Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

posted by admin on luglio 18, 2017

E-commerce and contracts

(No comments)

The United Nations Commission on International Trade Law (UNCITRAL) adopted the UNCITRAL Model Law on Electronic Transferable Records (the “MLETR”) on 13 July at its fiftieth session in Vienna.

The MLETR legally enables the use of electronic transferable records that are functionally equivalent to transferable documents and instruments including bills of lading, bills of exchange, promissory notes and warehouse receipts.

The use of electronic transferable records may bring a number of benefits to electronic commerce including speed and security of transmission as well as the possibility of reusing the information contained therein. Electronic transferable records may be particularly relevant for certain business areas such as transport and logistics and finance (fintech). Moreover, their use allows for the establishment a fully paperless trade environment.

The MLETR sets forth the requirements for the use of an electronic transferable record. In particular, it defines control as the functional equivalent of possession of a transferable document or instrument. The MLETR also provides guidance on the assessment of the reliability of the method used to manage the electronic transferable record, on change of medium (electronic to paper and the reverse), and on cross-border aspects, among other items.

The MLETR builds upon fundamental principles underlying existing UNCITRAL texts in the area of electronic commerce. In particular, the adoption of the principle of functional equivalence allows the MLETR to operate without affecting the substantive law applicable to transferable documents and instruments, and the adoption of the principle of technology neutrality allows to accommodate the use of all methods and technologies, including distributed ledgers (blockchain).

The MLETR is accompanied by an Explanatory Note that provides background information to assist States in enacting its provisions and to offer guidance to other users of the text.

The work on the preparation of the MLETR was undertaken by UNCITRAL Working Group IV (Electronic Commerce) from its 45th session in 2011 until its 54th session in 2016. The final version of the MLETR will be made available at UNCITRAL website.

 

 

posted by admin on luglio 16, 2017

E-commerce and contracts

(No comments)

At its fiftieth session the UNCITRAL Commission adopted the Model Law on Electronic Transferable Records. This is the result of work done by Working Group IV on Electronic Commerce.

The Model Law represents a significant further step forward in the development of electronic commerce and removes the legal obstacles to the international circulation of electronic transferable records. The Model Law is based on the UNCITRAL technology neutrality principle and on the functional equivalent approach.

Professor Giusella Finocchiaro is the current Chair of the Working Group on Electronic Commerce.

The Working Group has dealt with the definition and regulation of electronic transferable records from 2011 to 2016. On the 13th of July 2017, the Commission approved and adopted the Model Law.

 

 

 

The 50th annual session of the UNCITRAL Commission will be held in Vienna from the 3rd to the 21th July 2017. During the session the Commission will consider the deliberations and decisions of its Working Group IV on Electronic Commerce regarding the finalization and adoption of a Model Law on Electronic Transferable Records.

In 2011, the Commission mandated the Working Group IV to undertake work on electronic transferable records. The Working Group has worked on that subject from its forty-fifth session (Vienna, 10-14 October 2011) to its fifty-fourth session (Vienna, 31 October-4 November 2016). At its fifty-fourth session, the Working Group asked the Secretariat to revise both the draft model law on electronic transferable records and explanatory materials contained in document and to transmit the revised texts to the Commission for consideration at its fiftieth session. For these reasons, the Working Group invited the UNCITRAL Secretariat to forward the text to all Member States and international organisations for their opinions, in order to submit their comments to the UNCITRAL Commission at its 50th session.

Meanwhile, in 2016, the UNCITRAL Commission assigned to the Working Group a new project regarding new identity management and trust services, as well as cloud computing, underlying that it would have been premature to prioritize between the two topics. Therefore the Commission asked the Secretariat and the Working Group to continue updating and conducting preparatory work on the two topics, assessing their parallel execution and reporting back to the Commission so that it could make an informed decision at a future session, including the priority to give to each topic. In that context, it was mentioned that priority should be based on practical needs, rather than on how interesting the topic was or upon the feasibility of work.

 

 

 

posted by admin on giugno 15, 2017

Privacy

(No comments)

The Article 29 Working Party of the European Data Protection Authorities (DPAs) has published a report on the public consultations held inside the Working Group in particular regarding critical aspects of the Privacy Regulation such as the concept of “consent”, compliance with notification of data breach and the profiling process.

