{"title":"Will the GDPR Restrain Health Data Access Bodies Under the European Health Data Space (EHDS)?","authors":"Paul Quinn, Erika Ellyne, Cong Yao","doi":"10.1016/j.clsr.2024.105993","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.105993","url":null,"abstract":"<div><p>The plans for a European Health Data Space (EHDS) envisage an ambitious and radical platform that will inter alia make the sharing of secondary health data easier. It will encourage the systematic sharing of health data and provide a legal framework for it to be shared by Health Data Access Bodies (HDABs) based in each of the Member States. Whilst this promises to bring about major benefits for research and innovation, it also raises serious questions given the intrinsic sensitivity of health data. Fears concerning privacy harms on the individual level and detrimental effects on the societal level have been raised. This article discusses two of the main protective pillars designed to allay such concerns. The first is that the proposal clearly outlines several contexts for which a Health Data Access Permit (HDAP) should and should not be granted. The second is that a request for an HDAP must also be compliant with the GDPR (inter alia requiring a valid legal basis and respecting data processing principles such as ‘minimization’ and ‘storage limitation’). As this article discusses, in some instances the need to have a valid legal basis under the GDPR may make it difficult to obtain a data access permit, in particular for some of the commercially orientated grounds outlined within the EHDS proposal. A further important issue concerns the ability of HDABs to analyse the compatibility of permit requests with the GDPR and relevant national law at both speed and scale.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 105993"},"PeriodicalIF":3.3,"publicationDate":"2024-07-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141482974","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"ETIAS system and new proposals to advance the use of AI in public services","authors":"Clara Isabel Velasco Rico , Migle Laukyte","doi":"10.1016/j.clsr.2024.106015","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.106015","url":null,"abstract":"<div><p>Eu-LISA is launching the European Travel Information and Authorization System (ETIAS), which seems an example of a different, human rights-oriented approach to AI within law enforcement. However, the reality is quite different: the usual problems of the use of AI—lack of transparency, bias, opacity, just to name a few—are still on board. This paper critically assesses these promises of ETIAS and argues that it has serious issues that have not been properly dealt with. So as to argue the need to address these issues, the paper addresses ETIAS within the wider context of human rights and solidarity-based data governance. In this respect, ETIAS is seen as a tool which uses data for high value purposes, such as EU safety and security, yet it also calls for serious risk mitigation measures. Indeed, the risks related to law enforcement on the borders and in migration management are extremely serious due to the vulnerability of people who escape from poverty, wars, regimes, and other disasters. In the third part of this article, we articulate three proposals of such risk mitigation measures. We argue in favour of strengthening critical general safeguards in ETIAS, then elaborate a principle that should guide AI-based public service development (P4P principle) and end with a few IPR-related requirements for private sector involvement in such services. Adopting these measures could contribute to reducing the risk of building EU AI expertise upon data coming from the most vulnerable social groups of our planet.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106015"},"PeriodicalIF":3.3,"publicationDate":"2024-07-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0267364924000815/pdfft?md5=49b2b58312c8697b7334418c2e13e052&pid=1-s2.0-S0267364924000815-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141482997","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"AI liability in Europe: How does it complement risk regulation and deal with the problem of human oversight?","authors":"Beatriz Botero Arcila","doi":"10.1016/j.clsr.2024.106012","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.106012","url":null,"abstract":"<div><p>Who should compensate you if you get hit by a car in “autopilot” mode: the safety driver or the car manufacturer? What about if you find out you were unfairly discriminated against by an AI decision-making tool that was being supervised by an HR professional? Should the developer compensate you, the company that procured the software, or the (employer of the) HR professional that was “supervising” the system's output?</p><p>These questions do not have easy answers. In the European Union and elsewhere around the world, AI governance is turning towards risk regulation. Risk regulation alone is, however, rarely optimal. The situations above all involve liability for harms that are caused by or with an AI system. While risk regulations like the AI Act regulate some aspects of these human and machine interactions, they offer those impacted by AI systems no rights and few avenues to seek redress. From a corrective justice perspective risk regulation must also be complemented by liability law because when harms do occur, harmed individuals should be compensated. From a risk-prevention perspective, risk regulation may still fall short of creating optimal incentives for all parties to take precautions.