{"title":"Between progress and caution: LegalTech's promise in transforming personal credit risk management in China","authors":"Duoqi Xu, Li Chen","doi":"10.1016/j.clsr.2024.106090","DOIUrl":"10.1016/j.clsr.2024.106090","url":null,"abstract":"<div><div>The integration of LegalTech in China's financial and legal sectors offers useful insights for innovative legal practices, financial regulation and judicial reform. This article examines how LegalTech transforms personal credit risk management in China, analyzing its integration within banking compliance systems and judicial processes. It explores three key dimensions: the evolution of debt collection practices through technological innovation, the enhancement of public remedies through automated judicial systems, and the development of legal frameworks to legitimize LegalTech solutions. While highlighting LegalTech's potential to improve efficiency in credit risk resolution, the article addresses critical challenges including moral hazard in automated systems and the preservation of judicial discretion in technological implementation.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"56 ","pages":"Article 106090"},"PeriodicalIF":3.3,"publicationDate":"2024-11-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142756883","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Facial recognition technology in law enforcement: Regulating data analysis of another kind","authors":"Monika Simmler, Giulia Canova","doi":"10.1016/j.clsr.2024.106092","DOIUrl":"10.1016/j.clsr.2024.106092","url":null,"abstract":"<div><div>Facial recognition technology (FRT) has emerged as a powerful tool for law enforcement, enabling the automated identification of individuals based on their unique facial features. Authorities have more and more made use of the technology to enhance criminal investigations through the analysis of images and video footage. In view of its increased use in Europe, this paper explores the legal implications of FRT in law enforcement under EU law and evaluates approaches to regulation. FRT use constitutes biometric data processing and comes with a particularly sensitive analysis of data. Its specific nature is grounded in the creation of a new (biometric) quality of data in order to subsequently compare for matches. Due to its impact on fundamental rights, this approach differs from conventional forensic analyses and must be appropriately regulated. Such regulation should consider the multiple data processing steps and reflect each step's impact on fundamental rights. From this procedural stance, the shortcomings of the EU Artificial Intelligence Act (AI Act) become evident. The AI Act contains specific rules for biometric AI systems but does not provide the necessary legal bases to justify FRT use by law enforcement. Without a comprehensive legal framework, such use is not permitted. 
This article provides concrete guidelines for addressing such regulation.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"56 ","pages":"Article 106092"},"PeriodicalIF":3.3,"publicationDate":"2024-11-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142748477","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Open or closing doors? The influence of ‘digital sovereignty’ in the EU's Cybersecurity Strategy on cybersecurity of open-source software","authors":"Jennifer Tridgell","doi":"10.1016/j.clsr.2024.106078","DOIUrl":"10.1016/j.clsr.2024.106078","url":null,"abstract":"<div><div>‘Digital sovereignty’ is the geopolitical mantra of the moment. A key agent of that policy shift, the European Union (‘EU’) has increasingly embraced ‘digital sovereignty’ as both the ideological foundation and impetus for building its digital future in accordance with ‘European values and principles,’ often driven by and intersecting with cybersecurity concerns as articulated in its 2020 <em>Cybersecurity Strategy for the Digital Decade</em> (‘Strategy’). Yet it is impossible to consider cybersecurity without open-source software (‘OSS’). Increasingly, the EU, USA and other Governments have recognised that fact in the wake of HeartBleed and Log4j incidents. OSS’ decentralised governance and ubiquity, underpinning most software worldwide, may amplify vulnerabilities and adverse effects of cyberattacks, whilst its typically collaborative model of development and innovation often fosters valuable, open cybersecurity solutions.</div><div>In navigating that policy tightrope of OSS as a double-edged sword for cybersecurity, the EU has adopted ‘closed’ language of ‘digital sovereignty’ that is ostensibly contrary to the ‘open’ nature of OSS. 
