Browsing by Author "Antikainen, Antti"

The research question of this thesis is about the secondary use of data and a risk-based approach to the regulation of data protection. The intention of this thesis is to explore the current regulation of secondary use of data, which means uses of data that are outside the primary purpose for the collection of data. Law and economics is applied to frame and offer regulatory solutions to the research question. In the current changing environment, the right to privacy is at danger. A fundamental rights conflict has emerged between the right to privacy and the fundamental rights of the data controllers. The online economy is built around the use of personal data, also secondary use is widespread. This conflict needs to be solved, since if data is not used there will be substantial welfare losses to the whole society. The thesis explores the current legislation, mainly the general data protection directive and the EU commission proposal for General data protection regulation. The emphasis is on the concept of purpose restriction and the legality of processing data. The current basis for secondary use of data is the ‘legitimate use’ article 7(f) of the directive, which is implemented in different Member States statutes. The secondary use of personal data must meet the conditions and fulfil the purpose restriction, this is however problematic since the purpose limitation principle limits the future uses of data, and also repurposing the data is problematic. Anonymization is explored as a current solution for the problem. In the field of anonymization there are two major problems, which are the devaluation of the value of the data if the anonymization is conducted robustly. Also the problem is with re-identification, which means that the anonymization is broken and an individual is found from the data set. Enforcement is analyzed, since without functioning sanctions there are incentives for using data without complying with the data protection laws. Current level of sanctions is not sufficient. The increasing value of data calls for proper enforcement; however without new legal inventions a too strict regimen of sanctions will cause new problems. Monetary value of sanctions is seen as a highly important part of a functioning system of data protection. Future research would benefit the setting of effective level of sanctions. The solution the thesis offers for the problematic purpose restriction and legitimacy of data use is based on risk-based regulation. A risk-based solution would allow more data uses while simultaneously protecting the fundamental right to privacy. The proposed model would classify data on the basis of risk the use causes for processing and regulate the different categories. Anonymization is used in certain categories to reduce the risk of processing. With legal inventions the increasing value of data can be harnessed while simultaneously protecting fundamental rights of the data subjects.