“Personal data protection is a fundamental right, and is also enshrined in the Lisbon Treaty. The Charter of Fundamental Rights of the European Union provides that ‘Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.’
Every individual has the right to adequate protection of his personal data. Processing of personal data must be necessary, fair, lawful and proportionate. The data that individuals provide directly or indirectly must not be used for purposes other than originally intended. Nor can such data be passed on indiscriminately to entities that the individual has not chosen to be involved with. These rights apply to everyone, irrespective of nationality or place of residence. Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life are only permitted with explicit consent of the individual, where allowed by national legislation. (…)
These rights also apply online, where individuals have in addition the following rights:
To be fully informed and give their agreement if a website stores and retrieves information from their terminal equipment or wants to track them when they surf the internet;
Confidentiality of their online communications, such as emails;
To be notified if their personal data held by their Internet Service Provider has been compromised, e.g. lost or stolen, and their privacy is likely to be adversely affected;
Not to be sent unsolicited commercial communications, known as ‘spam’, unless they have given their agreement.”
Code of EU Online Rights
Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organisations which collect and manage personal information must protect it from misuse and must respect certain rights of the data subjects which are guaranteed by the legislation in force. Every day within the EU, businesses, public authorities and individuals transfer vast amounts of personal data across borders. Conflicting data protection rules in different countries would disrupt international exchanges, and individuals might be unwilling to transfer personal data abroad if they were uncertain about the level of protection in other countries. Therefore, common EU rules have been established to ensure that citizens’ personal data enjoys a high standard of protection everywhere in the EU and the best possible protection when it is exported abroad.
On 4 May 2016, the official texts of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, were published in the EU Official Journal in all the official languages. Both instruments are intended to make Europe fit for the digital age. While the Regulation enters into force on 24 May 2016, it shall apply from 25 May 2018. The Directive enters into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.
The new General Data Protection Regulation introduces one single, technologically neutral and future-proof set of rules across the EU, meaning that regardless of how technology and the digital environment develop in the future, the personal data of individuals in the EU will be secure and their fundamental right to data protection respected. It also reinforces the ‘right to be forgotten’, so that if an individual no longer wants their personal data to be processed, and there is no legitimate reason for an organisation to keep it, it must be removed from the organisation’s systems. Citizens also have a right to data portability, i.e. the right to obtain a copy of their data from one Internet company and to transmit it to another one without hindrance from the first company. These new rules are meant to help build trust in the online environment, which is good for individuals and businesses alike, and to create fair competition, as all non-EU companies will have to apply the same rules as EU companies when offering goods or services in the EU.
LIBRe Foundation adopts a comprehensive research methodology for data protection. Our team studies the issues related to the processing of personal data in the broader context of the interaction between citizens and private and public entities. We believe that data protection should not be seen as an isolated phenomenon, but rather as part of the broader framework of fundamental rights. To this end, we study cross-domain interactions between different areas of law in which data protection plays an important role, such as Employment Law, Medical Law, Consumer Protection Law, e-Commerce Law, etc.
Personal data concerning health include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject, including: a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject, independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.
Nowadays, with the development of information technology, we no longer talk only about classical sets of medical data, but also about digital representations of individuals that incorporate all health-related information. Such representations can be fed into decision support tools for clinicians, i.e. computer modelling and simulation, and into applications that process information and create knowledge, making better disease prediction and treatment possible across the entire patient management chain, from prevention to diagnosis, treatment and rehabilitation.
The use of Big Data and the Internet of Things in the medical sector has become unavoidable and has a major impact on the healthcare system in general. LIBRe Foundation pays specific attention to the emergence of new devices capable of collecting and processing vast amounts of data concerning the health of individuals. Such devices create risks from both a security and a data protection point of view. Our research in this field focuses on identifying ways to make this information useful to both individuals and medical professionals while minimising the risks of unlawful data processing.
Identity management is a broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an enterprise) and controlling their access to resources within that system by associating user rights and restrictions with the established identity.
While there are many different approaches to identity management, it essentially involves two fundamental processes: (1) the process of identifying a person and issuing an identity credential to reflect that identity (“identification”), and (2) the process of later verifying that a particular person presenting that credential and claiming to be that previously identified person is, in fact, such person (“authentication”). Once an individual’s identity is successfully authenticated, a third process, referred to as “authorization,” is used by the party relying on the authenticated identity to determine what rights and privileges are accorded to such person.
The challenge is to carry the concept of a single identity credential, usable with numerous organisations that had no involvement in its original issuance, over into the digital online environment: that is, to create secure, reliable and trustworthy digital identity credentials that can be used across different ecosystems and entities. However, this notion raises significant complications with respect to the personal data collected during the identification and authentication processes, and with respect to the storage of such personal data.
Risks to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage.
Anything we post can become part of our online reputation and online brand for the rest of our digital life. On the Internet, we create an image of ourselves through the information we share in blog comments, tweets, snapshots, videos and links; others can also add their own opinions (good or bad), which contribute to our reputation. Our privacy on the Internet depends on our ability to control both the amount of personal information we provide and who has access to that information.
LIBRe Foundation studies the implications of new technologies for the way individuals regard their online reputation. Our research considers legal, social, economic and ethical arguments in support of the view that online reputation can deviate from ‘offline’ reputation to a considerable extent. In our research we examine the various factors that determine reputation on the Internet, in search of an approach that would enable individuals to exercise control over their online reputation.