Law enforcement access to personal data originally collected by private parties: Missing data subjects' safeguards in directive 2016/680?

Access by law enforcement authorities to personal data initially collected by private parties for commercial or operational purposes is very common, as shown by the transparency reports of new technology companies on law enforcement requests. From a data protection perspective, the scenario of law enforcement access is not necessarily well taken into account. The adoption of the new data protection framework offers the opportunity to assess whether the new ‘police’ Directive, which regulates the processing of personal data for law enforcement purposes, offers sufficient safeguards to individuals. To make this assessment, provisions contained in Directive 2016/680 are tested against the standards established by the ECJ in Digital Rights Ireland and Tele2 Sverige on the retention of data and their further access and use by police authorities. The analysis reveals that Directive 2016/680 does not contain the safeguards identified in the case law. The paper further assesses the role and efficiency of the principle of purpose limitation as a safeguard against repurposing in a law enforcement context. Last, solutions to overcome the shortcomings of Directive 2016/680 are examined in conclusion.     

Understanding the notion of risk in the General Data Protection Regulation

The goal of this contribution is to understand the notion of risk as it is enshrined in the General Data Protection Regulation (GDPR), with a particular on Art. 35 providing for the obligation to carry out data protection impact assessments (DPIAs), the first risk management tool to be enshrined in EU data protection law, and which therefore contains a number of key elements in order to grasp the notion. The adoption of this risk-based approach has not come without a number of debates and controversies, notably on the scope and meaning of the risk-based approach. Yet, what has remained up to date out of the debate is the very notion of risk itself, which underpins the whole risk-based approach. The contribution uses the notions of risk and risk analysis as tools for describing and understanding risk in the GDPR. One of the main findings is that the GDPR risk is about “compliance risk” (i.e., the lower the compliance the higher the consequences upon the data subjects' rights). This stance is in direct contradiction with a number of positions arguing for a strict separation between compliance and risk issues. This contribution sees instead issues of compliance and risk to the data subjects rights and freedoms as deeply interconnected. The conclusion will use these discussions as a basis to address the long-standing debate on the differences between privacy impact assessments (PIAs) and DPIAs. They will also warn against the fact that ultimately the way risk is defined in the GDPR is somewhat irrelevant: what matters most is the methodology used and the type of risk at work therein.     

From ugly duckling to Swan. The rise of data protection and its limits

This article considers the development of data protection laws from a position on the periphery of legal consciousness to the situation where it is the subject of intensive legal and media publicity. Focusing on the recent controversies surrounding the use of Facebook apps for political purposes, the article will consider the role and limitations of data and privacy protection laws. The question will be posed – if not answered – whether national or regional laws can be effective in what increasingly is a global information society.     

European national news

This article tracks developments at the national level in key European countries in the area of IT and communications and provides a concise alerting service of important national developments. It is co-ordinated by Herbert Smith Freehills LLP and contributed to by firms across Europe. This column provides a concise alerting service of important national developments in key European countries. Part of its purpose is to complement the Journal's feature articles and briefing notes by keeping readers abreast of what is currently happening “on the ground” at a national level in implementing EU level legislation and international conventions and treaties. Where an item of European National News is of particular significance, CLSR may also cover it in more detail in the current or a subsequent edition.     

“Regulation,I presume?” said the robot – Towards an iterative regulatory process for robot governance

