Legal identity for all

This paper examines Sustainable Development Goal 16.9 on legal identity for all. It considers notions of legal identity in international law and looks at legal frameworks for legal identity in Commonwealth member countries, including in respect of birth registration, national identity registers and cards, legal identity requirements for transactions and services, and new forms of digital identity. The paper examines specific legal issues relevant to identity, including privacy and data protection, identity theft and property rights. It concludes by reviewing the latest developments in concepts of identity, and applicable emerging technologies. It makes recommendations in respect of legal and policy reform that Commonwealth member countries may undertake with a view to meeting SDG Target 16.9.     

Disclosure,Exposure and the ʻRight to be Forgottenʼ after Google Spain: Interrogating Google Search's webmaster,end user and Lumen notification practices

This article argues that Google's essentially blanket and unsafeguarded dissemination to webmasters of URLs delisted under the Google Spain judgment disclosures claimants’ personal data, cannot be justified either on the purported basis of their consent or a legal requirement but instead seriously infringes European data protection standards. Such disclosure would only be compatible with the initially contextually sensitive context of collection where it was (i) reasonably necessary and explicitly limited to the purposes of checking the legality of the initial decision and/or bona fide research and (ii) prevented unauthorised repurposing or other misuse through robust safeguards. Strict necessity thresholds would need to apply where disclosure involved special categories of data or was subject to reasoned objection by a data subject and international transfers would require further controls, ideally as provided by the European Commission's standard contractual clauses. Disclosing identifiable data on removals to end users would directly and fundamentally undermine a data subject's rights and, therefore, ipso facto violate purpose limitation and legality, irrespective of whether rights are claimed in data protection, defamation or civil privacy. The public's legitimate interests in receiving information on personal data removals are best secured through safeguarded scientific research, which search engines should facilitate.     

Data registers in respiratory medicine: a pilot project evaluating compliance with privacy laws and the National Statement on Ethical Conduct in Research Involving Humans

This article reports on data from a small pilot survey evaluating the compliance of voluntary databases in respiratory medicine with privacy laws and the National Health and Medical Research Council's National Statement on Ethical Conduct in Research Involving Humans. The increasing complexity of privacy law, including the recent private sector amendments, creates many challenges for database administrators. The impact of privacy laws upon voluntary or non-statutory databases, and upon doctors reporting patient data to such databases, is far from straightforward. The article suggests way in which the law might be adapted in order to better facilitate the role of voluntary data registers in health research and public health surveillance, while still protecting the privacy of patient information. The article also briefly considers how database administrators might "future-proof" their existing data holdings to ensure compliance with legal and ethical standards.     

网络平台的公共性及其实现——以电商平台的法律规制为视角

网络平台是组织生产力的新型主体,在数字经济时代承担着维护网络市场秩序、保障用户权益的公共职能。网络平台对其用户,特别是对平台内经营者,具有强大的支配力和影响力,此种平台权力属于典型的私权力。网络平台行使私权力有助于减少平台内经营行为的负外部性,弥补政府规制能力的不足,但其私权力也容易遭到滥用。除了要借助市场竞争机制和传统私法规范约束平台私权力,还有必要引入公法原理及其价值要求,对平台私权力进行适度干预。网络平台制定和实施规则时,应遵循基本的程序正义和实体正义标准。法院应对平台滥用私权力的行为进行必要的司法审查。立法者应根据权责利相统一的原则,科学合理地设置平台责任。     

Protecting the privacy and security of sensitive customer data in the cloud

The global ubiquity of cloud computing may expose consumers' sensitive personal data to significant privacy and security threats. A critical challenge for the cloud computing industry is to earn consumers' trust by ensuring adequate privacy and security for sensitive consumer data. Regulating consumer privacy and security also challenges government enforcement of data protection laws that were designed with national borders in mind. From an information privacy perspective, this article analyses how well the regulatory frameworks in place in Europe and the United States help protect the privacy and security of sensitive consumer data in the cloud. It makes suggestions for regulatory reform to protect sensitive information in cloud computing environments and to remove regulatory constraints that limit the growth of this vibrant new industry.     

