Orla Lynskey

Orla Lynskey

Email: O.Lynskey@lse.ac.uk
Administrative support: Lucy Wright
Room: New Academic Building 6.23
Tel. 020-7955-7726

Orla Lynskey has been an Assistant Professor in the Law Department since September 2012. She teaches and conducts research in the areas of data protection, technology regulation, digital rights and EU law. She holds an LLB (Law and French) from Trinity College Dublin, an LLM in EU Law from the College of Europe (Bruges) and a PhD from the University of Cambridge. This PhD research has been developed into a monograph, The Foundations of EU Data Protection Law, published by OUP in 2015. She is called to the Bar of England and Wales and working in Competition law practice in Brussels before beginning her doctoral research. She is an editor of International Data Privacy Law (OUP) and the European Law Blog, and is a member of the Editorial Board of the European Data Protection Law Review.

Research Interests

Orla conducts research in the fields of technology regulation and digital rights, with her primary focus being on EU data protection and privacy law. Her previous work has focused on the dual dignitary and economic nature of personal data and the normative limits of individual control over personal data. She is currently working on two distinct research projects. The first focuses on the distributive impact of legal regimes for personal data processing and profiling. The second project examines intermediary platform power in the online environment. It seeks to articulate the potential fundamental rights implications of such platform power, examines whether the current legal framework addresses these harms and identifies appropriate modalities of regulation to mitigate the negative effects of such power where necessary.


The Foundations of EU Data Protection Law (Oxford University Press, 2015)

Nearly two decades after the EU first enacted data protection rules, key questions about the nature and scope of this EU policy, and the harms it seeks to prevent, remain unanswered. The inclusion of a Right to Data Protection in the EU Charter has increased the salience of these questions, which must be addressed in order to ensure the legitimacy, effectiveness and development of this Charter right and the EU data protection regime more generally.

The Foundations of EU Data Protection Law is a timely and important work which sheds new light on this neglected area of law, challenging the widespread assumption that data protection is merely a subset of the right to privacy. By positioning EU data protection law within a comprehensive conceptual framework, it argues that data protection has evolved from a regulatory instrument into a fundamental right in the EU legal order and that this right grants individuals more control over more forms of data than the right to privacy. It suggests that this dimension of the right to data protection should be explicitly recognised, while identifying the practical and conceptual limits of individual control over personal data.

At a time when EU data protection law is sitting firmly in the international spotlight, this book offers academics, policy-makers, and practitioners a coherent vision for the future of this key policy and fundamental right in the EU legal order, and how best to realise it.

Selected articles
and chapters in books

'Beyond Privacy: The Data Protection Implications of the IP Bill' LSE Law Policy Briefing Papers: SPECIAL ISSUE: The Investigatory Powers Bill (15/2015)

In an era of digital communications, personal data flows do not respect national borders. UK residents communicate with friends and family living outside the UK’s borders while internet communications are routed all over the world when making their way from our computers and other connected devices to their final destination. At the same time, there is increasing public awareness of the dangers caused by mass data collection and data profiling. The Talk Talk and Ashley Madison data breaches, the Snowden revelations, the suspension of Safe Harbor data transfers between the EU and the US and the (misnamed) ‘Right to be Forgotten’ judgment by the EU Court of Justice (CJEU) have all made news headlines in recent years, and stakeholders – activists, businesses, policy-makers, the judiciary – are increasingly aware of the need to take personal data protection seriously. This dual dynamic – the global nature of digital information flows and the increased awareness of data protection and privacy issues – poses a challenge for national lawmakers. Any law introduced influencing the flow of information, such as the proposed Investigatory Powers Bill (IP Bill), will have effects in other countries beyond the UK, and will influence where companies outside choose to invest and to develop their operations. This Briefing Paper will therefore put the IP Bill in its EU law context. It suggests that, beyond privacy, the IP Bill will jeopardise two aspects of the right to data protection: individual autonomy and personal data security. In addition to these rights implications, the IP Bill may also have economic implications by discouraging technology industry investment in the UK.

