The New EU Proposal To Regulate Data Protection in the Law Enforcement Sector: Raises the Bar But Not High Enough

On January 25, 2012, the EU Commission set forth a proposal for a Directive to regulate data protection in the law enforcement sector.  The Proposal Directive is designed to replace the current Framework Decision enacted in 2008 which has been widely criticized for being laden with loopholes, difficult to apply in real-world situations and generally incoherent.  As such, it is unsurprising that when viewed in comparison to the Framework Decision, the Proposal Directive can be seen to raise the proverbial bar for data protection rights in the law enforcement context.

First, and most basically, the Proposal Directive will be capable of having direct effect which means that individuals should be able to enforce the rights conveyed in the Proposal Directive in the courts of EU Member States.  Furthermore, and in a substantial departure from the Framework Decision, the Proposal Directive will apply equally to both cross-border data processing and all data processing activities by the police and judiciary authorities at a purely national level.  The result of this new provision will be to eliminate many difficulties for the police and other competent authorities who have found it hard to distinguish between purely domestic and cross-border processing in practice.

Also unlike the Framework Decision, the Proposal Directive requires the distinction, as far as possible, between data based on facts and data based on opinions or personal assessments.  This will help clarify the accuracy and reliability of the data before it is made available in compliance with the data quality principle.  Similarly, the Proposal Directive distinguishes between personal data of different categories of data subjects (e.g. witnesses, victims).  This is relevant in determining, first, whether the processing of the personal data is proportionate to the objective pursued and, second, whether additional safeguards are required to protect the specific needs of individuals.  Furthermore, the Proposal Directive establishes supervisory authorities, attempts to address the complicated issue of profiling and seeks to increase transparency in the field by requiring, among other things,  data breach notifications.

The Proposal Directive, however, could have gone much further towards strengthening individual data protection rights.  By opting for a separate directive addressing data protection in the law enforcement context rather than creating a single, comprehensive regulation for data protection with general application across the EU, the Proposal Directive fails to recognize the growing involvement of the private sector in law enforcement.  That is, data increasingly moves from the private sector to the law enforcement sector, the result of which has been a blurring of the different categories of data and an obfuscation of the legal rules.

While the Proposal Directive seeks to narrow the derogations to the purpose limitation principle that were set forth in the Framework Decision, there still remains a lack of legal certainty about the onward processing of personal data by law enforcement authorities beyond the initial purpose for which the data was collected.  This uncertainty is, of course, highly problematic from the perspective of the data subject who, pursuant to the basic guidelines of the Council of Europe Convention No. 108, should be in a position to reasonably foresee how his or her data will be processed.  This is particularly true in the law enforcement context where the power of the State is at its pinnacle.

Furthermore, the Proposal Directive fails to sufficiently clarify the procedure for sending data to third countries, which is especially disappointing in light of the increasingly global and networked environment.  It also creates a fragmented and uncertain legal environment to the extent that it does not apply to processing by Union institutions, bodies, offices and agencies.

For more analysis, please see a memo that I have written on this topic.

Law as a Service?

Historically law has been provided as a service allowing the state and individuals to enforce their rights or obligations. The online world has, however, changed the nature of legal services to some extent. Disputes can now occur purely in an online environment, individuals search for lawyers online, legal advice is given without human interaction, legal documents are created using online services.

There are both challenges and possibilities resulting from this development, both for lawyers who may provide some or all of these services online and for individuals who use the services to help them in their everyday legal matters. Lawyers face competitors outside the traditional legal market, whilst being able to reach a wider audience or a niche market. Individuals must be able to rely on the advice they receive, and will therefore want to know that those who offer online services are trusted legal professionals. At the same time, they may be able to avoid a legal problem entirely by taking advantage of such services at a much earlier stage than has traditionally been the case.

As discussed in LaaS – Law as a Service, Lov&Data Nr. 4/2011, for such online legal services to prosper, many changes are needed. To mention a few:

- making online services available to a wider audience,
- creating services that connect legal issues, rather than focusing solely on one topic,
- outsourcing some work from lawyers to technology,
- preparing lawyers and legal professionals better for their future careers e.g. through updating legal education.

