid as well as supply and demand which can then be processed to make the grid more efficient. Layering the communication infrastructure and connecting the entire grid obviously opens up additional vulnerabilities in the network that can be exploited. The smart grid will be a large network albeit largely disconnected from the current Internet but of the same scale with similar architecture. Some of the vulnerabilities of the Internet will also impact the smart grid. In addition, since the grid intrudes into the homes and personal lives of users there are privacy issues that need to be addressed. This book covers technical, legal, and policy issues related to information security and privacy in context of the smart grid.
Full citation: Vagelis Papakonstantinou, Self-Regulation and the Protection of Privacy, Nomos Verlagsgesellschaft, Baden-Baden, 2002.
About: Self-regulation is frequently brought forward as the preferred alternative for the regulation of the Information Society. The emergence of new ways of communicating and doing business has initiated claims for their equally new regulative treatment, that will have to go beyond existing legislative boundaries, in order to help them develop. This is a view repeatedly advocated by the private sector, academics and, sometimes, national governments. On the other hand, disputes have been raised by those who challenge self-regulation’s ability to provide adequate safeguards for individuals in relation to the protection of their rights. This research attempts to assess the role of self-regulation for the protection of privacy. While doing this, an attempt is undertaken to define self-regulation through the notions of the “cooperative state” and “market regulation”. The background and the contemporary implementation of self-regulatory instruments in the field of data protection is examined, before an assessment of current schemes is carried out. The author supports that self-regulation has ultimately very little to offer to data protection, and should only be viewed as an assisting mechanism under the auspices of national data protection authorities. Only in parallel to data protection legislation can self-regulation truly serve the protection of individual privacy.
The work is part of the series Frankfurter Studien zum Datenschutz, Volume 22.
Full citation: Vagelis Papakonstantinou, The legal protection of software in a networked environment, Esperia publications, London, 2001.
About: This book has been published under the European Public Law Series: Volume XXI, Vagelis Papakonstantinou, “The Legal Status of Network Software in Europe”, (105 pp.) (CD-Rom), 2002, 20 €, ISBN: 960-8057-15-9 / SET: 960-8057-10-8.
Markopoulou D/Papakonstantinou E, Νόμος 4072/2012 περί Σημάτων (άρθρα 121επ.) – Κατ’ άρθρον Ερμηνεία [Law 4072/2012 on Trade Marks (Articles 121 et seq.) – Article-by-Article Interpretation], Sakkoulas Publications, Athens, 2016.
Description: The lack of a handbook on Law 4072/2012, which among other things covered trade mark law, replacing Law 2239/1994 that had been in force for more than fifteen years, and the difficulties this lack creates in practice prompted the authors to write this book. The book takes the form of an article-by-article commentary. Where theoretical analysis was required, it was kept as concise as possible, with references to further theory. Emphasis has been placed on citing examples (case law), national and Community, to substantiate the analysis. With the same aim of providing as useful a tool as possible for practice, the tables set out at the end of the analysis were organised accordingly. In addition to the index, there is a table of case law (with reference to the articles of the law relevant to each decision), as well as an article-by-article cross-reference to the text of the law (that is, starting from a specific article of the law, we indicate which other articles also refer to it, so that the reader obtains a complete picture). The analysis also takes into account the amendment of the Community regulatory framework that took place in the meantime. Although the writing was based on the previously applicable Regulation 207/2009, since Regulation 2424/2015 entered into force on 23 March 2016, the analysis notes the changes in each individual article.
Papakonstantinou E/Markopoulou D, Startups: Οδηγός Επιβίωσης για Νέους Επιχειρηματίες [Startups: A Survival Guide for New Entrepreneurs], Stamoulis Publications, Athens, 2015 (2nd edition 2019)
Description: Do you have a business idea, but are troubled by the veil of uncertainty surrounding startups? Do you want to increase the chances of success of your business venture? Then this book is for you and will quite probably prove to be the best "startup investment" you ever made. The authors of the book, drawing on their many years of involvement with startups in Greece, have prepared a short but comprehensive step-by-step guide, aiming to offer an intensive course in contemporary Greek entrepreneurship to aspiring new entrepreneurs who either have not yet started or have only just begun their business activity. From the conception of the idea through to winning the first customer, this book will give you the basic knowledge so that you do not need to "reinvent the wheel", but can focus, together with your (indispensable) advisers, on the specific issues of your venture.
Papakonstantinou E, Δίκαιο Πληροφορικής [Information Technology Law], Sakkoulas Publications, Athens – Thessaloniki, 2010.
Description: Personal Data Law – Software Protection – Databases – Electronic Commerce. This book is essentially the second edition of Νομικά Θέματα Πληροφορικής [Legal Issues in Information Technology] (Sakkoulas Publications, 2006). Admittedly, for the first edition of my book I hesitated to use the title Information Technology Law, because of the circumstances at the time: some of its individual fields (such as personal data protection law) had not yet developed their full momentum, others such as electronic commerce or even the Internet had not yet received, inside and outside Greece, clear treatment in theory, while information and telecommunications technologies still found only marginal application in the everyday life of Greek society. All of the above assumptions have since been overturned. Information and telecommunications technologies, in one form or another, now affect the life of each of us – rights and obligations arise from their everyday use, and their implementations are protected by new or already existing legal instruments. The universal acceptance and use of the Internet and new technologies have meanwhile prompted increased interest from theory, while at the same time noteworthy Greek case law has begun to form. Conditions appear to have finally matured in Greece too for the creation of a self-standing Information Technology Law, as a category of the field of Legal Informatics. Starting from the above findings, I proceeded to change the title of my book, hoping that this second edition too will meet with the favourable reception that the first enjoyed. As in the past, this book is the result of many years of exchanges with the students and teaching staff of the Department of Computer Engineering and Informatics of the University of Patras, without whose active contribution its writing would have been impossible.
Papakonstantinou E, Ψηφιακή Ελλάδα [Digital Greece], Kleidarithmos Publications, 2010.
Description: Is any plan being implemented for how we will reach a Digital Greece? How was the current legal framework for new technologies created, and how effectively does it work in practice? How could we move more safely and more effectively towards a true Digital Greece? The analysis in this book attempts to answer these crucial questions. The starting point of the analysis is legal, as the analysis of the regulatory framework in the individual sectors of Digital Greece forms its core. Its aim, however, is not to give legal answers, but to demonstrate the relationship between laws and Digital Greece. In essence, the aim of this book is twofold: on the one hand to record and on the other to propose. The record concerns Digital Greece today, its historical course and the contemporary regulatory framework. The proposals concern its course in the future. The contents of the book include the following: The individual (The average Greek user of new technologies, His participation in Web 2.0, The processing of his personal data, His (tele)communication). The market (The Greek “average new technology business” – the Greek NET business, Its relations market (Creation of rules, Application of rules, Provision of services/consumption of products and services, Exercise of policy?).
Papakonstantinou E, Νομικά Θέματα Πληροφορικής [Legal Issues in Information Technology], Sakkoulas Publications, Athens – Thessaloniki, 2006.
Description: Personal Data Protection, Legal Protection of Software, Electronic Commerce
Markopoulou Dimitra / Tsoukala Vasiliki, Δεδομένα Προσωπικού Χαρακτήρα: Εθνική Νομοθεσία – Κατ’ άρθρον αποφάσεις της ΑΠΔΠΧ – Ευρωπαϊκή & Διεθνής Νομοθεσία – Αποφάσεις ΔΕΕ [Personal Data: National Legislation – Article-by-Article Decisions of the Hellenic Data Protection Authority – European & International Legislation – CJEU Decisions]. Edited by: Evangelos Papakonstantinou, Sakkoulas Publications, 2014.
Description: After a brief general introduction, the book is divided into two parts. The first deals with national legislation. It includes the codified Law 2472/1997 and decisions, which have been summarised as accurately as possible and set out article by article. The legislation is then presented by processing sector (electronic communications, police and judicial cooperation, other laws). The second part deals with European and Community legislation. The basic regulatory texts are set out first, followed by those concerning specific processing sectors. Finally, basic case law is also included. A brief presentation of international law is given in a third part, mainly for the completeness of the picture (without the reader forgetting that the OECD Guidelines are a text of international influence that has just completed a revision process). Finally, useful guidance (and caveats) is provided in the introduction to each sub-chapter. The reader should take these into account before turning to the piece of legislation of interest.
