Showing papers in "Computer Law & Security Review in 2016"


Journal ArticleDOI

[...]

TL;DR: Now that the General Data Protection Regulation's final provisions are at hand it is possible to present differences with the first draft prepared by the Commission, to discuss the issues raised through its law-making passage over the past few years, and to attempt to assess the effectiveness of its final provisions in relation to their declared purposes.
Abstract: The five-year wait is finally over; a few days before expiration of 2015 the “trilogue” that had started a few months earlier between the Commission, the Council and the Parliament suddenly bore fruit and the EU data protection reform package has finally been concluded. As planned since the beginning of this effort a Regulation, the General Data Protection Regulation is going to replace the 1995 Directive and a Directive, the Police and Criminal Justice Data Protection Directive, the 2008 Data Protection Framework Decision. In this way a long process that started as early as in 2009, peaked in early 2012, and required another three years to pass through the Parliament's and the Council's scrutiny is finished. Whether this reform package and its end-result is cause to celebrate or to lament depends on the perspective, the interests and the expectations of the beholder. Four years ago we published an article in this journal under the title “The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals”. This paper essentially constitutes a continuation of that article: now that the General Data Protection Regulation's final provisions are at hand it is possible to present differences with the first draft prepared by the Commission, to discuss the issues raised through its law-making passage over the past few years, and to attempt to assess the effectiveness of its final provisions in relation to their declared purposes.

108 citations


Journal ArticleDOI

[...]

TL;DR: Findings indicate that the APPs do not adequately protect individual privacy of data collected through the IoT, and future privacy legislation must consider the implications of global reach of IoT services, and ubiquity and security of IoT data collection with respect to individual privacy.
Abstract: The Internet of Things (IoT) heralds a new era of computing whereby every imaginable object is equipped with, or connected to a smart device allowing data collection and communication through the Internet. The IoT challenges individual privacy in terms of the collection and use of individuals' personal data. This study assesses the extent to which the Australian Privacy Principles protect individual privacy associated with data collection through the IoT. A systematic literature review identified four key privacy themes that represent issues related to the collection of individuals' data through the IoT: unauthorised surveillance, uncontrolled data generation and use, inadequate authentication and information security risks. These four themes are used to critically analyse the Australian Privacy Principles' (APPs) protection of individual data. Findings indicate that (1) the APPs do not adequately protect individual privacy of data collected through the IoT, and (2) future privacy legislation must consider the implications of global reach of IoT services, and ubiquity and security of IoT data collection with respect to individual privacy.

99 citations


Journal ArticleDOI

[...]

TL;DR: This article examines the changing legal cybersecurity environment in the Internet of Things context and discusses selected applicable international regulations as well as alternative approaches to addressing the security issues arising in the Internet of Things.
Abstract: The explosion in the number of smart, connected, and inherently insecure devices is shifting the security paradigm. While the Internet of Things technological shift will require clear legal frameworks, alternative approaches also need to be developed. This article examines the changing legal cybersecurity environment in the Internet of Things context. It discusses selected applicable international regulations as well as alternative approaches to addressing the security issues arising in the Internet of Things.

72 citations


Journal ArticleDOI

[...]

TL;DR: This edition of this special series on robotics and law focuses on specific types of robotic systems (medical device robots and nanorobotics) and core legal and regulatory issues, including intellectual property, employment and cyber security.
Abstract: In the previous edition of this special series on robotics and law, we explored some of the legal, regulatory and ethical implications of robotic systems and applications. We continue on that theme in this edition, focusing on specific types of robotic systems (medical device robots and nanorobotics) and core legal and regulatory issues, including intellectual property, employment and cyber security. In exploring these areas, our objective remains to start a dialogue about how our existing legal frameworks might need to adapt and change to meet the demands of the robotics age. We then conclude this special series with our views on the future of robotics law and the development of legal practice in this area.

67 citations


Journal ArticleDOI

[...]

