General Data Protection Regulation

Öz: BTC, Bitcoin blok zincirinde üretilen ve yeni çağın dijital parası da olarak tanımlanan ilk kripto paradır. BTC'nin altında yatan blok zinciri teknolojisi, BTC'nin ağda üretilmesine ve dijital BTC cüzdanlarında muhafaza edilip dünyanın farklı yerlerinde olan bu cüzdanlar vasıtasıyla ağda işleme konu edilmesine imkân sağlamaktadır. Dağıtık kayıt defterinin, dolayısıyla blok zinciri teknolojisinin herkese açık bir yapıya sahip olması, Bitcoin blok zincirine dünyanın herhangi bir yerinden isteyen herkesin ağa katılmasına imkân vermektedir. Aynı şekilde bu yapı, madencilik ile ağda BTC üretilmesinde; ağda yapılan BTC işlemlerinin ağda önceden belirlenmiş kurallar çerçevesinde üzerinde mutabakata varılıp onaylanmasında ve işlemin ağa yeni bir blok olarak eklenerek zincirin oluşturulmasında kullanıcılarına yetki vermektedir. Ağın işleyişi, farklı ülkelerde bulunan kullanıcılar tarafından eşler arası bir ağda, herhangi bir merkezi/aracı kurumun ve herhangi bir devletin kontrolünden bağımsız olarak yürütülmektedir. Milletlerarası özel hukuk perspektifinden bakıldığında, Bitcoin blok zincirinin teknik özellikleri, özellikle herhangi bir kripto para hizmet sağlayıcısı olmaksızın iki kullanıcı arasında on-chain olarak yapılan BTC transferinin belirli bir yargı yetkisi alanı içerisinde tanımlanmasını zorlaştırmakta ve işlemlere sınır ötesi bir nitelik kazandırmaktadır. Dolayısıyla, Bitcoin blok zinciri ağının geleneksel ulusal sınırları tanımayan sınır ötesi doğası on-chain BTC transferlerinin nasıl ve ne koşulda milletlerarası niteliğe haiz olarak değerlendirileceği sorusunu da gündeme getirmiştir.

Public archives play an important role in our society by identifying, assessing and preserving documentary material of long-term value, ensuring accountability of government and other organizations. Privacy and data protection are most important reasons to limit access to these archives. Many documents in public archives contain sensitive information about individuals, making data protection a primary concern that limits access to recent archive holdings. This creates a conflict between the need for transparency and accountability and legal obligations to protect personal data. There are still uncertainties regarding the practical implementation of the GDPR on the ground. In this article we explore the perspectives of different interest groups and discuss how an appropriate balance of rights and interests can be realized.

V skladu z določilom druge alineje prvega odstavka 89. člena Zakon delovnih razmerjih lahko delodajalec delavcu redno odpove pogodbo o zaposlitvi, če delavec ne dosega pričakovanih delovnih rezultatov, ker dela ne opravlja pravočasno, strokovno in kakovostno, ne izpolnjuje pogojev za opravljanje dela, določenih z zakoni in drugimi predpisi, izdanimi na podlagi zakona, zaradi česar delavec ne izpolnjuje oziroma ne more izpolnjevati pogodbenih ali drugih obveznosti iz delovnega razmerja – t. i. razlog nesposobnosti.

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L'archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d'enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L'archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d'enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Searching the Web to find doctors and make appointments online is a common practice nowadays. However, simply visiting a doctors website might disclose health related information. As the GDPR only allows processing of health data with explicit user consent, health related websites must ask consent before any data processing, in particular when they embed third party trackers. Admittedly, it is very hard for owners of such websites to both detect the complex tracking practices that exist today and to ensure legal compliance. In this paper, we present Ernie, a browser extension we designed to visualise six state-of-the-art tracking techniques based on cookies. Using Ernie, we analysed 385 health related websites that users would visit when searching for doctors in Germany, Austria, France, Belgium, and Ireland. More specifically, we explored the tracking behavior before any interaction with the consent pop-up and after rejection of cookies on websites of doctors, hospitals, and health related online phone-books. We found that at least one form of tracking occurs on 62% of the websites before interacting with the consent pop-up, and 15% of websites include tracking after rejection. Finally, we performed a detailed technical and legal analysis of three health related websites that demonstrate impactful legal violations. This paper shows that while, from a legal point of view, health related websites are more privacy-sensitive than other kinds of websites, they are exposed to the same technical difficulties to implement a legally compliant website. We believe Ernie, the browser extension we developed, to be an invaluable tool for policy-makers and regulators to improve detection and visualization of the complex tracking techniques used on these websites. • Security and privacy → Pseudonymity, anonymity and untraceability; Web application security; Privacy protections; • * The views, opinions and positions expressed in this article are those of the author and are not endorsed by its institution. The work has been carried out by Nataliia Bielova while she was at Inria until August 2021.

