Browsing by Subject "GDPR"

Sort by: Order: Results:

Now showing items 1-10 of 10
  • Penttinen, Heidi (Helsingin yliopisto, 2018)
    Data-aineistojen merkitys kasvaa jatkuvasti: datasta on tullut liiketoiminnan keskeistä raaka-ainetta ja jopa sen elinehto. Alati digitalisoituvassa maailmassa mahdollisuudet datan keräämiseen ja hyödyntämiseen ovat monipuolisia. Arkiset palvelut ja sovellukset tuottavat huomaamattamme henkilökohtaista tietoa yritysten hyödynnettäväksi. Uuden teknologian mahdollistama nopea kehitys datan keräämisessä ja hyödyntämisessä on jättänyt aukkoja siitä viestimisessä ja nostanut samalla esiin siihen liittyvän eettisen problematiikan. Tässä tutkimuksessa tarkastellaan kaupallisten organisaatioiden asiantuntijoiden käsityksiä yksityisyydestä sekä sitä, miten yksityisyys ja läpinäkyvyys liitetään toisiinsa liiketoiminnallisessa kontekstissa. Lisäksi tutkimuksessa tuodaan esiin asiantuntijoiden puheessa ilmeneviä tyypillisiä näkökulmia aiheeseen eli yksityisyyden ja läpinäkyvyyden kehyksiä. Tutkimus edustaa laadullista tutkimusta. Tutkimuksen aineisto koostuu kahdeksasta, eri aloilla työskentelevien viestinnän, markkinoinnin, lainsäädännön ja IT-alan asiantuntijoiden teemahaastatteluista. Aineisto on kerätty keväällä 2018. Tutkimuksen aineiston analyysissa sovelletaan Erving Goffmanin (1974) tunnetuksi tekemää kehysanalyysia. Tutkimustulosten mukaan kuluttajien data näyttelee merkittävää roolia yritysten liiketoiminnan kehittämisessä. Dataa hyödynnetään yrityksissä muun muassa tuotteiden ja palveluiden kehittämisessä, markkinoinnin ja viestinnän kohdentamisessa sekä uusien innovaatioiden luomisessa. Yksityisyys-aihe on ollut aiempaa näkyvämmin esillä Euroopan unionin uuden tietosuoja-asetuksen (2016/679) myötä. Asetuksessa Euroopan unioni ottaa kantaa kuluttajien henkilötietojen käsittelyyn ja pakottaa yritykset viestimään aiempaa läpinäkyvämmin datan keräämisestä ja hyödyntämisestä. Sekä kaupallisessa liiketoiminnassa että lainsäädännössä siis piirretään uusia reunaehtoja yksityisyydelle. Tutkimuksessa lähestytään yksityisyyden ja läpinäkyvyyden teemoja laaja-alaisesti sekä monitieteisen yksityisyyden tutkimuksen että läpinäkyvyyden teorian kautta. Kuten aiemmassakaan tutkimuksessa, ei tässäkään tutkimuksessa päästä yhteisymmärrykseen yksityisyyden ja läpinäkyvyyden syvimmistä merkityksistä. Tutkimuksessa kuitenkin erottuu viisi yksityisyyden ulottuvuutta, jotka edustavat tyypillisiä näkökulmia aiheeseen. Nämä ovat yksityisyys oikeutena, yksityisyys tunnistettavuutena, yksityisyys velvollisuutena, yksityisyys kauppatavarana ja yksityisyys kilpailuetuna. Kuluttajien yksityisyyden ja organisatorisen läpinäkyvyyden välillä nähtiin vahva yhteys: datan hyödyntämiseen yrityksissä kuuluu elimellisesti myös läpinäkyvyyden vastuu, jonka mukaan yritysten tulee viestiä toiminnastaan kuluttajille ymmärrettävästi. Läpinäkyvyys toimii raaka-aineena luottamukselle, joka asiakassuhteessa on puolestaan edellytys yrityksen kilpailuedun saavuttamiselle. Asiantuntijoiden puheesta nousi esiin viisi pääkehystä, joiden kautta keskustelua yksityisyydestä ja läpinäkyvyydestä käydään: lainsäädännön kehys, muutoksen kehys, teknologian kehys, kaupallisuuden kehys ja monimutkaisuuden kehys. Tutkimuksessa korostuu erityisesti lainsäädännön merkitys käsitteiden määrittelyssä ja puheen sanoittamisessa: nopeasti muuttuva teknologialähtöinen toimintaympäristö sekä aiheen kompleksinen luonne ajavat yritykset suuntaamaan toimintaansa ja käsityksiään ensisijaisesti lainsäädännön yksityisyystulkinnan mukaisesti. Toisaalta yksityisyyden ja läpinäkyvyyden puheesta erottuu perinteistä lainsäädäntölähtöistä ajattelutapaa konfliktoiva näkökulma, jossa yksityisyyttä ei nähty vain suojattavana asiana, vaan sillä nähtiin olevan myös kaupallista arvoa. Kaupallisista lähtökohdista ponnistavassa puheessa kuluttajien yksityisyyden ja yritysten liiketoiminnallisten intressien nähdään voivan elää tasapainossa ilman lainsäädännön tulkinnasta tuttua jännitteisyyttä. Yksityisyyden kunnioittaminen on uusi normi, mutta mahdollinen kilpailuetu ei rakennu vain yksin sen päälle. Kilpailuedun saavuttaminen vaatii kohderyhmälähtöistä viestintää, sillä sen nähdään syntyvän ennen kaikkea yksityisyyden kunnioittamisen ja organisatorisen läpinäkyvyyden synergiassa. Aiemmissa tutkimuksissa vahvana ilmenevää näkemystä siitä, että sidosryhmien vaatimukset organisaatioita kohtaan ovat kasvaneet, ei jaettu tämän tutkimuksen teemojen kontekstissa. Tilannetta voi jopa kuvailla päinvastaiseksi: yritykset odottavat kuluttajilta aktiivisuutta ja kiinnostusta oman yksityisyytensä suojelemiseen.
  • Elevant, Ina (Helsingin yliopisto, 2021)