That rhetorical duality is particularly pronounced since the EU described OSS as a tool for realising its ‘digital sovereignty,’ in addition to policy support for ‘a global, open, interoperable cyberspace’ alongside the pursuit of ‘digital sovereignty.’ While there is an epistemic gap in understanding the relationship between the EU's rhetoric of ‘digital sovereignty’ and reality, nascent studies indicate that it has a tangible effect on policy change in multiple digital spheres, generally furthering a degree of ‘control.’ However, that relationship within the OSS cybersecurity context has been underexplored and poorly understood, although that policy is a priority for the EU and may bear significant implications for OSS globally.</div><div>Particularly analyzing the Cyber Resilience Act (‘CRA’) as a key means for implementing the EU's Strategy and its first cybersecurity legislation that would comprehensively engage OSS if adopted by the Council, this article argues that the EU's desire to strengthen cybersecurity in OSS is generally welcome. Yet there is ostensibly a disjunct between ‘digital sovereignty’ that underpins that legislation and OSS cybersecurity, with too much control of OSS potentially proving counterproductive for EU cybersecurity. This paper illustrates that (i) it is imperative for the EU to address OSS cybersecurity; (ii) yet the lens of digital sovereignty is ostensibly a rough fit for that approach, considering OSS’ philosophy and practice; and (iii) based on the CRA, EU's practice of translating ‘digital sovereignty’ into policy change is mixed, leaving uncertain ramifications for OSS cybersecurity in the EU and beyond. 
On the one hand, it moves towards more ‘control’ at least in determining definitional parameters and power dynamics with novel ‘stewardship’ positions for certain OSS ","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"56 ","pages":"Article 106078"},"PeriodicalIF":3.3,"publicationDate":"2024-11-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142701168","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Botnet defense under EU data protection law","authors":"Piotr Rataj","doi":"10.1016/j.clsr.2024.106080","DOIUrl":"10.1016/j.clsr.2024.106080","url":null,"abstract":"<div><div>We analyse the legal framework spanned by EU data protection law with respect to the defence against botnet-related threats. In particular, we examine what legal constraints the General Data Protection Regulation (GDPR) (and others) impose on the processing of personal data when that processing aims at detecting botnet-related traffic. We thereby put data protection rules into perspective with current trends in European IT security regulation, specifically Directive 2022/2555/EU (NIS 2 Directive).</div><div>We find that the resulting legal landscape is complex and has not yet been sufficiently explored. Our analysis provides an initial evaluation of a wide range of emerging legal issues. In particular, we consider four typical processing scenarios, such as DNS sinkholing by a public authority or sharing of cybersecurity-related personal data, and discuss some of their legal problems, linking them as thoroughly as possible to potentially relevant case law of the European Court of Justice.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"56 ","pages":"Article 106080"},"PeriodicalIF":3.3,"publicationDate":"2024-11-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142701167","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Automated vehicles, the ‘driver dilemma’, stopping powers, and paradigms of regulating road traffic","authors":"Mark Brady, Kieran Tranter, Belinda Bennett","doi":"10.1016/j.clsr.2024.106076","DOIUrl":"10.1016/j.clsr.2024.106076","url":null,"abstract":"<div><div>This article examines the driver dilemma as it applies to the increasing automation of road traffic with a focus on roadside enforcement stopping powers. The driver dilemma exists where road traffic laws are expressed as directed toward human drivers. As automation increases, it becomes more problematic who is the driver, in fact and in law, for the purposes of international and national road traffic laws. An obvious solution to the driver dilemma is to enact reforms that deem automated driving systems ‘drivers’ under road traffic laws. This can be seen in recent amendments to the <em>Vienna Convention on Road Traffic</em>. However, the deeming solution has limitations. Through a case study on specific Australian provisions that authorise roadside enforcement officers to stop vehicles, two paradigms informing regulation of road traffic are revealed. The legacy paradigm, founded on the unity of driver and vehicle, conceives road transport involving individuals with an expectation of freedom of movement. The deeming solution attempts to preserve this paradigm. The case study also revealed an alternative paradigm of road traffic as a system that should be regulated to ensure overarching public policy goals. This alternative paradigm is evident in the specific passenger transport laws, where stopping powers are expressed as vehicle-centric. There is no driver proxy and no need for a further wrong for the powers to be enlivened. 