The modelling of a legal text into a machine-processable form, such as a list of logic formulae, enables a semi-automatic reasoning about legal compliance but might entail some anticipation of legal interpretation in the modelling. The formulae need therefore to be validated by legal experts, but it is unlikely that they are familiar with the formalism used. This calls for an interdisciplinary validation methodology to ensure that the model is legally coherent with the text it aims to represent but that could also close the communication gap between formal modellers and legal evaluators. This paper discusses such a methodology, providing an human-readable representation that preserves the formulae's meaning but that presents them in a way that is usable by non-experts. We exemplify the methodology on a use case where Articles of the GDPR are translated in the Reified I/O logic encoded in LegalRuleML.

Our main result provides a roadmap for compliance of STD design and management with the core principles embodied in the GDPR, offering guidelines both for Public and Private Sectors and for other stakeholders, namely for travellers as citizens.

In this paper we discuss requirements that privacy signals must satisfy to be enforceable under the ePrivacy Regulation and enable its real-world application. Privacy signals are digital representations that allow users to communicate their preferences [1] [2][3][4] of how users want their personal data to be processed, e.g. Do Not Track [5][6] for opting out of tracking, Global Privacy Control (GPC) for opting out of third party sharing, IAB's Transparency and Consent (TCF) signal [8] for communicating decisions), or exercise rights (e.g. Art.21(5) GDPR), and can be automated and customised for the websites they visit. Privacy signals must be adopted by both sides of the communication, i.e., controllers and data subjects along with support from device or software providers. Signals have the advantage to create a level playing field between all actors (users, websites, third parties), and to avoid user consent to be exploited through deceptive interfaces (dark patterns) [4][9] that nudge users to accept tracking though ubiquitous consent banners where consent where consent cannot be 'informed' or 'freely given'. The idea of automated signals is not new in the GDPR. Article 21(5) thereof already envisaged that users could exercise their "right to object to processing" by using automated signals, however, this provision was never implemented, neither a process to designate a signal was included in the GDPR .

Legitimate interest is one of the six grounds for processing data under the European Union's General Data Protection Regulation (GDPR). The flexibility and ambiguity of the term "legitimate interests" can be problematic; coupled with the lack of enforcement from legal authorities and different interpretations from the various data protection authorities, legitimate interests can be taken advantage of as a loophole to collect more user data. Drawing insights from multiple disciplines, we ran two studies to empirically investigate the deceptive designs being used when legitimate interests are applied in privacy notices, and how user perceptions line up with these practices. We identified six deceptive designs, and found that the ways legitimate interest is applied in practice does not match user expectations.

Privacy signals are digital representations that allow users to communicate their preferences [1] [2][3][4] of how users want their personal data to be processed, e.g. Do Not Track [5][6] for opting out of tracking, Global Privacy Control (GPC) [7] for opting out of third party sharing, IAB’s Transparency and Consent (TCF) signal [8] for communicating decisions), or exercise rights (e.g. Art.21(5) GDPR), and can be automated and customised for the websites they visit. In this paper we discuss requirements that privacy signals must satisfy to be enforceable under the ePrivacy Regulation and enable its real-world application.

In this document, we present our opinion on the Commission Nationale Informatique et Libertes (hereinafter, "CNIL") Draft Recommendation "On the practical procedures for collecting the consent provided for in article 82 of the French data protection act, concerning operations of storing or gaining access to information in the terminal equipment of a user (recommendation "cookies and other trackers")" from January 14 th , 2020 [5]. We first provide a high-level opinion and feedback on the CNIL draft recommendation, that summarizes our more detailed analysis of various paragraphs of the draft. In the following sections, we first present a quotation from the draft recommendation on cookies and other trackers in a visual box, and then provide our opinion, concerns or open questions. In the bold text we emphasize our recommendations. In our reasoning, we often rely on the legal and technical analysis of consent dialogs we have conducted, which is now availab...

The modelling of a legal text into a machine-processable form, such as a list of logic formulæ, enables a semi-automatic reasoning about legal compliance but might entail some anticipation of legal interpretation in the modelling. The formulæ need therefore to be validated by legal experts, but it is unlikely that they are familiar with the formalism used. This calls for an interdisciplinary validation methodology to ensure that the model is legally coherent with the text it aims to represent but that could also close the communication gap between formal modellers and legal evaluators. This paper discusses such a methodology, providing an human-readable representation that preserves the formulæ’s meaning but that presents them in a way that is usable by non-experts. We exemplify the methodology on a use case where Articles of the GDPR are translated in the Reified I/O logic encoded in LegalRuleML.

