Computer Law & Security Review最新文献

If it ain’t broke, don’t fix it? Ten improvements for the upcoming tenth anniversary of the General Data Protection Regulation 如果没坏，就不修？即将到来的《通用数据保护条例》十周年的十项改进

IF 3.2 3区社会学

Computer Law & Security Review Pub Date : 2026-04-01 Epub Date: 2026-01-23 DOI: 10.1016/j.clsr.2025.106251

Dariusz Kloza (ed.) , Laura Drechsler (ed.) , Elora Fernandes (ed.) , Arian Birth , Julien Rossi , Pierre Dewitte , Jarosław Greser , Lisette Mustert , Gianclaudio Malgieri , Heidi Beate Bentzen

{"title":"If it ain’t broke, don’t fix it? Ten improvements for the upcoming tenth anniversary of the General Data Protection Regulation","authors":"Dariusz Kloza (ed.) , Laura Drechsler (ed.) , Elora Fernandes (ed.) , Arian Birth , Julien Rossi , Pierre Dewitte , Jarosław Greser , Lisette Mustert , Gianclaudio Malgieri , Heidi Beate Bentzen","doi":"10.1016/j.clsr.2025.106251","DOIUrl":"10.1016/j.clsr.2025.106251","url":null,"abstract":"<div><div>As the General Data Protection Regulation (GDPR) approaches its tenth anniversary, the European legislator is considering reforms thereto. This article offers a set of research-based suggestions for what such reforms could look like, based on two assumptions. First, that the GDPR is overall a solid piece of legislation that upholds the enduring objectives and principles of data protection law. Second, that any improvement cannot compromise the level of protection of fundamental rights currently offered. To this end, ten scholars from across Europe were invited to choose a provision of the GDPR, write about what works well and what does not, and why, as well as to suggest a solution for a concrete amendment of the text. The resulting wish-list discussing ten provisions (i.e., those concerning conditions for consent, children’s consent, automated decision-making, data protection by design, data security, data protection impact assessment and prior consultation, derogations for data transfers, dispute resolution by the European Data Protection Board, representation of data subjects and processing for scientific purposes) is necessarily random and far from exhaustive. However, it lays the groundwork for a constructive debate, and we invite others to build on the list with their own proposals.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"60 ","pages":"Article 106251"},"PeriodicalIF":3.2,"publicationDate":"2026-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"146022500","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Safe and inclusive or unsafe and discriminatory? European digital identity wallets and the challenges of ‘sole control’ 安全、包容还是不安全、歧视？欧洲数字身份钱包和“独家控制”的挑战

IF 3.2 3区社会学

Computer Law & Security Review Pub Date : 2026-04-01 Epub Date: 2025-11-29 DOI: 10.1016/j.clsr.2025.106235

Marte Eidsand Kjørven , Kristian Gjøsteen , Tone Linn Wærstad

{"title":"Safe and inclusive or unsafe and discriminatory? European digital identity wallets and the challenges of ‘sole control’","authors":"Marte Eidsand Kjørven , Kristian Gjøsteen , Tone Linn Wærstad","doi":"10.1016/j.clsr.2025.106235","DOIUrl":"10.1016/j.clsr.2025.106235","url":null,"abstract":"<div><div>To promote autonomy, safety, and inclusion in the digital age, the eIDAS 2.0 Regulation obliges all member states to provide citizens with a European Digital Identity Wallet (EDIW). A central principle underpinning this framework is <em>sole control</em>, which ensures that the use of EDIWs – as well as electronic IDs and signatures – can be attributed to their rightful users. While the cryptographic understanding of <em>sole control</em> focuses on technical safeguards, its real-world application is far more complex. Practical control over one’s digital identity is often out of reach for individuals with limited digital skills, disabilities, or for those who rely on third-party assistance. Others may fall victim to fraud, coercion, or social engineering attacks.</div><div>This paper critically examines how the cryptographic concept of <em>sole control</em> has shaped Scandinavian legal frameworks, turning a debatable assumption about user behaviour into a legal obligation. The result is increased exclusion and a troubling shift in legal responsibility from perpetrators to victims of identity theft and abuse. eIDAS 2.0 risks replicating this dynamic, raising serious human rights concerns across the EU.</div><div>We explore how exclusion, fraud, and coercion can be mitigated through a combination of legal and technical safeguards. We propose a balanced approach – one that acknowledges the inevitability of some fraudulent use without placing the legal responsibility on end users. Otherwise, the EDIW may end up deepening digital inequality or compromising security, thus failing those it was meant to empower.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"60 ","pages":"Article 106235"},"PeriodicalIF":3.2,"publicationDate":"2026-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145618738","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Balancing privacy and platform power in the mobile ecosystem: The case of Apple’s App Tracking Transparency 在移动生态系统中平衡隐私和平台力量：以苹果的应用跟踪透明度为例

