Dissertations / Theses on the topic 'Data Protection Directive'

The right to private and family life and the right to the protection of personal data are two fundamental rights of the EU. The protection of these rights is addressed in the new General Data Protection Regulation (GDPR), the Directive on Privacy and Electronic Communications (ePrivacyDirective) and the upcoming new Regulation on Privacy and Electronic Communications (draft ePrivacy Regulation). In this thesis these three legal acts are evaluated in light of profiling through ultrasound tracking technology. Their technology neutrality and their functioning as safeguards of the two fundamental rights against the use of profiling through ultrasound tracking technology is tested. The GDPR is found to differentiate between profiling in the context of automatic decision-making and profiling in other contexts. The process of profiling is described in general terms. It is shown how tracking technologies in general and ultrasound tracking technology in particular have a central role in the profiling process.It is found that ultrasound tracking technology enables far wider tracking and data collection than the other tracking technologies. Differences and similarities between ultrasound tracking technology and other tracking technologies are described. According to the findings, the three legal instruments, the GDPR, the ePrivacy Directive and the draft ePrivacy Regulation, all live up to their aim of technology neutrality on theoretical level, since profiling through ultrasound tracking technology is within the material scope of all of them. An exemption is Article 8(2) of the draft ePrivacy Regulation that, unlike Article 9 of the ePrivacyDirective, does not stretch to cover location tracking through ultrasound technology. However, as will be shown, there are risks related to the practical implementation of these legal frameworks.

As of writing this thesis, the EU’s new data protection laws (GDPR) will start to apply within one year. The new regulations are poorly understood by many and rumours of varying accuracy are circling the IT industry. This thesis takes a look at the parts of the GDPR concerning system design and architecture, clarifying what they mean and their consequences for system design. The new regulations are compared to the old data protection laws (Directive 95/46/EC), showing how companies must alter their computer systems in order to adapt. Using evaluations of the old data protection laws predictions are made for how the GDPR will affect the IT industry going forward. One of the more important questions are what tools are available for companies when adapting to privacy protection regulations and threats. This thesis aims to identify the most common processes for this kind of system modification and compare their effectiveness in relation to the GDPR.
Vid framställningen av denna avhandling är det mindre än ett år innan EUs nya dataskyddsförordning (GDPR) träder i kraft. Många har bristande förståelse av de nya förordningarna och rykten av varierande korrekthet cirkulerar inom IT industrin. Denna avhandling utför en kritisk undersökning utav de delar inom GDPR som berör system design och arkitektur och beskriver dess innebörd för system design. De nya lagarna jämförs med de föregående dataskyddslagarna (Direktiv 95/46/EC) för att påvisa de modifikationer som kommer krävas för att anpassa datorsystem till de nya förordningarna. Genom att undersöka de äldre dataskyddslagarnas effekt på industrin görs även förutsägelser kring hur GDPR kommer påverka IT industrin inom den närmaste framtiden. Än av de intressantare frågorna är vilka metoder som finns tillgängliga för att underlätta systemanpassningar relaterade till dataskyddsförordningar. Denna avhandling syftar att identifiera de mest etablerade av dessa typer av processer och jämföra deras lämplighet i förhållande till GDPR.

This thesis examines predictive modelling from the legal perspective. Predictive modelling is a technology based on applied statistics, mathematics, machine learning and artificial intelligence that uses algorithms to analyse big data collections, and identify patterns that are invisible to human beings. The accumulated knowledge is incorporated into computer models, which are then used to identify and predict human activity in new circumstances, allowing for the manipulation of human behaviour. Predictive models use big data to represent people. Big data is a term used to describe the large amounts of data produced in the digital environment. It is growing rapidly due mainly to the fact that individuals are spending an increasing portion of their lives within the on-line environment, spurred by the internet and social media. As individuals make use of the on-line environment, they part with information about themselves. This information may concern their actions but may also reveal their personality traits. Predictive modelling is a powerful tool, which private companies are increasingly using to identify business risks and opportunities. They are incorporated into on-line commercial decision-making systems, determining, among other things, the music people listen to, the news feeds they receive, the content people see and whether they will be granted credit. This results in a number of potential harms to the individual, especially in relation to personal autonomy. This thesis examines the harms resulting from predictive modelling, some of which are recognized by traditional law. Using the European legal context as a point of departure, this study ascertains to what extent legal regimes address the use of predictive models and the threats to personal autonomy. In particular, it analyses Article 8 of the European Convention on Human Rights (ECHR) and the forthcoming General Data Protection Regulation (GDPR) adopted by the European Union (EU). Considering the shortcomings of traditional legal instruments, a strategy entitled ‘empowerment’ is suggested. It comprises components of a legal and technical nature, aimed at levelling the playing field between companies and individuals in the commercial setting. Is there a way to strengthen humanity as predictive modelling continues to develop?