    The rise of the Internet of Things (IoT) has brought with itself an unimaginable ease to large-scale collection and sharing of personal data. Such large-scale collection and sharing are often done on the basis of data subject’s consent. Consent enjoys a prominent role in the European data protection framework. Consent has, however, been criticised for not providing individuals with adequate protection in online environments. This problem will only be exacerbated with the rise of IoT as IoT extends the data collection practices of the online environments also to offline environments. The purpose of this thesis is to explore the use of consent in the processing of personal data in the IoT. There are two research questions this thesis aims to answer: i) what are the problems and challenges related to the traditional consent based model in relation to IoT, and ii) is there an alternative way forward to user consent? This will be done through legal doctrinal methodology. However, this thesis will also take an interdisciplinary approach as it also draws from different disciplines than law such as technology, behavioural sciences and economics. This thesis shows that, in digitalized world, consent is neither freely given nor informed; thus, challenging the notion of valid consent. These problems arise from information and power asymmetries that are present between data subjects and controllers. However, IoT also brings with itself a unique set of problems as most IoT devices lack screens and input methods making it hard for individuals to access information and provide consent. Moreover, the unobtrusive and ubiquitous nature of IoT makes data collection activities invisible making it hard to apply transparency principle. It is also predicted that the presence of IoT in public spaces leads to the diminishment of private spaces. In light of this, this thesis discusses some alternative ways forward to user consent. The first approach focuses on improving consent, while the second approach aims to shift the focus away from consent by placing accountability on controllers. While both of these alternatives have appeal, they do not come without challenges. Therefore, more research is needed in the field of IoT and data protection.
  • From, Alexandra (Helsingin yliopisto, 2020)
    Data protection has become a pivotal topic in modern democratic societies. Lawmakers have, however, faced challenges in protecting data in the face of rapid technological growth and development in the online environment. ‘Cookies’ are a prominent tool for website operators that enable the collection and processing of vast amounts of personal data of internet users. The use of cookies is based on user’s consent as required under Article 5(3) of Directive 2002/58/EC (ePrivacy Directive). It is, however, questionable whether cookie consent and notice practices are de facto effective in protecting internet users and providing them control over the use of their data obtained via cookies. The goal of this master’s thesis is to analyse whether the traditional model of consent and notice is the appropriate legal basis for the use of website cookies. The research question is divided into two parts. The first part concerns whether consent and notice are an effective tool in providing control and protection to individuals with respect to personal data processed through internet cookies. The second part concerns whether the EU’s data protection framework provides clear and harmonised rules on cookie consents and notices. It will focus especially on the General Data Protection Regulation 2016/679 (GDPR) and the ePrivacy Directive. This thesis uses mainly the legal doctrinal method and qualitative empirical evidence in answering its research question. After the introductory chapter, this thesis will in chapter 2 define cookies and its purposes, as well as outline the legal framework used in this research. Chapter 3 introduces the reader to the concept of consent and its different components, as well as the transparency principle and the accompanying information obligation. Consent consists of freely given, specific, informed and unambiguous elements. Chapter 4 will then discuss the first part of the research question. It will be seen that cookie consents and notices are burdened by many factors as evidenced through behavioural economics, cognitive and structural problems, as well as other factors. It is concluded, therefore, that cookie consents and notices in their traditional form are not an effective tool in providing control and data protection to internet users. Nevertheless, consent and notice are so enshrined in the EU’s data protection regime that they will not be easily abandoned. Chapter 5 discusses the second part of the research question by looking at practical examples in order to see how websites from the legal sector and different national data protection authorities have complied with cookie consent and notice obligations. It will be seen that cookie rules are interpreted inconsistently by even these websites, which has resulted in noncompliance in some instances. Hence, it is concluded that the GDPR and the ePrivacy Directive have failed to harmonise cookie consents and notices. Chapter 6 will look to the future and discuss briefly the proposed Regulation on Privacy and Electronic Communications (ePrivacy Regulation) in terms of i) ‘cookie walls’, which basically coerces website users to accept cookies or otherwise they will be denied access to the site or service, and ii) the legitimate interests ground, which has been introduced as an alternative legal basis to consent with respect to cookies in the latest revised draft of the ePrivacy Regulation adopted on 21 February 2020 by the Croatian Presidency. It will be concluded in chapter 7 that the traditional model of consent and notice might not always be the appropriate legal basis for cookies, hence legislators should look into other legal bases as well, such as, the legitimate interest ground. However, whether or not this ground will be able to provide better protection and control to internet users remains to be seen.