In this work, we analyze the legal requirements on cookie banners as a consent mechanism in Web applications. We describe how banners are supposed to be implemented to be fully compliant with the ePrivacy Directive and the GDPR. Our contribution resides in the definition of 22 operational and fine-grained requirements on cookie banner design that are legally compliant, and moreover, we define whether and when the verification of compliance of each requirement is feasible. The definition of requirements emerges from a joint interdisciplinary analysis composed of lawyers and computer scientists in the domain of web tracking technologies. As such, while some requirements are provided by explicitly codified legal sources, others result from the domain-expertise of computer scientists. In our work, we match each requirement against existing cookie banners designs of websites. We exemplify each requirement with compliant and non-compliant cookie banners. For each requirement, we perform a...

Consent Management Providers (CMPs) provide consent popups that are embedded in ever more websites over time to enable streamlined compliance with the legal requirements for consent mandated by the ePrivacy Directive and the General Data Protection Regulation (GDPR). They implement the standard for consent collection from the Transparency and Consent Framework (TCF) (current version v2.0) proposed by the European branch of the Interactive Advertising Bureau (IAB Europe). Although the IAB's TCF specifications characterize CMPs as data processors, CMPs factual activities often qualifies them as data controllers instead. Discerning their clear role is crucial since compliance obligations and CMPs liability depend on their accurate characterization. We perform empirical experiments with two major CMP providers in the EU: Quantcast and OneTrust and paired with a legal analysis. We conclude that CMPs process personal data, and we identify multiple scenarios wherein CMPs are controllers.

The General Data Protection Regulation (GDPR), Data Protection Authorities (DPAs) and the European Data Protection Board (EDPB) discuss purposes for data processing and the legal bases upon which data controllers can rely on: either "consent" or "legitimate interests". We study the purposes defined in IAB Europe's Transparency and Consent Framework (TCF) and their usage by advertisers. We analyze the purposes with regard to the legal requirements for defining them lawfully, and suggest that several of them might not be specific or explicit enough to be compliant. Arguably, a large portion thereof requires consent, even though the TCF allows advertisers to declare them under the legitimate interests basis. Finally, we measure the declaration of purposes by all advertisers registered in the TCF versions 1.1. and 2.0 and show that hundreds of them do not operate under a legal basis that could be considered compliant under the GDPR.

Data protection, currently under the limelight at the European level, is undergoing a long and complex reform that is finally approaching its completion. Consequently, there is an urgent need to customize semantic standards towards the prospective legal framework. The aim of this paper is to provide a bottom-up ontology describing the constituents of data protection domain and its relationships. Our contribution envisions a methodology to highlight the (new) duties of data controllers and foster the transition of IT-based systems, services, tools and businesses to comply with the new General Data Protection Regulation. This structure may serve as the foundation for the design of data protection compliant information systems.

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L'archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d'enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

A privacy policy is nothing more than a legal document for a website. It describes the company's specifics, visitors' perspectives on the data, and establishment methods. It is an essential component of every website, and firms need to ensure that it is factual and understandable even to laypeople. Continuous data collection from data subjects through digital infrastructure is a widespread practice involving numerous stakeholders. This presents significant concerns regarding data protection and user privacy. The main objective of a privacy statement is to inform us about handling personal information acquired during the visit to a website/mobile application. Many Platforms make use of this privacy policy for their business development. Here we analyse the privacy policy of the leading brands and the economy from our user data. This article aims to provide awareness to the user about the usage of his data with his concern.

Son dönemde bilim ve teknolojideki ilerlemelerin insanlık açısından kaygı uyandırıcı boyutlara ulaşması, insan haklarında yeni yaklaşımları ortaya çıkarmıştır. Bu yaklaşımlar, her ne kadar hukuki bir kesinliğe ulaşmasa da dördüncü kuşak insan haklarında bir araya gelmektedir. Biyo-etik haklar, siber uzay hakkı, kişisel verilerin korunması hakkı gibi hak kategorileri dördüncü kuşak insan hakları arasında değerlendirilmektedir. Özellikle kişisel verilerin korunması, çok daha kapsayıcı ve yaygın bir konu olduğundan insan hakları literatüründe öne çıkan bir vurgudur. Kişisel verilerin korunması hakkına yönelik en önemli tehditlerden biri, günden güne kullanımı artan büyük veri temasıdır. Büyük veri gerek kamu gerekse de özel kurum ve kuruluşlarda “dijital devlet” bağlamında yaygın bir araç haline gelirken, sosyolojiden siyaset ve sosyal hizmete kadar sosyal bilimlerin birçok alanında genişleyen bir metodoloji halini almaktadır. Yüksek bir temsil gücüne sahip olması, homojenleşmiş gruplara odaklanması gibi nedenlerle tercih edilen büyük veri çalışmalarında, kişisel verilerin korunmasının ne denli gözetildiği ayrı bir tartışma konusudur. Bu noktada araştırmacıların etik sorumluluklarını hem araştırma gruplarının korunması hem de çalışmalarını çeşitli odakların çıkarlarına hizmet edecek şekilde karakterize etmemesi doğrultusunda genişletmesi beklenmektedir. Diğer taraftan araştırma grupları da kişisel verilerinin hangi amaçlarla kimler tarafından kullanılacağı bağlamında kendilerinin de mesuliyet sahibi olduğunun farkında olmalıdırlar. Bunların doğrultusunda bu çalışma, sosyal bilimlerin farklı alanlarındaki büyük veri çalışmalarının kişisel verilerin korunması odağında yarattığı açmazları değerlendirmektedir.

