W. Gregory Voss
  • Toulouse Business School
    1, place Alphonse Jourdain
    CS 66810
    31068 Toulouse cedex 7
    France
  • +33 (0)5 61 29 47 46
  • Associate Professor of Business Law at TBS Business School (Toulouse Business School), W. Gregory Voss teaches on TBS...
Data play a central role in the economy today. Nonetheless, the main trading partner of the United States—the European Union—places restrictions on cross-border transfers of personal data exported from the European Union. Destination countries must benefit from a decision by the European Commission that their data protection practice is “adequate” to import data, or transfer tools must be used to further protect those data. The United States does not benefit from such a decision and an arrangement that previously allowed data to continue to flow to the United States—the Privacy Shield—was invalidated by the Court of Justice of the European Union in 2020 in a case that is known as Schrems II.

This study focuses on EU-U.S. personal data transfers. It provides a holistic view of the legal parameters involved in transatlantic data transfer compliance post-Schrems II, relevant developments past and future, and potential compliance actions, supplemented with relevant guidance and an analysis of enforcement actions. Such compliance is considered the most difficult task of privacy professionals today. The aim is to give a fuller understanding in this context of the EU General Data Protection Regulation (GDPR), which sets out the cross-border data transfer restriction, with a view to potential pathways to navigate those challenges.

Following the Introduction, this study dives into both the cross-border transfer restriction contained in the GDPR, and into the Schrems II ruling. EU-U.S. negotiations to try to build a replacement for the Privacy Shield are discussed. A new 2021 version of the standard contractual clauses transfer tool, used to allow data exports, is analyzed. In addition, the requirement to respect the essence of fundamental rights and freedoms set out in the Schrems II judgment is explained. Supplemental measures to ensure data protection and to allow transfers to jurisdictions with problematic legislation, such as the United States (with its surveillance laws), are detailed. Furthermore, European Economic Area data protection enforcement action in the domain of cross-border transfers is studied, including a recent case relating to the use of the popular Google Analytics tracking cookies. Finally, lessons for compliance are drawn, prior to concluding remarks.

NB: This article is available for download in full text via the Journal's website, currently at this address: https://www.bu.edu/jostl/current-issue/
This article investigates various developments over that year that helped (or are helping) reshape European Union data privacy law, building around two important events: the Court of Justice of the European Union's Google Spain decision, applying a form of a "right to be forgotten," and the Paris terrorist attacks on the satirical journal Charlie Hebdo in January 2015 after which additional security measures involving websites and surveillance in France were adopted and advances on an EU directive on PNR data were made. The EU member state court decisions that came in the wake of the Google Spain decision and that give a right to individuals in the EU to have certain search engine results delisted, which raise issues for Internet search engines, publishers of information, and potentially other Internet intermediaries, are discussed, as are Google’s attempts to come to terms with the Google Spain decision. In addition, this article covers the continuing EU member state d...
In July 2019, shortly after the end of the first year of application of the EU General Data Protection Regulation (GDPR), the UK's data protection regulator announced its intention to fine British Airways £183 million under the GDPR in connection with a data breach. That proposed penalty, which would have been the highest administrative fine to-date under the GDPR if finally issued in the amount announced, highlighted the relevance of the GDPR to airlines. As a result of the territorial scope of the GDPR, the regulation interests European and non-European airlines alike. This study, which focuses on requirements for commercial use of EU personal data by U.S. airlines (but which should interest non-U.S. airlines, as well), uses actual cases to help analyze the application of the GDPR to the airline industry, including the British Airways GDPR penalty case. It is one of the first studies to do so, and as such contributes to the literature. When the GDPR applies to them, airlines should become fully aware of its key relevant provisions, starting with those related to the GDPR's scope and its underlying data protection principles, discussed in this study. In addition, airlines must have a legal basis to process EU personal data under the GDPR and, as this study shows, must have adequately prepared for data subject requests to exercise rights and for potential data breaches. Several examples of the first GDPR sanctions in the airline industry are detailed, and lessons drawn from them. In this context, this study determines that data security is a key element. Finally, the 2020 Schrems II decision invalidating the EU-U.S. Privacy Shield is examined, and its potential impact on the transfer of EU personal data from the European Union to the United States by airlines is studied, following an analysis of U.S. airline privacy policies available on the Internet from the European Union. 
In this context, the use of standard contractual clauses (SCCs) in order to allow for data export from the European Union is considered.
The development of computer technology raised concerns for the privacy of the individuals to whom data being processed relates. Soon European nations began adopting data protection laws to protect the privacy of individuals, eventually regulating what had become known as “cyberspace.” To allow for the free flow of personal data within the European Union, while protecting the privacy of individuals, the regional bloc adopted EU-wide data protection legislation in 1995, which was then implemented in Member State law.

