‘Modernising’ data protection Convention 108: A safe basis for a global privacy treaty?

Proposals for the reform or ‘modernisation’ of Council of Europe Data Protection Convention 108 have now been forwarded from the Convention's Consultative Committee for consideration by the Council of Ministers. This article assesses the changes proposed, which strengthen the obligations of Parties to implement the Convention as a matter of effective practice, not just as a law on paper. It tightens most of the existing data protection principles, and adds new ones which better align the Convention with the EU Directive (and proposed Regulation). The Convention Committee will have explicit new functions including assessing candidates for accession, and periodically reviewing implementation by existing parties. However, the proposals concerning the required standard for data export limitations are in some respects ill-defined and dangerous for data subjects. The existing standard that personal data can only be exported if the recipient provides ‘adequate’ protection has been abandoned for an undefined requirement of ‘appropriate’ protection. The article situates the risk of abandoning meaningful data export restrictions in the context of the USA's push for ‘interoperability’ of very different data protection standards.     

Identity and its verification

The European Commission's eJustice Strategy seems to contemplate that all lawyers will be issued with an ‘identity card’ card, perhaps intended to include a key for making digital signatures. The Council of Bars and Law Societies of Europe (CCBE) is proposing to introduce such a card. The purpose of this article is to clarify what ‘identity’ is and what is involved in verifying it, and to offer some general observations about identity cards. Although written with the eJustice proposals in mind, nevertheless the purpose of this article is to address the topic in its widest sense, which means it affects identity and its verification, whatever the circumstances.     

Digital evidence and ‘cloud’ computing

The term ‘cloud computing’ has begun to enter the lexicon of the legal world. The term is not new, but the implications for obtaining and retaining evidence in electronic format for the resolution of civil disputes and the prosecution of alleged criminal activities might be significantly affected in the future by ‘cloud’ computing. This article is an exploratory essay in assessing the effect that ‘cloud’ computing might have on evidence in digital format in criminal proceedings in the jurisdiction of England & Wales.     

The ‘beyond parental control’ label in Nigeria

Recent reports in Nigeria indicate a geometric rise in incarcerated adolescents, with an overwhelming majority of this increase being attributed to adolescents being declared ‘beyond parental control’. There is a nagging suspicion that the Nigerian juvenile justice system has over criminalised adolescents by declaring them ‘beyond control’ when behavioural problems have actually resulted from child abuse/neglect and family disruption. A study was undertaken in a juvenile justice institution in Nigeria to assess the adequacy of pre-incarceration parental care among adolescents that had been declared as ‘beyond parental control’. The study included 75 adolescent boys that had been declared as ‘beyond parental control’ and a comparison group of 144 matched school going boys. It examined self-reports received from the adolescent boys regarding their pre-incarceration family life and social circumstances, as well as the behavioural problems they had experienced. The findings indicate that adolescent boys who were declared as ‘beyond parental control’ had a significantly higher lifetime history of behavioural problems than the comparison group, and they also had significantly higher indicators of pre-incarceration child abuse/neglect and problems with stability and consistency of primary support. These findings pose questions regarding the presumption of adequate parental care prior to the declaration of ‘beyond parental control’. It also raises questions about child rights protection and juvenile justice reform in Nigeria.     

Reconstructing ‘conflict of interest’ in financial markets: Private management, public challenges, future prospects

Following widespread criticism of financial market (self-)regulation, there is a shift in regulatory mood, explored here with reference to evolving conceptions of conflict of interest. The pre-crisis distinction between conflict of interest (normal, manageable) and its exploitation (unacceptable, legally actionable) has become somewhat eroded, as exemplified by the SEC’s 2010 civil fraud action against investment bank Goldman Sachs. However the settlement of that case on the basis of ‘mistake’ left many questions unanswered: about the meaning(s) of conflict of interest, about managerial mistake versus exploitative intent in administrative/civil cases and equally about the potential for action under criminal law. Looking forward, a judgement of the European Court of Justice on insider trading – concerning a rebuttable assumption of intent – could be taken as a template for ‘drawing the line’ on conflict of interest. Acting on the basis of informational asymmetry could be taken as an indicator of intent and serious wrongdoing unless financial market actors can demonstrate otherwise.     

New digital services: Options for leveraging digital convergence in Europe

This article examines the nature, regulatory challenges and options for Community policies that arise from the effects of technological convergence. It concludes that new forms of regulation will need to be flexible and technology-neutral in order to be ‘future proof’.     

Mental health law and the UN Convention on the rights of persons with disabilities

People with a mental illness may be subject to the UN Convention on the Rights of Persons with Disabilities (CRPD), depending on definitions of terms such as ‘impairment’, ‘long-term’ and the capaciousness of the word ‘includes’ in the Convention's characterisation of persons with disabilities. Particularly challenging under the CRPD is the scope, if any, for involuntary treatment.     