TL;DR: The author outlines the main elements that characterise the collective dimension of privacy and data protection, which protects groups of persons from the potential harms of discriminatory and invasive forms of data processing, and the representation of the underlying interests.
Abstract: In the big data era, new technologies and powerful analytics make it possible to collect and analyse large amounts of data in order to identify patterns in the behaviour of groups, communities and even entire countries. Existing case law and regulations are inadequate to address the potential risks and issues related to this change of paradigm in social investigation. This is due to the fact that both the right to privacy and the more recent right to data protection are protected as individual rights. The social dimension of these rights has been taken into account by courts and policymakers in various countries. Nevertheless, the rights holder has always been the data subject and the rights related to informational privacy have mainly been exercised by individuals. This atomistic approach shows its limits in the existing context of mass predictive analysis, where the larger scale of data processing and the deeper analysis of information make it necessary to consider another layer, which is different from individual rights. This new layer is represented by the collective dimension of data protection, which protects groups of persons from the potential harms of discriminatory and invasive forms of data processing. On the basis of the distinction between individual, group and collective dimensions of privacy and data protection, the author outlines the main elements that characterise the collective dimension of these rights and the representation of the underlying interests.

57 citations


Journal ArticleDOI

[...]

TL;DR: This article provides a brief philosophical introduction to artificial intelligence, categorizes artificial intelligence to shed light on what we have and know now and what we might expect from the prospective developments, and provides information on the attempts to regulate artificial intelligence from a legal perspective.
Abstract: Although scientists have calculated the significant positive welfare effects of Artificial Intelligence (AI), fear mongering continues to hinder AI development. If regulations in this sector stifle our active imagination, we risk wasting the true potential of AI's dynamic efficiencies. Not only would Schumpeter dislike us for spoiling creative destruction, but the AI thinkers of the future would also rightfully see our efforts as the ‘dark age’ of human advancement. This article provides a brief philosophical introduction to artificial intelligence; categorizes artificial intelligence to shed light on what we have and know now and what we might expect from the prospective developments; reflects thoughts of worldwide famous thinkers to broaden our horizons; provides information on the attempts to regulate artificial intelligence from a legal perspective; and discusses how the legal approach needs to be to ensure the balance between artificial intelligence development and human control over them, and to ensure friendly artificial intelligence.

53 citations


Journal ArticleDOI

[...]

TL;DR: Results of a survey of primarily, although not exclusively, European drone industry representatives, regulators and civil society organisations that examined privacy, data protection and ethics with respect to civil drone operations demonstrate that law enforcement, commercial and private drone operators are all thought to be associated with significant privacy, data protection and ethical risks, and that recreational operators are thought to carry the highest risks.
Abstract: This article presents results of a survey of primarily, although not exclusively, European drone industry representatives, regulators and civil society organisations that examined privacy, data protection and ethics with respect to civil drone operations. The article provides snapshot information about the diversity of the drone industry, including information about the types of companies, the types of drones being manufactured and operated, their payloads, capabilities and applications. Using self-reported information from industry representatives, it also demonstrates that these stakeholders do not have a clear understanding of European privacy and data protection law, which can impact their levels of liability and protections for individuals on the ground. With respect to regulators and civil society watchdogs, the results demonstrate that law enforcement, commercial and private (or recreational) drone operators are all thought to be associated with significant privacy, data protection and ethical risks, and that recreational operators are thought to carry the highest risks. However, perceptions of high-risk operators vary among different organisations, raising a potential for regulatory fragmentation. The article concludes with a consideration of the implications of these findings for the regulation of privacy, data protection and ethics for civil drone operations.

42 citations


Journal ArticleDOI

[...]

