Online selling and contracting: An overview of EU rules

In the second of our series of articles considering the EU’s limited harmonisation of the laws regulating the activities of businesses using the Internet, we look at the rules governing contracting and selling online. We consider the circumstances in which three key EU directives apply, the rights, under these directives, of consumers who contract online and the effect of electronic signatures as used for online contracting.     

There's more to it than data protection – Fundamental rights,privacy and the personal/household exemption in the digital age

Heated debates triggered by the plans to introduce the “right to be forgotten” exposed problems the all-encompassing application of rules on data processing may cause in practice. The purpose of this article is to discuss the compatibility of these rules with the rapidly evolving online environment in the context of the need to guarantee human rights on the internet. The author argues that there is an imbalance in the protection of individual rights online. It results from the limited application of personal/household exception and, in general, the narrow understanding of the concept of online privacy. According to the author in order for data protection laws to flesh out not only the fundamental right of data protection, but also play a mediatory role in balancing other rights, the application of the personal/household exception should be extended to include private online activities. This would reflect the complex character of the very concept of online privacy, diversity of actors and activities shaping online “territories”, as well as the increasingly heterogeneous fabric of the Web.     

Using sensitive data to prevent discrimination by artificial intelligence: Does the GDPR need a new exception?

Organisations can use artificial intelligence to make decisions about people for a variety of reasons, for instance, to select the best candidates from many job applications. However, AI systems can have discriminatory effects when used for decision-making. To illustrate, an AI system could reject applications of people with a certain ethnicity, while the organisation did not plan such ethnicity discrimination. But in Europe, an organisation runs into a problem when it wants to assess whether its AI system accidentally discriminates based on ethnicity: the organisation may not know the applicants’ ethnicity. In principle, the GDPR bans the use of certain ‘special categories of data’ (sometimes called ‘sensitive data’), which include data on ethnicity, religion, and sexual preference. The proposal for an AI Act of the European Commission includes a provision that would enable organisations to use special categories of data for auditing their AI systems. This paper asks whether the GDPR's rules on special categories of personal data hinder the prevention of AI-driven discrimination. We argue that the GDPR does prohibit such use of special category data in many circumstances. We also map out the arguments for and against creating an exception to the GDPR's ban on using special categories of personal data, to enable preventing discrimination by AI systems. The paper discusses European law, but the paper can be relevant outside Europe too, as many policymakers in the world grapple with the tension between privacy and non-discrimination policy.     

How to attribute the right to data portability in Europe: A comparative analysis of legislations

The number of online services is constantly growing, offering numerous and unprecedented advantages for consumers. Often, the access to these services requires the disclosure of personal information. This personal data is very valuable as it concedes significant advantages over competitors, allowing better answers to the customer's needs and therefore offering services of a better quality. For some services, analysing the customers' data is at the core of their business model. Furthermore, personal data has a monetary value as it enables the service providers to pursue targeted advertising. Usually, the first companies who provide a service will benefit from large volumes of data and might create market entrance barriers for new online providers, thus preventing users from the benefits of competition. Furthermore, by holding a grip on this personal data, they are making it more expensive or burdensome for the user to shift to a new service. Because of this value, online services tend to keep collected information and impede their users to reuse the personal data they have provided. This behaviour results in the creation of a lock-in effect. Upcoming awareness for this problem has led to the demand of a right to data portability. The aim of this paper is to analyse the different legislative systems that exist or have been recently created in this regard that would grant a right to data portability. Firstly, this article draws up the framework of data portability, explaining its origin, general aspects, advantages as well as its possible downfalls. Secondly, the core of the article is approached as the different ways of granting data portability are analysed. In this regard, the possible application of European Competition Law to prohibit restrictions to data portability is examined. Afterwards, an examination of the application of U.S. Antitrust Law is made to determine whether it could be a source of inspiration for European legislators. Finally, an analysis of the new General Data Protection Regulation is made with respect to the development of data portability throughout the European legislative procedure. This article makes a cross-examination of legislations, compares them with one another in order to offer a reflection on the future of portable data in Europe, and finally attempts to identify the best approach to attribute data portability.     

