List
of publications on data protection and human rights- and rule of law issues in
the digital environment
(in reverse chronological order, selection, mainly from last 20 years):
In
preparation (autumn 2025):
ü
The Data Protection Officer’s Handbook, a manual
on the application of the GDPR in practice (updating but also significantly
expanding on the DPO Handbook written in an EU project: see below,
2019), Oxford University Press, due for publication in 2026.
ü
The inadequacy of the EU data protection
adequacy determination criteria and processes, due for publication on SSRN later in
2025.
2025
ü
A (not so simple) question: must all
algorithmic discrimination be “prevented” and “eliminated” – or need it only be
“minimised”?, September 2025, available at:
[iGlobalLawyer, 2 October 2025]
Also submitted to the European Data Protection Board in the
consultation on its Guidelines 3/2025 on the interplay between the DSA and
the GDPR and released on the EDPB website:
https://www.edpb.europa.eu/system/files/2025-09/edpb_guidelines_202503_interplay-dsa-gdpr_v1_en.pdf
ü
In praise of recitals (& Explanatory
Memoranda), 10 September 2025, available at:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5467126
ü
First do no harm: The potential of harm being
caused to fundamental rights and freedoms by state cybersecurity interventions, 2nd
edition, in: Ben Wagner, Matthias C. Kettemann and
Kilian Vieth (Eds.), Research Handbook on Human Rights & Digital
Technology: Global Politics, Law & International Relations, CIHR,
Berlin/Elgar Publishing, UK & USA (updating the same chapter in the 2019 1st
edition, listed below under that year). Published on 30 January 2025 at:
2024
ü
Did the PNR judgment address the core issues?, follow-up
to my opinion on the core Issues in the case, prepared at the request of the
Fundamental Rights European Experts Group (FREE Group) in November 2021 (see
under that year), published in the European Law Journal, 2 January 2024,
available at:
https://onlinelibrary.wiley.com/doi/10.1111/eulj.12480
ü
The data protection implications of the use of
Artificial Intelligence (AI) in education, paper written at the request of Privacy
International and DefendDigitalMe, January
2024 (with Jen Persson).*
ü
AI & the GDPR, paper
written in preparation of the above paper, January 2024.*
* These papers were used by Privacy International in its long
online article, “Studying under Surveillance: the securitisation of learning”,
7 November 2024, available at:
https://privacyinternational.org/long-read/5463/studying-under-surveillance-securitisation-learning
(See the acknowledgment at the end.)
2023
ü
The Indian Digital Personal Data Protection
Act, 2023, viewed from a European perspective, October 2023, available at:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4614984 (full
report)
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4614992 (executive
summary)
ü
UK tribunal fundamentally wrong on Clearview, October
2023, available at:
https://www.ianbrown.tech/2023/10/18/uk-tribunal-fundamentally-wrong-on-clearview/
ü
Tricking an AI system & the Cybercrime
Convention, 25 September 2023, available at:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4584116 (SSRN)
https://www.ianbrown.tech/wp-content/uploads/2023/09/KORFF-Tricking-an-AI-system-the-Cybercrime-Convention-230925.pdf (link
from blog)
ü
Data protection in light of
the EU common data spaces?, A critique of the European Commission
Proposal for a Regulation on a Framework for Financial Data Access & of the
European Data Protection Supervisor’s Opinion on the proposal (Opinion
38/2023), with some broader observations, published on 5 September 2023,
available at:
https://www.ianbrown.tech/2023/09/05/data-protection-in-light-of-the-eu-common-data-spaces/
ü
The Limitations of and Flaws in
Algorithmic/AI-Based Technologies,* May 2023, available at:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4437110
ü
The Lack of Data on the Effectiveness of Mass Surveillance,* May 2023,
available at:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4437119
*The above two short papers reproduce (with minor editorial
changes) two sections of my 2021 Opinion on Core Issues in the PNR CJEU Case,
prepared at the request of the Fundamental Rights European Experts Group (FREE
Group): see under that year, below.
