{"title":"Operational Technology resilience in the 2023 draft delegated act on cybersecurity for the power sector—An EU policy process analysis","authors":"Øyvind Toftegaard , Guro Grøtterud , Bernhard Hämmerli","doi":"10.1016/j.clsr.2024.106034","DOIUrl":"10.1016/j.clsr.2024.106034","url":null,"abstract":"<div><p>The EU’s 2020 Cybersecurity Strategy promotes cybersecurity as essential for building a resilient, green, and digital Europe. Cleaner energy sources such as wind and solar are more volatile and thus need digital integration with Industrial Control Systems (ICS) for grid balancing. However, the digitization and the properties of cyberspace provide the ability to coordinate disruptive cyberattacks against power grid infrastructures. Digital weapons may be launched against ICS to start multiple cascading outages with a keystroke, causing large-scale blackouts we have never seen before. To reduce risk, the EU’s Strategy describes three objectives for ICS: Secure-by-design, resilient, and timely patched. In the strategy, the European Commission suggests a ”network code,” i.e. a delegated act for the electric power sector, setting rules for cybersecurity in cross-border electricity flows. The draft delegated act of November 2023 presents security requirements for Information and Communication Technology (ICT) and Network and Information Systems (NIS). Although ICS systems are used directly to manage electricity flows, ICS is only mentioned in one of the delegated act’s recitals as a subcategory of ICT products. Suppose Information Technology (IT) rather than Operational Technology (OT) is the focus of the delegated act. In that case, policymakers may not fulfill the EU cybersecurity strategy’s ICS objectives, thus failing to improve the resilience of power grid infrastructures and cross-border electricity flows. This study is a policy process analysis, and its contribution is threefold. 
First, a literature review is conducted to understand the extent to which the delegated act covers OT. Second, a framework condition analysis is applied to understand why the delegated act lacks OT-specific security requirements. Third, the analysis is extended to understand whether OT is sufficiently covered to achieve the EU strategy’s ICS objectives. In conclusion, our analysis shows a strong intention to include OT-specific security in the preparatory work of the delegated act, but that a stronger position of the IT communities forced OT onto the sideline. Further, the study shows weak fulfillment of general secure-by-design principles and security patch management. These results indicate that OT coverage in the delegated act is not in line with the expectations of the EU’s cybersecurity strategy and the delegated act’s early preparatory work. Therefore, we have suggested three measures to increase OT resilience focus in the act: (a) Define the expressions NIS, ICT services, ICT processes, and ICT in general as umbrella terms that include OT, (b) The foreseen minimum and advanced cybersecurity controls should require OT-specific measures, including holistic secure-by-design principles and patch management covering all patching phases, (c) Develop an OT implementation guide for the delegated act. 
Our work can be used by policymakers to optimize cybersecurity ","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106034"},"PeriodicalIF":3.3,"publicationDate":"2024-08-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0267364924001006/pdfft?md5=5e0c64e3d85ae578ddac4e98056a92a3&pid=1-s2.0-S0267364924001006-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142012809","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Pornography, sexual privacy and copyright","authors":"Abhilash Nair, James Griffin","doi":"10.1016/j.clsr.2024.105990","DOIUrl":"10.1016/j.clsr.2024.105990","url":null,"abstract":"<div><p>This article proposes a new paradigm in the consideration of privacy in pornographic works in copyright enforcement actions. It focuses particularly on attempts to threaten individuals with copyright infringement action based on a speculative invoicing model. We approach this issue from the perspective of the right to sexual privacy of alleged infringers, which, as we argue, is particularly pertinent for pornographic works. The courts in England and Wales have broadly recognised the role of individual privacy and embarrassment caused to alleged infringers in the leading cases of <em>Golden Eye</em> and subsequently in <em>Mircom</em>, but the law remains unclear with no real recognition of, or meaningful mechanisms in place to address, the underlying issues. The article points out that this is due to a fundamental lack of appreciation of sexual privacy at a conceptual level in the context of consumption of pornography in the internet age, and consequent failure to consider this in copyright enforcement proceedings. We argue that the law should achieve a balance between the right holder's interest and the sexual privacy of alleged infringers, and copyright enforcement actions need to be approached with this in mind. 
