Internet of Things – New security and privacy challenges

The Internet of Things, an emerging global Internet-based technical architecture facilitating the exchange of goods and services in global supply chain networks has an impact on the security and privacy of the involved stakeholders. Measures ensuring the architecture's resilience to attacks, data authentication, access control and client privacy need to be established. An adequate legal framework must take the underlying technology into account and would best be established by an international legislator, which is supplemented by the private sector according to specific needs and thereby becomes easily adjustable. The contents of the respective legislation must encompass the right to information, provisions prohibiting or restricting the use of mechanisms of the Internet of Things, rules on IT-security-legislation, provisions supporting the use of mechanisms of the Internet of Things and the establishment of a task force doing research on the legal challenges of the IoT.     

Regulating intersectional activity: privacy and energy efficiency,laws and technology

Using a case study, this paper explores the extent to which one area of law (privacy and data protection) can intersect with, and be challenged by, proposals for delivery of another goal – greater energy efficiency. The article then explores the extent to which these fields are becoming more integrated; and also the risks of relying on technology (notably through Privacy by Design) to do this, particularly given the uncertainties embraced by lawyers and which can be problematic to technologists. Having identified challenges in meeting both energy efficiency and privacy/data protection goals at the same time, the article develops two responses. One looks more widely in law, to competition, to prevent particular activity and to confirm the relevance of greater legal interdisciplinarity. The other is a more multi-faceted collaborative governance approach, involving legal and technical expertise and consumer perspectives, with standards having a valuable role. Addressing climate change through greater energy efficiency should be an appropriate motivation to bring about this second approach, which draws on wider environmental governance developments. With largely a UK and EU focus, but seeking to be of transnational relevance, the paper makes key contributions as to the capacity and limits of how law can address societal challenges; explores the risks of assuming that social and legal problems can be readily addressed by technology; confirms the need for lawyers to look to other fields of law; and assists progress in an increasingly intersectional and dynamic field.     

The End of Innocence: Open Justice,Free Speech and Privacy in the Modern Constitution – Khuja (formerly PNM) v Times Newspapers Limited

This case note explores the issue of open justice considered by Khuja (formerly PNM) v Times Newspapers Limited in the Supreme Court and argues that the current law is confused and incoherent. Far from settling the debate, it is suggested that the decision further undermines some of the key assumptions underpinning the current approach, especially in the light of the compelling and humane minority judgment. This leaves the area ripe for reconsideration in general terms. This note challenges many of the formulaic slogans and rhetoric in previous case law as well as suggesting that the meaning of open justice has been lost in current discourse. After summarising the facts, this note sets out the majority and minority judgments, before analysing some of the conceptual difficulties raised – particularly those of open justice, privacy, presumption of innocence and freedom of speech.     

Normative challenges of identification in the Internet of Things: Privacy,profiling, discrimination,and the GDPR

In the Internet of Things (IoT), identification and access control technologies provide essential infrastructure to link data between a user's devices with unique identities, and provide seamless and linked up services. At the same time, profiling methods based on linked records can reveal unexpected details about users' identity and private life, which can conflict with privacy rights and lead to economic, social, and other forms of discriminatory treatment. A balance must be struck between identification and access control required for the IoT to function and user rights to privacy and identity. Striking this balance is not an easy task because of weaknesses in cybersecurity and anonymisation techniques. The EU General Data Protection Regulation (GDPR), set to come into force in May 2018, may provide essential guidance to achieve a fair balance between the interests of IoT providers and users. Through a review of academic and policy literature, this paper maps the inherent tension between privacy and identifiability in the IoT. It focuses on four challenges: (1) profiling, inference, and discrimination; (2) control and context-sensitive sharing of identity; (3) consent and uncertainty; and (4) honesty, trust, and transparency. The paper will then examine the extent to which several standards defined in the GDPR will provide meaningful protection for privacy and control over identity for users of IoT. The paper concludes that in order to minimise the privacy impact of the conflicts between data protection principles and identification in the IoT, GDPR standards urgently require further specification and implementation into the design and deployment of IoT technologies.     

A new approach to the right to privacy,or how the European Court of Human Rights embraced the non-domination principle

As it is currently regulated, the right to privacy is predominantly conceived as a subjective right protecting the individual interests of natural persons. In order to determine whether this right has been affected in a specific situation, the so-called ‘non-interference’ principle is applied. Using this concept, it follows that the right to privacy is undermined if an ‘infringement’ with that right by a third party can be demonstrated. Although the ‘infringement’-criterion works well when applied to more traditional privacy violations, such as a third party entering the home of an individual or eavesdropping on a private conversation, with respect to modern data-driven technologies, it is often very difficult to demonstrate an actual and concrete ‘infringement’ on a person's right or freedom. Therefore, an increasing number of privacy scholars advocate the use of another principle, namely the republican idea of ‘non-domination’. At the core of this principle is not the question of whether there has been an ‘interference’ with a right; rather, it looks at existing power relations and the potential for the abuse of power. Interestingly, in recent times, the European Court of Human Rights seems to accept the republican approach to privacy when it deals with complex data-driven cases.     

How about me? The scope of personal information under the Australian Privacy Act 1988

A recent Australian Federal Court decision has raised the issue of the scope of information protected under the Australian Privacy Act 1988. The Court failed to adequately address this question, leaving Australians unsure as to whether sections of their information, such as the IP addresses allocated to their mobile devices, will be considered personal information under the Act. The main consideration the Court dealt with was what it means for information to be “about” an individual. In this paper I address two questions: a) how is information determined to be “about” an individual under the Act; and b) how should this determination be made in the future? I conclude that currently available guidance from the courts, the Australian Information Commissioner and scholarly commentary are inadequate to enable individuals, organisations and agencies to consistently make such determinations. Accordingly I draw on approaches to this question taken in Canada, New Zealand, the European Union and the United Kingdom to argue that the definition should be broadly interpreted in a technologically-aware manner. This will help to ensure that personal information is more comprehensively protected under the Privacy Act.     

秘密监听问题探析

随着社会的发展和犯罪手段日益智能化,秘密监听作为一种高科技刑事侦查手段,在司法实务中被广泛地应用于侦破犯罪案件。然而同国外发达国家相比,我国关于秘密监听的立法还很不完善,司法实践中容易造成混乱,并与公民的隐私权相冲突。为此,需要探讨秘密监听的立法起源,结合证据学阐明秘密监听的证据效力,并针对秘密监听在立法、司法中存在的问题,对它的适用条件,程序机制及个人权利的保护提出可行性的构想。     

Privacy impact assessment: Its origins and development

Privacy impact assessment (PIA) is a systematic process for evaluating the potential effects on privacy of a project, initiative or proposed system or scheme. Its use has become progressively more common from the mid-1990s onwards.