How about me? The scope of personal information under the Australian Privacy Act 1988

A recent Australian Federal Court decision has raised the issue of the scope of information protected under the Australian Privacy Act 1988. The Court failed to adequately address this question, leaving Australians unsure as to whether sections of their information, such as the IP addresses allocated to their mobile devices, will be considered personal information under the Act. The main consideration the Court dealt with was what it means for information to be “about” an individual. In this paper I address two questions: a) how is information determined to be “about” an individual under the Act; and b) how should this determination be made in the future? I conclude that currently available guidance from the courts, the Australian Information Commissioner and scholarly commentary are inadequate to enable individuals, organisations and agencies to consistently make such determinations. Accordingly I draw on approaches to this question taken in Canada, New Zealand, the European Union and the United Kingdom to argue that the definition should be broadly interpreted in a technologically-aware manner. This will help to ensure that personal information is more comprehensively protected under the Privacy Act.     

Privacy regulations on biometrics in Australia

This paper aims to provide an analysis of the current regulatory environment, at the federal level, of privacy protection concerning biometrics in Australia. The study only focuses on the federal Privacy Act 1988 (Cth) and the Biometrics Institute Privacy Code. The discussion is based on the legal concerns of the use of biometrics, and an analysis is made concerning the implications of privacy protection sources.     

A comparison of proposed legislative data privacy protections in the United States

The use of online consumer tracking methods has raised significant privacy concerns for consumers and policymakers for decades. Advertisers using these methods analyze web-viewing habits to predict consumer preferences and actions. The advertising industry in the United States has promoted self-regulatory principles to respond to these concerns. However, in December 2010, the U.S. Federal Trade Commission reported that these efforts “have been too slow and up to now have failed to provide adequate and meaningful protection.” President Barack Obama's administration has supported broader legislation for comprehensive protection of individuals' private data. The leading model for data privacy protection is the 1980 Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. This article examines two leading legislative privacy proposals in the context of the OECD principles. This examination concludes that, although the proposals do not provide sufficient comprehensive privacy protections, they do fill significant gaps in current U.S. privacy laws.     

A walk in to the cloud and cloudy it remains: The challenges and prospects of ‘processing’ and ‘transferring’ personal data

Cloud computing is an information technology technique that promises greater efficiency and reduced-cost to consumers, businesses and public institutions. However, to the extent it has brought better efficiency and minimal cost, the emergence of cloud computing has posed a significant regulatory challenge on the application of data protection rules particularly on the regime regulating cross-border data flow. The Data Protection Directive (DPD), which dates back to 1995, is at odds with some of the basic technological and business-related features of the cloud. As a result, it is claimed that the Directive hardly offers any help in using the legal bases to ‘process’ and ‘transfer’ data as well as to determine when a transfer to a third country occurs in cloud computing. Despite such assertions, the paper argues that the ECJ's Bodil Lindqvist decision can to a certain extent help to delineate circumstances where transfer should and should not occur in the cloud. Concomitantly, the paper demonstrates that controllers can still make the most of the available possibilities in justifying their ‘processing’ as well as ‘transferring’ of data to a third country in cloud arrangements. In doing so, the paper also portrays the challenges that arise down the road. All legal perspectives are largely drawn from EU level though examples are given from member states and other jurisdictions when relevant.     

Protecting the privacy and security of sensitive customer data in the cloud

The global ubiquity of cloud computing may expose consumers' sensitive personal data to significant privacy and security threats. A critical challenge for the cloud computing industry is to earn consumers' trust by ensuring adequate privacy and security for sensitive consumer data. Regulating consumer privacy and security also challenges government enforcement of data protection laws that were designed with national borders in mind. From an information privacy perspective, this article analyses how well the regulatory frameworks in place in Europe and the United States help protect the privacy and security of sensitive consumer data in the cloud. It makes suggestions for regulatory reform to protect sensitive information in cloud computing environments and to remove regulatory constraints that limit the growth of this vibrant new industry.     

Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform

We describe the design, implementation, and evaluation of FROST—three new forensic tools for the OpenStack cloud platform. Our implementation for the OpenStack cloud platform supports an Infrastructure-as-a-Service (IaaS) cloud and provides trustworthy forensic acquisition of virtual disks, API logs, and guest firewall logs. Unlike traditional acquisition tools, FROST works at the cloud management plane rather than interacting with the operating system inside the guest virtual machines, thereby requiring no trust in the guest machine. We assume trust in the cloud provider, but FROST overcomes non-trivial challenges of remote evidence integrity by storing log data in hash trees and returning evidence with cryptographic hashes. Our tools are user-driven, allowing customers, forensic examiners, and law enforcement to conduct investigations without necessitating interaction with the cloud provider. We demonstrate how FROST's new features enable forensic investigators to obtain forensically-sound data from OpenStack clouds independent of provider interaction. Our preliminary evaluation indicates the ability of our approach to scale in a dynamic cloud environment. The design supports an extensible set of forensic objectives, including the future addition of other data preservation, discovery, real-time monitoring, metrics, auditing, and acquisition capabilities.     