IF 3.2 3区社会学

Computer Law & Security Review Pub Date : 2026-04-01 Epub Date: 2025-12-24 DOI: 10.1016/j.clsr.2025.106255

Julia Krämer

{"title":"Balancing privacy and platform power in the mobile ecosystem: The case of Apple’s App Tracking Transparency","authors":"Julia Krämer","doi":"10.1016/j.clsr.2025.106255","DOIUrl":"10.1016/j.clsr.2025.106255","url":null,"abstract":"<div><div>In 2021, Apple shook up the AdTech industry by introducing the iOS 14.5 update, which not only changed the default access to an app's advertising identifier but also restructured the process of user consent within mobile apps through the App Tracking Transparency (ATT) framework. Given that Apple dominates one of the main mobile operating systems (iOS), and one of the major mobile app store (Apple App Store) in the European Union (EU), the question arises to what extent such a powerful private party is able to govern privacy standards at this scale. While the introduction of the ATT has already raised competition concerns, its impact on privacy and data protection within the EU legal order remains largely unexplored. Therefore, this article investigates how the ATT affects EU privacy and data protection compliance and explores the extent of the General Data Protection Regulation (GDPR) in restricting the privacy regulator role of app stores and mobile operating systems. While the ATT limits certain privacy risks by limiting disclosures to third-parties, Apple is redefining core privacy concepts such as tracking. This may lead to the emergence of “walled gardens”, closed ecosystems which are managed and curated by their owners, which may alter the structure of the mobile ecosystem in general. The paper contributes to the overall discussion about the impact of private sector-led initiatives and powerful private actors in setting privacy standards.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"60 ","pages":"Article 106255"},"PeriodicalIF":3.2,"publicationDate":"2026-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145840349","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Engineering the law-machine learning translation problem: developing legally aligned models 设计法律-机器学习翻译问题：开发符合法律的模型

IF 3.2 3区社会学

Computer Law & Security Review Pub Date : 2026-04-01 Epub Date: 2025-12-25 DOI: 10.1016/j.clsr.2025.106252

Mathias Hanson , Gregory Lewkowicz , Sam Verboven

{"title":"Engineering the law-machine learning translation problem: developing legally aligned models","authors":"Mathias Hanson , Gregory Lewkowicz , Sam Verboven","doi":"10.1016/j.clsr.2025.106252","DOIUrl":"10.1016/j.clsr.2025.106252","url":null,"abstract":"<div><div>Organizations developing machine learning-based (ML) technologies face the complex challenge of achieving high predictive performance while respecting the law. This intersection between ML and the law creates new complexities. As ML model behavior is inferred from training data, legal obligations cannot be operationalized in source code directly. Rather, legal obligations require \"indirect\" operationalization. However, choosing context-appropriate operationalizations presents two compounding challenges: (1) laws often permit multiple valid operationalizations for a given legal obligation—each with varying degrees of legal adequacy; and, (2) each operationalization creates unpredictable trade-offs among the different legal obligations and with predictive performance. Evaluating these trade-offs requires metrics (or heuristics), which are in turn difficult to validate against legal obligations. Current methodologies fail to fully address these interwoven challenges as they either focus on legal compliance for traditional software or on ML model development without adequately considering legal complexities. In response, we introduce a five-stage interdisciplinary framework that integrates legal and ML-technical analysis during ML model development. This framework facilitates designing ML models in a legally aligned way and identifying high-performing models that are legally justifiable. Legal reasoning guides choices for operationalizations and evaluation metrics, while ML experts ensure technical feasibility, performance optimization and an accurate interpretation of metric values. This framework bridges the gap between more conceptual analysis of law and ML models’ need for deterministic specifications. We illustrate its application using a case study in the context of anti-money laundering.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"60 ","pages":"Article 106252"},"PeriodicalIF":3.2,"publicationDate":"2026-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145840350","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Artificial intelligence and adjudication: A new pathway to justice in China? 人工智能与裁判：中国司法的新途径？

