European national news

The regular article tracking developments at the national level in key European countries in the area of IT and communications - co-ordinated by Herbert Smith LLP and contributed to by firms across Europe. This column provides a concise alerting service of important national developments in key European countries. Part of its purpose is to compliment the Journal’s feature articles and briefing notes by keeping readers abreast of what is currently happening “on the ground” at a national level in implementing EU level legislation and international conventions and treaties. Where an item of European National News is of particular significance, CLSR may also cover it in more detail in the current or a subsequent edition.     

个人信息权及其欧盟保护

个人信息权是指自然人依法对以数据电文形式存在的可识别的个人信息所享有的支配、控制并排除他人侵害的权利,大体上从属于人格权范畴,与传统人格权相比较又表现出相对的个性特征。目前个人信息侵权形式主要表现包括ISP对个人信息的非法使用和传播、未经授权搜集利用他人信息、专门的网络窥探和调查业务以及公权力机关工作人员及公共服务单位非法出卖泄露个人信息等。由于目前国内个人信息权侵权与保护相关立法相对缺位,因而从欧盟个人信息保护的立法演进开始,介绍欧盟以《资料保护指令》为代表的系统保护经验,从而推动和促进我国相关立法的发展。     

Biometric Security and Privacy Using Smart Identity Management and Interoperability: Validation and Vulnerabilities of Various Techniques

The central position of this article is that validation and interoperability are paramount for the effective and ethical use of biometrics. Illuminating the relevance for policymakers of the science underlying the security and privacy aspects of biometrics, this article calls for adequate and enforceable performance metrics that can be independently corroborated. Accordingly, the article considers biometrics and forensics for the dual challenges of addressing security and privacy using smart identity management. The discussion revolves around the concepts of “personally identifiable information” (PII) and interoperability with emphasis on quantitative performance analysis and validation for uncontrolled operational settings, variable demographics, and distributed and federated operations. Validation metrics includes expected rates of identification/misidentification, precision, and recall. The complementary concepts of identity and anonymity are addressed in terms of expected performance, functionality, law and ethics, forensics, and statistical learning. Biometrics encompasses appearance, behavior, and cognitive state or intent. Modes of deployment and performance evaluation for biometrics are detailed, with operational and adversarial challenges for both security and privacy described in terms of trustworthiness, vulnerabilities, functional creep, and feasibility of safeguards. The article underscores how lack of interoperability is mostly due to overfitting and tuning to well‐controlled settings, so that validation merely confirms “teaching to the test” rather than preparation for real‐world deployment. Most important for validation is reproducibility of results including full information on the experimental design used, that forensic exclusion is allowed, and that scientific methods for performance evaluation are followed. The article concludes with expected developments regarding technology use and advancements that bear on security and privacy, including data streams and video, de‐anonymization and reidentification, social media analytics and cyber security, and smart camera networks and surveillance.     

Taming Risks in Asia: The World Bank Group and New Mining Regimes

Abstract

Despite the admonishments of the 2003 Extractive Industry Review, the World Bank Group (WBG) has continued to promote the expansion of mining activities in resource-rich client-countries. While maintaining its mantra on the economic benefits of the sector in cash-strapped countries, in recent years poverty reduction and environmental sustainability have become the new buzzwords to justify the need for the WBG to remain actively involved in the sector. Building on the cases of the Philippines, Papua New Guinea and Lao PDR, this paper analyses this new socio-environmental narrative in conjunction with the highly political nature of the role played by the WBG in the mining sector of its country-clients. The cases demonstrate that the World Bank has played a key role in influencing a wave of new mining regimes in the region. Further, these new regimes, which comprise multilateral social and environmental safeguards, circumscribe the risks faced by industry, rather than by local populations. While successful in stimulating foreign investments in the sector, these regimes might prove ineffective in taming local and national resentment against mining activities. Crucially, the engineering of mining regimes and norm-settings in multilateral arenas raises concerns about the legitimacy of the transformations of roles and responsibilities assigned to local mining stakeholders and the possible subsequent contraction of local political spaces.     

The ITS Directive: More than a timeframe with privacy concerns and a means for access to public data for digital road maps?