The lack of harmonization of Member State implementing legislation and the development of new technologies led to the adoption of a uniform EU law in the form of the General Data Protection Regulation (GDPR), which has had international impact. The GDPR develops further individual rights and continues cross-border transfer restrictions, while including clearer extraterritorial application when the personal data of individuals in the European Union are collected, thus recognizing that cyberspace does not end at borders.
This study explicates why consumers allow the unconditional collection and processing of personal data while doubting data privacy. A process model addressing this privacy paradox is consequently designed through multidisciplinary research. Altogether, two online studies concur that certain factors may mitigate the negative effect of risk perception concerning data privacy during the personal data disclosure process. Hence, we examine the impact of the privacy paradox based on the literature on mental accounting, which describes interactions between present and future costs and benefits. In this context, consumer behavior is deciphered via analysis of four key variables, namely, the mental accounting of privacy-related risks, consumer involvement, type of perceived benefit regarding the specific purchase/transaction, and consumer familiarity.
The strengthening of the sanctions provided for by the GDPR went hand in hand with a paradigm shift that consisted, in particular, of eliminating a good part of the formalities to be completed before data processing could be carried out and of making the actors accountable. But one may wonder whether the announced (and feared) revolution in sanctions for violations of personal data protection rules has really taken place.
This article gives a comparative view of two main pieces of data privacy legislation from, respectively, California and the EU: the CCPA and the GDPR. While there are similarities between the two, there are differences, as well, providing challenges for compliance. For example, both instruments have extraterritorial effect, however only the GDPR is truly omnibus legislation given the CCPA carveouts for areas of federal legislation and its thresholds for application. Thus, this article aims to provide certain elements to be taken into consideration in evaluating legislation on both sides of the Atlantic.
Prior to the application of the EU General Data Protection Regulation (GDPR), one result of the low maximum corporate fines for violations under the preceding data protection legislation was, arguably, a lack of compliance by U.S. Tech Giants and other companies. At least on paper, this changed under the GDPR. This study approaches the issue of GDPR sanctions, not through the lens of a catastrophe waiting to happen, but instead through a development first of the theoretical grounds for sanctions, prior to a view of the practical side of them. In doing so, it is somewhat unique and adds to the GDPR literature. Furthermore, it engages the legal strategy and compliance literature to bring its results home to inform companies as to the risks involved and to provide strategic recommendations both for companies and for regulators.

Among the several sub-goals of sanctions, this study determines that the most relevant for an analysis of GDPR sanctions—which are administrative, regulatory and financial sanctions, in large part—is the deterrence function, beyond the symbolic functions. This demands effective and substantial administrative fines. While these are not the only sanctions available under the GDPR—this study also sets out a range of possible sanctions, such as judicial compensation and orders to halt data processing—they are perhaps the most characteristic of data protection enforcement. However, through what is referred to as the one-stop-shop mechanism, the Irish DPA is the lead authority for most of the U.S. Tech Giants, and it has failed to act against them up to now, resulting in a potential lack of deterrence. This study argues that, on the one hand, companies should embrace compliance, and on the other hand, truly dissuasive administrative fines must be issued by supervisory authorities when they are justified, in order for the sanctions to have their necessary deterrence effect.
This post of October 29, 2020 in the Oxford Business Law Blog presents our forthcoming article in volume 37 of the Santa Clara High Technology Law Journal (2020): "EU General Data Protection Regulation Sanctions in Theory and in Practice." It discusses the theory of sanctions, applied to the GDPR, and the reality of GDPR sanctions to-date. Furthermore, it draws compliance lessons from this experience, providing recommendations for companies and regulators, alike. Post located here: https://www.law.ox.ac.uk/business-law-blog/blog/2020/10/gdpr-compliance-light-heavier-sanctions-come-least-theory
Today, cross-border data flows are an important component of international trade and an element of digital service models. However, they are impeded by restrictions on cross-border personal data transfers and data localization legislation. This Article focuses primarily on these complexities and on the impact of the new European Union ("EU") legislation on personal data protection-the GDPR. First, this Article introduces its discussion of these flows by placing them in their economic and geopolitical setting, including a discussion of the results of a lack of international harmonization of law in the area. In this framework, rule overlap and rival standards are relevant. Once this situation is established, this Article turns to an analysis of the legal measures that have filled the gap left by the lack of international regulation and the failure to harmonize law: extraterritorial laws in the European Union (regional legislation) and the United States (state legislation);
Globalization seems to call for the harmonization of laws, especially in sectors affecting global business, and this is all the truer with respect to laws affecting the technology industry, with the facility of its cross-border communications networks. Data privacy law on both sides of the Atlantic benefits from common origins but eventually divergence occurred, causing compliance challenges for companies and the potential halting of cross-border data flows from the European Union to the United States. Harmonization could possibly obviate such difficulties, and there is a window of opportunity to achieve this with discussion in the United States of a potential federal data privacy law. After setting out the historical context, this study posits and details three major obstacles to full-scale transatlantic harmonization of data privacy law, from the perspective of what has become the predominant data privacy model— that of the European Union. These are: laissez-faire policy and neoliberalism in the United States (and resulting focus on self-regulation there), the lobbying power of the U.S. technology industry giants in a conducive U.S. legislative system, and differing constitutional provisions on both sides of the Atlantic. Each of these elements makes attaining true harmonization more difficult, if not impossible. Nonetheless, corporate action in the United States might have given some hope of a de facto harmonization of practices, although hopes have not led to the equivalent of harmonization of laws. Political and other realities provide further context, leaving reason to be doubtful about the prospects of true transatlantic harmonization of data privacy law. Finally, certain areas for improvement in the context of U.S. legislative action are discussed.
(NB: The file on this site is a post-print, prior to final changes and not in the final format. The final version of this article is available at https://onlinelibrary.wiley.com/doi/abs/10.1111/ablj.12139.)
The European Union's General Data Protection Regulation (GDPR) became applicable in May 2018. Due to the GDPR's extraterritorial scope, which could result in massive fines for U.S. companies, comparative data privacy law is of great current interest. In June 2018, California passed its own Consumer Privacy Act, echoing some of the provisions of the GDPR. Despite the many articles comparing the two schemes of law, little attention has been given to the foundation of these laws, that is, what exactly encompasses the data referred to by these laws? By understanding how the term “personal data” or “personal information” is defined in both jurisdictions, and why these definitions and the treatment of protected data are so different, companies can strategize to take advantage of these developments in the European Union. After explaining the differences in how data is treated in the United States and the European Union by exploring the definitions, regulations, and court cases, we will explore the five legal strategy pathways that companies might pursue with respect to the legal aspects of data transfer and privacy law compliance. While these strategies range from ignoring the law to adopting the European model worldwide, this analysis of legal strategy reveals a means for companies to gain a competitive advantage through their adoption of a worldwide compliance scheme.
Much has been written about the difference in the privacy laws of the European Union and the United States and ideologies behind the two regimes.  One risk of the increasing divergence in views on privacy is the potential halting of data transfers from the European Union to the United States by the European Commission (EC).  As data is a significant driver of the world economy, special care must be taken both to ensure that data is able to cross borders easily, and individuals’ rights to data protection are respected.

