Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

posted by admin on gennaio 8, 2018

New technologies

(No comments)

More than a half century ago, Bob Dylan’s “A hard rain’s a-gonna fall” reflected a dark and turbulent world facing a potential nuclear attack, the rising threat of environmental pollution, a rapid shifting of the international order, a growing divisiveness within society and the dawning of new socio-political paradigms and power centers. Does this sound like today? Or is the falling rain the source of new opportunities?

Nomisma asked prominent experts from around the world to share their views on major trends which will affect the global agenda in the next year. Giusella Finocchiaro is the author of the chapter regarding Internet Law in 2018. All contributions are collected in a book edited by Andrea Goldstein and Julia K. Culver.

The book can be freely downloaded by clicking HERE.

The presentation of the book will take place in Milan, on the 12th of January 2018. For more information, please visit NOMISMA website.

 

posted by admin on dicembre 15, 2017

Privacy

(No comments)

The European Parliament has endorsed the opening of negotiations between the Parliament itself and the Council concerning the procedure for adopting the proposal for the Regulation on Privacy and Electronic Communications.

The current directive on e-Privacy was last reviewed in 2009 and the proposal for review, which was submitted on the 10th January 2017, replaces this directive with a Regulation which complements and particularises the European framework on data protection bringing it into line with the General Data Protection Regulation (“GDPR”) which will apply from 25th May 2018.

The Regulation on Privacy and Electronic Communications submitted by the Commission, will increase the protection of people’s private life and open up new opportunities for business. The measures presented aim at revising current rules, extending the scope to all communication service providers. The rules on privacy will now also apply to new operators who provide electronic communication services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage and Viber. The current e-Privacy Directive, which now only applies to traditional communication service providers, will be updated.

The objective is to increase trust in and the security of the Digital Single Market striking the right balance between a high level of protection for consumers and the opportunity for businesses to innovate. In addition, the proposal provides that personal data processing carried out by European institutions and bodies will ensure the same level of protection as that guaranteed by single Member States, as laid down in the General Data Protection Regulation (GDPR) and it defines a strategic approach to questions regarding the cross-border transfer of personal data.

 

 

posted by admin on novembre 15, 2017

Accountability, Privacy

(No comments)

The following is an analysis of a proposal for a regulation “for a framework on the free flow of non-personal data in the European Union”.

The objective of the regulation is the liberalisation of data flows. It is worth noting that this liberalisation suffers from two intrinsic limitations in the proposal: on the one hand it only refers to non-personal data, which, for clear reasons of consistency, are defined as “data other than those defined in art. 4, Regulation EU 2016/679”; and on the other hand it solely pertains to the movement of data within the European Union borders, whereas it in no way affects the exchange of data outside the Union.

The Commission identifies two main obstacles to businesses and public administrations having full freedom to choose the location where they store and manage their data.

The first obstacle is represented by the unjustified restrictions on data localisation imposed by public authorities in Member States. Over the years, the reasons which have moved Member States to impose the mandatory local storage of their data on national businesses and public administrations, include maintaining higher levels of security and facilitating easier monitoring by national authorities. For example, this includes the storage measures for financial statements and accounting data provided for in Germany, Denmark, Belgium and other northern European countries, which require that data be filed within national borders. In the same way, in countries such as Bulgaria, Poland and Romania data localisation requirements are imposed on winnings and user transactions. In Bulgaria for example, an applicant for a gaming license must assure that all data related to operations in Bulgaria is retained on a server located within the country. In addition, even when no specific territorial restriction is in place, business practice and common sense have in any case led in the direction of favouring localised data storage, turning down the chance of alternative cross- border offers.

The second obstacle to data liberalisation derives from private market limitations, which prevent data portability across IT systems by means of so-called vendor lock-in (aka proprietary lock-in or customer lock-in) practices. This widespread business phenomenon (e.g. Microsoft, Apple, Google, Nvidia, even hotels!) has its origin in providers wanting to create a condition of artificial dependence, which makes customers virtually totally dependent on them for the goods or services they provide. Customers are put in such a position that they cannot purchase goods or services from a competitor without incurring both the substantial costs and cumbersome and inconvenient organisational difficulties involved in switching to a new provider. Providers implement this sort of “forced loyalty” both by means of adopting technologies or standards differ from those used by competitors and the inclusion of contractual conditions which are particularly penalising in case of a switch.

Thus, in order to curb the spread of such practices and arrangements, with this proposal the Commission wants to tackle the problems through four lines of action.

