
Browsing by Subject "GDPR"


  • Ikäheimonen, Sara (2023)
    This thesis examines the regulatory environment of the EU data economy. We are in the midst of a digital revolution that is the result of more than two decades of intensive research into cryptography and distributed computing. This development has given rise to a groundbreaking technology: blockchain. Blockchain technology is a distributed ledger system that enables transactions to be recorded securely and immutably in a data network. In addition, blockchain facilitates the creation of new governance systems by means of decentralised organisations that are able to operate autonomously in a computer network without human intervention. These innovative applications have led to comparisons between blockchain and the internet, which in turn has fuelled predictions that this technology will disrupt the influence of centralised authorities. In response to the changes taking place in society, the EU has adopted a new action plan aimed at regulating the digital single market. As a starting point, this thesis examines the new regulatory frameworks and presents the main features of blockchain technologies (also known as Distributed Ledger Technologies), while also examining the concrete challenges that this technology poses for law enforcement. It then moves on to three case studies as examples of regulation and use. The first case study focuses on the compatibility of blockchain with the General Data Protection Regulation. The structure of blockchains in itself poses significant challenges for compatibility with the GDPR. This is due to the immutability of the data stored on a blockchain, which is one of the key features of blockchain. The second case study then sheds light on how a blockchain system can be used in the context of intellectual property law, for example in the registration of intellectual property rights. 
The third case study examines how blockchain and NFTs can be used in the creative industries and presents recommendations on the challenges identified.
  • Elevant, Ina (2021)
    The rise of the Internet of Things (IoT) has brought with it an unimaginable ease of large-scale collection and sharing of personal data. Such large-scale collection and sharing are often done on the basis of the data subject’s consent. Consent enjoys a prominent role in the European data protection framework. Consent has, however, been criticised for not providing individuals with adequate protection in online environments. This problem will only be exacerbated with the rise of IoT as IoT extends the data collection practices of the online environments also to offline environments. The purpose of this thesis is to explore the use of consent in the processing of personal data in the IoT. There are two research questions this thesis aims to answer: i) what are the problems and challenges related to the traditional consent based model in relation to IoT, and ii) is there an alternative way forward to user consent? This will be done through legal doctrinal methodology. However, this thesis will also take an interdisciplinary approach as it also draws from disciplines other than law such as technology, behavioural sciences and economics. This thesis shows that, in a digitalized world, consent is neither freely given nor informed, thus challenging the notion of valid consent. These problems arise from information and power asymmetries that are present between data subjects and controllers. However, IoT also brings with it a unique set of problems as most IoT devices lack screens and input methods, making it hard for individuals to access information and provide consent. Moreover, the unobtrusive and ubiquitous nature of IoT makes data collection activities invisible, making it hard to apply the transparency principle. It is also predicted that the presence of IoT in public spaces leads to the diminishment of private spaces. In light of this, this thesis discusses some alternative ways forward to user consent. 
The first approach focuses on improving consent, while the second approach aims to shift the focus away from consent by placing accountability on controllers. While both of these alternatives have appeal, they do not come without challenges. Therefore, more research is needed in the field of IoT and data protection.
  • From, Alexandra (2020)
    Data protection has become a pivotal topic in modern democratic societies. Lawmakers have, however, faced challenges in protecting data in the face of rapid technological growth and development in the online environment. ‘Cookies’ are a prominent tool for website operators that enable the collection and processing of vast amounts of personal data of internet users. The use of cookies is based on the user’s consent as required under Article 5(3) of Directive 2002/58/EC (ePrivacy Directive). It is, however, questionable whether cookie consent and notice practices are de facto effective in protecting internet users and providing them control over the use of their data obtained via cookies. The goal of this master’s thesis is to analyse whether the traditional model of consent and notice is the appropriate legal basis for the use of website cookies. The research question is divided into two parts. The first part concerns whether consent and notice are an effective tool in providing control and protection to individuals with respect to personal data processed through internet cookies. The second part concerns whether the EU’s data protection framework provides clear and harmonised rules on cookie consents and notices. It will focus especially on the General Data Protection Regulation 2016/679 (GDPR) and the ePrivacy Directive. This thesis uses mainly the legal doctrinal method and qualitative empirical evidence in answering its research question. After the introductory chapter, this thesis will in chapter 2 define cookies and their purposes, as well as outline the legal framework used in this research. Chapter 3 introduces the reader to the concept of consent and its different components, as well as the transparency principle and the accompanying information obligation. Consent consists of freely given, specific, informed and unambiguous elements. Chapter 4 will then discuss the first part of the research question. 