TL;DR: This contribution proposes to explore the nature of the relation between risks and rights within the assessment of a “risk to a right”, to identify gaps in the way DPIAs are currently operationalised and to determine whether the introduction of this methodology in its current form might itself pose a risk to the rights of privacy and data protection.
Abstract: The proposal for a new European Data Protection Regulation introduces the novel obligation of performing data protection assessments. Since these assessments will become a mandatory exercise for those in control of data processing systems, they will become an important apparatus for the governance of new and emerging information technologies. This tool, and in particular the notion of “risks to the rights and freedoms of data subjects” which is at its core, epitomises the shift from classical legal practice to more risk-based approaches. Merging risks and rights in the proposed fashion could change their meanings into something hardly predictable. This contribution proposes to explore the nature of the relation between both concepts within the assessment of a “risk to a right”. It will start by mapping out the various relations that exist between risks and rights in different practices. This should serve to identify gaps in the way DPIAs are currently operationalised and might well determine whether the introduction of this methodology in its current form might itself pose a risk to the rights of privacy and data protection. In turn however, it can provide opportunities for improvement and for lessons to be drawn from other practices and expertise that strike different relations between risks and rights, like the ones found in environmental governance and courts.

36 citations


Journal ArticleDOI

[...]

TL;DR: Draft consumer privacy legislation from the United States is examined to reveal its strengths and weaknesses in terms of addressing the significant privacy concerns that relate to Big Data's discovery of personal data and subsequent profiling by businesses.
Abstract: In Big Data, the application of sophisticated data analytics to very large datasets makes it possible to infer or derive (“to discover”) additional personal information about consumers that would otherwise not be known from examining the underlying data. The discovery and use of this type of personal information for consumer profiling raises significant information privacy concerns, challenging privacy regulators around the globe. This article finds appropriate privacy principles to protect consumers' privacy in this context. It draws insights from a comparative law study of information privacy laws in the United States and Australia. It examines draft consumer privacy legislation from the United States to reveal its strengths and weaknesses in terms of addressing the significant privacy concerns that relate to Big Data's discovery of personal data and subsequent profiling by businesses.

28 citations


Journal ArticleDOI

[...]

TL;DR: In this article, the authors argue that data protection law should apply to behavioural targeting and see data used to single out a person as personal data, which fits the rationale for data protection laws: protecting fairness and privacy.
Abstract: Information about millions of people is collected for behavioural targeting, a type of marketing that involves tracking people's online behaviour for targeted advertising. It is hotly debated whether data protection law applies to behavioural targeting. Many behavioural targeting companies say that, as long as they do not tie names to data they hold about individuals, they do not process any personal data, and that, therefore, data protection law does not apply to them. European Data Protection Authorities, however, take the view that a company processes personal data if it uses data to single out a person, even if it cannot tie a name to these data. This paper argues that data protection law should indeed apply to behavioural targeting. Companies can often tie a name to nameless data about individuals. Furthermore, behavioural targeting relies on collecting information about individuals, singling out individuals, and targeting ads to individuals. Many privacy risks remain, regardless of whether companies tie a name to the information they hold about a person. A name is merely one of the identifiers that can be tied to data about a person, and it is not even the most practical identifier for behavioural targeting. Seeing data used to single out a person as personal data fits the rationale for data protection law: protecting fairness and privacy.

28 citations


Journal ArticleDOI

[...]

TL;DR: This paper attempts to delve into the content of Court of Justice of the European Union decision C-131/12 and examine if it indeed involves the right to be forgotten, if such a right exists at all, and to what extent it can be stated and enforced.
Abstract: Recently, the Court of Justice of the European Union issued decision C-131/12, which was considered a major breakthrough in Internet data protection. The general public welcomed this decision as an actualization of the controversial “right to be forgotten”, which was introduced in the initial draft for a new regulation on data protection and repeatedly amended, due to objections by various Member States and major companies involved in massive processing of personal data. This paper attempts to delve into the content of that decision and examine if it indeed involves the right to be forgotten, if such a right exists at all, and to what extent it can be stated and enforced.

Journal ArticleDOI

[...]

