Here comes the ‘cybernators’!

The EU Framework Decision 2005/222/JHA on attacks against information systems addresses the core of computer-related crime by a harmonisation instrument that approximates criminal law rules and facilitates judicial cooperation for illegal access to information systems (hacking), illegal interference with information systems and intentional deletion, damaging, deterioration, alteration, suppression or rendering inaccessible of computer data. The Framework Decision is expected to close existing legal loopholes in some legislation which has allowed criminals, such as hackers, to walk free after causing severe damage. However, the new law is unevenly implemented and will cripple the work of security experts testing the systems as well as stifle online public protest.     

Data processing by police and criminal justice authorities in Europe – The influence of the Commission's draft on the national police laws and laws of criminal procedure

The proposal for a fundamental reform of the European data protection law, published by the EU Commission on 25 January 2012 is composed of two elements. Apart from a General Data Protection Regulation, the Commission proposes a second regulatory instrument, namely a Directive with regard to data processing by police and criminal justice authorities that shall supersede the Council Framework Decision 2008/977/JHA. This paper seeks to analyse the draft Directive in the context of the entire reform approach and scrutinizes a number of specific issues in regard to the scope, the requirements of data processing, notification duties and data transfer to third countries.     

The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals

The recent release by the European Commission of the first drafts for the amendment of the EU data protection regulatory framework is the culmination of a consulting and preparation process that lasted more than two years. At the same time, it opens up a law-making process that is intended to take at least as much time. The Commission has undertaken the herculean task to amend the whole EU data protection edifice, through the introduction of a General Data Protection Regulation, intended to replace the EU Data Protection Directive 95/46/EC, and a Police and Criminal Justice Data Protection Directive, intended to replace the Framework Decision 2008/977/JHA. This paper shall focus at the replacement of the EU Data Protection Directive by the draft General Data Protection Regulation. Due to the fact that the draft Regulation is a long (and ambitious) text, a selection has been made, with the aim of highlighting its treatment of basic data protection principles and elements, in order to identify merits and shortcomings for the general data protection purposes.     

The Patients’ Rights Directive (2011/24/EU) – Providing (some) rights to EU residents seeking healthcare in other Member States

This article presents the main elements of Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare, commonly known as the Patient’s Rights Directive. It is the latest EU initiative with regard to European Health Care and the Single Market. The main elements of the Directive contain provisions related to the prior authorisation of health care in another Member State, the reimbursement of such health care and the removal of unjustified obstacles to achieving these aims.These provisions largely reflect the recent case law of the European Court of the Justice (ECJ). Amongst these are provisions involving the use of personal data. Such provisions will engage data protection issues and will have to be carried out according to the data protection directives. Alongside this primary aim of codifying ECJ case law the Patient’s Rights Directive also introduces novel initiatives aimed at fostering cross border cooperation between various elements of national healthcare systems.Part 1 of this contribution will describe the legal basis and the aims of the PRD, Part 2 will describe the principle obligations placed on the Member States with regard to reimbursement, Parts 3 and 4 will describe other informational and procedural requirements placed upon the Member States of Treatment and Affiliation. Finally Part 5 will outline some of the novel initiatives that have been included in the PRD.The increases in the frequency of cross border-treatment that this directive attempts to facilitate are likely to see a concurrent increase in cross-border patient information flows. Such data flows will be subject to the Union’s provisions on Data Protection. It remains uncertain whether the EU’s Data Protection regime will act as inhibitor to cross-border medical treatment or rather represent a gold standard that allows patients to engage in such activities with peace of mind. The Patient’s Rights Directive will form part of the EU’s future e-Health strategy which envisages a large increase in the fluidity of patient data. A discussion of this directive is therefore merited in this journal.     

Data Theft? Cybercrime and the Increasing Criminalization of Access to Data

The use of computers in the commission of crime, so-called ??cybercrime??, presents a considerable challenge to law enforcement. Central to the prosecution of cybercrime is the offence of unauthorised access to a computer, or ??hacking??. Originally conceived of as analogous to trespass, the trend in some jurisdictions has been toward punishing access to computer data per se. This issue also arises under the Council of Europe Convention on Cybercrime which criminalizes ??offences against the confidentiality, integrity and availability of computer data and systems??. As the criminal law traditionally provides protection only to limited forms of information, the increasing use of the criminal law to protect computer data therefore confers on it a status not enjoyed by information stored in other forms. Drawing upon the laws of Australia, the United Kingdom and the United States, this article explores the increasing criminalization of access to computer data. It describes the evolution of cybercrime laws and considers ways in which problems of over breadth may be avoided. Questions will also be raised as to the appropriate role of the criminal law in protecting information.     