The General Data Protection Regulation (GDPR) prohibits the transfer of personal data outside of the European Economic Area (EEA) to countries without “adequate” privacy protections.  As the United States is considered to have insufficient protections, the EC requires that an approved mechanism, such as the Privacy Shield—its agreement with the United States that permits U.S. companies to self-certify that they will meet certain minimum privacy protections—be used for such transfers.  Alternative mechanisms include standard contractual clauses (SCCs).  Suspension of any one approved mechanism may call into question the legitimacy of the others.

Although the Privacy Shield survived its first EC review in 2017, many called for the EC to suspend the Privacy Shield at its second review due to a number of factors: the continuation of the Schrems case; the failure of the U.S. government to enact the recommendations made in the 2017 Privacy Shield review; and recent U.S. government actions demonstrating disregard for data privacy protection; the EC chose to back down instead of proceeding to a clash.[7]  In a report issued on December 19, 2018 (2018 Report), the EC indicated that the Privacy Shield had passed its second review, subject to the United States appointing a permanent Privacy Shield Ombudsperson by February 28, 2019.  Before analyzing the 2018 Report, it is important to understand why the U.S.’s commitment to the Privacy Shield mechanism seems tenuous, at best.
Note: This article is available for viewing and for downloading (click on the PDF link) at the appropriate page of the journal's website: https://jolt.richmond.edu/gdpr-the-end-of-google-and-facebook-or-a-new-paradigm-in-data-privacy/.

EU Data Protection Agencies have been vigorously enforcing violations of regional and national data protection law in recent years against U.S. tech companies, but few changes have been made to their business model of exchanging free services for personal data. With the Cambridge Analytica debacle revealing how insufficient American privacy law is, we now find ourselves questioning whether the General Data Protection Regulation (GDPR) is not the onerous 99-article regulation to be feared, but rather a creation years ahead of its time.  This paper will explain how the differences in U.S. and EU privacy and data protection law and ideology have led to a wide divergence in enforcement actions and what U.S. companies will need to do in order to legally process the data of their users in the EU. The failure of U.S. tech companies to fulfill the requirements of the GDPR, which has extraterritorial application and becomes applicable on May 25, 2018, could result in massive fines (up to $4 billion using the example of Google). The GDPR will mandate a completely new business model for these U.S. tech companies that have been operating for well over a decade with very loose restrictions under U.S. law. Will the GDPR be the end of Google and Facebook or will it be embraced as the gold standard of how companies ought to operate?
The new EU General Data Protection Regulation (GDPR) establishes requirements (and certain incentives) for internal compliance mechanisms that do not exist in current legislation. These requirements, which will have an impact on internal processes and staffing of firms, such as the requirement in certain cases of engaging a data protection officer, of conducting a data protection impact assessment, or making notifications of data breaches, will require firms to organize themselves prior to the GDPR becoming applicable in 2018. This article sets out first the increased territorial scope of the GDPR, prior to discussing the increased accountability of firms, focusing on data protection impact assessments, prior consultation and prior authorization, data protection officers, and data breach notifications. On the way, certain differences among the various versions of the GDPR prior to its adoption on these points will be discussed. Finally, incentives for compliance are highlighted.