2022
ü
The Inadequacy of the October 2022 New US
Presidential Executive Order on Enhancing Safeguards for United States Signals
Intelligence Activities, November 2022, available at:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4495169
ü
Opinion on the implications of the exclusion
from new binding European instruments on the use of AI in military, national
security and transnational law enforcement contexts, written
at the request of the European Center for
Not-for-Profit Law (ECNL), October 2022, available at:
https://ecnl.org/sites/default/files/2022-10/ECNL%20Opinion%20AI%20national%20security.pdf (full
opinion)
https://ecnl.org/sites/default/files/2022-10/ECNL%20Opinion%20AI%20national%20security_exec%20summary_0.pdf (executive summary)
ü
Will the EU-US Privacy Framework succeed where
the Privacy Shield and Safe Harbour failed?, (Some
brief initial comments on the announcement of an “agreement in principle” on a
new Trans-Atlantic Data Privacy Framework & on the EDPB’s statement on the
agreement in principle), 11 April 2022, available at:
https://www.ianbrown.tech/2022/04/11/will-the-eu-us-privacy-framework-succeed-where-the-privacy-shield-and-safe-harbour-failed/ (blog
summary)
https://www.ianbrown.tech/wp-content/uploads/2022/04/Early-comments-on-TADPF.pdf (full
text)
ü
Update on the Opinion on the future of
personal data transfers from the EU/EEA to Israel & the Occupied
Territories (see 2021, below, third listing), 23 February 2022, available
at:
https://www.ianbrown.tech/2022/02/23/israels-privacy-protection-act-amendments-and-eu-adequacy/ (blog
summary)
ü
The EU's own 'Snowden Scandal': illegal mass
surveillance and bulk data data mining by Europol and
the EU Member States, January 2022, available at:
https://www.ianbrown.tech/2022/01/17/the-eus-own-snowden-scandal/ (blog)
https://www.ianbrown.tech/wp-content/uploads/2022/01/KORFF-The-EUs-own-Snowden-Scandal-with-endnotes-jan2022.pdf (full
article with notes)
https://edri.org/our-work/the-eus-own-snowden-scandal-europols-data-mining/
(Short version with link)
2021:
ü
Note on the GDPR and US-based cloud servers, November
2021, available at:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4495293
ü
Opinion on Core Issues in the PNR CJEU Case, prepared
at the request of the Fundamental Rights European Experts Group (FREE Group), November
2021, available at:
https://www.ianbrown.tech/2021/12/11/opinion-on-the-passenger-name-record-cjeu-case/
(blog with links to:)
https://www.ianbrown.tech/wp-content/uploads/2021/12/KORFF-FREE-Paper-on-Core-Issues-in-the-PNR-Case.pdf (full
opinion, 147 pages)
https://www.ianbrown.tech/wp-content/uploads/2021/12/KORFF-PNR-Case-Executive-Summary.pdf
(executive summary, 27 pages)
Retweeted at: EU Law Analysis blog, 14 December 2021:
https://eulawanalysis.blogspot.com/2021/12/is-passenger-name-record-directive.html
EDRigram, 15 December 2021:
https://edri.org/our-work/data-protection-and-digital-competition/
ü
Amid the spying by EU Member States’
intelligence agencies, is EU law silent?, a
follow-up to the papers on the inadequacy of UK data protection law (see below,
2020), August 2021, available at:
ü
Opinion on the future of personal data
transfers from the EU/EEA to Israel & the Occupied Territories, prepared
at the request of the European Middle East Project, EuMEP,
January 2021, published July 2021 at:
https://www.ianbrown.tech/wp-content/uploads/2021/07/KORFF-Opinion-EU-Israel-data-transfers-final.pdf (full
text)
https://www.ianbrown.tech/wp-content/uploads/2021/07/KORFF-Exec-Summ-EU-Israel-data-transfers-final.pdf
(executive summary)
ü
Exchanges of personal data after the Schrems
II judgment, study carried out with Ian Brown at the request of the European
Parliament’s Civil Liberties (LIBE) Committee into the future of EU – US flows
of personal data, July 2021, available at:
https://www.europarl.europa.eu/RegData/etudes/STUD/2021/694678/IPOL_STU(2021)694678_EN.pdf
Video recording of online presentation of the study to the LIBE
Committee (with slides) on 9 November 2021, available at:
ü
Transfers of personal data from the EU – not a
“Mission Impossible”, 22 April 2021, available at:
ü
The inadequacy of the EU Commission’s Draft
GDPR Adequacy Decision on the UK, 3 March 2021, available at:
ü
UK adequacy, international transfers, and
human rights compliance, 2 February 2021, available at:
ü
“The United Kingdom is not a third country
under EU law”, 2 January 2021, available at:
https://www.ianbrown.tech/2021/01/02/the-united-kingdom-is-not-a-third-country-under-eu-law/
2020
ü
The inadequacy of UK data protection law in
general and in view of UK surveillance laws (with some comments on the adequacy
decisions on Guernsey, Jersey and the Isle of Man & on the implications for
other countries and territories including Gibraltar & EU Member States)
(with Ian Brown), submission to the European Union
bodies involved in assessing whether under the EU General Data Protection
Regulation (GDPR) the United Kingdom should be held to provide “adequate”
protection to personal data:
Part One on general inadequacy of UK data protection law,
submitted on 9 October 2020, available at:
https://www.ianbrown.tech/2020/10/09/the-uks-inadequate-data-protection-framework/
Part Two on UK surveillance law, submitted on 30 November 2020,
available at:
https://www.ianbrown.tech/wp-content/uploads/2020/11/Korff-Brown-Submission-to-EU-re-UK-adequacy-Part-Two-DK-IB201130.pdf
Executive Summary and discussion of the implications, also
submitted on 30 November 2020:
ü
Contribution to EDRi’s Data Retention:
Revisited booklet, published on 28 September 2020, available at:
https://edri.org/wp-content/uploads/2020/09/Data_Retention_Revisited_Booklet.pdf
ü
Comments on Prof. Chris Kuner's blog Schrems
II Re-Examined of 25 August 2020, August 2020, available at:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3681389
ü
GDPR requirements on Data Protection Impact
Assessments & methodologies for DPIAs, July 2020, available at:
https://ssrn.com//abstract_id=3656234
ü
Contribution to the appeal by EDRi to the
European Commission and the EU Member States to ban the use of face
recognition technology for mass surveillance, 13 May 2020, available at:
https://edri.org/wp-content/uploads/2020/05/Paper-Ban-Biometric-Mass-Surveillance.pdf
ü
Drafter of Submission by the FREE Group to
the European Commission review of the GDPR, 29 April 2020, available at:
ü
The Origins and Meaning of Data Protection, 13
January 2020 (with Marie Georges), available at:
https://ssrn.com/abstract=3518386
2019
ü
The Territorial (and Extra-Territorial)
Application of the GDPR With Particular Attention to Groups of Companies
Including Non-EU Companies and to Companies and Groups of Companies That Offer
Software-as-a-Service, August 2019, available at:
https://ssrn.com/abstract=3439293
Executive Summary available, at:
https://ssrn.com/abstract=3439295
ü
The DPO Handbook, Guidance for data protection
officers in the public and quasi‐public sectors on how to ensure compliance
with the European Union General Data Protection Regulation, July
2019 (with Marie Georges), 246 pages:
http://www.fondazionebasso.it/2015/wp-content/uploads/2019/07/T4DATA-MANUAL-2019.pdf
The Handbook was prepared in the context of an EU-funded programme
of Training of Trainers from various EU Member States’ data protection
authorities (Grant Agreement number: 769100 — T4DATA —
REC-DATA-2016/REC-DATA-2016-01), January 2018 – November 2019. A brochure on
the project can be found here:
http://www.fondazionebasso.it/2015/wp-content/uploads/2018/04/T4Data_Brochure.pdf
ü
The importance of voice biometrics in the
healthcare industry, June 2019, available at:
https://www.biometricupdate.com/201906/the-importance-of-voice-biometrics-in-the-healthcare-industry
2018
ü
Comments on the Draft Guidelines on the
Accreditation of Certification Bodies (WP261), submitted on 6 April 2018, published
by EDRi at:
https://edri.org/files/EDRi_comments_on_WP261_re-accreditation.pdf
Explanatory entry in EDRigram 16.9 of 2 May 2018, available at:
https://edri.org/are-gdpr-certification-schemes-the-next-data-transfer-disaster/
ü
Generalised monitoring of communications in order to block “undesirable” Internet content, February
2018, available at:
https://edri.org/files/copyright/20180213-Korff-GeneralisedMonitoringOnlineContent.pdf
(This is an edited and slightly expanded version of one section in
the paper First do no harm, listed below.)
ü
First do no harm: The potential of harm being
caused to fundamental rights and freedoms by state cybersecurity interventions, February 2018, in: Ben Wagner, Matthias C. Kettemann and Kilian Vieth (Eds.), Research
Handbook on Human Rights & Digital Technology: Global Politics, Law &
International Relations, CIHR, Berlin/Elgar Publishing, UK & USA, 2019.
ü
Signatory to Amicus Brief on Behalf of EU Data Protection and Data
Privacy Scholars in United States v.