Articles.
Full citation: Vasiliki Papadouli/Vagelis Papakonstantinou, A preliminary study on artificial intelligence oracles and smart contracts: A legal approach to the interaction of two novel technological breakthroughs in the Computer Law & Security Review, Vol. 51, October 2023.
Abstract: Artificial Intelligence and Smart Contracts are two cutting-edge technological achievements of the so-called 4th Industrial Revolution era. Both have already had a significant impact on various aspects of modern life, including transactions, and each one has already been under scientific investigation. Instead, their interaction has not become the subject of a debate, although it can further (positively) affect the transactions. This interconnection takes place through specific mechanisms, called Oracles, which can be, among others, highly sophisticated Artificial Intelligence systems (autonomous systems). The present article aims to present the role of the Artificial Intelligence Oracles throughout the ‘smart contractual procedure’, as well as to shed light on the potential (new) legal issues this interconnection may raise. The main result of this article is to indicate the appropriate legal directions in case of Artificial Intelligence Oracles’ failures, based on the most prevalent current approaches to AI’s (the user’s) contractual and/or non-contractual liability. The major research’s conclusion is that the Artificial Intelligence Oracle’s failures may result in one of the following situations: (a) breach of a (smart) contract, (b) unjust enrichment, (c) conclusion of a (voidable) smart contract that should not have been concluded, or (d) non-conclusion of a smart contract that should have been concluded. The responsibility of each person participating in the ‘smart contractual procedure’, i.e. the contractual parties, the blockchain platform and the Artificial Intelligence user/owner (or even the Artificial Intelligence system itself), as well as the AI provider or designer, is examined in each of the afore-mentioned situations separately. Given that legislative initiatives have already begun, the present article aspires to contribute to the consistent address of the newly raised legal issues.
Full citation: Vagelis Papakonstantinou, The Cybersecurity Obligations of States Perceived as Platforms: Are Current European National Cybersecurity Strategies enough? in the ACIG journal, Vol. 1, Issue 1.2022, December 2022.
Abstract: Cybersecurity is a relatively recent addition to the list of preoccupations for modern states. The forceful emergence of the internet and computer networks and their subsequent prevalence quickly brought this to the fore. By now, it is inconceivable that modern administrations, whether public or private, can exist entirely outside the digital realm. Nevertheless, with great opportunities also comes great risk. Attacks against computer systems quickly evolved from marginalised incidents to matters of state concern. The exponential increase in the importance of cybersecurity over the past few years has led to a multi-level response. New policies, followed by relevant laws and regulations, have been introduced at national and international levels. While modern states have therefore been compelled to devise concrete cybersecurity strategies in response to potential threats, the most notable aspect of these strategies is their resemblance to one another. Such uniform thinking could develop into a risk per se: challenges may appear unexpectedly, given the dynamic nature of the internet and the multitude of actors and sources of risk, which could put common knowledge, or what may be called conventional wisdom, to the test at a stage where the scope for response is limited. This paper builds upon the idea of national states being perceived as platforms within the contemporary digital and regulatory environment. Platforms are in this context information structures or systems, whereby the primary role of states acting as platforms is that of an information broker for its citizens or subjects. This role takes precedence even over the fundamental obligation of states to provide security; it calls upon them first to co-create (basic) personal data, and then to safely store and further transmit such data.
Once the key concept of states as platforms has been elaborated in section 2, this paper then presents the concrete consequences of this approach within the cybersecurity field. In section 3, former off-line practices for safely storing personal information, undertaken by states within their role as platforms, are contrasted with the challenges posed by the digitisation of information. The focus is then turned in section 4 to the EU, and the NIS Directive’s obligation upon Member States to introduce and implement national cybersecurity strategies, which are therefore examined under the lens introduced in section 2. Finally, specific points for improvement and relevant recommendations for these cybersecurity strategies are presented in section 5.
Full citation: Vagelis Papakonstantinou, States as platforms following the new EU regulations on online platforms, European View, SAGE journals, Vol. 21, Issue 2, November 2022.
Abstract: The recent adoption by the European Parliament of the Digital Services Act means that, when it comes into effect, it will formally introduce into EU law the term ‘online platforms’. In effect, between the Digital Services Act and the Digital Markets Act, a comprehensive framework for the regulation of online platforms is being introduced into EU law, the first of its kind both in Europe and internationally. However, European regulatory innovation invites a different viewpoint: Could states be considered platforms? What if this new regulatory framework was applied to states themselves? This article first outlines the regulations on online platforms in EU law. Then it discusses the role of states as information brokers in order to support its main argument, that states can be viewed as (online) platforms. A discussion of the consequences of such a conclusion is included in the final part of this analysis.
Full citation: Vagelis Papakonstantinou/ Paul de Hert, The Regulation of Digital Technologies in the EU: The law-making phenomena of “act-ification”, “GDPR mimesis” and “EU law brutality”, Technology and Regulation Journal, Volume 2022 (2022), May 2022.
Abstract: EU regulatory initiatives on technology-related topics have spiked over the past few years. On the basis of its Priorities Programme 2019-2024, while creating “Europe fit for the Digital Age”, the EU Commission has been busy releasing new texts aimed at regulating a number of technology topics, including, among others, data uses, online platforms, cybersecurity, or artificial intelligence. This paper identifies three basic phenomena common to all, or most, EU new technology-relevant regulatory initiatives, namely (a) “act-ification”, (b) “GDPR mimesis”, and (c) “regulatory brutality”. These phenomena divulge new-found confidence on the part of the EU technology legislator, who has by now asserted for itself the right to form policy options and create new rules in the field for all of Europe. These three phenomena serve as indicators or early signs of a new European technology law-making paradigm that by now seems ready to emerge.
Full citation: Anastasia Karagianni/ Vagelis Papakonstantinou, Surveillance in Schools Across Europe: A New Phenomenon in Light of the COVID-19 Pandemic? The Cases of Greece and France, European Journal of Educational Research, Volume 11, Issue 2, April 2022.
Abstract: Surveillance technology is more and more used in educational environments, which results in mass privacy violations of kids and, thus, the processing of huge amounts of children’s data in the name of safety. The methodology used is doctrinal, since the focus of this research was on the implementation of the legal doctrine of data protection law in educational environments. More than that, the cases of Greece and France regarding the use of surveillance technologies in schools are carefully studied in this article. Privacy risks that both children and educators are exposed to are underlined. In these terms, this research paper focuses on the proper implementation of the European data protection framework and the role of Data Protection Authorities as control mechanisms, so that human rights risks from the perspective of privacy and data protection are revealed, and the purposes of the use of such technologies are evaluated. This study is limited to the legal examination of the European General Data Protection Regulation, and its implementation in the legal orders of Greece and France, and practice pertaining to the case studies of Greece and France respectively.
Full citation: Vagelis Papakonstantinou, Cybersecurity as praxis and as a state: The EU law path towards acknowledgement of a new right to cybersecurity? in Computer Law & Security Review, Vol. 44, April 2022.
Abstract: The end of the second decade of the 21st century has been the best of times for EU’s cybersecurity law and policy: Its NIS Directive has been transposed into all Member States’ national law, creating a new administrative structure at EU and Member State level and mandating relevant policies and strategies to update and harmonise those that were already in place. Its Cybersecurity Act of 2019 incorporated the EU Agency for Cybersecurity (ENISA), and promises to install a new European cybersecurity certification scheme. To support policy with funding, large sums of research money have been spent on the development of cybersecurity tools and the relevant framework. However, EU’s significant regulatory activity is faced with substantial difficulties. While cybersecurity concerns are placed high on the list of issues that worry Europeans making a regulatory response pressing, the cybersecurity theoretical framework is far from concluded: Difficulties start as early as when attempting to define the term, ultimately divulging a lack of common understanding. Different actors understand cybersecurity differently under different circumstances. A distinction that could perhaps prove useful in creating clarity as to its exact meaning would distinguish between cybersecurity as praxis and cybersecurity as a state. Cybersecurity as praxis would then be understood as the activities and measures that need to be undertaken in order to accomplish cybersecurity’s aims and objectives. Accordingly, cybersecurity as a state would mean the condition that is achieved once cybersecurity as praxis has succeeded; Within cybersecurity as a state persons need to be protected against any cyber threat. A distinction between cybersecurity as praxis and cybersecurity as a state would not only be useful in delineating the term’s content but could also constitute the necessary theoretical groundwork for development, ultimately, of a new right to cybersecurity. 
