The Right to Information During Crises
The Sources of the Right to Information
The right to information during crises has always implicitly existed under Article 19 of the UDHR, which provides the right to “freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.”12 This is given legal force in Article 19 of the ICCPR.13
It can also be interpreted as existing as an “interdependent and interrelated right” required for the realization of Article 3 of the UDHR, the right to “life, liberty and security of person.”14 The UN Population Fund defines the interdependence and interrelatedness of rights as follows:
“The fulfilment of one right often depends, wholly or in part, upon the fulfilment of others. For instance, fulfilment of the right to health may depend, in certain circumstances, on fulfilment of the right to development, to education or to information.”15
Realizing Article 3 of the UDHR in the networked age increasingly depends on the ability of populations to access and benefit from information during crises, including the ability to access and use ICTs and other critical communications infrastructure. Thus, a right to information during crises should be seen as an interdependent and interrelated right of Article 3 in the same way that the rights to other internationally recognized and protected forms of humanitarian assistance are protected as interdependent rights related to Article 3.16
Actions taken by state and non-state actors to obstruct, interdict, control, or use information and related infrastructure to otherwise harm populations during emergencies and disasters, including depriving them of the means to freely communicate, should be treated as violations of Articles 3 and 19 of the UDHR. These actions may not only be violations of freedom of speech, but may also constitute violations of the right of all people to freely receive humanitarian assistance.17
In June 2016, a non-binding resolution of the UN Human Rights Council effectively articulated a human right to the internet in response to recent incidents in which freedom of expression online has been infringed upon by governments. The resolution affirms that:
“…the same rights that people have offline must also be protected online, in particular freedom of expression, which is applicable regardless of frontiers and through any media of one’s choice, in accordance with articles 19 of the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights;”18
The value of ICTs is not the technology itself, but in its ability to access, generate, store, transmit, and transform information. Thus, the right to information during crisis should not be conflated with the right to any specific technology. However, the rapid development of information technologies from the middle of the twentieth century onwards has fundamentally altered humanity’s relationship with information.19
Crisis affected populations identifying technology as critical to meeting their needs and survival are not identifying the technology itself as the critical item, but the enhanced access to information provided.20 Insofar as specific ICTs are identifiable as critical to the survival of populations, it is because they amount to a standard of care, and right to benefit as such is identified in Article 27, Part 1 of the UDHR:
“Everyone has the right freely to participate in the cultural life of the community, to enjoy the arts and to share in scientific advancement and its benefits.”21
The Right to Protection from Harm
The Sources of the Right to Protection from Harm
The right to protection from harm resulting from the use of ICTs and data is derived from multiple sources. The Humanitarian Charter states:
“The right to protection and security is rooted in the provisions of international law, in resolutions of the United Nations and other intergovernmental organizations, and in the sovereign responsibility of states to protect all those within their jurisdiction. The safety and security of people in situations of disaster or conflict is of particular humanitarian concern, including the protection of refugees and internally displaced persons. As the law recognises, some people may be particularly vulnerable to abuse and adverse discrimination due to their status such as age, gender, indigenous status, ethnicity, or race, and may require special measures of protection and assistance. To the extent that a state lacks the capacity to protect people in these circumstances, we believe it must seek international assistance to do so.”22
This right to protection from harm resulting from ICTs and data is based on the same provisions of international law referenced above, which include, though are not limited to, the UDHR, in particular Article 3: The Right to Life, Liberty and Security of Person; and the protections afforded to protected populations in situations of armed conflict under the Geneva Conventions.23 Protection is defined by the International Committee of the Red Cross’ Professional Standards for Protection Work as follows:
“…protection is a set of activities aimed at limiting the dangers to which people—civilians and detainees in particular—are exposed during armed conflict and other situations of violence, defending the rights of such people and preventing or halting any abuses they may be suffering.”24
Protection efforts to prevent the negative effects of both the crisis and the humanitarian response to the crisis are core to the very definition of the humanitarian imperative and its implementation in practice. Relatedly, the principle of protection not only concerns the negative impacts of non-humanitarian actors, but includes the implications of humanitarian action itself. The Sphere Standards, which contain the Humanitarian Charter, also call on humanitarian actors to “Avoid exposing people to further harm as a result of your actions.”25
Protection efforts that may be required as a result of the existence of a right to protection from harm related to HIAs, for example, can include the implementation of data security practices for the handling of data from affected populations.