  • Ahonen, Heikki (Helsingin yliopisto, 2020)
    The research group dLearn.Helsinki has created a software for defining the work life competence skills of a person, working as a part of a group. The software is a research tool for developing the mentioned skills of users, and users can be of any age, from school children to employees in a company. As the users can be of different age groups, the data privacy of different groups has to be taken into consideration from different aspects. Children are more vulnerable than adults, and may not understand all the risks imposed to-wards them. Thus in the European Union the General Data Protection Regulation (GDPR)determines the privacy and data of children are more protected, and this has to be taken into account when designing software which uses said data. For dLearn.Helsinki this caused changes not only in the data handling of children, but also other users. To tackle this problem, existing and future use cases needed to be planned and possibly implemented. Another solution was to implement different versions of the software, where the organizations would be separate. One option would be determining organizational differences in the existing SaaS solution. The other option would be creating on-premise versions, where organizations would be locked in accordance to the customer type. This thesis introduces said use cases, as well as installation options for both SaaS and on-premise. With these, broader views of data privacy and the different approaches are investigated, and it can be concluded that no matter the approach, the data privacy of children will always prove a challenge.
  • Ture, Tsegaye (Helsingin yliopisto, 2021)
    The introductory section of the thesis discusses on the European General Data Protection Regulation, abbreviated GDPR, background information and historical facts. The second section covers basic concepts of personal data and GDPR enforcement. The third section gives detailed analysis on data subject rights as well as best practices for GDPR compliance to avoid penalties. The fourth section concentrates on the technical aspects of the right to be forgotten, solely concentrating on the technical aspects of permanent erasure/deletion of personal or corporate data in compliance with the customer’s desire. Permanent deletion or erasure of data, technically addressing the issue of the right to be forgotten and block chain network technology are the main focus areas of the thesis. The fifth section of the thesis profoundly elaborates block chain and the relation with GDPR compliance in particular. Then the thesis resumes explaining about security aspects and encryption, confidentiality, integrity and availability of data as well as authentication, authorization and auditing mechanisms in relation to the GDPR. The last section of the thesis is the conclusion and recommendation section which briefly summarizes the entire discussion and tries to suggest further improvements
  • Hildén, Jockum (2021)
    Despite efforts to mitigate European concerns over US governmental access to European data, the US regulatory framework is still problematic from a fundamental rights perspective, as elevated by the Schrems II ruling. The issues associated with transnational transfers of data have been further complicated by the European Data Protection Board’s recommendations that state that EU personal data cannot be processed in the clear in third countries where public authorities demand access to data. Based on empirical case studies from the Netherlands and Sweden, the present contribution outlines possible remedies that mitigate this problem, but the fundamental issue appears unsolvable. While the US has taken steps to grant foreign nationals more rights, significant challenges remain with the US approach to mass surveillance and EU citizens’ lack of judicial redress.