Microsoft Corp., (U.S. Supreme Court), filed 18 January 2018, available
at:
https://www.supremecourt.gov/DocketPDF/17/17-2/28272/20180118141249281_17-2%20BSAC%20Brief.pdf
(Cf. also
the separate amicus brief submitted
by Privacy International and a range of human and digital rights organisations
I am involved with, including EDRi and FIPR, available at:
2017
ü
40th Birthday Wishes for DVD &
DANA, Datenschutznachrichten (DANA), 3/2017 (December 2017), p. 134,
available at:
https://www.datenschutzverein.de/wp-content/uploads/2018/08/DANA_17_3_Sonderheft-40_Jahre_DVD.pdf
ü
Fundamental rights on the internet: Has the
Court of Justice of the European Union forgotten about our freedom of
expression and information?, EDRi Research Paper containing an analysis
of Case C-131/12, Google Spain SL, Google
Inc. v Agencia Española de Protección de Datos and Mario Costeja González (the “Right
to be forgotten” case) and Case C-314/12, UPC
Telekabel Wien GmbH v Constantin Film Verleih GmbH (the Telekabel
case), December 2017, to be published in the European Data Protection Law
journal in 2018. Co-author, with Annika Linck (lead author) and Joe McNamee, Maryant Fernández Pérez, Diego Naranjo and Anne-Morgane
Devriendt (further co-authors).
ü
Significant input into EDRi’s answers to an
EU Public consultation on improving cross-border access to electronic evidence
in criminal matters that drew on the EDRi Comments and Suggestions
mentioned in the next indent, and in particular into
the Annexe to the EDRis answers, submitted on
27 October 2017, available here:
https://edri.org/files/consultations/e-evidence_edriresponse_20171027.pdf
https://edri.org/files/consultations/annexconsultatione-evidence_20171026.pdf
(My input is acknowledged in footnote 1 in the Annexe, on
p. 1)
ü
Note on the Draft Terms of Reference for
drafting a second optional Protocol to the Cybercrime Convention, which
formed the basis for a global civil society submission to the Council of Europe
with Comments and Suggestions on those Draft Terms of Reference,
submitted on 18 September 2017, available at:
https://edri.org/files/surveillance/cybercrime_2ndprotocol_globalsubmission_e-evidence_20170908.pdf
(My work is acknowledged in footnote 3 to the submission, on p. 2)
EDRi Press Release:
https://edri.org/cross-border-access-data-edri-delivers-international-ngo-position-council-europe/
The Council of Europe welcomed the submission:
NB: This global submission followed on from an EDRi submission of
an earlier analysis by me of the final report of the Council of Europe “Cloud
Evidence Group” (CEG), submitted to the Council of Europe by EDRi in November
2016, referenced below.
ü
Commentary
on Article 91 of the EU General Data Protection Regulation (on data
protection for churches and other religious associations and communities), to
be included in a major Commentary on the EU General Data Protection
Regulation, edited by Mark Cole and Franziska Boehm et al. This was due for publication in 2020 but does not appear to
have been published.
ü
Papers prepared for an EU Study on data
requirements for the European Citizens’ Initiative (JUST/DG.C.4/2016/01),
January – August 2017:
- ECIs & Data Protection (July 2017);
- ECIs & Data Sensitivity (July 2017);
- Note on the data protection status and
liabilities of the EU Commission and ECI organisers in relation to the
Commission-provided ECI Online Collection System (OCS) (August 2017)
Also:
- Major contributions to the Interim and
Final Reports on the study, in particular on risk
assessments and options for reform.
Final report, 22 September 2017, available at:
ü
Cyber Harm Caused to Fundamental Rights and
Freedoms by State Cybersecurity Interventions, paper written for the University of
Oxford Oxford Martin School’s Global Cyber Security
Capacity Centre (GCSCC) expert workshop on “Cyber Harm”, Oxford, February 2017,
available at:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3709808
(An extended and updated version of this paper was included as a
chapter in the Research Handbook on Human Rights & Digital Technology:
Global Politics, Law & International Relations: see under 2019, above. An
updated 2nd edition of that book, and this chapter, is due for
publication in early-2025: see under that year, above.)
ü
Boundaries of Law: Exploring Transparency,
Accountability, and Oversight of Government Surveillance Regimes, comparative report covering Colombia,
DR Congo, Egypt, France, Germany, India, Kenya, Myanmar, Pakistan, Russia,
South Africa, Turkey, UK, USA, prepared for the World Wide Web Foundation, (lead
author, with Ben Wagner, Julia Powles, Renata Avila and Ulf Buermeyer), global
report, January 2017, available at:
https://ssrn.com/abstract=2894490
2016
ü
Key Points re
the Cybercrime Convention Committee (T-Cy) Report: Criminal justice access to
electronic evidence in the cloud: Recommendations for consideration by the
T-CY, Final report of the T-CY Cloud Evidence Group (T-CY (2016)5, 16 September
2016), Note prepared for European Digital Rights (EDRi) and sent by
EDRi to the Council of Europe with a covering letter in November 2016,
available at:
https://edri.org/files/surveillance/korff_note_coereport_leaaccesstocloud%20data_final.pdf
(NB: This Note was followed by a wider submission by global NGOs
in September 2017, again based on an analysis by me, referenced above.)