Roads are ever more congested, pollution keeps rising and traffic-related deaths remain at unacceptable levels. It is clear that society’s needs with regard to transportation and mobility have become unsustainable. Intelligent Transport Systems (ITS) are often heralded as a potential solution to this problem, yet have still to yield tangible results. The EU has, however, adopted the ITS Directive, aiming for an EU-wide implementation of ITS solutions. Three questions are raised. First, can the ITS Directive really provide for the required substantial provisions in this field? Second, as ITS solutions are often deemed to be pervasive and intrusive, how does the ITS Directive interact with the EU legal framework on privacy and data protection? Third, given the involvement of private commercial entities in the field of providing road, traffic and travel data, can a public–private partnership be found to allow for the re-use of both public and private sector data in ITS solutions?     

Balancing data protection and privacy – The case of information security sensor systems

This article analyses government deployment of information security sensor systems from primarily a European human rights perspective. Sensor systems are designed to detect attacks against information networks by analysing network traffic and comparing this traffic to known attack-vectors, suspicious traffic profiles or content, while also recording attacks and providing information for the prevention of future attacks. The article examines how these sensor systems may be one way of ensuring the necessary protection of personal data stored in government IT-systems, helping governments fulfil positive obligations with regards to data protection under the European Convention on Human Rights (ECHR), the EU Charter of Fundamental Rights (The Charter), as well as data protection and IT-security requirements established in EU-secondary law. It concludes that the implementation of sensor systems illustrates the need to balance data protection against the negative privacy obligations of the state under the ECHR and the Charter and the accompanying need to ensure that surveillance of communications and associated metadata reach established principles of legality and proportionality. The article highlights the difficulty in balancing these positive and negative obligations, makes recommendations on the scope of such sensor systems and the legal safeguards surrounding them to ensure compliance with European human rights law and concludes that there is a risk of privatised policymaking in this field barring further guidance in EU-secondary law or case law.     

EU General Data Protection Regulation: Changes and implications for personal data collecting companies

The General Data Protection Regulation (GDPR) will come into force in the European Union (EU) in May 2018 to meet current challenges related to personal data protection and to harmonise data protection across the EU. Although the GDPR is anticipated to benefit companies by offering consistency in data protection activities and liabilities across the EU countries and by enabling more integrated EU-wide data protection policies, it poses new challenges to companies. They are not necessarily prepared for the changes and may lack awareness of the upcoming requirements and the GDPR's coercive measures. The implementation of the GDPR requirements demands substantial financial and human resources, as well as training of employees; hence, companies need guidance to support them in this transition. The purposes of this study were to compare the current Data Protection Directive 95/46/EC with the GDPR by systematically analysing their differences and to identify the GDPR's practical implications, specifically for companies that provide services based on personal data. This study aimed to identify and discuss the changes introduced by the GDPR that would have the most practical relevance to these companies and possibly affect their data management and usage practices. Therefore, a review and a thematic analysis and synthesis of the article-level changes were carried out. Through the analysis, the key practical implications of the changes were identified and classified. As a synthesis of the results, a framework was developed, presenting 12 aspects of these implications and the corresponding guidance on how to prepare for the new requirements. These aspects cover business strategies and practices, as well as organisational and technical measures.     

European national news

This article tracks developments at the national level in key European countries in the area of IT and communications and provides a concise alerting service of important national developments. It is co-ordinated by Herbert Smith Freehills LLP and contributed to by firms across Europe. This column provides a concise alerting service of important national developments in key European countries. Part of its purpose is to complement the Journal's feature articles and briefing notes by keeping readers abreast of what is currently happening ``on the ground'' at a national level in implementing EU level legislation and international conventions and treaties. Where an item of European National News is of particular significance, CLSR may also cover it in more detail in the current or a subsequent edition.     

Looking for needles in a haystack: Key issues affecting children's rights in the General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) devotes particular attention to the protection of personal data of children. The rationale is that children are less aware of the risks and the potential consequences of the processing of their personal data on their rights. Yet, the text of the GDPR offers little clarity as to the actual implementation and impact of a number of provisions that may significantly affect children and their rights, leading to legal uncertainty for data controllers, parents and children. This uncertainty relates for instance to the age of consent for processing children's data in relation to information society services, the technical requirements regarding parental consent in that regard, the interpretation of the extent to which profiling of children is allowed and the level of transparency that is required vis-à-vis children. This article aims to identify a number of key issues and questions – both theoretical and practical – that raise concerns from a multi-dimensional children's rights perspective, and to clarify remaining ambiguities in the run-up to the actual application of the GDPR from 25 May 2018 onwards.