Standards perform a pre-law function of informing the legislative reform of the Privacy in Electronic Communications (ePrivacy) Directive 2002/58/EC (amended by 2009/136/EC), and several post-law functions in the General Data Protection Regulation EU/679/2016, the ePrivacy Directive, and the 2017 ePrivacy Regulation Commission Proposal. The post-law functions of standards in support of the EU data protection law are grouped into standards that provide rules for the implementation of the regulation (‘meta-rules function’), standards that concern the data controllers and processors (‘regulatees function’) and standards for data subjects (‘beneficiaries function’). In terms of standards for regulatees, standardisation can play the role of calibrating and specifying technical and organisational measures so that those measures are appropriate to the risks likely to occur from data processing operations, and the characteristics and conditions of processing. This aspect of standardisation in data protection law is closely linked to the risk-based approach, introduced in the GDPR alongside the introduction of the accountability principle. In relation to beneficiaries, standards may provide the (technical) means to data subjects to have their wishes and preferences heard, such as expressing their preference on tracking. One limitation of this function concerns the voluntary nature of standards. Unless standards are vested with technical or legal enforceability, the function of data protection standards as an empowerment instrument cannot materialise, since data subjects are dependent on the choices of controllers and processors to voluntarily adhere to standards and respect their choices. The role of standards would then be limited to communication of the preferences of data subjects, without any guarantee that those will be respected.
Next, standards as meta-rules in data protection law may play a role in decreasing fragmentation and enhancing coordination among different regimes or rules. The use of standards for implementing data protection certification mechanisms in the GDPR provided one such example. In general, seals and marks that are not easily recognisable for data subjects defeat their transparency purpose. Thus, a degree of uniformity is important for the effectiveness of the data protection certification mechanisms. Those standards are intended to prescribe to both private regulators (i.e. certification bodies) and public regulators (supervisory authorities and Member States) common requirements and implementation rules. The identified functions are of a facilitating or enabling nature, depending on the necessity of standardisation for the materialisation of the goal of the relevant legal provision. Standards, as facilitators, are a useful, but not necessary, tool to achieve a goal laid down in data protection law. The enabling nature usually concerns aspects of duties or compliance measures with a strong technical component, such as pseudonymisation and encryption of personal data.
Several limitations of the role of standards concern the material scope of standards and the data protection legislation. The difference in the scope and regulatory target of standards and data protection, as those are framed by the definitions of their constitutive elements (product, system, etc.) essentially means that, from a data protection point of view, standards may regulate peripheral components of a processing operation. Further limitations stem from procedural legitimacy issues, the risk of conferral of public powers to standardisation bodies, especially due to the possibility of standards becoming de facto mandatory, and the overall decisional power of standardisation bodies as regards the content of international and European (harmonised) standards. The decisional power varies depending on the development mode of standards (committee-based, co-development, etc.), the integration mechanism in the EU legal order and the type of the data protection act.
| Qualification | Doctor of Laws |
| Award date | 21 Jun 2021 |
| Publication status | Published - 21 Jun 2021 |
- data protection
- private regulation
- transnational private regulation
- legal pluralism
- Binding Corporate Rules
- procedural legitimacy
- Radio Equipment Directive
- harmonised standards
- conformity assessment
- data protection by design
OZR3262: Bilateral cooperation within the framework of a joint doctoral project: Bench Fee for Joint PhD VUB_Tilburg, Kamara Irene
16/04/18 → 31/12/21
Data Protection by Design and by Default: Framing Guiding Principles into Legal Obligations in the GDPR
Jasmontaite, L., Kamara, I., Zanfir Fortuna, G. & Leucci, S., Jun 2018, In: European Data Protection Law Review. 4, 2, p. 168-189
Research output: Contribution to journal › Article › peer-review
Understanding the balancing act behind the legitimate interest of the controller ground: a pragmatic approach
Kamara, I. & De Hert, P., Aug 2018, 12 ed., Vrije Universiteit Brussel, Brussels Privacy HUB, 33 p. (Working papers).
Research output: Working paper
Co-regulation in EU personal data protection: the case of technical standards and the Privacy by Design standardisation ‘mandate’
Kamara, I., Mar 2017, In: European Journal of Law and Technology. 8, 1, 24 p.
Research output: Contribution to journal › Article › peer-review (Open Access)
Data Protection Standardisation. The role and limits of technical standards in the EU data protection law.
Irene Kamara (Speaker), 21 Jun 2021
Activity: Talk or presentation › Talk or presentation at a conference
Irene Kamara (Speaker), 15 Apr 2019
Activity: Talk or presentation › Talk or presentation at a workshop/seminar
Irene Kamara (Visitor), May 2018 → Jul 2018
Activity: Other › Research and Teaching at External Organisation