The European Union's approach to online behavioural advertising: Protecting individuals or restricting business?

The European Union (EU) has firmly set its stall out to protect individuals' data and privacy and has demonstrated this through the rejection of the old opt-out regime and the introduction of the new opt-in rules. These require businesses to obtain individual's prior and informed consent before their data are collected, stored and used for the purposes of online behavioural advertising (OBA). Individuals in the EU are afforded protection from the apparent dangers relating to data privacy and misuse that is associated with OBA, which is beyond the expectation of most Internet users. However, there are some criticisms levelled at the law that the EU has produced. Is simply gaining informed consent sufficient for protecting all types of information? Do certain types of information require a higher level of consent than others? Does the law fulfil its aim of protecting data subject's privacy and data? Is the current law restrictive to business? Do individuals know or care that their information is being collected for the purposes of targeted advertising and is there a better way to ensure that they do? Finally, will proposed new law to be found in the EU Data Protection Regulation solve any of these problems? This article will assess whether, as a policy decision, the EU's current approach has been too cautious in its attempts to protect individuals or restrict business.     

Legal constraints for the protection of privacy and personal data in electronic evidence handling1

This paper describes the application of personal data protection rules in the process of e‐evidence handling. It focuses mainly on the application of Directive 95/46/EC rules to the digital environment. It also makes reference to the legal risks derived from the collection and processing of e‐evidence in violation of privacy and personal data protection law.     

Are Internet protocol addresses personal data? The fight against online copyright infringement

Internet Protocol addresses [IP addresses] are central for Internet electronic communications. They individualize computers and their users to make the delivery of data packets possible. IP addresses are also often used to identify websurfers for litigation purposes. In particular, they constitute a key in the fight against online copyright infringement to identify infringers. However, it is a matter of dispute to know if IP addresses are personal data. In a review of relevant case law, the present paper seeks to identify when IP addresses are - or should be - considered as personal data. It suggests a contextual approach to the concept of personal data.     

信息信义义务理论之批判

“信息信义义务”理论已掀起网络平台监管争论的汹涌波涛,该理论经由杰克·巴尔金(Jack Balkin)教授发展,旨在“一碗水端平”一般用户与搜集、分析、出卖个人信息为业的数据公司之间的关系。在处理医患关系、律师与客户、会计师与客户的关系时,法律课以医生、律师和会计师特殊的注意、保密和忠实义务。巴尔金教授主张,与之相类似,在处理脸书(Facebook)、谷歌(Google)和推特(Twitter)等公司与终端用户的关系时,也应课以公司类似的特殊义务。过去数年里,该论断赢得了广泛的支持,鲜有敌手。但信息信义义务理论存在潜在矛盾和模棱两可之处,其是否有能力解决上述问题使人生疑。故此,本文揭示上述理论缺陷,意在瓦解“信息信义义务”新理论共识。尽管我们同意巴尔金教授“占主导地位的网络平台造成损害,由此呼唤法律的介入管制”的论断,但我们质疑信息信义义务这套理论是否能充分、恰当地回应所谓的信息不安全问题,更勿论一些更为根本的问题——建立于监视渗透基础上的优势市场份额以及与商业模式相关的根本问题。我们也呼吁重视信息信义义务这一理论框架的潜在成本——我们担心,该理论框架会对网络平台的结构性权利产生一种盲目的自满,也过早地放弃了对公共监管的更美愿景。     

Encryption safe harbours and data breach notification laws

Data breach notification laws require organisations to notify affected persons or regulatory authorities when an unauthorised acquisition of personal data occurs. Most laws provide a safe harbour to this obligation if acquired data has been encrypted. There are three types of safe harbour: an exemption; a rebuttable presumption and factor-based analysis. We demonstrate, using three condition-based scenarios, that the broad formulation of most encryption safe harbours is based on the flawed assumption that encryption is the silver bullet for personal information protection. We then contend that reliance upon an encryption safe harbour should be dependent upon a rigorous and competent risk-based review that is required on a case-by-case basis. Finally, we recommend the use of both an encryption safe harbour and a notification trigger as our preferred choice for a data breach notification regulatory framework.     