This calls for a fundamental reconceptualisation of the right to privacy, and we call upon the courts to recognise and balance the sexual privacy rights of the alleged infringers of copyright in pornographic works with the interests of the right holders in certain copyright enforcement actions to achieve fair and equitable outcomes.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 105990"},"PeriodicalIF":3.3,"publicationDate":"2024-08-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0267364924000578/pdfft?md5=aeba3b57cc50d5148f6bc266d84d45b6&pid=1-s2.0-S0267364924000578-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142006412","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"How might the GDPR evolve? A question of politics, pace and punishment","authors":"Gerard Buckley , Tristan Caulfield , Ingolf Becker","doi":"10.1016/j.clsr.2024.106033","DOIUrl":"10.1016/j.clsr.2024.106033","url":null,"abstract":"<div><p>The digital age has made personal data more valuable and less private. This paper explores the future of the European Union’s General Data Protection Regulation (GDPR) by imagining a range of challenging scenarios and how it might handle them. We analyse United States’, Chinese and European approaches (self-regulation, state control, arms-length regulators) and identify four key drivers shaping the future regulatory landscape: econopolitics, enforcement capacity, societal trust, and speed of technological development. These scenarios lead us to envision six resultant versions of GDPR, ranging from laxer protection than now to models empowering individuals and regulators. While our analysis suggests a minor update to the status quo GDPR is the most likely outcome, we argue a more robust implementation is necessary. This would entail meaningful penalties for non-compliance, harmonised enforcement, a positive case to counter the regulation-stifles-innovation narrative, defence of cross-border data rights, and proactive guidelines to address emerging technologies. 
Strengthening the GDPR’s effectiveness is crucial to ensure the digital age empowers individuals, not just information technology corporations and governments.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106033"},"PeriodicalIF":3.3,"publicationDate":"2024-08-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0267364924000992/pdfft?md5=0e110841ca9f0647a9535293139f5c91&pid=1-s2.0-S0267364924000992-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142001750","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Harmonizing innovation and regulation: The EU Artificial Intelligence Act in the international trade context","authors":"Qiang REN , Jing DU","doi":"10.1016/j.clsr.2024.106028","DOIUrl":"10.1016/j.clsr.2024.106028","url":null,"abstract":"<div><p>The European Union's Artificial Intelligence Act focuses on establishing harmonized rules across EU Member States so that AI systems are safe, transparent, and respectful of existing laws and fundamental rights. It introduces a risk-based regulatory approach, classifying AI applications by risk levels and imposing stringent compliance requirements on high-risk applications. The paper critically examines the Act's provisions, including its prohibitions on certain AI practices, requirements for high-risk AI systems, and mandates for transparency and human oversight. The paper examines the implications of the Act for international trade and technological regulation, particularly in the context of the World Trade Organization's Technical Barriers to Trade (TBT) Agreement. It addresses the Act's potential impact on developing countries, highlighting concerns that the Act's uniform standards could potentially exacerbate the digital divide and create barriers in global AI innovation and trade. 
The paper suggests incorporating flexibility and differential standards in the Act, enhancing technical assistance for developing countries, and advocating the EU's active participation in global standard-setting.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106028"},"PeriodicalIF":3.3,"publicationDate":"2024-08-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141991346","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The Fundamental Rights Impact Assessment (FRIA) in the AI Act: Roots, legal obligations and key elements for a model template","authors":"Alessandro Mantelero","doi":"10.1016/j.clsr.2024.106020","DOIUrl":"10.1016/j.clsr.2024.106020","url":null,"abstract":"<div><p>What is the context which gave rise to the obligation to carry out a Fundamental Rights Impact Assessment (FRIA) in the AI Act? How has assessment of the impact on fundamental rights been framed by the EU legislator in the AI Act? What methodological criteria should be followed in developing the FRIA? These are the three main research questions that this article aims to address, through both legal analysis of the relevant provisions of the AI Act and discussion of various possible models for assessment of the impact of AI on fundamental rights.</p><p>The overall objective of this article is to fill existing gaps in the theoretical and methodological elaboration of the FRIA, as outlined in the AI Act. In order to facilitate the future work of EU and national bodies and AI operators in placing this key tool for human-centric and trustworthy AI at the heart of the EU approach to AI design and development, this article outlines the main building blocks of a model template for the FRIA. 