Trends of indecent images of children and child sexual offences between 2005/2006 and 2012/2013 within the United Kingdom

Abstract

Little is known about the trends of indecent images of children (IIOC) offences, as UK criminal justice figures are unavailable within official crime data. This study aims to explore the rates of conviction and the relationship between IIOC offences and child sexual abuse offences from 2005/2006 to 2012/2013. The results indicated a continuing increase in offences of take, permit, distribute IIOC, rape of a child under 13, sexual activity of child under 16 and abuse of children through prostitution or pornography. Six out of a possible 17 correlations were significant, with the strongest correlation found between take, make, distribute IIOC and rape of a female under 13. Explanations for the findings are discussed and the utility of comprehensive prevalence figures for different stakeholders involved in addressing this crime issue.     

An inquiry into the legal status of the ECOWAS cybercrime directive and the implications of its obligations for member states

On 19 August 2011, the ECOWAS Council of Ministers adopted Directive C/DIR.1/08/11 on Fighting Cybercrime at its Sixty Sixth Ordinary Session in Abuja, Nigeria. The adoption of the Directive at that time arose from the need to tackle the growing trend in cybercrime within the ECOWAS region, as some Member States were already gaining global notoriety as major sources of email scams and Internet fraud. Accordingly, the Directive established a legal framework for the control of cybercrime within the ECOWAS region, and also imposed obligations on Member States to establish the necessary legislative, regulatory and administrative measures to tackle cybercrime. In particular, the Directive required Member States to implement those obligations “not later than 1st January, 2014″. This article undertakes an inquiry into the legal status of the Directive as an ECOWAS regional instrument in the domestic legal systems of Member States.In this regard, the article examines whether the requirement regarding the superiority or direct applicability of ECOWAS Community laws such as ECOWAS Acts and Regulations in the domestic legal systems of Member States also apply to ECOWAS Directives such as the Cybercrime Directive. The article also examines the legal implications of the Directive's obligations for Member States. The article argues that while some Member States have not implemented the obligations under the Directive, that those obligations however provide a legal basis for holding Member States accountable, where the failure to implement has encouraged the perpetration of cybercrime that infringed fundamental rights guaranteed under human right instruments such as the African Charter on Human and Peoples’ Rights or under their national laws.     

Data protection: The future of privacy

The Art. 29 Working Party (hereinafter “Art. 29 WP”) is an influential body comprised of representatives from the Member State Data Protection Authorities² established under the Data Protection Directive 95/46/EC, has recently issued an opinion with the Working Party on Police and Justice. This is quite significant, since the opinion sets out some of the issues that will need to be addressed in the lead up to the revision of the Data Protection Directive 95/46/EC.³ This comes at a time, when there have been discussions on the current application of the European Data Protection Directive to the internet,⁴ (such as social networking) and the recent European Commission’s consultation on the legal framework for the fundamental right to protection of personal data. Not least, there have been a number of cases brought before the European Court of Justice dealing with the partial implementation of the Data Protection Directive 95/46/EC.⁵The aim of this paper is to consider in detail the issues set out by the Art. 29 WP and the likely challenges in revising the Data Protection Directive 95/46/EC.     

Crime Trends in Western Europe from 1990 to 2000

This paper analyses the evolution of police recorded crime rates for nine offences (intentional homicide, assault, rape, robbery, theft, vehicle theft, burglary, domestic burglary, and drug offences) over the period 1990–2000 in 16 Western European Countries. The analysis shows that there was an increase in drug and violent offences, while property offences reached a peak at the beginning of the 1990s and started decreasing afterwards. The evolution of property offences can be related to the emergence of a large black market for stolen goods in Central and Eastern Europe at the beginning of the time series, while by the end of it that market was saturated and there had also been a reinforcement of police measures in the frontiers and of security measures in Western European households. The increase in drug offences is correlated to the rise of drug use in Europe shown by other indicators, and can be related to an increased availability of drugs in European markets. Finally, the upward trend in violent offences can be explained partially by gang struggles over the control of illegal markets and by the consolidation of problematic neighbourhoods, but seems also due to a large extent of increase in the reporting of violent offences by their victims and the recording of such offences by the police. The analysis shows that opportunity-based theories provide a satisfactory explanation of the trends in recorded crime, and that the crime opportunities are heavily influenced by socio-economical factors.Versions of this paper were presented at the 3rd Annual Conference of the European Society of Criminology (Helsinki, August 27–30, 2003) and at the Societies of Criminology 1st Key Issues Conference (Paris, May 13–15, 2004). The paper was written during a stay at the Max Planck Institute for Foreign and International Criminal Law (Freiburg imBreisgau, Germany) made possible through the support of Swiss National Science Foundation     

