The regular article tracking developments at the national level in key European countries in the area of IT and communications – Co-ordinated by Herbert Smith LLP and contributed to by firms across Europe

This column provides a concise alerting service of important national developments in key European countries. Part of its purpose is to compliment the Journal's feature articles and Briefing Notes by keeping readers abreast of what is currently happening “on the ground” at a national level in implementing EU level legislation and international conventions and treaties. Where an item of European National News is of particular significance, CLSR may also cover it in more detail in the current or a subsequent edition.     

从保密到安全:数据销毁义务的理论逻辑与制度建构

我国现行立法规定了自然人有请求信息处理者删除个人信息的权利,但这并不等于承认数据生命周期的最后环节是“删除”,因为“删除权”是“信息处理的合法性与必要性基础丧失”的必然结果,而“数据销毁”才是“数据归于消灭”的处理流程末端。数据销毁义务的理论基础在于信息保密方式的扩张,即从维持信息保密状态转向维持数据安全风险的可控性。在数据安全风险评估过程中,倘若义务主体无法保障暂时不使用的重要数据和个人信息处于安全状态,则应当采取适当的数据销毁范式降低数据泄露或非法复原的安全风险。在未来立法活动中,我国应当明确数据销毁义务的义务主体、销毁方式和销毁范围等具体制度内容,完成数据安全立法的“最后闭环”。     

大数据时代背景下职务犯罪预防工作发展探讨

职务犯罪预防工作作为预防腐败体系建设的重点,在今后发展的过程中,在保持工作整体发展势头不减的情况下,应根据自身在预防建议和警示教育中存在的不足,积极解放思想、与时俱进、务实创新,通过借助大数据技术,提升职务犯罪预防工作的科学性、针对性、准确性。     

Descrambling data on solid-state disks by reverse-engineering the firmware

Data recovery is an important component of digital forensic research. Although recovering data from hard drives or small-scale mobile devices has been well studied, solid-state disks (SSDs) have a very different internal architecture and some additional functions, and it is not clear whether these differences will have an effect on data recovery. Data scrambling is an additional function of an SSD controller which can improve data reliability, but makes data recovery difficult. In this research, the dedicated flash software was first introduced that can acquire the physical image of an SSD without destroying the device hardware. Based on the software, a validation experiment was presented to evaluate the effect of data scrambling on data recovery and the causes of the effect were analyzed. Then two approaches to descrambling the data in the flash chips were proposed and their advantages and disadvantages discussed. After that, a procedure to identify the scrambling seeds that are used to descramble the scrambled data was described. Finally, descrambling software was implemented based on the second descrambling method. The experiment shows that this software can successfully descramble the data from an SSD flash drive regardless of the internal structure of the scrambler in the SSD controller and can generate an unscrambled physical image on which most existing data-recovery techniques can be effective.     

老年人保健品诈骗犯罪侦查研究——基于大数据背景

老年人保健品诈骗犯罪具有职业化、犯罪对象范围明确、犯罪手段多元、隐蔽且变异性强等特点。传统侦查方法面临受害人不能及时报案失去破案先机、侦查投入成本高、部门间协调机制不畅等困境。大数据技术可以满足人民群众快侦快破的新期待,在提供明确的侦查方向、实现犯罪深挖、助力控赃挽损等方面实现新突破。在大数据背景下,建立数据驱动侦查的大数据思维,加强警企合作并拓展整合数据来源,完善线上线下协同作战模式,提升民警的大数据侦查专业素养,有助于老年人保健品诈骗犯罪案件侦查机制的完善。     

The Cyprus and other EU court rulings on data retention: The Directive as a privacy bomb

This paper discusses the controversy surrounding the Data Retention Directive with an emphasis on the 2011 decision of the Cyprus Supreme Court which has annulled several district court orders that allowed the police access to telecommunications data relating to certain persons relevant to criminal investigations. The annulment has been on the ground that the legal provisions upon which the orders have been issued are unconstitutional. It will suggest that the decision does not entail a direct rejection of the EU Data Retention Directive and that in any event, Cyprus is not a Member State resisting the particular measure. This is because the legal provisions are deemed unconstitutional, though part of the law that has transposed the relevant Directive into national law are provisions that go beyond what the EU legislator intended to regulate through that Directive. Still, the particular Directive sits rather uneasily within the ‘human rights’ regime, in particular the one governing the individual right of privacy.     

Trust in the clouds

The “cloud” is not new, and its roots go back to the original plans for computing from the 1950s. Now that computing is moving back to the original cloud-based models that were envisioned more than 60 years ago, with it, consumers are realizing the increases in security and safety that accompany the move to centralized servers. Yet the perception of “trust” in this context is often still formed by views that people have from their use of computers over the past two decades, which is localized in nature (“if I can see it, I can control it”). This view is based on perception more than fact. Our paper discusses different views of trust in other contexts (such as banking and travel) and concludes that users of cloud computing should recast their view of trust in a similar way that consumers of banking and travel have changed their perceptions of trust in the last 100 years.     

Regulating electronic identity in the European Union: An analysis of the Lisbon Treaty’s competences and legal basis for eID

This paper discusses the feasibility of EU legal action in the field of electronic identity (eID) within the new distribution of legal competences and the provision of novel legal basis engendered by the Treaty of Lisbon. The article attempts to find a ‘legal anchor’ to the idea of a pan-European electronic identity within EU law, looking at the issues of competences and legal basis. After examining various different areas of competence and the most feasible (and probable) candidates for a legal basis supporting an EU legal framework for eID, the paper argues that the latter should be found in the combination of Article 16 TFEU (concerning the right to the protection of personal data) with Article 3 TUE, and Articles 26 and 114 TFEU (concerning the establishment and functioning of the Internal Market), which also constitute the area of competence where an eID legal initiative can be pursued.     

Data breach notification law in the EU and Australia – Where to now?

Mandatory data breach notification laws have been a significant legislative reform in response to unauthorized disclosures of personal information by public and private sector organizations. These laws originated in the state-based legislatures of the United States during the last decade and have subsequently garnered worldwide legislative interest. We contend that there are conceptual and practical concerns regarding mandatory data breach notification laws which limit the scope of their applicability, particularly in relation to existing information privacy law regimes. We outline these concerns here, in the light of recent European Union and Australian legal developments in this area.     

Allocating responsibility among controllers,processors, and “everything in between”: the definition of actors and roles in Directive 95/46/EC

In Opinion 1/2010, the Article 29 Data Protection Working Party has provided additional guidance concerning the concepts of ‘controller’ and ‘processor’ contained in Directive 95/46/EC. This guidance aims to assist practitioners in their determination of whether an entity is acting as a controller or as a processor towards a particular data processing operation. Despite the fact that this opinion is informative, the existing framework still appears to leave room for a considerable amount of legal uncertainty. This uncertainty is attributable in part to the nature of the existing concepts, but also (and perhaps to a larger extent) to their apparent misalignment with current processing realities. In this paper, the author seeks to articulate why the existing concepts often remain difficult to apply in practice, in order to enable a constructive reflection on how these issues might be addressed in the future.