EU law has already taken positive steps towards acknowledgement of a new right to cybersecurity. However, a lot more needs to be done; Past progress needs to be continued and updated. A conceivable next step could take the form of formal acknowledgement of such a new right in EU law, in a future amendment of the Act’s provisions or otherwise.
Full citation: Dimitra Markopoulou/Vagelis Papakonstantinou, Digitalisation of water services and the water sector cyber threat landscape: Is the EU regulatory framework adequate? in the Journal of Water Law, Vol. 27, Issue 4, November 2021.
Abstract: Critical infrastructures are vital for the functioning of modern societies. Over the last decades the number, variety and complexity of critical infrastructures have increased significantly; So has their exposure to different types of threats that vary from natural disasters and human errors to theft or even terrorist attacks. During the last two decades though a new type of threat has made its appearance in the Critical Infrastructure landscape, that of cyberattacks. The drinking water and water transportation sector is unquestionably categorized as a Critical Infrastructure. Within a water digitalisation context, the water sector has followed the example of other sectors, most notably energy, in increasing its dependence on ICT for improving its service, sustainability and affordability. While ICT may increase the water sector’s productivity and reliability, at the same time it makes it increasingly vulnerable to malicious cyberattacks or accidental cyber incidents. The consequences of a possible interruption or compromise of the water sector’s ICS, for example manipulation or disruption of water services, damage to equipment, or compromise of water safety could prove disastrous both for public health and safety and due to economic loss. At the same time, water sector entities are responsible for processing and accordingly protecting personal information, including employees’ records and customers’ billing data. While the current EU regulatory framework on water management has gone through a great reform over the last decades, it does not deal with the protection of water facilities against cyber risks. Even though the EU cybersecurity policy, including the protection regime on Critical Infrastructures, as well as the General Data Protection Regulation find full applicability on the water entities, the new digitalized water landscape calls for a shift in approach in order to create a more cyber resilient water sector.
Full citation: Dimitra Markopoulou/Vagelis Papakonstantinou, The regulatory framework for the protection of critical infrastructures against cyberthreats: Identifying shortcomings and addressing future challenges: The case of the health sector in particular, Computer Law & Security Review, Vol. 41, July 2021.
Abstract: The concept of “Critical Infrastructures” is constantly evolving in order to reflect current concerns and to respond to new challenges, especially in terms of (cyber)security and resilience. Protection of critical infrastructures against numerous threats has therefore developed into a high priority at national and EU level. During the last two decades a new type of threat has prevailed in the Critical Infrastructure threat landscape, that of cyberattacks; Protection against them is the primary focus of this paper. In order to do so the analysis first aims to drop some light into the differences between Critical Infrastructures and Critical Information Infrastructures, terms that are often confused, and to indicate possible inadequacies in the applicable protection regulatory regime. Finally, the health sector has been chosen as a sector-specific case in an effort to demonstrate how protection of a Critical Infrastructure, challenged as it has been with a constantly increasing number of cyber incidents, could be sufficiently protected in the new digitalised era.
Full citation: Paul de Hert /Vagelis Papakonstantinou, Framing Big Data in the Council of Europe and the EU data protection law systems: Adding ‘should’ to ‘must’ via soft law to address more than only individual harms, Computer Law and Security Review, Volume 40, April 2021
Abstract: On 19 November 2019 the Council of Europe hosted an international conference, immediately preceding the annual plenary meeting of its Committee of Convention 108, on “Convention 108+ and the future data protection global standard”. One of the authors made a presentation on “Comparing the EU and Council of Europe approach to Big Data”, and it is its contents and findings that are further elaborated in this paper; Its aim is, in essence, to incorporate the feedback received and to adapt past research on Big Data, that was mostly relevant to the EU, also on the Council of Europe data protection system. After a few preliminary remarks on Big Data terminology and possible regulatory approaches, Big Data regulation is examined against the EU and the Council of Europe data protection systems. Particular emphasis is given to the Council of Europe regulatory approach both in terms of Convention 108+ and with regard to its Guidelines on Big Data and AI. The authors believe that, because both the EU and the Council of Europe have avoided to refer to Big Data in their basic data protection regulatory texts (a most likely intentional omission), guidance is indeed needed, and it may well come in the form of soft law. The Council of Europe has taken the lead in this through its Guidelines; Their timely, comprehensive and balanced approach showcases the Council’s will for such processing to indeed take place, but within a well-regulated environment, albeit not under a rigid regulatory construction.
Full citation: Vagelis Papakonstantinou/ Paul de Hert, Big Data analytics in electronic communications: A reality in need of granular regulation (even if this includes an interim period of no regulation at all), Computer Law and Security Review, Volume 36, April 2020
Abstract: Over the past few years big data analytics have forcefully entered the mainstream. Admittedly, modern life would be inconceivable without the services afforded by this type of processing in the field of electronic communications. At the same time public administrations are increasingly discovering the benefits of big data analytics afforded to them by telecommunications operators. Nevertheless, despite public attention and high volumes of expert analyses, the majority of approaches on the challenges to personal data protection by this type of data processing remains theoretical; Tellingly, the EDPS speaks of the “black box” of big data analytics. However, the authors were able to open, and stare into, the “black box” of big data analytics in the electronic communications field in 2017 and 2018 in the context of GDPR compliance assessments. Their analysis first attempts to set the legal scene today, answering two crucial questions on scope and applicable law, before presenting a typology for a scalable and granular approach that the authors feel is necessary but nevertheless is missing from the text of the draft ePrivacy Regulation. The authors therefore conclude that processing requirements and particularities, as evidenced under the big data analytics paradigm, make necessary a much more detailed approach than the one afforded by the draft ePrivacy Regulation today. Until these needs are met, through the introduction of a new, fundamentally amended text, the authors suggest that the current regulatory framework and the mechanisms afforded by it be extended for an interim period, so as to afford legislators with the necessary space and time to revise their work.
Full citation: Dimitra Markopoulou/Vagelis Papakonstantinou/ Paul de Hert, The New EU cybersecurity framework: The NIS Directive, ENISA’S role and the General Data Protection Regulation, Computer Law and Security Review, Volume 35, Issue 6, November 2019
Abstract: The NIS Directive is the first horizontal legislation undertaken at EU level for the protection of network and information systems across the Union. During the last decades e-services, new technologies, information systems and networks have become embedded in our daily lives. It is by now common knowledge that deliberate incidents causing disruption of IT services and critical infrastructures constitute a serious threat to their operation and consequently to the functioning of the Internal Market and the Union. This paper first discusses the Directive’s addressees particularly with regard to their compliance obligations as well as Member States’ obligations as regards their respective national strategies and cooperation at EU level. Subsequently, the critical role of ENISA in implementing the Directive, as reinforced by the proposal for a new Regulation on ENISA (the EU Cybersecurity Act), is brought forward, before elaborating upon the, inevitable, relationship of the NIS Directive with EU’s General Data Protection Regulation.
Full citation: Paul de Hert /Vagelis Papakonstantinou, Data protection and the EPPO, New Journal of European Criminal Law, Volume 10, Issue 1, April 2019
Abstract: The European Public Prosecutor’s Office (the ‘EPPO’) necessarily processes personal data in order to fulfil its mission; as such, it falls squarely within the European Union (EU) data protection regulatory landscape. However, because the EU data protection regulatory landscape itself is currently found at a crossroads, an analysis of the EPPO data protection model may be twofold: First, placing it within the proper cross-organization dialogue currently taking place on the future regulatory model of personal data processing for law enforcement purposes carried out at EU level. Second, at an EPPO-specific level, whereby the actual data protection regime afforded to it may be assessed. This article purports to elaborate upon the above two data protection dimensions of EPPO personal data processing activities: It presents considerations and policy options during the lawmaking period that resulted in the establishment of the EPPO, it analyses the data protection regime ultimately awarded to it and attempts to, critically, place the EPPO data protection model within its proper operational and legislative environment.