Specific obligations to implement data security practices are explicated in Article 7 of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data26 and Part 2, Paragraph 11 of the Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.27
The Right to Data Privacy
The Sources of the Right to Data Privacy
The aggregate of international agreements, covenants, and national laws that inform the concept of data privacy constitute an emerging norm, one that explicitly expands the right to privacy to include data privacy and balances it against the need for the collection and processing of information. The recognition of data privacy as the extension of an existing fundamental human right establishes a requirement for professional standards of practice for the humanitarian community. These agreements, covenants, and national laws begin from the premise that privacy is a fundamental human right, as provided for in the UDHR, and legal force in the Covenant on Civil and Political Rights.28 Article 12 of the UDHR states:
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”29
These data privacy agreements exist to clarify and ensure the right to privacy in the era of computing and data.30,31 To that end, many data privacy and protection laws and regulations are expressed as obligations incumbent upon data holders and states to ensure respect of the right to privacy and the subsequent enjoyment of that right by data subjects. Legal scholarship avers that rights and obligations exist in parallel and roughly correlative fashion.32,33 These agreements constitute the antecedents by which the right to privacy in the context of HIAs are explicated.
There is as of yet no accepted humanitarian standard for data privacy and data security. However, a set of international norms is emerging around principles first articulated in the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and the OECD Guidelines on the Protection of Privacy and the Transborder Flows of Personal Data. These principles include the directive to ensure that data are obtained and processed fairly and lawfully; stored for specified and legitimate purposes; are accurate; and are stored for the minimum period necessary. It also commits parties to the principle of data minimization, and transparency of purpose.34
The last several decades have seen other regional agreements emerge that affirm the data privacy principles laid out by the OECD and establish them as minimum standards, or establish broadly similar guidelines for data protection. The EU Directive 95/46/EC establishes these principles at the heart of European Union data protection law.35 The Asia-Pacific Economic Cooperation (APEC) Privacy Framework mirrors the OECD Guidelines and extends them by making explicit the principle of preventing harm to the data subject36 and individual consent.37
The Organization of American States (OAS) has also adopted twelve “Principles on Privacy and Personal Protection.” These principles are similar to those adopted by the EU, OECD, and APEC.38 The Economic Community of West African States (ECOWAS) Supplementary Act39 on Personal Data Protection draws strongly from the EU Directive and establishes similar principles,40 as does the African Union Convention on Cyber Security and Personal Data Protection.41
On the national level, there is an emerging consensus around the principles found in European data privacy laws42 and the OECD Guidelines as accepted international minimum standards. As of 2015, 109 nations had implemented one or more data privacy laws that incorporate European precedents43 or share underlying principles with European Conventions and the OECD Guidelines.
These shared principles are defined as “covering the most important parts of its private sector, or its national public sector, or both,” and providing,“a set of basic data privacy principles, to a standard at least approximating the minimum provided for by the OECD Guidelines or Council of Europe (CoE) Convention 108, plus some methods of officially backed enforcement (i.e. not only self-regulation).”44
While limited in jurisdiction to public health responses, these principles are well established in international law through the World Health Organization (WHO) International Health Regulations, Article 45, which stipulates the guarantees that State Parties to that treaty must extend to ensure the appropriate processing of personal data.45
The principle of primum non nocere, or “do no harm,” is enshrined in Sphere Protection Principle 1,46 and is a bedrock component of the humanitarian principle of humanity.47 In the networked age, doing no harm means that humanitarian actors must seek to know, prevent and mitigate harms, including violations of human rights, that may result from breaches of data privacy and security. Privacy, security, and agency are interrelated concepts in theory and practice.