Résumé (translated from the French): The new EU General Data Protection Regulation (GDPR) creates obligations and includes incentives relating to the development of internal compliance mechanisms that do not exist in current legislation. These obligations, such as, in certain cases, designating a data protection officer, conducting a data protection impact assessment, or notifying a personal data breach, will have an impact on the internal processes and staff organization of firms. They will thus require firms to review their practices before the date on which the GDPR becomes applicable in 2018. This article first sets out the increased territorial scope of the GDPR, before discussing the increased accountability of firms and, more specifically, data protection impact assessments, prior consultation and prior authorization, data protection officers, and personal data breach notifications. In doing so, certain differences among the various preliminary versions of the GDPR on these points will be mentioned. Finally, certain elements that will encourage firms to comply with the GDPR will be highlighted.

This final formatted copy of the article was first published in 50 (3) Revue juridique Thémis de l'Université de Montréal (RJTUM) 783-820 and is available on the journal's website at https://ssl.editionsthemis.com/revue/article-4951-internal-compliance-mechanisms-for-firms-in-the-eu-general-data-protection-regulation.html.
This article explores recent developments in European Union data privacy and data protection law, through an analysis of European Union advisory guidance, independent administrative agency enforcement action, case law, and legislative reform in the areas of digital technologies, the internet, telecommunications and personal data.

In the first case, Article 29 Working Party guidance on anonymization techniques – so important in the field of big data – is discussed and distinguished from pseudonymization. Next, Google privacy policy enforcement action by various EU Member State data protection agencies (inter alia, France, Germany, Italy, the Netherlands and Spain) is chronicled, with lessons being drawn for businesses regarding privacy policies and data protection compliance generally. Thirdly, European Union Court of Justice joined cases Digital Rights Ir. Ltd. v. Minister for Comm. Marine & Natural Res., invalidating the EU Data Retention Directive, which was applicable to providers of publicly available electronic communications services and public communications networks, such as ISPs and telecom operators, is analyzed and the WP29 reaction to the decision is discussed.

The Data Retention Directive decision and recent legislative action on the proposed EU General Data Protection Regulation (GDPR) highlight the importance in Europe of the protection of individuals’ fundamental rights to privacy and freedom of expression in the internet and telecommunications context. Finally, this article discusses recent developments regarding the GDPR, while the revelations of U.S. NSA mass surveillance programs continued to preoccupy European lawmakers.
Researchers today are called upon to demonstrate the usefulness of their research and, as such, to justify its impact. From this point of view, research in law, which has real particularities compared with research in other disciplines, falls fully within this requirement of demonstrated usefulness. The impact of this research on all those who use the law and, more generally, on society, is real. Measuring this impact nevertheless remains delicate, even if a few avenues deserve to be explored.