TL;DR: The article concludes that the EU's approach to data and privacy protection online, even under current proposals, is fundamentally misguided and makes four recommendations about the future direction of EU law in this area.
Abstract: Since the original Data Protection Directive in 1995, EU law has attached particular importance to user consent. This emphasis on consent is retained – albeit in different forms – in the various positions adopted by the EU institutions on the draft General Data Protection Regulation in advance of their trilogue negotiations. This article identifies three distinct models of user consent in the EU jurisprudence in this area: presumed consent; informed consent; and active consent. The article suggests that the later models developed as a response to empirical concerns about treating consent as a reliable proxy for user privacy preferences online. On this analysis, the active consent model advocated by the Article 29 Working Party and favoured by the Parliament's draft Data Protection Regulation is assumed to address the empirical issues associated with the presumed and informed consent models. In fact, the psychology and behavioural science research shows that website users are subject to a variety of specific situational influences that intuitively impel the giving of consent. The article concludes that the EU's approach to data and privacy protection online, even under current proposals, is fundamentally misguided and makes four recommendations about the future direction of EU law in this area.

Journal ArticleDOI

[...]

TL;DR: It is proposed that countries apply existing regulatory arrangements and, where necessary, amend and extend them.
Abstract: Parliaments and regulators have been very slow to address the public safety and behavioural surveillance threats embodied in drones. On the basis of a pragmatic set of Principles for the design of a regulatory scheme, it is proposed that countries apply existing regulatory arrangements and, where necessary, amend and extend them.

Journal ArticleDOI

[...]

TL;DR: The purpose of this paper is to examine the legal issues associated with advergames from an EU perspective and, in particular, this advertising technique's capacity to manipulate emotions.
Abstract: Marketing techniques such as advergames have proven to be an extremely useful marketing tool for advertisers and in particular when targeted towards children. Such techniques allow for the development of a positive product or brand association through the delivery of fun interactive content. As a result, children are no longer merely passive receivers of commercial communications. Instead, they become actively involved in the advertising process. Advergames have a potentially manipulative aspect. Children are often unable to distinguish between the commercial message and the non-commercial content. This has negative consequences when one considers the potentially persuasive nature of marketing techniques such as advergames which can further heighten this confusion. Moreover, as modern business models are based on data, advertisers are increasingly interested in the personal information of their young customers. Increased computing capabilities mean that commercial entities are now able to profile individual consumer behaviour online and assess how it differs from rational decision-making and to leverage this for economic gain. Such profiles facilitate the targeting of personalised advertisements thereby tailoring marketing campaigns based on children's behaviour. The capacity to collect and process information in addition to the technical ability to personalise consumer services online potentially allows for the triggering of consumer frailty. This has particular importance when one considers the effects of positive emotions, caused by advergames. The purpose of this paper is to examine the legal issues associated with advergames from an EU perspective and, in particular, this advertising technique's capacity to manipulate emotions.

Journal ArticleDOI

[...]

TL;DR: The hack of a car in the summer of 2015, in which vital functions such as the engine and the brakes were taken over, raises the question whether automobile manufacturers are doing enough to counter cyber security threats and whether a regulatory intervention is necessary and, if so, how to fashion regulation.
Abstract: In the summer of 2015, two American hackers succeeded in hacking into a car and taking over vital functions such as the engine and the brakes. Although this had been done before, the new element of the hack was that it no longer required physical access to the car. The hack took place at a distance via the mobile telephone network. This is a worrying development. It raises the question whether automobile manufacturers are doing enough to counter cyber security threats and, if that is not the case, whether a regulatory intervention is necessary and, if so, how to fashion regulation.

Journal ArticleDOI

[...]