ü
National Courts and EU Trade Policy Powers:
the EU/Canada trade deal and the German Constitutional Court, brief
analysis of the German Constitutional Court ruling refusing a request for an
interim injunction to prevent the German Government from signing the CETA
Agreement, published in the EU Law Analysis blog, 18 October 2016, available
at:
http://eulawanalysis.blogspot.co.uk/
ü
The Practical Implications of the new EU
General Data Protection Regulation for EU- and non-EU Companies (with a
one-page executive summary), August 2016, presented at CMS Cameron McKenna LLP
in February 2017.
ü
The Internet of Things: Security-, Privacy-
& Data Protection Risks, report
written for the Organisation for Economic Cooperation and Development (OECD)
(with Ian Brown, University of Oxford), due for publication later in 2016.
ü
Maintaining Trust in a Digital Connected
Society, report
written for the International Telecommunications Union (ITU); presented at the
ITU’s 16th Global Symposium for Regulators, held at Sharm El Sheikh, Egypt, in
May 2016, available here:
http://www.itu.int/en/ITU-D/Conferences/GSR/Documents/ITU_MaintainingTrust_GSR16.pdf
ü
Privacy seals in the new EU General Data
Protection Regulation: Threat or facilitator? Part 2: What has it turned out to
be?, in: Datenschutznachrichten (DANA), 2/2016 (July 2016), available
here:
https://www.datenschutzverein.de/wp-content/uploads/2016/07/DANA_2-2016_RoteLinienRevisited_Web.pdf (scroll to p. 77)
[NB: This is a follow-up to the 2015 DANA article, listed below,
under that year]
ü
E-Privacy Directive Revision: An analysis from
civil society groups (main contributor, working with other EDRi
experts), July 2016, available at:
https://edri.org/files/epd-revision/EDRi_ePrivacyDir-final.pdf
ü
Proceed with caution: Flexibilities in the
General Data Protection Regulation, detailed analysis prepared for EDRi
(main author, working with other EDRi experts), July 2016, available at:
https://edri.org/files/GDPR_analysis/EDRi_analysis_gdpr_flexibilities.pdf
2015
ü
Note on the EU-US Umbrella Data Protection
Agreement, prepared for the Fundamental Rights European Experts (FREE)
group, October 2015, available at:
http://www.statewatch.org/news/2015/oct/eu-usa-umbrella-freegroup-Korff-Note.pdf
ü
Privacy seals in the new EU General Data
Protection Regulation: Threat or Facilitator?, in: Rote Linien zur EU-DSGVO, in: Datenschutznachrichten (DANA), 3/2015 (August 2015), available
here:
https://www.datenschutzverein.de/wp-content/uploads/2015/08/DANA_3-2015_RoteLinien_Web.pdf (scroll to p. 128)
ü
Passenger Name Records, data mining & data
protection: the need for strong safeguards, report prepared for the Consultative
Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (T-PD)
of the Council of Europe, written with Marie Georges and presented to the
Committee in June 2015, available at:
2014
ü
The rule of law on the Internet and in the
wider digital world, “Issue
Paper” written for the Commissioner for Human Rights of the Council of Europe,
released December 2014, available in English (with the executive summary and
the Commissioner’s recommendations also available in French, Turkish and
Russian) at:
https://rm.coe.int/ref/CommDH/IssuePaper(2014)1
ü
Expert Opinion, prepared
for the Committee of Inquiry of the German Bundestag
into the “5EYES” global surveillance systems revealed by Edward Snowden,
presented at the Committee Hearing, Berlin, 5 June 2014, available at:
http://www.bundestag.de/blob/282874/8f5bae2c8f01cdabd37c746f98509253/mat_a_sv-4-3_korff-pdf-data.pdf (full
text in English, in spite of what it says on the cover
page):
http://www.bundestag.de/blob/282876/b90dd97242f605aa69a39d563f9532e7/mat_a_sv-4-3_korff_zusammenfassung-pdf-data.pdf (summary
in English)
ü
Legal Analysis supporting the International
Principles on the Application of Human Rights to Communications Surveillance, issued
by a global consortium of civil society organisations, of which I wrote the
first draft, May 2014, available at:
https://necessaryandproportionate.org/files/2016/03/29/background_and_supporting_legal_analysis_en.pdf (I wrote
the first draft, subsequently expanded upon by others: see the acknowledgments
on p. 1)
ü
Foreign surveillance: law and practice in a
global digital environment (with Ian Brown), European Human Rights Law
Review, 2014(3) (April 2014), available at:
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2521433
ü
Powerpoint
presentation to the Committe on Legal Affairs &
Human Rights of the Parliamentary Assembly of the Council of Europe (PACE – LA)
on Mass Surveillance in Context,
Strasbourg, 8 April 2014:
(powerpoint slides available on request)
ü
Contribution to a Terrorism prevention
scenario, prepared in the EU SURVEILLE
project by a team led by Prof. Scheinin of the
European University Institute in Florence (IT), April 2014, with a chart
illustrating “The full surveillance analyses context”.