Les usages quotidiens des citoyens d’une société numérique produisent des données de manière exponentielle, et ce, à une vitesse considérable. Dans un tel contexte, le développement de technologies de collecte massive de données apparait comme une évidence. De telles technologies impliquent le traitementde données à caractère personnel afin de créer une valeur économique ou encore d’optimiser des processus métiers ou décisionnels. Le règlement général sur la protection des données (UE) 2016/679 (RGPD) tend à encadrer ces pratiques en respectant des impératifs de souplesse et de neutralité technologique. Cependant, le big data s’avère d’une complexité inédite, ses caractéristiques propres allant à l’encontre même de plusieurs principes du règlement général sur la protection des données. Largement partagé, ce constat a peu à peu imposé une forme implicite de status quo ne permettant pas la résolution effective de l’incompatibilité entre la réalité du big data et son encadrement juridique opéré par le règlement général à son égard. Pour ce faire, une approche distributive, fondée sur les composantes du big data que sont sa structure, ses données ainsi que ses capacités algorithmiques, permettra ensuite d’étudier la qualification de cette notion afin d’en dégager un régime approprié. Résoudre une telle problématique passera tout d’abord par une actualisation de la qualification de données à caractère personnel afin de répondre à la complexification des traitements de données réalisés à l’aide de capacités algorithmiques avancées. De plus, la responsabilisation des différents acteurs impliqués, notamment au travers du régime de responsabilité conjointe de traitement, sera associée à la notion de risque afin d’apporter l’actualisation nécessaire à l’encadrement du big data. Pour finir, l’application d’une méthodologie d’analyse d’impact sur la protection des données viendra éprouver puis synthétiser l’indispensable renforcement de l’adéquation entre la théorie juridique et la réalité pratique du big data
Citizens’ daily uses of technologies in a digital society exponentially produce data. In this context, the development of massive data collection appears as inevitable. Such technologies involve the processing of personal data in order to create economic value or to optimize business or decision-making processes. The General Data Protection Regulation (EU) 2016/679 (GDPR) aims to regulate these practices while respecting the imperatives of flexibility and technological neutrality. However, big data is proving to be an unprecedentedly complex legal issue, as its specific characteristics oppose several principles of the General Data Protection Regulation. Widely shared, this observation has gradually imposed an implicit form of status quo that does not allow for the effective resolution of the incompatibility between the reality of big data and the legal framework provided by the GDPR. In order to solve this equation, a distributive approach, based on the components of the big data: its structure, its data and its algorithmic capabilities, will then make it possible to study the qualification of this notion in order to identify an appropriate regime. Overcoming such a problem will, first of all, involve updating the qualification of personal data in order to respond to the increasing complexity of data processing carried out using advanced algorithmic capabilities. In addition, the accountability of the various actors involved, in particular through joint responsibilities for processing, will be associated with the notion of risk in order to bring the necessary updating to the regulation of big data. Finally, the application of a data protection impact analysis methodology will test and then synthesize the indispensable strengthening of the adequacy between legal theory and the practical reality of big data