As we know, the European Regulation 2016/679 on the processing of personal data, which has been in force since 24th May 2016, will take full effect from 25th May 2018. So, with the aim of taking prompt action to put in place the implementation of the GDPR, the Article 29 Working Party has organized a number of Fablab workshops with the objective of opening up dialogue with  representatives of European industry, the civil society, relevant associations and the academic world. More than 90 participants took part in the last Fablab session, which took place on April 5th and 6th in Brussels, where they discussed the priority issues of the European Regulation with the European DPAs.

With regard to the subject of “consent”, which constitutes the main legal basis for the processing of personal data, it emerged from the workshop that in certain cases the definition of “consent” contained in the Regulation might not in fact be a reliable basis for the use of personal data. Specific concerns have been raised about the processing of the personal data of a minor, since there is currently no way to either verify the exact age of individuals who give their consent online, or to confirm the identity of persons who declare online that they have parental responsibility.

With regard to consent for the processing of personal data for scientific research purposes, uncertainty was expressed about the secondary use of these data.

Participants also expressed uncertainty about the possibility of the withdrawal of already given consent and the possible consequences faced by those who refuse to grant it. Specific concerns were expressed about the situations in which those individuals who do not give their consent are not able to avail themselves of a particular service.

Further issue concerns have been raised about deals with data breach notifications. Participants asked for greater flexibility on the contents of notifications given the damage to their reputations companies which are victims of such attacks might suffer. They also asked for greater clarity both about methods of notification and the recipients of the notification in cases concerning data of data subjects from different Member States. Is notification required to be given to the Authorities of each Member State involved?

In addition, the workshop participants discussed the question of profiling as a particular form of processing of personal data. There are numerous types of profiling which differ from sector to sector and which cannot be subject to the same provision. For this reason, specific guidelines for each type of profiling have been requested. In addition the guidelines will have to take into account the different objectives for which profiling is made. On this subject, doubts have been expressed about whether there should be limitations to the types of data that can be used. In particular  regarding the personal data of minors. Participants also raised objections about there being no clear distinction between profiling processes based on human intervention and those which are completely automated.

The complete meeting report is available on the European Commission webpage dedicated to WP29.

 

posted by admin on marzo 31, 2017

computer crimes

(No comments)

The Italian DPA has imposed fines totalling over 11 million euros on five money transfer companies which had unlawfully processed more than one thousand users’ personal data in order to bypass anti money-laundering regulations.

These companies collected and transferred to China sums of money belonging to Chinese businessmen, violating both the anti money-laundering law and the data protection law. By using the technique of structuring (i.e. the technique of breaking up large amounts of money into several smaller transactions below the anti money-laundering legal threshold), companies allocated money transfers to more than 1,000 customers, who were completely unaware of these transactions, by illegally using their data.

These serious violations came to light during an investigation by the Procura di Roma (the Rome Public Prosecutor’s Office). The Currency Police Unit of the Italian Financial Police, authorised by the Judicial Authorities, ascertained that the names of the people these money transfers were registered to did not correspond to the real senders. In addition, in certain cases the transaction forms turned out not even to have been signed or to have been filled out by people who were either deceased or non-existent. The personal data used were taken from photocopies of id documents, which were stored in specific folders to be used when needed. Money transfers were carried out within seconds of each other and involved sums of money which were just under the legal threshold and addressed to the same recipient.

Due to this infringement of the Data Protection Law committed by the companies, the Italian Data Protection Authority was obliged to intervene and, in view of the seriousness of the violations, the number of parties involved whose personal data had been processed without their consent and the importance (and size) of the database, has imposed the following fines: 5,880,000 euros for the multinational corporation and fines of 1,590,000 euros, 1,430,000 euros, 1,260,000 euros and 850,000 euros respectively for the other four companies, for a total of over 11 million euros.

 

 

posted by admin on marzo 15, 2017

computer crimes

(No comments)

The latest report from Clusit (the Italian Association of Internet and IT Security) states that 2016 was the worst year ever for the evolution in cyber threats and their impact. The Interministerial Commitee for the Security of the Republic, chaired by Prime Minister Gentiloni, has devised a national cyber security plan.

Clusit stresses the phenomenal rise (+1,166%) in phishing attacks – by means of which cyber scammers persuade victims to hand over personal and financial data or login credentials by masquerading as bona fide companies – and social engineering scams – i.e. techniques of studying individual people’s behaviour in order to extort information. Malevolent common malware virus attacks also rose (+116%), and were not only small scale attacks, but also aimed at attacking important targets with significant impact.

