Oversight of HMRC soft law: lessons from the Ombudsman

An investigation of the role which the Ombudsman plays in tax law, on which comparatively little has been written, reveals that the body makes an important and distinct contribution. There is now almost universal acceptance that tax law is overly complex and indeterminate. If the primary law offers few answers to the taxpayer, then HMRC’s role as administrator of the system becomes apparent. Soft law elaborating upon how HMRC will apply the primary law to a given class of taxpayers is rendered indispensable. In practice however, HMRC soft law has often been found to be deficient. Analysis of the current oversight arrangements for HMRC soft law immediately reveals the genesis of these issues. Select committees exercise Parliamentary control, whilst an independent body performs external audits. These entities however only incommensurately examine the soft law. Into this void steps the Parliamentary and Health Service Ombudsman, a body which has ‘carved for itself a distinctive niche’ in the public law framework. The paper accordingly seeks to elaborate upon the important role that the Ombudsman plays in scrutinising HMRC soft law and the lessons which can be derived from this analysis.     

Inheritance tax on trusts

In addition to the extensive changes made by the Finance Act2006 to the inheritance tax rules on trusts, there is now afurther significant development. HM Revenue and Customs (HMRC)have recently responded to a number of questions raised by severalprofessional bodies including STEP (the Society of Trust andEstate Practitioners) and the CIOT (the Chartered Instituteof Taxation) on a number of detailed points on the new legislation.The responses from HMRC are very helpful and will clarify anumber of important matters, although there are a number ofissues that still need to be resolved. The main areas whichwere covered in the questions are outlined in this article.     

The introduction of data breach notification legislation in Australia: A comparative view

This article argues that Australia's recently-passed data breach notification legislation, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), and its coming into force in 2018, makes an internationally important, yet imperfect, contribution to data breach notification law. Against the backdrop of data breach legislation in the United States and European Union, a comparative analysis is undertaken between these jurisdictions and the Australian scheme to elucidate this argument. Firstly, some context to data breach notification provisions is offered, which are designed to address some of the problems data breaches cause for data privacy and information security. There have been various prominent data breaches affecting Australians over the last few years, which have led to discussion of what can be done to deal with their negative effects. The international context of data breach notification legislation will be discussed, with a focus on the United States and European Union jurisdictions, which have already adopted similar laws. The background to the adoption of the Australia legislation will be examined, including the general context of data privacy and security protection in Australia. The reform itself will be then be considered, along with the extent to which this law is fit for purpose and some outstanding concerns about its application. While data breach notification requirements are likely to be a positive step for data security, further reform is probably necessary to ensure strong cybersecurity. However, such reform should be cognisant of the international trends towards the adoption of data security measures including data breach notification, but lack of alignment in standards, which may be burdensome for entities operating in the transnational data economy.     

From ugly duckling to Swan. The rise of data protection and its limits

This article considers the development of data protection laws from a position on the periphery of legal consciousness to the situation where it is the subject of intensive legal and media publicity. Focusing on the recent controversies surrounding the use of Facebook apps for political purposes, the article will consider the role and limitations of data and privacy protection laws. The question will be posed – if not answered – whether national or regional laws can be effective in what increasingly is a global information society.     

Patching the patchwork: appraising the EU regulatory framework on cyber security breaches

Breaches of security, a.k.a. security and data breaches, are on the rise, one of the reasons being the well-known lack of incentives to secure services and their underlying technologies, such as cloud computing. In this article, I question whether the patchwork of six EU instruments addressing breaches is helping to prevent or mitigate breaches as intended. At a lower level of abstraction, the question concerns appraising the success of each instrument separately. At a higher level of abstraction, since all laws converge on the objective of network and information security – one of the three pillars of the EU cyber security policy – the question is whether the legal ‘patchwork’ is helping to ‘patch’ the underlying insecurity of network and information systems thus contributing to cyber security. To answer the research question, I look at the regulatory framework as a whole, from the perspective of network and information security and consequently I use the expression cyber security breaches. I appraise the regulatory patchwork by using the three goals of notification identified by the European Commission as a benchmark, enriched by policy documents, legal analysis, and academic literature on breaches legislation, and I elaborate my analysis by reasoning on the case of cloud computing. The analysis, which is frustrated by the lack of adequate data, shows that the regulatory framework on cyber security breaches may be failing to provide the necessary level of mutual learning on the functioning of security measures, awareness of both regulatory authorities and the public on how entities fare in protecting data (and the related network and information systems), and enforcing self-improvement of entities dealing with information and services. I conclude with some recommendations addressing the causes, rather than the symptoms, of network and information systems insecurity.     