The Right to Data Agency
The Sources of the Right to Data Agency
Article 7 of the ICCPR explicitly extends the right of free consent to medical or scientific experimentation from the right to bodily integrity. It states: “No one shall be subjected to torture or to cruel, inhuman or degrading treatment or punishment. In particular, no one shall be subjected without his free consent to medical or scientific experimentation.”48
Article 7 is the fundamental basis of the right to dignity described in the Core Humanitarian Standards.49 The right to dignity requires adherence to the provisions of international law concerned with, among other things, freedom from cruel, inhumane, or degrading treatment.50
The concept of data agency encompasses the principles of informed consent and the concepts of informed participation and notification. The first codification of the principle of informed consent arose in the verdict of the United States v. Karl Brandt, which established the ten principles for permissible medical experimentation known as the Nuremberg Code,51 which is treated as customary international law.52 The first principle of the Nuremberg Code stipulates that “the voluntary consent of the human subject is absolutely essential.”53
In 1964, the Declaration of Helsinki established an internationally recognized code of conduct for experimentation. The principle of informed consent was expanded to include the provision of each subject with information about relevant aspects of experimental procedures prior to obtaining consent to participation.54 In addition to reiterating the requirement for informed consent, the Declaration of Helsinki introduced special considerations for vulnerable populations and the concept of independent ethics review, which evolved into the Institutional Review Board (IRB).55
Finally, in 1979, the Belmont Report defined three ethical principles, beyond the rules laid out in the Nuremberg Code and Declaration of Helsinki, necessary for the protection of human subjects: respect for persons, beneficence, and justice.56 The principle of respect for persons establishes “first that individuals should be treated as autonomous agents, and second, that persons with diminished autonomy are entitled to protection.” Beneficence is defined as an obligation to both do no harm, and to maximize benefits while minimizing potential harm. The principle of justice incorporates formulations of equal treatment. These principles are directly consistent with the humanitarian principle of humanity, which encompasses respect for human dignity,57 and apply in all settings beyond standard of care, including all experimental procedures.
Together, the Nuremberg Code, the Declaration of Helsinki, and the Belmont Report are the mutually reinforcing foundation for the principles governing informed consent for all human subject experimentation.
The Right to Redress and Rectification
The Sources of the Right to Redress and Rectification
Privacy is recognized as a fundamental human right in the UDHR, which is the basis of international human rights law.58 It is also included in the Covenant on Civil and Political Rights.59 Article 12 of the UDHR states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”60
The United Nations has also formally commented on the importance of rectification and redress. United Nations General Assembly Resolution 45/95 of 14 December describes an international, borderless right to access, rectification, and erasure in: “Principle of interested-person access: Everyone who offers proof of identity has the right to know whether information concerning him is being processed and to obtain it in an intelligible form, without undue delay or expense, and to have appropriate rectifications or erasures made in the case of unlawful, unnecessary or inaccurate entries and, when it is being communicated, to be informed of the addressee’s. Provision should be made for a remedy, if need be with the supervisory authority specified in Principle 8 below. The cost of any rectification shall be borne by the person responsible for the file. It is desirable that the provisions of this principle should apply to everyone, irrespective of nationality or place of residence.”61
The right of the individual whose personal data has been collected to access and challenge that personal data is recognized as fundamental to safeguarding the right to privacy. Individuals must be able to discover whether a data manager has collected data about them. They must also be allowed to access this data, in a form intelligible to them. This enables them to review its accuracy and to amend, revise, or correct if necessary.