Citizens' perceptions of data protection and privacy in Europe

Data protection and privacy gain social importance as technology and data flows play an ever greater role in shaping social structure. Despite this, understanding of public opinion on these issues is conspicuously lacking. This article is a meta-analysis of public opinion surveys on data protection and privacy focussed on EU citizens. The article firstly considers the understanding and awareness of the legal framework for protection as a solid manifestation of the complex concepts of data protection and privacy. This is followed by a consideration of perceptions of privacy and data protection in relation to other social goals, focussing on the most visible of these contexts–the debate surrounding privacy, data protection and security. The article then considers how citizens perceive the ‘real world’ environment in which data processing takes place, before finally considering the public's perception and evaluation of the operation of framework against environment.     

A Behavioural Understanding of Privacy and its Implications for Privacy Law

This article draws upon social interaction theory (the work of Irwin Altman) to develop a theory of the right to privacy, which reflects the way that privacy is experienced. This theory states that the right to privacy is a right to respect for barriers, and that an invasion of privacy occurs when a privacy barrier is penetrated. The first part of the paper establishes the position of the author's theory in the existing scholarship. The second part of the paper expands upon the theory to explain the nature of privacy barriers and the way that the author's theory manages a number of specific privacy issues, including threats to privacy, attempted invasions of privacy, unforeseeable interferences with privacy and waiving the right to privacy. The final part of the paper demonstrates the impact that this approach to privacy could have upon judicial reasoning, in particular Article 8 European Convention on Human Rights.     

Privacy and personal data protection in China: An update for the year end 2009

This paper explores developments in privacy and data protection regulation in China. It argues that, since China is an emerging global economic power, the combination of domestic social economic development, international trade and economic exchange will encourage China to observe international standards of privacy and personal data protection in its future regulatory response.     

Privacy by design and anonymisation techniques in action: Case study of Match technology

Privacy by Design is now enjoying widespread acceptance. The EU has recently expressly included it as one of the key principles in the revised data protection legal framework. But how does Privacy by design and data anonymisation work in practise? In this article the authors address this question from a practical point of view by analysing a case study on EU Financial Intelligence Units (“FIUs”) using the Ma³tch technology as additional feature to the existing exchange of information via FIU.NET decentralised computer network. They present, analyse, and evaluate Ma³tch technology from the perspective of personal data protection. The authors conclude that Ma³tch technology can be seen as a valuable example of Privacy by Design. It achieves data anonymisation and enhances data minimisation and data security, which are the fundamental elements of Privacy by Design. Therefore, it may not only improve the exchange of information among FIUs and allow for the data processing to be in line with applicable data protection requirements, but it may also substantially contribute to the protection of privacy of related data subjects. At the same time, the case study clearly shows that Privacy by Design needs to be supported and complemented by appropriate organisational and technical procedures to assure that the technology solutions devised to protect privacy would in fact do so.     

德国竞争法的私人执行——历史局限和最新发展

从理论上说,德国比较重视竞争法的私人执行,但由于立法的不确定性和司法的限制性解释,德国竞争法的私人执行在《反限制竞争法》第7次修订前,其实际效果并不理想;私人执行既没有影响力,也没有决定力。第7次修订后,德国竞争法的私人执行制度在多个方面发生了积极的变化,以促进和强化竞争法的私人执行;但尽管如此,修订后的竞争法私人执行规定仍存在某些方面的不足,需要将来进一步发展。     

A Challenge for Police-Community Relations: Rethinking Stop and Search in England and Wales

This article presents research carried out as part of a government research programme looking at how police tactic of 'stop and search' in England and Wales. For many years, figures which have shown a higher rate of stop and search of minority ethnic groups, particularly black people, have provoked much controversy, and have been seen by many as a manifestation of police racism. This article reviews the way in which stop and search impacts on public confidence, with particular reference to those from minority ethnic groups. It goes on to explore its role within policing, including an examination of its effectiveness against crime and the evidence for racism in police practice. Following from this, it considers how stop and search can be used in a way that minimises negative impacts on the community and maximises its effectiveness against crime.     

Addressing identity crime in crime management information systems: Definitions,classification, and empirics

Identity fraud as a term and concept in its formative stages was often presumed to be identity theft and visa versa. However, identity theft is caused by the identities (or tokens) of individuals or organisations being stolen is an enabling precursor to identity fraud. The boundaries of identity fraud and identity theft are now better defined. The absence of specific identity crime legislation could be a cause of perpetrators not classified as breaching identity crimes but under other specific entrenched law such as benefit fraud, or credit card fraud. This metrics overlap can cause bias in crime management information systems. This study uses a multi-method approach where data was collected in both a quantitative and qualitative manner. These approaches are used as a lens for defining different classes of online identity crimes in a crime management (IS) security context. In doing so, we contribute to a deeper understanding of identity crime by specifically examining its hierarchical classes and definitions; to aid clearer structure in crime management IS. We seek to answer the questions: should current law around identity fraud continue to be reinforced and measures introduced to prevent identity crime; should laws be amended; or should new identity crime laws be constructed? We conclude and recommend a solution incorporating elements of all three.     

细化缓刑适用条件的若干思考——《刑法修正案（八）》对缓刑适用条件的修改及其展开

《刑法修正案（八）》对缓刑适用条件作了一定程度的细化，但还存在一些问题，包括没有对缓刑的裁量适用条件进行类型化、缓刑的强制适用条件过于绝对化、缓刑的禁止适用条件范围太小、没有规定适用缓刑的程序条件等。因此，刑法应对缓刑适用条件作进一步细化，以类型化的方式补充缓刑的裁量适用条件，完善缓刑的强制适用条件的规定方式，扩大缓刑的禁止适用条件的范围，增设缓刑适用的程序条件。