The introduction of data breach notification legislation in Australia: A comparative view

This article argues that Australia's recently-passed data breach notification legislation, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), and its coming into force in 2018, makes an internationally important, yet imperfect, contribution to data breach notification law. Against the backdrop of data breach legislation in the United States and European Union, a comparative analysis is undertaken between these jurisdictions and the Australian scheme to elucidate this argument. Firstly, some context to data breach notification provisions is offered, which are designed to address some of the problems data breaches cause for data privacy and information security. There have been various prominent data breaches affecting Australians over the last few years, which have led to discussion of what can be done to deal with their negative effects. The international context of data breach notification legislation will be discussed, with a focus on the United States and European Union jurisdictions, which have already adopted similar laws. The background to the adoption of the Australia legislation will be examined, including the general context of data privacy and security protection in Australia. The reform itself will be then be considered, along with the extent to which this law is fit for purpose and some outstanding concerns about its application. While data breach notification requirements are likely to be a positive step for data security, further reform is probably necessary to ensure strong cybersecurity. However, such reform should be cognisant of the international trends towards the adoption of data security measures including data breach notification, but lack of alignment in standards, which may be burdensome for entities operating in the transnational data economy.     

The European Court of Justice in Bolagsupplysningen: The Brussels I Recast Regulation's jurisdictional rules for online infringement of personality rights further clarified

In the European Union the Brussels Ibis Regulation governs the jurisdiction of Member State courts in civil and commercial matters. The reference for a preliminary ruling coming from the Estonian Supreme Court in the Bolagsupplysningen case offered the European Court of Justice another opportunity to develop its interpretation of the special ground for non-contractual obligations (article 7.2). The European Court of Justice's Grand Chamber ruled that legal persons, like natural persons, have the option of bringing a claim based on the infringement of personality rights by an online publication before the courts of the Member State where their centre of interests is located. It laid down that the centre of interests of a legal person pursuing an economic activity is determined by reference to the place where the company carries out the main part of its economic activities. The victim of a tortious internet publication can only seek an order for rectification and removal of the incorrect information in the courts that have jurisdiction over the entirety of the harm sustained and not before the courts that only enjoy jurisdiction with regard to the damage suffered in their territory.     

Law enforcement access to personal data originally collected by private parties: Missing data subjects' safeguards in directive 2016/680?

Access by law enforcement authorities to personal data initially collected by private parties for commercial or operational purposes is very common, as shown by the transparency reports of new technology companies on law enforcement requests. From a data protection perspective, the scenario of law enforcement access is not necessarily well taken into account. The adoption of the new data protection framework offers the opportunity to assess whether the new ‘police’ Directive, which regulates the processing of personal data for law enforcement purposes, offers sufficient safeguards to individuals. To make this assessment, provisions contained in Directive 2016/680 are tested against the standards established by the ECJ in Digital Rights Ireland and Tele2 Sverige on the retention of data and their further access and use by police authorities. The analysis reveals that Directive 2016/680 does not contain the safeguards identified in the case law. The paper further assesses the role and efficiency of the principle of purpose limitation as a safeguard against repurposing in a law enforcement context. Last, solutions to overcome the shortcomings of Directive 2016/680 are examined in conclusion.     

European national news

This article tracks developments at the national level in key European countries in the area of IT and communications and provides a concise alerting service of important national developments. It is co-ordinated by Herbert Smith Freehills LLP and contributed to by firms across Europe. This column provides a concise alerting service of important national developments in key European countries. Part of its purpose is to complement the Journal's feature articles and briefing notes by keeping readers abreast of what is currently happening “on the ground” at a national level in implementing EU level legislation and international conventions and treaties. Where an item of European National News is of particular significance, CLSR may also cover it in more detail in the current or a subsequent edition.     

Banking in the cloud: Part 2 – regulation of cloud as ‘outsourcing’

This paper looks at EU banks' use of public cloud computing services. It is based primarily on anonymised interviews with banks, cloud providers, advisers, and financial services regulators. The findings are presented in three parts. Part 1 explored the extent to which banks operating in the EU, including global banks, use public cloud computing services.Part 2 of this paper covers the main legal and regulatory issues that may affect banks' use of cloud services. It sets out how EU banking regulators have approached banks' use of cloud services and considers regulators' lack of cloud computing knowledge. The paper further considers how the regulation of outsourcing applies to banks' use of cloud services, including whether cloud computing constitutes “outsourcing”. It analyses the contentious issue of contractual audit rights for regulators as well as legal and practical issues around risk assessments, security, business continuity, concentration risk, bank resolution, and banking secrecy laws.Part 3 looks at the key contractual issues that arise between banks and cloud service providers, including data protection requirements, termination, service changes, and liability.All three parts of the paper can be accessed via Computer Law and Security Review's page on ScienceDirect at: http://www.sciencedirect.com/science/journal/02673649?sdc=2. The full list of sources is available via the same link and will be printed alongside the third part of the article.     

