The EU General Data Protection Regulations and their consequences on computer system design / EUs allmänna dataskyddsförordning och dess konsekvenser för programsystemteknik

Magnusson, Wilhelm

January 2017

As of writing this thesis, the EU’s new data protection laws (GDPR) will start to apply within one year. The new regulations are poorly understood by many and rumours of varying accuracy are circling the IT industry. This thesis takes a look at the parts of the GDPR concerning system design and architecture, clarifying what they mean and their consequences for system design. The new regulations are compared to the old data protection laws (Directive 95/46/EC), showing how companies must alter their computer systems in order to adapt. Using evaluations of the old data protection laws predictions are made for how the GDPR will affect the IT industry going forward. One of the more important questions are what tools are available for companies when adapting to privacy protection regulations and threats. This thesis aims to identify the most common processes for this kind of system modification and compare their effectiveness in relation to the GDPR. / Vid framställningen av denna avhandling är det mindre än ett år innan EUs nya dataskyddsförordning (GDPR) träder i kraft. Många har bristande förståelse av de nya förordningarna och rykten av varierande korrekthet cirkulerar inom IT industrin. Denna avhandling utför en kritisk undersökning utav de delar inom GDPR som berör system design och arkitektur och beskriver dess innebörd för system design. De nya lagarna jämförs med de föregående dataskyddslagarna (Direktiv 95/46/EC) för att påvisa de modifikationer som kommer krävas för att anpassa datorsystem till de nya förordningarna. Genom att undersöka de äldre dataskyddslagarnas effekt på industrin görs även förutsägelser kring hur GDPR kommer påverka IT industrin inom den närmaste framtiden. Än av de intressantare frågorna är vilka metoder som finns tillgängliga för att underlätta systemanpassningar relaterade till dataskyddsförordningar. Denna avhandling syftar att identifiera de mest etablerade av dessa typer av processer och jämföra deras lämplighet i förhållande till GDPR.

GDPR

PbD

PIA

PUL

privacy impact assessment

privacy by design

Directive 95/46/EC

General Data Protection Regulations

Computer Sciences

Datavetenskap (datalogi)

Управление деятельностью по обработке персональных данных на примере региональных органов Роскомнадзора : магистерская диссертация / Management of personal data processing on the example of regional bodies of Roskomnadzor

Бураков, В. В., Burakov, V. V.

January 2019

The master's work consists of 74 sheets, 59 bibliographic sources are used. The relevance of the research topic. The activity of Roskomnadzor in protecting the rights of personal data subjects, with the increasing influence of information technology on all spheres of society, is more important than ever. At the same time, the activities of this body are not as effective as modern realities require. Protocol of amendments to the said Convention in October 2018. The purpose of this master's thesis is to explore the management of personal data processing activities and formulate recommendations for its improvement. To achieve this goal it is necessary to solve the following tasks: get acquainted with the theoretical foundations of the processing of personal data; to compile a characteristic of Roskomnadzor as a state body and business entity using the example of the Roskomnadzor Office in the Urals Federal District; to analyze the results of Roskomnadzor's activities in the field of personal data; develop recommendations for improving the activities of Roskomnadzor in the field of personal data. The studies carried out allowed the formation of a number of measures to improve the activities of Roskomnadzor in protecting the rights of personal data subjects. The significance of the developed measures is characterized by an increase in the effectiveness of the fight against offenses in all spheres of society. / Магистерская работа состоит из 74 листа, использовано 59 библиографических источников. Актуальность темы исследование. Деятельность Роскомнадзора по защите прав субъектов персональных данных, с увеличением влияния информационных технологий на все сферы жизни общества важна как никогда. При этом, деятельность этого органа не так эффективна, как того требуют современные реалии. Протокола изменений к упомянутой Конвенции в октябре 2018 года. Цель данной магистерской диссертации – исследовать управление деятельностью по обработке персональных данных и сформировать рекомендации по её совершенствованию. Для достижения поставленной цели необходимо решить следующие задачи: ознакомиться с теоретическими основами обработки персональных данных; составить характеристику Роскомнадзора как государственного органа и хозяйствующего субъекта на примере Управления Роскомнадзора по Уральскому федеральному округу; провести анализ результатов деятельности Роскомнадзора в области персональных данных; разработать рекомендации по совершенствованию деятельности Роскомнадзора в сфере персональных данных. Проведенные исследования позволили сформировать ряд мероприятий по совершенствованию деятельности Роскомнадзора по защите прав субъектов персональных данных. Значимость разработанных мероприятий характеризуется повышением эффективности борьбы с правонарушениями во всех сферах жизни общества.