ü
Surveillance law and practice (with Ian Brown), late-2013 to early-2014,
study carried out at the request of the UN University as part of a research
project on the application of international human rights law to national
regimes overseeing governmental digital surveillance, requested by the United
Nations High Commissioner for Human Rights, unpublished but described in her
report to the UNGA, The
right to privacy in the digital
age, as providing “a major substantive contribution to the preparation of
[the report]” – para. 8 of the report, available at:
http://www.ohchr.org/Documents/Issues/DigitalAge/A-HRC-27-37_en.doc
2013
ü
Article on Surveillance and the EU general
data protection regulation: possibilities, limits and obstacles, Datenschutznachrichten, December 2013
ü Submission by the European Digital
Rights Initiative (EDRi) & Fundamental Rights Experts Group (FREE) to the
United States Congress, the European Parliament, the European Commission &
the Council of the European Union, & the Secretary-General & the
Parliamentary Assembly of the Council of Europe on the surveillance activities
of the United States and certain European States’ national security and
“intelligence” agencies, August 2013:
http://www.edri.org/files/submission_free_edri130801.pdf
Press
release re presentation of the
submission to the chair of the European Parliament Civil Liberties Committee
(LIBE), 4 September 2013:
ü
Note on European & International Law on
Trans-National Surveillance, prepared for the Civil Liberties Committee
of the European Parliament to assist the Committee in its enquiries into USA
and European States’ surveillance, August 2013, available with related powerpoint slides from:
http://www.europarl.europa.eu/meetdocs/2009_2014/organes/libe/libe_20131014_1500.htm
ü
Report on The Use of the Internet and Related
Services, Private Life & Data Protection:
trends & technologies, threats & implications, March
2013:
https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=090000168067f7f4
2012
ü
Paper expanding on a short intervention on behalf
of European Digital Rights (EDRi) at the EU
– USA Privacy Conference in Washington DC, 19 March 2012, available at:
https://edri.org/files/korff120319.pdf
ü
Comments on Selected Topics in the Draft EU Data Protection
Regulation (prepared
for the European Digital Rights Initiative, EDRi):
http://ssrn.com/abstract=2150145
Summaries
and Proposed Amendments only, at:
http://ssrn.com/abstract=2150151
ü
Digital Freedoms in International Law (with Dr. Ian Brown of the Oxford Internet
Institute of the University of Oxford), June 2012, prepared for the Global
Network Initiative, available at:
Executive
Summary at:
https://globalnetworkinitiative.org/sites/default/files/Digital%20Freedoms%20Exec%20Summary.pdf
2011
ü
A chapter (Chapter 6) on Social Media and Human Rights in the COE publication “Human Rights and a
changing media landscape”, Council of Europe Publishing, December 2011
(with Ian Brown, University of Oxford).
Available at:
http://www.coe.int/t/commissioner/Activities/themes/MediaFreedom/MediaLandscape2011.pdf
ü
Opinion on the
compatibility of the Anti-Counterfeiting
Trade Agreement (ACTA) with the European Convention on Human Rights & the EU Charter of Fundamental Rights (with Ian
Brown, University of Oxford), August 2011, prepared
at the request of the Greens/European Free Alliance group in the European Parliament.
Available at:
http://rfc.act-on-acta.eu/fundamental-rights
(NB: a clearer pdf version was put on
the Dutch Groen Links website at:
http://groenlinks.nl/files/ACTA%20and%20Fundamental%20Rights.pdf)
ü
Using NHS patient data for research without
consent (with Ian Brown and Lindsey Brown), in Law, Innovation & Technology, January 2011.