Frågan om rätten till personlig integritet är aktuell på ett helt annat sätt idag än den var på 1990-talet. Sedan dataskyddsdirektivet trädde i kraft har behandlingen av personuppgifter ökat exponentiellt. Informationsteknik har möjliggjort en omfattande kartläggning av personers beteenden online. Idag använder många webbplatser funktioner för att samla in och på andra sätt behandla sina besökares personuppgifter. Samtidigt har informationen om personuppgiftsbehandlingen som ges till enskilda på webbplatser i många fall blivit omfattande och komplicerad. Ett av syftena med den nya dataskyddsförordningen är att bygga upp konsumenters förtroende för handel på internet. Förordningen syftar även till att stärka skyddet för enskildas personliga integritet. Bestämmelserna kan anses vara svårtydda, vilket kan leda till att skyddet som bäst blir oförändrat. I ett samhälle som blir alltmer digitaliserat tycks det önskvärt att de moderna reglerna håller vad de lovar, annars kan konsekvenserna bli stora. I denna uppsats diskuteras om dataskyddsförordningens krav på informerat samtycke förbättrar förutsättningarna för ett effektivt skydd för den personliga integriteten. De nya bestämmelserna är mer omfattande men har kritiserats för att vara otydliga, närmare principer i direktiv snarare än direkt tillämplig förordningstext. Bestämmelserna behöver också vägas mot andra rättigheter. Därför kan bestämmelserna om samtycke och informationsplikt leda till ett sämre skydd för enskilde om inte tydlig vägledning ges. Det är därför en risk som kommer behöva beaktas vid tillämpningen av förordningen. Om personuppgiftsansvariga saknar vägledning finns en risk att bestämmelserna i praktiken inte ger enskilda den kontroll över sina personuppgifter som var avsedd.

This diploma thesis is focused on the development of a new backup plan and its implementation. In introductory part of the thesis I explore the theorethical backround of data backup and data management. Next part is dedicated to analysis of current state and investor requierements. Last part is aimed to implementation of new backup plan with focusing on economic and quality point of view. Besides concept and realization of backup plan the concept of the backup directive is created .

Since the US National Security Agency’s former contractor Edward Snowden exposed the Agency’s mass surveillance, the EU has been making a series of attempts toward a more safeguarded and stricter path concerning its data privacy protection. On 8 April 2014, the Court of Justice of the European Union (the CJEU) invalidated the EU Data Retention Directive 2006/24/EC on the basis of incompatibility with the Charter of Fundamental Rights of the European Union (the Charter). After this judgment, the CJEU examined the legality of the Safe Harbour Agreement, which had been the main legal basis for transfers of personal data from the EU to the US under Decision 2000/520/EC. Subsequently, on 6 October 2015, in the case of Schrems v Data Protection Commissioner, the CJEU declared the Safe Harbour Decision invalid. The ground for the Court’s judgment was the fact that the Decision enabled interference, by US public authorities, with the fundamental rights to privacy and personal data protection under Article 7 and 8 of the Charter, when processing the personal data of EU citizens. According to the judgment, this interference has been beyond what is strictly necessary and proportionate to the protection of national security and the persons concerned were not offered any administrative or judicial means of redress enabling the data relating to them to be accessed, rectified or erased. The Court’s analysis of the Safe Harbour was borne out of the EU Commission’s own previous assessments. Consequently, since the transfers of personal data between the EU and the US can no longer be carried out through the Safe Harbour, the EU legislature is left with the task to create a safer option, which will guarantee that the fundamental rights to privacy and protection of personal data of the EU citizens will be respected. However, although the EU is the party dictating the terms for these transatlantic transfers of personal data, the current provisions of the US law are able to provide for derogations from every possible renewed agreement unless they become compatible with the EU data privacy law. Moreover, as much business is at stake and prominent US companies are involved in this battle, the pressure toward the US is not only coming from the EU, but some American companies are also taking the fight for EU citizens’ right to privacy and protection of their personal data.