While this proposal is consistent with the rationale and scope of the AI Act, it is also applicable beyond the cases listed in Article 27 and can serve as a blueprint for other national and international regulatory initiatives to ensure that AI is fully consistent with human rights.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106020"},"PeriodicalIF":3.3,"publicationDate":"2024-08-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0267364924000864/pdfft?md5=8d7f252655f8baa66bbefaa915063643&pid=1-s2.0-S0267364924000864-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141991345","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Open government data in the Brazilian digital government: Enabling an SDG acceleration agenda","authors":"Larissa Galdino de Magalhães Santos","doi":"10.1016/j.clsr.2024.106029","DOIUrl":"10.1016/j.clsr.2024.106029","url":null,"abstract":"<div><p>Open Government Data (OGD) has evolved from the mere generation of public data to its active management, but the strategic evolution still needs to be explored. This article explores the intersection of government's digital transformation, the Sustainable Development Goals (SDGs), and the role of government open data initiatives. The study focuses on the Brazilian trajectory, employing the \"data as a public good\" approach to evaluate data governance and capabilities as facilitators of sustainable digital transformation. The GDB method aligns with the SDG Digital Acceleration agenda, providing insights into integrating data in society and digital transformation. The study concludes by indicating the need for more dialogue and synergy between data management and government strategies. It emphasizes integrating data management, privacy protection, transparency, and ethical considerations for sustainable impact.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106029"},"PeriodicalIF":3.3,"publicationDate":"2024-08-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141953186","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The protection of vulnerable algorithmic groups through collective data protection in the onlife world: A Brazilian perspective","authors":"Diego Machado","doi":"10.1016/j.clsr.2024.106027","DOIUrl":"10.1016/j.clsr.2024.106027","url":null,"abstract":"<div><p>The aim of this doctrinal legal study is to analyze the interplay between the vulnerability of groups in algorithmic systems and the protection of collective interests in data protection law in Brazil's legal system. Two research questions are raised: (i) Is the protection of personal data regulation applicable to data processing activities related to algorithmic groups? and (ii) can algorithmic groups be regarded as groups with vulnerability under the LGPD legal regime? This article is divided into three parts apart from the introduction, and combines three strands of research, namely group rights theory, vulnerability studies, and law and technology perspective. This combination is key to outline, in Sections 2 and 3, a theoretical framework that elucidates the concepts of collective data protection and group vulnerability mapping both onto the notion of algorithmic groups. Section 2 argues for the collective dimension of the right to the protection of personal data as the foundation of a collective data protection. Section 3, in turn, explores the conceptualization of group vulnerability and how this discourse resonates with algorithmic groups in the onlife world. I draw on vulnerability studies, and on Mireille Hildebrandt's law and technology perspective to delineate what do I mean by group vulnerability and how do I articulate theoretically this notion with algorithmic groups and the affordances of algorithmic systems. Section 4 examines the relation between collective data protection and vulnerability of algorithmic groups under the data protection legal framework in Brazil. 