It will be seen that cookie consents and notices are burdened by many factors as evidenced through behavioural economics, cognitive and structural problems, as well as other factors. It is concluded, therefore, that cookie consents and notices in their traditional form are not an effective tool in providing control and data protection to internet users. Nevertheless, consent and notice are so enshrined in the EU’s data protection regime that they will not be easily abandoned. Chapter 5 discusses the second part of the research question by looking at practical examples in order to see how websites from the legal sector and different national data protection authorities have complied with cookie consent and notice obligations. It will be seen that cookie rules are interpreted inconsistently by even these websites, which has resulted in noncompliance in some instances. Hence, it is concluded that the GDPR and the ePrivacy Directive have failed to harmonise cookie consents and notices. Chapter 6 will look to the future and discuss briefly the proposed Regulation on Privacy and Electronic Communications (ePrivacy Regulation) in terms of i) ‘cookie walls’, which basically coerce website users to accept cookies or otherwise they will be denied access to the site or service, and ii) the legitimate interests ground, which has been introduced as an alternative legal basis to consent with respect to cookies in the latest revised draft of the ePrivacy Regulation adopted on 21 February 2020 by the Croatian Presidency. It will be concluded in chapter 7 that the traditional model of consent and notice might not always be the appropriate legal basis for cookies, hence legislators should look into other legal bases as well, such as the legitimate interest ground. However, whether or not this ground will be able to provide better protection and control to internet users remains to be seen.
  • Hämäläinen, Rasmus (2024)
    The purpose of age verification under the GDPR is to verify whether a child is old enough to give valid consent for the processing of their personal data. Article 8 of the GDPR includes a requirement for age verification but Articles 24(1) and 25(1) of the GDPR, for example, define how age verification must be implemented to ensure effectiveness and appropriateness. The study, for the first time, employs the legal dogmatic method to analyze how age verification is systematically interpreted in the video game environment. The study proposes that age verification is the most critical aspect of Article 8 due to the dependencies of age verification on other key elements of the article. The study further proposes that in the implementation of age verification, the data controller’s risk assessment determines how the age verification mechanism should be selected. Additionally, it is argued that demonstrating the effectiveness of age verification (accountability) is influenced by both the data controller’s and supervisory authority’s capabilities and willingness. The study also investigates through empirical research how age verification and access to video games are implemented in different video games. The examination reveals especially that access to the investigated video games is easy for individuals of any age and, if age is verified, it is done through self-declaration.
  • Hernberg, Anna (2022)
    The development of technology and digitalisation has made it possible for more and more activity to move to the online environment. Companies and other actors can benefit from people's actions on the internet by collecting data about them and, for example, using the information to develop their services or their operations. The data has thereby become valuable for trade, and this data can be transferred between actors and across national borders. This development has made clear the need to ensure the protection of personal data and its secure processing, also in situations where it is transferred. The purpose of the thesis is to examine the protection of personal data that is ensured in the data protection legislation of the European Union. The most central instrument in the data protection legislation is the General Data Protection Regulation, which will serve as the basis for the thesis. Furthermore, the thesis examines how the protection of personal data is extended to situations where personal data is transferred outside the borders of the Union. In addition, the thesis examines the effect of the General Data Protection Regulation outside the borders of the Union, as it can be applied to actors that are not established within the Union. The thesis also presents two cases from the Court of Justice of the European Union that have been significant for the transfer of personal data. The thesis consists of three main parts. The second chapter of the thesis examines how personal data is defined, how the protection of personal data is constructed and how the processing of personal data is regulated in the General Data Protection Regulation. The third chapter of the thesis deals with the General Data Protection Regulation in more detail and how its territorial scope can be regarded as extraterritorial. Challenges that may arise from the broad territorial scope are also discussed in the chapter. The fourth chapter deals with transfers of personal data in the light of the General Data Protection Regulation and the different transfer mechanisms that the Regulation permits. 