</p><p>Because risk regulation is not enough, scholars and regulators around the world have highlighted that AI regulations should be complemented by liability rules to address AI harms when they occur. Using a law and economics framework this Article examines how the recently proposed AI liability regime in the EU – a revision of the Product Liability Directive, and an AI Liability Directive – effectively complements the AI Act and how it addresses the particularities of AI-human interactions.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106012"},"PeriodicalIF":3.3,"publicationDate":"2024-06-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0267364924000797/pdfft?md5=4672fdb50a5856a23c27094c7201b057&pid=1-s2.0-S0267364924000797-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141482996","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Stuxnet vs WannaCry and Albania: Cyber-attribution on trial","authors":"Jakub Vostoupal","doi":"10.1016/j.clsr.2024.106008","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.106008","url":null,"abstract":"<div><p>The cyber-attribution problem poses a significant challenge to the effective application of international law in cyberspace. Rooted in unclear standards of proof, evidence disclosure requirements, and deficiencies within the legal framework of the attribution procedure, this issue reflects the limitations of some traditional legal concepts in addressing the unique nature of cyberspace. Notably, the <em>effective control test</em>, introduced by the ICJ in 1986 and reaffirmed in 2007 to attribute the actions of non-state actors, does not adequately account for the distinctive dynamics of cyberspace, allowing states to use proxies to evade responsibility.</p><p>The legal impracticality and insufficiency of the attribution procedure not only give rise to the cyber-attribution problem but also compel states to develop new attribution tactics. This article explores the evolution of these cyber-attribution techniques to assess whether contemporary state practices align with the customary rules of attribution identified by the ICJ and codified by the ILC within ARSIWA, or whether new, cyber-specific rules might emerge. By analyzing two datasets on cyber incidents and three distinct cases – Stuxnet, WannaCry, and the 2022 cyberattacks against Albania – this article concludes that the <em>effective control test</em> cannot be conclusively identified as part of customary rules within cyberspace due to the insufficient support in state practice. Furthermore, it is apparent that the rules of attribution in the cyber-specific context are in disarray, lacking the consistent, widespread and representative practice needed to support a general custom. However, emerging state practice shows some degree of unification and development, suggesting the potential for the future establishment of cyber-specific rules of attribution.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106008"},"PeriodicalIF":3.3,"publicationDate":"2024-06-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141482976","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Evolving Threats, Emerging Laws: Poland's 2023 Answer to the Smishing Challenge","authors":"Sebastian Zieliński","doi":"10.1016/j.clsr.2024.106013","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.106013","url":null,"abstract":"<div><p>In the face of rising cybersecurity threats like 'smishing'—SMS-based phishing attacks—this article examines how legislative efforts can effectively address these challenges. This article provides a comprehensive analysis of cybersecurity challenges, focusing on the still-growing phenomenon of 'smishing', within the legislative context. In particular, it explores the legal landscape of cybercrime through the lens of Poland's recently enacted Act on Combating Abuses in Electronic Communication, as well as the European Union's Cybersecurity Strategy for the Digital Decade. The former serves as a significant case study for examining legislative efforts aimed at mitigating cybersecurity risks in the field of electronic communications. The article describes the multi-layered, collaborative business-state approach of the Polish law, which can provide a solid framework for addressing current and future cybersecurity threats. The act stands as a promising tool for fortifying national cybersecurity infrastructure and could serve as a useful example for other jurisdictions grappling with similar issues. The law also engages citizens actively in its cybersecurity initiatives, promoting collective responsibility. In the broader European Union context, while the Polish Act undergoes scrutiny, this analysis also seeks to explore its alignment with the objectives outlined in the European Union's 2020 Cybersecurity Strategy for the Digital Decade. This examination aims to evaluate the extent to which the Polish legislative framework resonates with the overarching goals set forth by the European Union, thereby contributing to a deeper understanding of the synergy between national initiatives and the broader European cybersecurity strategy context.