Summary Big Data for Society
Lecture 2: EU Data Regulation Overview
EU 2009 charter of fundamental rights states:
1. Everyone has the right to the protection of personal data
2. Such data must be processed fairly, for specified purposes, and on the basis of
the consent of the person concerned.
3. Compliance with these rules shall be subject to control by an independent
authority.
The US does not recognize this human right.
Only in 2013, not legally binding resolution on the right to privacy in the digital age.
Takeaway: Europe has from the beginning the idea of data protection and the US not,
only the right to privacy.
Principles: limitations
Both the ECHR and EU Charter have provisions to limit the rights to privacy and data
protection, this means that the rights are not absolute.
The interference with these rights cannot go further than is necessary ->
proportionally. So for example when there is potential terrorism.
Sometimes the right of data protection interferes with other rights, for example the
freedom of expression for example when writing political comments on the internet. I
have the right to data protection. Sometimes the freedom of expression goes above the
data protection in this case.
When there are tensions between the different rights, it’s the courts role to balance
them.
It’s the duty of member states to reconcile with freedom of expression and information.
For example: public access to official documents.
Regulations: GDPR
The General Data Protection Regulation is a single set of data protection rules to be
applied by all EU members. It has been implemented since 25 May 2018. Applies to all
organizations that process data of anyone in EU territory, even American organizations
in the EU.
It empowers EU members by allowing sanctions and fines.
Personal data: any data relating to an individual (data subject) who can be
identified, directly or indirectly.
1
,Anonymized are not considered personal data, f.e. The student numbers on your
exam.
Pseudonymized data are. F.e. when you can relate the student numbers to your name.
Sensitive data = link particularly to the privacy of someone: race, religion, biometrics,
sexual orientation.
Data processing = any operation performed on personal data, automated or manual.
For this processing you have:
- Data controller -> decides why and how personal data will be processed.
- Data processor -> processes personal data on behalf of a data controller.
F.e. on exams the teacher is both!
Consent: any freely given, specific, informed and unambiguous indication of the data
subject’s wishes.
Example of this: Tilburg University who uses cookies, this is because of GDPR. 7 years
ago this wasn’t mandatory.
GDPR has 7 main principles.
Principle 1: Lawfulness, fairness and transparency: processing must be lawful, fair
and transparent to the data subject. Meaning:
- Consent = sufficient to grant lawfulness
- Lawful = subject to a special, stricter regime.
- Fairness = communicating potential risks to data subjects.
Principle 2: Purpose limitation: Data must be processed for the legitimate purposes
specified explicitly to the data subject when collected. F.e. take studentnummer, name
and everything and give it to someone who takes it to something nothing to do with the
goal. That is not right.
Exceptions: archiving purposes of public interest, research and statistical purposes. F.e.
Research questions change a little bit.
Principle 3: Data minimization: Should be collected and processed only as much data
as absolutely necessary for the purposes specified. Collect ONLY the data which is
necessary for the purpose. So collect not everything.
Principle 4: Accuracy: personal data must be accurate and up to date. If not, the data
processor has to correct it.
2
,Principle 5: Storage limitation: personally identifying data may be stored only for as
long as necessary for the specified purpose. So store it as long as necessary, then
delete it or anonymize it. Exam example, teacher should not store the details from the
exam after the grades.
Principle 6: Integrity and confidentiality: Processing must be done in such a way as to
ensure appropriate security, integrity, and confidentiality.
- Necessary level of security is determined by: availability, costs and risks.
Exam example: not super personal data, might not store it in a special cloud. But
I can't leave it open in a cafe for example and go to the bathroom.
Principle 7: Accountability (important one): controllers and processors must actively
and continuously implement measures to ensure compliance.
- Data controllers are responsible for being able to demonstrate compliance. The
controller must show that they actually instructed the processor for everything to
be done. The data processor must follow these guidelines and show how he/she
did it.
- In some contexts it might be necessary to check compliance within firms.
GDPR: Supervision
Each member State establishes a supervisory authority under national law.
- Must act with complete independence
- Are in charge of tasks such as advising nationals or assisting data subjects with
alleged violations -> when your data is hacked you go to the authority.
- They have power to intervene if necessary:
Warn, reprimand or even fine controllers and processors.
Order data to be rectified, blocked or deleted.
- They are required to tightly cooperate with each other as there is a one-stop-
shop mechanism for cross-border processing cases. So the Netherlands
authorities have to work together with other countries. So you only have to go to
one authority.
There is also a European Data Protection Board.
Works like an ECB in relation to a national bank. This works in collaboration with each
national supervisory authority. Is like the main Supervisor.
3
, GDPR: subject data’s rights
The data subject have the following 8 rights:
1. The right to be informed
2. The right of access, for example amazon data has about you.
3. The right to rectification
4. The right to erasure
5. The right to restrict processing.
6. The right to data portability, gather your data and bring to someone else.
7. The right to object, to say no.
8. Right against automated decision and profiling. Right to have a human being
check that. Grades checked by a machine for example.
In case of violation of the rights: The controller or processor is liable for any material
and non-material damage. The fine for infringements can be extremely high: up to 20
million or 4% of the total worldwide annual turnover (Meta for example).
EU Data strategy
Goal: To frame all these regulations into one framework they made the Data strategy.
So they made a single market for data where:
- Data can flow within the EU and across sectors, for the benefit of all.
- European rules, in particular privacy, data protection and competition law.
- The rules are very practical and clear so they overcome the complexity of the
regulations with this.
Composed of many different regulations:
- Digital services act
- Digital markets act
- Data governance act
- Data act.
Regulations of European health data space and regulations about AI are still in
discussion.