Research in Law, which presents true specificities, is inseparable from legal teachings. The impact of this research on all those who use the Law and, more generally, on society, is real.  The measurement of the extent of this impact, however, remains a delicate operation, even if some options are worth exploring.
On January 10, 2017, less than nine months after the General Data Protection Regulation (GDPR) was adopted by the European Union, the European Commission issued its proposal for a new ePrivacy Regulation. In analyzing this new proposal, this article first places European Union ePrivacy legislation in context before detailing the main points of the proposed ePrivacy Regulation, then discusses reactions to the proposed Regulation, and outlines the legislative process.
This is an article (in French) which has been adapted from one of my contributions on U.S. for the workshop -- "Les défis du numérique dans l'entreprise en Europe" ("The Challenges of Digital Technologies in Europe") held at the Toulouse Business School on February 27, 2015. It details certain important differences between American Copyright law and Rights of Authorship in France and Copyright Law in Europe. Included in this discussion are formalities and their role in copyright litigation, protection of databases and the Feist case, exclusive rights under Copyright Law and moral rights. The Aereo case and the Pharrell Williams "Blurred Lines" case are also evoked. The article concludes with several areas of study for reform from former Register of Copyrights Maria Pallante.
This article discusses a few of the most important European data privacy law developments in recent history – perhaps the most significant since 1995 when the European Union adopted the Data Protection Directive. These include the adoption of the General Data Protection Regulation (GDPR), the invalidation of the U.S. – EU Safe Harbor cross-border personal data transfer framework in the Schrems decision, and the Safe Harbor’s subsequent replacement by the Privacy Shield. The latter allows transfer of personal data (such as data about employees and prospects) from the European Union to the United States, upon certification of commitments by participating companies, and provides guarantees from U.S. agencies and means of enforcement in case of violations.
The article also covers continuing developments concerning the “right to delisting,” which was applied in the 2014 Google Spain decision.
Treatment of the GDPR, which will be applicable as of May 2018 (allowing companies time to prepare), includes its extended territorial scope, changes to personal data processing principles, provisions regarding storage of data for public interest, scientific, historical or statistical purposes, developments regarding legitimate bases for processing, including consent, increased data subject rights which will require companies to take action, as well as new compliance requirements which may include, when applicable, performing data protection impact assessments and/or hiring data protection officers. Furthermore, new record-keeping obligations, new requirements for data breach notifications, and higher administrative fines are detailed.
The term “right to be forgotten” is used today to represent a multitude of rights, and this fact causes difficulties in interpretation, analysis, and comprehension of such rights. These rights have become of utmost importance due to the increased risks to the privacy of individuals on the Internet, where social media, blogs, fora, and other outlets have entered into common use as part of human expression. Search engines, as Internet intermediaries, have been enrolled to assist in the attempt to regulate the Internet, and the rights falling under the moniker of the “right to be forgotten,” without truly knowing the extent of the related rights. In part to alleviate such problems, and focusing on digital technology and media, this paper proposes a taxonomy to identify various rights from different countries, which today are often regrouped under the banner “right to be forgotten,” and to do so in an understandable and coherent way. As an integral part of this exercise, this study aims to measure the extent to which there is a convergence of legal rules internationally in order to regulate private life on the Internet and to elucidate the impact that the important Google Spain “right to be forgotten” ruling of the Court of Justice of the European Union has had on law in other jurisdictions on this matter.
This paper will first introduce the definition and context of the “right to be forgotten.” Second, it will trace some of the sources of the rights discussed around the world to survey various forms of the “right to be forgotten” internationally and propose a taxonomy. This work will allow for a determination on whether there is a convergence of norms regarding the “right to be forgotten” and, more generally, with respect to privacy and personal data protection laws. Finally, this paper will provide certain criteria for the relevant rights and organize them into a proposed analytical grid to establish more precisely the proposed taxonomy of the “right to be forgotten” for the use of scholars, practitioners, policymakers, and students alike.
This article starts by providing background for the recently announced EU-US Privacy Shield, beginning with the adoption of the European Union's 1995 Data Protection Directive that limited cross-border transfers of personal data to countries with "an adequate level of protection" of such data. The resulting "Safe Harbor" negotiated between the EU and the U.S. in order to allow continuing data flows between the two blocs is described, together with the Schrems decision invalidating it, with the consequences for transatlantic data flows being highlighted. The need for a "Safe Harbor 2.0," and details of the same, relabelled as the "Privacy Shield," are provided. Finally, the current legal uncertainty surrounding the Privacy Shield and potential alternatives to it are evoked.
This article investigates various developments over that year that helped (or are helping) reshape European Union data privacy law, building around two important events: the Court of Justice of the European Union's Google Spain decision, applying a form of a "right to be forgotten", and the Paris terrorist attacks on the satirical journal Charlie Hebdo in January 2015 after which additional security measures involving websites and surveillance in France were adopted and advances on an EU directive on PNR data were made.

The EU member state court decisions that came in the wake of the Google Spain decision and that give a right to individuals in the EU to have certain search engine results delisted, which raise issues for Internet search engines, publishers of information, and potentially other Internet intermediaries, are discussed, as are Google’s attempts to come to terms with the Google Spain decision.

In addition, this article covers the continuing EU member state data protection agency enforcement action on Google's privacy policy, which was detailed in the author’s prior article – “European Data Privacy Law Developments” – with lessons being drawn for businesses regarding privacy policies and data protection compliance generally.

The surveillance measures discussed apply to electronic and other communication methods and introduce possibilities in France for mass data collection. Thus, the French legislation adopted in part in reaction to terrorist attacks – described by some as analogous to the U.S. Patriot Act – evidences modifications related to security affecting the business legal environment for internet and telecommunications companies and others. Similarly, EU efforts to allow greater passenger data sharing following the Charlie Hebdo attacks also show the continuing tension between data privacy – considered a fundamental right in the EU – and security.

Finally, ongoing work on the European Union data protection law reform – which will apply to non-European companies offering goods or services to individuals in Europe or monitoring their behavior – is detailed.
This study elucidates cultural differences in how companies attempted to achieve their political objectives during the formulation of a new European regulation. Compared to their European counterparts, Anglo-Saxon firms had frequent recourse to individual political actions and constituency-building strategies. Our comparative approach emphasises the need to understand the rationality of corporate political actions. Our results encourage lobbyists to consider how cultural differences impact upon the political strategies of their international rivals.