La protection des données personnelles sensibles consistait, jusqu'au RGPD, en un contrôle préalable réalisé par une autorité indépendante, malgré l’obstacle posé à la libre circulation. Cette protection renforcée est aujourd'hui remplacée par l’obligation du responsable de traitement d’élaborer une étude d’impact. Une telle mutation implique un risque de pré-légitimation des traitements et peut être favorable au responsable de traitement. Or, est-elle conforme au droit fondamental à la protection des données personnelles ? La thèse interroge le contenu de ce droit et la validité du RGPD. À partir d'une étude comparative allant des années 1970 à nos jours, entre quatre pays et l’Union européenne, les données personnelles sensibles sont choisies comme moyen d'analyse en raison de la protection particulière dont elles font l’objet. Il est démontré qu’en termes juridiques, la conception préventive fait partie de l’histoire de la protection européenne des données et peut donner un sens à la protection et à son seul bénéficiaire, l’individu.Un tel sens serait d’ailleurs conforme aux Constitutions nationales qui garantissent aussi l’individu malgré leurs variations. Cependant, cette conception n’est pas forcement compatible avec l’art. 8 de la Charte des droits fondamentaux de l’UE. La thèse explique que cette disposition contient la garantie d’une conciliation (entre les libertés de l’UE et celles des individus) qui peut impliquer une réduction de la protection de ces dernières. Or, il revient à la CJUE, désormais seule compétente pour son interprétation, de dégager le contenu essentiel de ce droit ; objectif auquel la thèse pourrait contribuer
Before the GDPR, protection of sensitive personal data consisted of a prior check by an independent authority despite limiting their free movement. This has been replaced by the obligation of the controller to prepare a privacy impact assessment. With this modification, one can assume a risk of pre-legitimization of data processing, putting the controller at an advantage. Is that compatible with the fundamental right to the protectionof personal data ? This thesis questions the content of this right and the validity of the GDPR. It is based on a comparative study from 1970s until present day between four European countries and the European Union, in which sensitive data are chosen as a meanto the analysis due to their particular protection. Research shows that in legal termsthe preventive conception is a part of the history of protection in the European Union. By limiting freedom of processing it gives meaning to protection and its only subject,the individual. Such an interpretation is compatible with National Constitutions despite their variations. However, the preventive conception of data protection is not so easily compatible with article 8 of the European Charter of Fundamental Rights. The thesis puts forward that this article contains the safeguard of a balancing, between EU liberties and individuals’ freedoms, which implicates reduced protection. It is up to the European Court of Justice to identify the essence of this right, an aim to which this thesis could contribute

Dissertação de Mestrado em Gestão e Políticas Públicas
Num mundo onde cada vez mais a informação se encontra facilmente disponível, surgem novos desafios à proteção dos dados pessoais dos cidadãos. O tema da proteção de dados pessoais tem ganho crescente importância no contexto atual, isto porque a informação é cada vez mais um bem fundamental e por isso mesmo tem de ser devidamente protegida, pois uma simples divulgação de dados pode causar danos irreversíveis, quer a um nível micro, quer a um nível macro. Deste modo importa conhecer o que a União Europeia já fez e o que está a fazer nesta matéria. Assim, com base neste contexto, o trabalho que aqui se apresenta pretende identificar os fatores (barreiras e facilitadores) que influenciam a implementação e aplicação das diretivas comunitárias de proteção de dados pessoais em Portugal. Para a identificação destes fatores, optámos por uma metodologia de natureza qualitativa e realizámos entrevistas semi-estruturadas a quatro profissionais da área da proteção de dados pessoais. Para a realização da investigação recorremos ainda à pesquisa bibliográfica, análise documental, participação em conferências e entrevistas exploratórias. Na fase de resultados e após a análise de conteúdo das entrevistas, concluiu-se que das catorze questões incorporadas no guião, treze questões são facilitadores do processo de aplicação das diretivas comunitárias de proteção de dados pessoais em Portugal, umas com maior incidência do que outras. No entanto conseguimos identificar as questões com mais facilitadores e com mais barreiras, identificando assim as condições de sucesso e de insucesso para a aplicação das diretivas. Neste trabalho indicamos as diretivas de proteção de dados pessoais e as respetivas leis que as transpõem. A realização deste trabalho permitiu ainda abordar questões importantes no âmbito da proteção de dados pessoais, como é o caso dos direitos dos titulares dos dados, das obrigações dos responsáveis pelo tratamento dos dados ou ainda a Comissão Nacional de Proteção de Dados.
In a world where more and more information is easily available, there are new challenges to the protection of personal data of citizens. The issue of personal data protection has gained increasing importance in the current context, this is because information is increasingly a fundamental and must be properly protected, because a simple disclosure of data can cause irreversible damage, either to a micro level, either at the macro level. Thus it is important to know what the European Union has done and what it is doing in this area. Thus, based on this context, the work presented here aims to identify the factors (barriers and facilitators) that influence the implementation and application of EU directives of personal data protection in Portugal. To identify these factors, we opted for a qualitative methodology and held semi-structured interviews to four professionals in the field of personal data protection. To carry out the research we use also to literature, document analysis, participation in conferences and exploratory interviews. In the results and after the content analysis of the interviews, it was concluded that the fourteen issues incorporated in the script, thirteen issues are facilitators of the process of application of community directives of personal data protection in Portugal, with higher incidence than other. However we can identify the issues with more facilitators and more barriers, identifying the conditions of success and of failure to implement the directives. In this work we indicate the personal data protection directives and the respective laws that transposes. This work also helped to address important issues in the protection of personal data, such as the rights of data subjects, the obligations of data controllers or the National Data Protection Commission.
N/A

