Orla Lynskey

Orla Lynskey

Email: O.Lynskey@lse.ac.uk
Administrative support: Lucy Wright
Room: New Academic Building 6.23
Tel. 020-7955-7726

Orla Lynskey has been an Assistant Professor in the Law Department since September 2012. She teaches and conducts research in the areas of data protection, technology regulation, digital rights and EU law. She holds an LLB (Law and French) from Trinity College Dublin, an LLM in EU Law from the College of Europe (Bruges) and a PhD from the University of Cambridge. This PhD research has been developed into a monograph, The Foundations of EU Data Protection Law, published by OUP in 2015. She is called to the Bar of England and Wales and working in Competition law practice in Brussels before beginning her doctoral research. She is an editor of International Data Privacy Law (OUP) and the European Law Blog, and is a member of the Editorial Board of the European Data Protection Law Review.

Research Interests

Orla conducts research in the fields of technology regulation and digital rights, with her primary focus being on EU data protection and privacy law. Her previous work has focused on the dual dignitary and economic nature of personal data and the practical and normative limits of individual control over personal data ('informational self-determination'). She is currently working on inter-related projects on the fundamental rights implications of 'platform power' in digital markets and the EU's right to data portability.


The Foundations of EU Data Protection Law (Oxford University Press, 2015)

Nearly two decades after the EU first enacted data protection rules, key questions about the nature and scope of this EU policy, and the harms it seeks to prevent, remain unanswered. The inclusion of a Right to Data Protection in the EU Charter has increased the salience of these questions, which must be addressed in order to ensure the legitimacy, effectiveness and development of this Charter right and the EU data protection regime more generally.

The Foundations of EU Data Protection Law is a timely and important work which sheds new light on this neglected area of law, challenging the widespread assumption that data protection is merely a subset of the right to privacy. By positioning EU data protection law within a comprehensive conceptual framework, it argues that data protection has evolved from a regulatory instrument into a fundamental right in the EU legal order and that this right grants individuals more control over more forms of data than the right to privacy. It suggests that this dimension of the right to data protection should be explicitly recognised, while identifying the practical and conceptual limits of individual control over personal data.

At a time when EU data protection law is sitting firmly in the international spotlight, this book offers academics, policy-makers, and practitioners a coherent vision for the future of this key policy and fundamental right in the EU legal order, and how best to realise it.

Selected articles
and chapters in books

'Courts, privacy and data protection in the UK: why two wrongs don't make a right' in Maja Brkan and Evangelia Psychogiopoulou (eds.) Courts, Privacy and Data Protection in the Digital Environment  (Edward Elgar, 2017)

'Brexit and the UK's Tech Industry' LSE Law - Policy Briefing Paper No. 26-2017

The UK’s digital economy is currently growing at twice the rate of the wider economy, and now contributes an estimated £97 billion per annum to the economy. As such, the Prime Minister has singled growth in the technology industry as a priority for the UK after leaving the EU. Understanding the implications of Brexit for the tech industry requires us to think about the changes to the UK’s regulatory framework once EU law ceases to apply, and the constraints that EU law imposes even after Brexit.

'Regulating "Platform Power"' LSE Law Society and Economy Working Paper Series, 01/2017

Increasing regulatory and doctrinal attention has recently focused on the problem of ‘platform power’. Yet calls for regulation of online platforms fail to identify the problems such regulation would target, and as a result appear to lack merit. In this paper, two claims are advanced. First, that the concept of ‘platform power’ is both an under and over-inclusive regulatory target and, as such, should be replaced by the broader concept of a ‘digital gatekeeper’. Second, that existing legal mechanisms do not adequately reflect the power over information flows and individual behaviour that gatekeepers can exercise. In particular, this gatekeeper power can have implications for individual rights that competition law and economic regulation are not designed to capture. Moreover, the technological design, and complexity, of digital gatekeepers renders their operations impervious to scrutiny by individual users, thereby exacerbating these potential implications.

(with Francisco Costa-Cabral) 'Family ties: The intersection between data protection and competition in EU law' (2017) 54 Common Market Law Review, Issue 1, pp. 11–50

Personal data is a valuable commodity in the digital economy, and companies compete to acquire and process this data. This rivalry is subject to the application of competition law. However, personal data also has a dignitary dimension which is protected through data protection law and EU Charter rights to data protection and privacy. This paper maps the relationship between these legal frameworks. It identifies the commonalities that facilitate their intersection, whilst acknowledging their distinct methods and aims. It argues that when the material scope of these legal frameworks overlap, competition law can incorporate data protection law as a normative yardstick when assessing non-price competition; data protection can thus act as an internal constraint on competition law. In addition, it advocates that following the Lisbon Treaty, data protection and other fundamental rights also exercise an external constraint on competition law and, in certain circumstances, can prevent or shape its application. As national and supranational regulators grapple with the challenge of facilitating a dynamic information economy that respects fundamental rights, recognition of these constraints would pave the way for a more coherent EU law approach to the digital society.