The chapter also presents the cases Schrems I and II, which have caused uncertainty in the area of transfers of personal data from the European Union to the United States. Through these judgments, the mechanisms that had previously enabled the transfer of personal data in order to ensure an adequate level of protection for personal data were declared invalid. The thesis will present various proposed avenues for development in the area in order to avoid a similar situation in the future. The thesis ends with conclusions.
  • Välimäki, Sara (2022)
    In the modern European data economy two central ideals are in tension. Collection and processing of personal data is central to the commerce, development and innovation in Europe, but these interests must be balanced with robust protections for the human right to privacy. Anonymisation of personal data has been seen by some to have high potential to ease the tension between the interest to use data and the protection of the individual’s privacy. This approach has been examined by many European actors, including Data Protection Authorities. Further, there is precedent of anonymisation being interpreted as an equal alternative to erasure, in a specific case after a right to erasure request was made by a data subject in a commercial relationship. In this thesis I discuss anonymisation in European data law, and specifically whether the approaches that promote the view that anonymisation can be understood as an erasure alternative are in line with European data law. I examine anonymisation with a dogmatic method and connect the legal understanding to perspectives of how anonymisation and erasure are understood in data science. To discover whether these approaches are incompatible with European data law, I pose the question of whether anonymisation fulfils the protections laid out in Article 17 of General Data Protection Regulation (EU) 2016/679. To answer this question, I define the framework of successful application of the protections of the right to erasure, and with this methodology comparatively analyse erasure and anonymisation against the common criteria. It emerges that the concept of anonymisation is not clearly defined by the European primary sources, and further that the Data Protection Authorities’ approaches vary. Concepts of personal data and anonymous data are not in symmetry, and there is a grey area around these terms. 
The European legal understanding of anonymisation as a concept, and to a lesser degree of erasure, is distanced from the data science understanding of the terms. Developing a more nuanced understanding of anonymisation, both as a concept and its types and goals specifically, would provide tools for European data law to create a more robust and future-proof legal framework. These findings show that European data law should develop a fuller and more nuanced understanding of these concepts and their connections. In this way, European data law could foster a bright, secure and balanced legal framework, creating opportunities and security for both data subjects and data controllers alike.
  • Bhardwaj, Shivam (2020)
    The banking and financial sector has often been synonymous with established names, with some having a centuries-old presence. In the recent past these incumbents have been experiencing a consequential disruption by new entrants and rapidly changing consumer demands. These disruptions to the status quo have been characterised by a shift towards adoption of technology and artificial intelligence, particularly in the services and products offered to the end customers. The changing business climate in the financial sector has raised many convoluted questions for the regulators. These complications cover a vast set of issues – from the concerns relating to the privacy of data of the end users to the increasing vulnerability of the financial market, to disproportionately increased compliance requirements for new entrants, all form part of the mesh of questions that have arisen in the wake of new services and operations being designed with the aid and assistance of artificial intelligence, machine learning and big data analytics. It is against this background that this Thesis seeks to explore the trajectory of the development of the legal landscape for regulating artificial intelligence – both in general and specifically in the financial and banking sector, particularly in the European Union. During the analysis, existing legal enactments, such as the General Data Protection Regulation, have been scrutinised and certain observations have been made regarding the areas that still remain unregulated or open to debate under the law as it stands today. In the same vein, an attempt has been made to explore the emerging discussion on a dedicated legal regime for artificial intelligence in the European Union, and those observations have been viewed from the perspective of the financial sector, thereby creating thematic underpinnings that ought to form part of any legal instrument aiming to optimally regulate technology in the financial sector. 
To concretise the actual application of such a legal instrument, a European Union member state has been identified and the evolution of the regulatory regime in the financial sector has been discussed with the said member state’s financial supervisory authority, thus highlighting the crucial role of the law making and enactment bodies in creating and sustaining a technologically innovative financial and banking sector. The themes recognised in this Thesis could be the building blocks upon which the future legal discourse on artificial intelligence and the financial sector could be structured.
