Digital evidence and ‘cloud’ computing

The term ‘cloud computing’ has begun to enter the lexicon of the legal world. The term is not new, but the implications for obtaining and retaining evidence in electronic format for the resolution of civil disputes and the prosecution of alleged criminal activities might be significantly affected in the future by ‘cloud’ computing. This article is an exploratory essay in assessing the effect that ‘cloud’ computing might have on evidence in digital format in criminal proceedings in the jurisdiction of England & Wales.     

Allocating responsibility among controllers,processors, and “everything in between”: the definition of actors and roles in Directive 95/46/EC

In Opinion 1/2010, the Article 29 Data Protection Working Party has provided additional guidance concerning the concepts of ‘controller’ and ‘processor’ contained in Directive 95/46/EC. This guidance aims to assist practitioners in their determination of whether an entity is acting as a controller or as a processor towards a particular data processing operation. Despite the fact that this opinion is informative, the existing framework still appears to leave room for a considerable amount of legal uncertainty. This uncertainty is attributable in part to the nature of the existing concepts, but also (and perhaps to a larger extent) to their apparent misalignment with current processing realities. In this paper, the author seeks to articulate why the existing concepts often remain difficult to apply in practice, in order to enable a constructive reflection on how these issues might be addressed in the future.     

The ‘right to be forgotten’ or the ‘principle that has been remembered’

The Court of Justice of the European Union (CJEU) has ruled on questions referred by a Spanish court relating to interpretation of the Data Protection Directive and its application to search engine activities. In a controversial judgment, the CJEU found that search engines are data controllers in respect of their search results; that European data protection law applies to their processing of the data of EU citizens, even where they process the relevant data outside the EU; and that a ‘right to be forgotten’ online applies to outdated and irrelevant data in search results unless there is a public interest in the data remaining available and even where the search results link to lawfully published content.     

The Cyprus and other EU court rulings on data retention: The Directive as a privacy bomb

This paper discusses the controversy surrounding the Data Retention Directive with an emphasis on the 2011 decision of the Cyprus Supreme Court which has annulled several district court orders that allowed the police access to telecommunications data relating to certain persons relevant to criminal investigations. The annulment has been on the ground that the legal provisions upon which the orders have been issued are unconstitutional. It will suggest that the decision does not entail a direct rejection of the EU Data Retention Directive and that in any event, Cyprus is not a Member State resisting the particular measure. This is because the legal provisions are deemed unconstitutional, though part of the law that has transposed the relevant Directive into national law are provisions that go beyond what the EU legislator intended to regulate through that Directive. Still, the particular Directive sits rather uneasily within the ‘human rights’ regime, in particular the one governing the individual right of privacy.     

‘Modernising’ data protection Convention 108: A safe basis for a global privacy treaty?

Proposals for the reform or ‘modernisation’ of Council of Europe Data Protection Convention 108 have now been forwarded from the Convention's Consultative Committee for consideration by the Council of Ministers. This article assesses the changes proposed, which strengthen the obligations of Parties to implement the Convention as a matter of effective practice, not just as a law on paper. It tightens most of the existing data protection principles, and adds new ones which better align the Convention with the EU Directive (and proposed Regulation). The Convention Committee will have explicit new functions including assessing candidates for accession, and periodically reviewing implementation by existing parties. However, the proposals concerning the required standard for data export limitations are in some respects ill-defined and dangerous for data subjects. The existing standard that personal data can only be exported if the recipient provides ‘adequate’ protection has been abandoned for an undefined requirement of ‘appropriate’ protection. The article situates the risk of abandoning meaningful data export restrictions in the context of the USA's push for ‘interoperability’ of very different data protection standards.     

Mine host is searching for a ‘neutrality’ principle!

This article examines the Advocate-General's comments on the ‘hosting’ provision in the eCommerce Directive (00/31/EC). He suggests the existence of a ‘neutrality’ principle in respect of intermediary liability, which operates irrespective of an intermediary's knowledge about the legality or otherwise of the hosted content. This article critically examines this suggestion within the broader debate about the role and responsibilities of intermediaries in a cyberspace context.     