Print proof version available at:
http://ssrn.com/abstract=1753029
2010
ü
European data protection law on the taking of
fully automated decisions, presentation at the Annual Conference of the
(UK) National Association of Data Protection Officers (NADPO), London, November
2010)
ü
Expert presentation to European Parliament
Civil Liberties (LIBE) Committee, at a hearing on “Data Protection in a Transatlantic Perspective: Future EU-US data protection agreement in the framework of police and judicial
cooperation in criminal matters”, 25 October 2010:
-
Video of the hearing:
http://www.europarl.europa.eu/wps-europarl-internet/frd/vod/player?eventCode=20101025-1500-COMMITTEE-LIBE&language=en&byLeftMenu=researchcommittee&category=COMMITTEE&format=wmv#anchor1 (NB:
plays in IE only)
-
Handout, put up with background papers on:
Handout itself:
-
Note on US Ambassador comments
(submitted after the hearing):
put up with main committee docs on:
http://www.europarl.europa.eu/meetdocs/2009_2014/organes/libe/libe_20101025_1500_audition.htm
Note itself:
ü
Technologies for the use of images; Automated
processes of identification, behavioural analysis and risk detection; Control
at the airports, presentation at a Seminar on Security,
Privacy & Data Protection, organised by the Spanish Data Protection
Agency (AEPD), Madrid, June 2010, to be published at the end of 2010, available
at:
http://ssrn.com/abstract=1673772
ü “Spat”
with Prof. Nigel Shadbolt in the British Science Association’s online Magazine
People & Science, March 2010, on the topic of Public
information: cause for celebration or concern?,
available from:
http://www.britishscienceassociation.org/NR/rdonlyres/9B5B96B3-90B0-4A9D-9095-59ED66B93EDC/0/peoplesciencemar2010FINAL.pdf
(see pp. 10 - 11).
-
Final Report (56 pages), with a 5-page Executive
Summary, available at:
https://op.europa.eu/da/publication-detail/-/publication/9c7a02b9-ecba-405e-8d93-a1a8989f128b
Sole author of the following papers and
reports produced for this study:
-
Comparative Chart;
-
Working Paper No. 2: Data protection laws in the EU: The difficulties in meeting the challenges
posed by global social and technical developments (120 pages);
-
Country Report – France;
-
Country Report – Germany;
-
Country Report – United Kingdom.
These are no longer available from the EU
Commission website but can be found here:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1638951
(Comparative Chart)
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1638949 (Working
Paper No. 2)
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1638955 (France)
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1638959 (Germany)
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1638938 (United
Kingdom)
2009
ü
Evaluation of the contribution of Working Party
29 to the work of the Commission in the field of Data Protection – final report, April 2009 (with Charles
Raab, Yves Poullet, Norbert Wimmer, Thomas Mueller and Dieter Wagner), report
on a study commissioned by the European Commission. (Used internally by the Commission and not
published)
ü
Thematic Study
on assessment of data protection measures and relevant institutions [United
Kingdom], February 2009,
country report produced for a project commissioned by the EU Fundamental Rights
Agency, available at:
https://fra.europa.eu/sites/default/files/role-data-protection-authorities-2009-uk.pdf
ü
Terrorism and the Proportionality of Internet
Surveillance (with I Brown), European Journal of Criminology, March 2009,
available at: SSRN: http://ssrn.com/abstract=1261194
ü
Forensic
genomics: kin privacy, driftnets and
other open questions (with F. Stajano, L. Bianchi & P. Li`o),
paper submitted in May 2008 for the Workshop on Privacy in Electronic
Society (WPES), Alexandria (VA), USA, October 2008. See:
https://www.cl.cam.ac.uk/~fms27/papers/2008-StajanoBiaLioKor-genomics.pdf
2008
ü
The need to apply UK data protection law in
accordance with European law, Data Protection Law & Practice, May
2008.
ü
European Privacy Seal - Criteria Catalogue (with
Sebastian Meissner and Thomas Probst) and associated Commentary, several
versions produced in the context of the “EuroPriSe” project, November 2008 –
May 2009. These documents are only available to accredited experts and
participating certification bodies.
(NB:
This catalogue were replaced in 2024 with a new set of
criteria for use by the experts of the now officially EU-accredited EuroPriSe
Certification Body. I am one of those experts.)
ü
Protecting the Right to Privacy in the Fight
Against Terrorism, Issue Paper of the High Commissioner
for Human Rights of the Council of Europe, November 2008, available at:
https://rm.coe.int/ref/CommDH/IssuePaper(2008)3
2007
ü Issues of confidentiality and privacy of data with
relation to HIV, presentation at a
(UK) National Aids Trust and Aids Action Europe seminar on Legislation and judicial systems in relation to HIV and AIDS,
seminar report, December 2007, pp. 29-32.
The report can be downloaded from:
http://www.nat.org.uk/document/420.