This last point is perhaps of most interest to us at IRI. It is not just about educating students in the letter of the law, but about how law is presented to the public and the way in which legal advice is given, both now and in the future. One next step, of course, would be law as an app.

Pam Storr & Christine Kirchberger

Privacy and online copyright – Australia’s High Court leads the way (but in the wrong direction)

In December 2011, the High Court of Australia heard an appeal by copyright-owning organisations against an Australian Internet Service Provider (Roadshow Films Pty Ltd & Ors v iiNet Limited, No. S288 of 2011 1 & 2) relating to whether internet service providers can be held liable for the alleged online piracy of their subscribers. Essentially, the copyright owners want the ISPs to disconnect those of their users who are accused, by the copyright owners, of having infringed copyright e.g. through illegal file sharing.

While we are still waiting for the judgment in the substantive dispute in focus, a few important questions have already been answered by the Court through the manner in which it dealt with the applications for leave to intervene that were made by no less than six organisations. All but one were refused leave to intervene.

The privacy issue

One organisation that sought leave to intervene as amicus curiae is the Australian Privacy Foundation (APF). Before going any further, I should proclaim my biased position as I am a Vice-Chair of the APF and the author of the APF’s application for leave to intervene.

Put simply, the basis for the APF’s application to be heard as amicus was that, since neither the collection of evidence by the appellants, nor the activities the appellants want the respondent to engage in, can take place without invasions of the privacy of individual Internet users, the Court’s decision will affect the privacy of virtually every Australian on a day to day basis.

The High Court of Australia, however, failed to recognise the importance of privacy in the matter and ordered that the “summons for leave to be heard as an amicus curiae by the Privacy Foundation should be dismissed on the basis that its submissions are not sufficiently relevant to the matters which the Court has to decide.” (para 7)

This is undoubtedly troubling as the Internet is a near perfect tool for surveillance, and privacy must be tended with care in every decision that impacts upon it, if our fundamental right of privacy is to be preserved in modern society. With the copyright holders acting as investigators and prosecutors, and ISPs being forced to take on the role of judge and jury, there may be little protection for the rights of individual Internet users. The idea of innocent until proven guilty will be lost if, when the copyright holders suspect that you, or someone else using your Internet connection, has downloaded illegal copies, the ISPs can be sued for not disconnecting you. This is particularly serious because being disconnected from the Internet these days is being disconnected from society.

In addition, the High Court’s approach highlights further that Australia’s attitude towards privacy protection does not meet the standard held in Europe. For example, in a case similar to the iiNet case (Case C‑70/10 Scarlet v SABAM [2011]), the European Court of Justice has recognised IP addresses as personal data, noting that: “It is common ground, first, that the injunction requiring installation of the contested filtering system would involve a systematic analysis of all content and the collection and identification of users’ IP addresses from which unlawful content on the network is sent. Those addresses are protected personal data because they allow those users to be precisely identified.” (para 51).

The broader concern

Apart from the important privacy implications of the High Court’s approach, it is interesting to consider more broadly the repercussions of how the Court chose to deal with the applications to intervene.

The flaw in the HCA’s reasoning is obvious in para 6: “it is necessary to consider not only whether some legal interests of the applicant may be indirectly affected but also, and in this case critically, whether the applicant will make submissions which the Court should have to assist it to reach a correct determination. Ordinarily then, in cases like the present where the parties are large organisations represented by experienced lawyers, applications for leave to intervene or to make submissions as amicus curiae should seldom be necessary or appropriate”.

This narrow-minded approach assumes that there are no relevant interests apart from the interests of the parties; a notion that does not survive even the lightest degree of scrutiny. Imagine, for example, that two oil tankers collide. Imagine further that in allocating the blame, the court hearing the matter can reach a conclusion that has the effect of placing a more onerous burden on all shipping companies transporting oil etc. on the seas. Of course neither of the parties (who no doubt would be large organisations represented by experienced lawyers) will argue for such an outcome, even though it may be the best outcome for society.