One of the realities that developing countries like Nigeria have to face today is that national and international markets have become more and more interconnected through the global platform of telecommunications and the Internet. This global networked economy is creating a paradigm shift in the focus of development goals and strategies particularly for developing countries. Globalisation is driving the nations of the world more into political and economic integration. These integrations are enhanced by a globally interconnected network of economic and communication systems at the apex of which is the Internet. This network of networks thrives on and encourages the expansion of cross-border flows of ideas and information, goods and services, technology and capital. Being an active member of the global network economy is essential to Nigeria’s economic development. It must plug into the network or risk being shut out. The global market network operates by means of rules and standards that are largely set by the dominant players in the network. Data protection is a critical component of the regime of rules and standards that govern the global network economy; it is evolving into an international legal order that transcends geographical boundaries. The EU Directive on data protection is the de facto global standard for data protection; it threatens to exclude non-EU countries without an adequate level of privacy protection from the EU market. More than 50 countries have enacted data protection laws modelled on the EU standard. Access to the huge EU market is a major motivation for the current trend in global harmonisation of domestic data protection laws. This trend provides a compelling reason for examining the issues relating to data protection and trans-border data flows and their implications for Nigeria’s desire to integrate into the global network economy. There are two primary motivations for legislating restrictions on the flow of data across national boundaries. The first is the concern for the privacy of the citizens, and second, securing the economic well-being of a nation. It is important that Nigeria’s privacy protection keeps pace with international norms in the provision of adequate protection for information privacy order to prevent potential impediments to international trading opportunities.
Public, Constitutional, & International
LLD

In present-day society more and more personal information is being collected. The nature of the collection has also changed: more sensitive and potentially prejudicial information is collected. The advent of computers and the development of new telecommunications technology, linking computers in networks (principally the Internet) and enabling the transfer of information between computer systems, have made information increasingly important, and boosted the collection and use of personal information. The risks inherent in the processing of personal information are that the data may be inaccurate, incomplete or irrelevant, accessed or disclosed without authorisation, used for a purpose other than that for which they were collected, or destroyed. The processing of personal information poses a threat to a person's right to privacy. The right to identity is also infringed when incorrect or misleading information relating to a person is processed. In response to the problem of the invasion of the right to privacy by the processing of personal information, many countries have adopted "data protection" laws. Since the common law in South Africa does not provide adequate protection for personal data, data protection legislation is also required. This study is undertaken from a private law perspective. However, since privacy is also protected as a fundamental right, the influence of constitutional law on data protection is also considered. After analysing different foreign data protection laws and legal instruments, a set of core data protection principles is identified. In addition, certain general legal principles that should form the basis of any statutory data protection legislation in South Africa are proposed. Following an analysis of the theoretical basis for data protection in South African private law, the current position as regards data protection in South-Africa is analysed and measured against the principles identified. The conclusion arrived at is that the current South African acts can all be considered to be steps in the right direction, but not complete solutions. Further legislation incorporating internationally accepted data protection principles is therefore necessary. The elements that should be incorporated in a data protection regime are discussed.
Jurisprudence
LL. D. (Jurisprudence)