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106013"},"PeriodicalIF":3.3,"publicationDate":"2024-06-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141482975","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"EU sanctions in response to cyber-attacks as crime-based emergency measures","authors":"Yuliya Miadzvetskaya","doi":"10.1016/j.clsr.2024.106010","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.106010","url":null,"abstract":"<div><p>This contribution seeks to explore the growing use of administrative measures in response to cybercrimes by analysing the specific case of sanctions in response to cyber-attacks. They constitute a novel crime-based sanctions regime, laying the foundations of personalised deterrence with respect to malicious cyber actors, and consist of asset freezes and visa bans. This article reflects on the hazy boundary between crime-based sanctions as administrative or criminal law measures. The paper argues that while crime-based sanctions in response to cyber-attacks present certain similarities with criminal law measures, they remain complementary crime prevention instruments. Their administrative nature allows for an emergency response to malicious cyber operations that would not be permissible if a more stringent evidentiary standard were required.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106010"},"PeriodicalIF":3.3,"publicationDate":"2024-06-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141434316","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The reform of consumer protection in mobile payment services in China: Legislation, regulation, and dispute resolution","authors":"Ningyao Ye , Zeyu Zhao","doi":"10.1016/j.clsr.2024.106007","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.106007","url":null,"abstract":"<div><p>In China, mobile payment services, built on the rapid development of financial technology, have been playing an essential role in Chinese residents’ daily life, creating a cashless society. Unlike many advanced countries, which have a clear legal definition of financial consumers and include consumers of mobile payment services among them, China, as one of the largest markets for mobile payment services, has no clear legal definition of financial consumers and no clarity regarding whether consumers of mobile payment services count as financial consumers. This article not only provides a legal analysis of consumers of mobile payment services in China, but also explores the prospective reform of financial consumer protection with reference to other countries’ successful experience and standards. Through this analysis, the article attempts to find a solution for the Chinese financial consumer protection scheme and argues that the scheme has to be well designed to maintain a balance between consumers and mobile payment giants.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106007"},"PeriodicalIF":2.9,"publicationDate":"2024-06-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141323264","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Developing China's Approaches to Regulate Cross-border Data Transfer: Relaxation and Integration","authors":"Meng Chen (Associate Professor)","doi":"10.1016/j.clsr.2024.105997","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.105997","url":null,"abstract":"<div><p>This article illustrates the developing Chinese cross-border data flow regulation regime as it moves from a holistic national security conception towards a balance with personal information protection and digital economic development. Under the pressing demands of digital economy development and an increasing appeal to global data governance, China is progressively improving and modifying its original government-led and restrictive cross-border data regulations. Subsequent practices and the publication of the Provisions on Promoting and Regulating Cross-border Data Transfer (PPR) in March 2024 deliver a clear sign of relaxation of restrictions on cross-border data flow, especially on the subject of personal information outbound transfer. Detailed comparison with data provisions in the Regional Comprehensive Economic Partnership (RCEP), the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), and the Digital Economy Partnership Agreement (DEPA) demonstrates that global governance of cross-border data flows is unshaped but not unrealistic, even with current fragmented national approaches. China has established a complete personal information protection legal regime and is very close to integrating into transnational cooperation for a broader framework. In addition, by coordinating national provisions regarding cross-border data transfer with international rules and piloting lenient cross-border data supervision mechanisms in numerous Pilot Free Trade Zones (PFTZs), China is ready to evolve its cross-border data flow regulations and contribute to global data governance step by step.