The simple fact is that the role of courts is not merely to decide disputes – they are also tasked with setting down principles that govern society, and this holds true both in Common Law and Civil Law countries. Consequently, a court that only considers the interests of the parties is failing to perform its function.

Concluding remarks

Based on the above, I can only reach the disappointing conclusion that, while it remains to be seen which of the parties wins the iiNet case, it is already clear that the Australian public is the biggest loser.

Tanzania establishes Computer Emergency Response Team

Tanzania has joined the global initiative to fight cyber crime and strengthen cyber security by establishing a Computer Emergency Response Team (CERT).

The Tanzania CERT is established under section 124 of the Electronic and Postal Communications Act (EPOCA), Act No. 3 of 2010. Details of the Tanzania CERT’s composition and functions are provided under the EPOCA CERT Regulations 2011, Government Notice No. 419 of 2011.

For more information see:  http://www.tcra.go.tz/regulation/cert.pdf or http://www.tcra.go.tz/policy/epoca.pdf

The EU Commission’s Proposal For Sweeping Data Protection Reform

The annual conference, Computers, Privacy & Data Protection, was held in Brussels last week.  The purpose of the conference is to create a forum where various individuals can exchange ideas about key issues in the fields of privacy, data protection, technology and society.  This year, of course, the biggest topic of discussion was the European Commission’s proposal for a comprehensive reform of EU data protection rules, which was announced on the first day of the meeting.

On January 25, Ms. Francoise Le Bail, Director-General for DG Justice, gave a keynote speech in which she highlighted some of the major goals of the Commission’s proposal.  First, she emphasized that the proposal is unequivocally designed to modernize the EU’s data protection regime and to strengthen the rights of individuals.  She explained that one way to achieve these goals is to require “explicit” consent in order to process data, despite the fact that this may be burdensome for data processors (how many pop-up boxes requiring consent constitutes “explicit” consent?).  Second, she emphasized that the use of a “single rule” (i.e. the use of a regulation rather than a directive) would help to reinforce the rights of individuals, save companies money and reduce “red tape” insofar as it would create a “one stop shop” for data protection regulation and enforcement.  Third, she highlighted the proposal’s goal of strengthening the powers of national data protection authorities who, pursuant to the draft document, would be empowered to fine companies that violate EU data protection rules up to €1 million or up to 2% of the company’s global annual turnover.  Finally, Ms. Le Bail stated that the proposal seeks to facilitate the free flow of data among the member states and to third countries to the extent that it is designed to reduce authorizations, facilitate binding corporate rules and clarify adequacy decisions.  For more, see the Commission’s press release.

Privacy and data protection advocates at the conference, at least generally, seemed to applaud the Commission’s sweeping reform and viewed it as an excellent starting point for a modern EU data protection regime.  These individuals seemed particularly pleased with the choice of a regulation, which would allow all EU citizens to receive the same high level of data protection regardless of their country of residence.  Privacy advocates also welcomed the proposal’s call for increased accountability on the part of data controllers and its ambition to strengthen the enforcement powers of national data protection authorities.  For more, see the European Data Protection Supervisor’s press release.

The business reaction at the conference was mixed.  Businesses seemed pleased with the prospect of reduced administrative burdens facilitated by the “one stop shop” approach.  On the other hand, there was a feeling that the proposal creates a gulf between the theory and practice of data processing.  Christopher Kuner noted that while Privacy Impact Assessments (PIAs) can be useful and necessary in many instances, the provisions on PIAs in the proposal might overly burden small and medium sized businesses.  He also stated that many EU companies might have to renegotiate their contracts in order to adapt to the reallocation of duties between data controllers and processors.  He further stated that the provisions concerning “the right to be forgotten” and security breach notifications appeared to be problematic (at least from his cursory view of the proposal, which was announced just hours before his speech).  Finally, he noted that the data transfer issues posed by cloud computing did not appear to be adequately addressed by the regulation.