This research reveals important cultural differences in the way companies attempted to achieve their political objectives during the formulation of a new European regulation. Anglo-Saxon companies were thus more willing than their European counterparts to conduct individual political actions while implementing coalition-building tactics. A comparative approach emphasises understanding the rationality of corporate political actions. Our results encourage lobbyists to consider the impact of cultural differences on the political strategies of their international competitors.
This is an introduction (in French) to my contributions on U.S. law for the workshop -- "Les défis du numérique dans l'entreprise en Europe" ("The Challenges of Digital Technologies in Europe") held at the Toulouse Business School on February 27, 2015. One of my contributions, which is unpublished -- "Les conditions générales d’utilisation des sites web soumis au droit américain et quelques protections pour les consommateurs" -- is available on this website. Another -- "Les données personnelles dans l'entreprise vues au travers du prisme du droit américain" -- was published in the October 2015 issue of the Revue Lamy Droit de l'immatériel (No. 119). A third contribution is forthcoming in an upcoming issue of the Revue Lamy Droit de l'immatériel.
This article explores recent developments in European Union data privacy and data protection law, through an analysis of European Union advisory guidance, independent administrative agency enforcement action, case law, and legislative reform in the areas of digital technologies, the internet, telecommunications and personal data.

In the first case, Article 29 Working Party guidance on anonymization techniques – so important in the field of big data – is discussed and distinguished from pseudonymization. Next, Google privacy policy enforcement action by various EU Member State data protection agencies (inter alia, France, Germany, Italy, the Netherlands and Spain) is chronicled, with lessons being drawn for businesses regarding privacy policies and data protection compliance generally. Thirdly, European Union Court of Justice joined cases Digital Rights Ir. Ltd. v. Minister for Comm. Marine & Natural Res., invalidating the EU Data Retention Directive, which was applicable to providers of publicly available electronic communications services and public communications networks, such as ISPs and telecom operators, are analyzed and the WP29 reaction to the decision is discussed.

The Data Retention Directive decision and recent legislative action on the proposed EU General Data Protection Regulation (GDPR) highlight the importance in Europe of the protection of individuals’ fundamental rights to privacy and freedom of expression in the internet and telecommunications context. Finally, this article discusses recent developments regarding the GDPR, while the revelations of U.S. NSA mass surveillance programs continued to preoccupy European lawmakers.

PLEASE NOTE THAT THIS PAPER MAY BE DOWNLOADED USING THE SSRN LINK PROVIDED.
This article analyzes the famous Google Spain case (May 13, 2014) of the Court of Justice of the European Union and its recognition of a form of "the right to be forgotten", allowing individuals to request the delisting of their personal data from search engines if certain conditions are met. In doing so, it puts the right to be forgotten into the context of ongoing discussions on reform of the European Union's data protection framework and amendments in the European Parliament to the Proposed General Data Protection Regulation.

PLEASE NOTE THAT THIS PAPER MAY BE DOWNLOADED USING THE SSRN LINK PROVIDED.
This article provides an overall review of the proposed European Union General Data Protection Regulation (GDPR), two years after its initial proposal by the European Commission. It places the GDPR in the context of the current Data Protection Directive that it will replace once adopted, and details provisions of the GDPR, including those that were amended by the LIBE Committee (just prior to the vote of changes in the European Parliament sitting in plenary): extraterritorial effect of the GDPR, conditions placed on consent to processing, right to be forgotten and right to erasure, level of administrative sanctions, sensitive data, cross-border data transfers, and requirements for privacy impact assessments and data protection officers. The heavy lobbying on this EU legislation is discussed, and the impact of the NSA PRISM revelations on the legislative process is analyzed.

PLEASE NOTE THAT THIS PAPER MAY BE DOWNLOADED USING THE SSRN LINK PROVIDED.
This article reviews the European Union’s Proposed General Data Protection Regulation (GDPR) one year after the European Commission proposed it. Reactions to the GDPR from EU Member States, the Article 29 Data Protection Working Party (WP29), the relevant European Parliament committees and the Council of the European Union are analyzed and the legislative action on the GDPR to date is traced. Furthermore, proposed amendments to the GDPR by the leading parliamentary committee – Civil Liberties, Justice and Home Affairs (LIBE) – are detailed, notably in the areas of expanded scope of the GDPR, personal data breach notifications, consent to and legitimate bases for processing, data portability and the right to be forgotten, data protection officers (DPOs), and cross-border data transfers, among others. Finally, steps to prepare for the eventual adoption of the GDPR are set out.