TL;DR: It is concluded that, while the reforms introduced in PSD II will improve the quality of payment services and enhance e-commerce within the European Union, some payment-related impediments to the perfection of the internal digital market remain.
Abstract: This article evaluates the implications of PSD II for payments in the digital market against a background of the European Commission's Digital Market Strategy. It analyses the core elements of PSD II relevant to payments in the digital market. These include the expansion of the scope of the directive; changes in the rights and obligations of the parties and the allocation of liability for unauthorised payment transactions; and, the introduction of security and authentication requirements in the online context. The article also highlights the more harmonised approach to enforcement and the close involvement of the European Banking Authority. The article also identifies gaps in the PSD II framework and speculates that these will ultimately have to be addressed if the Commission's Digital Market Strategy is to be achieved. Thus, it concludes that, while the reforms introduced in PSD II will improve the quality of payment services and enhance e-commerce within the European Union, some payment-related impediments to the perfection of the internal digital market remain.

Journal ArticleDOI

[...]

TL;DR: In this article, the authors examined how the proposed GDPR would change the standard for data security both in general terms and in specific ways that might have an impact on the use of multi-factor authentication.
Abstract: Ensuring the security of personal data, particularly in terms of access controls, is becoming progressively more challenging. The most widely deployed authentication method, a user name plus a password, increasingly appears to be unfit-for-purpose. A more robust technique for maintaining the security of personal data is multi-factor authentication whereby two or more different types of credential are required. This approach is gaining traction, and in the European Union, some national data protection authorities are already recommending the use of multi-factor authentication as a means of complying with the obligation in the EU Data Protection Directive to take “appropriate technical and organisational measures to protect personal data”. A proposal to replace that Directive with a General Data Protection Regulation is at an advanced stage in the EU legislative process with enhanced data security a central feature of the proposed reform. This article examines how the proposed Regulation would be likely to change the standard for data security both in general terms and in specific ways that might have an impact on the use of multi-factor authentication. Other sources of EU guidance are also considered, together with the position under the national laws and regulatory practices of six EU Member States.

Journal ArticleDOI

[...]

Alexander Savelyev
TL;DR: The paper concludes that data localization provisions may still have medium-term positive impact on privacy, since they force all stakeholders to revisit the basic concepts of existing personal data legislation.
Abstract: The paper represents one of the first comprehensive analyses of Russian personal data localization regulations, which became effective on September 1, 2015. This work describes in detail the main components of the data localization mechanism: triggers of its application, scope, exemptions and enforcement. It also takes into account the official and non-official interpretations of the law by Russian regulators, some of which were developed with the participation of the author. Special consideration is given to the jurisdictional aspects of the Russian data protection legislation and the criteria of its application to foreign data controllers. The author also reveals the rationale behind the adoption of data localization provisions and analyzes their possible impact on foreign companies operating in Russia and implementation of innovative IT-technologies (Cloud computing, Big Data and Internet of Things). The paper concludes that most of the potential benefits of data localization provisions, i.e. in the area of public law, law enforcement activities and taxation. Nevertheless, data localization provisions may still have medium-term positive impact on privacy, since they force all stakeholders to revisit the basic concepts of existing personal data legislation (the notion of personal data, data controller, processing, etc.), thus serving as a driver for re-shaping existing outdated data privacy regulations and crafting something more suitable for the modern IT-environment.

Journal ArticleDOI

[...]

TL;DR: Three ways in which technological developments can contribute to combatting human trafficking are explored (location tracking, data collection and drones), highlighting the respective privacy and data protection concerns and attempting to offer ways forward.
Abstract: Over the past decade, policy makers, academics and activists have looked into solutions within the realm of technology as a means of stepping up the fight against human trafficking while ensuring a high level of protection of the victims. Even though different types of technology might be effective in the context of crime prevention, investigation or prosecution (whether national or transnational) and victim protection, such processes inevitably raise significant concerns particularly in relation to privacy and data protection. This article aims to offer an introduction to these challenges in order to trigger a much-needed dialogue in this regard. After outlining key terms and main provisions concerning privacy and data protection, the present article then explores three ways in which technological developments can contribute to combatting human trafficking – location tracking, data collection and drones –, through these it highlights the respective privacy and data protection concerns and attempts to offer ways forward.