Full citation: Vagelis Papakonstantinou/Paul de Hert, Structuring modern life running on software. Recognizing (some) computer programs as new digital “persons”, Computer Law & Security Review, Volume 34, Issue 4, August 2018
Abstract: Saudi Arabia grants nationality to an AI robot; the first “clash of robots” took place in Japan; and, Bill Gates suggests that robots start paying taxes. We believe that these developments justify new legal fiction interventions. Software has long now exceeded the intellectual property boundaries. It is no longer merely property; it has assumed life of its own. It does not matter that such life is imaginary today. Legal persons were brought to life through legal fiction intervention that was based on much less motivation – merely the human incentive for profit. Software is certainly connected today with profit, given that the world’s most valued corporations are software companies. However, it has moved much further than that, to assume in many ways artificial life of its own. We think that it is time that the dichotomy between natural and legal persons, that has served humanity so well over the past centuries, now be trisected: A new, digital person, ought to be added to it.
Full citation: Paul de Hert/Vagelis Papakonstantinou/Gianclaudio Malgieri/Laurent Beslay/Ignacio Sanchez, The Right to Data Portability in the GDPR: Towards user-centric interoperability of digital services, Computer Law & Security Review, Volume 33, Issue 2, April 2017
Abstract: The right to data portability is one of the most important novelties within the EU General Data Protection Regulation, both in terms of warranting control rights to data subjects and in terms of being found at the intersection between data protection and other fields of law (competition law, intellectual property, consumer protection, etc.). It constitutes, thus, a valuable case of development and diffusion of effective user-centric privacy enhancing technologies and a first tool to allow individuals to enjoy the immaterial wealth of their personal data in the data economy. Indeed, a free portability of personal data from one controller to another can be a strong tool for data subjects in order to foster competition of digital services and interoperability of platforms and in order to enhance controllership of individuals on their own data. However, the adopted formulation of the right to data portability in the GDPR could benefit from further clarification: several interpretations are possible, particularly with regard to the object of the right and its interrelation with other rights, potentially leading to additional challenges within its technical implementation. The aim of this article is to propose a first systematic interpretation of this new right, by suggesting a pragmatic and extensive approach, particularly taking advantage as much as possible of the interrelationship that this new legal provision can have with regard to the Digital Single Market and the fundamental rights of digital users. In sum, the right to data portability can be approximated under two different perspectives: the minimalist approach (the adieu scenario) and the empowering approach (the fusing scenario), which the authors consider highly preferable.
Full citation: Paul de Hert/Vagelis Papakonstantinou, The rich UK contribution to the field of EU data protection: Let’s not go for “third country” status after Brexit, Computer Law & Security Review, Volume 33, Issue 2, April 2017
Abstract: The die is cast. At the time of drafting this paper the so-called Brexit, the exit of the UK from the EU, seems like a certainty after the poll results of 23 June 2016. Within such historic, indeed seismic, developments data protection seems but a minor issue, a footnote to a world-changing chapter waiting to be written. Yet, from our modest vantage point, undertaken after this Journal’s kind invitation, we submit that data protection, although one out of the myriad legal aspects pertaining to Brexit that urgently await consideration, may prove to be a crucial issue in this process. Notwithstanding what happens in the immediate future, when attention will presumably be focused on coordinating the dates when Brexit may potentially occur and the GDPR comes into effect, long-term thinking is critical. We believe that, because developments in this field of law will be among those felt directly by individuals on both sides of the Channel, data protection has the potential to be among the issues that “make” or “break” a possibly successful Brexit – if success is perceived as minimal disturbance to an already functioning system. UK and EU data protection are intrinsically connected by now, by osmosis, after decades of mutual exchanges and intensive collaboration. If indeed, contrary to our wishes, a data protection Brexit does take place, the preferred way forward for the authors would be for the UK to unreservedly and permanently adhere to the EU data protection model. If this will not be the case, then we feel that a high-level principle-driven solution would serve data protection purposes better than a detailed and technical solution; the latter, if ever achievable, would essentially attempt the impossible: to surgically sever what is today an integral part of a living and functioning system.
Full citation: Paul de Hert/Vagelis Papakonstantinou, The new General Data Protection Regulation: Still a sound system for the protection of individuals? Computer Law & Security Review, Volume 32, Issue 2, April 2016
Abstract: The five-year wait is finally over; a few days before expiration of 2015 the “trilogue” that had started a few months earlier between the Commission, the Council and the Parliament suddenly bore fruit and the EU data protection reform package has finally been concluded. As planned since the beginning of this effort a Regulation, the General Data Protection Regulation is going to replace the 1995 Directive and a Directive, the Police and Criminal Justice Data Protection Directive, the 2008 Data Protection Framework Decision. In this way a long process that started as early as in 2009, peaked in early 2012, and required another three years to pass through the Parliament’s and the Council’s scrutiny is finished. Whether this reform package and its end-result is cause to celebrate or to lament depends on the perspective, the interests and the expectations of the beholder. Four years ago we published an article in this journal under the title “The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals”. This paper essentially constitutes a continuation of that article: now that the General Data Protection Regulation’s final provisions are at hand it is possible to present differences with the first draft prepared by the Commission, to discuss the issues raised through its law-making passage over the past few years, and to attempt to assess the effectiveness of its final provisions in relation to their declared purposes.
Full citation: Paul de Hert/Vagelis Papakonstantinou, The New Police and Criminal Justice Data Protection Directive. A first analysis, New Journal of European Criminal Law, Vol. 7, Issue 1, 2016
Abstract: Allegedly the Police and Criminal Justice Data Protection Directive (henceforth, the “Directive”) is the little-known, much overlooked part of the EU data protection reform package that stormed into the EU legislative agenda towards the end of 2015. Its counterpart, regulating all other personal data processing activities, the General Data Protection Regulation (henceforth, the “Regulation”), is undoubtedly the text that fascinated legislators, legal scholars and even journalists over the four years since their simultaneous release in first draft formats, with its numerous noteworthy novelties: the right to be forgotten, the right to data portability, data protection impact assessments, privacy by design, consistency and one-stop-shop mechanisms among EU Data Protection Authorities etc. Compared to this impressive list the text of the Directive indeed sounds mundane and unimaginative. However, we firmly believe that the repercussions it will have in the EU personal data processing scene surrounding the work of law enforcement authorities, once it comes into effect, will be fundamental and will be equally felt by everybody exactly in the same way that its famous sibling intends to do.
Full citation: Paul de Hert/Vagelis Papakonstantinou/Irene Kamara, The cloud computing standard ISO/IEC 27018 through the lens of the EU legislation on data protection, Computer Law & Security Review, Volume 32, Issue 1, February 2016
Abstract: In July 2014 ISO and IEC published a standard relating to public cloud computing and data protection. The standard aims to address the down-sides of cloud computing and the concerns of the cloud clients, mainly the lack of trust and transparency, by developing controls and recommendations for cloud service providers acting as PII processors. At the same time, the standard aims to assist providers to demonstrate transparency and accountability in the handling of data and information in the cloud. This paper looks briefly at the data protection and security challenges of cloud computing. It discusses the provisions and added value of the standard in the context of the European data protection legislation and also looks at the uptake of the standard one year after its publication.
Full citation: Paul de Hert/Vagelis Papakonstantinou, Google Spain: Addressing Critiques and Misunderstandings One Year Later, Maastricht Journal of European and Comparative Law, Vol. 22, Issue 4 (2015)
Abstract: In the text that follows the authors will first highlight some subjectively important facts that need to be kept under consideration while assessing the Court’s decision against the business model currently employed by US internet companies (section 1). In section 2 the authors will engage with Sartor’s concerns with regard to search engines being classified as ‘data controllers’. Section 3 will deal with the issue of extraterritoriality, attempting to assess both Wolf’s reservations and Hijmans’ enthusiasm. The Court’s balancing between economic interests and the right to data protection will be elaborated upon in section 4, while also attempting to address Peers’ and Solove’s criticism on the Court’s balancing method. Finally, in section 5, the authors, in response to Kuner’s idea of the globalization of constitutional clashes, will present their own thoughts on Google’s actual implementation of the Court’s decision for the past year and the DPAs’ reaction to it.