IF 3.2 3区社会学

Computer Law & Security Review Pub Date : 2026-04-01 Epub Date: 2026-01-19 DOI: 10.1016/j.clsr.2026.106260

Yi Chen

{"title":"Artificial intelligence and adjudication: A new pathway to justice in China?","authors":"Yi Chen","doi":"10.1016/j.clsr.2026.106260","DOIUrl":"10.1016/j.clsr.2026.106260","url":null,"abstract":"<div><div>The application of artificial intelligence (AI) in the judicial system has become an inevitable trend in the digital era. This article analyzes the institutional background and practical drivers behind the rapid development and wide application of AI in China’s judicial system, examines its concrete use in adjudication, and critically discusses its limitations and potential challenges to due process, the right to a fair trial, and judicial independence. It argues that the rapid growth and deep integration of AI in the judicial field result from both top-level policy design and the judiciary’s need to address structural pressures. While AI may accelerate case handling and improve efficiency, its application is constrained by algorithmic limitations and institutional conditions, introducing risks to procedural fairness, substantive justice, and judges’ discretion and independence. Despite the Chinese judiciary's emphasis on AI as a merely auxiliary tool, judicial performance evaluations and accountability mechanisms may still encourage judges to rely on it excessively, leading to mechanical adjudication and neglect of case-specific circumstances. In light of these concerns, this article concludes that, beyond technical safeguards, institutional measures are also required to protect fair trial rights and judicial independence, ensuring that AI enhances rather than undermines justice.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"60 ","pages":"Article 106260"},"PeriodicalIF":3.2,"publicationDate":"2026-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"146022501","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Assessing data protection impact assessments: Lessons from COVID-19 contact tracing apps 评估数据保护影响评估：来自COVID-19接触者追踪应用的经验教训

IF 3.2 3区社会学

Computer Law & Security Review Pub Date : 2026-04-01 Epub Date: 2025-12-12 DOI: 10.1016/j.clsr.2025.106233

Michael Spratt, TJ McIntyre

引用次数: 0

Regulatory regimes for disruptive IT: A framework for their design and evaluation 颠覆性IT的监管制度：设计和评估的框架

IF 3.2 3区社会学

Computer Law & Security Review Pub Date : 2026-04-01 Epub Date: 2026-01-08 DOI: 10.1016/j.clsr.2025.106231