Journal ArticleDOI

[...]

TL;DR: An overview is given of the existing European legal framework that applies to the publication and consumption of linked data resources in typical settings, considering the point of view of both data publishers and data consumers.
Abstract: This paper portrays a general overview of the existing European legal framework that applies to the publication and consumption of linked data resources in typical settings. The point of view of both data publishers and data consumers is considered, identifying their rights and obligations, with special attention to those derived from the copyright and data protection laws. The goal of this analysis is to identify the practices that help to make the publication and consumption of linked data resources legally compliant processes. An insight on broader regulations, best practices and common situations is given.

Journal ArticleDOI

[...]

TL;DR: The article presents the authors' position on the legal regulation and assessment of dashcam use: dashcam use and/or publication of dashcam recordings should not be forbidden in the EU.
Abstract: This study aims to analyse and compare the legal regulations of selected countries related to the use of dashboard cameras (dashcams) in vehicles and to publish the corresponding recordings of dashboard cameras in the context of privacy protection. Researchers used empirical analysis of legal documents and case law, as well as the analysis of the decisions and opinions of the institutions in charge of data protection in selected countries to identify the legal regulation of dashcam use. The study selected countries in Europe that first banned the use of dashcams, or that have enacted specific prohibitions or court decisions, as well as those that do not prohibit their use and where the dashcams are in widespread use. The article presents the authors' position on the legal regulation and assessment of dashcam use, i.e. that, according to the authors, dashcam use and/or publication of their recordings should not be forbidden in the EU. The results of this research may be applied to the regulation of corresponding relations as well as for assessment of situations connected with the use of dashcams and/or publication of recordings made with dashcams and related violations of the right to privacy and when interpreting various situations on the use of dashcams and/or publications of their recordings.

Journal ArticleDOI

[...]

TL;DR: In this paper, the authors examined how nine Australian information security practitioners understood and constructed their role as delegated regulators of organisational information security processes; participants expressed a number of concerns that reveal a very different world to that traditionally portrayed as the discipline and practice of information security.
Abstract: Information security is not directly regulated in Australia and is instead subject to a patchwork of different legal and regulatory frameworks. How Australian information security practitioners construct and action information security therefore becomes important to the overall operation of a fragmented regulatory framework. How then do Australian information security practitioners understand information security and make compliance-oriented decisions? Our exploratory interview research examined how nine Australian information security practitioners understood and constructed their role as delegated regulators of organisational information security processes. Participants expressed a number of concerns that reveal a very different world to that traditionally portrayed as the discipline and practice of information security. We examine these concerns and discuss what they mean in the context of the Australian environment.

Journal ArticleDOI

[...]

TL;DR: The human rights connotations of the anonymity provided by Tor are explored, coming to the conclusion that this anonymity is an integral part of certain human rights, particularly the right to privacy and the right to freedom of expression.
Abstract: Tor is one of the most popular technical means of anonymising one's identity and location online. While it has been around for more than a decade, it is only in recent years that Tor has begun appearing in mainstream media and openly catching the attention of governments and private citizens alike. The conflicting interests related to the use and abuse of Tor also raise a number of legal issues that are yet to be analysed in depth in academic literature. This article focuses on a number of relevant legal issues pertaining to Tor and reflects our initial legal comments, while noting that all of the identified legal questions merit further research. After introducing the technical side of Tor and the attitudes of governments towards it, we (1) explore the human rights connotations of the anonymity provided by Tor, coming to the conclusion that this anonymity is an integral part of certain human rights, particularly the right to privacy and the right to freedom of expression. Government activities with respect to Tor should thus not be unlimited. In relation to this, we (2) provide a closer look at the problem of content liability of the Tor exit node operators. Finally, we (3) point out several legal problems in conducting criminal investigations with the need to obtain the evidence from the Tor network. We conduct this legal analysis in the context of international and European law, paying particular attention to the case law of the European Court of Human Rights and the Court of Justice of the European Union.