Location privacy: The challenges of mobile service devices

Adding to the current debate, this article focuses on the personal data and privacy challenges posed by private industry's use of smart mobile devices that provide location-based services to users and consumers. Directly relevant to personal data protection are valid concerns about the collection, retention, use and accessibility of this kind of personal data, in relation to which a key issue is whether valid consent is ever obtained from users. While it is indisputable that geo-location technologies serve important functions, their potential use for surveillance and invasion of privacy should not be overlooked. Thus, in this study we address the question of how a legal regime can ensure the proper functionality of geo-location technologies while preventing their misuse. In doing so, we examine whether information gathered from geo-location technologies is a form of personal data, how it is related to privacy and whether current legal protection mechanisms are adequate. We argue that geo-location data are indeed a type of personal data. Not only is this kind of data related to an identified or identifiable person, it can reveal also core biographical personal data. What is needed is the strengthening of the existing law that protects personal data (including location data), and a flexible legal response that can incorporate the ever-evolving and unknown advances in technology.     

Developing regulatory standards for the concept of security in online dispute resolution systems

Online dispute resolution (ODR) has improved access to justice in the digital world. ODR users benefit from faster and cheaper dispute resolution mechanisms compared to traditional litigation and Alternative Dispute Resolution. There are few and quite varied regulatory systems for ODR.This research aims to develop a set of standards to measure the concept of security and to increase the consistency of security in ODR systems. An exploratory mixed method approach is used, involving a quantitative (survey) and mainly qualitative approach (face-to-face interviews) for gathering data. We identify three elements of information security, privacy, and authentication as standards for an appropriate ODR legal framework. Finally, these findings led to practical implications for policy makers and regulators.     

“大数据杀熟”行为政府治理路径探讨

“大数据杀熟”行为严重损害了消费者权益。相对于传统商业“杀熟”行为,“大数据杀熟”行为更隐蔽,消费者维权更艰难。这种利用算法应用技术损害消费者权益的行为严重违背商业伦理,不仅关乎消费者个人权益,更会影响公共利益,仅凭市场调节难以纠正,需要通过法律进行救济。政府应在遵循辅助性原则的前提下,通过算法应用技术备案、建立“政府-社会”合作规制等制度,用新制度规制新技术,更好地发挥政府在治理“大数据杀熟”行为过程中的作用,保护消费者权益和社会公共利益。     

Taking fundamental rights seriously in the Digital Services Act's platform liability regime

This article highlights how the EU fundamental rights framework should inform the liability regime of platforms foreseen in secondary EU law, in particular with regard to the reform of the E-commerce directive by the Digital Services Act. In order to identify all possible tensions between the liability regime of platforms on the one hand, and fundamental rights on the other hand, and in order to contribute to a well-balanced and proportionate European legal instrument, this article addresses these potential conflicts from the standpoint of users (those who share content and those who access it), platforms, regulators and other stakeholders involved. Section 2 delves into the intricate landscape of online intermediary liability, interrogating how the E-Commerce Directive and the emerging Digital Services Act grapple with the delicate equilibrium between shielding intermediaries and upholding the competing rights of other stakeholders. The article then navigates in Section 3 the fraught terrain of fundamental rights as articulated by the European Court of Human Rights (ECtHR) and the Court of Justice of the European Union (CJEU) under the aegis of the European Convention on Human Rights and the EU Charter. This section poses an urgent inquiry: can the DSA's foundational principles reconcile these legal frameworks in a manner that fuels democracy rather than stifles it through inadvertent censorship? Section 4 then delves into the intricate relationship between fundamental rights and the DSA reform. This section conducts a comprehensive analysis of the key provisions of the DSA, emphasising how they underscore the importance of fundamental rights. In addition to mapping out the strengths of the framework the section also identifies existing limitations within the DSA and suggests potential pathways for further refinement and improvement. This article concludes by outlining key avenues for achieving a balanced and fundamental rights-compliant regulatory framework for platform liability within the EU.     

Personal Data and the GDPR: Providing a Competitive Advantage for U.S. Companies

The European Union's General Data Protection Regulation (GDPR) became applicable in May 2018. Due to the GDPR's extraterritorial scope, which could result in massive fines for U.S. companies, comparative data privacy law is of great current interest. In June 2018, California passed its own Consumer Privacy Act, echoing some of the provisions of the GDPR. Despite the many articles comparing the two schemes of law, little attention has been given to the foundation of these laws, that is, what exactly encompasses the data referred to by these laws? By understanding how the term “personal data” or “personal information” is defined in both jurisdictions, and why these definitions and the treatment of protected data are so different, companies can strategize to take advantage of these developments in the European Union. After explaining the differences in how data is treated in the United States and the European Union by exploring the definitions, regulations, and court cases, we will explore the five legal strategy pathways that companies might pursue with respect to the legal aspects of data transfer and privacy law compliance. While these strategies range from ignoring the law to adopting the European model worldwide, this analysis of legal strategy reveals a means for companies to gain a competitive advantage through their adoption of a worldwide compliance scheme.     