PLEASE NOTE THAT THIS PAPER MAY BE DOWNLOADED USING THE SSRN LINK PROVIDED.
With the advent of new technologies, new means of surveillance and data collection have appeared on the radar. Drones are among the latest to be considered for domestic security purposes, both in the EU and the USA. After surveying some examples of the non-warfare use of drones for security and criminal justice purposes, this article analyses applicable privacy and data protection legislation and constitutional guarantees, on both sides of the Atlantic. This study extends to the application to drone-generated data of, inter alia, the Fourth Amendment to the US Constitution, Council of Europe instruments, and the EU Data Protection Framework, highlighting challenges to civil liberties and tensions between these and national security and justice concerns. Finally, this article looks briefly at proposals for legislative reform regarding drones at the US State and Federal levels and prospects for future legislation.
The Spanish law implementing the European Union (EU) Data Protection Directive, advisory guidance on consent, facial recognition and biometric technologies from the European Union Article 29 Data Protection Working Party (WP29), and proposals for EU data protection law reform are analyzed in this survey piece. EU legislative processes are illustrated by a specific occurrence: Spanish Organic Law 15/1999 on the Protection of Personal Data is reviewed in the context of Court of Justice of the European Union (ECJ) joined cases, Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) v. Administración del Estado, and Federación de Comercio Electrónico y Marketing Directo (FECEMD) v. Administración del Estado. The addition of a condition for the processing of personal data not present in the 1995 Data Protection Directive was rejected, and in the process the ECJ case Productores de Música de España (Promusicae) v. Telefónica de España SAU is cited regarding the transposition of European directives into EU Member State national law. WP29 guidance on (i) consent to personal data processing, including in an employment relationship, and on (ii) the special risks involved in the use of facial recognition and biometric technologies, is discussed. Finally, the proposal by the European Commission of the General Data Protection Regulation is seen as the culmination of various trends in the development of EU data protection law.

