Similar literature
Found 20 similar documents; search took 31 ms.
1.
This article reports on preliminary findings and recommendations of a cross-discipline project to accelerate international business-to-business automated sharing of cyber-threat intelligence, particularly IP addresses. The article outlines the project and its objectives and the importance of determining whether IP addresses can be lawfully shared as cyber threat intelligence. The goal of the project is to enhance cyber-threat intelligence sharing throughout the cyber ecosystem. The findings and recommendations from this project enable businesses to navigate the international legal environment and develop their policy and procedures to enable timely, effective and legal sharing of cyber-threat information. The project is the first of its kind in the world. It is unique in both focus and scope. Unlike the cyber-threat information sharing reviews and initiatives being developed at country and regional levels, the focus of this project and this article is on business-to-business sharing. The scope of this project in terms of the 34 jurisdictions reviewed as to their data protection requirements is more comprehensive than any similar study to date. This article focuses on the sharing of IP addresses as cyber threat intelligence in the context of the new European Union (EU) data protection initiatives agreed in December 2015 and formally adopted by the European Council and Parliament in April 2016. The new EU General Data Protection Regulation (GDPR) applies to EU member countries, a major focus of the international cyber threat sharing project. The research also reveals that EU data protection requirements, particularly the currently applicable law of the Data Protection Directive 95/46/EC (1995 Directive) (the rules of which the GDPR will replace in practice in 2018), generally form the basis of current data protection requirements in countries outside Europe. It is expected that this influence will continue and that the GDPR will shape the development of data protection internationally. In this article, the authors examine whether static and dynamic IP addresses are “personal data” as defined in the GDPR and its predecessor the 1995 Directive that is currently the model for data protection in many jurisdictions outside Europe. The authors then consider whether sharing of that data by a business without the consent of the data subject, can be justified in the public interest so as to override individual rights under Articles 7 and 8(1) of the Charter of Fundamental Rights of the European Union, which underpin EU data protection. The analysis shows that the sharing of cyber threat intelligence is in the public interest so as to override the rights of a data subject, as long as it is carried out in ways that are strictly necessary in order to achieve security objectives. The article concludes by summarizing the project findings to date, and how they inform international sharing of cyber-threat intelligence within the private sector.

2.
Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement. The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protection authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not in all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.

3.
Although the trend towards pluralisation within the institutional framework of the EU is somewhat reflected in theoretical efforts, legal scholarship's answer remains incomplete. Acknowledging that legal personality is always relative—ie related to a particular legal system—personality under EU Law should be recognised and developed as a distinct category. This allows for reconsideration and rearrangement of inter‐ and intrapersonal relations in EU Law: inter‐institutional agreements can gain firmer legal ground, the recognition of hierarchical structures within the EU executive branch can advance the maintenance of the rule of law, legal protection of the Union's citizens shall be advanced, and options as well as limits to privatising organisation at the EU level shall be formulated. On the whole, methodological self‐reflection along these lines is bound to lead to a valuable contribution of legal research in times of EU crisis.

4.
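The evolution of EU legislation on personal data protection shows signs that personal data is beginning to move from the traditional model of protection under the right to privacy towards a model of protection under property rights. This does not signal a new opportunity for the data industry; rather, it is a new attempt to adjust the increasingly unbalanced relationship between data subjects and data controllers. The property-rights model has advantages that the privacy-rights model cannot match, but it also faces difficulties in characterising the right and delimiting its scope. Unlike non-personal data, whose property attributes are more distinct, the civil rights and interests in personal data should be constructed as a system of legally protected property interests that is based on the data subject's property interests and has at its core the data controller's possessory interest in personal data. Only with data controllers and their obligations at the centre of this system can a balance be maintained between protecting data subjects and realising the utility of data.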

5.
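叶开儒 (Ye Kairu). 《法学评论》 (Law Review), 2020, (1): 106-117
The EU General Data Protection Regulation is one of the most important pieces of legislation on personal data protection, and its “long-arm jurisdiction” provisions are its most distinctive and most contested rules. From an internal perspective, the special meaning and important status of personal data in the EU context form the basis for the legitimacy of “long-arm jurisdiction”. Its institutional linkage of internal and external rules arises because the EU wants to reverse its disadvantaged position in the global internet and information industries, strengthen its voice in global data protection legislation, and at the same time better protect personal data and national security. In response, China's future data protection legislation should take account of the characteristics of its own data industry, clarify its legislative purpose, link internal and external rules, adopt a proactive stance in international internet and data governance, and secure a voice in this field.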

6.
For many years, transatlantic cooperation between the EU and the US in the area of personal data exchange has been a subject of special interest on the part of lawmakers, courts – including supranational ones – NGOs and the public. When implementing recent reform of data protection law, the European Union decided to further strengthen guarantees of the protection of privacy in cyberspace. At the same time, however, it faced the practical problem of how to ensure compliance with these principles in relation to third countries. The approach proposed in the GDPR, which is based on a newly-defined territorial scope of application, clearly indicates an attempt to apply EU rules extraterritorially in relation to data processors in third countries. Irrespective of EU activity, the United States has also introduced its own regulations addressing the same problem. An example is the federal law adopted in 2018, specifying how to execute national court orders for the transfer of electronic data. The CLOUD Act was established in response to legal doubts raised in the Microsoft v United States case regarding the transfer of electronic data stored in the cloud by US obliged entities to law enforcement authorities, as well as in cases where this data is physically located in another country and its transfer could result in violating the legal norms of a foreign jurisdiction. The CLOUD Act also facilitates bilateral international agreements that enable the cross-border transfer of e-evidence for the purposes of ongoing criminal proceedings. Both the content of the new regulations and the model proposed by the US legislature for future agreements concluded on the basis of the CLOUD Act can be seen as an alternative to regulations arising from EU law. The purpose of this paper is to analyse the CLOUD Act and CLOUD Act Agreements from the perspective of EU law and, in particular, attempt to answer the question as to whether this new legal mechanism brings the EU and the USA closer to finding common ground with regard to a coherent model of exchange and protection of personal data.

7.
The entry into force of the EU Charter of Fundamental Rights and the ensuing introduction of the right to data protection as a new fundamental right in the legal order of the EU has raised some challenges. This article is an attempt to bring clarity on some of these questions. We will therefore try to address the issue of the place of the right to the protection of personal data within the global architecture of the Charter, but also the relationship between this new fundamental right and the already existing instruments. In doing so, we will analyse the most pertinent case law of the Court of Luxembourg, only to find out that it creates more confusion than clarity. The lesson we draw from this overview is that the reasoning of the Court is permeated by a ‘privacy thinking’, which consists not only in overly linking the rights to privacy and data protection, but also in applying the modus operandi of the former to the latter (which are different we contend). The same flawed reasoning seems to be at work in the EU Charter of Fundamental Rights. Therefore, it is crucial that the different modi operandi be acknowledged, and that any upcoming data protection instrument is accurately framed in relation with Article 8 of the Charter.

8.
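张冬 (Zhang Dong). 《河北法学》 (Hebei Law Science), 2012, (1): 70-71,72,73,74,75,76,77
Resolving the problem of intellectual property protection for traditional Chinese medicine cannot be separated from international considerations, but internationalisation cannot be equated with westernisation, and in particular with Americanised standards for the approval and protection of Western medicines; this is the latest lesson for China from the crisis of zero registrations of Chinese medicine in the EU. Starting from the effects on competition in the Chinese and US markets for Chinese medicine of three main paths (special patent protection, special protection of traditional knowledge, and no protection as public-domain knowledge), the paper applies game-theoretic equilibrium theory, an important tool of the methodology of practical effect, to carry out a comparative data-based and logical analysis of the different benefits produced by the different paths chosen by China and the US for protecting Chinese medicine and botanical drugs. The study finds that China's best choice for the international protection of intellectual property in Chinese medicine is to clarify the intellectual property status of Chinese medicine as traditional knowledge, and that promoting the patenting of botanical drugs in the US is feasible in terms of interests. It recommends that, while building a dedicated domestic legal regime for protecting traditional knowledge of Chinese medicine, China should creatively promote scientific and technological innovation in Chinese medicine, international cooperation, and the revision of the relevant international conventions.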

9.
This paper presents an analysis of Russian data retention regulations. The most controversial point of the Russian data retention requirements is an obligation to keep the content of communications that is untypical for legislation of European and other countries. These regulations that oblige telecom operators and Internet communication services to store the content of communications should come into force on July 1, 2018. The article describes in detail the main components of the data retention mechanism: the triggers for its application, its scope, exemptions and barriers to its enforcement. Attention is paid to specific principles for implementation of content retention requirements based on the concepts of proportionality, reasonableness and effectiveness. Particular consideration is given to the comparative aspects of the Russian data retention legislation and those applying in different countries (mainly EU member states). The article focuses on the differences between the Russian and EU approaches to the question of how to strike a balance between public security interests and privacy. While the EU model of data retention is developing in the context of profound disputes on human rights protection, the Russian model is mostly concentrated on security interests and addresses mainly economic, technological aspects of its implementation. The paper stresses that a range of factors (legal, economic and technological) needs to be taken into account for developing an optimal data retention system. Human rights guarantees play the key role in legitimization of such intrusive measures as data retention. Great attention should be paid to the procedures, precise definitions, specification of entitled authorities and the grounds for access to data, providing legal immunities and privileges, etc. Only this extensive range of legal guarantees can balance intervention effect of state surveillance and justify data retention practices.

10.
In recent years, academics and professionals witness the rise of the “ethification” of law, specifically in the area of ICT law. Ethification shall be understood as a proliferation of moral principles and moral values in the legal discourse within the areas of research, innovation governance, or directly enforceable rules in the industry. Although the ethical considerations may seem distant from mere regulatory compliance, the opposite is true. The article focuses on the positive side of the “ethification” of digital laws through the lens of legal requirements for impact assessments pursuant to General Data Protection Regulation and conformity assessments in the proposal for the Artificial Intelligence Act. Authors argue that ethical considerations are often absent in the context of using new technologies including artificial intelligence, yet they may provide additional value for organizations and society as a whole. Additionally, carrying out ethics-based assessments is already in line with existing regulatory requirements in the fields of data protection law and proposed EU AI regulation. These arguments are reflected in the context of facial recognition technology, where both data protection impact assessment under the EU General Data Protection Regulation and conformity assessment under the proposal of the EU Artificial Intelligence Act will be mandatory. Facial recognition technology is analyzed through the ethics-based assessment involving stakeholder analysis, data flows map, and identification of risks and respective countermeasures to show additional insights that ethics provides beyond regulatory requirements.

11.
Editor’s Note     
In the context of today’s big data and cloud computing, the global flow of data has become a powerful driver for international economic and investment growth. The EU and the U.S. have created two different paths for the legal regulation of the cross-border flow of personal data due to their respective historical traditions and realistic demands. The requirements for data protection have shown significant differences. The EU advocates localization of data and firmly restricts cross-border flow of personal data. The U.S. tends to protect personal data through industry self-regulation and government law enforcement. At the same time, these two paths also merge and supplement each other. Based on this, China needs to learn from the legal regulatory paths of the EU and the US, respectively, to establish a legal idea that places equal emphasis on personal data protection and the development of the information industry. In terms of domestic law, the Cybersecurity Law of the People’s Republic of China needs to be improved and supplemented by relevant supporting legislation to improve the operability of the law; the industry self-discipline guidelines should be established; and various types of cross-border data need to be classified and supervised. In terms of international law, it is necessary to participate in international cooperation based on the priority of data sovereignty and promote the signing of bilateral, multilateral agreements, and international treaties on the cross-border flow of personal data.

12.
The trend towards the financialisation of housing since the 1980s and the global financial crisis exposed a dramatic lacuna in the legal protection of the right to housing. Yet, the right to housing features not only in national and international human rights instruments, but also in the EU Charter of Fundamental Rights. Charter rights are increasingly finding expression in the case law of the Court of Justice of the European Union (CJEU). In particular, drawing on the Charter, the CJEU's interpretation of EU consumer law is moving towards a recognition of housing rights as inherent components of consumer protection. On the basis of such developments, this article examines whether there is scope to extend this human rights approach to new areas – namely, to the Mortgage Credit Directive (2014) – a major EU harmonising measure – and to the work of EU institutions now responsible for banking supervision. The article concludes that, if guided by the Charter of Fundamental Rights, the case law of the CJEU and the practice of supranational banking supervision could significantly enhance the protection of the right to housing, both at EU and Member State level.

13.
This paper discusses the feasibility of EU legal action in the field of electronic identity (eID) within the new distribution of legal competences and the provision of novel legal basis engendered by the Treaty of Lisbon. The article attempts to find a ‘legal anchor’ to the idea of a pan-European electronic identity within EU law, looking at the issues of competences and legal basis. After examining various different areas of competence and the most feasible (and probable) candidates for a legal basis supporting an EU legal framework for eID, the paper argues that the latter should be found in the combination of Article 16 TFEU (concerning the right to the protection of personal data) with Article 3 TUE, and Articles 26 and 114 TFEU (concerning the establishment and functioning of the Internal Market), which also constitute the area of competence where an eID legal initiative can be pursued.

14.
The rise of biometric data use in personal consumer objects and governmental (surveillance) applications is irreversible. This article analyses the latest attempt by the General Data Protection Regulation (EU) 2016/679 and the Directive (EU) 2016/680 to regulate biometric data use in the European Union. We argue that the new Regulation fails to provide clear rules and protection which is much needed out of respect of fundamental rights and freedoms by making an artificial distinction between various categories of biometric data. This distinction neglects the case law of the European Court of Human Rights and serves the interests of large (governmental) databases. While we support regulating the use and the general prohibition in the GDPR of using biometric data for identification, we regret this limited subjective and use based approach. We argue that the collection, storage and retention of biometric images in databases should be tackled (objective approach). We further argue that based on the distinctions made in the GDPR, several categories of personal data relating to physical, physiological or behavioural characteristics are made to which different regimes apply. Member States are left to adopt or modify their more specific national rules which are eagerly awaited. We contend that the complex legal framework risks posing headaches to bona fide companies deploying biometric data for multifactor authentication and that the new legal regime is not reaching its goal of finding a balance between the free movement of such data and protecting citizens. Law enforcement authorities also need clear guidance. It is questioned whether Directive (EU) 2016/680 provides this.

15.
Beneath the surface of steady changes in EU administrative law lurk a number of long‐term, structural problems. In this article, I argue that, because of these structural problems, EU administrative law is failing in some of its crucial tasks: (1) finding a balance between administrative convergence and administrative diversity within the EU legal system, (2) structuring administrative power and its exercise, (3) governing administrative instability. EU administrative law, however, is not necessarily trapped in the status quo. By identifying and articulating a number of long‐term problems, this article aims at providing some tools that future research could use in the discussion on the possible ways forward. More generally, it suggests that EU administrative law should be reshaped as a project of institutional design.

16.
Biobanks are increasingly seen as new tools for medical research. Their main purpose is to collect, store, and distribute human body materials. These activities are regulated by legal instruments which are heterogeneous in source (national and international), and in form (binding and non-binding). We analyse these to underline the need for a new model of governance for modern biobanks. The protection initially ensured by respect for fundamental rights will need to focus on more interactions with society in order to ensure biobanks' sustainability. International regulation is more oriented on ethical principles and traces the limits of the uses of genetics, while European regulation is more concerned with the protection of fundamental rights and the elaboration of standards for biobanks' quality assurance. But is this protection adequate and sufficient? Do we need to move from the biomedical research analogy to new forms of legal protection, and governance systems which involve citizens?

17.
The changes imposed by new information technologies, especially pervasive computing and the Internet, require a deep reflection on the fundamental values underlying privacy and the best way to achieve their protection. The explicit consent of the data subject, which is a cornerstone of most data protection regulations, is a typical example of a requirement which is very difficult to put into practice in the new world of “pervasive computing” where many data communications necessarily occur without the users' notice. In this paper, we argue that an architecture based on “Privacy Agents” can make privacy rights protection more effective, provided however that this architecture meets a number of legal requirements to ensure the validity of consent delivered through such Privacy Agents. We first present a legal analysis of consent considering successively (1) its nature; (2) its essential features (qualities and defects) and (3) its formal requirements. Then we draw the lessons of this legal analysis for the design of a valid architecture based on Privacy Agents. To conclude, we suggest an implementation of this architecture proposed in a multidisciplinary project involving lawyers and computer scientists.

18.
Financial Intelligence Units (FIUs) are key players in the current Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) legal system. FIUs are specialised bodies positioned between private financial institutions and states’ law enforcement authorities, which renders them a crucial middle link in the chain of information exchange between the private and public sectors. Considering that a large share of this information is personal data, its processing must meet the minimum data protection standards. Yet, the EU data protection legal framework is composed of two main instruments, i.e. the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), which provide different thresholds for the protection of personal data. The aim of this paper is to clarify the applicable data protection legal regime for the processing of personal data by FIUs for AML/CFT purposes. To that end, the paper provides an overview of the nature and goals of AML/CFT policy and discusses the problem of the diversity of existing FIU models. Further, it proposes a number of arguments in favour of and against the possibility of applying either the GDPR or LED to the processing of personal data by the FIUs and reflects on how convincingly these arguments can be used depending on the specificities of a given FIU model.

19.
Big data and machine learning algorithms have paved the way towards the bulk accumulation of tax and financial data which are exploited to either provide novel financial services to consumers or to augment authorities with automated conformance checks. In this regard, the international and EU policies toward collecting and exchanging a large amount of personal tax and financial data to facilitate innovation and to promote transparency in the financial and tax domain have been increased substantially over the last years. However, this vast collection and utilization of “big” tax and financial data raise also considerations around privacy and data protection, especially when these data are fed to clever algorithms to build detailed personal profiles or to take automated decisions which may exceptionally affect people's lives. Ultimately, these practices of profiling tax and financial behaviour provide fertile ground for discriminating processing of individuals and groups. In light of the above, this paper aims to shed light on the following four interdependent and highly disputed areas: firstly, to review the most well-known profiling and automated decision risks emerged from big data technology and machine learning algorithmic processing as well as to analyse their impact on the tax and financial privacy rights through their immense profiling practices; secondly, to document the current EU initiatives toward financial and tax transparency, namely the AEOI, PSD2, MiFID2, and data retention policies, along with their implications for personal data protection when used for profiling and automated decision purposes; thirdly, to highlight the way forward for mitigating the risks of profiling and automated decision in the big data era and to investigate the protection of individuals against these practices in the light of the new technical and legal frameworks; in this respect, we finally delve into the regulatory EU efforts towards fairer and accountable profiling and automated decision processes, and in particular we examine the extent to which the GDPR provisions establish a protection regime for individuals against advanced profiling techniques, enabling thus accountability and transparency.

20.
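杨帆 (Yang Fan). 《环球法律评论》 (Global Law Review), 2022, 44(1): 178-192
The Schrems II case has had a major impact on the EU's system of rules for cross-border data flows, which is built around the right to privacy and data protection: it requires that, whatever tool is used for cross-border data flows, the third country must be able to provide a level of protection equivalent to that of the EU. Under the influence of the case, the status of the Charter of Fundamental Rights of the European Union in the field of data protection has risen further, the application of safeguards has become increasingly strict, the European Data Protection Board will play a more important role in data protection, and the incompatibility between EU rules on cross-border data flows and international trade law has become increasingly prominent. Although the EU has refined its legal regulation of cross-border data transfers in light of the Schrems II judgment, this has not reduced outside doubts about the reasonableness of that regulation. China's regulation of cross-border data flows suffers from problems such as incomplete supporting legislation, rules that are hard to put into operation, an imbalance among plural values, and the lack of a “Chinese approach” that links internal and external rules. In response, China should improve its relevant legislation and strengthen international cooperation between China and the EU, so as to jointly lead the construction of international rules on cross-border data flows.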