A walk in to the cloud and cloudy it remains: The challenges and prospects of ‘processing’ and ‘transferring’ personal data

Cloud computing is an information technology technique that promises greater efficiency and reduced-cost to consumers, businesses and public institutions. However, to the extent it has brought better efficiency and minimal cost, the emergence of cloud computing has posed a significant regulatory challenge on the application of data protection rules particularly on the regime regulating cross-border data flow. The Data Protection Directive (DPD), which dates back to 1995, is at odds with some of the basic technological and business-related features of the cloud. As a result, it is claimed that the Directive hardly offers any help in using the legal bases to ‘process’ and ‘transfer’ data as well as to determine when a transfer to a third country occurs in cloud computing. Despite such assertions, the paper argues that the ECJ's Bodil Lindqvist decision can to a certain extent help to delineate circumstances where transfer should and should not occur in the cloud. Concomitantly, the paper demonstrates that controllers can still make the most of the available possibilities in justifying their ‘processing’ as well as ‘transferring’ of data to a third country in cloud arrangements. In doing so, the paper also portrays the challenges that arise down the road. All legal perspectives are largely drawn from EU level though examples are given from member states and other jurisdictions when relevant.     

Topographies of forensic practice in Imperial Germany

This article examines the topography and “cultural machinery” of forensic jurisdictions in Imperial Germany. It locates the sites at which boundary disputes between psychiatric and legal professionals arose and explores the strategies and practices that governed the division of expert labor between them. It argues that the over-determined paradigms of ‘medicalization’ and ‘biologization’ have lost much of their explanatory force and that historians need to refocus their attention on the institutional and administrative configuration of forensic practices in Germany. After first sketching the statutory context of those practices, the article explores how contentious jurisdictional negotiations pitted various administrative, financial, public security, and scientific interests against one another. The article also assesses the contested status of psychiatric expertise in the courtroom, as well as post-graduate forensic psychiatric training courses and joint professional organizations, which drew the two professional communities closer together and mediated their jurisdictional disputes.     

Current developments in Open Source Software

Open Source Software (OSS) has hit the mainstream in recent years and its scope is set to increase. Best seen as a range of associated licensing techniques, there are many different types of OSS licences. Coupled with a lack of settled case law and rapidly developing market practice, legal interpretation of the OSS world presents challenges to lawyers. Of the ‘top 20’ OSS licences, the GPL is the most commonly used and among the most radical in legal effect. The GPL's legal radicalism centres on its Article 2(b) concept of ‘copyleft’. Copyleft is an inheritance requirement to pass on the GPL's terms to other software that ‘contains’ or is ‘derived from’ the initially used GPL software. I illustrations of Article 2(b) issues from the Linux and Java worlds are provided. Current case law (such as it is) is then overviewed. Finally, contractual and policy implications of OSS governance are then reviewed as the increasing uptake of OSS in the organisation is mirrored in the growing importance of OSS governance.     

Depressed but not legally mentally impaired

This article examines the mental impairment (insanity) defense in the Australian state of Victoria and argues that the defense is successful only when offenders suffer from psychotic mental illnesses. This raises the question about how non-psychotic offenders are dealt with by the courts when they claim ‘mental impairment’ for serious acts of violence such as homicide, particularly when a relatively large number of perpetrators involved in homicide suffer from non-psychotic illnesses like depression. The analysis shows that depressive illnesses do not reach the threshold for mental impairment (legal insanity) such that they mitigate violent criminal behavior, although they can, arguably, diminish culpability. This article draws upon existing literature, qualitative analysis of two court cases and semi-structured interviews with four legal representatives to make its conclusions.     

Can hyperlinks and digital rights management secure affordable access to information?

Digital Rights Management Systems (DRMs) related control mechanism, which are analogous to and augment the exclusive rights, have been the subject of debate since the early 1980s. DRMs, which function like an electronic security guard that ‘never leaves its post, never takes a break and never sleeps,¹ can invade the privacy of individuals, prevent competition and/or control access to a work that is not or is no longer copyright protected. Hyperlinks are citations of an electronic address, but when clicked they navigate the user to the source of further information, including codes circumventing DRMs. This article accepts that the excesses of DRMs can outreach copyright and/or contract law, but argues that DRMs provide an opportunity for innovative business models, which can both protect digital works and promote free use of hyperlinks. Part 1 outlines the background and legislative provisions related to DRMs. It contrasts the WIPO Copyright Treaty (WCT) 1996,² Articles 11 and 12, with corresponding provisions found in the implementing legislation of the US Digital Millennium Copyright Act (DMCA) 1998,³ and the EU Copyright Directive (EUCD) 2001.⁴ It also examines the intellectual property aspects of the Trans-Pacific Partnership (TPP) and Europe's Anti-counterfeiting Trade Agreement (ACTA).⁵ Part 2 debates opposing academic opinion and comments on case law relating to DRMs, including the use of hyperlinks as a way of trafficking circumvention technology and/or facilitating unauthorised access to a copyright work. It assesses the extent to which DRMs might inhibits the development of new products, prevents competition, or invades the privacy of individuals, and points to the opportunities a consumer group-rightholder negotiated model end user licence can offer. Part 3 concludes that DRMs bolsters the clutches of the rightholder, but reduce unauthorised access to information thus minimising revenue loss, which can make hyperlinked ‘consumer’ access to information ‘affordable,’ or even free.     

Hey,you, get off of that cloud?

