Working Papers

The Brussels Privacy Hub Working Papers are intended to circulate research in progress for comment and discussion. The Working Papers focus on all areas of data protection and privacy research and can contain empirical research on privacy issues and analytical work on privacy governance and regulation in the EU; global flows of data; reconciling law enforcement and privacy interests; privacy challenges posed by new technologies; comparative research on privacy in different regions; jurisprudential issues of privacy protection; and many others.

Editorial Board: Paul De Hert, Christopher Kuner and Gloria Gonzalez Fuster


Submission Guidelines download


WORKING PAPER • VOL. 3 • N° 9 • MARCH 2017

European Human Rights, Criminal Surveillance, and Intelligence Surveillance: Towards “Good Enough” Oversight, Preferably but Not Necessarily by Judges

by Gianclaudio Malgieri & Paul De Hert

This contribution is a Chapter in D. Gray and S. Henderson (eds.), Cambridge Handbook of Surveillance Law, forthcoming, 2017



The two European Courts (the European Court of Human Rights, ECtHR and, to a lesser degree, the European Union Court of Justice, EUCJ) have contributed greatly to the development of a legal framework for surveillance by either law enforcement agencies in the criminal law area or by secret services. Both courts put great emphasis on a system of control ex ante and post hoc by independent supervisory authorities. A complex and controversial issue remains whether the human rights to privacy, respect of communications, and to an effective remedy (enshrined in Article 8 and 13 of European Convention on Human Rights (ECHR)), requires judicial review as a necessary safeguard for secret surveillance or alternatively, at which conditions, parallel systems of non-judicial review can be accepted as adequate safeguards against illegitimate interference in citizens’ private life.

The European Courts have not yet established a clear doctrine in determining suitable thresholds and parameters. In particular, the ECtHR has a flexible approach in interpreting article 8 and 13 ECHR, depending on several factors (“vital” interests at stake, political considerations, etc.). In general terms, the Court has shown a preference towards judiciary oversight, but in the European legal order there are several examples of alternative oversight systems assessed positively by the Court, such as the quasi-judiciary systems (where the independency of the supervisory body, its wide jurisdiction, its power to data access and its power to effective reactions are proved) or the system of oversight set by Data Protection Authorities in the EU member states. However, in recent judgements of the ECtHR and the EUCJ we see an increasing emphasis on declaring the necessity of a “good enough” judicial (ex ante or post hoc) control over surveillance, meaning not simply a judicial control, but a system of oversight (judicial, quasi-judicial, hybrid) which can provide an effective control over surveillance, supported by empirical checks in the national legal system at issue.

BPHWorkingPaperVOL3N9 Download the full paper




The “Right to be Forgotten” and Search Engine Liability

by Hiroshi Miyashita



This paper aims to conduct a comparative study on the right to be forgotten by analyzing the different approaches on the intermediary liability. In the EU, Google Spain case in the Court of Justice clarified the liability of search engine on the ground of data controller’s responsibility to delist a certain search results in light of fundamental right of privacy and data protection. On the contrary, in the U.S., the search engine liability is broadly exempted under the Communications Decency Act in terms of free speech doctrine. In Japan, the intermediary liability is not completely determined as the right to be forgotten cases are divided in the point of the search engine liability among judicial decisions.

The legal framework of the intermediary liability varies in the context from privacy to e-commerce and intellectual property. In the wake of right to be forgotten case in the EU, it is important to streamline the different legal models on the intermediary liability if one desires to fix its reach of the effect on right to be forgotten. This paper analyzes that the models of the search engine liability are now flux across the borders, but should be compromised by way of the appropriate balance between privacy and free speech thorough the right to be forgotten cases.

BPHWorkingPaperVOL2N8 Download the full paper

Keywords: Privacy, Data Protection, Right to be Forgotten, Search Engine, Intermediary Liability



Structure and Enforcement of Data Privacy Law in South Korea

by Haksoo Ko, John Leitner, Eunsoo Kim and Jong-Gu Jung



South Korea’s data privacy law has evolved rapidly, in particular during the past several years, despite a short history of relevant legislation and enforcement. South Korea’s data privacy law has exceedingly stringent consent requirements. In addition to consent, there are many other statutory provisions with onerous requirements, arguably making the overall data privacy law regime in South Korea one of the strictest in the world. South Korea’s data privacy law, in particular the Personal Information Protection Act (the PIPA), has a similar structure to the EU’s data privacy law. However, the overall legal regime for data privacy and also its enforcement mechanism reveal South Korea’s unique characteristics and its weaknesses. In terms of the overall legal regime for data privacy, one interesting characteristic is that, in addition to the PIPA, an omnibus data privacy statute, there are multiple additional statutes governing data privacy issues for specific sectors or industries. In terms of the enforcement of data privacy law, a multitude of government agencies and institutions are in charge. Thus, depending on applicable statutes and other factors, different agencies or institutions could be in charge. Issues on data privacy has gained notable traction in recent years in South Korea and, perhaps reflecting this phenomenon, relevant laws and regulations have been amended frequently. A notable trend is to strengthen penalty provisions and, in particular, the maximum amount of administrative fine is now set at 3% of relevant sales revenue. It remains to be seen if heightened penalty provisions will indeed help addressing data privacy concerns in a meaningful manner.


