Pan-European personal data breaches: Mapping of current practices and recommendations to facilitate cooperation among Data Protection Authorities

Malatras, Apostolos; Sánchez, Inmaculada; Beslay, Laurent; Coisel, Iwen; Vakalis, Ioannis; D'Acquisto, Giuseppe; Sánchez, Manuel García; Grall, Matthieu; Hansen, Marit; Zorkadis, Vasilios

doi:10.1016/j.clsr.2017.03.013

Cited by 9 publications

(9 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Hence, the EU's tooting its own horn about GDPR and its unification is matched by academia's pragmatic tenor. Academia recognizes the anticipated benefit of law consistency in the data protection in the entire EU (Zerlang, 2017) and even beyond (Kuner et al, 2017), but immediately adds that the GDPR poses new challenges in general (Malatras et al, 2017;Raab & Szekely, 2017) as well as vis-à-vis special aspects (Barnard-Willis et al, 2016;Bologno & Bistolfi, 2017;Cradock et al, 2017) to its subjects, including such public law entities as municipalities. Some voices are even more critical and state that the GDPR legal unification is rather more theoretical than real, since formal aspects of the regulation and the content materials of the fundamental right to data protection make this process challenging (Martinéz-Martinéz, 2018).…”

Section: Source: Authorsmentioning

confidence: 99%

Selected Issues from the Dark Side of the General Data Protection Regulation

Cvik

Pelikánová

Malý

2018

Review of Economic Perspectives

View full text Add to dashboard Cite

The Regulation (EU) 2016/679 on the protection of personal data (GDPR) was enacted in 2016 and applies from 25 th May 2018 in the entire EU. The GDPR is a product of an ambitious reform and represents a direct penetration of the EU law into the legal systems of the EU member states. The EU works on the enhancement of awareness about the GDPR and points out its bright side. However, the GDPR has its dark side as well, which will inevitably have a negative impact. Hence, the goal of this paper is twofold -(i) to scientifically identify, forecast, and analyze selected problematic aspects of the GDPR and its implementation, in particular for Czech municipalities, and (ii) to propose recommendations about how to reduce, or even avoid, their negative impacts. These theoretic analyses are projected to a Czech case study focusing on municipalities, which offers fresh primary data and allows a further refining of the proposed recommendations. An integral part of the performed analyses is also a theoretic forecast of expenses linked to the GDPR, which municipalities will have to include in their mandatory expenses and mid-term prognostic expectations regarding the impact on the budgets of these municipalities from Central Bohemia. The GDPR, like Charon, is at the crossing, the capacity and knowledge regarding its application is critical for operating in the EU in 2018. It is time both to admit that the GDPR has its dark side and to present real and practical recommendations about how to mitigate it.

show abstract

Section: Source: Authorsmentioning

confidence: 99%

Selected Issues from the Dark Side of the General Data Protection Regulation

Cvik

Pelikánová

Malý

2018

Review of Economic Perspectives

View full text Add to dashboard Cite

show abstract

“…In this respect, the fact that the NIS and eIDAS Regulation impose cooperation between the supervisory authority and the NDPA in case of a data breach, with ENISA in case of incidents involving two or more states, and with law enforcement authorities whenever incidents are triggered by computer-related crime is welcome. Best practice may build upon the recent cyber exercise coordinated by the Joint Research Centre, 120 and those carried out by ENISA to achieve strategic, operational and technical convergence. 121 The question as to whether the legal framework is achieving the goal of self-improvement is also hard to answer.…”

Section: Optional Threat Sharing E-privacy Directivementioning

confidence: 99%

Patching the patchwork: appraising the EU regulatory framework on cyber security breaches

Porcedda

2018

Computer Law & Security Review

View full text Add to dashboard Cite

Breaches of security, a.k.a. security and data breaches, are on the rise, one of the reasons being the well-known lack of incentives to secure services and their underlying technologies, such as cloud computing. In this article, I question whether the patchwork of six EU instruments addressing breaches (Framework Directive, e-Privacy Directive, eIDAS Regulation, PSD2, GDPR, NIS Directive) is helping to prevent or mitigate breaches as intended. At a lower level of abstraction, the question concerns appraising the success of each instrument separately. At a higher level of abstraction, since all laws converge on the objective of network and information securityone of the three pillars of the EU cyber security policythe question is whether the legal 'patchwork' is helping to 'patch' the underlying insecurity of network and information systems thus contributing to cyber security. To answer the research question, I look at the regulatory framework as a whole, from the perspective of network and information security and consequently I use the expression cyber security breaches. I appraise the regulatory patchwork by using the three goals of notification identified by the European Commission as a benchmark, enriched by policy documents, legal analysis, and academic literature on breaches legislation, and I elaborate my analysis by reasoning on the case of cloud computing. The analysis, which is frustrated by the lack of adequate data, shows that the regulatory framework on cyber security breaches may be failing to provide the necessary level of mutual learning on the functioning of security measures, awareness of both regulatory authorities and the public on how entities fare in protecting data (and the related network and information systems), and enforcing self-improvement of entities dealing with information and services. I conclude with some recommendations addressing the causes, rather than the symptoms, of network and information systems insecurity.

show abstract

“…So the EU opted for a unified legal regime but academia commented on this exceedingly heavily praised presented drive of the EU via pragmatic and more objective observations. Included would be that personal data breaches in the IS / IT environment are frequent, often have a cross-border nature and rarely are effectively and efficiently sanctioned (Malatras et al, 2017 andTurečková, 2014)), that GDPR offers law consistency in data protection in the entire EU (Zerlang, 2017 andZuiderveen Borgesius, 2016), which brings both general (Piekarczyk, 2016) and specific threats and issues (Pormeister, 2017) and about which there is not enough awareness (Raab and Szekely, 2017). Regarding the duty to implement appropriate technical and organization measures to ensure a level of security to protect a natural person's personal data, it is important to unify the, so far, very diverse approach and regime of the controlling data protection authorities, labeled by the GDPR as "supervisory authorities" (Raab and Szekely, 2017) so as to reach a unified, effective and efficient application of the GDPR in the EU.…”

Section: Legislative and Literature Overviewmentioning

confidence: 99%

Impact of GDPR Security Measures on the Intellectual Property and Unfair Competition

Pelikánová

Cvik

2018

Acta Univ. Agric. Silvic. Mendelianae Brun.

View full text Add to dashboard Cite

The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) created a duty to implement appropriate technical and organizational measures to ensure a level of security to protect natural persons with regard to the processing of personal data. Infringement of this duty is severely punished. These GDPR security measures and their operation should effectively and efficiently reflect intellectual property (“IP”) and unfair competition concerns. The theoretic teleological interpretation of the GDPR along with the critical study of the academic literature is complemented by a practical exploratory investigation via a micro‑case study based on interviews of a well‑balanced group of subjects of this GDRP duty – Czech SMEs. Although the yielded results are rather indicative than generally conclusive, they allow to suggest a partial confirmation of the proposed hypotheses that this GDPR duty will have a significant impact on IP and unfair competition. The semi‑conclusions based on the primary and secondary data enlightens the status quo, offers recommendations and brings suggestions for further research.

show abstract

Pan-European personal data breaches: Mapping of current practices and recommendations to facilitate cooperation among Data Protection Authorities

Cited by 9 publications

References 5 publications

Selected Issues from the Dark Side of the General Data Protection Regulation

Selected Issues from the Dark Side of the General Data Protection Regulation

Patching the patchwork: appraising the EU regulatory framework on cyber security breaches

Impact of GDPR Security Measures on the Intellectual Property and Unfair Competition

Contact Info

Product

Resources

About