  • Frolova, Ekaterina (2020)
    The Research aims to study the notions of responsibility and liability of controllers and processors and their development that led them to the current status under the GDPR. The Research will also evaluate the importance of the changes in business practices, whether the transition to the GDPR regime was easy, and whether it was fully completed. The First Chapter of the Research studies the development of data protection legislation at the national and international levels, as well as the main points about data protection law in the EU, focusing on the development of the responsibility and liability of controllers and processors. In the Second Chapter, the Research studies the approaches to the responsibility and liability of controllers and processors in the EU in detail. The provisions of the GDPR will be explored in comparison with the DPD, and the main changes for controllers or processors are discussed. In the Third Chapter, three recent cases related to non-compliance of different types of controllers are examined: a public authority, a legal service provider and a retailer. This chapter studies the actual examples of challenges of the controllers and their consequences. The Research found that in any period of the development of legislation and at any level, the controller remained primarily responsible and liable, even when the concept of the processor was formed under the DPD. Even though the GDPR introduced several duties that aimed at both the controller and processor and those that were targeting the processor specifically, the existing available practice mainly concerns the controller. The Research also showed that there is still a need to improve the controller’s compliance with the obligations imposed under the GDPR.
  • Vergara, Javier (2023)
    In my thesis, I explore the roles and responsibilities of software developers as data controllers under the General Data Protection Regulation (hereinafter ‘GDPR’), focusing on the complexities arising from centralised and decentralised software development processes. I address two research questions: (i) taking into account the factors and considerations specific to centralised and decentralised software development processes, how can the roles and responsibilities of software developers as data controllers be determined under the GDPR? and (ii) how may the unique features of Decentralised Applications (hereinafter ‘dApps’) influence the assignment of data controllership in the context of the GDPR? To answer my research questions, I first start by establishing a comprehensive understanding of some relevant core concepts: data controllership, software development, and the varying levels of centralisation in software development. Thereafter, I analyse the roles of individuals within Software Development Companies, SDAs, open source projects, dApps, and smart contracts. In centralised development, assigning controllership is more straightforward, but some complex situations like joint controllership may arise in certain cases. Decentralised software development processes, like in open source projects, complicate the determination of data controllership due to dispersed decision-making across various roles. Examining these roles and different project categories helps to better understand potential data controllership allocations. Furthermore, I discuss specific challenges in determining data controllership in dApps and smart contracts. The totally decentralised nature of dApps and the immutability of their source code further complicate things when trying to identify a single entity with control over the processing of personal data. Additionally, establishing accountability (which is a cornerstone of data controllership) is difficult without control. 
Currently, no definitive guidance on this matter exists, suggesting that additional legislation may be needed to address the intricacies of decentralised systems within the context of the GDPR. Throughout my thesis, I emphasise the importance of a case-by-case analysis for determining data controllership, and provide insights into potential assessment outcomes. Overall, my research serves as a foundation for understanding software developers’ roles and responsibilities as data controllers in various development processes under the GDPR.
  • Venizelakos, Aristidis (2024)
    This thesis examines the principle of the Brussels Effect and its impact on privacy law and regulation between the EU and the US. The thesis explains how the Brussels Effect is the premise that the rules and regulations originating from Brussels have penetrated many aspects of economic life both inside and outside the EU through the process of “unilateral regulatory globalization”. It is argued that the US simply cannot afford to bypass the large internal market of the EU, and this gives US companies and regulators the incentive to conform with these EU standards. Furthermore, when it comes to global data transfers the EU primarily regulates an “inelastic” consumer market, which cannot simply be avoided or diverted to another jurisdiction due to the GDPR’s extraterritorial scope. Although a Brussels Effect clearly exists, this does not mean that it always results in compliance and the protection of data subject rights in daily practice. This proposition is supported by analysing a data subject complaint filed against Airbnb and by considering Article 22 of the GDPR, including the regulation of automatic decision making and profiling technologies. Ultimately, Schrems II and its findings, which were reflected in the Trans-Atlantic Privacy Framework, are analysed to support the argument that the Brussels Effect is still operating strongly but its real impact can only be assessed after the Trans-Atlantic Privacy Framework has been implemented and has been operating in practice for a sufficient period.
