Lecture 8 - Article on the new Regulation
The Regulation and Directive are covering everything except for secret services, which is a
problem because secret services are a problem, but it is kept outside of Europe’s
competences. A good lawyer knows then we look at CoE law, as this one was without
exceptions. So there is data protection without security systems but not in the EU because
MS are keeping this for themselves. This is a problem because of the Snowden, we all look
at the European Parliament. The Regulation is innovative, but it got help by the ECJ as it is a
European activist court, more Europe is the consequence of this court. The right to be
forgotten wouldn’t have been in the Regulation without the ECJ, think of the Google case,
pushing lawmakers to talk about the right to be forgotten. The article highlightings the 11
aspects of the long document. Page. 181, the history of the Regulation is being discussed.
Then the trilogues happened, there is double lawmakers: the parliament and the council (the
MS), so it is a two chamber system. The commission is no executive or government but
something special. Trilogues are negotiations between the commission, the parliament and
council. They reached an agreement which was published in may 2016.
On page 182 the importance of working with a Regulation is creating one space and doing
away with harmonization problems. The regulation is binding, no need to be transposed as
opposed to a Directive. There is something against Europeanization of everything, but in this
case we need it because data protection is global anyways, so why keeping it at local level.
Data processing is no longer a local phenomenon, so it is something that spontaneously
became Europe and has not been disputed, not even by nationalists, adding to the quality. A
lot of lobbying went to the council representing states. You can defend some particularities
but not too many. Will full harmonization be reached? Will DPAs act in a fully coordinated
way? Will it work? Delicate construction, paid by the MS, not the EU but they have to
implement and coordinate EU law. The EU is harmonizing something, but it counts on
national states to do it. The regulation in the Netherlands will be supervised by the Dutch
DPA. There is a European data protection board that will have powers to coordinate. Board
has a representative of DPAs and European data protection supervisor?
Not much change regarding the basic objects of the regulation. The Definition of personal
data has proven to be resilient. It is either identified subjects or identifiable. What is
identifiable will be subject to a proportionality test. New is the recognition of pseudonymised
data could be an exam question. It is supposed to be personal data, it is not anonymised.
Someone has the key to identify people but others don’t. Sometimes pseudonymised data is
partially regarded anonymous data from the point of view of the person who is processing
personal data. It’s very dangerous, we don’t know what will happen to this category. It’s good
to work with pseudonymised data, but in principle it is personal data. Maybe one day judges
will say you don’t have the key and it is disproportionately that you won’t get it, which
industry will love.
With regards to sensitive data opposed to ordinary data there is nothing new. Genetic,
biometrical and sexual orientation data is added newly. Sensitive data is something that
reveals something more intimate. In our big data industry, even very banal data can reveal
very intimate information. Data protection is struggling with a good intuition (that there is
data) and false friend as sometimes ordinary data contains very intimate information.
Biometrical data, opening my Apple with a fingerprint, is this sensitive data? As the
The Regulation and Directive are covering everything except for secret services, which is a
problem because secret services are a problem, but it is kept outside of Europe’s
competences. A good lawyer knows then we look at CoE law, as this one was without
exceptions. So there is data protection without security systems but not in the EU because
MS are keeping this for themselves. This is a problem because of the Snowden, we all look
at the European Parliament. The Regulation is innovative, but it got help by the ECJ as it is a
European activist court, more Europe is the consequence of this court. The right to be
forgotten wouldn’t have been in the Regulation without the ECJ, think of the Google case,
pushing lawmakers to talk about the right to be forgotten. The article highlightings the 11
aspects of the long document. Page. 181, the history of the Regulation is being discussed.
Then the trilogues happened, there is double lawmakers: the parliament and the council (the
MS), so it is a two chamber system. The commission is no executive or government but
something special. Trilogues are negotiations between the commission, the parliament and
council. They reached an agreement which was published in may 2016.
On page 182 the importance of working with a Regulation is creating one space and doing
away with harmonization problems. The regulation is binding, no need to be transposed as
opposed to a Directive. There is something against Europeanization of everything, but in this
case we need it because data protection is global anyways, so why keeping it at local level.
Data processing is no longer a local phenomenon, so it is something that spontaneously
became Europe and has not been disputed, not even by nationalists, adding to the quality. A
lot of lobbying went to the council representing states. You can defend some particularities
but not too many. Will full harmonization be reached? Will DPAs act in a fully coordinated
way? Will it work? Delicate construction, paid by the MS, not the EU but they have to
implement and coordinate EU law. The EU is harmonizing something, but it counts on
national states to do it. The regulation in the Netherlands will be supervised by the Dutch
DPA. There is a European data protection board that will have powers to coordinate. Board
has a representative of DPAs and European data protection supervisor?
Not much change regarding the basic objects of the regulation. The Definition of personal
data has proven to be resilient. It is either identified subjects or identifiable. What is
identifiable will be subject to a proportionality test. New is the recognition of pseudonymised
data could be an exam question. It is supposed to be personal data, it is not anonymised.
Someone has the key to identify people but others don’t. Sometimes pseudonymised data is
partially regarded anonymous data from the point of view of the person who is processing
personal data. It’s very dangerous, we don’t know what will happen to this category. It’s good
to work with pseudonymised data, but in principle it is personal data. Maybe one day judges
will say you don’t have the key and it is disproportionately that you won’t get it, which
industry will love.
With regards to sensitive data opposed to ordinary data there is nothing new. Genetic,
biometrical and sexual orientation data is added newly. Sensitive data is something that
reveals something more intimate. In our big data industry, even very banal data can reveal
very intimate information. Data protection is struggling with a good intuition (that there is
data) and false friend as sometimes ordinary data contains very intimate information.
Biometrical data, opening my Apple with a fingerprint, is this sensitive data? As the