Ultimately, it will probably be another year or two before the Commission’s proposal is adopted, so we will have to stay tuned to see what happens.

Shedding Light on Internet Regulation in Belarus

By Aleksey Ponomarev, LL.M in Law and Information Technology from Stockholm University

Since the beginning of January 2012 a new Belarusian Internet regulation has been at the center of attention of various online media resources. However, it appears that the rules of the previously enacted Presidential Edict No. 60 have been misinterpreted, which has caused serious confusion in the world media. The sensation from Belarus headlined “Belarus Bans Browsing of All Foreign Websites” is being widely discussed and has been republished by various online media resources (BBC, Washington Post, Forbes, La Stampa, ZDNet, The Next Web, Mashable, TorrentFreak, etc.). The initial source of the incorrect assumptions surprisingly seems to be the reputable resource of the US Library of Congress, which published the article “Belarus: Browsing Foreign Websites a Misdemeanor”[1], citing the Belarusian “yellow pages” Interfax news agency as its source. The speed with which the misleading story filled the mainstream media was truly remarkable: in a few days more than 50 resources from different states had republished the incorrect information without properly checking it.

The confusion can be explained by the lack of objective and qualified information on Belarusian Internet regulation, on the one hand, and the ambiguity of the provisions of law regulating the Internet, on the other. It is important to understand that the Presidential Edict No 60 on Measures to Improve the Use of the National Segment of the Internet Network (hereinafter referred to as the Edict) entered into force on 1 July, 2010, and its provisions have been in force for the past year and a half. Since entering into force the Edict, supported by subordinate legislation, has brought neither radical changes to the Belarusian online market nor heavy limitations of human rights and freedoms. Contrary to media reports, visiting foreign websites is not considered a violation of the law, nor have any foreign websites been blocked, as neither measure is prescribed by the Edict.

While the Edict itself received little attention from the foreign media, the enforcement of sanctions for violation of its provisions became the subject of heated discussion in January 2012. The Law Amending the Administrative Offences Code (hereinafter referred to as the Law), which entered into force on 6 January, 2012, enacted sanctions for violation of the provisions of the Edict in the form of a fine (approx. EUR 32 to EUR 96) as the only legal sanction applicable to violation of the rules prescribed by the Edict. Other sanctions, such as blocking access to foreign websites or other measures, are prescribed neither by the Edict nor by the Law.

The full version of this article is available at the pages of the blog on Information Technology law and Internet regulation in Belarus available at www.ITlaw.by.


[1] Roudik, Peter, Belarus: Browsing Foreign Websites a Misdemeanor, available at: http://www.loc.gov/lawweb/servlet/lloc_news?disp3_l205402929_text

Proposal for an amended PSI Directive published

By Lars Klasén

On 12 December the European Commission published a proposal for amendments to the current so-called PSI Directive, Directive 2003/98/EC on the re-use of public sector information. The intention is that the new directive will take effect on 1 January 2013. Member States will then have 18 months to implement it.

The background is the review of the directive’s application carried out during 2009, followed by an extensive public consultation in the autumn of 2010. The conclusion was that “much remains to be done to maximise the potential of re-use” and that several of the directive’s provisions “need to be amended or clarified”. The question of charging produced no consistent answers, so here the conclusion was only that “the differences between the needs of information holders and re-users must be taken into account so as not to hinder the re-use of data”.

Key ingredients of the amended directive

- A general rule that all documents available from public authorities may be re-used for any purpose, commercial or non-commercial, unless they are protected by third-party copyright.

- Documents held by libraries, museums and archives, for which these institutions hold the intellectual property rights, are also covered. These institutions are exempt today.

- Documents should be made available in machine-readable format together with their metadata, where possible and appropriate, in a format that guarantees interoperability.

- If a charge is made, it must be limited to the marginal costs of reproduction and dissemination. Today the full-cost-recovery principle applies. Most data should, however, be provided free or almost free of charge.