The article concludes that automated transport futures need this alternative paradigm of road traffic regulation and vehicle-centric rules should be a template for more adaptable road traffic laws.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"56 ","pages":"Article 106076"},"PeriodicalIF":3.3,"publicationDate":"2024-11-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142656447","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The dilemma and resolution of data circulation in China: Is data as consideration the solution?","authors":"Xueting Fu","doi":"10.1016/j.clsr.2024.106074","DOIUrl":"10.1016/j.clsr.2024.106074","url":null,"abstract":"<div><div>The circulation of data presents a significant challenge to the development of China's digital economy. On data exchanges, trading activity has declined. Off-exchange, stringent barriers between data-sharing consortia have resulted in data silos, producing crises of trust and legitimacy. Treating personal data as consideration, by incentivising individuals' motivation to share data through both financial gain and the protection of their personal rights, can establish a robust and comprehensive legal basis for extensive commercial data processing. Accordingly, this connects primary and secondary data element markets, facilitates data circulation, and strengthens the real economy. In the legal framework of personal data as consideration, the agreement between users and enterprises constitutes a bilateral contract, wherein individuals are obliged to \"provide personal data and/ or authorise processing\" as counter-performance. Through this exchange, enterprises, predicated on user authorisation, can secure one or more rights to hold, use or operate the data, thereby achieving a separation of data property rights. The data property rights enterprises acquire are governed by the principle of registration confrontation. The data subject's inheritors, prior or subsequent parties in transactions, and infringers are all third parties that could be confronted absolutely, while a subsequent licensee's ability to confront a prior licensee hinges on whether the pre-existing data property rights have been registered. 
Even when data property rights derive from a non-exclusive licence, the enterprise can still confront the bankruptcy administrator and proceed with data processing.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"56 ","pages":"Article 106074"},"PeriodicalIF":3.3,"publicationDate":"2024-11-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142656446","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Cross-border data flow in China: Shifting from restriction to relaxation?","authors":"Shuai Guo, Xiang Li","doi":"10.1016/j.clsr.2024.106079","DOIUrl":"10.1016/j.clsr.2024.106079","url":null,"abstract":"<div><div>This article examines China's latest development in the governance of cross-border data flow. Under the general framework of Cyber Security Law, Data Security Law, and Personal Data Protection Law, China established its own regime of cross-border data flow. In recent years, contrary to the general international perception that China imposes strict restrictions especially due to national security concerns, China has been de facto relaxing its regulations on cross-border data flow, especially for digital trade. This article suggests three underlying incentives. First, China is in an increasing need to gain economic growth through international trade and investment. Second, China intends to compete in technology development and take the lead in shaping international rules on data governance. Third, China is seeking to adhere to international standards, particularly those prescribed in international free trade agreements. This article further submits that this paradigm shift would have international implications. First, China's practices need to be examined under the domestic regulatory frameworks of international free trade agreements. 