Full citation: Paul de Hert/Vagelis Papakonstantinou, Repeating the Mistakes of the Past will do little Good for Air Passengers in the EU – The Comeback of the EU PNR Directive and a Lawyer’s Duty to Regulate Profiling, editorial, New Journal of European Criminal Law, Vol. 6, Issue 2, 2015
Abstract: On the 17th of February an old data protection acquaintance, the EU PNR Directive, returned to life. On that date the Parliament’s LIBE Committee released its Report on its first (re-)reading of a draft that was otherwise presumed dead since 2011, when that same Committee found it unacceptable because of fundamental rights concerns and asked the Commission to withdraw it. The fact remains that the general data protection environment has in the meantime substantially changed: the PNR Directive’s provisions must now be reconciled with the latest case law of the Court of Justice on acceptable surveillance and with the EU data protection reform package, in particular with its draft Police and Criminal Justice Directive that is to replace the 2008 Framework Decision. This applies both to substantive law and supervision model.
Full citation: Paul de Hert/Vagelis Papakonstantinou, The Council of Europe Data Protection Convention Reform : Analysis of the new text and critical comment on its global ambition, Computer Law & Security Review, Elsevier, Vol. 30, 2014
Abstract: The year 2010 set an important milestone in the development of data protection law in Europe: both Europe’s basic regulatory texts, the EU Data Protection Directive and the Council’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), were placed at an amendment process, having served individual data protection for many years and witnessed in the meantime technological developments that threatened to make their provisions obsolete. After briefly presenting Convention 108, the analysis that follows will highlight the Council’s data protection system currently in effect as well as developments relating to the Convention’s amendment so far with the aim of identifying improvements and shortcomings. While doing this two separate points of view shall be adopted: at first a micro point of view will attempt to identify improvements and shortcomings through an ‘insider’ perspective, that is, judging only the merits and difficulties of the draft text at hand. Afterwards a macroscopic view will be adopted, whereby strategic issues will be discussed pertaining to the important issue of the relationship of the suggested draft with the EU data protection system, as well as, the same draft’s potential to constitute the next global information privacy standard.
Full citation: Paul de Hert/Vagelis Papakonstantinou, International Governance of Data Privacy: Three Scenarios for the Future, I/S: A Journal of Law and Policy for the Information Society, Moritz College of Law Ohio State University/H.J. Heinz III School of Public Policy and Management Carnegie Mellon University, Vol. 9 Issue 2, Summer 2013
Abstract: Data privacy regulation has reached a crossroads: while three out of the four intergovernmental organizations that have released relevant regulations (the OECD, the Council of Europe, and the EU) are amending their respective texts, each one is implementing its own agenda. The Internet and cloud computing are making the need for international governance more evident than ever. Three scenarios may be foreseen: 1) the status quo remains, and technology intervenes to address public concerns; 2) the EU General Data Protection Regulation, which is expected to replace the EU Data Protection Directive by mid-2014, comes into effect and then goes on to set the international data privacy standard; or, 3) as suggested in this paper, an international data privacy organization, preferably a UN agency, is established to promote data privacy issues and warrant international data privacy governance, similar to how the World Intellectual Property Organization advances the purposes of intellectual property protection. The establishment of an international organization does not necessarily mean that a new, comprehensive international data privacy framework also needs to be introduced (at least at this stage). Instead, international instruments already in effect could be used. The globally accepted but perhaps under-used 1990 UN Guidelines for the Regulation of Computerized Personal Data Files are an obvious choice.
Full citation: Paul de Hert/Vagelis Papakonstantinou/David Wright/Serge Gutwirth, The proposed Regulation and the construction of a principles-driven system for individual data protection, Innovation-The European Journal for Social Science Research, Taylor & Francis / ICCR-Foundation, 2013
Abstract: The overhaul of the EU data protection regime is a welcome development for various reasons: the 1995 Directive is largely outdated and cumbersome within an Internet (indeed, Web 2.0) environment. The 2008 Framework Decision is a practically unenforceable instrument, and even harmful in its weakness in protecting personal data. The Commission’s proposed Regulation and Directive intended to replace it to improve the data protection afforded to individuals in their respective fields of application across the EU today. This paper considers some of the principles, some new, some old, that underpin the proposed new data protection framework, which was released on 25 January 2012. We offer an analysis of the key principles of lawfulness of the processing, access to justice, transparency and accountability – principles intended to be all-encompassing, abstract and omnipresent. Some of the above principles may appear to be new, but such is not necessarily the case. For instance, the principle of lawfulness is central in the current 1995 Directive, but it reappears in an amended form in the proposed EU data protection framework. On the other hand, the principle of accountability is an addition to the list that will need to prove its value in practice. Regardless of the outcome of the EU data protection framework amendment process and the ultimate wording of the instruments that compose it, the application and visibility of these principles ought to remain unaffected.
Full citation: Vagelis Papakonstantinou/Paul de Hert, Legal Challenges Posed by Online Aggregation of Museum Content: The Cases Of Europeana and the Google Art Project, SCRIPTed, Volume 9, Issue 3, December 2012
Abstract: Museums are, in most cases, publicly-owned holders of vast amounts of information that are, by definition, open to everyone. Location restrictions, however, usually limit public access. The Internet could change this: once museums digitise their collections and upload them onto their Internet sites, online access would be possible for anyone, anywhere. The difficulty in this case would be that there are practically thousands of museums around the globe, ideally each maintaining its own Internet site. Users therefore face substantial difficulties when conducting research online. From this point of view it is probably a self-evident development to aggregate online museum content in a single website, in order to facilitate user access. This explains the initiatives, for instance, of Europeana from the public sector and the Google Art Project from the private sector – each one in terms of content volume and user exposure holds a pre-eminent position among its (Internet) peers. These initiatives, however, are disruptive, both as regards business methods and legal systems, challenging traditional notions and treading at the borders of well-established legal principles and long-serving rules and regulations. This article discusses the legal issues raised by the contemporary aggregation initiatives of museum content over the Internet, by reference to the above two initiatives. Questions relating to copyright, the sui generis database right, as well as, the issues of systems’ interoperability, public sector information and restitution will be addressed in the analysis that follows.
Full citation: Paul de Hert/Vagelis Papakonstantinou, The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals, The Computer Law & Security Review, Elsevier, Vol. 28, 2011
Abstract: The recent release by the European Commission of the first drafts for the amendment of the EU data protection regulatory framework is the culmination of a consulting and preparation process that lasted more than two years. At the same time, it opens up a law-making process that is intended to take at least as much time. The Commission has undertaken the herculean task to amend the whole EU data protection edifice, through the introduction of a General Data Protection Regulation, intended to replace the EU Data Protection Directive 95/46/EC, and a Police and Criminal Justice Data Protection Directive, intended to replace the Framework Decision 2008/977/JHA. This paper shall focus at the replacement of the EU Data Protection Directive by the draft General Data Protection Regulation. Due to the fact that the draft Regulation is a long (and ambitious) text, a selection has been made, with the aim of highlighting its treatment of basic data protection principles and elements, in order to identify merits and shortcomings for the general data protection purposes.
Full citation: Paul de Hert/Vagelis Papakonstantinou, The Police and Criminal Justice Data Protection Directive: Comment and Analysis, Society for Computers and Law (SCL, UK), ‘Computers & Law’, Volume 22, issue 6 (2012), p 21ff.
Abstract: What is the current legal data protection framework for the Area of Freedom, Security and Justice (AFSJ) personal data processing and what framework could be created in the near future? These two questions are constantly recurring in the EU data protection field, particularly after the ratification of the Lisbon Treaty. The amendment of the EU data protection regulatory framework currently under way offers a unique opportunity to re-evaluate past regulatory options and plan for the future.
Full citation: Vagelis Papakonstantinou/Paul de Hert, The amended EU Law on ePrivacy and Electronic Communications. New rules on data protection, spam, data breaches and protection of intellectual property rights, John Marshall Journal of Computer and Information Law (JCIL), Volume XXIX Number 1, Fall 2011
Abstract: Telecommunications are privileged in being the only sector in European Union (“EU”) law benefiting from sector-specific data protection legislation. Although the (European) right to data protection is by now a fundamental right intended to find horizontal application into any and all fields that involve even the remotest personal data processing, certain sectors did go ahead and acquire regulations, of various legal statuses, specific to their needs and special conditions. Telecommunications (electronic communications) have benefited from sector-specific data protection legislation since 1997, when the first relevant set of regulations was released. Today, the Directive on Privacy and Electronic Communications (the “ePrivacy Directive”) governs the field; its latest amendment, in 2009, brought forward the third in chronological (if not in generational) order relevant regulations.