The ‘beyond parental control’ label in Nigeria

Recent reports in Nigeria indicate a geometric rise in incarcerated adolescents, with an overwhelming majority of this increase being attributed to adolescents being declared ‘beyond parental control’. There is a nagging suspicion that the Nigerian juvenile justice system has over criminalised adolescents by declaring them ‘beyond control’ when behavioural problems have actually resulted from child abuse/neglect and family disruption. A study was undertaken in a juvenile justice institution in Nigeria to assess the adequacy of pre-incarceration parental care among adolescents that had been declared as ‘beyond parental control’. The study included 75 adolescent boys that had been declared as ‘beyond parental control’ and a comparison group of 144 matched school going boys. It examined self-reports received from the adolescent boys regarding their pre-incarceration family life and social circumstances, as well as the behavioural problems they had experienced. The findings indicate that adolescent boys who were declared as ‘beyond parental control’ had a significantly higher lifetime history of behavioural problems than the comparison group, and they also had significantly higher indicators of pre-incarceration child abuse/neglect and problems with stability and consistency of primary support. These findings pose questions regarding the presumption of adequate parental care prior to the declaration of ‘beyond parental control’. It also raises questions about child rights protection and juvenile justice reform in Nigeria.     

Cursing the Cloud (or) Controlling the Cloud?

Inspired by the cloud computing hypes, this paper responds to some of the hypes, but not to all. The hype in this paper refers to the level of the adequacy of data protection and privacy in a cloud computing (the Cloud) environment. Paradoxically, this paper proffers observational insights that surround the Cloud from the perspectives of data protection and privacy. It examines briefly the efforts of January 2010 led by Microsoft and anticipating “liability” scenarios. The liability rhetorically refers to the illegal access in the Cloud. This paper does not focus entirely on the technology sophistication; however, it analyses two scenarios of illegal access. To mitigate the liability, it suggests a “Cloud Compliant Strategy (CCS)” being a proposed model to control the Cloud. The observational insights of this paper have also intertwined with the adequacy of data protection from the lenses of the European Union (EU) Data Protection Directive 95/46/EC (DPD) and Safe Harbor provisions (SH).     

South Korea's innovations in data privacy principles: Asian comparisons

Over the last two decades, at least a dozen Asian jurisdictions have adopted significant data privacy (or ‘data protection’) laws. South Korea started to implement such laws in relation to its public sector in the 1990s, then its private sector from 2001, culminating in the comprehensive Personal Information Privacy Act of 2011. Internationally, there have been two stages in the development of data privacy principles (the common core of such laws), the first typified by the OECD's data protection Guidelines of 1981, and the second typified by the European Union data protection Directive of 1995, with a third stage currently under development.     

Regulating electronic identity in the European Union: An analysis of the Lisbon Treaty’s competences and legal basis for eID

This paper discusses the feasibility of EU legal action in the field of electronic identity (eID) within the new distribution of legal competences and the provision of novel legal basis engendered by the Treaty of Lisbon. The article attempts to find a ‘legal anchor’ to the idea of a pan-European electronic identity within EU law, looking at the issues of competences and legal basis. After examining various different areas of competence and the most feasible (and probable) candidates for a legal basis supporting an EU legal framework for eID, the paper argues that the latter should be found in the combination of Article 16 TFEU (concerning the right to the protection of personal data) with Article 3 TUE, and Articles 26 and 114 TFEU (concerning the establishment and functioning of the Internal Market), which also constitute the area of competence where an eID legal initiative can be pursued.     

Asia-Pacific news

This column provides a country by country analysis of the latest legal developments, cases and issues relevant to the IT, media and telecommunications’ industries in key jurisdictions across the Asia-Pacific region. The articles appearing in this column are intended to serve as ‘alerts’ and are not submitted as detailed analyses of cases or legal developments.     

Asia-Pacific news

This column provides a country by country analysis of the latest legal developments, cases and issues relevant to the IT, media and telecommunications’ industries in key jurisdictions across the Asia Pacific region. The articles appearing in this column are intended to serve as ‘alerts’ and are not submitted as detailed analyses of cases or legal developments.     

Asia-Pacific news

This column provides a country by country analysis of the latest legal developments, cases and issues relevant to the IT, media and telecommunications’ industries in key jurisdictions across the Asia Pacific region. The articles appearing in this column are intended to serve as ‘alerts’ and are not submitted as detailed analyses of cases or legal developments.     

Asia-Pacific news

This column provides a country by country analysis of the latest legal developments, cases and issues relevant to the IT, media and telecommunications’ industries in key jurisdictions across the Asia-Pacific region. The articles appearing in this column are intended to serve as ‘alerts’ and are not submitted as detailed analyses of cases or legal developments.     