'The Internal and External Constraints of Data Protection on Competition Law in the EU' LSE Law Society and Economy Working Paper Series, WPS 25-2015

Personal data has both an economic and a dignitary value. This begs the question of whether competition law should respect the dual nature of personal data, given that the regulation of competition is chiefly dictated by economic concerns. This article addresses that question by mapping the potential intersections between EU data protection law and competition law. In particular, it argues that data protection law exercises an internal and an external constraint on competition law. On the one hand, competition law involves judgments about ‘normal competition’ and consumer welfare which may require a normative contribution by data protection law. Using data protection as a normative benchmark in this way does not depart from the logic of competition law as data protection still requires a competitive concern hook on which to hang. Data protection would thus act as an ‘internal constraint’ on competition law. On the other hand, regardless of such logic, competition authorities are bound to respect the fundamental right to data protection. This requires them to restrict the scope of competition law and to guarantee the effectiveness of that fundamental right. In this way, data protection acts as an ‘external constraint’ on competition law. Recognising these constraints would pave the way for a more coherent EU law approach to consumer concerns in a digital society.

'Control over personal data in a digital age: Google Spain v AEPD and Maria Costeja Gonzalez' Modern Law Review (2015) 78 3 pp.522-534

Examines the ECJ ruling in Google Spain SL v Agencia Espanola de Proteccion de Datos (AEPD) (C-131/12) that a search engine was required to remove links to web pages displayed in search results where the processing of the data would be incompatible with Directive 95/46 (Data Protection Directive). Notes that the ECJ's ruling differed from the Advocate General's Opinion. Argues that the description "a right to be forgotten" is misleading.

'The Data Retention Directive is incompatible with the rights to privacy and data protection and is invalid in its entirety: Digital Rights Ireland' C.M.L. Rev. 2014, 51(6), pp.1789-1811.

'Deconstructing data protection: the "added-value" of a right to data protection in the EU legal order' International and Comparative Law Quarterly (2014) 63 (3) pp.569-597

Article 8 of the EU Charter of Fundamental Rights sets out a right to data protection which sits alongside, and in addition to, the established right to privacy in the Charter. The Charter's inclusion of an independent right to data protection differentiates it from other international human rights documents which treat data protection as a subset of the right to privacy. Its introduction and its relationship with the established right to privacy merit an explanation. This paper explores the relationship between the rights to data protection and privacy. It demonstrates that, to date, the Court of Justice of the European Union (CJEU) has consistently conflated the two rights. However, based on a comparison between the scope of the two rights as well as the protection they offer to individuals whose personal data are processed, it claims that the two rights are distinct. It argues that the right to data protection provides individuals with more rights over more types of data than the right to privacy. It suggests that the enhanced control over personal data provided by the right to data protection serves two purposes: first, it proactively promotes individual personality rights which are threatened by personal data processing and, second, it reduces the power and information asymmetries between individuals and those who process their data. For these reasons, this paper suggests that there ought to be explicit judicial recognition of the distinction between the two rights.

'From Market-Making Tool to Fundamental Right: the Role of the Court of Justice in Data Protection's Identity Crisis', chapter in Serge Gutwirth et al (eds) European Data Protection: Coming of Age (Springer 2013) pp.59-84

The European Data Protection Directive pursues dual, and potentially conflicting, objectives; it aims to facilitate the establishment of the internal market be enabling the free flow of personal data and to protects fundamental rights. This paper will examine the peculiar relationship between these dual objectives. Its aim is twofold. Firstly, to demonstrate that the ambiguity regarding the relationship between the Directive’s dual objectives could lead to doubts concerning its validity. Secondly, to demonstrate, by reference to the case law of the Court of Justice, that the Directive’s market-making characteristics have played second fiddle to its fundamental rights dimension in recent years; the Court has loosened the Directive’s links to the internal market while placing increasing emphasis on the fundamental rights vocation of data protection. One common theme emerges from the paper; the aims of European Data Protection policy are unclear and as such it is bound to suffer an 'identity crisis'.