The Industrial Revolution Concept 4.0 agree that personal data is economic value data. Personal data can be used for commercial purposes, so clear and specific arrangements need to be made. In Indonesia, the meaning of this type of personal data has not yet reached the highest level of Laws up to Government Regulations. This study aims to analyze the regulations on private data or data that are personal in Indonesia and make comparisons with several countries in Europe that implement personal data protection agreements. In this series of studies, the method used is a normative juridical method which consists of three types relating to statutory regulations, conceptual approaches, and comparative approaches. Based on the results of the study, a common thread related to the regulation of data privacy protection legislation No. 19 of 2016 concerning ITE up to the latest namely Permenkominfo No. 20 of 2016. However, at the technical level, regulations and regulations regarding the use o...

The Ishango Bone, an artifact estimated to be 20,000 years old, is thought to be an ancient form of a 29-day calendar. 1 It may have been used to track the lunar cycle, or a woman's menstrual cycle. 2 Tens of thousands of years later, women still track their menstrual cycles, whether in digital or analog format. In 2014, Apple released HealthKit, a way to display health information for users. 3 The company was widely criticized for not including a period tracker in HealthKit. 4 The next year, © 2020 Cara Tenenbaum * Cara Tenenbaum is an expert healthcare policy analyst that specializes in women's health, digital health, and personalized medicine. As a director at Pyxis Partners, Cara leads and manages multiple client projects with a focus on improving access to reproductive and sexual health services. She also focuses on treatments and services for mental health and substance use disorders. Cara received her Juris Doctor (JD) and Master's in Business Administration (MBA) from Case Western Reserve University and her bachelor's degree from the University of Maryland. 1. See Claudia Zaslavsky, Women as the First Mathematicians, ISGEM NEWSLETTER (Int'l Stud. Group Ethnomathematics), Jan. 1992 ("Thus far the oldest such incised bone, discovered in southern Africa and having 29 incisions, goes back about 37,000 years. Now, who but a woman keeping track of her cycles would need a lunar calendar?"). 2. Id. 3. See Chris Welch, Apple HealthKit Announced: A Hub for All Your iOS Fitness Tracking Needs, VERGE (June 2, 2014, 2:10 PM), erge.com/2014/6/2/5772074/apple-healthkit-ios-8-announcement ("Apple just unveiled HealthKit, a new app bundled with iOS 8 that's designed to help users keep better track of their personal health and fitness data."). 4. E.g., Arielle Duhaime-Ross, Apple Promised an Expansive Health App,

The Ishango Bone, an artifact estimated to be 20,000 years old, is thought to be an ancient form of a 29-day calendar. 1 It may have been used to track the lunar cycle, or a woman's menstrual cycle. 2 Tens of thousands of years later, women still track their menstrual cycles, whether in digital or analog format. In 2014, Apple released HealthKit, a way to display health information for users. 3 The company was widely criticized for not including a period tracker in HealthKit. 4 The next year, © 2020 Cara Tenenbaum * Cara Tenenbaum is an expert healthcare policy analyst that specializes in women's health, digital health, and personalized medicine. As a director at Pyxis Partners, Cara leads and manages multiple client projects with a focus on improving access to reproductive and sexual health services. She also focuses on treatments and services for mental health and substance use disorders. Cara received her Juris Doctor (JD) and Master's in Business Administration (MBA) from Case Western Reserve University and her bachelor's degree from the University of Maryland. 1. See Claudia Zaslavsky, Women as the First Mathematicians, ISGEM NEWSLETTER (Int'l Stud. Group Ethnomathematics), Jan. 1992 ("Thus far the oldest such incised bone, discovered in southern Africa and having 29 incisions, goes back about 37,000 years. Now, who but a woman keeping track of her cycles would need a lunar calendar?"). 2. Id. 3. See Chris Welch, Apple HealthKit Announced: A Hub for All Your iOS Fitness Tracking Needs, VERGE (June 2, 2014, 2:10 PM), erge.com/2014/6/2/5772074/apple-healthkit-ios-8-announcement ("Apple just unveiled HealthKit, a new app bundled with iOS 8 that's designed to help users keep better track of their personal health and fitness data."). 4. E.g., Arielle Duhaime-Ross, Apple Promised an Expansive Health App,

