
Showing papers in "International Review of Law, Computers & Technology in 2014"


Journal Article
TL;DR: In this paper, the authors discuss what the proposed legal obligation for "privacy by design" implies in practice for online businesses, consider an extreme interpretation (embedding data protection requirements in system software), and identify five complicating issues.
Abstract: ‘Privacy by design’ is an increasingly popular paradigm. It is the principle or concept that privacy should be promoted as a default setting of every new ICT system and should be built into systems from the design stage. The draft General Data Protection Regulation embraces ‘privacy by design’ without detailing how it can or should be applied. This paper discusses what the proposed legal obligation for ‘privacy by design’ implies in practice for online businesses. In particular, does it entail hard-coding privacy requirements in system design? First, the ‘privacy by design’ provision in the proposed Regulation is analysed and interpreted. Next, we discuss an extreme interpretation – embedding data protection requirements in system software – and identify five complicating issues. On the basis of these complications, we conclude that ‘privacy by design’ should not be interpreted as trying to achieve rule compliance by techno-regulation. Instead, fostering the right mindset of those responsible for developi...

82 citations


Journal Article
TL;DR: Additional privacy principles that would apply to other types of privacy and would enhance the consideration of risks or harms to the individual, to groups and to society as a whole if they are violated are identified.
Abstract: The protection of privacy is predicated on the individual's right to privacy and stipulates a number of principles that are primarily focused on information privacy or data protection and, as such, are insufficient to apply to other types of privacy and to the protection of other entities beyond the individual. This article identifies additional privacy principles that would apply to other types of privacy and would enhance the consideration of risks or harms to the individual, to groups and to society as a whole if they are violated. They also relate to the way privacy impact assessment (PIA) may be conducted. There are important reasons for generating consideration of and debate about these principles. First, they help to recalibrate a focus in Europe on data protection to the relative neglect of other types of privacy. Second, it is of critical importance at a time when PIA (renamed ‘data protection impact assessment’, or DPIA) may become mandatory under the European Commission's proposed Data Protecti...

49 citations


Journal Article
TL;DR: The role that privacy notices play under the European data protection framework today is discussed, the main critiques regarding the use of privacy notices in practice are summarized, and a number of recommendations are developed.
Abstract: Privacy notices are instruments that intend to inform individuals of the processing of their personal data, their rights as data subjects, as well as any other information required by data protection or privacy laws. The goal of this paper is to clarify the current discourse regarding the (in)utility of privacy notices, particularly in the context of online transactions. The perspective is a European one, meaning that the analysis shall be geared towards the European Data protection framework, particularly the European Data Protection Directive. The paper discusses the role that privacy notices play under the European data protection framework today, summarizes the main critiques regarding the use of privacy notices in practice and develops a number of recommendations.

24 citations


Journal Article
TL;DR: In this article, the role of consent is discussed in the framework of fundamental rights and in the context of mobile health technologies (mHealth), such as smart phones, mobile phones or tablet/palm-held computing devices to provide healthcare.
Abstract: In this article, the role of consent is discussed in the framework of fundamental rights and in the context of mobile health technologies (mHealth), such as smart phones, mobile phones or tablet/palm-held computing devices to provide healthcare. The authors surmise how, in practice, although there will be more emphasis on informed consent formally, there will be less space for genuine individual consent. This betrays a focus more on the letter of consent rules in data protection than their spirit. This risks reducing consent to a tick box operation in a manner analogous to consumer transactions, something manifestly unsuitable for consent, even if only in informational terms, during medical procedures.

19 citations


Journal Article
TL;DR: The analysis of legal framework showed that the Federal Constitution, the Penal Code, the new Data Protection Act and the Computer Crime Act could be used to address various privacy and security concerns.
Abstract: The purpose of the study was to review privacy and security concerns and their impact on e-government adoption in Dubai. The research analyzed the literature on e-government, security and privacy concerns of e-government adoption and the legislative provision relating to privacy and security protection. A survey on e-government user concerns on privacy, security and ease of use was also carried out. The data for the survey in this research were collected from 190 respondents in Dubai. The results of the analysis revealed that perceived security, privacy and perceived ease of use were important constructs in e-government adoption. The analysis of legal framework showed that the Federal Constitution, the Penal Code, the new Data Protection Act and the Computer Crime Act could be used to address various privacy and security concerns. Thus, it is important that the policy makers facilitate an appropriate awareness campaign of the existence of both information privacy and security to attract more participation...