民间高利贷的泛刑法分析

近年来,民间高利贷被作为非法经营罪追究刑事责任的判例频频出现。究其原由,源于中国人民银行办公厅与最高人民法院刑事审判第二庭就武汉的涂汉江案所为的两个复函。然而,这两个复函关于民间高利贷属于国务院《非法金融机构和非法金融业务活动取缔办法》所列非法金融行为的解释均属无权解释,因此,有关民间高利贷构成非法经营罪的所有判例,均无法律依据。事实上,在现有法律框架下,民间高利贷因不违反任何法律与行政法规而不具有构成非法经营罪的非法性要件。同时,民间高利贷虽有伴生犯罪之弊,但其更有产生的必然性,也有存在的合理性,因此,对其也不应通过修改刑法而将其入罪。     

The Transfer of Personal Data to Third Countries Under EU Directive 95/46/EC

The 1981 Council of Europe Convention 108 and EU Directive 95/46/ EC assert that data protection is privacy protection. Consequently, countries with data protection rules control trans-border data flows to protect the rights of their citizens. Under the Directive, but subject to some derogations, personal data may only be transferred to third countries with adequate protection. 'Adequacy' is to be assessed in the light of all the circumstances. Alternative safeguards can be provided by means such as contractual arrangements. The Data Protection Commissioners have tried to define 'adequacy' as the usual data protection principles plus an assurance of compliance. This can be delivered by self-regulation as well as formal law. The Directive has not made a radical break with the past. The usual principles are those found in Convention 108 and in the 1980 OECD Guidelines. Those instruments also dealt with the control of trans-border data flows because of fears of restrictions on the free flow of information. The flexibility of the effective current UK law, which permits flows whilst preventing those which would lead to a breach of data protection, would have prevented the acrimony of the current debate with third countries. National laws on transborder data flows long pre-date the Directive and data protection authorities can be expected to continue to promote pragmatic methods of protecting exported data such as the use of model contracts either as a basis for derogation from 'adequacy' or as part of a package to satisfy the adequacy test. Work is taking place to build bridges between those with formal law and others relying on self-regulation. In Ottawa last October OECD ministers reaffirmed the 1980 Guidelines and if practical privacy protection can be secured globally, transborder data-flow control is of much less concern.     

The Data Subject's Right of Access and to be Informed in Finland: An Experimental Study

The EC Data Protection Directive 95/46/EC emphasises the roleof transparency in fair and lawful processing of personal data.This study describes the results from sending forty requestsfor access to data held and information on processing to controllersof personal data in Finland. The results show that there arestill difficulties in gaining access, in verifying the correctnessof information provided and in the procedures controllers employto provide information. These factors are discussed in lightof Finnish and EC regulation, as well as information systems.Proposals are put forward as to how the difficulties might beaddressed.     

Cursing the Cloud (or) Controlling the Cloud?

Inspired by the cloud computing hypes, this paper responds to some of the hypes, but not to all. The hype in this paper refers to the level of the adequacy of data protection and privacy in a cloud computing (the Cloud) environment. Paradoxically, this paper proffers observational insights that surround the Cloud from the perspectives of data protection and privacy. It examines briefly the efforts of January 2010 led by Microsoft and anticipating “liability” scenarios. The liability rhetorically refers to the illegal access in the Cloud. This paper does not focus entirely on the technology sophistication; however, it analyses two scenarios of illegal access. To mitigate the liability, it suggests a “Cloud Compliant Strategy (CCS)” being a proposed model to control the Cloud. The observational insights of this paper have also intertwined with the adequacy of data protection from the lenses of the European Union (EU) Data Protection Directive 95/46/EC (DPD) and Safe Harbor provisions (SH).     

The Data Protection (Amendment) Act, 2003: the Data Protection Directive and its implications for medical research in Ireland

Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data has been transposed into national law and is now the Data Protection (Amendment) Act, 2003. The Directive and the transposing Act provide for new obligations to those processing data. The new obligation of primary concern is the necessity to obtain consent prior to the processing of data (Article 7, Directive 95/46/EC). This has caused much concern especially in relation to 'secondary data' or 'archived data'. There exist, what seem to be in the minds of the medical research community, two competing interests: (i) that of the need to obtain consent prior to processing data and (ii) the need to protect and foster medical research. At the same time as the introduction of the Act, other prior legislation, i.e. the Freedom of Information Act, 1997-2003, has encouraged candour within the doctor-patient relationship and the High Court in Ireland, in the case of Geoghegan v. Harris, has promulgated the 'reasonable-patient test' as being the correct law in relation to the disclosure of risks to patients. The court stated that doctors have a duty to disclose all material risks to patients. The case demonstrates an example of a move toward a more open medical relationship. An example of this rationale was also recently seen in the United Kingdom in the House of Lords decision in Chester v. Afshar. Within the medical research community in Ireland, the need to respect the autonomy of patients and research participants by providing information to such parties has also been observed (Sheikh A. A., 2000 and Irish Council for Bioethics, 2005). Disquiet has been expressed in Ireland and other jurisdictions by the medical research communities in relation to the exact working and meaning of the Directive and therefore the transposing Acts (Strobl et al). This may be due to the fact that, as observed by Beyleveld "The Directive makes no specific mention of medical research and, consequently, it contains no provisions for medical research as an explicitly delineated category." (Beyleveld D., 2004) This paper examines the Irish Act and discusses whether the concerns expressed are well-founded and if the Act is open to interpretation such that it would not hamper medical research and public health work.     

An academic perspective on the copyright reform

The recently proposed new Copyright Directive was released on 14 September 2016. It has been described by EU law-makers as the pillar of the copyright package promised by the European Commission (EC), to be delivered before the end of Mr. Juncker's mandate. In its Communication of 6 May 2015, the EC had stressed “the importance to enhance cross-border access to copyright-protected content services, facilitate new uses in the fields of research and education, and clarify the role of online services in the distribution of works and other subject-matter.” The proposed Copyright Directive is thus a key measure aiming to address two of these three issues. However it is not without shortfalls.We have therefore decided to publicly express our concerns and send an open letter to the European Commission, the European Parliament and the Council to urge them to re-assess the new provisions dealing with mandatory filtering of user-generated content in the light of the CJEU case law and the Charter of Fundamental Rights of the European Union.In a more extended statement, we examine in details the text of both the explanatory memorandum and the Directive itself.Our conclusions are:1. A comprehensive re-assessment of Article 13 and Recital 39 in the light of the Charter of Fundamental Rights of the European Union and the E-commerce Directive (in particular Article 15) including CJEU case law is needed, as the proposed Copyright Directive does not expressly address the issue of its compatibility with both of these texts.2. Recital 38 does not clarify the domain and effect of Article 13. Rather, it creates confusion as it goes against settled CJEU case law (relating to Articles 14 and 15 of the E-commerce Directive and Article 3 of the Infosoc Directive). Recital 38 should therefore be deleted or substantially re-drafted/re-phrased. If the EU wants to introduce a change in this regard it should clearly justify its choice. In any case, a recital in the preamble to a directive is not an appropriate tool to achieve this effect.We hope that this exercise will prove useful for the debate that has now begun both in the European Parliament and in the Council.     

Community trade mark case law round-up 2006

Legal Context: This article looks at the important decisions of 2006 on theCommunity Trade Mark made by the Court of First Instance, theEuropean Court of Justice and the OHIM. These cases concernthe application of Council Regulation 40/94 on the CommunityTrade Mark, and also preliminary rulings from the European Courtof Justice on the interpretation of Council Directive 89/104(the Trade Mark Directive). Key Points: The volume of case law relating to Community trade marks, notto mention the variety of official languages in which the lawis interpreted, makes it almost impossible for even the conscientiouspractitioner to keep abreast with developments as they occur. This article provides an overview of the shifts in Communitytrade mark practice, in terms of not only the relatively accessiblesubstantive law but also the far more diffuse areas of procedurallaw and Office practice. In seeking to review and explain these shifts, the authors haveadopted a view of the case law that is functional rather thanphilosophical. In doing so, they lay bare the manner in whichthe institutions that administer and adjudicate Community trademark issues interrelate to one another. Practical Significance: Practitioners can quickly find the important decisions from2006 relating to particular articles of the Council Regulation40/94 on the Community Trade Mark. This article provides an overview of the most significant trademark cases decided in 2006 by the European Courts of Justiceand the OHIM Boards of Appeal. The article enables practitionersto access rapidly the key decisions of 2006. The cases discussed concern the application of Council Regulation40/94 on the Community trade mark (‘CTMR’), CommissionRegulation 2868/95 implementing the CTMR (‘CTMIR’),and Council Directive 89/104 (the ‘Trade Mark Directive’).     