Dissertação de Mestrado em Ciências Jurídico-Forenses apresentada à Faculdade de Direito
This dissertation, made in an era when the technological development poses a challenge to fundamental rights, intends to frame and analyze the new Regulation (EU) 2016/679, from the European Parliament and the Council of 27th April 2016 (General Data Protection Regulation).For that purpose, the work was split in two parts. Upstream, data protection as a fundamental right, the target of a concise legislative evolution, from which GDPR was born.In fact, it was based on the ECHR and the Convention 108, amidst the Council of Europe, that the European Union and the European countries developed the right to data protection. In the Portuguese case, it was even constitutionally elevated (through article 35 of the Portuguese constitution), and in the European Union law through the Directive 95/46/CE, the basis of the current outlook of the data protection law.That directive, although with new solutions, was unable to achieve the harmonization that was wished for. The solution was for the European Parliament and Council to use article 16 TFEU to approve the General Data Protection Regulation, directly applicable in the Member-states, which had the main purpose of centralizing the rules insofar as to promote the protection of individual persons as to their personal data processing and free movement of those data. Hence, in a second moment the innovations brought by GDPR, which affect all the economic agents, are presented. GDPR encompasses much of what were already the rights and obligations enshrined in the former directive. The essential differences are found in the sanctions framework (20 Million euros or 4% of turnover) and accountability, which forced many companies to worry about the topic for the first time.Therefore, what GDPR demands is an attitude shift of all economic agents: Citizens, Organizations and State, in order to promote the awareness of a true right to personal data protection.
A presente dissertação, encetada numa época em que o desenvolvimento tecnológico desafia os direitos fundamentais, pretende enquadrar e analisar o novo Regulamento (UE) 2016/679 do Parlamento Europeu e do Conselho de 27 de abril de 2016 (Regulamento Geral de Proteção de Dados Pessoais).Para tanto foi levado a cabo a divisão em duas partes do presente trabalho. A montante, a proteção de dados enquanto direito fundamental e alvo de uma evolução legislativa concisa, por força da qual surgiu o RGPD.De facto, foi com base na CEDH e na Convenção 108, no contexto do Conselho da Europa, que a União Europeia e os países da Europa desenvolveram o direito à proteção de dados. No caso de Portugal, consagrando inclusive constitucionalmente (através do artigo 35.º da CRP), e no âmbito da Direito da União Europeia através da Diretiva 95/46/CE, a base para o atual panorama do direito da proteção de dados. Essa diretiva, embora inovatória, não conseguiu atingir a harmonização pretendida. A solução foi o Parlamento Europeu e o Conselho socorrem-se da base legal do art. 16.º do TFUE e aprovarem o Regulamento Geral de Proteção de Dados, diretamente aplicável nos Estados-Membros, que teve como objetivo primário a centralização normativa de modo a fomentar a proteção das pessoas singulares no que diz respeito ao tratamento de dados pessoais e à livre circulação desses dados.Daí que num segundo momento são apresentadas as inovações que o RGPD trouxe e que afetam todos os agentes económicos. O RGPD incorpora muito daquilo que já eram os direitos e obrigações consagrados na anterior diretiva. As diferenças essenciais encontram-se no modelo sancionatório (20 milhões de euros ou 4% da faturação anual) e a autorresponsabilização, que obrigaram muitas empresas a preocuparem-se com o tema pela primeira vez.Assim, o RGPD o que exige é uma mudança de atitude por parte de todos os agentes económicos: Cidadãos, Organizações e Estado, para que se consiga promover a sensibilização e a compreensão da existência de um verdadeiro direito à proteção de dados pessoais.