Because all three versions of the ePrivacy Directive are close in chronological order and succeed one another following technological and regulatory trends, it is essential, before elaborating upon its amendment and effect on European data protection, to first briefly highlight those aspects of its predecessors that demonstrate the development of issues that remain relevant today and their respective regulatory approaches over time. In sections 1 – 6 we will therefore briefly present the EU data protection framework preceding the introduction of the 2009 ePrivacy Directive, as well as the general regulatory environment upon which its specialized provisions build. Special emphasis will be given to the originally intended regulatory model of implementing sector-specific regulations to complement the general provisions, a model, however, that appears to have been ultimately employed only in the telecommunications sector. In addition, attention shall be given to the general EU data protection framework currently in reform, and the effect such reform may have for the ePrivacy Directive. Sections 7 and 8 describe the preparatory phases and the background leading up to the introduction of the 2009 ePrivacy Directive. In sections 9-12 the focus is turned to those additions to the ePrivacy Directive that are considered of particular interest, at least from a data protection point of view. In this context, the cases of system integrity, spam, cookies and user consent, public directories, and personal data breach notifications are examined respectively. Finally, in section 13, special attention is given to the Three Strikes Law debate and to the Internet Freedom provision ultimately adopted in the text of the 2009 ePrivacy Directive.
Full citation: Paul de Hert/Vagelis Papakonstantinou, The EU PNR framework decision proposal: Towards completion of the PNR processing scene in Europe, The Computer Law & Security Review, Elsevier, Vol. 26, 2010
Abstract: The entry into force of the Lisbon Treaty has suspended discussions over the release of a EU PNR processing system. Plans to introduce an intra-EU PNR processing system initiated since 2007, although strongly supported by the Commission and the Council, did not bear fruit before the ratification of the Lisbon Treaty and the, institutional, involvement of the Parliament. While discussions have been suspended since October 2009 and most probably a new draft proposal will be produced, it is perhaps useful to present in brief the proposal currently in place so as to highlight its shortcomings for European data protection and suggest ways individual protection may be strengthened in future drafts.
Full citation: Paul de Hert/Vagelis Papakonstantinou, The data protection framework decision of 27 November 2008 regarding police and judicial cooperation in criminal matters – modest but not the data protection text everybody expected, The Computer Law & Security Review, Elsevier, 25, 2009
Abstract: After more than three years in the making, that have witnessed much controversy, several working texts and at least two altogether different versions, the Data Protection Framework Decision “on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters” (hereafter, the DPFD) was finally adopted on 27 November 2008. The DPFD was supposed to be celebrated as the Data Protection Directive equivalent in European law enforcement (Third Pillar) processing. However, since its formal adoption, and even before that, data protection proponents (the European Data Protection Supervisor, the Article 29 Working Party, national Data Protection Commissioners, NGOs) lamented its adoption as the result of changes that ultimately compromised data protection. Is the DPFD a disappointment to the great expectations that accompanied its first draft, back in 2006? An attempt to address this question shall be undertaken in this paper.
Full citation: Vagelis Papakonstantinou/Paul de Hert, The PNR Agreement and transatlantic anti-terrorism co-operation. No firm human rights framework on either side of the Atlantic, Common Market Law Review (Kluwer Law International), 46 No. 3, June 2009
Abstract: Seamless air commuting between the EU and the USA appears to constitute nowadays a much sought-after but nevertheless still elusive cause. The level of co-operation between the two parties has had, and is still having, its best and worst days. The protection of individual privacy continues to constitute one of the causes for much controversy. In Europe, the formal recognition of a right to data protection, in addition to the right to privacy, has led to an elaborate framework for the protection of individuals; however, internal, institutional difficulties have frequently caused confusion as to the appropriate legal treatment of different situations. In the USA individual privacy and personal data are protected through a mixture of sources: Constitutional law, Supreme Court case law, federal legislation, sector-specific legislation, etc. The difference in approach is obvious and has fed European belief about having higher standards in protection of personal data. After 9/11, the request of American security authorities to have increased access to the personal data of passengers (PNR data) visiting the USA, inevitably led to yet another confrontation of the two systems. The conflict was attempted to be resolved by a First (2004) PNR Agreement, that was annulled by the European Court of Justice, then by an Interim PNR Agreement and, finally, by the, in effect, Second (2007) PNR Agreement. The paper attempts to bring forward the route to the conclusion of the PNR Agreements, as well as to assess the effectiveness of the policy choices and the PNR Agreement model itself for the protection of individual privacy.
Full citation: Kay Hailbronner/Vagelis Papakonstantinou/Marcel Kau, The Agreement on Passenger Data Transfer (PNR) and the EU-US cooperation in Data Communication, International Migration, Blackwell Publishing, Vol 46 (2), 2008
Abstract: Although individual privacy is a much-esteemed right on both sides of the Atlantic, in practice its protection has engendered, within the last ten years, some serious legal and socio-economic conflicts between the United States and the European Union. Its elusive context only constitutes part of the problem’s explanation. After all, regardless whether “privacy”, “information privacy” or “data protection”, individuals in the Western hemisphere broadly understand the same thing when it comes to infringements of their privacy rights. Part of the same explanation also relates to different backgrounds: in the United States, the state is admittedly viewed in opposition to individuals, as something whose powers must be kept under control; in Europe, different historical experiences have led to a similar concept of checks and balances as in the United States, though public interests and common goods foster the government’s positions toward the individual. Consequently, this setting has led to a stronger need for data protection in Europe, and a more lenient protection framework in the United States.
On 11 December 2006, an expert meeting supported by the German Marshall Fund dealt with the Agreement on Passenger Data Transfer between EU Member States and the United States in the context of transatlantic cooperation in data communication. The participants of the meeting came from both Europe and the United States, and included academics as well as representatives of the US government, the EU Commission, and the Electronic Privacy Information Center (EPIC), a Washington-based non-governmental organization. The focus of the discussions was the existing Agreement of European airlines to provide data on arriving passengers and the different data protection traditions in the United States and Europe.
Full citation: Papakonstantinou Vagelis, A Data Protection Approach to Data Matching Operations Among Public Bodies, International Journal of Law and Information Technology (Oxford University Press), Vol. 9 No. 1, 2001
Abstract: Data matching operations have been promoted as an administrative panacea that helps to reduce costs while maximising efficiency and combating fraud. Nevertheless, they may constitute at the same time a brutal invasion into individuals’ privacy. After an extensive effort to define precisely data matching and distinguish such processing from similar filing operations, a data protection approach will be attempted through a given axis of analysis in order to demonstrate the strengths and weaknesses of this legislative approach.
Book chapters.
Full citation: Vagelis Papakonstantinou, The Need to Introduce a New Individual Right to Cybersecurity, in European Cybersecurity in Context: A Policy-Oriented Comparative Analysis edited by Luigi Martino and Nada Gamal, European Liberal Forum, 2022.
Abstract: Currently cybersecurity concerns are often perceived as exclusively pertaining to states and organisations. All current regulatory instruments either in effect or in the legislative process are addressed to Member States and (large or important) organisations in the EU. For individuals, on the other hand, cybersecurity is seen as a service to be indirectly provided by third parties. This is a fundamentally flawed understanding. Individuals should not be seen as passive recipients of cybersecurity, dependent on the goodwill and effectiveness of third parties. On the contrary, they need legal tools to protect themselves in the digital environment. The introduction of a new right to cybersecurity will enable individuals to protect their digital selves, while legally requiring third parties to respect their rights.
Full citation: Paul de Hert/Vangelis Papakonstantinou, Right to be Forgotten, in Elgar Encyclopedia of Law and Data Science edited by Giovanni Comandé, Professor of Law, Sant’Anna School of Advanced Studies and Coordinator, LIDER-Lab, Edward Elgar Publishing, 2022.
Abstract: This Encyclopedia brings together jurists, computer scientists, and data analysts to map the emerging field of data science and law for the first time, uncovering the challenges, opportunities, and fault lines that arise as these groups are increasingly thrown together by expanding attempts to regulate and adapt to a data-driven world. It explains the concepts and tools at the crossroads of the many disciplines involved in data science and law, bridging scientific and applied domains. Entries span algorithmic fairness, consent, data protection, ethics, healthcare, machine learning, patents, surveillance, transparency and vulnerability.