'Track[ing] Changes: An Examination of EU Regulation of Online Behavioural Advertising through a Data Protection Lens' 2011(36) 6 European Law Review 874-886 

This article examines the proportionality, from a data protection perspective, of the regulatory regime applicable in the European Union to online behavioural advertising in light of recent amendments to the E-Privacy Directive. In this regard, first, the concept of behavioural advertising is explained. Secondly, the relevant legal framework is set out; particular attention is paid to the changes to the E-Privacy Directive that now mandate a user “opt-in” for targeted advertising. Thirdly, the harms to which behavioural advertising may give rise are outlined in order to facilitate the analysis of whether the recent changes constitute a proportionate response to these harms. It will be demonstrated that the European Union's protective regime will come at a cost for internet users; however, it is in keeping with the now prominent position of the right to data protection in the European legal order.

'The extent to which the EC legislature takes into account WTO obligations - jousting lessons from the European Parliament' (co-authored by Jacques Bourgeois), chapter in Dashwood and Maresceau (eds.) Law and Practice of EU External Relations (Cambridge University Press, 2008)

'The ever-longer arm of EC law: the extension of Community competence into the field of criminal law' 2008 (45)1 Common Market Law Review 131-158 (co-authored by A. Dawes)

The physical and legal borders of the European Community have been subject to a large number of changes in recent years. Throughout this period of transition Member States have sought to ensure that certain parameters remain unchanged. One such example is the province of Member States to determine which behaviour to punish by way of criminal sanctions. However, the recent judgments of the (ECJ) in the Cases C-176/03 and C-440/05 have changed these parameters by confirming that the European Community may provide for the imposition of criminal sanctions in certain policies. This article outlines these judgments and examines their impact, addressing a number of questions they left open. It also seeks to highlight the challenges the Community legislature will face should it seek to integrate criminal sanctions into EC legislation. While the shortfalls of the 'double text' situation cannot be denied, these flaws result from a deliberate decision by the Member States to attribute criminal competence to the EU under the Third Pillar, rather than to the EC under the First Pillar. It is thus unfortunate that such a consideration was not given greater weight by either the ECJ in its judgments, or the Commission in its extensive interpretation of the Court's judgment in Case C-176/03.

'The application of Article 86(2) EC to measures which do not fulfil the Altmark criteria; institutionalising incoherence in the legal framework governing state compensation of public service obligations' 2007 30(1) World Competition 153-168

 Whether or not state compensation for the performance of public service obligations constitutes aid is a question to which consistent answers have not been forthcoming.  In its Altmark Trans judgment the Court made an attempt to definitely settle this issue when it held that state compensation for the undertaking of public service obligations does not confer an advantage on undertakings if the four criteria set out in that judgment are fulfilled. However, this conditional answer provided by the Court to this question opened a different can of worms. The Altmark criteria overlap with those found in Article 86(2) EC begging the question; did Altmark incorporate the Article 86(2) EC derogation into the Article 87(1) EC concept of advantage? The Commission's position is clearly set out in its Monti package; it considers that the exception may be applied after the Altmark criteria. By permitting the application of the same legal criteria twice, the Commission runs the risk of applying these criteria in an inconsistent manner. This article sets out to examine the ramifications the Altmark judgment has had on the legal certainty of the Community's state aid regime. In this regard, particular emphasis will be put on the Commission's recent ''Monti package'' to examine whether it has cleared up any remaining confusion post-Altmark.This article has been shortlisted for the 2nd World Competition Young Writer's Award.

'Giving with one hand and taking away with another: A critical analysis of the Asylum Procedures Directive', Focus article, European Current Law, August 2006

'Complementing and completing the Common European Asylum System: a legal analysis of the emerging extraterritorial elements of EU refugee protection policy' (2006) 31(2) European Law Review 230-250