- The burden of proof that charges are levied in accordance with the above lies with the authority levying the charge. An authority’s decision must be reviewable by a special, independent supervisory authority. This authority will also be responsible for granting exemptions from the directive’s rules, e.g. for authorities that depend on revenue for their operations.

- Licences may be used, but only where necessary.

- Authorities must provide a means of searching for which documents are available for re-use, e.g. through registers or lists.

Comments

The fundamental rationale for the directive is, as before, primarily tied to the economic potential of publicly produced information, expressed as follows in the European Commission’s press release of 12 December 2011: “Europe’s public administrations are sitting on a goldmine of unrealised economic potential: the large volumes of information collected by numerous public authorities and services.”

I believe that today’s commercial information intermediaries are relatively satisfied with the proposed changes. They get sharper weapons in hand when they fight the often reluctant authorities, not only in getting data out but also with regard to charges. The supervisory authority is, as I understand it, fundamental in this context. Pursuing one’s case against an authority today is very cumbersome. But those who benefit above all are a range of other actors, non-profit or commercial, private individuals or companies, who want to use “raw data” to build applications, e-services, etc.

One of my regular reads, Computer Sweden, touches on the subject more and more often. For example, the editorial of 11/2, under the heading “Open data creates new developer jobs”, writes that “We urge the government to appoint an expert group to draw up a plan for creating standardised programming interfaces to give both companies and citizens access to raw data”. It is of course not that easy – just look at how “sluggish” progress has been within legal information alone, a small area in this context – but still, it is a sign of the times.

If one is to speak of losers, it is probably the individual authorities. Apart from the fact that many are probably reluctant merely to hand over “their” information, the new requirements may mean new tasks for which it is difficult to obtain cost coverage. Not to mention the work of creating asset inventories, functions for extracting raw data and, in the extreme case, the “standardised programming interfaces” that Computer Sweden calls for …

Perhaps that is why there is such silence about the amendment proposal? Not even Kungliga biblioteket (the National Library of Sweden) or Biblioteksföreningen (the Swedish Library Association), which are usually quick with comments, have reacted. But what surprises most is that e-delegationen (the Swedish e-Government Delegation), whose task is “to promote and coordinate the authorities’ work on improving the conditions for re-use of information from the public administration”, does not say a word about the proposal on its website.

Upcoming ADBJ seminar: “Dataspelens värld” (The World of Computer Games)

Tuesday 31 January 2012, 17:30

Advokatfirman Delphi, Regeringsgatan 30-32, Stockholm

Per Strömbäck, spokesperson for Dataspelsbranschen (the Swedish games industry association), will shed light on the development of games and of the industry, with forays into culture, law and economics. Among other things, he will address questions concerning the significance of exclusive rights, privacy and integration with social media.

More information about ADBJ can be found at: http://www.adbj.se/adbjweb/index.php

SubTech 2012 Conference in New York

The Twelfth International Conference on Substantive Technology in Legal Education and Practice (SubTech 2012) will be held Thursday through Saturday, July 26-28, at New York Law School in New York City (http://www.nyls.edu/).

The SubTech Conference has been held since 1990 and is arranged every other year, alternating between a US destination one time and a European one the next. The Conference focuses on the use of technology in legal education and examines how technology can best be utilized to produce better legal graduates who have a greater understanding of technology and are prepared for the technologically advanced law firm or court room.

Some previous SubTech destinations include: Salzburg, Chicago, Paris, Montreal, Stockholm, Cambridge (MA), Warwick (UK), Seattle, Oslo, Williamsburg, and Zaragoza.

General Data Protection Regulation Delayed

The European Commission’s proposed Regulation on Data Protection has been delayed. It was scheduled to be adopted in January but has now been delayed until February/March 2012. It is assumed that criticism of the newly proposed legislation during the internal legislative process is at the root of this decision.

More information regarding this can be found at the following link:

http://us2.campaign-archive2.com/?u=957214c9b3f3f5477a8fcc16d&id=fe2165ea59&e=40f331d5c7

Copyright © blawblaw
News about, from and around the Swedish Law and Informatics Research Institute (institutet för rättsinformatik)