To answer the research questions, the analysis is concentrated on three aspects of Brazilian data protection law: (i) the “collectivization of data protection”; (ii) the integration of group vulnerability in the data protection legal framework; (iii) data protection impact assessments in the context of LGPD's risk-based approach. The collective dimension of the right to personal data protection is increasingly recognized in Brazilian law through class-action litigation, particularly in the context of addressing vulnerabilities caused by new data-driven technologies. This collective dimension should guide courts and the Brazilian DPA in interpreting and applying the LGPD, especially Art. 12, § 2, regarding group data processing by algorithmic profiling systems. Data protection law in Brazil acknowledges that groups of data subjects may face vulnerability, requiring special protection and safeguards to mitigate risks and violations. Group vulnerability signals contexts deserving special attention and serves as a source of obligations and rights. Within LGPD's risk-based approach, mandatory DPIAs in ML-based algorithmic profiling systems help identify vulnerable groups and implement appropriate safeguards to mitigate risks of harm or rights violations. Non-compliance with safeguard implementation obligations should be considered a breach of Brazilian data protecti","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106027"},"PeriodicalIF":3.3,"publicationDate":"2024-08-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141961484","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The many features which make the eIDAS 2 Digital Wallet either risky or the ideal vehicle for the transition to post-quantum encryption","authors":"Giovanni Comandè , Margaret Varilek","doi":"10.1016/j.clsr.2024.106022","DOIUrl":"10.1016/j.clsr.2024.106022","url":null,"abstract":"<div><p>The amended Digital Identity Framework Regulation (“eIDAS 2″) is expected to be implemented by 2026, including its new solution of the Digital Identity Wallet from each Member State for its residents, citizens, and businesses. Widely used public key cryptosystems including those in the current EUDI Wallet prototypes are using electronic signatures and authentication that will need to be replaced by post-quantum resistant cryptography (PQC). In April 2024, the EU recommended general action by the Member States to prepare for quantum capability. We suggest that the European Digital Identity Wallet could be the starting point for an impactful debut of hybrid “quantum resistant” cryptography tools to align the Member States in the transition. We look at the awareness campaigns of ENISA and national cybersecurity authorities in the USA, Spain, UK and Germany on the transition to PQC using a hybrid approach. There seems to be some early consensus that NIST's PQC algorithms are likely to set the international standard. Given the eIDAS 2′s flexible, technologically neutral language, it allows the timely implementation of new secure encryption methods. The Wallet could be an exemplary model for large businesses, or app developers, and SMEs that also must transition to PQC to render secure those asymmetrically encrypted quantum-vulnerable digital assets. 
A very large and relatively fast uptake of the EUDI Wallet system is expected, and if it holds the promises of functionality, user friendliness, and security across the changing technological world, the EUDI Wallet's approach could become a benchmark for the transition to post-quantum capacity.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106022"},"PeriodicalIF":3.3,"publicationDate":"2024-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141961483","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"When non-consensual intimate deepfakes go viral: The insufficiency of the UK Online Safety Act","authors":"Beatriz Kira","doi":"10.1016/j.clsr.2024.106024","DOIUrl":"10.1016/j.clsr.2024.106024","url":null,"abstract":"<div><p>Advancements in artificial intelligence (AI) have drastically simplified the creation of synthetic media. While concerns often focus on potential misinformation harms, ‘non-consensual intimate deepfakes’ (NCID) – a form of image-based sexual abuse – pose a current, severe, and growing threat, disproportionately impacting women and girls. This article examines the measures implemented with the recently adopted Online Safety Act 2023 (OSA) and argues that the new criminal offences and the ‘systems and processes’ approach the law adopts are insufficient to counter NCID in the UK. This is because the OSA relies on platform policies that often lack consistency regarding synthetic media and on platforms’ content removal mechanisms which offer limited redress to victim-survivors after the harm has already occurred. 
The article argues that stronger prevention mechanisms are necessary and proposes that the law should mandate all AI-powered deepfake creation tools to ban the generation of intimate synthetic content and require the implementation of comprehensive and enforceable content moderation systems.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106024"},"PeriodicalIF":3.3,"publicationDate":"2024-07-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0267364924000906/pdfft?md5=e8c861b6693900d176a62ac2f6801b2e&pid=1-s2.0-S0267364924000906-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141954621","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The blocking of Booking/Etraveli – When the first victim of EU's anti-US tech stand was a European","authors":"Dr. Christian Bergqvist","doi":"10.1016/j.clsr.2024.106025","DOIUrl":"10.1016/j.clsr.2024.106025","url":null,"abstract":"<div><p>It came somewhat unexpected when Dutch <em>Booking</em>'s acquisition of Swedish <em>Etraveli</em> was blocked in the EU as the parties operated in two separate segments of the online economy, hotel accommodation and flight booking, making the merger unproblematic under normal circumstances. However, in the digital economy, nothing is normal as enforcement has tightened, mostly vis-à-vis US tech giants but apparently also vis-à-vis European undertakings. Interestingly, customers' unwillingness to shop around for offers, as otherwise accepted by, e.g., the UK authority, played a role in the outcome. The decision has been challenged before the EU's General Court, providing a case to watch.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106025"},"PeriodicalIF":3.3,"publicationDate":"2024-07-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0267364924000918/pdfft?md5=988f2f479691439097c5872023c102cd&pid=1-s2.0-S0267364924000918-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141953090","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}