The right to the protection of personal data is the only fundamental right in the Charter that specifically demands the setting up of specialised administrative authorities. 1 Hence, not only is the existence of the data protection supervisory agencies required by the EU's constitutional law, but also their ability to effectively control the potential infringers is a matter of the data subjects' fundamental rights. Conversely, if their institutional or

The General Data Protection Regulation (GDPR) remains an important requirement for many electronic services which utilise user data. GDPR compliance verification for a cloud provider is aimed to confirm that personal data provided by a user is shared in-line with the requirements of this legislation, so that any subsequent audit carried out on the provider does not lead to a financial penalty. This verification involves two aspects: (i) ensuring that user consent has been obtained; (ii) sharing of data with external cloud providers is undertaken in a transparent way, so that the user is aware of which providers the information was shared with and for what purpose. Using a survey we describe why users are still ambivalent about the use of GDPRand how its adoption can be improved using a Blockchain-based architecture that can provide greater transparency on how GDPR compliance is supported by cloud providers.

The General Data Protection Regulation (GDPR) introduced new guidelines regarding the privacy risk assessments that should be conducted in organizations. The purpose of assessment, Data Protection Impact Assessment (DPIA), described in the GDPR is to determine the impact the identified risks could have on the privacy of the data subjects. There are many risk assessment frameworks available nowadays and also a number of guides regarding the DPIA process have been written since the implementation of the new data protection regulation, but no standardized framework has been made available. The aim of this thesis is to analyze how different risk assessment frameworks (OCTAVE Allegro, ISO, NIST) can help to conduct DPIAs and identify a methodology and guidelines which helps and organization to perform effective DPIA on processing activities which involve personal data. The outcome of the thesis is a framework adapted for the DPIA process.

Google is the gateway to the Internet for billions of people. However, to use Google's multiple platforms and services, users must accept Google's terms. With the advent of the EU's GDPR (General Data Protection Regulation), Google made significant changes to these terms. In this article, we scrutinise the intertextual relations between Google's privacy policies and terms of service (ToS) and the GDPR -and the discursive co-constitutive complexity within and between these frameworks. We argue that the material and communicative articulation of Google's privacy policies and ToS should be understood as deliberative data politics delimiting users' agency, consent, and privacy. Furthermore, we emphasise complexity and the demands of reducing complexity as two opposing dynamics. While the GDPR required Google to make its terms and policies clearer and more understandable, ironically, in the process of accommodating GDPR's demand of increased transparency, the discursive complexity of Google's policies has in fact increased.

The health care sector experiences 76% of cybersecurity breaches due to basic web application attacks, miscellaneous errors, and system intrusions, resulting in compromised health data or disrupted health services. The European Commission proposed the European Health Data Space (EHDS) in 2022 to enhance care delivery and improve patients' lives by offering all European Union (EU) citizens control over their personal health data in a private and secure environment. The EU has taken an important step in homogenizing the health data environment of the European health ecosystem, although more attention needs to be paid to keeping the health data of EU citizens safe and secure within the EHDS. The pooling of health data across countries can have tremendous benefits, but it may also become a target for cybercriminals or state-sponsored hackers. State-of-the-art security measures are essential, and the current EHDS proposal lacks sufficient measures to warrant a cybersecure and resilient environment.

Resumen: El presente artículo científico ofrece un análisis sistemático del Artículo1 del Reglamento General de Protección de Datos (RGPD), a través de la evaluación de su alcance y justificación, génesis y evolución legislativa en el panorama internacional, el contexto regional y su desarrollo nacional, relación con el ámbito de aplicación del Derecho de la Unión y su interacción con otros derechos fundamentales.

Abstract: This scientific article provides a systematic analysis of Article1 of the General Data Protection Regulation (GDPR), through the assessment of its scope and justification, genesis and legislative evolution in the international landscape, the regional context and its national development, relationship with the scope of application of Union law and its interaction with other fundamental rights.

The present paper offers a critique of the General Data Protection Regulation in the realm of access to information. Even though the GDPR supports the constitutionally obvious position that the right to data protection does not outweigh other equally important rights, the enhanced protection of the right to the protection of personal data leads to the potential neglect of other constitutional rights, such as that of access to information. Data protection and access to information authorities should be established both on an EU, as well as at national level as a single authority. Scientific research must be facilitated through access to a multitude of information. The present article explores the question of data ownership and aims to propose a new system that will enhance access to information. A key tool of our research will be the comparative overview of existing legislative systems and a review of the different approaches in the case-law of independent authorities.