19 citations


Journal Article
Ian Brown
TL;DR: In this article, the authors assess the effectiveness of the privacy-by-design approach in the British smart metering system, using documentary analysis, participant observation, and follow-up interviews with a range of stakeholders.
Abstract: Following requirements in the 1996 EU Energy Efficiency Directive, member states are developing programmes to encourage the installation of ‘smart’ power meters that record much larger quantities of data about power usage than traditional meters. These data can reveal a great deal of information about individual household activity, leading privacy regulators to call for privacy to be ‘designed in’ to these systems. The British smart metering programme has given some attention to this privacy by design process. This article assesses its effectiveness in this case, using documentary analysis, participant observation, and follow-up interviews with a range of stakeholders. It finds that decisions made early in the British programme had negative privacy impacts that have only been partially remedied by the later development of detailed rules on the processing of smart meter data by energy suppliers and distributors. The article also considers broader lessons for the privacy by design approach.

17 citations


Journal Article
TL;DR: In two recent judgements, the Court of Justice of the European Union stated that the right to the protection of personal data is not, however, an absolute right, but must be considered in relation to its function in society as mentioned in this paper.
Abstract: In two recent judgements, the Court of Justice of the European Union stated that ‘The right to the protection of personal data is not, however, an absolute right, but must be considered in relation to its function in society’ (Eifert, para 48). This paper considers the ‘non-absolute’ nature of the right to data protection. Being a relatively new right, the boundaries of this right in the Charter are still somewhat unexplored. This paper considers five aspects that can be seen as setting boundaries to the otherwise absolute nature of the right to data protection: (a) consideration of the function of the right to data protection in society; (b) positive delimitations of the right that come from the formulation of the right (Article 8) in the Charter; (c) limitations on the right provided for in Article 52 of the Charter; (d) close connections with Article 7 of the Charter and Article 8 ECHR; and (e) the detailed provisions in current data protection secondary legislation and the future data protection regul...

14 citations


Journal Article
TL;DR: The analogies between offline protests and DDoS attacks are examined, legal responses in both cases are discussed, and the scope for free speech protection is explored.
Abstract: On 7th January 2013 the Anonymous hacking collective launched a White House petition asking the Obama administration to recognize DDoS attacks as a valid form of protest, similar to the Occupy protests. The ‘Occupy’ movement against financial inequality has become an international protest phenomenon stirring up the debate on the legal responses to acts of civil disobedience. At the same time, online attacks in the form of DDoS are considered by many as the digital counterparts of protesting. While the law generally acknowledges a certain level of protection for protesting as a manifestation of the rights to free speech and free assembly, it is still unclear whether DDoS attacks could qualify as free speech. This paper examines the analogies between offline protests and DDoS attacks, discusses legal responses in both cases and seeks to explore the scope for free speech protection.

11 citations


Journal Article
TL;DR: The author obtained the zip code, gender, date of birth distribution data from the Hungarian population registry and computed re-identification risks in several simulated cases and gives an insight into the legal environment of Hungarian personal medical data protection legislation.
Abstract: Anonymization is viewed as an instrument by which personal data can be rendered so that it can be processed further without harming data subjects' private lives, for purposes that are beneficial to the public good. The anonymization is fair if the possibility of re-identification can be practically excluded. The data processor does all that he or she can to ensure this. For a fair anonymization, simply removing the primary personal identification data, such as the name, resident address, phone number and email address, is not enough, as many papers have warned. Therefore, new guidance documents, and even legal rulings such as the HIPAA Privacy Rule on de-identification, may improve the security of anonymization. Researchers are continuously testing the efficiency of the methods and simulating re-identification attacks. Since the US and Canada do not have a population registry, re-identification experiments were carried out with the help of other publicly available databases, such as census data or the vot...