Full citation: Vagelis Papakonstantinou, “Should We be Afraid of Fake News?” in “Disinformation and Digital Media as a Challenge for Democracy” by Georgios Terzis, Dariusz Kloza, Elzbieta Kuzelewska, Daniel Trottier (eds.), Intersentia, 2020.
Abstract: This book is motivated, to a large extent, by some recent troubling developments in public discourse, namely the developments in information and disinformation practices. From the beginning of history, various and diverse means or channels of communication have been used to inform, misinform (unintentionally) and disinform (deliberately). However, in recent decades, the emergence and development of new information and communications technologies (ICT), combined with the ever-increasing digitalisation and globalisation of almost every aspect of modern life, among others, have opened up new and uncharted avenues to that end. This book therefore focuses on disinformation practices occurring with the help of digital media as these practices bring to the fore profound negative ramifications for the functioning of a democratic polity.
Full citation: Paul de Hert/Vagelis Papakonstantinou, Data Protection Policies in EU justice and home affairs: A multi-layered and yet unexplored territory for legal research, in The Routledge Handbook of Justice and Home Affairs Research, Ripoll Servent A/Trauner F, Routledge, 2018.
Abstract: Justice and Home Affairs is one of the fastest expanding areas of research in European Studies. The European response to security concerns such as terrorism, organised crime networks, and drug trafficking as well as to the challenge of managing migration flows are salient topics of interest to an increasing number of scholars of all disciplines, the media and general public. This handbook takes stock of policy development and academic research in relation to justice and home affairs and analyses the field in an unprecedented thematic depth. The book comprehensively investigates the field from the perspective of the three dimensions central to European integration: the sectoral (policies), the horizontal (states, regions) and the vertical (institutions, decision-making) dimensions. It also discusses the most important theoretical approaches used in this research area and provides the reader with a state of the art picture of the field. By adopting such a comprehensive and broad-based approach, the handbook is uniquely positioned to be an important referent for scholars, practitioners and students interested in the area of justice, home affairs and European politics.
Full citation: Paul de Hert/Vagelis Papakonstantinou, Moving Beyond the Special Rapporteur on Privacy with the Establishment of a New, Specialised United Nations Agency: Addressing the Deficit in Global Cooperation for the Protection of Data Privacy, in Svantesson D/Kloza D, Transatlantic Data Privacy Relations as a Challenge for Democracy, Intersentia, 2017.
Abstract: In July 2015, the UN Human Rights Council appointed Professor Joseph Cannataci as its first-ever Special Rapporteur on the right to privacy. His mandate is, among others, to gather information, identify obstacles, take part in global initiatives and raise awareness.
In order to address this global deficit in cooperation, the authors believe that a new, specialised UN agency for the protection of data privacy needs to be established. We believe that the World Intellectual Property Organization (WIPO) could serve as useful inspiration to this end. The role of the global regulatory text of reference for data privacy, corresponding to the Paris and Berne Conventions within the global system for intellectual property protection, could be held by the UN Guidelines for the Regulation of Computerized Personal Data Files. Despite their age, we believe that, if modernized, they could achieve global consensus and attain the basic data privacy purposes, constituting the global common lowest denominator. In the first section of this chapter, we briefly outline the deficit in global cooperation to the detriment of the level of data protection afforded to individuals (section 1). Then the UN initiatives for the global protection of data privacy are discussed (section 2). In the next section, we suggest that a new, specialised UN agency for data privacy be established, and we identify its potential benefits (section 3). Finally, we compare such an initiative with the WIPO and global intellectual property protection model that, to our mind, could serve as a useful role model for the development of a similar, global UN system for the protection of data privacy (section 4).
Full citation: Paul de Hert/Vagelis Papakonstantinou, The EU institutions’ battle over data processing vs individual rights, in Policy Change in the Area of Freedom, Security and Justice: How EU institutions matter, editors F Trauner/A Ripoll Servent, Routledge, 2015.
Abstract: The EU plays an increasingly important role in issues such as the fight against organised crime and the management of migration flows, transforming the Area of Freedom, Security and Justice (AFSJ) into a priority of the EU’s political and legislative agenda.
This book investigates whether institutional change – the gradual communitarisation of the AFSJ – has triggered policy change, and in doing so, explores the nature and direction of this policy change. By analysing the role of the EU’s institutions in a systematic, theory-informed and comparative way, it provides rich insights into the dynamics of EU decision-making in areas involving high stakes for human rights and civil liberties. Each chapter contains three sections examining: the degree of policy change in the different AFSJ fields, ranging from immigration and counter-terrorism to data protection; the role of EU institutions in this process of change; a case study determining the mechanisms of change.
The book will be of interest to practitioners, students and scholars of European politics and law, EU policy-making, security and migration studies, as well as institutional change.
Full citation: Paul de Hert/Vagelis Papakonstantinou, The EDPS as a unique stakeholder in the European data protection landscape, fulfilling the explicit and non-explicit expectations, in Data Protection anno 2014: How to Restore Trust? Contributions in honour of Peter Hustinx, European Data Protection Supervisor (2004-2014), Intersentia, 2014.
Abstract: We live in an era in which privacy and data protection are daily news items. This tendency demonstrates that privacy and data protection are taken seriously in wide circles of our society. Most of the time, however, issues relating to privacy and data protection are not newsworthy because these rights have been so well protected. It is the scandals that make the news, the latest example being the NSA affair which has dominated the news for months. These news stories create a feeling of discomfort and lead to diminishing trust – diminishing trust of citizens in companies they deal with, in their governments, in supranational entities such as the European Union, in the law, and diminishing trust between countries. This book defines the restoration of this trust in relation to privacy and data protection as the most pressing challenge. It reflects on the state of play in the area of privacy and personal data protection in Europe and the United States at the start of 2014. The authors discuss the issues from different perspectives, such as constitutional values and the role of the judiciary, the role of the legislator and independent control, and transatlantic relations. This volume collects contributions of a large number of outstanding academic scholars, legal practitioners, regulators and politicians from Europe as well as the United States. All contributions are written in honour of Peter Hustinx, the first European Data Protection Supervisor who will step down in 2014, after ten successful years in office and after a long and impressive career in the area of privacy and data protection. A recommended read for everyone interested in privacy and data protection and more generally in the complex relations between law and the information society.
Full citation: Papakonstantinou Vagelis, Intellectual Property Rights: the security perspective, in Electronic Security and Digital Forensics Handbook (ed. Hamid Jahankhani), Inderscience Publishers, 2009.
Abstract: The widespread use of information and communications technology (ICT) has created a global platform for the exchange of ideas, goods and services, the benefits of which are enormous. However, it has also created boundless opportunities for fraud and deception. Cybercrime is one of the biggest growth industries around the globe, whether it is in the form of violation of company policies, fraud, hate crime, extremism, or terrorism. It is therefore paramount that the security industry raises its game to combat these threats. Today’s top priority is to use computer technology to fight computer crime, as our commonwealth is protected by firewalls rather than firepower. This is an issue of global importance as new technologies have provided a world of opportunity for criminals. This book is a compilation of the collaboration between the researchers and practitioners in the security field; and provides a comprehensive literature on current and future e-security needs across applications, implementation, testing or investigative techniques, judicial processes and criminal intelligence. The intended audience includes members in academia, the public and private sectors, students and those who are interested in and will benefit from this handbook.
Full citation: Papakonstantinou Vagelis, Cyberspace and cybercrime, in Electronic Security and Digital Forensics Handbook (ed. Hamid Jahankhani), Inderscience Publishers, 2009.
Abstract: The widespread use of information and communications technology (ICT) has created a global platform for the exchange of ideas, goods and services, the benefits of which are enormous. However, it has also created boundless opportunities for fraud and deception. Cybercrime is one of the biggest growth industries around the globe, whether it is in the form of violation of company policies, fraud, hate crime, extremism, or terrorism. It is therefore paramount that the security industry raises its game to combat these threats. Today’s top priority is to use computer technology to fight computer crime, as our commonwealth is protected by firewalls rather than firepower. This is an issue of global importance as new technologies have provided a world of opportunity for criminals.
This book is a compilation of the collaboration between the researchers and practitioners in the security field; and provides a comprehensive literature on current and future e-security needs across applications, implementation, testing or investigative techniques, judicial processes and criminal intelligence. The intended audience includes members in academia, the public and private sectors, students and those who are interested in and will benefit from this handbook.
