Law enforcement access to personal data originally collected by private parties: Missing data subjects' safeguards in directive 2016/680?

Access by law enforcement authorities to personal data initially collected by private parties for commercial or operational purposes is very common, as shown by the transparency reports of new technology companies on law enforcement requests. From a data protection perspective, the scenario of law enforcement access is not necessarily well taken into account. The adoption of the new data protection framework offers the opportunity to assess whether the new ‘police’ Directive, which regulates the processing of personal data for law enforcement purposes, offers sufficient safeguards to individuals. To make this assessment, provisions contained in Directive 2016/680 are tested against the standards established by the ECJ in Digital Rights Ireland and Tele2 Sverige on the retention of data and their further access and use by police authorities. The analysis reveals that Directive 2016/680 does not contain the safeguards identified in the case law. The paper further assesses the role and efficiency of the principle of purpose limitation as a safeguard against repurposing in a law enforcement context. Last, solutions to overcome the shortcomings of Directive 2016/680 are examined in conclusion.     

Understanding the notion of risk in the General Data Protection Regulation

The goal of this contribution is to understand the notion of risk as it is enshrined in the General Data Protection Regulation (GDPR), with a particular on Art. 35 providing for the obligation to carry out data protection impact assessments (DPIAs), the first risk management tool to be enshrined in EU data protection law, and which therefore contains a number of key elements in order to grasp the notion. The adoption of this risk-based approach has not come without a number of debates and controversies, notably on the scope and meaning of the risk-based approach. Yet, what has remained up to date out of the debate is the very notion of risk itself, which underpins the whole risk-based approach. The contribution uses the notions of risk and risk analysis as tools for describing and understanding risk in the GDPR. One of the main findings is that the GDPR risk is about “compliance risk” (i.e., the lower the compliance the higher the consequences upon the data subjects' rights). This stance is in direct contradiction with a number of positions arguing for a strict separation between compliance and risk issues. This contribution sees instead issues of compliance and risk to the data subjects rights and freedoms as deeply interconnected. The conclusion will use these discussions as a basis to address the long-standing debate on the differences between privacy impact assessments (PIAs) and DPIAs. They will also warn against the fact that ultimately the way risk is defined in the GDPR is somewhat irrelevant: what matters most is the methodology used and the type of risk at work therein.     

From ugly duckling to Swan. The rise of data protection and its limits

This article considers the development of data protection laws from a position on the periphery of legal consciousness to the situation where it is the subject of intensive legal and media publicity. Focusing on the recent controversies surrounding the use of Facebook apps for political purposes, the article will consider the role and limitations of data and privacy protection laws. The question will be posed – if not answered – whether national or regional laws can be effective in what increasingly is a global information society.     

European national news

This article tracks developments at the national level in key European countries in the area of IT and communications and provides a concise alerting service of important national developments. It is co-ordinated by Herbert Smith Freehills LLP and contributed to by firms across Europe. This column provides a concise alerting service of important national developments in key European countries. Part of its purpose is to complement the Journal's feature articles and briefing notes by keeping readers abreast of what is currently happening “on the ground” at a national level in implementing EU level legislation and international conventions and treaties. Where an item of European National News is of particular significance, CLSR may also cover it in more detail in the current or a subsequent edition.     

“Regulation,I presume?” said the robot – Towards an iterative regulatory process for robot governance