'The ‘Europeanisation’ of Data Protection Law'  Cambridge Yearbook of European Legal Studies (2017)

EU data protection law has, to date, been monitored and enforced in a decentralised way by independent supervisory authorities in each Member State. While the independence of these supervisory authorities is an essential element of EU data protection law, this decentralised governance structure has led to competing claims from supervisory authorities regarding the national law applicable to a data processing operation and the national authority responsible for enforcing the data protection rules. These competing claims – evident in investigations conducted into the data protection compliance of Google and Facebook – jeopardise the objectives of the EU data protection regime. The new General Data Protection Regulation will revolutionise data protection governance by providing for a centralised decision-making body, the European Data Protection Board. While this agency will ensure the ‘Europeanisation’ of data protection law, given the nature and the extent of this Board’s powers, it marks another significant shift in the EU’s agency-creating process and must, therefore, also be considered in its broader EU context.

'Data Protection and Freedom of Information', Chapter 16 in Pattenden and Sheehan (eds.) The Law of Professional-Client Confidentiality (2nd ed.)  (OUP 2016)

'Beyond Privacy: The Data Protection Implications of the IP Bill' LSE Law Policy Briefing Papers: SPECIAL ISSUE: The Investigatory Powers Bill (15/2015)

In an era of digital communications, personal data flows do not respect national borders. UK residents communicate with friends and family living outside the UK’s borders while internet communications are routed all over the world when making their way from our computers and other connected devices to their final destination. At the same time, there is increasing public awareness of the dangers caused by mass data collection and data profiling. The Talk Talk and Ashley Madison data breaches, the Snowden revelations, the suspension of Safe Harbor data transfers between the EU and the US and the (misnamed) ‘Right to be Forgotten’ judgment by the EU Court of Justice (CJEU) have all made news headlines in recent years, and stakeholders – activists, businesses, policy-makers, the judiciary – are increasingly aware of the need to take personal data protection seriously. This dual dynamic – the global nature of digital information flows and the increased awareness of data protection and privacy issues – poses a challenge for national lawmakers. Any law introduced influencing the flow of information, such as the proposed Investigatory Powers Bill (IP Bill), will have effects in other countries beyond the UK, and will influence where companies outside choose to invest and to develop their operations. This Briefing Paper will therefore put the IP Bill in its EU law context. It suggests that, beyond privacy, the IP Bill will jeopardise two aspects of the right to data protection: individual autonomy and personal data security. In addition to these rights implications, the IP Bill may also have economic implications by discouraging technology industry investment in the UK.

'The Internal and External Constraints of Data Protection on Competition Law in the EU' LSE Law Society and Economy Working Paper Series, WPS 25-2015

Personal data has both an economic and a dignitary value. This begs the question of whether competition law should respect the dual nature of personal data, given that the regulation of competition is chiefly dictated by economic concerns. This article addresses that question by mapping the potential intersections between EU data protection law and competition law. In particular, it argues that data protection law exercises an internal and an external constraint on competition law. On the one hand, competition law involves judgments about ‘normal competition’ and consumer welfare which may require a normative contribution by data protection law. Using data protection as a normative benchmark in this way does not depart from the logic of competition law as data protection still requires a competitive concern hook on which to hang. Data protection would thus act as an ‘internal constraint’ on competition law. On the other hand, regardless of such logic, competition authorities are bound to respect the fundamental right to data protection. This requires them to restrict the scope of competition law and to guarantee the effectiveness of that fundamental right. In this way, data protection acts as an ‘external constraint’ on competition law. Recognising these constraints would pave the way for a more coherent EU law approach to consumer concerns in a digital society.

'Control over personal data in a digital age: Google Spain v AEPD and Maria Costeja Gonzalez' Modern Law Review (2015) 78 3 pp.522-534

Examines the ECJ ruling in Google Spain SL v Agencia Espanola de Proteccion de Datos (AEPD) (C-131/12) that a search engine was required to remove links to web pages displayed in search results where the processing of the data would be incompatible with Directive 95/46 (Data Protection Directive). Notes that the ECJ's ruling differed from the Advocate General's Opinion. Argues that the description "a right to be forgotten" is misleading.

'The Data Retention Directive is incompatible with the rights to privacy and data protection and is invalid in its entirety: Digital Rights Ireland' C.M.L. Rev. 2014, 51(6), pp.1789-1811.

'Deconstructing data protection: the "added-value" of a right to data protection in the EU legal order' International and Comparative Law Quarterly (2014) 63 (3) pp.569-597

Article 8 of the EU Charter of Fundamental Rights sets out a right to data protection which sits alongside, and in addition to, the established right to privacy in the Charter. The Charter's inclusion of an independent right to data protection differentiates it from other international human rights documents which treat data protection as a subset of the right to privacy. Its introduction and its relationship with the established right to privacy merit an explanation. This paper explores the relationship between the rights to data protection and privacy. It demonstrates that, to date, the Court of Justice of the European Union (CJEU) has consistently conflated the two rights. However, based on a comparison between the scope of the two rights as well as the protection they offer to individuals whose personal data are processed, it claims that the two rights are distinct. It argues that the right to data protection provides individuals with more rights over more types of data than the right to privacy. It suggests that the enhanced control over personal data provided by the right to data protection serves two purposes: first, it proactively promotes individual personality rights which are threatened by personal data processing and, second, it reduces the power and information asymmetries between individuals and those who process their data. For these reasons, this paper suggests that there ought to be explicit judicial recognition of the distinction between the two rights.