Journal ArticleDOI

[...]

TL;DR: It is proposed that the regulatory control of OBA in Australia is in disarray, and weaknesses such as consumer ignorance of online privacy management and OBA practices are exposed in calling for consumer and privacy regulators to take more meaningful action to better protect consumers' interests online.
Abstract: Online behavioural advertising (OBA) comes to consumers at a price. Often unknowingly, people deliver up commercially-valuable personal information as a condition of online user experience, functionality and access. Websites are increasingly tracking user behaviours for commercial purposes and social media derives its income largely from data collection and advertising targeted to the personal disclosures and behavioural attributes which are its data-production mainstay. In this context, consumers face a plethora of information collection practices, all designed to generate data analytics including inferential and predictive profiling to create a ‘digital identity’ for OBA purposes. In this subterranean exchange, consumers are economically redefined as data subjects and advertising targets; a reframing which is perhaps why the OBA industry faces a crisis in consumer concern, both as to privacy and trust. This paper proposes that the regulatory control of OBA in Australia is in disarray. Consumer ignorance of online privacy management and OBA practices is demonstrable. Industry transparency, disclosure, consent processes and compliance practices are questionable. Regulator interest is minimal, industry self-regulation is weak and consumer technical ability and personal responsibility is a last fragile line of defence. Data breaches are ubiquitous in a crowded and poorly-audited supply chain, and entail significant adverse consumer consequences. Yet despite these serious concerns, Australian regulators are failing to respond to OBA issues, either through mandating greater industry disclosure or through regulatory action. The author seeks to expose these weaknesses in calling for consumer and privacy regulators to take more meaningful action to better protect consumers' interests online.

Journal ArticleDOI

[...]

TL;DR: The focus of the article is upon the impact of the data protection reform process on the way that these independent bodies, located in EU Member States will increasingly have to cooperate at an EU-level.
Abstract: This article presents the findings of interviews with representatives from the majority of EU data protection authorities in the context of the ongoing data protection reform process. It not only identifies commonalities between the authorities to the extent it is possible to speak about an EU DPA perspective, but also identifies areas of tension and disagreement as well as future intentions. The focus of the article is upon the impact of the data protection reform process on the way that these independent bodies, located in EU Member States will increasingly have to cooperate at an EU-level. Capturing these perspectives at this moment in the reform process provides not only insight into the process from a group of concerned stakeholders, but also insight into how these stakeholders are (re-)positioning themselves, planning, and anticipating the impacts of the reform.

Journal ArticleDOI

[...]

TL;DR: The provisions and added value of the standard are discussed in the context of the European data protection legislation, and the uptake of the standard one year after its publication is looked at.
Abstract: In July 2014 ISO and IEC published a standard relating to public cloud computing and data protection. The standard aims to address the down-sides of cloud computing and the concerns of the cloud clients, mainly the lack of trust and transparency, by developing controls and recommendations for cloud service providers acting as PII processors. At the same time, the standard aims to assist providers to demonstrate transparency and accountability in the handling of data and information in the cloud. This paper looks briefly at the data protection and security challenges of cloud computing. It discusses the provisions and added value of the standard in the context of the European data protection legislation and also looks at the uptake of the standard one year after its publication.

Journal ArticleDOI

[...]