  • Zhakhina, Saltanat (2019)
    The purpose of the thesis is to assess the compatibility of the business model of providing free online services in exchange for processing of personal data for advertising purposes, in particular for the Online Behavioural Advertising purpose, with the GDPR. Online Behavioural Advertising is a main way through which free online services are funded. At the same time, the large-scale personal data collection and intrusive profiling that the controllers engage in pose significant risks for the rights of the data subjects. Empirical findings show that the companies using such a business model oftentimes collect large amounts of personal data in violation of the GDPR. In addition, the researchers highlight the power asymmetries between the large online platforms and the data subjects. Therefore, whether such a business model is compatible with the GDPR from a legal perspective is of particular importance. The first part of the thesis focuses on the lawfulness of the existing data collection practices in the context of the business model in question. The second part of the thesis discusses the profiling and data sharing in the context of such a model and the third part focuses on the principles of data protection by design and by default. The mentioned legal provisions are analysed with the focus on their compatibility with the business model in question. The research found that the business model seems to be compatible with the GDPR in the sense that it is in principle possible for the controllers to comply with its requirements. Such compliance, however, would likely lead to a decrease in revenue for the controllers who relied on an unsuitable legal basis or who manipulated users into giving away more PD. At the same time, such compliance still would not give effective protection to the data subjects’ rights due to the lack of more explicit, precise and specific rules in the GDPR.
  • Ylä-Rautio, Joonas (2024)
    The thesis deals with the piercing of the corporate veil (vastuun samastus), an exception to the limited liability of shareholders that is not regulated in the Limited Liability Companies Act (osakeyhtiölaki, OYL). Piercing the corporate veil is recognised as a phenomenon and largely accepted in case law and legal literature. The focus is on the allocation and piercing of the veil in respect of compensation for damages and administrative sanctions under the General Data Protection Regulation (GDPR), owing to their somewhat special nature. The topic is significant for many companies, because the aforementioned consequences under the GDPR can rise to a very high monetary value and have a fatal effect on the operations of small and medium-sized enterprises in particular. The shareholders of a company that runs into payment difficulties may be interested in whether they can be held liable for the company's obligations when insolvency threatens. The intuitive answer is that shareholders are not personally liable for the company's debts even in bankruptcy, but the thesis finds that there is a rather surprising and somewhat unclear exception to this main rule in the GDPR. However, there is not yet any binding field-specific case law on the observed exception at either national or Union level. Before turning to the special features of data protection liabilities, the thesis delves into piercing the corporate veil in company law. When the needs for amending the Limited Liability Companies Act were examined, piercing the veil was deliberately left to develop through case law. Drawing on this domestic case law and the literature interpreting it, this thesis seeks to establish conditions for piercing the veil that are as generally valid as possible and upon whose fulfilment the limited liability of shareholders may be departed from in exceptional situations. As regards compensation for damages and sanctions under the GDPR, the thesis examines to which party they are allocated under the Regulation and whether this affects the liability position of shareholders. 
The Regulation itself is fairly clearly worded as regards the allocation of liabilities, but the reference in its preamble to Articles 101 and 102 TFEU muddies the waters. According to the case law of the CJEU concerning them, liability for competition law infringements can be allocated to economic units, which may consist of several legal persons. On this basis, the European Data Protection Board has stated in its guidelines that a parent company can also be held liable for the payment of its subsidiary's administrative sanctions. Finally, a position is taken on how this soft-law statement affects shareholders' liability for consequences under the GDPR. The state of affairs is not entirely clear, because the CJEU has not yet taken a position on it, and there is hardly any national practice either. In addition, if the guidelines are to be interpreted as meaning that a parent company can be held liable only for administrative sanctions, these are treated differently from compensation for damages. This places damages creditors, who are in a vulnerable position, at a disadvantage. From the perspective of corporate groups, the limitation of liability to a single company alone is a good thing for the legal protection of the shareholder, but because of the inconsistency in the application of the Regulation it remains to be seen how the different consequences will ultimately be treated in case law.