The Patients’ Rights Directive (2011/24/EU) – Providing (some) rights to EU residents seeking healthcare in other Member States

This article presents the main elements of Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare, commonly known as the Patient’s Rights Directive. It is the latest EU initiative with regard to European Health Care and the Single Market. The main elements of the Directive contain provisions related to the prior authorisation of health care in another Member State, the reimbursement of such health care and the removal of unjustified obstacles to achieving these aims.These provisions largely reflect the recent case law of the European Court of the Justice (ECJ). Amongst these are provisions involving the use of personal data. Such provisions will engage data protection issues and will have to be carried out according to the data protection directives. Alongside this primary aim of codifying ECJ case law the Patient’s Rights Directive also introduces novel initiatives aimed at fostering cross border cooperation between various elements of national healthcare systems.Part 1 of this contribution will describe the legal basis and the aims of the PRD, Part 2 will describe the principle obligations placed on the Member States with regard to reimbursement, Parts 3 and 4 will describe other informational and procedural requirements placed upon the Member States of Treatment and Affiliation. Finally Part 5 will outline some of the novel initiatives that have been included in the PRD.The increases in the frequency of cross border-treatment that this directive attempts to facilitate are likely to see a concurrent increase in cross-border patient information flows. Such data flows will be subject to the Union’s provisions on Data Protection. It remains uncertain whether the EU’s Data Protection regime will act as inhibitor to cross-border medical treatment or rather represent a gold standard that allows patients to engage in such activities with peace of mind. The Patient’s Rights Directive will form part of the EU’s future e-Health strategy which envisages a large increase in the fluidity of patient data. A discussion of this directive is therefore merited in this journal.     

Legal developments and industry issues relevant to IT,media and telecommunications law in key jurisdictions across the Asia Pacific

This column provides a country by country analysis of the latest legal developments, cases and issues relevant to the IT, media and telecommunications' industries in key jurisdictions across the Asia Pacific region. The articles appearing in this column are intended to serve as ‘alerts’ and are not submitted as detailed analyses of cases or legal developments.     

Legal developments and industry issues relevant to IT,media and telecommunications law in key jurisdictions across the Asia Pacific

This column provides a country by country analysis of the latest legal developments, cases and issues relevant to the IT, media and telecommunications' industries in key jurisdictions across the Asia Pacific region. The articles appearing in this column are intended to serve as ‘alerts’ and are not submitted as detailed analyses of cases or legal developments.     

Banking in the cloud: Part 2 – regulation of cloud as ‘outsourcing’

This paper looks at EU banks' use of public cloud computing services. It is based primarily on anonymised interviews with banks, cloud providers, advisers, and financial services regulators. The findings are presented in three parts. Part 1 explored the extent to which banks operating in the EU, including global banks, use public cloud computing services.Part 2 of this paper covers the main legal and regulatory issues that may affect banks' use of cloud services. It sets out how EU banking regulators have approached banks' use of cloud services and considers regulators' lack of cloud computing knowledge. The paper further considers how the regulation of outsourcing applies to banks' use of cloud services, including whether cloud computing constitutes “outsourcing”. It analyses the contentious issue of contractual audit rights for regulators as well as legal and practical issues around risk assessments, security, business continuity, concentration risk, bank resolution, and banking secrecy laws.Part 3 looks at the key contractual issues that arise between banks and cloud service providers, including data protection requirements, termination, service changes, and liability.All three parts of the paper can be accessed via Computer Law and Security Review's page on ScienceDirect at: http://www.sciencedirect.com/science/journal/02673649?sdc=2. The full list of sources is available via the same link and will be printed alongside the third part of the article.     

Banking in the cloud: Part 1 – banks' use of cloud services

This paper looks at EU banks' use of public cloud computing services. It is based primarily on anonymised interviews with banks, cloud providers, advisers, and financial services regulators. The findings are presented in three parts. Part 1 explores the extent to which banks operating in the EU, including global banks, use public cloud computing services. It describes how banks are using cloud computing and the key drivers for doing so (such as time to market), as well as real and perceived barriers (such as misconceptions about cloud and financial services regulation), including cultural and technical/commercial aspects. It summarises how banks have approached the cloud and how cloud providers have approached the banking sector.Part 2 of this paper will cover the main legal and regulatory issues that may affect banks' use of cloud services, including how the regulation of outsourcing applies to banks' use of cloud services. Part 3 will look at the key contractual issues that arise between banks and cloud service providers, including data protection requirements, termination, service changes, and liability.All three parts of the paper can be accessed via Computer Law and Security Review's page on ScienceDirect at: http://www.sciencedirect.com/science/journal/02673649?sdc=2. The full list of sources is available via the same link and will be printed alongside the third part of the paper.     

Privacy and the regulation of 2012

This paper explores the European Commission’s proposal for a new Regulation to update and reform data protection law in Europe. As regards the Regulation itself, without presenting an exhaustive analysis of all the provisions, this paper aims to highlight some significant changes proposed to the data protection regime by comparison between Directive 95/46 and the proposed Regulation. It takes particularly into account legislative innovation concerning data protection principles, data subjects’ rights, data controllers and data processors obligations, and the regulation of technologies. Before analyzing these innovations, it introduces some considerations about the Commission’s choice to use a Regulation instead of a Directive to harmonize national data protection regime.