PLEASE NOTE THAT THIS PAPER MAY BE DOWNLOADED USING THE SSRN LINK PROVIDED.
An overview of U.S. law on website terms of use and of some consumer protections under U.S. law. Developed from my talk entitled “Les contrats du commerce électronique soumis au droit américain” at the workshop "Les défis du numérique dans les entreprises en Europe", in Toulouse, France, on February 27, 2015.
Revue Lamy Droit de l'Immatériel (RLDI), No. 100, January 2014
This handbook presents various concepts for EU privacy and data protection law in a comprehensible manner, providing analysis of existing and practical advice on how to approach data policy compliance. With global businesses and companies struggling to meet varying EU national privacy compliance laws, this book will be a useful primer to guide academics, practitioners, law students, and business professionals in understanding data privacy compliance, and provide additional supplemental resources on specific national legislation.
Smart contracts offer promise for facilitating and streamlining transactions in many areas of business and government. However, they also may be subject to the provisions of relevant data protection laws, if personal data is processed. This Chapter focuses on the European Union’s General Data Protection Regulation (GDPR), as the most significant and influential data protection legislation at this time, owing in part to its omnibus nature and extraterritorial scope. By their very nature, smart contracts raise difficulties for the classification of the various actors involved, which will have an impact on their responsibilities under the law and their potential liability for violations. Our analysis focuses primarily on the role of data controller in the context of blockchain technology, used in smart contracts. In doing so, the significance of the classification is highlighted in the context of the GDPR. Furthermore, certain rights granted to data subjects under the GDPR may be difficult to provide in the context of smart contracts, such as the right to rectification and the right to erasure (‘right to be forgotten’). This Chapter addresses such issues, together with relevant advisory guidance and recommendations, such as the use of encryption to make data nearly inaccessible, so as to approach as nearly as possible the same result as erasure, and the storage of certain data off-chain. On the way, the important distinction between anonymised data and personal data is explained, together with its practical implications. Finally, the GDPR requirements of data minimisation, of data security (‘integrity and confidentiality’), and of privacy by design and by default must be respected, if that legislation applies. This means that data protection and privacy must be considered when smart contracts are designed.
The European Union Agency for Network and Information Security (ENISA) is one of the “third generation” of EU agencies, active in the area of cybersecurity. Over a period of years this expert agency’s fundamental regulation has been amended and replaced, and its governing bodies modified. However, a sea change occurred when ENISA received significant additional responsibilities and resources as a result of the EU Cybersecurity Act. In such context, the Chapter’s essential focus is on whether or not accountability is a concern for ENISA today, given its development.
In the light of this evolution both in terms of ENISA’s fundamental regulation and its role, this chapter first provides an overview of theoretical perspectives regarding the accountability of EU agencies, as they are relevant to assess ENISA’s accountability, and describes ENISA as an expert body. Next, ENISA’s role in connection with certain aspects of EU legislation in data protection, ePrivacy, and cybersecurity is detailed, and most notably its creation of ‘soft law’ in these domains. An early challenge to ENISA’s legal basis is also discussed. The evolution of ENISA’s mandate, evidencing its growing importance, is detailed, and changes to its governance structures, as one solution to accountability challenges, are studied. Finally, additional discussion of accountability of ENISA in connection with its increased law ensues, with particular attention paid to its ‘soft law’ role, and potential need for a higher level of ex ante control in the form of greater ‘proceduralisation’ of law-making, prior to making a forward-looking conclusion.
This chapter introduces the European Union’s 2014 Non-Financial Reporting Directive (NFR Directive), considered a first step in the field of mandatory sustainability reporting, prior to analyzing the need for it to be improved. The author begins by setting out the historical context, both on the international and EU levels, including a new EU definition of corporate social responsibility (CSR) that envisages non-voluntary action. While the emphasis is placed on the extractive industries, the chapter’s treatment of the issue is of more general interest. The NFR Directive, which has been described as an example of the reflection in law and regulation of the United Nations Guiding Principles, is detailed through the legislative proposal and negotiations that led to its adoption, and through its content, including environment, social and employment reporting, which extends to a diversity policy description for publicly-traded companies governed by member State law. The NFR Directive is seen as part of an international process, complementing measures at the international level to improve financial reporting transparency, such as those of the OECD, the G20 and the G8. However, a certain amount of discretion is accorded to the EU member States in the implementation of the Directive into national law (allowing for the possibility of lack of harmonization), and elements such as the legislation’s ex-post focus and limited scope, and the lack of an auditing mechanism have been subject to criticism. The chapter concludes with a discussion of opportunities for improvement.
This chapter focuses on the importance of the impact of e-commerce and digital technologies in the transition from the European single market into a Digital Single Market (DSM). Highlighted is the opportunity that this change may present to enable the growth of the European Union’s international trade by capitalising on the potential of electronic transactions to enhance trust within the European digital framework. Key issues of data protection and data localization – the former leading to trust, while the latter causes fragmentation – and the importance of data security for trust and the interoperability of data flows under the DSM are analysed.
This Chapter discusses the possible treatment of the security and privacy aspects of e-procurement in the TTIP negotiations, expanding upon a presentation given at a one-day seminar on the TTIP held on May 27, 2015 at CIDOB (Barcelona Centre for International Affairs), Spain's highest ranked think tank (University of Pennsylvania Go To Think Tank ranking 2014).
This review of (and discussion around) Valérie-Laure Benabou and Judith Rochfeld's as yet untranslated book, A qui profite le clic? Le partage de la valeur à l'ère du numérique, begins by briefly tracing the development of the Internet from disintermediation to today's situation where new Internet intermediaries capture the value of personal data and user-generated content created on or through the web. Once recent developments involving disclosure of mass surveillance and European adoption of new data protection legislation are discussed, the authors' book is introduced, and the discussion shifts to economic surveillance. Cookies—which are the tools that allow the giant, mainly American Internet companies to capture data about web-users' behavior—and reactions to their use are debated. The necessity for transparency and the failure of contractual provisions to mirror true consent are detailed.
During the reading of Benabou and Rochfeld's book, we note that an important actor in the creation of value—the consumer—does not necessarily receive his or her share of the resulting value. The law, which has a role in defending certain values, whether it be copyright law, competition law, or contract law, has difficulties dealing with new paradigms created by new technologies and information. In Europe, fundamental rights and consumer law are supposed to help the web user, but do they go far enough? The book's authors propose beginnings of solutions to the law's difficulties in this context—based on transparency, technical mastery of content by the consumers who created it, control of consent, and collective action. Although the book leaves us hungry for more, it also leaves us thought-provoked as the reviewer comments. Citation: 2017 U. ILL. J.L. TECH. & POL’Y 469-485 (Fall 2017, Issue 2).
This article is a book review of Angela Daly's book "Private Power, Online Information Flows and EU Law: Mind the Gap," which was published in December 2016 in the Hart Studies in Competition Law series (Hart Publishing).
In the series of Data Protection Webinars 2021, on Tuesday, July 6th, Professor Gregory Voss was invited to speak on Cross-Border Data Flows and Compliance Post-Schrems II.
This short presentation highlights some salient points of the first year that the GDPR applied (from May 25, 2018), and discusses U.S. companies' divergent legal strategies for GDPR compliance, and the importance of the broad definition of "personal data" in the GDPR in this context. The presentation links to the publication of my and Kimberly Houser's article, "Personal Data and the GDPR: Providing a Competitive Advantage for U.S. Companies," which appeared in Volume 56, Issue 2 of the American Business Law Journal on the same day. A pre-print of that article is available at https://ssrn.com/abstract=3389515.
Gregory VOSS, Law Professor at TBS, analyzes the consequences of the new European data protection law for the Facebook & Google business models.
This is a short video from a Toulouse Business School breakfast research conference on "Le nouveau règlement européen sur la protection des données : contraintes et opportunités pour les entreprises ?" (regarding the EU General Data Protection Regulation) held on December 8, 2017. Both I and Stanley CLAISSE, a French "avocat" of the Toulouse Bar, spoke on the occasion.
This April 12, 2017 talk at the invitation of Virginia Tech University's Pamplin College of Business and University Libraries elucidated some differences between data protection in the United States and in the European Union, as well as highlighting some of the issues related to data ethics.