  • Bhardwaj, Shivam (Helsingin yliopisto, 2020)
    The banking and financial sector has often been synonymous with established names, with some having centuries old presence. In the recent past these incumbents have been experiencing a consequential disruption by new entrants and rapidly changing consumer demands. These disruptions to the status quo have been characterised by a shift towards adoption of technology and artificial intelligence particularly in the service and products offered to the end customers. The changing business climate in the financial sector has risen many convoluted questions for the regulators. These complications cover a vast set of issues – from the concerns relating to the privacy of data of the end users to the increasing vulnerability of the financial market, to unproportionally increased compliance requirements for new entrants, all form part of the mesh of questions that have arisen in the wake of new services and operations being designed with the aid and assistance of artificial intelligence, machine learning and big data analytics. It is in this background that this Thesis seeks to explore the trajectory of the development of the legal landscape for regulating artificial intelligence – both in general and specifically in the financial and banking sector, particularly in the European Union. During the analysis, existing legal enactments, such as the General Data Protection Regulation, have been scrutinised and certain observations have been made regarding the areas that still remain unregulated or open to debate under the laws as it stands today. In the same vein, an attempt has been made to explore the emerging discussion on a dedicated legal regime for artificial intelligence in the European Union, and those observations have been viewed from the perspective of the financial sector, thereby creating thematic underpinnings that ought to form part of any legal instrument aiming to optimally regulate technology in the financial sector. To concretise the actual application of such a legal instrument, a European Union member state has been identified and the evolution of the regulatory regime in the financial sector has been discussed with the said member states’ financial supervisory authority, thus highlighting the crucial role of the law making and enactment bodies in creating and sustaining a technologically innovative financial and banking sector. The themes recognised in this Thesis could be the building blocks upon which the future legal discourse on artificial intelligence and the financial sector could be structured.
  • Bu-Pasha, Shakila (2020)
    Article 35 of the General Data Protection Regulation (GDPR) states that data controllers are required to carry out data protection impact assessment (DPIA) if a processing operation, particularly involving the use of new technologies, is ‘likely to result in a high risk to the rights and freedoms of natural persons’. The focus in this paper is on the role and responsibilities of data controllers in a smart city platform in assessing ‘high risk’ and the importance of impact assessment in relation to data processing with the latest technologies for the protection of personal data.
  • Zhakhina, Saltanat (Helsingin yliopisto, 2019)
    The purpose of the thesis is to assess the compatibility of the business model of providing free online services in exchange for processing of the personal data for advertising purposes, in particular for the Online Behavioural Advertising purpose, with the GDPR. Online Behavioural Advertising is a main way through which the free online services are funded. At the same time large-scale personal data collection and intrusive profiling, the controllers engage into pose significant risks for the rights of the data subjects. Empirical findings show that the companies using such business model oftentimes collect large amount of personal data in violation of GDPR. In addition, the researchers highlight the power asymmetries between the large online platform and the data subjects. Therefore, whether such a business model is compatible with the GDPR from legal perspective is of a particular importance. The first part of the thesis focuses on the lawfulness of the existing data collection practices in the context of the business model in question. The second part of the thesis discusses the profiling and data sharing in the context of such model and the third part focuses on the principles of the data protection by design and by default. The mentioned legal provisions are analysed with the focus on their compatibility with the business model in question. The research found that the business model seems to be compatible with the GDPR in a sense that it is in principle possible to comply with its requirements for the controllers. Such a compliance however would likely lead to a decrease in revenue for the controllers who relied on unsuitable legal basis or who manipulated users into giving away more PD. At the same time such a compliance still would not give the effective protection to the data subjects’ rights due to the lack of more explicit, precise and specific rules in GDPR.
  • BBMRI-LPC Consortium FP7 GA no (2019)
    Biobank samples and data from studies of large prospective cohorts (LPC) represent an invaluable resource for health research. Efficient sharing and pooling of samples and data is a central pre-requisite for new advances in biomedical science. This requirement, however, is not compatible with the present scattered and traditional access governance structures, where legal and ethical frameworks often form an obstacle for effective sharing. Moreover, the EU General Data Protection Regulation (GDPR) is demanding increasingly rigorous administration from all those organisations processing personal data. The BBMRI-LPC project (Biobanking and Biomolecular Research Infrastructure. Large Prospective Cohorts) assembled 21 LPCs from 10 countries and two EU-wide multinational cohort networks with a key objective to promote collaborative innovative transnational research proposed by external researchers on the broad field of common chronic diseases, and analyze the gaps and needs involved. BBMRI-LPC organized three scientific calls to offer European investigators an opportunity to gain free of charge transnational access to research material available in the participating cohorts. A total of 11 highquality research proposals involving multiple prospective cohorts were granted, and the access process in the individual projects carefully monitored. Divergent access governance structures, complex legal and ethical frameworks and heterogeneous procedures were identified as currently constituting substantial obstacles for sample and data transfer in Europe. To optimize the scientific value and use of these research resources, practical solutions for more streamlined access governance in collaborative projects are urgently needed. A number of infrastructure developments could be made to improve time-efficiency in access provision.