{"title":"告诉我一些新情况:适用于推断数据和档案的数据主体权利","authors":"Bart Custers , Helena Vrabec","doi":"10.1016/j.clsr.2024.105956","DOIUrl":null,"url":null,"abstract":"<div><p>The EU General Data Protection Regulation (GDPR) contains several data subject rights, but for many of these rights it is not entirely clear how they should work in practice, especially in digital environments. Most data subject rights apply to personal data obtained directly or indirectly from the data subject. This is often personal data that data subjects already are familiar with, i.e., things they already know about themselves. Unclear, however, is to what extent ascribed personal data, such as inferred data and categories or profiles in which data subjects are placed by data controllers, are within the scope of these rights. Such ascribed personal data often concerns novel information, generated by data controllers, and includes insights into how controllers view and assess them, which may have practical and legal impact on data subjects. Given these characteristics, the ascribed personal data may be much more interesting to data subjects, so it appears beneficial, from the policy perspective, to have this novel information included in the scope of data subject rights. If data subject rights do not apply to inferred data and profiles, invoking these rights is unlikely to be informative and provide meaningful information for data subjects, particularly in complex, digital environments. However, if data subject rights do apply to inferred data and profiles, the scope of these rights may be hard to delineate and they may quickly interfere with rights and freedoms of others, including trade secrets of data controllers and privacy rights of other data subjects. In this article, we investigate the implications of applying data subject rights to inferred data and profiles. For each data subject right in the GDPR, we assess which types of personal data could and perhaps should be in scope, based on grammatical and teleological legal analyses as well as practical considerations. While the area of data subject rights received significant academic attention in the past years, our article contributes to the discussion by providing a systematic, holistic framework to consider the scope of the rights in relation to ascribed data.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":null,"pages":null},"PeriodicalIF":3.3000,"publicationDate":"2024-03-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0267364924000232/pdfft?md5=10f15b5723ebb024eee39edef4dd2225&pid=1-s2.0-S0267364924000232-main.pdf","citationCount":"0","resultStr":"{\"title\":\"Tell me something new: data subject rights applied to inferred data and profiles\",\"authors\":\"Bart Custers , Helena Vrabec\",\"doi\":\"10.1016/j.clsr.2024.105956\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>The EU General Data Protection Regulation (GDPR) contains several data subject rights, but for many of these rights it is not entirely clear how they should work in practice, especially in digital environments. Most data subject rights apply to personal data obtained directly or indirectly from the data subject. This is often personal data that data subjects already are familiar with, i.e., things they already know about themselves. Unclear, however, is to what extent ascribed personal data, such as inferred data and categories or profiles in which data subjects are placed by data controllers, are within the scope of these rights. Such ascribed personal data often concerns novel information, generated by data controllers, and includes insights into how controllers view and assess them, which may have practical and legal impact on data subjects. Given these characteristics, the ascribed personal data may be much more interesting to data subjects, so it appears beneficial, from the policy perspective, to have this novel information included in the scope of data subject rights. If data subject rights do not apply to inferred data and profiles, invoking these rights is unlikely to be informative and provide meaningful information for data subjects, particularly in complex, digital environments. However, if data subject rights do apply to inferred data and profiles, the scope of these rights may be hard to delineate and they may quickly interfere with rights and freedoms of others, including trade secrets of data controllers and privacy rights of other data subjects. In this article, we investigate the implications of applying data subject rights to inferred data and profiles. For each data subject right in the GDPR, we assess which types of personal data could and perhaps should be in scope, based on grammatical and teleological legal analyses as well as practical considerations. While the area of data subject rights received significant academic attention in the past years, our article contributes to the discussion by providing a systematic, holistic framework to consider the scope of the rights in relation to ascribed data.</p></div>\",\"PeriodicalId\":51516,\"journal\":{\"name\":\"Computer Law & Security Review\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":3.3000,\"publicationDate\":\"2024-03-18\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://www.sciencedirect.com/science/article/pii/S0267364924000232/pdfft?md5=10f15b5723ebb024eee39edef4dd2225&pid=1-s2.0-S0267364924000232-main.pdf\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computer Law & Security Review\",\"FirstCategoryId\":\"90\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0267364924000232\",\"RegionNum\":3,\"RegionCategory\":\"社会学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"LAW\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Law & Security Review","FirstCategoryId":"90","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0267364924000232","RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"LAW","Score":null,"Total":0}
Tell me something new: data subject rights applied to inferred data and profiles
The EU General Data Protection Regulation (GDPR) contains several data subject rights, but for many of these rights it is not entirely clear how they should work in practice, especially in digital environments. Most data subject rights apply to personal data obtained directly or indirectly from the data subject. This is often personal data that data subjects already are familiar with, i.e., things they already know about themselves. Unclear, however, is to what extent ascribed personal data, such as inferred data and categories or profiles in which data subjects are placed by data controllers, are within the scope of these rights. Such ascribed personal data often concerns novel information, generated by data controllers, and includes insights into how controllers view and assess them, which may have practical and legal impact on data subjects. Given these characteristics, the ascribed personal data may be much more interesting to data subjects, so it appears beneficial, from the policy perspective, to have this novel information included in the scope of data subject rights. If data subject rights do not apply to inferred data and profiles, invoking these rights is unlikely to be informative and provide meaningful information for data subjects, particularly in complex, digital environments. However, if data subject rights do apply to inferred data and profiles, the scope of these rights may be hard to delineate and they may quickly interfere with rights and freedoms of others, including trade secrets of data controllers and privacy rights of other data subjects. In this article, we investigate the implications of applying data subject rights to inferred data and profiles. For each data subject right in the GDPR, we assess which types of personal data could and perhaps should be in scope, based on grammatical and teleological legal analyses as well as practical considerations. While the area of data subject rights received significant academic attention in the past years, our article contributes to the discussion by providing a systematic, holistic framework to consider the scope of the rights in relation to ascribed data.
期刊介绍:
CLSR publishes refereed academic and practitioner papers on topics such as Web 2.0, IT security, Identity management, ID cards, RFID, interference with privacy, Internet law, telecoms regulation, online broadcasting, intellectual property, software law, e-commerce, outsourcing, data protection, EU policy, freedom of information, computer security and many other topics. In addition it provides a regular update on European Union developments, national news from more than 20 jurisdictions in both Europe and the Pacific Rim. It is looking for papers within the subject area that display good quality legal analysis and new lines of legal thought or policy development that go beyond mere description of the subject area, however accurate that may be.