TL;DR: The results of the research show that the critical infrastructure operators of Turkey, including privately held operators, are mainly in favor of regulations.
Abstract: Critical infrastructures are vital assets for public safety, economic welfare and/or national security of countries. Today, cyber systems are extensively used to control and monitor critical infrastructures. A considerable amount of the infrastructures are connected to the Internet over corporate networks. Therefore, cyber security is an important item for the national security agendas of several countries. The enforcement of security principles on the critical infrastructure operators through the regulations is a still-debated topic. There are several academic and governmental studies that analyze the possible regulatory approaches for the security of the critical infrastructures. Although most of them favor the market-oriented approaches, some argue the necessity of government interventions. This paper presents a three-phased research to identify the suitable regulatory approach for the critical infrastructures of Turkey. First of all, the data of the critical infrastructures of Turkey are qualitatively analyzed, by using grounded theory method, to extract the vulnerabilities associated with the critical infrastructures. Secondly, a Delphi survey is conducted with six experts to extract the required regulations to mitigate the vulnerabilities. Finally, a focus group interview is conducted with the employees of the critical infrastructures to specify the suitable regulatory approaches for the critical infrastructures of Turkey. The results of the research show that the critical infrastructure operators of Turkey, including privately held operators, are mainly in favor of regulations.

Journal ArticleDOI

[...]

TL;DR: In this paper, the author considers the respective rights and duties of government and citizens that could be included in a digital citizenship charter, and the likely legal implications, and argues that recognition and protection of the right to identity is an essential component of a model of accountable and responsible digital citizenship.
Abstract: Australia has formally recognized the importance of digital identity and has raised the issue of reciprocal rights and duties between the government and its citizens. Australia is the first country to articulate digital citizenship in these terms. This paper considers the respective rights and duties of government and citizens that could be included in a digital citizenship charter, and the likely legal implications. The paper explores these aspects in relation to digital identity because of its increasing commercial and legal importance. The author argues that considering the consequences for individuals, the right to identity, as an international fundamental human right, should now be recognized and protected in relation to digital identity. The argument is presented that recognition and protection of this right is an essential component of a model of accountable and responsible digital citizenship. While the paper uses the Australian concept of digital citizenship as the basis for the discussion, the issues are relevant to all jurisdictions implementing e-government initiatives that require an individual to use digital identity for transactions.

Journal ArticleDOI

[...]

Eric Lachaud
TL;DR: The final version of Articles 42 and 43 dedicated to the certification procedures in the General Data Protection Regulation is analyzed and it is argued that the purposes assigned to the certification in the GDPR meet the needs of the different contributors to the preliminary discussions to the reform.
Abstract: This paper analyses the final version of Articles 42 and 43 dedicated to the certification procedures in the General Data Protection Regulation (hereinafter GDPR). It questions the introduction of this procedure in the data protection regulation framework and argues that the purposes assigned to the certification in the GDPR meet the needs of the different contributors to the preliminary discussions to the reform. It also argues that the processes defined in Articles 42 and 43 to issue the certification diverge from the commonly accepted practices in this activity and the processes suggested in the new regulation impede its chance to be successfully implemented.

Journal ArticleDOI

[...]

TL;DR: The purpose of this analysis is to examine the suitability of online dispute resolution as an additional means to the existing mechanisms for data protection enforcement, and the challenges associated with the application of ODR schemes to the enforcement of online data protection disputes.
Abstract: In this article online dispute resolution (ODR) and alternative dispute resolution (ADR) are assessed in relation to the protection of personal data. ODR and ADR schemes are mechanisms to settle low-cost e-commerce disputes out-of-court. The purpose of this analysis is to examine the suitability of online dispute resolution as an additional means to the existing mechanisms for data protection enforcement. In this discussion particular attention is given to services offered to users as ‘free’, but which instead process personal data as a condition on access (e.g. social networking sites). The second section examines data protection in the digital age, highlighting the key principles of data protection and the challenges associated with the existing enforcement mechanisms. The third section questions the suitability of online dispute resolution as a solution for data protection enforcement in the European Union. In order to avail of the EU regulated ODR mechanism to resolve data protection issues, data protection disputes must fall under the scope of the Alternative Dispute Resolution Directive and the Online Dispute Resolution Regulation. Following an analysis of the applicability of the framework in this context, the final part of this article focuses on the challenges associated with the application of ODR schemes to the enforcement of online data protection disputes.