Procedural law provisions of the council of Europe convention on cybercrime1

The Council of Europe Convention on Cybercrime is the first international treaty on crimes committed via the Internet and other computer networks. It aims principally at harmonising the domestic criminal law elements of offences and connected provisions in the area of cyber‐crime and setting up a fast and effective regime of international co‐operation. Considering the inadequacy of traditional investigative powers and the absence, in most countries, of specific procedural rules applicable in cyberspace, the Convention is also aiming at providing for the domestic criminal procedure law powers necessary for the investigation and prosecution of criminal offences that are likely to be committed via computer systems, as well as for any type of criminal investigation where it is necessary to collect information that exists in electronic form. These powers, some of which are particulary innovative, correspond to different objectives, such as compiling evidence, locating the source and identifying the perpetrator of an offence. However, they are all intended to enable computer data to be obtained or gathered in the context of ongoing criminal investigations, and do not have a proactive effect or scope. The Conventions fundamental premise is thus to recognise that digital data has a legal value in itself and probative force that is identical to that of material evidence existing in the non‐virtual world.     

How platforms govern users’ copyright-protected content: Exploring the power of private ordering and its implications

Online platforms provide primary points of access to information and other content in the digital age. They foster users’ ability to share ideas and opinions while offering opportunities for cultural and creative industries. In Europe, ownership and use of such expressions is partly governed by a complex web of legislation, sectoral self- and co-regulatory norms. To an important degree, it is also governed by private norms defined by contractual agreements and informal relationships between users and platforms. By adopting policies usually defined as Terms of Service and Community Guidelines, platforms almost unilaterally set use, moderation and enforcement rules, structures and practices (including through algorithmic systems) that govern the access and dissemination of protected content by their users. This private governance of essential means of access, dissemination and expression to (and through) creative content is hardly equitable, though. In fact, it is an expression of how platforms control what users – including users-creators – can say and disseminate online, and how they can monetise their content.As platform power grows, EU law is adjusting by moving towards enhancing the responsibility of platforms for content they host. One crucial example of this is Article 17 of the new Copyright Directive (2019/790), which fundamentally changes the regime and liability of “online content-sharing service providers” (OCSSPs). This complex regime, complemented by rules in the Digital Services Act, sets out a new environment for OCSSPs to design and carry out content moderation, as well as to define their contractual relationship with users, including creators. The latter relationship is characterized by significant power imbalance in favour of platforms, calling into question whether the law can and should do more to protect users-creators.This article addresses the power of large-scale platforms in EU law over their users’ copyright-protected content and its effects on the governance of that content, including on its exploitation and some of its implications for freedom of expression. Our analysis combines legal and empirical methods. We carry our doctrinal legal research to clarify the complex legal regime that governs platforms’ contractual obligations to users and content moderation activities, including the space available for private ordering, with a focus on EU law. From the empirical perspective, we conducted a thematic analysis of most versions of the Terms of Services published over time by the three largest social media platforms in number of users – Facebook, Instagram and YouTube – so as to identify and examine the rules these companies have established to regulate user-generated content, and the ways in which such provisions shifted in the past two decades. In so doing, we unveil how foundational this sort of regulation has always been to platforms’ functioning and how it contributes to defining a system of content exploitation.     

侵害公民个人电子信息的侵权行为及其责任

全国人大常委会《关于加强网络信息保护的决定》规定了保护网络信息安全,制裁侵害公民个人电子信息侵权行为的原则,对于侵害公民个人电子信息“侵害他人民事权益的,依法承担侵权责任”.这种侵权行为是一般侵权行为,《决定》列举的侵害公民个人电子信息的不同表现形式,应当根据《侵权责任法》第6条第1款关于过错责任原则的规定,确定构成要件、举证责任以及相应的责任承担方式.     

The GDPR: A game changer for electronic identification schemes? The case study of Gov.UK Verify

This article offers an interdisciplinary analysis of the General Data Protection Regulation (GDPR) in the context of electronic identification schemes. Gov.UK Verify, the UK Government's electronic identification scheme, and its compatibility with some important aspects of EU data protection law are reviewed. An in-depth examination of Gov.UK Verify's architecture and the most significant constituent elements of both the Data Protection Directive and the imminent GDPR – notably the legitimising grounds for the processing of personal data and the doctrine of joint controllership – highlight several flaws inherent in the Gov.UK Verify's development and mode of operation. This article advances the argument that Gov.UK Verify is incompatible with some major substantive provisions of the EU Data Protection Framework. It also provides some general insight as to how to interpret the requirement of a legitimate legal basis and the doctrine of joint controllership. It ultimately suggests that the choice of the appropriate legal basis should depend upon a holistic approach to the relationship between the actors involved in the processing activities.