Standards perform a pre-law function of informing the legislative reform of the Privacy in Electronic Communications (ePrivacy) Directive 2002/58/EC (amended by 2009/136/EC), and several post-law functions in the General Data Protection Regulation EU/679/2016, the ePrivacy Directive, and the 2017 ePrivacy Regulation Commission Proposal. The post-law functions of standards in support of the EU data protection law are grouped into standards that provide rules for the implementation of the regulation (‘meta-rules function’), standards that concern the data controllers and processors (‘regulatees function’) and standards for data subjects (‘beneficiaries function’). In terms of standards for regulatees, standardisation can play the role of calibrating and specifying technical and organisational measures so that those measures are appropriate to the risks likely to occur from data processing operations, and the characteristics and conditions of processing. This aspect of standardisation in data protection law is closely linked to the risk-based approach, introduced in the GDPR alongside the introduction of the accountability principle. In relation to beneficiaries, standards may provide the (technical) means to data subjects to have their wishes and preferences heard, such as expressing their preference on tracking. One limitation of this function concerns the voluntary nature of standards. Unless standards are vested with technical or legal enforceability, the function of data protection standards as an empowerment instrument cannot materialise, since data subjects are dependent on the choices of controllers and processors to voluntarily adhere to standards and respect their choices. The role of standards would then be limited to communication of the preferences of data subjects, without any guarantee that those will be respected.
Next, standards as meta-rules in data protection law may play a role in decreasing fragmentation and enhancing coordination among different regimes or rules. The use of standards for implementing data protection certification mechanisms in the GDPR provided one such example. In general, seals and marks that are not easily recognisable for data subjects defeat their transparency purpose. Thus, a degree of uniformity is important for the effectiveness of the data protection certification mechanisms. Those standards are intended to prescribe to both private regulators (i.e. certification bodies) and public regulators (supervisory authorities and Member States) common requirements and implementation rules. The identified functions are of a facilitating or enabling nature, depending on the necessity of standardisation for the materialisation of the goal of the relevant legal provision. Standards, as facilitators, are a useful, but not necessary, tool to achieve a goal laid down in data protection law. The enabling nature usually concerns aspects of duties or compliance measures with a strong technical component, such as pseudonymisation and encryption of personal data.
Several limitations of the role of standards concern the material scope of standards and the data protection legislation. The difference in the scope and regulatory target of standards and data protection, as those are framed by the definitions of their constitutive elements (product, system, etc.), essentially means that, from a data protection point of view, standards may regulate peripheral components of a processing operation. Further limitations stem from procedural legitimacy issues, the risk of conferral of public powers to standardisation bodies, especially due to the possibility of standards becoming de facto mandatory, and the overall decisional power of standardisation bodies as regards the content of international and European (harmonised) standards. The decisional power varies depending on the development mode of standards (committee-based, co-development, etc.), the integration mechanism in the EU legal order and the type of the data protection act.
|Qualification|Doctor of Laws|
|Date of award|21 Jun 2021|
|Status|Published - 21 Jun 2021|
Data Protection by Design and by Default: Framing Guiding Principles into Legal Obligations in the GDPR
Jasmontaite, L., Kamara, I., Zanfir Fortuna, G. & Leucci, S., Jun 2018, In: European Data Protection Law Review. 4, 2, pp. 168-189

Understanding the balancing act behind the legitimate interest of the controller ground: a pragmatic approach
Kamara, I. & De Hert, P., Aug 2018, 12 ed., Vrije Universiteit Brussel, Brussels Privacy HUB, 33 pp. (Working papers).
Research output: Working paper

Co-regulation in EU personal data protection: the case of technical standards and the Privacy by Design standardisation ‘mandate’
Kamara, I., Mar 2017, In: European Journal of Law and Technology. 8, 1, 24 pp.
Research output: Article, Open Access

Data Protection Standardisation. The role and limits of technical standards in the EU data protection law.
Irene Kamara (Speaker), 21 Jun 2021
Activity: Talk or presentation at a conference

Irene Kamara (Speaker), 15 Apr 2019
Activity: Talk or presentation at a workshop/seminar

Irene Kamara (Visitor), May 2018 → Jul 2018
Activity: Research and Teaching at External Organisation