Second, China's current legislative and judicial practices are multifaceted, taking into account various factors, including international business, national security, and data protection, which may contribute to the further development of international cross-border data flow rules.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"56 ","pages":"Article 106079"},"PeriodicalIF":3.3,"publicationDate":"2024-11-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142656445","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Illegal loot box advertising on social media? An empirical study using the Meta and TikTok ad transparency repositories","authors":"Leon Y. Xiao","doi":"10.1016/j.clsr.2024.106069","DOIUrl":"10.1016/j.clsr.2024.106069","url":null,"abstract":"<div><div>Loot boxes are gambling-like products inside video games that can be bought with real-world money to obtain random rewards. They are widely available to children, and stakeholders are concerned about potential harms, <em>e.g.</em>, overspending. UK advertising must disclose, if relevant, that a game contains (i) any in-game purchases and (ii) loot boxes specifically. An empirical examination of relevant adverts on Meta-owned platforms (<em>i.e.</em>, Facebook, Instagram, and Messenger) and TikTok revealed that only about 7 % disclosed loot box presence. The vast majority of social media advertising (93 %) was therefore non-compliant with UK advertising regulations and also EU consumer protection law. In the UK alone, the 93 most viewed TikTok adverts failing to disclose loot box presence were watched 292,641,000 times total or approximately 11 impressions per active user. Many people have therefore been repeatedly exposed to prohibited and socially irresponsible advertising that failed to provide important and mandated information. Implementation deficiencies with ad repositories, which must comply with transparency obligations imposed by the EU Digital Services Act, are also highlighted, <em>e.g.</em>, not disclosing the beneficiary. How data access empowered by law can and should be used by researchers is practically demonstrated. 
Policymakers should consider enabling more such opportunities for the public benefit.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"56 ","pages":"Article 106069"},"PeriodicalIF":3.3,"publicationDate":"2024-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142656444","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The emergence of EU cybersecurity law: A tale of lemons, angst, turf, surf and grey boxes","authors":"Lee A. Bygrave","doi":"10.1016/j.clsr.2024.106071","DOIUrl":"10.1016/j.clsr.2024.106071","url":null,"abstract":"<div><div>Using a series of metaphors, this opinion piece charts patterns, trends and obstacles shaping the development of EU cybersecurity law over the last three decades. It shows that this development is more than simply a function of the EU's increasing regulatory capacity. It argues that, to a large degree, the development has been a reactive, gap-filling process, which is partly due to the piecemeal character of the regulatory areas in which the EU legislates, combined with smouldering ‘turf wars’ over regulatory competence. An overarching point is that EU cybersecurity law is far from reminiscent of a well-kempt forest; rather, it resembles a sprawling jungle of regulatory instruments interacting in complex, confusing and sometimes disjointed ways. Thus, this field of regulation underlines the fact that increased regulatory capacity does not necessarily beget optimal regulatory coherence. Nonetheless, the paper also identifies multiple positive traits in the legislative development—traits that signal Brussels’ ability to learn from weaknesses with previous regulatory instruments.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"56 ","pages":"Article 106071"},"PeriodicalIF":3.3,"publicationDate":"2024-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142656443","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Techno-authoritarianism & copyright issues of user-generated content on social- media","authors":"Ahmed Ragib Chowdhury","doi":"10.1016/j.clsr.2024.106068","DOIUrl":"10.1016/j.clsr.2024.106068","url":null,"abstract":"<div><div>Lawrence Lessig in “Code: Version 2.0” presents “code” as the new law and regulator of cyberspace. Previously, techno-authoritarianism represented state sponsored authoritarian use of the internet, and digital technologies. It has now experienced a takeover by private entities such as social media platforms, who exercise extensive control over the platforms and how users interact with them. Code, akin to the law of cyberspace emboldens social media platforms to administer it according to their agenda, the terms of use of such platforms being one such example. The terms of use, which are also clickwrap agreements, are imposed unilaterally on users without scope of negotiation, essentially amounting to unconscionable contracts of adhesion. This paper will focus on one specific angle of the impact brought upon by the terms of use, user-generated content on social media platforms, and their copyright related rights. This paper will doctrinally assess the impact the “terms of use” of social media platforms has on user-generated content from a copyright law perspective, and consider whether the terms amount to unconscionable contracts of adhesion. 
This paper revisits, or reimagines this problem surrounding copyrightability of user-generated content and social media platform terms of use from the lens of techno-authoritarianism and the influence of code.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"55 ","pages":"Article 106068"},"PeriodicalIF":3.3,"publicationDate":"2024-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142572608","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}