Firstly, the proposal introduces a general principle of free circulation of data among Member States which allows businesses free choice of where to process or store their data. Legally provided restrictions will have to be be carefully scrutinised and will only be legitimate in cases when public and/or national security are at stake.

Secondly, with the intention of reassuring national legislators, the proposal guarantees that the competent authorities (of each Member State) will have access to data stored or processed in another Member State on the same conditions of access guaranteed nationally.

Thirdly, the proposal encourages the elaboration of self-regulatory codes of conduct which would smooth portability conditions and therefore, for example, switches of cloud service providers. The aim is that of also building a sort of “right to data portability” for non-personal data, in the same way as that provided for by the privacy Regulation for personal data. The need is to make sure that that customers’ freedom of choice is in place not only at the start of a contractual relationship, but that it is maintained and made technically possible for the entire duration of the relationship.

Lastly, the proposal establishes a central point of contact for each Member State, in order to guarantee the successful application of the new rules on the free flow of non-personal data.

In conclusion, there is no doubt that the regulation proposal is aimed first and foremost at businesses and public administrations, with significantly lower impact on individual citizens. However, if it is seen in the light of and in coordination with the European data framework, the proposal takes on much more general relevance. In fact, thanks to this new formulation, a number of the principles contained in the privacy Regulation, such as those regarding free data circulation and data portability, would be strengthened as a result of an extension of their scope of application.

 

 

posted by admin on ottobre 23, 2017

Events

(No comments)

More than 20 speakers will discuss cybersecurity at the 2017 China-EU School of Law Conference “Personal Data Protection in Times of Big Data” which will be held in Beijing on the 3rd of November 2017. Gao Hongbing, Vice President of Chinese internet giant Alibaba, is one of them.

At the 2017 China-EU School of Law Academic Conference, legal scholars and entrepreneurs from China and Europe will examine the legal challenges massive data collection poses to the protection of personal data. In speeches and panels, they will ask questions such as: Who owns collected data? How safe are databases? How can personal data be protected? What data can be analysed? Which legal framework can regulate this? China’s 2017 Cybersecurity Law and the EU’s 2018 General Data Protection Regulation play a key role in this debate.

Zhang Fusen, Former Minister of Justice of the People’s Republic of China, Hinrich Julius, Professor of Law and Project Coordinator of the China-EU School of Law Consortium Office are slated to open the conference. Giusella Finocchiaro is one of the panel speakers.

The conferece will start at 9 a.m., it will end at 5 p.m.. Conference venue is the Jingyi Hotel, No. 9 Dazhongsi East Road, Hai Dian District, in Beijing.

 

posted by admin on ottobre 2, 2017

Privacy, Right to oblivion

(No comments)

Time is not the only element which needs taking into consideration when examining cases concerning the right to be forgotten, since in addition to which, the public role of the parties involved and the current relevance of the news itself are also important factors that need taking into account.

Although the time elapsed since the facts reported in the press is the most important element in evaluating whether an application for the “right to be forgotten” will be successful, in a recent decision the Italian DPA has pointed out that other circumstances also need to be evaluated.

The decision concerns the appeal made by a high-ranking public official who requested Google to remove certain search results obtained by typing in his name. The point in question was a link to articles reporting news of a court case dating back 16 years, which had terminated with the conviction of the official, whose name had then been fully cleared in the course of the following years. One of the articles, the removal of which had been requested, had been published at the time of the facts while other more recent ones had picked up the story again at the time of the public official’s appointment to an important new post.

The Italian DPA stated that in evaluating a case involving the right to be forgotten it is necessary to take into account all search results found by typing in the first name and second name of the data subject concerned, which are also associated with other descriptive terms, such as the office held or the circumstances of the conviction.

This is an interpretation in line with the widely known decision by the European Court of Justice of 13th May 2014, known as “Google Spain”, in which the judges handed down a ruling ordering the search engine to remove from the list of results of a search made starting with the name of a person, those links to web pages published by third parties and containing data relating to that person, also in the case in which the name or the data are not previously or simultaneously withdrawn from the web pages and also when their being made available on those web pages is legal to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.

According to the ruling all urls reachable through a search “starting from the name” must be considered, and so without excluding the possibility that other descriptive terms may be linked to the name in order to find more specific results.