This article envisions an iterative regulatory process for robot governance. In the article, we argue that what lacks in robot governance is actually a backstep mechanism that can coordinate and align robot and regulatory developers. In order to solve that problem, we present a theoretical model that represents a step forward in the coordination and alignment of robot and regulatory development. Our work builds on previous literature, and explores modes of alignment and iteration towards greater closeness in the nexus between research and development (R&D) and regulatory appraisal and channeling of robotics’ development. To illustrate practical challenges and solutions, we explore different examples of (related) types of communication processes between robot developers and regulatory bodies. These examples help illuminate the lack of formalization of the policymaking process, and the loss of time and resources that the waste of knowledge generated for future robot governance instruments implies. We argue that initiatives that fail to formalize the communication process between different actors and that propose the mere creation of coordinating agencies risk being seriously ineffective. We propose an iterative regulatory process for robot governance, which combines the use of an ex ante robot impact assessment for legal/ethical appraisal, and evaluation settings as data generators, and an ex post legislative evaluation instrument that eases the revision, modification and update of the normative instrument. In all, the model breathes the concept of creating dynamic evidence-based policies that can serve as temporary benchmark for future and/or new uses or robot developments. Our contribution seeks to provide a thoughtful proposal that avoids the current mismatch between existing governmental approaches and what is needed for effective ethical/legal oversight, in the hope that this will inform the policy debate and set the scene for further research.     

An approach to minimizing legal and reputational risk in Red Team hacking exercises

Robust cyber-resilience depends on sound technical controls and testing of those controls in combination with rigorous cyber-security policies and practices. Increasingly, corporations and other organizations are seeking to test all of these, using methods more sophisticated than mere network penetration testing or other technical audit operations. More sophisticated organizations are also conducting so-called “Red Team” exercises, in which the organization tasks a small team of highly skilled and trained individuals to try to gain unauthorized access to physical and logical company assets and information. While such operations can have real value, they must be planned and conducted with great care in order to avoid violating the law or creating undue risk and reputational harm to the organization. This article explores these sometimes tricky issues, and offers practical risk-based guidance for organizations contemplating these types of exercises.     

Sponsorship behaviour of the BRICS in the United Nations General Assembly

The formation of informal groupings of states is a manifestation of the global shift in economic power. One such a grouping is the BRICS, consisting of Brazil, Russia, India, China and South Africa, which stands out for its importance due to its economic weight, its coverage across continents and the numerous internal differences. The BRICS have collectively flexed their muscle and expressed their intentions to extend their cooperation at the United Nations (UN). Proposals in the United Nations General Assembly (UN GA) take the form of resolutions, which can be written and co-written by the UN member states. This so-called sponsoring of resolutions is a way to push agenda items forward. Using a large-N network analysis, we examine the patterns of co-sponsorship of the BRICS of resolutions adopted in the UN GA plenary sessions. We find that the BRICS cooperate on fields such as economic issues, however, they do not form a coherent bloc when it comes to resolution sponsorship. These results raise the question in what way the BRICS actually cooperate at the UN level.     

Regulating religious authority for political gains: al-Sisi’s manipulation of al-Azhar in Egypt

The shedding of blood is a serious matter in Islamic law; disregard for human life negates the very essence of just rule. By standing by General al-Sisi as he suppressed the Muslim Brotherhood, the popular legitimacy of al-Azhar – the oldest seat of Islamic learning – was called into question. This article shows how the al-Sisi government skilfully deployed the two other state-controlled religious establishments, the Ministry of Awqaf (Religious Endowments) and Dar-ul-Ifta, to boost al-Azhar’s popular legitimacy in this context. Existing scholarship highlights the importance of competition within the Egyptian religious sphere to explain how the Egyptian state co-opts the al-Azhari official establishment. This article instead shows how the state, equally skilfully, uses state institutions to boost al-Azhar’s popular legitimacy – albeit to ensure that it remains useful for the purposes of political legitimisation. Political authority and religious authority in Egypt thus remain closely entangled.     

中国共产党与中国特色社会主义事业总体布局

摘要：中国特色社会主义事业总体布局大体经历了四个发展阶段：前期探索阶段、初步形成阶段、完善与充实阶段和重大推进阶段。这是中国共产党在领导人民建设中国特色社会主义的探索实践中不断深化认识的结果,反映出我们党是一个实事求是、与时俱进、开拓创新的马克思主义政党,这必将坚定我们在其领导下实现中华民族伟大复兴的信心。