Protecting the privacy and security of sensitive customer data in the cloud

The global ubiquity of cloud computing may expose consumers' sensitive personal data to significant privacy and security threats. A critical challenge for the cloud computing industry is to earn consumers' trust by ensuring adequate privacy and security for sensitive consumer data. Regulating consumer privacy and security also challenges government enforcement of data protection laws that were designed with national borders in mind. From an information privacy perspective, this article analyses how well the regulatory frameworks in place in Europe and the United States help protect the privacy and security of sensitive consumer data in the cloud. It makes suggestions for regulatory reform to protect sensitive information in cloud computing environments and to remove regulatory constraints that limit the growth of this vibrant new industry.     

“In the public interest”: The privacy implications of international business-to-business sharing of cyber-threat intelligence

This article reports on preliminary findings and recommendations of a cross-discipline project to accelerate international business-to-business automated sharing of cyber-threat intelligence, particularly IP addresses. The article outlines the project and its objectives and the importance of determining whether IP addresses can be lawfully shared as cyber threat intelligence.The goal of the project is to enhance cyber-threat intelligence sharing throughout the cyber ecosystem. The findings and recommendations from this project enable businesses to navigate the international legal environment and develop their policy and procedures to enable timely, effective and legal sharing of cyber-threat information. The project is the first of its kind in the world. It is unique in both focus and scope. Unlike the cyber-threat information sharing reviews and initiatives being developed at country and regional levels, the focus of this project and this article is on business-to-business sharing. The scope of this project in terms of the 34 jurisdictions reviewed as to their data protection requirements is more comprehensive than any similar study to date.This article focuses on the sharing of IP addresses as cyber threat intelligence in the context of the new European Union (EU) data protection initiatives agreed in December 2015 and formally adopted by the European Council and Parliament in April 2016. The new EU General Data Protection Regulation (GDPR) applies to EU member countries, a major focus of the international cyber threat sharing project. The research also reveals that EU data protection requirements, particularly the currently applicable law of the Data Protection Directive 95/46/EC (1995 Directive) (the rules of which the GDPR will replace in practice in 2018), generally form the basis of current data protection requirements in countries outside Europe. It is expected that this influence will continue and that the GDPR will shape the development of data protection internationally.In this article, the authors examine whether static and dynamic IP addresses are “personal data” as defined in the GDPR and its predecessor the 1995 Directive that is currently the model for data protection in many jurisdictions outside Europe. The authors then consider whether sharing of that data by a business without the consent of the data subject, can be justified in the public interest so as to override individual rights under Articles 7 and 8(1) of the Charter of Fundamental Rights of the European Union, which underpin EU data protection. The analysis shows that the sharing of cyber threat intelligence is in the public interest so as to override the rights of a data subject, as long as it is carried out in ways that are strictly necessary in order to achieve security objectives. The article concludes by summarizing the project findings to date, and how they inform international sharing of cyber-threat intelligence within the private sector.     

Opening up government data for Big Data analysis and public benefit

Governments around the world are posting many thousands of their datasets on online portals. A major purpose of releasing this data is to drive innovation through Big Data analysis, as well as to promote government transparency and accountability. This article considers the benefits and risks of releasing government data as open data, and identifies the challenges the Australian government faces in releasing its data into the public domain. The Australian government has ambitious aims to release greater amounts of its data to the public. However, it is likely this task will prove difficult due to uncertainties surrounding the reliability of de-identification and the requirements of privacy law, as well as a public service culture which is yet to fully embrace the open data movement.     