The present paper offers a critique of the General Data Protection Regulation in the realm of access to information. Even though the GDPR supports the constitutionally obvious position that the right to data protection does not outweigh other equally important rights, the enhanced protection of the right to the protection of personal data leads to the potential neglect of other constitutional rights, such as that of access to information. Data protection and access to information authorities should be established both on an EU, as well as at national level as a single authority. Scientific research must be facilitated through access to a multitude of information. The present article explores the question of data ownership and aims to propose a new system that will enhance access to information. A key tool of our research will be the comparative overview of existing legislative systems and a review of the different approaches in the case-law of independent authorities.

Bilişim çağında, gündelik toplumsal ilişkilerden, devletlerin yürüttüğü güvenlik hizmetlerine kadar birçok bireysel veya kamusal faaliyet dijital alana taşınmıştır. Nesnelerin interneti, yapay zekâ, beyin makine arayüzü ve gözetim teknolojilerinin gelişimiyle gündelik hayatın daha da fazla dijitalleşeceği, özel veya kamusal verilerin öneminin artacağı açıktır. Bu gelişmeler ışığında kriptografinin de "kişisel veri" kavramı gibi gelecekte hukukçuların gündemlerinden birini oluşturacağını tahmin edebiliriz. Çünkü verilerin gizliliği ve siber güvenlik ancak şifreleme teknolojileri ile sağlanabilmektedir. Bu nedenle, Türkiye'de henüz az sayıda insanın duyduğu kriptografi hukukuna değinmek gerekir. Kriptografi hukuku, şifreleme teknolojilerinin üretim süreçlerini, kimler tarafından, nasıl ve hangi şartlar, sınırlar altında kullanılabileceğini, ithalat ve ihracatını düzenleyen hukuk kurallarını barındıran, kamu hukukunun bir dalıdır. Veri gizliliği ve güvenliğiyle ilişkisi nedeniyle bilişim hukukunun altında değerlendirilebilir. Kriptografi hukuku, silahlı kuvvetlerce ve gizli servislerce kullanılan şifreleme teknolojilerinin, milli güvenlikle ilgili görülerek, ihracatlarının düzenlenmesiyle doğar. Örneğin, hukuk sistemimizde kriptografiye dair bulabileceğimiz ilk düzenlemeler Wassenaar Anlaşmasına dayanır. Buna karşın bu hukuk alanında karşılaşılabilecek en önemli sorunlar özel kişilerce şifreleme teknolojilerinin kullanımıyla karşımıza çıkar. Bireyler ve devlet arasındaki, mahremiyet ve güvenlik dengesi adalete dayanmalıdır. Suç delillerini karartmak amacıyla şifreleme teknolojilerinden yararlanılabilmekte ve suç örgütleri devlet otoritelerine karşı önemli bir koz kazanmaktadır. Örneğin Çin, özel şahıslarca şifreleme teknolojilerinin kullanımını kısıtlamaktadır. Bir şifrelemenin delil elde etmek amacıyla kırılamaması durumunda, sanığın şifreleme anahtarını vermesinin gerekip gerekmediği, bunun nemo tenetur ilkesi çerçevesinde meşruiyeti başka bir tartışma *

The General Data Protection Regulation (GDPR) is the new European data protection law whose compliance affects organisations in several aspects related to the use of consent and personal data. With emerging research and innovation in data management solutions claiming assistance with various provisions of the GDPR, the task of comparing the degree and scope of such solutions is a challenge without a way to consolidate them. With GDPR as a linked data resource, it is possible to link together information and approaches addressing specific articles and thereby compare them. Organisations can take advantage of this by linking queries and results directly to the relevant text, thereby making it possible to record and measure their solutions for compliance towards specific obligations. GDPR text extensions (GDPRtEXT) uses the European Legislation Identifier (ELI) ontology published by the European Publications Office for exposing the GDPR as linked data. The dataset is published using DCAT and includes an online webpage with HTML id attributes for each article and its subpoints. A SKOS vocabulary is provided that links concepts with the relevant text in GDPR. To demonstrate how related legislations can be linked to highlight changes between them for reusing existing approaches, we provide a mapping from Data Protection Directive (DPD), which was the previous data protection law, to GDPR showing the nature of changes between the two legislations. We also discuss in brief the existing corpora of research that can benefit from the adoption of this resource.