'From Market-Making Tool to Fundamental Right: the Role of the Court of Justice in Data Protection's Identity Crisis', chapter in Serge Gutwirth et al (eds) European Data Protection: Coming of Age (Springer 2013) pp.59-84

The European Data Protection Directive pursues dual, and potentially conflicting, objectives; it aims to facilitate the establishment of the internal market be enabling the free flow of personal data and to protects fundamental rights. This paper will examine the peculiar relationship between these dual objectives. Its aim is twofold. Firstly, to demonstrate that the ambiguity regarding the relationship between the Directive’s dual objectives could lead to doubts concerning its validity. Secondly, to demonstrate, by reference to the case law of the Court of Justice, that the Directive’s market-making characteristics have played second fiddle to its fundamental rights dimension in recent years; the Court has loosened the Directive’s links to the internal market while placing increasing emphasis on the fundamental rights vocation of data protection. One common theme emerges from the paper; the aims of European Data Protection policy are unclear and as such it is bound to suffer an 'identity crisis'.

'Track[ing] Changes: An Examination of EU Regulation of Online Behavioural Advertising through a Data Protection Lens' 2011(36) 6 European Law Review 874-886 

This article examines the proportionality, from a data protection perspective, of the regulatory regime applicable in the European Union to online behavioural advertising in light of recent amendments to the E-Privacy Directive. In this regard, first, the concept of behavioural advertising is explained. Secondly, the relevant legal framework is set out; particular attention is paid to the changes to the E-Privacy Directive that now mandate a user “opt-in” for targeted advertising. Thirdly, the harms to which behavioural advertising may give rise are outlined in order to facilitate the analysis of whether the recent changes constitute a proportionate response to these harms. It will be demonstrated that the European Union's protective regime will come at a cost for internet users; however, it is in keeping with the now prominent position of the right to data protection in the European legal order.

'The extent to which the EC legislature takes into account WTO obligations - jousting lessons from the European Parliament' (co-authored by Jacques Bourgeois), chapter in Dashwood and Maresceau (eds.) Law and Practice of EU External Relations (Cambridge University Press, 2008)

'The ever-longer arm of EC law: the extension of Community competence into the field of criminal law' 2008 (45)1 Common Market Law Review 131-158 (co-authored by A. Dawes)

The physical and legal borders of the European Community have been subject to a large number of changes in recent years. Throughout this period of transition Member States have sought to ensure that certain parameters remain unchanged. One such example is the province of Member States to determine which behaviour to punish by way of criminal sanctions. However, the recent judgments of the (ECJ) in the Cases C-176/03 and C-440/05 have changed these parameters by confirming that the European Community may provide for the imposition of criminal sanctions in certain policies. This article outlines these judgments and examines their impact, addressing a number of questions they left open. It also seeks to highlight the challenges the Community legislature will face should it seek to integrate criminal sanctions into EC legislation. While the shortfalls of the 'double text' situation cannot be denied, these flaws result from a deliberate decision by the Member States to attribute criminal competence to the EU under the Third Pillar, rather than to the EC under the First Pillar. It is thus unfortunate that such a consideration was not given greater weight by either the ECJ in its judgments, or the Commission in its extensive interpretation of the Court's judgment in Case C-176/03.

'The application of Article 86(2) EC to measures which do not fulfil the Altmark criteria; institutionalising incoherence in the legal framework governing state compensation of public service obligations' 2007 30(1) World Competition 153-168

 Whether or not state compensation for the performance of public service obligations constitutes aid is a question to which consistent answers have not been forthcoming.  In its Altmark Trans judgment the Court made an attempt to definitely settle this issue when it held that state compensation for the undertaking of public service obligations does not confer an advantage on undertakings if the four criteria set out in that judgment are fulfilled. However, this conditional answer provided by the Court to this question opened a different can of worms. The Altmark criteria overlap with those found in Article 86(2) EC begging the question; did Altmark incorporate the Article 86(2) EC derogation into the Article 87(1) EC concept of advantage? The Commission's position is clearly set out in its Monti package; it considers that the exception may be applied after the Altmark criteria. By permitting the application of the same legal criteria twice, the Commission runs the risk of applying these criteria in an inconsistent manner. This article sets out to examine the ramifications the Altmark judgment has had on the legal certainty of the Community's state aid regime. In this regard, particular emphasis will be put on the Commission's recent ''Monti package'' to examine whether it has cleared up any remaining confusion post-Altmark.This article has been shortlisted for the 2nd World Competition Young Writer's Award.

'Giving with one hand and taking away with another: A critical analysis of the Asylum Procedures Directive', Focus article, European Current Law, August 2006

'Complementing and completing the Common European Asylum System: a legal analysis of the emerging extraterritorial elements of EU refugee protection policy' (2006) 31(2) European Law Review 230-250