Profiling the mobile customer – Privacy concerns when behavioural advertisers target mobile phones – Part I

Mobile customers are being tracked and profiled by behavioural advertisers to be able to send them personalized advertising. This process involves data mining consumer databases containing personally-identifying or anonymous data and it raises a host of important privacy concerns. This article, the first in a two part series on consumer information privacy issues on Profiling the Mobile Customer, addresses the questions: “What is profiling in the context of behavioural advertising?” and “How will consumer profiling impact the privacy of mobile customers?” The article examines the EU and U.S. regulatory frameworks for protecting privacy and personal data in regards to profiling by behavioural advertisers that targets mobile customers. It identifies potential harms to privacy and personal data related to profiling for behavioural advertising. It evaluates the extent to which the existing regulatory frameworks in the EU and the U.S. provide an adequate level of privacy protection and identifies key privacy gaps that the behavioural advertising industry and regulators will need to address to adequately protect mobile consumers from profiling by marketers. The upcoming second article in this series will discuss whether industry self-regulation or privacy-enhancing technologies will be adequate to address these privacy gaps and makes suggestions for principles to guide this process.¹     

Protecting the communication: Data protection and security measures under telecommunications regulations in the digital age

This paper aims to provide a comparative overview and evaluation of various legal frameworks for electronic communications security in light of the recent developments in the electronic communications sector. The article also includes an insight on European Union and Turkish legal environment for data protection security in electronic communications sector.     

An international legal framework for data protection: Issues and prospects

The processing of personal data across national borders by both governments and the private sector has increased exponentially in recent years, as has the need for legal protections for personal data. This article examines calls for a global legal framework for data protection, and in particular suggestions that have been made in this regard by the International Law Commission and various national data protection authorities. It first examines the scope of a potential legal framework, and proceeds to analyze the status of data protection in international law. The article then considers the various options through which an international framework could be enacted, before drawing some conclusions about the form and scope such a framework could take, the institutions that could coordinate the work on it, and whether the time is ripe for a multinational convention on data protection.     

The UK 'non-dom' and non-resident trusts

The Commissioners decision in the recently reported case ofRobert Gaines-Cooper (SpC 568) has raised some interesting pointsfor tax practitioners and their clients. Momentarily, it hasbrought to public scrutiny the predicament of a citizen bornin the UK, who chose to live for significant periods abroadbut spent the rest of his time in the UK; and who, by so doing,wrongly (in the eyes of HMRC and the Special Commissioners)considered himself to be non-resident and non-domiciled forUK tax purposes, a mistake with significant and adverse taxconsequences for him. Whilst of immediate concern to tax practitioners,should this decision be of equal concern to trust practitionersadvising on the potential     

‘Modernising’ data protection Convention 108: A safe basis for a global privacy treaty?

Proposals for the reform or ‘modernisation’ of Council of Europe Data Protection Convention 108 have now been forwarded from the Convention's Consultative Committee for consideration by the Council of Ministers. This article assesses the changes proposed, which strengthen the obligations of Parties to implement the Convention as a matter of effective practice, not just as a law on paper. It tightens most of the existing data protection principles, and adds new ones which better align the Convention with the EU Directive (and proposed Regulation). The Convention Committee will have explicit new functions including assessing candidates for accession, and periodically reviewing implementation by existing parties. However, the proposals concerning the required standard for data export limitations are in some respects ill-defined and dangerous for data subjects. The existing standard that personal data can only be exported if the recipient provides ‘adequate’ protection has been abandoned for an undefined requirement of ‘appropriate’ protection. The article situates the risk of abandoning meaningful data export restrictions in the context of the USA's push for ‘interoperability’ of very different data protection standards.     

Access to justice: a new approach using human rights standards

This article details a trial of a new approach to measuring access to justice that utilises human rights instruments as the reference point. It involves an examination of people's actual experience of the justice system using human rights standards as the benchmark. The research project selected the right to income security. The project trialled a range of methods gathering data about how people have been treated in the Australian social security system and how they would expect to be treated if there was a human right to social security in Australia. This data is assessed against the set of standards developed to measure the enjoyment of the right to social security. The trial suggests that without knowledge about human rights and legal rights, without the confidence to exercise those rights and without the capacity or capability to seek or find help it is unlikely that people will realise their rights and accordingly access to justice is placed in question. The research methodology has the potential to be a useful model to conduct further access to justice research.     