Once this important point had been clarified, the DPA ordered Google to deindex the url with the single direct link to the only article carrying the news of the plaintiff’s criminal conviction. In fact, the DPA considered that, due to the time elapsed and the fact that the plaintiff’s name had been cleared, the news was no longer relevant to the current situation.

Conversely, with regard to the other articles indicated by the applicant, the DPA recognised that, although referring to the same court case, these “contain the story in a broader context of information, in which other information is also provided”, which is connected to the public role held by the interested party and that those results were without doubt of public interest “in addition due to the role in public life held by the applicant”. Therefore, with regard to the request for their removal, the DPA dismissed the complaint as unfounded.

 

 

posted by admin on settembre 15, 2017

Privacy

(No comments)

On July 18th, Quotidiano Nazionale, the Italian daily newspaper that groups together three other dailies, Il Resto del Carlino, Il Giorno and La Nazione, published an analysis by Professor Giusella Finocchiaro of the legal implications relating to the unauthorised online publication of photographs taken from an email box.

It is neither possible nor right to comment on the technical-legal aspects of a sentence, the motivations of which are still not known and which will only be filed within the next 90 days. This is the reason we must wait. We have read that the Court of Milan has acquitted three bloggers accused by the Public Prosecutor of illegally stealing photographs of George Clooney and Elisabetta Canalis’s party from the email account of one of the party’s guests. But we have no further details. The precise nature of the charges concerned unauthorised access to an IT system, illegal interception of communications and violation of correspondence. From the first press leaks we read that on the one hand the judge appears to have partly opted for acquittal because the case was unfounded and on the other hand has deemed the conduct of the accused to constitute the less serious offence of disclosure of other parties’ correspondence, consequently acquitting the accused, since, in the absence of a formal complaint from the aggrieved parties, the offence would not have been prosecutable.

Thus, partly (at least), basically technical reasons. We do not even have any knowledge of the evidence produced in court and the presentation of electronic evidence in the trial is still ground to be fully explored. Of course a general consideration does need to be made: the Internet is not the Wild West and all the rules including procedural rules are also valid online. The same rules that apply outside the Web also apply on the Web, with the difficulties that this at times entails (we only need to remember the case of Tiziana Cantone). So, if the judges have decided on acquittal we can be in no doubt that there is appropriate legal reasoning. But certainly, unauthorised distribution of photographs or a violation of correspondence, which have been satisfactorily proven during the proceedings, are illegal both on and outside the Internet.

 

 

posted by admin on luglio 18, 2017

E-commerce and contracts

(No comments)

The United Nations Commission on International Trade Law (UNCITRAL) adopted the UNCITRAL Model Law on Electronic Transferable Records (the “MLETR”) on 13 July at its fiftieth session in Vienna.

The MLETR legally enables the use of electronic transferable records that are functionally equivalent to transferable documents and instruments including bills of lading, bills of exchange, promissory notes and warehouse receipts.

The use of electronic transferable records may bring a number of benefits to electronic commerce including speed and security of transmission as well as the possibility of reusing the information contained therein. Electronic transferable records may be particularly relevant for certain business areas such as transport and logistics and finance (fintech). Moreover, their use allows for the establishment a fully paperless trade environment.

The MLETR sets forth the requirements for the use of an electronic transferable record. In particular, it defines control as the functional equivalent of possession of a transferable document or instrument. The MLETR also provides guidance on the assessment of the reliability of the method used to manage the electronic transferable record, on change of medium (electronic to paper and the reverse), and on cross-border aspects, among other items.

The MLETR builds upon fundamental principles underlying existing UNCITRAL texts in the area of electronic commerce. In particular, the adoption of the principle of functional equivalence allows the MLETR to operate without affecting the substantive law applicable to transferable documents and instruments, and the adoption of the principle of technology neutrality allows to accommodate the use of all methods and technologies, including distributed ledgers (blockchain).

The MLETR is accompanied by an Explanatory Note that provides background information to assist States in enacting its provisions and to offer guidance to other users of the text.

The work on the preparation of the MLETR was undertaken by UNCITRAL Working Group IV (Electronic Commerce) from its 45th session in 2011 until its 54th session in 2016. The final version of the MLETR will be made available at UNCITRAL website.

 

 

posted by admin on luglio 16, 2017

E-commerce and contracts

(No comments)

At its fiftieth session the UNCITRAL Commission adopted the Model Law on Electronic Transferable Records. This is the result of work done by Working Group IV on Electronic Commerce.