Antes da Era Digital, a personalização de um preço para corresponder à disposição de pagar do consumidor era considerada inatingível. No entanto, essa prática comercial agora pode ser alcançada através do processamento de dados pessoais e da elaboração do perfil comportamental do consumidor, utilizando técnicas relacionadas com Big Data e Big Analytics. Isto mereceu a atenção do Direito Europeu, como o demonstra o novo requisito de informação pré-contratual trazido pela Diretiva de Modernização, atualmente a aguardar transposição. A sua redação é concisa e o seu contexto é alargado em certa medida pelo Considerando 45, que aponta para o motivo da necessidade de informar os consumidores: de modo a poderem ter em conta os potenciais riscos nas suas decisões de compra trazidos pela personalização dos preços. Este trabalho começa por situar o assunto conceitualmente, juntamente com seu fundo económico e a perceção geral do público acerca disto. A perspetiva adotada não pressupõe distinção prévia entre preços personalizados maiores ou menores do que o uniforme, com algumas exceções destacadas quando relevantes. Essa escolha é justificada pela noção de que, em qualquer situação, uma empresa que utiliza essa estratégia de preços fá-lo com o objetivo de maximizar os lucros. Na análise jurídica, argumenta-se que o processamento de dados pessoais (como a elaboração de perfis comportamentais) é uma condição essencial para estimar o preço de reserva do consumidor. Assim, o Regulamento Geral de Proteção de Dados é aplicável. Além disso, o consentimento do titular dos dados apresenta-se como o único fundamento legal viável para esse propósito específico. Uma ressalva sobre preços derivados de perfis comportamentais é o risco de vieses ocultos revelarem que, de fato, estes basearam-se em características protegidas. A questão da transparência é central para a investigação sob a perspetiva do direito do consumo, uma vez que este quadro jurídico se esforça por capacitar os indivíduos com o conhecimento que precisam para tomar decisões informadas, sem obstruir a autonomia das empresas. Outra disposição da Diretiva de Modernização relativa à transparência dos preços para os consumidores é examinada paralelamente ao tópico central – nomeadamente, as regras de redução de preços e a sua potencial interação. Por fim, as considerações conclusivas oferecidas apontam que o novo requisito de informação é um passo na direção certa. No entanto, é necessário ampliar o seu escopo para realmente habilitar os consumidores para enfrentarem os riscos que os preços personalizados podem trazer para suas decisões de compra.
Before the Digital Era, the personalisation of a price to match a consumer’s willingness to pay was thought to be unattainable. However, this commercial practice can now be achieved through the processing of personal data and profiling of consumer behaviour utilising techniques related to Big Data and Big Analytics. This merited the attention of European Law, as shown by the new pre-contractual information requirement brought by the Modernisation Directive, currently awaiting transposition. Its wording is concise, and its context is expanded to some extent by the Recital 45, which points to the reason behind the need to inform consumers: to enable them to take into account the potential risks in their purchasing decision brought by price personalisation. This work starts by situating the matter conceptually, along with its economic background and the public’s general perception about it. The perspective presumes no prior distinction between personalised prices that are either higher or lower than the uniform fee, with a few exceptions highlighted when relevant. This choice is justified by the notion that in either situation, a business employing this pricing strategy is doing so with the goal of maximising profits. In the legal analysis, it is argued that personal data processing (such as behaviour profiling) is an essential condition for estimating the consumer’s reservation price. Thus, the General Data Protection Regulation is applicable. Additionally, the data subject’s consent presents itself as the sole viable lawful grounds for this specific purpose. One caveat of prices derived from profiling is the risk of hidden biases turning out to reveal it was, in fact, based on a protected characteristic. The issue of transparency is central to the investigation under a consumer law perspective, as this legal framework strives to enable individuals with the knowledge they need to make informed decisions, while not hindering businesses’ autonomy. Another provision from the Modernisation Directive regarding prices’ transparency towards consumers is examined alongside the central topic – namely, price reduction rules, and their potential interplay. Lastly, the conclusive remarks offered point out that the new information requirement is a step in the right direction. However, it is necessary to broaden its scope to truly empower consumers to face the risks personalised prices could bring to their purchasing decisions.