In recent years ICTs have strongly influenced not only the provision of Health Services but also Health Service management. Consequently, the role of health information, as well as that of health data, is becoming increasingly essential to the extent that it could become the axis of the system in the near future. Additionally, the new regulation on personal data protection at a European level (EU Regulation 2016/679) must be taken into consideration. Taking this legal framework as a starting point, the present paper analyses the possibilities of the processing of health data permitted by legal norms, paying special attention to the possibility of its use for purposes not directly related to the provision of healthcare. PALABRAS CLAVE: TICs; información sanitaria; datos personales; datos de salud; Reglamento general de protección de datos.

In the United Kingdom (UK), the Data Protection Act (DPA) has been in force since 1998, whereas South African (SA) organisations are preparing for compliance with the Protection of Personal Information Act (POPIA). The objective of this research is to compare aspects of data protection compliance between the UK and SA to establish if a country that has had data protection in place for a longer period of time has a higher level of compliance with data protection requirements in an online context compared to a country that is preparing for compliance, using the results to make recommendations for non-compliance aspects. To fulfil the research objective, an insurance industry multi-case study was conducted. Similar data privacy requirements from the DPA and POPIA were selected for the multi-case study and as such, consent for direct marketing, secure processing of personal information (PI), privacy policies and sharing of PI collected via websites were evaluated. For each country, PI o...

Purpose The purpose of this study was to investigate the difference between South Africa (SA) and the United Kingdom (UK) in terms of data protection compliance with the aim to establish if a country that has had data protection in place for a longer period of time has a higher level of compliance with data protection requirements in comparison with a country that is preparing for compliance. Design/methodology/approach An insurance industry multi-case study within the online insurance services environment was conducted. Personal information of four newly created consumer profiles was deposited to 10 random insurance organisation websites in each country to evaluate a number of data privacy requirements of the Data Protection Act and Protection of Personal Information Act. Findings The results demonstrate that not all the insurance organisations honored the selected opt-out preference for receiving direct marketing material. This was evident in direct marketing material that was sen...

The article considers the legality of mass surveillance and protection of personal data in the context of the international human rights law and the right to respect for private life. Special attention is paid to the protection of data on the Internet, where the personal data of billions of people are stored. The author emphasizes that mass surveillance and technology that allows the storage and processing of the data of millions of people pose a serious threat to the right to privacy guaranteed by Article 8 of the ECHR of 1950. Few companies comply with the human rights principles in their operations by providing user data in response to requests from public services. In this regard, States must prove that any interference with the personal integrity of an individual is necessary and proportionate to address a particular security threat. Mandatory data storage, where telephone companies and Internet service providers are required to store metadata about their users’ communications ...

The General Data Protection Regulation is the core instrument of the reformed legal framework for personal data protection in the European Union. The GDPR was put into effect on May 25, 2018, and requires assessing and conducting a Data Protection Impact Assessment for processing operations that are likely to result in a high risk to the rights and freedoms of natural persons, specifically using new technologies and considering the nature, scope, context, and purposes of the processing. Although GDPR does not precisely specify the types of processing activities for which a DPIA would be necessary, through the guidelines that it provides, the organization should conduct a DPIA, if there is large scale processing of health data. An example of this, is a Cloud-based Health Organization. Taking into account this parameter, that Cloud-based Health Organization processes personal data that could impact the freedoms and rights of a data subject under the GDPR and that the GDPR does not spe...

The approval of the General Data Protection Regulation (GDPR) brought a revolution in the way we treat data produced in digital media. The GDPR increases individuals’ participation in the treatment of their data, and it also introduces technical challenges, whose failure can lead to a fine of 4% of the organization’s annual revenue. Among many approaches that aim to contribute to the solutions of challenges introduced by GDPR, there is a research branch promoting the use of data provenance as a means to make transparent the increasingly complex workflows of systems. However, existing provenance models are not fully compliant with the GDPR. In this paper, we aim to contribute to the evolution of the GDPR data provenance model proposed by Ujcich et al.. We suggest eleven new changes that make the model more apparent and more compatible with the GDPR text. We also present two design patterns that should guide us in using these changes in real contexts. Resumo. A aprovação do Regulament...