Full citation: Papakonstantinou Vagelis, Legal Issues for DRM: the future, in Digital Rights Management for E-Commerce Systems (eds. Drossos L, Tsolis D, Sioutas S, Papatheodorou T), IGI Global, 2008.
Abstract: DRM systems have been implemented in the past few years by the Content Industry as the panacea against all copyright (and Intellectual Property Rights in general) infringements over the Internet. The validity of this statement shall be assessed in this analysis, identifying its strengths and record to-date and highlighting its shortcomings in an increasingly complex e-commerce (Web 2.0) environment. While doing this, particular attention shall be given to (mostly EU) Intellectual Property Law, Consumer Law, Data Protection Law, and Competition Law.
Full citation: Paul de Hert/Vagelis Papakonstantinou/Cornelia Riehle, Data Protection in the Third Pillar. Cautious pessimism, in Crime, Rights and the EU: the future of police and judicial cooperation (ed. Maik Martin), JUSTICE, 2007.
Abstract: Police and judicial databases are filled with sensitive information, as all police data on persons can be considered sensitive, whether its use violates privacy or not. Depending on the context, the mere fact that someone appears in a police database may in itself be sensitive information. Nevertheless, most citizens are unaware of the extent to which their personal data are processed by police and judicial authorities. This naivety plays into the hands of those who favour (new) security policies that infringe fundamental rights.
Official Reports.
Full citation: Handbook on Data Protection in Humanitarian Action, Kuner C/Marelli M, Brussels Privacy Hub and the International Committee of the Red Cross (ICRC), 2017.
Abstract: Recent developments in new technologies have meant that the Processing of ever-increasing quantities of Personal Data in an interconnected world has become easier and faster. This has also given rise to concerns about the possible intrusion into the private sphere of individuals and to regulatory efforts worldwide to respond to these concerns. The Handbook on Data Protection in Humanitarian Action has been published as part of the Data Protection in Humanitarian Action project, organized jointly by the Brussels Privacy Hub, an academic research centre of the Vrije Universiteit Brussel (VUB) in Brussels, Belgium, and the International Committee of the Red Cross (ICRC) Data Protection Office in Geneva, Switzerland. The content of the first edition of the Handbook was developed in a series of workshops held in Brussels and Geneva in 2015–2016, with representatives from Humanitarian Organizations (including humanitarian practitioners), data protection authorities, academics, non-governmental organizations, researchers and other experts. They came together to address questions of common concern in the application of data protection in Humanitarian Action, particularly with respect to new technologies. On 3 June 2020, the Hub together with the International Committee of the Red Cross (ICRC) published the second edition of their Handbook on Data Protection in Humanitarian Action. The co-editors of the second edition are Christopher Kuner, co-director of the Hub, and Massimo Marelli of ICRC. The second edition builds on the first edition published in 2017, and includes additional chapters on data protection and the following technologies: digital identity; social media; blockchain; connectivity as aid; and artificial intelligence and machine learning.
Full citation: Paul de Hert/Vagelis Papakonstantinou, The data protection regime in China, European Parliament, Committee on Civil Liberties, Justice and Home Affairs, 2015.
Abstract: This in-depth analysis was commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the LIBE Committee. One cannot talk of a proper data protection regime in China, at least not as it is perceived in the EU. The international data protection fundamentals that may be derived from all relevant regulatory instruments in force today, namely the personal data processing principles and the individual rights to information, access and rectification, are not unequivocally granted under Chinese law. An efficient enforcement mechanism, also required under European standards, is equally not provided for. China has no comprehensive data protection act but several relevant sectorial laws that, under a combined reading together with basic criminal and civil law provisions, may add up to a data protection ‘cumulative effect’. This assertion is examined and assessed in the analysis that follows. A list of realistic policy recommendations has been drawn up in order to establish whether China’s recent data protection effort is part of a persistent, yet concise, policy.
Full citation: Paul de Hert/Vagelis Papakonstantinou, The data protection regime applying to the inter-agency cooperation and future architecture of the EU criminal justice and law enforcement area, European Parliament, Committee on Civil Liberties, Justice and Home Affairs, 2014.
Full citation: Didier Bigo/Sergio Carrera/Gloria González Fuster/Elspeth Guild/Paul De Hert/Julien Jeandesboz/Vagelis Papakonstantinou, Towards a New EU Legal Framework for Data Protection and Privacy: Challenges, Principles and the Role of the European Parliament, European Parliament, Committee on Civil Liberties, Justice and Home Affairs, 2011.
Full citation: Paul De Hert/Vagelis Papakonstantinou/Rowena Rodrigues/David Barnard-Wills/David Wright/Luca Remotti/Tonia Damvakeraki, Editors: Laurent Beslay, EC JRC–IPSC/Nicolas Dubois, EC DG JUST, EU Privacy seals project: Challenges and Possible Scope of an EU Privacy Seal Scheme, European Commission, Joint Research Centre, 2014.
Abstract: The objective of this report is to focus on the challenges of implementing an effective EU privacy seal and its possible scope. It returns the focus to privacy and data protection, and presents further groundwork to feed into Task 4 of the Study (Proposals and evaluation of options for an EU-wide privacy seals scheme). Where relevant, research results and analyses of Tasks 1 and 2 are used. First, the report assesses the gaps in the current privacy seal sector. Next, it highlights the advantages of, priorities for and possible scope of an EU privacy seal scheme. Eventually, four case studies (CCTV systems, cloud services, smart metering systems and biometric systems) illustrate the possible scope of an EU privacy seal scheme and demonstrate whether an EU privacy seals scheme would bring any added value to privacy and data protection.
Working Papers.
Full citation: Data privacy law as a new field of law, Vagelis Papakonstantinou, CDSL Working Paper, 7/2024.
Abstract: The turn of the 1980s was a milestone period in the development of data privacy laws, that was only paralleled by the turn of the 2020s. The former saw the introduction of Convention 108 by the Council of Europe in 1981 and, four months earlier, the OECD’s Guidelines “governing the Protection of Privacy and Transborder Flows of Personal Data”. Apart from the above two international instruments, within only a few years’ period France, Germany and the United Kingdom all introduced personal data protection legislation within their respective jurisdictions. The same milestone period for the development of data privacy laws has been witnessed around the turn of the 2020s: In the EU the General Data Protection Regulation and the Data Protection Law Enforcement Directive came into effect in 2018; the Council of Europe’s Convention 108 was modernised also in 2018. In the USA, California’s Consumer Privacy Act was introduced in 2018; China introduced its own relevant legislation in 2021; Brazil and India acquired their first relevant law in 2020 and 2021 respectively. In Europe, a GDPR mimesis phenomenon was noted. Forty years after its firm establishment, data privacy law is reaching its maturity point and international renown. In view of the above, can there perhaps be talk of a new legal field? Have data privacy laws over the past forty years formulated a separate field of law? Or are we simply dealing with important but solitary, standalone pieces of legislation? If a new legal field has indeed been formed, how will it be called? “Data protection law”, “privacy law” or a combination of the two? However, perhaps more pertinently, do these distinctions matter at all? What is a “field of law” within Roman and Common Law legal systems and what is the significance of its continued existence? What are the criteria for its designation? Does this distinction bring any concrete and practical benefits to law today?
If yes, and if legal field status was actually acknowledged to data privacy law, what would these be? The analysis that follows aims at addressing these questions.
Full citation: Five years after 2018, the annus mirabilis for EU data protection: Where we stand and the outlook ahead, Vagelis Papakonstantinou, CDSL Working Paper, 8/2024.
Abstract: The law has an ambivalent relationship with the future. It is not only that it is hard to make predictions, especially about the future, but also that a single word (in the future) by the lawmaker can quickly make years of law implementation (and relevant case law and legal theory) obsolete. Notwithstanding incertitude, however, path dependence (“the tendency of institutions or technologies to become committed to develop in certain ways as a result of their structural properties or their beliefs and values”) perhaps helps make predictions a bit less hopeless. It is around these thoughts, and concerns, that the analysis that follows unfolds. Five years have passed after 2018, the annus mirabilis for EU data protection when both the GDPR and the LED became effective, and this anniversary invites a retrospective assessment and a, modest, attempt to look into the future.