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 105997"},"PeriodicalIF":2.9,"publicationDate":"2024-06-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141291115","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Non-fungible tokens, tokenization, and ownership","authors":"Janne Kaisto , Teemu Juutilainen , Joona Kauranen","doi":"10.1016/j.clsr.2024.105996","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.105996","url":null,"abstract":"<div><p>The emergence of non-fungible tokens (NFTs) in the blockchain environment has prompted many intriguing questions for private law scholars around the world. A question as basic as whether NFTs can be owned has proven difficult in many countries. This is the first research question of our article, which focuses on NFTs created in the Ethereum system using the ERC-721 standard. Because these NFTs are identifiable and distinguishable from all other tokens, the notion of owning an NFT is not unthinkable. Yet no universal answer can be offered. Whether NFTs qualify as objects of ownership must be studied at the level of individual legal systems. We argue that NFTs can be owned under Finnish law, with the same probably applying to many other legal systems. Starting with this notion, we pose two further research questions. As the second research question, we ask what problems of a patrimonial law nature may arise in attempts to connect different kinds of rights, even irrevocably, to owning or holding an NFT. Creditor rights seem relatively easy in this respect because most legal systems allow prospective debtors to obligate themselves as they wish. We also study whether a limited liability company could issue an NFT as a share certificate with legal effects corresponding to those of a physical (paper) share certificate. While an affirmative answer could be justified in some legal systems, Finnish law makes it difficult to tokenize a company's shares other than in the framework of a settlement system within the meaning of the European Union's DLT Pilot Regulation. Even greater difficulties arise in attempts to connect the ownership of a (material) thing and of an NFT so that a person who owns a token also owns the thing. Our third and final research question addresses tokenization of digital art, which gives rise to some special questions. We ask what rights the transferee of an NFT can receive in connection with tokenization of digital art. Here, our main finding is that digital art can be meaningfully tokenized even though digital copies are not regarded as possible objects of ownership.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 105996"},"PeriodicalIF":2.9,"publicationDate":"2024-06-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0267364924000633/pdfft?md5=838d6e36f0dd3951b89091ec34f342ef&pid=1-s2.0-S0267364924000633-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141291117","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"From Brussels Effect to gravity assists: Understanding the evolution of the GDPR-inspired personal information protection law in China","authors":"Wenlong Li , Jiahong Chen","doi":"10.1016/j.clsr.2024.105994","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.105994","url":null,"abstract":"<div><p>This paper explores the evolution of China's Personal Information Protection Law (PIPL) and situates it within the context of global data protection development. It draws inspiration from the theory of the ‘Brussels Effect’ and provides a critical account of its application in non-Western jurisdictions, taking China as a prime example. Our objective is not to provide a comparative commentary on China's legal development but to illuminate the intricate dynamics between the Chinese law and the EU's GDPR. We argue that the trajectory of China's Personal Information Protection Law calls into question the applicability of the Brussels Effect: while the GDPR's imprint on the PIPL is evident, a deeper analysis unveils China's nuanced, non-linear adoption that diverges from many assumptions of the Brussels Effect and similar theories. The evolution of the GDPR-inspired PIPL is not a straightforward outcome of the Brussels Effect but a nuanced, intricate interplay of external influence and domestic dynamics. We introduce a complementary theory of ‘gravity assist’, which portrays China's strategic instrumentalisation of the GDPR as a template to shape its unique data protection landscape. Our theoretical framework highlights how China navigates through a patchwork of internal considerations, international standards, and strategic choices, ultimately sculpting a data protection regime that has a similar appearance to the GDPR but aligns with its distinct political, cultural and legal landscape. With a detailed historical and policy analysis of the PIPL, coupled with reasonable speculations on its future avenues, our analysis presents a pragmatic, culturally congruent approach to legal development in China. It signals a trajectory that, while potentially converging at a principled level, is likely to diverge significantly in practice, driven by China's broader socio-political and economic agendas rather than the foundational premises of EU data protection law and its global aspirations. It thus indicates the inherent limitations of applying the Brussels Effect and other theoretical frameworks to non-Western jurisdictions, highlighting the imperative for integrating complementary theories to more accurately navigate complex legal landscapes.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 105994"},"PeriodicalIF":2.9,"publicationDate":"2024-06-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S026736492400061X/pdfft?md5=9c7fcdd53bcd61a59b343d95a6550735&pid=1-s2.0-S026736492400061X-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141291116","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}