Roger Clarke

{"title":"Regulatory regimes for disruptive IT: A framework for their design and evaluation","authors":"Roger Clarke","doi":"10.1016/j.clsr.2025.106231","DOIUrl":"10.1016/j.clsr.2025.106231","url":null,"abstract":"<div><div>The pervasiveness and the impactfulness of information technology (IT) have been growing steeply for decades. Recent forms of IT are highly obscure in their operation. At the same time, IT-based systems are being permitted greater freedom to draw inferences, make decisions, and even act in the real world, without meaningful supervision. There are prospects of serious harm arising from misconceived, mis-designed or misimplemented projects.</div><div>Organisations developing and applying IT need to be subject to obligations to take degrees of care, prior to deploying impactful initiatives, that are commensurate with the risks involved. They also need to be subject to accountability mechanisms that act as strong disincentives against reckless behaviour by executives and professionals alike. This article presents a framework whereby practitioners can evaluate the efficacy of regulatory regimes for impactful IT-based systems, design new regimes, and adapt existing ones. The author has matured the framework over several decades, applied early variants of it in multiple contexts, and published articles on many of those projects.</div><div>The article commences by defining regulation and the kinds of entities and behaviour to which it is applied, and identifying the criteria for an effective regulatory mechanism. This is followed by presentation of models of the layers of regulatory measures from which regimes are constructed, and the players in the processes of regime formation and operation. Observations are also provided concerning the nature of the principles and rules that need to be established in order to provide substance within the regulatory frame. An evaluation form is provided as an Appendix. Also provided as Appendices are pilot applications of the evaluation form in several diverse contexts. A companion article (Clarke 2025b) applies the framework to a technology of current concern.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"60 ","pages":"Article 106231"},"PeriodicalIF":3.2,"publicationDate":"2026-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145925292","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Mapping the meaning of human dignity at the European Court of Human Rights: An unsupervised learning approach 在欧洲人权法院描绘人类尊严的意义：一种无监督学习方法

IF 3.2 3区社会学

Computer Law & Security Review Pub Date : 2026-04-01 Epub Date: 2026-01-17 DOI: 10.1016/j.clsr.2025.106253

Gustavo Arosemena , Foivos Ioannis Tzavellos , Rohan Nanda

引用次数: 0

Escaping the simplification trap: A playbook for the EU’s digital rulebook 摆脱简化陷阱：欧盟数字规则手册的剧本

IF 3.2 3区社会学

Computer Law & Security Review Pub Date : 2026-04-01 Epub Date: 2025-12-04 DOI: 10.1016/j.clsr.2025.106245

Kai Zenner

引用次数: 0

The regulation of fine-tuning: Federated compliance for modified general-purpose AI models 微调的规则：修改的通用AI模型的联邦遵从性

IF 3.2 3区社会学

Computer Law & Security Review Pub Date : 2026-04-01 Epub Date: 2025-12-02 DOI: 10.1016/j.clsr.2025.106234

Philipp Hacker , Matthias Holweg

{"title":"The regulation of fine-tuning: Federated compliance for modified general-purpose AI models","authors":"Philipp Hacker , Matthias Holweg","doi":"10.1016/j.clsr.2025.106234","DOIUrl":"10.1016/j.clsr.2025.106234","url":null,"abstract":"<div><div>This paper addresses the regulatory and liability implications of modifying general-purpose AI (GPAI) models under the EU AI Act and related legal frameworks. We make five principal contributions to this debate. First, the analysis maps the spectrum of technical modifications to GPAI models and proposes a detailed taxonomy of these interventions and their associated compliance burdens. Second, the discussion clarifies when exactly a modifying entity qualifies as a GPAI provider under the AI Act, which significantly alters the compliance mandate. Third, we develop a novel, hybrid legal test to distinguish substantial from insubstantial modifications that combines a compute-based threshold with consequence scanning to assess the introduction or amplification of risk. Fourth, the paper examines liability under the revised Product Liability Directive (PLD) and tort law, arguing that entities substantially modifying GPAI models become “manufacturers” under the PLD and may face liability for defects. The paper aligns the concept of “substantial modification” across both regimes for legal coherence and argues for a one-to-one mapping between “new provider” (AI Act) and “new manufacturer” (PLD). Fifth, the recommendations offer concrete governance strategies for policymakers and managers that propose a federated compliance structure, based on joint testing of base and modified models, implementation of Failure Mode and Effects Analysis and consequence scanning, a new database for GPAI models and modifications, robust documentation, and adherence to voluntary codes of practice. The framework also proposes simplified compliance options for SMEs while maintaining their liability obligations. Overall, the paper aims to map out a proportionate and risk-sensitive regulatory framework for modified GPAI models that integrates technical, legal, and wider societal considerations.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"60 ","pages":"Article 106234"},"PeriodicalIF":3.2,"publicationDate":"2026-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145685490","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0