Dissertação de Mestrado em Medicina Legal e Ciências Forenses apresentada à Faculdade de Medicina
O intercâmbio de dados genéticos através de bases de dados de perfis de ADN é reconhecido como importante ferrramenta à investigação e a instrução criminal no âmbito da União Europeia, bem como nos EUA, devido ao poder de identificação que lhe é inerente e útil à manutenção da segurança social, especialmente no tocante a crimes graves e ao terrorismo. O tratamento de dados de ADN por autoridades de aplicação da lei afronta a garantia de direitos e liberdades fundamentais consagrados no direito europeu, como a proteção de dados pessoais e a privacidade. Por isso, requer adequada regulamentação que assegure o equilíbrio entre direitos e liberdades fundamentais e o interesse público. No âmbito europeu, a realidade é uma miscelânea de legislações internas do Estado-Membro relativas à proteção de dados pessoais. O que se considera o principal problema da interconexão célere e eficaz entre Estados-Membros da UE para fins de investigação criminal. Diante da recente reforma do sistema normativo europeu de proteção de dados que resultou na publicação da Diretiva (UE) 2016/680 relativa à proteção de dados pessoais objeto de tratamento para fins de prevenção, investigação, deteção ou repressão de infrações penais ou execução de sanções penais, analisa-se no presente trabalho os potenciais impactos do novo conjunto de regras aplicáveis ao tratamento de dados por autoridades competentes para àqueles fins. O estudo abrange a análise do potencial efeito da Diretiva (UE) 2016/680 no intercâmbio de perfis de ADN e dados pessoais correspondentes ao abrigo da Decisão do Conselho 2008/615/JAI; o exemplo da base de dados de perfis de ADN de Portugal, inserindo na problemática a questão da cooperação internacional entre Estados-Membros; e a cooperação internacional policial e judicial entre a UE e os EUA mediante o intercâmbio automatizado de dados pessoais. As conclusões resumem pontos positivos e negativos da futura aplicação da Diretiva (UE) 2016/680 em relação à proteção de dados de perfis de ADN e dados pessoais correspondentes objeto de tratamento por autoridades competentes para fins forenses.
The exchange of genetic data through DNA databases is acknowledged as an important tool for criminal investigation and prosecution within the EU, as well as in the USA, due to its identification power and utility for homeland security issues, especially with regard to serious crimes and terrorism. The processing of DNA data by law enforcement authorities defies the guarantee of fundamental rights and freedoms enshrined in European law, such as the protection of personal data and privacy. Therefore, such processing requires appropriate regulation to ensure a balance between fundamental rights and freedoms and the public interest. In the European context, the reality is a mix of domestic legislation of the Member States relating to the protection of personal data. This is considered to be the main problem of rapid and effective interconnection of data between EU Member States for criminal investigation purposes. In the light of the recent reform of the European Data Protection framework that has resulted in the Directive (EU) 2016/680 on the protection of personal data processed for the prevention, investigation, detection or prosecution of criminal offenses or the enforcement of sanctions, this paper analyzes the potential impacts of the new set of rules applicable to data processing by competent authorities. The study covers the analysis of the potential effect of the Directive on the exchange of DNA profiles and related personal data under Council Decision 2008/615/JHA; the study of the DNA profile database of Portugal, as an example,, inserting the question of international cooperation between Member States into the problem; and international police and judicial cooperation between the EU and the US through the automated exchange of personal data. The conclusions summarize positive and negative aspects of the Directive (EU) 2016/680 that is to be enforced on the protection of DNA profile data and corresponding personal data being processed by competent authorities for forensic purposes.

碩士
國立成功大學
電信管理研究所
106
This research is to find out what policies and regulations different countries have adapted and generate experts’ opinions towards critical privacy issues. The methodologies include literature reviews, comparative study, modified Delphi method and AHP analysis.