This article envisions an iterative regulatory process for robot governance. In the article, we argue that what lacks in robot governance is actually a backstep mechanism that can coordinate and align robot and regulatory developers. In order to solve that problem, we present a theoretical model that represents a step forward in the coordination and alignment of robot and regulatory development. Our work builds on previous literature, and explores modes of alignment and iteration towards greater closeness in the nexus between research and development (R&D) and regulatory appraisal and channeling of robotics’ development. To illustrate practical challenges and solutions, we explore different examples of (related) types of communication processes between robot developers and regulatory bodies. These examples help illuminate the lack of formalization of the policymaking process, and the loss of time and resources that the waste of knowledge generated for future robot governance instruments implies. We argue that initiatives that fail to formalize the communication process between different actors and that propose the mere creation of coordinating agencies risk being seriously ineffective. We propose an iterative regulatory process for robot governance, which combines the use of an ex ante robot impact assessment for legal/ethical appraisal, and evaluation settings as data generators, and an ex post legislative evaluation instrument that eases the revision, modification and update of the normative instrument. In all, the model breathes the concept of creating dynamic evidence-based policies that can serve as temporary benchmark for future and/or new uses or robot developments. Our contribution seeks to provide a thoughtful proposal that avoids the current mismatch between existing governmental approaches and what is needed for effective ethical/legal oversight, in the hope that this will inform the policy debate and set the scene for further research.     

An approach to minimizing legal and reputational risk in Red Team hacking exercises

Robust cyber-resilience depends on sound technical controls and testing of those controls in combination with rigorous cyber-security policies and practices. Increasingly, corporations and other organizations are seeking to test all of these, using methods more sophisticated than mere network penetration testing or other technical audit operations. More sophisticated organizations are also conducting so-called “Red Team” exercises, in which the organization tasks a small team of highly skilled and trained individuals to try to gain unauthorized access to physical and logical company assets and information. While such operations can have real value, they must be planned and conducted with great care in order to avoid violating the law or creating undue risk and reputational harm to the organization. This article explores these sometimes tricky issues, and offers practical risk-based guidance for organizations contemplating these types of exercises.     

“大数据”时代的公安工作初探

自2012年以来,“大数据”(Big Data)一词越来越多地被提及,人们用它来描述和定义信息爆炸时代产生的海量数据,并命名与之相关的技术发展与创新.对公安工作而言,“大数据”时代的来临,既是挑战,又是机遇.公安机关必须顺应形势发展,从工作思维、顶层设计、信息整合、共享应用、人才保障等方面入手,助推公安工作新发展、新进步.     

Daring to Be Heard: Advertorials by Organized Interests on the Op-Ed Page of The New York Times , 1985-1998

Advertorials are a form of outside lobbying that organized interests use to influence policymakers and attentive publics. It is apparent from their popularity that organized interests consider them to be an effective form of political communication. This article analyzes 2,805 organized interest advertorials that appeared on the lower right quadrant of The New York Times op-ed page from 1985 to 1998. Advertorials take two broad forms: (a) image advertorials, which are paid messages by organized interests designed to create a favorable climate of opinion, and (b) advocacy advertorials, which are sponsored messages intended to win support for an interest's viewpoints on controversial issues. Typologies of advertorials (11 categories), organized interests (21 categories), corporate and noncorporate economic interests (29 categories), and policy content (28 categories) are used to document annually and over time who is sponsoring advertorials, what types of advertorials are being used, what interests avail themselves of advertorial campaigns, which issue areas are receiving attention, what images and policy messages are being communicated, which organizations sponsor the most advertorials, and the timing of such political advertising campaigns. We find over time an increasing number of advertorials, an increasing number and diversity of sponsoring interest organizations, an increasing trend toward advocacy advertorials, a continuing but declining sponsorship dominance by corporate interests, a shifting policy issue emphasis that corresponds to events in the political environment, and evidence that organized interests employ a variety of sponsorship strategies.     

Data Quality in Student Risk Behavior Surveys and Administrator Training

SUMMARY

This study examined the influence of survey validity screening on the results from three group-administered school surveys administered to samples totaling approximately 5500 students in 19 schools. The estimated levels of risk behaviors, antisocial behaviors, and victim experiences were substantially reduced when respondents who gave multiple inconsistent or extreme responses to other survey items were screened out of the data. The researchers also observed that the percentage of students giving inconsistent and illogically extreme responses was greater among those surveys given by an untrained administrator, raising the hypothesis that administrator training could be a critical factor in obtaining more consistent and trustworthy survey data. These results indicate that it may be important to train school staff in survey administration and to screen surveys for validity in order to improve the accuracy of student self-report surveys.