If the final years of this decade are to be over-shadowed by a ‘credit crunch’ and a global recession, then the IT industry's recent focus on cost and resource efficiency via cloud-computing will increasingly seem pertinent to many businesses. This paper will explore some of the legal and practical risks any business will need to consider in their cloud-computing arrangements.     

The ‘Right to be Forgotten’ – Worth remembering?

In the last few years there has been a lot of buzz around a so-called ‘right to be forgotten’. Especially in Europe, this catchphrase is heavily debated in the media, in court and by regulators. Since a clear definition has not emerged (yet), the following article will try to raise the veil on this vague concept. The first part will weigh the right’s pros and cons against each other. It will appear that the ‘right to be forgotten’ clearly has merit, but needs better definition to avoid any negative consequences. As such, the right is nothing more than a way to give (back) individuals control over their personal data and make the consent regime more effective. The second part will then evaluate the potential implementation of the right. Measures are required at the normative, economical, technical, as well as legislative level. The article concludes by proposing a ‘right to be forgotten’ that is limited to data processing situations where the individual has given his or her consent. Combined with a public interest exception, this should (partially) restore the power balance and allow individuals a more effective control over their personal data.     

Anonymisation of personal data – A missed opportunity for the European Commission

As early as the 1970's, privacy studies recognised that ‘anonymisation’ needed to be approached with caution. This caution has since been vindicated by the increasing sophistication of techniques for reidentification. Yet the courts in the UK have so far only hesitatingly grappled with the issues involved, while European courts have produced no guidance.     

MiFID II – A radical contribution to the development of data law?

Away from the hubbub about HFT (High Frequency Trading) a quiet storm is blowing in to the EU that will radically change securities trading in bonds, OTC derivatives and other asset classes. The rules, called MiFID II,² top off the alphabet soup of an extensive new rule book that, after the European Parliament's ‘Super Tuesday’ on 15 April 2014, is finally set to become law. Radical changes are afoot!     

Allocating responsibility among controllers,processors, and “everything in between”: the definition of actors and roles in Directive 95/46/EC

In Opinion 1/2010, the Article 29 Data Protection Working Party has provided additional guidance concerning the concepts of ‘controller’ and ‘processor’ contained in Directive 95/46/EC. This guidance aims to assist practitioners in their determination of whether an entity is acting as a controller or as a processor towards a particular data processing operation. Despite the fact that this opinion is informative, the existing framework still appears to leave room for a considerable amount of legal uncertainty. This uncertainty is attributable in part to the nature of the existing concepts, but also (and perhaps to a larger extent) to their apparent misalignment with current processing realities. In this paper, the author seeks to articulate why the existing concepts often remain difficult to apply in practice, in order to enable a constructive reflection on how these issues might be addressed in the future.     

Citizens' perceptions of data protection and privacy in Europe

Data protection and privacy gain social importance as technology and data flows play an ever greater role in shaping social structure. Despite this, understanding of public opinion on these issues is conspicuously lacking. This article is a meta-analysis of public opinion surveys on data protection and privacy focussed on EU citizens. The article firstly considers the understanding and awareness of the legal framework for protection as a solid manifestation of the complex concepts of data protection and privacy. This is followed by a consideration of perceptions of privacy and data protection in relation to other social goals, focussing on the most visible of these contexts–the debate surrounding privacy, data protection and security. The article then considers how citizens perceive the ‘real world’ environment in which data processing takes place, before finally considering the public's perception and evaluation of the operation of framework against environment.     

From offender to situation: the 'cold' approach to sexual violence prevention?

Many commentators have pointed to the monstrous nature of sexual violence, with its related sense of pollution and disgust. In response, post-release regulation has a ‘hot’ quality: in the USA, sexually violent predator statutes, residency requirements, GPS satellite monitoring, and variations on the theme of community notification all speak of the expressiveness of the response. ‘Hot’ signifies and has embedded within it an ‘individualist’ rather than ‘structural’ account of action, emphasises a dramaturgical reading of the social world, and privileges the political rather than the problem-solving sphere. What has been far less explored, until recently, is research and prevention policy related specifically to the sexual violence itself, or the situation in which the offense occurs. By contrast to the ‘hot’ response, elision from offender to situation appears to betoken a ‘cold’ quality. This paper analyses the conceptual and empirical underpinnings of such a ‘cold’ situational approach, evaluates existing studies across settings, and assesses the implications of this problem-solving process for prevention policy and practice. It concludes by embedding the analysis within a broader precautionary politics of ‘hot’ and ‘cold’ control.     

Digital Britain interim report: A step in the right direction?

The Digital Britain interim report was published on 29 January 2009 by the DCMS and BERR with the final report being due out in June. The Report divides itself into four areas for ‘action’; namely Digital Networks, Digital Content, Universal Connectivity and Equipping Everyone to Benefit from Digital Britain. The level of action proposed in each case varies widely and the Report has come under criticism for delivering little in the way of concrete promises or clearly defined strategy. This article summarises and analyses a number of the key purported actions from the Report in order to consider whether it is indeed an appropriate step towards an action plan that would secure the Britain's place at the forefront of the new media age.