This right, sometimes called the right to individual participation, is found in the major regional covenants and agreements regarding data privacy, including the OECD Guidelines governing the protection of privacy and transborder flows of personal data,62 the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data,63 Directive 95/46/EC of the European Parliament,64 the APEC Privacy Framework,65 the OAS Principles on Privacy and Personal Data Protection,66 the ECOWAS Supplementary Act A/SA/.1/01/10 on Personal Data Protection within ECOWAS,67 and the African Union Convention On Cyber Security And Personal Data Protection.68
While the right to individual participation is not an absolute right, the OECD Expert Group nevertheless felt that it was necessary to include in the OECD Guidelines, as they considered it the most important of privacy safeguards.69 Likewise, the OAS Inter-American Judicial Committee calls this right “one of the most important safeguards in the field of privacy protection.”70
This access should be simple to exercise, and part of the day-to-day activities of the data manager. It should not require the individual to access legal mechanisms or procedures. This right is necessarily limited: it may be modified or restricted in cases where allowing access would abrogate the human rights of the individual or others. In the event that access is denied, the data manager must provide reasons for that denial, in an intelligible format and within a reasonable time period.
The right to redress is a key component of emerging international legal norms governing the use of data. The EU has taken a leading role in encoding a right for people to seek rectification of inaccurate data and redress for harms stemming from the use of their data into law.71
Regulation (EC) 45/2001 explicitly enshrines the right to rectification in Article 14, stating: “The data subject shall have the right to obtain from the controller the rectification without delay of inaccurate or incomplete personal data.”72 Article 8 of the 2000 Charter of Fundamental Rights of the European Union states: “Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.”73
Notably, Article 8 explicitly links the right of access to the right of rectification—implying that one cannot exist without the other. The forthcoming EU Regulation 2016/679, or General Data Protection Regulation (GDPR), which will enter into force in May 2018, further describes and enhances the right to rectification and redress. Article 59 notes:
“Modalities should be provided for facilitating the exercise of the data subject’s rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such request.”74
Article 59 not only reiterates the link between the right of access to data and the right of rectification, but also describes a specific timeframe within which data managers are obligated to respond to requests from data subjects.
12. United Nations General Assembly, “Universal Declaration of Human Rights.”
13. United Nations General Assembly, “International Covenant on Civil and Political Rights,” United Nations Treaty Series 999, no. 14668 (1976): 171, https://treaties.un.org/doc/Publication/UNTS/Volume%20999/volume-999-I-14668-English.pdf
14. United Nations General Assembly, “Universal Declaration of Human Rights.”
15. United Nations Population Fund, “Human Rights Principles,” UNFPA, 2005, http://www.unfpa.org/resources/human-rights-principles.
16. Ruth Abril Stoffels, “Legal Regulation of Humanitarian Assistance in Armed Conflict: Achievements and Gaps,” Revue Internationale de La Croix-Rouge/International Review of the Red Cross 86, no. 855 (September 27, 2004): 517, doi:10.1017/S1560775500181027.
17. The Sphere Project, Sphere Project: Humanitarian Charter and Minimum Standards in Humanitarian Response.
18. United Nations Human Rights Council, The Promotion, Protection and Enjoyment of Human Rights on the Internet, United Nations Human Rights Council Resolutions, 2016, https://digitallibrary.un.org/record/845728?ln=en.
19. Luciano Floridi, The Ethics of Information, Paperback (Oxford: Oxford University Press, 2013), 7–8 & Chapter 15.
20. It is critical to avoid the conflation of technology with information. By way of example, were we to interpret UNCLOS Article 24, Part 2, “The coastal State shall give appropriate publicity to any danger to navigation, of which it has knowledge, within its territorial sea” to mean lighthouses and paper maps, than GPS and digital charts would have no role in hazard identification. United Nations, “United Nations Convention on the Law of the Sea,” United Nations Treaty Series 1833, no. 31363 (1994), https://treaties.un.org/Pages/showDetails.aspx?objid=0800000280043ad5.