Digital Services Package
Is composed of:
1. The digital services Act (DSA)
2. The Digital Markets act (DMA)
Both pursue the same goals:
4
Lecture 2: EU Data Regulation Overview
EU 2009 charter of fundamental rights states:
1. Everyone has the right to the protection of personal data
2. Such data must be processed fairly, for specified purposes, and on the basis of
the consent of the person concerned.
3. Compliance with these rules shall be subject to control by an independent
authority.
The US does not recognize this human right.
Only in 2013, not legally binding resolution on the right to privacy in the digital age.
Takeaway: Europe has from the beginning the idea of data protection and the US not,
only the right to privacy.
Principles: limitations
Both the ECHR and EU Charter have provisions to limit the rights to privacy and data
protection, this means that the rights are not absolute.
The interference with these rights cannot go further than is necessary ->
proportionally. So for example when there is potential terrorism.
Sometimes the right of data protection interferes with other rights, for example the
freedom of expression for example when writing political comments on the internet. I
have the right to data protection. Sometimes the freedom of expression goes above the
data protection in this case.
When there are tensions between the different rights, it’s the courts role to balance
them.
It’s the duty of member states to reconcile with freedom of expression and information.
For example: public access to official documents.
Regulations: GDPR
The General Data Protection Regulation is a single set of data protection rules to be
applied by all EU members. It has been implemented since 25 May 2018. Applies to all
organizations that process data of anyone in EU territory, even American organizations
in the EU.
It empowers EU members by allowing sanctions and fines.
Personal data: any data relating to an individual (data subject) who can be
identified, directly or indirectly.
1
,Anonymized are not considered personal data, f.e. The student numbers on your
exam.
Pseudonymized data are. F.e. when you can relate the student numbers to your name.
Sensitive data = link particularly to the privacy of someone: race, religion, biometrics,
sexual orientation.
Data processing = any operation performed on personal data, automated or manual.
For this processing you have:
- Data controller -> decides why and how personal data will be processed.
- Data processor -> processes personal data on behalf of a data controller.
F.e. on exams the teacher is both!
Consent: any freely given, specific, informed and unambiguous indication of the data
subject’s wishes.
Example of this: Tilburg University who uses cookies, this is because of GDPR. 7 years
ago this wasn’t mandatory.
GDPR has 7 main principles.
Principle 1: Lawfulness, fairness and transparency: processing must be lawful, fair
and transparent to the data subject. Meaning:
- Consent = sufficient to grant lawfulness
- Lawful = subject to a special, stricter regime.
- Fairness = communicating potential risks to data subjects.
Principle 2: Purpose limitation: Data must be processed for the legitimate purposes
specified explicitly to the data subject when collected. F.e. take studentnummer, name
and everything and give it to someone who takes it to something nothing to do with the
goal. That is not right.
Exceptions: archiving purposes of public interest, research and statistical purposes. F.e.
Research questions change a little bit.
Principle 3: Data minimization: Should be collected and processed only as much data
as absolutely necessary for the purposes specified. Collect ONLY the data which is
necessary for the purpose. So collect not everything.
Principle 4: Accuracy: personal data must be accurate and up to date. If not, the data
processor has to correct it.
2
,Principle 5: Storage limitation: personally identifying data may be stored only for as
long as necessary for the specified purpose. So store it as long as necessary, then
delete it or anonymize it. Exam example, teacher should not store the details from the
exam after the grades.
Principle 6: Integrity and confidentiality: Processing must be done in such a way as to
ensure appropriate security, integrity, and confidentiality.
- Necessary level of security is determined by: availability, costs and risks.
Exam example: not super personal data, might not store it in a special cloud. But
I can't leave it open in a cafe for example and go to the bathroom.
Principle 7: Accountability (important one): controllers and processors must actively
and continuously implement measures to ensure compliance.
- Data controllers are responsible for being able to demonstrate compliance. The
controller must show that they actually instructed the processor for everything to
be done. The data processor must follow these guidelines and show how he/she
did it.
- In some contexts it might be necessary to check compliance within firms.
GDPR: Supervision
Each member State establishes a supervisory authority under national law.
- Must act with complete independence
- Are in charge of tasks such as advising nationals or assisting data subjects with
alleged violations -> when your data is hacked you go to the authority.
- They have power to intervene if necessary:
Warn, reprimand or even fine controllers and processors.
Order data to be rectified, blocked or deleted.
- They are required to tightly cooperate with each other as there is a one-stop-
shop mechanism for cross-border processing cases. So the Netherlands
authorities have to work together with other countries. So you only have to go to
one authority.
There is also a European Data Protection Board.
Works like an ECB in relation to a national bank. This works in collaboration with each
national supervisory authority. Is like the main Supervisor.
3
, GDPR: subject data’s rights
The data subject have the following 8 rights:
1. The right to be informed
2. The right of access, for example amazon data has about you.
3. The right to rectification
4. The right to erasure
5. The right to restrict processing.
6. The right to data portability, gather your data and bring to someone else.
7. The right to object, to say no.
8. Right against automated decision and profiling. Right to have a human being
check that. Grades checked by a machine for example.
In case of violation of the rights: The controller or processor is liable for any material
and non-material damage. The fine for infringements can be extremely high: up to 20
million or 4% of the total worldwide annual turnover (Meta for example).
EU Data strategy
Goal: To frame all these regulations into one framework they made the Data strategy.
So they made a single market for data where:
- Data can flow within the EU and across sectors, for the benefit of all.
- European rules, in particular privacy, data protection and competition law.
- The rules are very practical and clear so they overcome the complexity of the
regulations with this.
Composed of many different regulations:
- Digital services act
- Digital markets act
- Data governance act
- Data act.
Regulations of European health data space and regulations about AI are still in
discussion.
Digital Services Package
Is composed of:
1. The digital services Act (DSA)
2. The Digital Markets act (DMA)
Both pursue the same goals:
4