Functional anonymisation: Personal data and the data environment

Anonymisation of personal data has a long history stemming from the expansion of the types of data products routinely provided by National Statistical Institutes. Variants on anonymisation have received serious criticism reinforced by much-publicised apparent failures. We argue that both the operators of such schemes and their critics have become confused by being overly focused on the properties of the data itself. We claim that, far from being able to determine whether data is anonymous (and therefore non-personal) by looking at the data alone, any anonymisation technique worthy of the name must take account of not only the data but also its environment.This paper proposes an alternative formulation called functional anonymisation that focuses on the relationship between the data and the environment within which the data exists (the data environment). We provide a formulation for describing the relationship between the data and its environment that links the legal notion of personal data with the statistical notion of disclosure control. Anonymisation, properly conceived and effectively conducted, can be a critical part of the toolkit of the privacy-respecting data controller and the wider remit of providing accurate and usable data.     

Protecting personal data in wartime: The destruction of the alphabetic tabulators in Oslo

As a contribution to this special issue of CLSR, Jon Bing offers a unique wartime account of one of the earliest attempts to prevent ‘online processing’ of personal data by the occupying authorities for oppressive purposes.     

Using financial intelligence to target online fraud victimisation: applying a tertiary prevention perspective

Abstract

It is well established that policing in an online environment is fraught with challenges. To combat losses attributed to online fraud, Australia has seen the emergence of a victim-oriented approach, which uses financial intelligence to identify potential victims and deliberately intervenes through the sending of a letter. This approach predominantly targets victims of advance fee fraud and romance fraud who are sending money to West African countries. The current article presents three Australian case studies: Project Sunbird (West Australian Police and West Australian Department of Commerce); Operation Disrepair (South Australian Police); and the National Scams Disruption Project (Australian Competition and Consumer Commission). The article locates these cases within existing theory on crime prevention, using available data to document initial positive outcomes. Overall, this article supports the use of a victim-oriented tertiary approach to online fraud, and advocates its potential to reduce both repeat victimisation and the harm incurred through online fraud.     

The uncertain future of data retention laws in the EU: Is a legislative reset possible?

The article discusses the CJEU's most important case law, including interpretations presented in recent cases relating to data retention for both national security purposes (Privacy International, La Quadrature du Net) and the fight against serious crime (H.K). The analysis is a starting point for discussing the draft e-Privacy Regulation, in particular a controversial proposal introduced by the EU Council that may limit the Court's jurisdiction in cases involving data retention rules that cover state security.Negotiated over the past five years, the draft e-Privacy Regulation fleshes out EU data protection rules governing electronic communication services. As a result, the way in which obligations under the Regulation are defined is critical in setting a standard for retention rules consistent with CJEU case law for decades to come. At the same time, succumbing to pressure from Member States may have the opposite result – the emergence of new ambiguities concerning not only the admissibility of data retention but also the competence of EU institutions to regulate this area of the telecommunications sector.     

Data transfer to third countries: Transfers of personal data to third countries: the role of binding corporate rules

This article explores an EU Working Party report that examines the role of contractual solutions, such as binding corporate rules, on transfers of personal data to third countries.     

Criminal Exploitation of Online Systems by Organised Crime Groups

This article considers how information and communications technologies (ICT) can be used by organised crime groups to infringe legal and regulatory controls. Three categories of groups are identified: traditional organised criminal groups which make use of ICT to enhance their terrestrial criminal activities; organised cybercriminal groups which operate exclusively online; and organised groups of ideologically and politically motivated individuals who make use of ICT to facilitate their criminal conduct. The activities of each group are then assessed in relation to five areas of risk: the use of online payment systems, online auctions, online gaming, social networking sites and blogs. It is concluded that the distinction between traditional organised crime groups and the other two groups—cybercriminal groups and ideologically/politically motivated cyber groups—is converging, with financially-motivated attacks becoming more targeted. Legislation will need to adapt to deal with new technological developments and threats that organised criminals seek to exploit.