21. United Nations General Assembly, “Universal Declaration of Human Rights.”
22. The Sphere Project, Sphere Project: Humanitarian Charter and Minimum Standards in Humanitarian Response.
23. International Committee of the Red Cross, “Geneva Convention Relative to the Protection of Civilian Persons in Time of War (Forth Geneva Convention),” United Nations Treaty Series 75, no. 287 (August 12, 1949): 288–416.↩
24. International Committee of the Red Cross, Professional Standards for Protection Work, 2013 ed., vol. 0999/002 (Geneva, 2013), https://www.icrc.org/eng/assets/files/other/icrc-002-0999.pdf.
25. The Sphere Project, Sphere Project: Humanitarian Charter and Minimum Standards in Humanitarian Response, 13.
26. The Council of Europe, “Convention for the Protection of Individuals with Regard to the Automatic Processing of Individual Data” ETS No.108 (1981), http://www.refworld.org/docid/3dde1005a.html.
27. Organization for Economic Cooperation and Development, “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” 2013, http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf.
28. United Nations General Assembly, “International Covenant on Civil and Political Rights.”
29. United Nations General Assembly, “Universal Declaration of Human Rights.”
30. Council of Europe, “Explanatory Report of Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data,” European Treaty Series (Strasbourg, 1981), http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm.
31. Organization for Economic Cooperation and Development, “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” fig. 3.
32. Francis Leiber, Manual of Political Ethics, Vol 2. (Boston: Charles C. Little and James Brown, 1839), col. 1, https://books.google.com/books?id=MwVAAAAAYAAJ.
33. William N. Eskridge Jr., “The Relationship between Obligations and Rights of Citizens,” Fordham Law Review 69, no. 5 (2001): 1721–51.
34. The Council of Europe, “Convention for the Protection of Individuals with Regard to the Automatic Processing of Individual Data.”
35. European Parliament, “Regulation 45/2001 of the European Parliament and of the Council of 18 December 2000 on the Protection of Individuals with Regard to the Processing of Personal Data by the Community Institutions and Bodies and on the Free Movement of Such Data,” Official Journal of the European Communities 44, no. L8 (January 12, 2001): 0001–0022, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2001:008:0001:0022:en:PDF.
36. Asia-Pacific Economic Cooperation, “APEC Privacy Framework,” vol. APEC#205-S (Singapore, 2005), pt. III, I.14, https://www.apec.org/publications/2005/12/apec-privacy-framework.
37. Ibid., vol. APEC #205-S, pt. III.V.20.& Part III V.20.
38. Organization of American States, “Privacy and Data Protection” (Rio de Janeiro: Organization of American States, 2015), http://www.oas.org/en/sla/dil/docs/CJI-doc_474-15_rev2.pdf.
39. Communaute Economique des Etats de l’Afrique de l’Ouest/Economic Community of West African States, “Supplementary Act A/SA.1/01/10 On Personal Data Protection within ECOWAS,” 2010, http://www.statewatch.org/news/2013/mar/ecowas-dp-act.pdf.
40. Graham Greenleaf, “The Influence of European Data Privacy Standards Outside Europe: Implications for Globalization of Convention 108,” International Data Privacy Law 2, no. 2 (May 1, 2012): 68–92, doi:10.1093/idpl/ips006.
41. African Union, “African Union Convention on Cybersecurity and Personal Data Protection” EX.CL/846 (2014).
42. As laid out in The Council of Europe, “Convention for the Protection of Individuals with Regard to the Automatic Processing of Individual Data.”
43. Greenleaf, “The Influence of European Data Privacy Standards Outside Europe: Implications for Globalization of Convention 108.”
44. Graham Greenleaf, “Global Data Privacy Laws 2015: 109 Countries, with European Laws Now a Minority,” Privacy Laws Business International Report, January 30, 2015.
45. World Health Organization, International Health Regulations (2005), 3rd ed. (Geneva, 2016), http://www.who.int/ihr/publications/9789241580496/en/.