Siber risklerin değişen niteliği, analitik ve yapay zekâ uygulamalarıyla kişisel verilerin işlenmesinin yaygınlaşması, veri işleme ve saklama ortamlarının çeşitlenmesi, sektörel düzenlemelerin artması, klasik veri koruma yaklaşımlarının yetersiz kalmasına sebep olmuştur. Bu bağlamda, değişen veri koruma ve mahremiyet düzlemlerinde ortaya çıkan yeni riskler ve sorunlar için etkin bir çözüm olarak hesap verebilirlik ilkesi ortaya çıkmıştır. Hesap verebilirlik ilkesi, salt mevzuata uyumu aşan ve kavramsal derinliği haiz bir paradigma değişikliğidir. Bu ilke, veri sorumlularının, veri koruma düzenlemelerine uyum için uygun ve etkin tedbirleri almasını ve talep halinde de bunu ispat etmelerini gerektirmektedir. Diğer bir deyişle hesap verebilirlik ilkesi, kişisel verilerin korunmasının bir veri sorumlusu nezdinde sürekli gözetilen, etkin şekilde uygulanan ve düzenli olarak denetlenen bir değer olduğunun ispatı sürecidir. Bu makalenin amacı, veri koruma hukuku bağlamında hesap verebilirlik ilkesini mukayeseli olarak incelemektir. Çalışma, hesap verebilirlik ilkesinin temelini ve kapsamını sorgulamayı, diğer veri koruma ilkeleriyle ilişkisini tespit etmeyi ve ilkenin veri sorumluları ile veri işleyenler üzerindeki normatif etkisini ortaya koymayı hedeflemektedir.

This study conducts a threefold analysis of the EU proposal for an Artificial Intelligence Act (AIA). The first objective is a regulatory analysis of the proposal, focusing on the proposed structures for implementation, concepts, and key requirements for Artificial Intelligence (AI) producers. The second objective is a comparison with the General Data Protection Regulation (GDPR), and its complementarity in providing a robust response to the needs of operators and users of data-driven algorithmic technologies. The third objective is to examine the potential for harmonization of the EU internal market and competitiveness with non-EU markets. The analysis includes a regulatory comparison with the GDPR, which highlights the EU's digital economy policy based on national authorities, risk-based approaches and European bodies for harmonization. The analytical framework of the Brussels Effect is also applied to the AIA proposal, which expresses the intentions of the regulations, both from internal and external pressures. The study concludes that the AIA proposed by the European Commission has the potential to have a significant impact on the development and use of AI systems, particularly in the EU and for companies operating internationally. However, it also poses challenges in terms of implementation and enforcement, which could hamper growth.

All models of legal governance and most regulatory options have to do with 'top-down' solutions as an essential ingredient of the approach. Such models may include 'bottom-up' forms of self-regulation, such as in forms of ex post regulation, or unenforced self-regulation. This paper focuses on what lies in between such top-down and bottom-up approaches, namely, the middle-out interface of the analysis. Within the EU legal framework, this middle-out layer is mainly associated with forms of co-regulation, as defined by Recital 44 of the 2010 AVMS Directive and Article 5(2) of the GDPR. However, there are also additional models on how we should grasp the middle-out layer of legal regulation, as shown by the debates on the governance of AI and the Web of Data. For example, the debates on issues such as monitored self-regulation, coordination mechanisms for good AI governance, and 'wind-rose' models for the Web of Data make it clear that co-regulation is not the only alternative to both bottom-up and top-down approaches. From a methodological viewpoint, the middle-out approach sheds light on three different kinds of issues that regard (i) how to strike a balance between multiple regulatory systems; (ii) how to align primary and secondary rules of the law; and (iii) how to properly coordinate bottom-up and top-down policy choices. The increasing complexity of technological regulation recommends new models of governance that revolve around this middle-out analytical ground.

Health systems advance towards personalized, preventive, predictive, participative precision (5P) medicine, considering the individual's health status, contexts and conditions. This results in fully distributed, highly dynamic, highly complex business systems and processes with multiple, comprehensively cooperating actors from different specialty and policy domains, using their specific methodologies, terminologies, ontologies, knowledge and skills. Rules and regulations governing the business process as well as the organizational, legal and individual conditions, thereby controlling the behavior of the system, are called policies. Trust and confidence needed for running such system are strongly impacted by security and privacy concerns controlled by corresponding policies. The most comprehensive policy dealing with security and privacy requirements and principles in any business collecting, processing and sharing personal identifiable information (PII) is the recently implemented European General Data Protection Regulation (GDPR). This paper investigates how GDPR supports healthcare transformation and how this can be implemented based on international standards and specifications.

Objec ves: Aiming to strengthen EU ci zens' fundamental privacy rights in the digital age the new European General Data Protec on Regula on shall apply from May 25th 2018. It will require companies processing personal data to implement a set of organiza onal and technical controls for ensuring proper handling of these data. Obviously this applies for companies providing eHealth services. As HL7 off ers a lot of material to support security and privacy for handling personal healthcare data, this paper aims at showing which HL7 standards and components can be used to support the implementa on of GDPR related controls. The paper shows some key facts of the European GDPR as well as analyzes HL7 standards and components in the security and privacy domain to provide a basic mapping. Results: As a result the paper provides a table mapping HL7 ar facts to GDPR requirements. The paper shows, that consequently using HL7 security and privacy standards and components effi ciently helps to implement GDPR requirements.