从保密到安全:数据销毁义务的理论逻辑与制度建构

我国现行立法规定了自然人有请求信息处理者删除个人信息的权利,但这并不等于承认数据生命周期的最后环节是“删除”,因为“删除权”是“信息处理的合法性与必要性基础丧失”的必然结果,而“数据销毁”才是“数据归于消灭”的处理流程末端。数据销毁义务的理论基础在于信息保密方式的扩张,即从维持信息保密状态转向维持数据安全风险的可控性。在数据安全风险评估过程中,倘若义务主体无法保障暂时不使用的重要数据和个人信息处于安全状态,则应当采取适当的数据销毁范式降低数据泄露或非法复原的安全风险。在未来立法活动中,我国应当明确数据销毁义务的义务主体、销毁方式和销毁范围等具体制度内容,完成数据安全立法的“最后闭环”。     

数据安全认证:个人信息保护的第三方规制

契合"放管服"改革理念的数据安全认证,在数字时代整个规制法体系中必将占据日益重要的地位。数据安全认证通过声誉评价机制,可以引导、激励互联网企业守法合规经营,可以增强用户对中小微互联网企业和新兴数字产业的信任感,可以避免"一刀切"的政府规制,可以满足社会公众多元的数据安全需求。数据安全认证机构应具有高度的独立性与专业性,防止其被互联网企业"俘获"或成为政府的"附庸"。宜实行自愿为主、强制为辅的数据安全认证模式。认证程序应强调公正透明性,认证标准应注重评价企业数据合规的制度建设。根据过错责任原则,分别设置数据安全认证机构"相应的赔偿责任"或"连带责任",并加大对数据安全认证违法行为的公法责任追究。科学构建法治化的数据安全认证体制机制,不仅是保障数据安全的现实需要,而且是弥补数字时代政府规制缺陷的迫切需求。     

Body scanners versus privacy and data protection

In recent history, the world has experienced dramatic events which have had a substantial effect on the balance between human rights protection and security measures. Body scanners installed at airports are intended to protect our lives. But at the same time they have a serious impact on privacy and data protection. The international legislation allows limiting people’s rights and freedoms, but only if it is in accordance with the law and is proportionate and necessary for national security, public safety and for the protection of the rights and freedoms of others. Do body scanners respect these principles? The article examines the current situation, its background and future prospects. It discusses and analyzes the key terms and legal instruments, problems, disputes and proposed “safeguards”. The work concludes by pointing out the unlawfulness of current regimes and sets forth perspective on the possible solutions.     

Big genetic data and its big data protection challenges

The use of various forms of big data have revolutionised scientific research. This includes research in the field of genetics in areas ranging from medical research to anthropology. Developments in this area have inter alia been characterised by the ability to sequence genome wide sequences (GWS) cheaply, the ability to share and combine with other forms of complimentary data and ever more powerful processing techniques that have become possible given tremendous increases in computing power. Given that many if not most of these techniques will make use of personal data it is necessary to take into account data protection law. This article looks at challenges for researchers that will be presented by the EU's General Data Protection Regulation, which will be in effect from May 2018. The very nature of research with big data in general and genetic data in particular means that in many instances compliance will be onerous, whilst in others it may even be difficult to envisage how compliance may be possible. Compliance concerns include issues relating to ‘purpose limitation’, ‘data minimisation’ and ‘storage limitation’. Other requirements, including the need to facilitate data subject rights and potentially conduct a Data Protection Impact Assessment (DPIA) may provide further complications for researchers. Further critical issues to consider include the choice of legal base: whether to opt for what is often seen as the ‘default option’ (i.e. consent) or to process under the so called ‘scientific research exception’. Each presents its own challenges (including the likely need to gain ethical approval) and opportunities that will have to be considered according to the particular context in question.     

Computer Crime: A Technology Gap

A review of current industrial practices, litigation trends, and the growing use of computer data banks and networks leads to the following conclusions about computer crime: data security and integrity are frequently compromised by lax security practices and operating procedures. Frequently the perceived but erroneous assumption that the inherent difficulty of the computer operating system will detour would-be violators is the only security a system has. This article describes methods commonly used to attack data bases and operating systems. The conclusion is that computer crime is an international phenomenon and investigation and prosecution are complex matters. For example, an examination of the copyright laws as they relate to computer crime indicates that there are frequent violations. International violators of the copyright laws frequently distribute bootleg copies of software worldwide. The article concludes that there is a gap between technology and law in the field of computer crimes. International cooperation is needed to define copyright laws and promote investigation and prosecution of international violators.