Privacy and Data Protection

The protection of natural persons in relation to the processing of personal data is a fundamental right recognized by the EU Charter of Fundamental Rights. The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data; where

'personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);

an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; and

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

This EU data protection legislation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.

Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.

The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data. The exchange of personal data between public and private actors, including natural persons, associations and undertakings across the Union has increased. National authorities in the Member States are being called upon by Union law to cooperate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State.

Excerpts from Regulation (EU) 2016/679 of the European parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

“Personal data protection is a fundamental right, and is also enshrined in the Lisbon Treaty. The Charter of Fundamental Rights of the European Union provides that „Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.”

Every individual has the right to adequate protection of his personal data. Processing of personal data must be necessary, fair, lawful and proportionate. The data that individuals provide directly or indirectly must not be used for purposes other than originally intended. Nor can such data be passed on indiscriminately to entities that the individual has not chose to be involved with. These rights apply to everyone, irrespective of nationality or place of residence. Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life is only permitted with explicit consent of the individual, where allowed by national legislation. (…)

These rights also apply online, where individuals have in addition the following rights:

To be fully informed and give their agreement if a website stores and retrieves information from their terminal equipment or wants to track them when they surf the internet;

Confidentiality of their online communications, such as emails;

To be notified if their personal data held by their Internet Service Provider has been compromised, e.g. lost or stolen, and their privacy is likely to be adversely affected;

Not to be sent unsolicited commercial communications, known as ‘spam‘, unless they have given their agreement.”

Code of EU Online RIghts

Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organisations which collect and manage personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by the active legislation. Also, every day within the EU, businesses, public authorities and individuals transfer vast amounts of personal data across borders. Conflicting data protection rules in different countries would disrupt international exchanges. Individuals might also be unwilling to transfer personal data abroad if they were uncertain about the level of protection in other countries. Therefore, common EU rules have been established to ensure that citizens’ personal data enjoys a high standard of protection everywhere in the EU and the best possible protection of your data when it is exported abroad.

On 4 May 2016, the official texts of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA have been published in the EU Official Journal in all the official languages; and are to make Europe fit for the digital age. While the Regulation enters into force on 24 May 2016, it shall apply from 25 May 2018. The Directive enters into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.

The new General Data Protection Regulation introduces one, single, technologically neutral and future-proof set of rules across the EU, meaning that regardless of how technology and the digital environment develop in the future, the personal data of individuals in the EU will be secure, and their fundamental right to data protection respected. It also reinforces the ‘right to be forgotten’, so that if an individual no longer wants their personal data to be processed, and there is no legitimate reason for an organisation to keep it, it must be removed from their system. Citizens also have a right to data portability, i.e. the right to obtain a copy of their data from one Internet company and to transmit it to another one without hindrance from the first company. These new rules are to help build trust in the online environment, which is good for individuals and businesses, and to create fair competition as all non-EU companies will have to apply the same rules as EU companies when offering goods or services in the EU.

LIBRe Foundation adopts an all-round research methodology to data protection. Our team studies the issues related to processing of personal data in the broader context of the interaction between citizens and private and public entities. We believe that data protection should not be seen as an isolated phenomenon, but rather as part of the broader framework of fundamental rights. In this, we adopt the approach of studying cross-domain interactions between different areas of law where data protection plays a certain important role, such as Employment Law, Medical Law, Consumer Protection Law, е-Commerce Law, etc.

Personal data concerning health include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject, i.e. a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

Nowadays, with the development of the information technologies, we do not talk only about classical sets of medical data, but also about digital representations of individuals including all health related information, which can be incorporated into a decision support tool for clinicians, i.e computer modelling and simulation, as well as the development of applications to process information and to create knowledge, making better disease prediction and treatment possible, covering the entire patient management chain, from prevention to diagnosis, treatment and rehabilitation.

The use of Big Data and the Internet of Things in the medical sector become unavoidable and have a major impact on the healthcare system in general. LIBRe Foundation pays specific attention to the emergence of new devices capable of collecting and processing vast amounts of data concerning the health of individuals. Such devices create risks from both security and data protection point of view. Our research in this field focuses on identifying ways to make this information useful to both individuals and medics while minimizing the risks of unlawful data processing.

Identity management is a broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an enterprise) and controlling their access to resources within that system by associating user rights and restrictions with the established identity.

While there are many different approaches to identity management, it essentially involves two fundamental processes: (1) the process of identifying a person and issuing an identity credential to reflect that identity (“identification”), and (2) the process of later verifying that a particular person presenting that credential and claiming to be that previously identified person is, in fact, such person (“authentication”). Once an individual’s identity is successfully authenticated, a third process, referred to as “authorization,” is used by the party relying on the authenticated identity to determine what rights and privileges are accorded to such person.

The challenge is to import the concept of a single identity credential that can be used with numerous organizations that had no involvement with the original issuance of the credential, to the digital online environment. That is, to create secure, reliable and trustworthy digital identity credentials that can be used across different ecosystems and entities. However, this notion reveals a significant amount of complications with respect to the personal data collected during the identification and authentication process; and the storage of such personal data.

The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage.

Anything we post can become part of our online reputation and online brand for the rest of our digital life. On the Internet, we create an image of ourselves through the information we share in blogs comments, tweets, snapshots, videos, and links; оthers can also add their own opinions (good or bad), which contribute to our reputation. Our privacy on the Internet depends on our ability to control both the amount of personal information that you provide and who has access to that information.

LIBRe Foundation studies the implications of new technologies on the way individuals regard their online reputation. Our research considers legal, social, economic and ethical arguments to support of the view that online reputation could deviate from ‘offline’ reputation to a considerable extent. In our research we consider the various determining factors of reputation on the internet in search of an approach that would enable individuals to exercise control over their online reputation.