Standards for privacy of individually identifiable health information. Office of the Assistant Secretary for Planning and Evaluation, DHHS. Final rule

This rule includes standards to protect the privacy of individually identifiable health information. The rules below, which apply to health plans, health care clearinghouses, and certain health care providers, present standards with respect to the rights of individuals who are the subjects of this information, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information. The use of these standards will improve the efficiency and effectiveness of public and private health programs and health care services by providing enhanced protections for individually identifiable health information. These protections will begin to address growing public concerns that advances in electronic technology and evolution in the health care industry are resulting, or may result in, a substantial erosion of the privacy surrounding individually identifiable health information maintained by health care providers, health plans and their administrative contractors. This rule implements the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996.     

Beyond Endogeneity: How Firms and Regulators Co‐Construct the Meaning of Regulation

What role do regulators and firms play in the construction of open‐ended regulatory terms? The new institutional legal endogeneity model posits that organizations respond to legal uncertainty by adopting formal structures to symbolically signal their compliance. These structures, however, tend to embody businesses' managerial and commercial values, as opposed to regulatory goals. Law becomes endogenous insofar as legal actors then defer to businesses' institutionalized ideas about regulation and compliance. Professionals, such as lawyers and human‐resource managers, and their strategic deployment of framing, are portrayed as the engines of the above process of legal endogeneity. By comparison, administrative agencies' strategies in shaping the meaning that corporations attach to the law are practically ignored. Building on a detailed case study of British financial firms' responses to the Financial Services Authority's Treating Customers Fairly initiative, this article problematizes the supposition of regulatory deference to business constructions of law. Instead, it develops a more balanced model that recognizes business professionals' and regulators' co‐construction of regulation and compliance. The process of regulatory meaning co‐construction, as depicted by this model, involves alignment and disputes between regulators' and professionals' strategic framing of regulatory concerns with tangible consequences for the enactment of regulation.     

Standards for privacy of individually identifiable health information. Office of the Assistant Secretary for Planning and Evaluation, DHHS. Proposed rule

This rule proposes standards to protect the privacy of individually identifiable health information maintained or transmitted in connection with certain administrative and financial transactions. The rules proposed below, which would apply to health plans, health care clearinghouses, and certain health care providers, propose standards with respect to the rights individuals who are the subject of this information should have, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information. The use of these standards would improve the efficiency and effectiveness of public and private health programs and health care services by providing enhanced protections for individually identifiable health information. These protections would begin to address growing public concerns that advances in electronic technology in the health care industry are resulting, or may result, in a substantial erosion of the privacy surrounding individually identifiable health information maintained by health care providers, health plans and their administrative contractors. This rule would implement the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996.     

Online Privacy in China: A Survey on Information Practices of Chinese Websites

This paper is a survey on the information practices of Chinesewebsites. Three groups of Chinese commercial websites were selectedand their information practices were analysed and compared withthe generally accepted principles of online information practices.Survey results indicated that Chinese websites collected a vastamount of personal data through various forms. The percentageof websites posting privacy disclosures was comparatively small.For those sites with privacy policy or discrete privacy statement,their information practices did not accord with generally acceptedprinciples of information practices. The paper presents recommendationsfor China to deal with such a legal issue that makes nationalborders meaningless.     

垄断法下的相关数据市场研究

数据是互联网平台经济的利润中心与关键驱动力.在对平台经济的反垄断审查中,相关机构很少将数据要素纳入审查分析范围.平台经济的反垄断审查分析中需重新审视数据要素的价值.互联网平台是在线经济结构的最有影响力的参与者.与传统的管道业务模型不同,平台市场是多方且相互依存的市场.追求规模化意味着平台须尽一切努力获取数据资源.数据不但有利于改善平台的获利能力,还有利于促进平台业务模型创新.数据市场垄断可能引发进入障碍、隐私侵害和消费者利益损害等.遏制数据市场力对市场竞争的损害需将数据要素纳入反垄断审查范围.在反垄断分析中应将数据市场视为整体.在定义数据市场力时,应考虑数据的市场份额以及收集与处理数据的能力.     