BPHWorkingPaperVOL2N71 Download the full paper

Keywords: Data privacy, South Korea’s data privacy law, Personal Information Protection Act


WORKING PAPER • VOL. 2 • N° 6 • MAY 2016

Permissions and Prohibitions in Data Protection Jurisdiction

by Mistale Taylor



Under public international law, a State has a right to exercise jurisdiction and is expected to show restraint when applying extraterritorial jurisdiction. The EU’s Data Protection Directive is far-reaching and has notable effects beyond its territory. The General Data Protection Regulation could serve to broaden these external effects. This expansive application of prescriptive jurisdiction has caused jurisdictional tensions between, for instance, the EU and the US. EU data protection law could conceivably fall into traditional public international law permissive principles of jurisdiction, such as subjective territoriality, objective territoriality, passive personality or the effects doctrine. Whilst there appears to be a shift from territory to personality in European data protection law, territory is still necessary to trigger the application of jurisdiction. The demarcations provided by public international law could offer ways to mitigate transatlantic conflicts in jurisdiction.

BPHWorkingPaperVOL2N61 Download the full paper

Keywords: jurisdiction – data protection – public international law – extraterritoriality



The right to Privacy and Personal Data Protection in Brazil: Time for internet privacy rights?

by Vinícius Borges Fortes



The Brazilian Internet Bill of Rights, called ‘Marco Civil da Internet’, instituted various principles and parameters for Internet regulation in Brazil. There is however a persistent gap in the Brazilian legal system concerning laws and infrastructure for the effective guarantee of the right to data protection online, coupled with the absence of specific conceptual precision on the notion of privacy on the Internet. In this context, this paper examines the convenience of using the innovative concept of ‘Internet privacy rights’, composed of four rights. The study concludes that the express reception of such Internet privacy rights by the laws that govern it and related topics in Brazil, especially those that regulate or will regulate the protection of personal data in the country, allows the redefinition of the core of the fundamental right to privacy, where only the protection of private life, honour, intimacy and image are considered. Ultimately, it argues that Internet Privacy Rights shall be regarded as included in the core of the fundamental right to privacy in the Brazilian legal system.

BPHWorkingPaperVOL2N51 Download the full paper

Keywords: Fundamental rights. Internet. Internet privacy rights. Personal data protection. Privacy.



The data protection regime in China


by Prof. Paul de Hert and Dr. Vagelis Papakonstantinou, Vrije Universiteit Brussel, VUB



This in-depth analysis was commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the LIBE Committee.

One cannot talk of a proper data protection regime in China, at least not as it is perceived in the EU. The international data protection fundamentals that may be derived from all relevant regulatory instruments in force today, namely the personal data processing principles and the individual rights to information, access and rectification, are not unequivocally granted under Chinese law. An efficient enforcement mechanism, also required under European standards, is equally not provided for. China has no comprehensive data protection act but several relevant sectorial laws that, under a combined reading together with basic criminal and civil law provisions, may add up to a data protection ‘cumulative effect’. This assertion is examined and assessed in the analysis that follows. A list of realistic policy recommendations has been drawn up in order to establish whether China’s recent data protection effort is part of a persistent, yet concise, policy.

BPHWorkingPaperVOL1N41 Download the full paper

Keywords: data protection, China





Towards efficient cooperation between supervisory authorities in the area of data privacy law

by Dariusz Kloza, Antonella Galetta



As research conducted in the framework of the PHAEDRA project (Improving Practical and Helpful cooperAtion betweEn Data Protection Authorities, 2013-2015) demonstrated, numerous cross-jurisdictional cooperation initiatives in the area of data privacy have flourished in the recent decades at bilateral, regional, supranational and international levels. However, it was also determined that these initiatives are still too immature to reach their final aim, i.e. the efficient protection of data privacy in matters producing implications in more than one jurisdiction. Therefore, this contribution discusses how to make such cooperation more efficient and how this goal could be achieved. A set of 23 legal and practical recommendations that might help both policy-makers and supervisory authorities overcome contemporary inefficiencies are proposed, including a modest action plan to that end. As a conclusion, a line is drawn between binding and non-binding types of cooperation.

BPHWorkingPaperVOL1N31 Download the full paper

Keywords: privacy, personal data protection, data privacy, data protection authorities, cooperation, enforcement, General Data Protection Regulation





The new cloud computing ISO/IEC 27018 standard through the lens of the EU legislation on data protection

by Paul de Hert, Vagelis Papakonstantinou, Irene Kamara



At a time when cloud computing industry is developing rapidly, mainly due to the flexibility and the cost minimization cloud computing offers, ISO and IEC developed a new standard on cloud computing to deal with issues of protection of PII and security of information. The new standard aims to address the down-sides of cloud computing and the concerns of the cloud clients, mainly the lack of trust and transparency, by developing controls and recommendations for cloud service providers acting as PII processors.

The article examines the strengths and weaknesses of the new standard, its added value to the cloud computing landscape and to data protection, as well as its relation to the European Personal Data Protection framework.

BPHWorkingPaperVOL1N21 Download the full paper

Keywords: cloud computing, standardisation, ISO, personal data, security, confidentiality




The data protection regime applying to the inter-agency cooperation and futurearchitecture of the EU criminal justice and law enforcement area

by Paul de Hert & Vagelis Papakonstantinou



This study aims, first, at identifying data protection shortcomings in the inter-agency cooperation regime in the EU criminal justice and law enforcement area and, second, at outlining, under six possible scenarios, the interplay among the data protection legal instruments in the law-making process today in field, as well as, the response each could provide to such shortcomings.

BPHWorkingPaperVOL1N1 Download the full paper

Keywords: Data Protection in the EU criminal justice and law enforcement area, Europol, Eurojust, EPPO, OLAF




BPHWorkingPaperVOL3N9 BPHWorkingPaperVOL2N8 BPHWorkingPaperVOL2N71 BPHWorkingPaperVOL2N61 BPHWorkingPaperVOL2N51 BPHWorkingPaperVOL1N41 BPHWorkingPaperVOL1N31