The Model Law represents a significant further step forward in the development of electronic commerce and removes the legal obstacles to the international circulation of electronic transferable records. The Model Law is based on the UNCITRAL technology neutrality principle and on the functional equivalent approach.

Professor Giusella Finocchiaro is the current Chair of the Working Group on Electronic Commerce.

The Working Group has dealt with the definition and regulation of electronic transferable records from 2011 to 2016. On the 13th of July 2017, the Commission approved and adopted the Model Law.

 

 

 

The 50th annual session of the UNCITRAL Commission will be held in Vienna from the 3rd to the 21th July 2017. During the session the Commission will consider the deliberations and decisions of its Working Group IV on Electronic Commerce regarding the finalization and adoption of a Model Law on Electronic Transferable Records.

In 2011, the Commission mandated the Working Group IV to undertake work on electronic transferable records. The Working Group has worked on that subject from its forty-fifth session (Vienna, 10-14 October 2011) to its fifty-fourth session (Vienna, 31 October-4 November 2016). At its fifty-fourth session, the Working Group asked the Secretariat to revise both the draft model law on electronic transferable records and explanatory materials contained in document and to transmit the revised texts to the Commission for consideration at its fiftieth session. For these reasons, the Working Group invited the UNCITRAL Secretariat to forward the text to all Member States and international organisations for their opinions, in order to submit their comments to the UNCITRAL Commission at its 50th session.

Meanwhile, in 2016, the UNCITRAL Commission assigned to the Working Group a new project regarding new identity management and trust services, as well as cloud computing, underlying that it would have been premature to prioritize between the two topics. Therefore the Commission asked the Secretariat and the Working Group to continue updating and conducting preparatory work on the two topics, assessing their parallel execution and reporting back to the Commission so that it could make an informed decision at a future session, including the priority to give to each topic. In that context, it was mentioned that priority should be based on practical needs, rather than on how interesting the topic was or upon the feasibility of work.

 

 

 

posted by admin on giugno 15, 2017

Privacy

(No comments)

The Article 29 Working Party of the European Data Protection Authorities (DPAs) has published a report on the public consultations held inside the Working Group in particular regarding critical aspects of the Privacy Regulation such as the concept of “consent”, compliance with notification of data breach and the profiling process.

As we know, the European Regulation 2016/679 on the processing of personal data, which has been in force since 24th May 2016, will take full effect from 25th May 2018. So, with the aim of taking prompt action to put in place the implementation of the GDPR, the Article 29 Working Party has organized a number of Fablab workshops with the objective of opening up dialogue with  representatives of European industry, the civil society, relevant associations and the academic world. More than 90 participants took part in the last Fablab session, which took place on April 5th and 6th in Brussels, where they discussed the priority issues of the European Regulation with the European DPAs.

With regard to the subject of “consent”, which constitutes the main legal basis for the processing of personal data, it emerged from the workshop that in certain cases the definition of “consent” contained in the Regulation might not in fact be a reliable basis for the use of personal data. Specific concerns have been raised about the processing of the personal data of a minor, since there is currently no way to either verify the exact age of individuals who give their consent online, or to confirm the identity of persons who declare online that they have parental responsibility.

With regard to consent for the processing of personal data for scientific research purposes, uncertainty was expressed about the secondary use of these data.

Participants also expressed uncertainty about the possibility of the withdrawal of already given consent and the possible consequences faced by those who refuse to grant it. Specific concerns were expressed about the situations in which those individuals who do not give their consent are not able to avail themselves of a particular service.

Further issue concerns have been raised about deals with data breach notifications. Participants asked for greater flexibility on the contents of notifications given the damage to their reputations companies which are victims of such attacks might suffer. They also asked for greater clarity both about methods of notification and the recipients of the notification in cases concerning data of data subjects from different Member States. Is notification required to be given to the Authorities of each Member State involved?

In addition, the workshop participants discussed the question of profiling as a particular form of processing of personal data. There are numerous types of profiling which differ from sector to sector and which cannot be subject to the same provision. For this reason, specific guidelines for each type of profiling have been requested. In addition the guidelines will have to take into account the different objectives for which profiling is made. On this subject, doubts have been expressed about whether there should be limitations to the types of data that can be used. In particular  regarding the personal data of minors. Participants also raised objections about there being no clear distinction between profiling processes based on human intervention and those which are completely automated.

The complete meeting report is available on the European Commission webpage dedicated to WP29.

 

  • Recent comments

  • Popular posts

    • None found