Understanding the notion of risk in the General Data Protection Regulation

The goal of this contribution is to understand the notion of risk as it is enshrined in the General Data Protection Regulation (GDPR), with a particular on Art. 35 providing for the obligation to carry out data protection impact assessments (DPIAs), the first risk management tool to be enshrined in EU data protection law, and which therefore contains a number of key elements in order to grasp the notion. The adoption of this risk-based approach has not come without a number of debates and controversies, notably on the scope and meaning of the risk-based approach. Yet, what has remained up to date out of the debate is the very notion of risk itself, which underpins the whole risk-based approach. The contribution uses the notions of risk and risk analysis as tools for describing and understanding risk in the GDPR. One of the main findings is that the GDPR risk is about “compliance risk” (i.e., the lower the compliance the higher the consequences upon the data subjects' rights). This stance is in direct contradiction with a number of positions arguing for a strict separation between compliance and risk issues. This contribution sees instead issues of compliance and risk to the data subjects rights and freedoms as deeply interconnected. The conclusion will use these discussions as a basis to address the long-standing debate on the differences between privacy impact assessments (PIAs) and DPIAs. They will also warn against the fact that ultimately the way risk is defined in the GDPR is somewhat irrelevant: what matters most is the methodology used and the type of risk at work therein.     

GPS tracking and the right of privacy

Government authorities and law enforcement agencies start using the satellite-based GPS tracking technology more often for various purposes. Due to its unique technical features, GPS tracking poses a much greater threat to the right of privacy compared with traditional electronic tracking techniques, such as the Beeper. Comparisons are extensively analyzed and a number of the US cases are quoted for illustrations. In the end, several key principles are proposed to facilitate the supervision of investigation behaviors in China.     

Open-source intelligence and privacy by design

As demonstrated by other papers on this issue, open-source intelligence (OSINT) by state authorities poses challenges for privacy protection and intellectual-property enforcement. A possible strategy to address these challenges is to adapt the design of OSINT tools to embed normative requirements, in particular legal requirements. The experience of the VIRTUOSO platform will be used to illustrate this strategy. Ideally, the technical development process of OSINT tools is combined with legal and ethical safeguards in such a way that the resulting products have a legally compliant design, are acceptable within society (social embedding), and at the same time meet in a sufficiently flexible way the varying requirements of different end-user groups. This paper uses the analytic framework of privacy design strategies (minimise, separate, aggregate, hide, inform, control, enforce, and demonstrate), arguing that two approaches for embedding legal compliance seem promising to explore in particular. One approach is the concept of revocable privacy with spread responsibility. The other approach uses a policy mark-up language to define Enterprise Privacy Policies, which determine appropriate data handling.     

Digital identity,privacy and the right to identity in the United States of America

This article analyses digital identity as an emergent legal concept in the United States of America, as a consequence of the move to place all federal government services on-line. The features and functions of digital identity and its legal nature are examined, and the consequences are considered.     

The retention of personal information online: A call for international regulation of privacy law

New technologies permit online businesses to reduce expenses and increase efficiency by, for example, storing information in “the cloud”, engaging in online tracking and targeted advertising, location and tracking technologies, and biometrics. However, the potential for technology to facilitate long term retention of customers' personal information raises concerns about the competing right of individuals to the privacy of their personal information. Although the European Commission has recently released a proposal for regulation to “provide a data subject with the right to be forgotten and to erasure”, neither the OECD Privacy Guidelines nor the APEC Privacy Framework includes any requirement to delete personal information. While New Zealand includes a “limited retention principle” in the Privacy Act 1993, apart from one limited exception the privacy principles cannot be enforced in court. Taking New Zealand privacy law as an example, this paper examines the issue of retention of customer data, explains why this is a serious problem and argues that although it could be addressed by appropriate amendments to domestic laws, domestic privacy legislation may not be sufficient in an online environment. In the same way as other areas of law, such as the intellectual property regime, have turned to global regulatory standards which reflect the international nature of their subject matter, international privacy regulation should be the next stage for the information privacy regime.     

New Challenges Posed by Robots to China’s Civil Code in the Age of Artificial Intelligence

In the age of artificial intelligence (AI), robots have profoundly impacted our life and work, and have challenged our civil legal system. In the course of AI development, robots need to be designed to protect our personal privacy, data privacy, intellectual property rights, and tort liability identification and determination. In addition, China needs an updated Civil Code in line with the growth of AI. All measures should aim to address AI challenges and also to provide the needed institutional space for the development of AI and other emerging technologies.     

英美银行保密义务规则的冲突与制衡

以英美国家的判例法为基础,分析银行对客户的保密义务规则的冲突与制衡,最后针对这些利益冲突提出制度设计方案。     

浅论隐私权的立法问题

随着市场经济的发展和人们文化观念的转变,我国隐私权纠纷案件呈上升趋势。其原因除人们的认识差距外,更重要的是我国法律对此无完整的规范。隐私权有明确的定义、特征、内容和构成要件。我国现行法律包括宪法、民法、刑法、行政法、诉讼法等对隐私权的保护主要采取了间接、分散的立法方式,建议关于隐私权的保护应在保护公民人身权的最主要、最基本的法律即民法通则中有所体现,使隐私权和公民的其他人格权一样,在立法上加以明确规定。     

Why Cryptocurrencies Want Privacy: A Review of Political Motivations and Branding Expressed in “Privacy Coin” Whitepapers

New currencies designed for user anonymity and privacy – widely referred to as “privacy coins” – have forced governments to listen and legislate, but the political motivations of these currencies are not well understood. Following the growing interest of political brands in different contexts, we provide the first systematic review of political motivations expressed in cryptocurrency whitepapers whose explicit goal is “privacy.” Many privacy coins deliberately position themselves as alternative political brands. Although cryptocurrencies are often closely associated with political philosophies that aim to diminish or subvert the power of governments and banks, advocates of privacy occupy much broader ideological ground. We present thematic trends within the privacy coin literature and identify epistemic and ethical tensions present within the communities of people calling for the adoption of entirely private currencies.     

隐私权及其刑法保护

从世界范围看,隐私权正在被逐步确认为一种独立的民事权利——人格权之一种。人们欲求内心世界安宁和宁居环境的精神需求迫切需要我们运用法律的手段保护公民的隐私权。文章首先探讨了隐私及隐私权的一些基本问题。在此基础上,作者结合我国刑法相关条文,对隐私权的刑法保护作了一些分析和思考。