9 citations


Journal Article
TL;DR: In this article, the authors examined whether moral rights are expressly mentioned in the licences and if so, what their treatment is, and whether some existing clauses in the licence contradict with the moral rights of authors.
Abstract: Since 2002, Creative Commons has been continuously evolving in order to create a licensing scheme that not only fulfils the needs of the author but also stays compatible with already existing national copyright laws. The extent of the respect of moral rights provisions has always been highlighted during the licences' evolution. This Article first examines whether moral rights are expressly mentioned in the licences and if so, what their treatment is. Each element of the moral rights in the French system will be considered in order to verify their compatibility with the Creative Commons licences. In this context, it will be also asserted whether some existing clauses in the licence contradict with the moral rights of authors. The Article will conclude that although a more flexible interpretation of moral rights provisions is needed when dealing with open content licences, it is essential that Creative Commons addresses the aspects of the licences that are identified as problematic in relation to moral rights. Finally, it will be demonstrated that regardless of the legal status of the licences, the authors' responsibility towards their rights is what will ultimately be the safeguard of their creations' path.

9 citations


Journal Article
TL;DR: This article posits the theory that the inherent characteristics of technology will become inherent within the digitisation of law: as law becomes an increasingly digital entity, it will become more concerned with perfect reproduction of law upon the person, and so more encompassing in its scope.
Abstract: Advances in technology will challenge and change the current manner in which legal regulation occurs. It has always been possible to describe governance and law as a form of technology in itself, but the growth of digital technologies provides a new means by which to regulate the population. This article posits the theory that the inherent characteristics of technology will become inherent within the digitisation of law. As law becomes an increasingly digital entity, it will become more concerned with perfect reproduction of law upon the person, and so more encompassing in its scope. In addition, the increasing use of digital technologies in augmented reality, in 3D and 4D printing both in solid and biological matter, poses a fundamental change in the regulatory relationship between the State and the individual – a challenge the State will need to address.

Journal Article
TL;DR: In this article, the authors argue that games are inherently legal spaces, infused with legal-ness in a variety of ways; that more direct engagement from the legal community would be of tremendous value in making these systems, and the entertainment spaces which they regulate, better; and that we have a great deal to learn about law and about the regulation of the online space from games.
Abstract: Massively multiplayer online games (MMOGs) are now a major international phenomenon. Millions of people can play together online, readily navigating boundaries between nations, languages and legal jurisdictions. The communities around some of these games are huge, of a size equivalent to a large city or small nation. This article explores three themes, labelled for conceptual purposes ‘games as legal spaces’, ‘games need lawyers’, and ‘lawyers need games’. It argues that games are inherently legal spaces, infused with legal-ness in a variety of ways; that more direct engagement from the legal community would be of tremendous value in making these systems, and the entertainment spaces which they regulate, ‘better’; and that we have a great deal to learn about law and about the regulation of the online space from games. The article concludes with the proposition that there is an opportunity for impactful knowledge exchange between legal scholars, MMOG developers and publishers, and the gaming community.

Journal Article
TL;DR: This article analyses the proposed changes to the purpose limitation principles contained in the draft Data Protection Regulation adopted by the European Commission in January 2012, and considers the risks and long-term consequences that EU citizens may face if the principle is eroded or substantially abandoned.
Abstract: This article analyses the proposed changes to the purpose limitation principles contained in the draft Data Protection Regulation adopted by the European Commission in January 2012. It examines the historical motives for the introduction of the principle as part of the 1995 Data Protection Directive, and looks at the constitutional framework under which it operates both at EU and member state level. It considers the risks and long-term consequences that EU citizens may face if the principle is eroded or substantially abandoned.

Journal Article
TL;DR: This paper presents the main propositions of changes brought by the modernisation work on the Convention 108 and its additional Protocol, a revised version of which was adopted by the Committee of the Convention 108 (T-PD Committee).
Abstract: Thirty years after the Convention 108 for the protection of individuals as regards the automatic processing of personal data was adopted, the Council of Europe launched a process of modernising this text in order to adapt it to the substantive technological revolutions that have occurred since its birth in 1981. After two years of work, the Committee of the Convention 108 (T-PD Committee) has adopted the proposal of a revised version of both the Convention 108 and its additional Protocol. This paper presents the main propositions of changes brought by the modernisation work. Major changes have been brought to certain definitions and to the scope of the Convention as well as to the basic principles and to the special regime for sensitive data. Important new rights have been added to the list of guarantees offered to data subjects. New duties appear now in the text. And the transborder data flow regime has been entirely rewritten.