2006
ü
Childrens Databases - Safety
& Privacy (with FIPR team), study for the UK Information Commissioner, 2006,
available at:
https://www.cl.cam.ac.uk/~rja14/Papers/kids.pdf
2005
ü
Data Protection Laws in the European Union, FEDMA,
Brussels, and DMA-USA, New York, December 2005 - consisting of a main volume in
hardback and two CD-ROMs, as follows:
-
Main volume (in hardback): The EC
Directives on data protection
-
CD-ROM Volume 1: Annexes and Source Documents (including the
Comparative Summary of National [Data Protection] Laws, listed separately,
below)
-
CD-ROM Volume 2: Data Protection Laws of 15 Member States of
the EU Analyzed:
Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland,
Italy, Luxembourg, Netherlands, Portugal, Spain, Sweden, United Kingdom
2004
ü Privacy
and Law Enforcement (with Ian Brown), study for the UK
Information Commissioner, released on the Commissioner’s website in September
2004 as “Striking
the Right Balance: Respecting the Privacy of Individuals and Protecting the
Public from Crime”:
http://www.informationcommissioner.gov.uk/eventual.aspx?id=6840
ü
Terrorist Designation with
Regard to European and International Law: The Case of the PMOI (with
prof Bill Bowring), 2004
2003
ü Comparative
Summary of National laws, a comparative analysis of the data
protection laws of the EU Member States, written as part of a study on implementation
of the EC Data Protection Directive (Directive 95/46/EC), commissioned by the
European Commission. Part published by the Commission no longer available on
the Commission website, but the full study can be found here:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1287667
[Note: this was the fourth study
by me for the European Commission: on
the earlier ones, see below.]
Some selected papers and publications
from before 2003:
ü
Paper on “Privacy
in a Business: An Operational Model”, published (in Italian) in the
proceedings of an international conference on “Privacy, Cost to Resource”,
organised by the Italian data protection authority in Rome in December 2002.
ü
European data protection law & the
Internet: a briefing on the Opinions and Recommendations of the Working Party
established under Art. 29 of the EC Directive on data protection, relevant to
the collecting, storing, dissemination and use of personal data on the
Internet, prepared for the
Privacy Leadership Initiative, December 2000.
ü Note on the Proposal for a Regulation on the protection of
individuals with regard to the processing of personal
data by Community institutions and bodies (COM (1999) 337 final), prepared at the request of Justice for submission to the House of Lords sub-committee on
social affairs, education and home affairs, January 2000
ü
The
question of “applicable law”, in: Compliance Guide 3 – Interim report
(part of the New UK Data Protection Act 1998 Information & Compliance
Programme), Privacy Laws & Business, November 1999
ü
Three major studies for the Commission of the
European Communities into:
-
The protection of the rights and interests of
legal persons with regard to the processing of
personal data relating to such persons (1997, published 2000).
-
The feasibility of a seamless system of data
protection rules for the European Union (1996 – 97, published 1999);
-
Existing case-law on compliance with data
protection laws and principles in the Member States of the European Union (1997,
published 1998), available at:
ü
Data
Protection Law & International trade, paper prepared for the American
Chamber of Commerce Seminar on The Impact of Data Protection on Global Trade,
Brussels, 1997
ü
Europol
Briefing for a workshop on European Police and Legal Space, held in
Bilbao, June 1994. The briefing linked
data protection, human rights and constitutional EU-matters.
ü
The EC Draft Directive on data protection and
the question of “applicable law”, 1994, originally an unpublished
briefing for the direct marketing industry but subsequently published in a
slightly edited German translation as Der
EG-Richtlinienentwurf über
Datenschutz und “anwendbares Recht”, in: Recht
der Datenverarbeitung, Year 10 (1994), Vol. No.
5- 6, p. 209 ff.
ü
Data Protection Law in Practice in the
European Union, FEDIM, Brussels (1993) (NB: a new edition was published in 2004:
see above).
ü
International Data Protection, in: Interights
Bulletin, Vol. 6, Number 4 (1991), p. 57 (front page) and pp. 59 - 62
ü
A series of detailed briefings on the various
drafts, amendments and revised drafts of an EC-Council Directive on data
protection for FEDMA, Brussels, 1990 – 1995.
ü
The
Schengen Information System: also a question of data protection, in: G P
M F Mols (ed.), Dissonanten bij het akkoord van Schengen,
Deventer, 1990
ü
The revised United Nations Guidelines
concerning computerized personal data files – with notes and comments by
Amnesty International, 1988
ü
Data protection and the freedom to seek,
receive and impart information and ideas without interference by public
authorities and regardless of frontiers, outline of a talk presented at a
meeting of the Legal Section of the International Association for Mass
Communication Research, Barcelona, (1988).
– o – O – o –