Opinion 1/15 of the Grand Chamber dated 26 July 2017 about the agreement on Passenger Name Record data between the EU and Canada

On 26 July 2017, the Grand Chamber of the European Court of Justice rendered its seminal Opinion 1/15 about the agreement on Passenger Name Record data between the EU and Canada. The Grand Chamber considered that the decision of the Council about the conclusion, on behalf of the Union, of the agreement between the EU and Canada about the transfer and processing of PNR data must be based jointly on Article 16(2) about the protection of personal data and Article 87(2)(a) about police co-operation among member states in criminal matters, but not on Article 82(1)(d) about judicial co-operation in criminal matters in the EU of the Treaty on the Functioning of the EU. The Grand Chamber also considered that the agreement is incompatible with Article 7 on the right to respect for private life, Article 8 on the right to the protection of personal data, Article 21 on non-discrimination and Article 52(1) on the principle of proportionality of the Charter of Fundamental Rights of the EU since it does not preclude the transfer, use and retention of sensitive data. In addition to the requirement to exclude such data, the Grand Chamber listed seven requirements that the agreement must include, specify, limit or guarantee to be compatible with the Charter.The opinion of the Grand Chamber has far-reaching implications for the agreement on PNR data between the EU and Canada. It has also far-reaching implications for international agreements on PNR data between the EU and other third states. Last, it has far-reaching implications for Directive 681 of 27 April 2016 on PNR data.     

Party Politics and Governance in Grenada: An Analysis of the New National Party (1984–2012)

Abstract

This article examines party politics and governance in post-revolutionary Grenada, using the case of the New National Party (NNP). The central question is what does the evolution of the NNP suggests about governance and democracy in post-invasion Grenada? The article traces four phases of the NNP since its formation in 1984: (1) externally imposed marriage of convenience; (2) intra-party conflict and splintering; (3) rebranding, consolidation and dominance; and (4) electoral defeat. The article contends that Grenada has transitioned to formal democracy and the NNP is a significant actor. Yet, despite this transition, Grenada has not become the showcase of democracy that the US said it would in 1984.     

South Africa's financial and economic prospects for the next five years

South African dominance of trade in Africa as well as its position as a regional hegemon was entrenched by the Trade, Development and Cooperation Agreement (TDCA) with the European Union in 1999. South Africa's full-blown integration into the BRICS (Brazil, Russia, India, China, South Africa) formation since 2011 has brought new dynamics, however, as South Africa now has a marked BRICS orientation. Although the European Union (EU) as a bloc is still South Africa's largest trading partner, China has become South Africa's largest single-country trading partner. The question arises as to whether this new found loyalty makes sense in terms of South Africa's regional position and its trade prospects. Against the background of more intra-industry trade with the EU and the new and growing inter-industry trade with the other BRICS economies, South Africa's trade share of African trade has been in relative decline. This study uses an international political economy framework to analyse South African trade hegemony based on the TDCA and the possible effects of a shift towards BRICS. The conclusion is that, although the shift towards BRICS can politically be justified, economically it should not be at the expense of the benefits of the more advantageous relationship with the EU.     

Looking back,thinking forward: Understanding the feasibility of normative supranationalism in the African Union

The creation of the African Union (AU) in 2002 was seen as a significant paradigm shift in the course of continental integration. Unlike its predecessor, the Organization of African Unity, the AU has a normative framework that espouses supranational aspirations. Various aspects of the AU framework, such as the nature of some of the AU institutions, the declared right of intervention, and the objective of harmonising the policies of Regional Economic Communities under the AU umbrella, are allusions to supranationalism. Furthermore, it appears that normative supranationalism is the goal, in that these aspects indicate the intention on the part of the architects of the AU to create a regime under which AU laws and policies are superior to national and sub-regional rules. The fact that, after a decade of the AU's existence, little or no progress has been made in this regard requires serious introspection. Therefore, the aim of this paper is to explore some of the factors that militate against the effective operation of normative supranationalism in the AU and proffer recommendations on how to address those constraints.     

Outsourcing a partnership? Assessing ACP–EU cooperation under the Cotonou Partnership Agreement

Since 2000 the cooperation between the European Union (EU) and the African, Caribbean and Pacific (ACP) states has been governed through the Cotonou Partnership Agreement. This article complements existing research that focuses on Brussels-based stakeholders with an analysis drawing on the existing literature and on stakeholders' perceptions of ACP–EU cooperation and ACP institutions gathered via interviews in nine ACP countries. The findings presented observe a social disconnect between, on the one hand, the Cotonou Partnership Agreement's institutions and Brussels-based representatives, and, on the other hand, the broad-based and multistakeholder partnership they are tasked to promote. The article points to low levels of support in ACP countries, particularly in Africa, to continued ACP–EU cooperation in its present form, and stresses the need for an open and participatory process of reviewing and reshaping ACP–EU relations.