The future of privacy certification in Europe: an exploration of options under article 42 of the GDPR

The EU faces substantive legislative reform in data protection, specifically in the form of the General Data Protection Regulation (GDPR). One of the new elements in the GDPR is its call to establish data protection certification mechanisms, data protection seals and marks to help enhance transparency and compliance with the Regulation and allow data subjects to quickly assess the level of data protection of relevant products and services. To this effect, it is necessary to review privacy and data protection seals afresh and determine how data protection certification mechanisms, seals or marks might work given the role they will be called to play, particularly in Europe, in facilitating data protection. This article reviews the current state of play of privacy seals, the EU policy and regulatory thrusts for privacy and data protection certification, and the GDPR provisions on certification of the processing of personal data. The GDPR leaves substantial room for various options on data protection certification, which might play out in various ways, some of which are explored in this article.     

Open-source intelligence and privacy by design

As demonstrated by other papers on this issue, open-source intelligence (OSINT) by state authorities poses challenges for privacy protection and intellectual-property enforcement. A possible strategy to address these challenges is to adapt the design of OSINT tools to embed normative requirements, in particular legal requirements. The experience of the VIRTUOSO platform will be used to illustrate this strategy. Ideally, the technical development process of OSINT tools is combined with legal and ethical safeguards in such a way that the resulting products have a legally compliant design, are acceptable within society (social embedding), and at the same time meet in a sufficiently flexible way the varying requirements of different end-user groups. This paper uses the analytic framework of privacy design strategies (minimise, separate, aggregate, hide, inform, control, enforce, and demonstrate), arguing that two approaches for embedding legal compliance seem promising to explore in particular. One approach is the concept of revocable privacy with spread responsibility. The other approach uses a policy mark-up language to define Enterprise Privacy Policies, which determine appropriate data handling.     

Data Breach,Privacy, and Cyber Insurance: How Insurance Companies Act as “Compliance Managers” for Businesses

While data theft and cyber risk are major threats facing organizations, existing research suggests that most organizations do not have sufficient protection to prevent data breaches, deal with notification responsibilities, and comply with privacy laws. This article explores how insurance companies play a critical, yet unrecognized, role in assisting organizations in complying with privacy laws and dealing with cyber theft. My analysis draws from and contributes to two literatures on organizational compliance: new institutional organizational sociology studies of how organizations respond to legal regulation and sociolegal insurance scholars' research on how institutions govern through risk. Through participant observation at conferences, interviews, and content analysis of insurer manuals and risk management services, my study highlights how insurers act as compliance managers for organizations dealing with cyber security threats. Well beyond pooling and transferring risk, insurance companies offer cyber insurance and unique risk management services that influence the ways organizations comply with privacy laws.     

Regulating small things: genes, gametes and nanotechnology

Biotechnology and nanotechnology both intersect with other technologies in ways that open new possibilities for further technological progress. The potential for increased convergence between technological fields highlights the need for regulatory frameworks to be integrated, flexible and responsive. Within a federal legal system such as Australia's, there is a need to ensure that we adopt a coordinated national approach to the crafting of regulatory solutions. In addition, there is a need for global cooperation in the development of international standards and regulatory harmonisation. Finally, this article considers the role that law plays in negotiating risk in relation to new technologies.     

Games of Engagement: Postures Within the Regulatory Community*

This paper seeks to advance understanding of compliance through identifying the constituent elements of four empirically derived postures of regulatees: resistance and disengagement (associated with non-compliance), and managerial accommodation and capture (associated with compliance) (V. Braith-waite et al. 1994). The nature of these postures is investigated through two theoretical frameworks, Meidinger's (1987) notion of regulatory culture (and the construct of social bonds) and Merton's (1968) modes of adaptation (and the construct of commitments to institutional goals and means). Social bonds and commitments to goals and means are important for explaining resistance, disengagement and managerial accommodation. In the case of capture of the regulatees, social bonds are more important than commitments to goals and means. The findings counsel regulatory agencies to establish trust and respect in the regulatee-regulator relationship.