数据法定继承规则的情境化构建

设置合理的数据法定继承规则至关重要。数据的可继承性不应受到财产性悖论、人格权益论、个人信息保护规则与通信秘密规则的阻碍,但被继承人以遗嘱或在用户协议的菜单式选项中予以排除可能导致数据不可继承。面对弱化的家庭和个性化法律的展望,现行法定继承人范围和顺位规则受到挑战,建议以情感属性较强的数据为“试点”,将“与该数据具备最密切情感联系之人”纳入法定继承人的范围。在数据遗产继承的具体方式上,采取继承人数据使用权限的视角更具实益。可以根据数据的身份重要程度、公开程度、是否涉及第三方隐私等属性,通过调整用户组策略下的数据使用权限设置情境化的数据法定继承规则。     

Having yes,using no? About the new legal regime for biometric data

The rise of biometric data use in personal consumer objects and governmental (surveillance) applications is irreversible. This article analyses the latest attempt by the General Data Protection Regulation (EU) 2016/679 and the Directive (EU) 2016/680 to regulate biometric data use in the European Union. We argue that the new Regulation fails to provide clear rules and protection which is much needed out of respect of fundamental rights and freedoms by making an artificial distinction between various categories of biometric data. This distinction neglects the case law of the European Court of Human Rights and serves the interests of large (governmental) databases. While we support regulating the use and the general prohibition in the GDPR of using biometric data for identification, we regret this limited subjective and use based approach. We argue that the collection, storage and retention of biometric images in databases should be tackled (objective approach). We further argue that based on the distinctions made in the GDPR, several categories of personal data relating to physical, physiological or behavioural characteristics are made to which different regimes apply. Member States are left to adopt or modify their more specific national rules which are eagerly awaited. We contend that the complex legal framework risks posing headaches to bona fide companies deploying biometric data for multifactor authentication and that the new legal regime is not reaching its goal of finding a balance between the free movement of such data and protecting citizens. Law enforcement authorities also need clear guidance. It is questioned whether Directive (EU) 2016/680 provides this.     

From social netizens to data citizens: Variations of GDPR awareness in 28 European countries

We study variability in General Data Protection Regulation (GDPR) awareness in relation to digital experience in the 28 European countries of EU27-UK, through secondary analysis of the Eurobarometer 91.2 survey conducted in March 2019 (N = 27,524). Education, occupation, and age are the strongest sociodemographic predictors of GDPR awareness, with little influence of gender, subjective economic well-being, or locality size. Digital experience is significantly and positively correlated with GDPR awareness in a linear model, but this relationship proves to be more complex when we examine it through a typological analysis. Using an exploratory k-means cluster analysis we identify four clusters of digital citizenship, across both dimensions of digital experience and GDPR awareness: the off-line citizens (22%), the social netizens (32%), the web citizens (17%), and the data citizens (29%). The off-line citizens rank lowest in internet use and GDPR awareness; the web citizens rank at about average values, while the data citizens rank highest in both digital experience and GDPR knowledge and use. The fourth identified cluster, the social netizens, have a discordant profile, with remarkably high social network use, below average online shopping experiences, and low GDPR awareness. Digitalization in human capital and general internet use is a strong country-level correlate of the national frequency of the data citizen type. Our results confirm previous studies of the low privacy awareness and skills associated with intense social media consumption, but we find that young generations are evenly divided between the rather carefree social netizens and the strongly invested data citizens. In order to achieve the full potential of the GDPR in changing surveillance practices while fostering consumer trust and responsible use of Big Data, policymakers should more effectively engage the digitally connected social netizens in the public debate over data use and protection. Moreover, they should enable all types of digital citizens to exercise their GDPR rights and to support the creation of value from data, while defending the right to protection of personal data.