Journal Article
TL;DR: This paper considers the applicable provisions of the EU Data Protection Directive, and outlines a general approach to patient data handling for research, which it is believed to be compatible with relevant legal and ethical requirements.
Abstract: One area where the application of data protection law has proven complex is in relation to the secondary usage of health data in EHRs for medical research. Here the tension between the privacy interests of patients and the risk of harm if such sensitive data are compromised, and on the other side, the potential societal value of utilizing the data for the benefit of medical science, is especially striking. In this paper, we consider the applicable provisions of the EU Data Protection Directive, and outline a general approach to patient data handling for research, which we believe to be compatible with relevant legal and ethical requirements. We then illustrate and apply this by reference to a specific EU FP7 project, involving EHR data processing to select patients for clinical pharmaceutical trials. After introducing the project (PONTE), we explain the ‘devolved’ data protection architecture it employs and provide a legal evaluation.


Journal Article
TL;DR: In this paper, the compatibility of the Digital Economy Act 2010 (DEA) subscriber appeal process provisions (Section 13 of the DEA) with Article 6 of the European Convention on Human Rights (ECHR) was examined through case-law research.
Abstract: Through case-law research, this paper critically assesses the compatibility of the Digital Economy Act 2010 (DEA) subscriber appeal process provisions (Section 13 of the DEA) with Article 6 of the European Convention on Human Rights (ECHR). Drawing on the European Court of Human Rights (ECtHR) case-law, Ofcom's Initial Obligations Code (the Code), and the DEA judicial review decision, namely, BT PLC and Talk Talk PLC v Secretary of State for Business Innovation and Skills and others, this paper focuses on the three Strasbourg Court principles of equality of arms, admissibility of evidence, and presumption of innocence, in an effort to determine whether Section 13 of the DEA infringes them, and whether this constitutes a breach of a subscriber's right to a fair trial under Article 6 of the ECHR. The paper examines these three ECtHR principles. It contrasts such principles with the Code's provisions, and considers the compatibility of Section 13 of the DEA with Article 6 of the ECHR. It concludes that the D...

Journal Article
TL;DR: In this paper, the influence of elite law firms in EU data protection rule-setting has been investigated and it has been shown that law firms operate in the area of data protection that is of extreme complexity and requires expert knowledge, and display characteristics similar to other actors who succeeded in influencing agenda-setting and the results of policy-making.
Abstract: Drawing on theories of European integration and governance and sociological studies on the influence of elite law firms on rule-setting, this paper shows that law firms (a) operate in the area of data protection that is of extreme complexity and requires expert knowledge; and (b) display characteristics similar to other actors who succeeded in influencing agenda-setting and the results of policy-making despite having no formal competence to do so. This article proposes a hypothesis of the influence of elite law firms in EU data protection rule-setting. It argues that the EU data protection sector is prone to such influence as it is by definition transnational and, at some technical and some core points, inadequate to reflect the real data processing practices and therefore is entrenched with uncertainty. Therefore, the research into politics of data protection in Europe cannot disregard the role of these actors in shaping the European data protection regime.

Journal Article
TL;DR: In this paper, the authors focus on who is being sued in respect of what sort of defect, and to be clear as to the basis on which liability is being imposed, rather than getting lost in metaphysical questions as to whether or not software is goods.
Abstract: One of the ongoing conundrums in the field of IT law is the nature of software. Pragmatic solutions have been adopted, and lawyers and developers alike have become comfortable that contracts and licences can be drafted and concluded in relative certainty despite the fundamental conceptual problem. As Atiyah's Sale of Goods puts it: … the key to the conundrum is not to get lost in metaphysical questions as to whether or not software is goods, but to focus on who is being sued in respect of what sort of defect, and to be clear as to the basis on which liability is being imposed. (Atiyah 2010, 78–79) However, the decisions in UsedSoft (C-128/11 [2012] All E.R. (EC) 1220) have illustrated that these pragmatic solutions are just that, contingent arrangements that can be shaped, and changed, and re-interpreted to fit new legal and economic realities. Repeated legislation in this area has caused the Court of Justice of the European Union (CJEU) to reshape and remould its ideas about what software is at various d...