MASTER'S THESIS

PERSONAL DATA

PROFESSIONAL ACTIVITIES

PERSONAL DATA SUBJECT

DIRECTIVE 95/46/EC

INVIOLABILITY PRINCIPLE

LIABILITY PRINCIPLE

BIG DATA

PERSONAL DATA LAW

ПЕРСОНАЛЬНЫЕ ДАННЫЕ

ДИРЕКТИВА 95/46/ЕС

БОЛЬШИЕ ДАННЫЕ

Protection of Personal Data, a Power Struggle between the EU and the US: What implications might be facing the transfer of personal data from the EU to the US after the CJEU’s Safe Harbour ruling?

Strindberg, Mona

January 2016

Since the US National Security Agency’s former contractor Edward Snowden exposed the Agency’s mass surveillance, the EU has been making a series of attempts toward a more safeguarded and stricter path concerning its data privacy protection. On 8 April 2014, the Court of Justice of the European Union (the CJEU) invalidated the EU Data Retention Directive 2006/24/EC on the basis of incompatibility with the Charter of Fundamental Rights of the European Union (the Charter). After this judgment, the CJEU examined the legality of the Safe Harbour Agreement, which had been the main legal basis for transfers of personal data from the EU to the US under Decision 2000/520/EC. Subsequently, on 6 October 2015, in the case of Schrems v Data Protection Commissioner, the CJEU declared the Safe Harbour Decision invalid. The ground for the Court’s judgment was the fact that the Decision enabled interference, by US public authorities, with the fundamental rights to privacy and personal data protection under Article 7 and 8 of the Charter, when processing the personal data of EU citizens. According to the judgment, this interference has been beyond what is strictly necessary and proportionate to the protection of national security and the persons concerned were not offered any administrative or judicial means of redress enabling the data relating to them to be accessed, rectified or erased. The Court’s analysis of the Safe Harbour was borne out of the EU Commission’s own previous assessments. Consequently, since the transfers of personal data between the EU and the US can no longer be carried out through the Safe Harbour, the EU legislature is left with the task to create a safer option, which will guarantee that the fundamental rights to privacy and protection of personal data of the EU citizens will be respected. However, although the EU is the party dictating the terms for these transatlantic transfers of personal data, the current provisions of the US law are able to provide for derogations from every possible renewed agreement unless they become compatible with the EU data privacy law. Moreover, as much business is at stake and prominent US companies are involved in this battle, the pressure toward the US is not only coming from the EU, but some American companies are also taking the fight for EU citizens’ right to privacy and protection of their personal data.

EU

EU Law

US Privacy Law

Safe Harbour

Safe Harbor

Data Protection

Personal Data transfer

Facebook

Articles 7

8 and 47 of the Charter

Article 16(1) of the TFEU

Article 8 ECHR

EDPS

Decision 2000/520/EC

Directive 95/46/EC

Personal Integrity

Right to Privacy

Right to Private Life

Data Retention

Surveillance

IT Law

Article 29 Working Party

EU-rätt

EU-stadgan

datalagring

datalagringsdirektivet

personlig integritet

dataskydd

grundläggande rättigheter

proportionalitetsprincipen