46. The Sphere Project, Sphere Project: Humanitarian Charter and Minimum Standards in Humanitarian Response.
47. “To respect is primarily an attitude of abstaining, meaning: do not harm, do not threaten, spare the lives, integrity and the means of existence of others, have regard for their individual personality and dignity.” Jean Pictet, “The Fundamental Principles of the Red Cross: Commentary,” International Federation of the Red Cross and Red Crescent Societies, 1979.
48. United Nations General Assembly, “International Covenant on Civil and Political Rights.”
49. CHS Alliance, Groupe URD, and The Sphere Project, Core Humanitarian Standard: Core Humanitarian Standard on Quality and Accountability, 2014, https://corehumanitarianstandard.org/files/files/Core%20Humanitarian%20Standard%20-%20English.pdf.
50. International Committee of the Red Cross, “Geneva Convention Relative to the Protection of Civilian Persons in Time of War (Forth Geneva Convention).”
51. Trials of War Criminals before the Nuremberg Military Tribunals under Control Council Law No. 10: The Medical Case, vol. 2 (Washington, DC: United States Government Printing Office, 1949).
52. Thomas Weatherall, Jus Cogens: International Law and Social Contract (Cambridge: Cambridge University Press, 2015).
53. Ibid., 181.
54. World Medical Association, “World Medical Association Declaration of Helsinki Ethical Principles for Medical Research Involving Human Subjects,” paras. 25–32.
55. Ibid., para. 23.
56. National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research, “Belmont Report: Ethical Principles and Guidelines for the Protection of Human Subjects of Research, Report of the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research,” Federal Register, vol. 44, April 18, 1979, http://www.hhs.gov/ohrp/regulations-and-policy/belmont-report/.
57. United Nations General Assembly, “Strengthening of the Coordination of Humanitarian Emergency Assistance of the United Nations” A/RES/46/1 (December 19, 1991), https://digitallibrary.un.org/record/135197?ln=en.
58. United Nations, “The Foundation of International Human Rights Law,” accessed September 22, 2016, http://www.un.org/en/sections/universal-declaration/foundation-international-human-rights-law/index.html.
59. United Nations General Assembly, “International Covenant on Civil and Political Rights.”
60. United Nations General Assembly, “Universal Declaration of Human Rights.”
61. United Nations General Assembly, “Guidelines for the Regulation of Computerized Personal Data Files,” United Nations General Assembly Resolutions 45, no. 95 (1990): pt. 4, http://www.refworld.org/pdfid/3ddcafaac.pdf.
62. Organization for Economic Cooperation and Development, “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.”
63. The Council of Europe, “Convention for the Protection of Individuals with Regard to the Automatic Processing of Individual Data.”
64. The European Parliament, “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data,” Official Journal of the European Union 38, no. L281 (1995): 0031–0050.
65. Asia-Pacific Economic Cooperation, “APEC Privacy Framework.”
66. Organization of American States, “Privacy and Data Protection.”
67. Communaute Economique des Etats de l’Afrique de l’Ouest/Economic Community of West African States, “Supplementary Act A/SA.1/01/10 On Personal Data Protection within ECOWAS.”
68. African Union, “African Union Convention on Cybersecurity and Personal Data Protection.”
69. Organization for Economic Cooperation and Development, “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” 58.
70. Organization of American States, “Privacy and Data Protection,” 13.
71. The European Union describes this right in three documents, which are cited in full below: Regulation (EC) 45/2001, the 2000 Charter of Fundamental Rights of the European Union, and the upcoming EU General Data Protection Regulation (Regulation (EU) 2016/679
72. European Parliament, “Regulation 45/2001 of the European Parliament and of the Council of 18 December 2000 on the Protection of Individuals with Regard to the Processing of Personal Data by the Community Institutions and Bodies and on the Free Movement of Such Data.”
73. European Commission, “The Charter of Fundamental Rights of the European Union,” Official Journal of the European Communities 43, no. C364 (December 18, 2000): 1–22, doi:10.1108/03090550310770974.
74. European Parliament, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Da,” Official Journal of the European Union 59, no. L119 (May 4, 2016): 1–88.