There was a dramatic rise even in cyber warfare related attacks (+ 117%), which aim to increase geopolitical pressure or manipulate public opinion. Examples of cyber warfare attacks include those on political parties’ or institutions’ email accounts, but potential targets also include critical infrastructure such as energy, water, communications and transport services, attacks on which rose by + 15% compared to 2015.

So-called cybercrime – i.e. offences committed in order to extort money or information – represented 72% of global attacks in 2016. There has been a consistent upward trend in cybercrime since 2011, when the percentage was 36%. 32% of attacks use unknown techniques, which is 45% up on 2015.

In 2016 the healthcare sector was under increased serious attack (+ 102%) from ransomware – i.e. viruses that encrypt data on victims’ devices only released if the victims pay a ransom – and data theft. There was also a substantial rise in attacks against large scale retail distribution (+70%) and the banking and financial sector (+64%).

In geographical terms, in the second half of 2016 attacks against European targets rose from 13% to 16% and against Asian targets from 15% to 16%, whereas the number of victims in the USA seems to have dropped slightly, even if the USA remains the area most hit by cyber attacks. The tendency to attack mostly important and transnational targets was confirmed. An example of one of the most important global attacks was that against the Italian Ministry of Foreign Affairs.

The Interministerial Commitee for the Security of the Republic (Cisr) has launched a multi phase national plan for cyber security with a new decree – “indications for cybernetics protection and national information security”, which replaces the old Council of Ministers Presidential Decree of January 24th, 2013.

The new measure acknowledges the NIS (Network and Information Security) European Directive and reinforces the role of the Cisr which will issue directives with the aim of raising the level of national cyber security and will avail itself of the support of interministerial coordination on the part of the so-called “Cisr tecnico” (the Technical Interministerial Commitee for the Security of the Republic) and the Security Intelligence Department (Dis).

The new decree assigns the Director General of the DIS the task of defining appropriate courses of action to ensure the required levels of security in both public and private strategic systems and networks, identifying and removing their vulnerabilities. So as to successfully carry out these initiatives the involvement of both the academic world and the world of research is envisaged, as is the idea to use top quality resources in addition to setting up extensive co-operation with businesses in the cyber sector.

At an operational level, the Cyber Security Unit (Nsc) – now part of the Dis – will guarantee a coordinated joint response to any significant cyber attack on national security, together with specialists from all relevant Government Departments.

 

 

posted by admin on marzo 1, 2017

Privacy

(No comments)

ratingBlackMirrorThe Italian Data Protection Authority has established that a “reputation rating” project violates the provisions of the Personal Data Protection Code and impacts negatively on human dignity.

The project, which was devised by an organisation structured as an association and a company appointed for its management, is based on a web platform and a database which gathers vast amounts of personal data either uploaded by users or obtained from the web, on various types of individual – from job candidates to business people, freelance professionals and private individuals. By means of a specific algorithm the system would then be able to objectively measure people’s reliability in the economic and professional fields, by assigning a score (“rating”) to their online reputation.

The DPA observed that the system would create significant problems in relation to privacy due to the confidential nature of the information, the pervasive impact on the interested parties and the method of processing. Essentially, the system implies the massive collection – also online – of information open to significantly impacting on the economic and social representation of thousands of people. Such processed reputation ratings might have serious repercussions on the lives of those who had been rated, since it might influence other people’s choices as well as jeopardising access for rated parties to services and benefits.

The DPA also expressed a number of doubts about the objectivity claimed for the ratings, stressing that the company could not prove the effectiveness of the algorithm used to regulate the settings of the “ratings”, which would be calculated without rated parties having any chance to freely give their consent. Given the complexity and sensitivity of measuring situations and variables which are not easy to classify, any rating might be based on incomplete or flawed documents and certificates with the consequent risk of creating inaccurate profiles which do not correspond to the real social identity of the rated parties.

Moreover, the DPA was concerned about the unreliability of allowing an automated system to decide upon such complex and sensitive issues relating to individuals’ reputations.

The system’s security measures which are principally based on “weak” authentication systems (user ids and passwords) and on encryption techniques only for judicial data, were found to be totally inadequate in the DPA’s opinion. Finally, further critical issues were detected in the time period for data storage and privacy policies for interested parties.

Therefore, in conclusion, the DPA has banned all present and future processing operations related to the reputation rating project.

 

 

posted by admin on gennaio 30, 2017

Labour law and digital world

(No comments)

On 1st January 2017 France brought into force a law on the “right to disconnect”, which aims at banning office emails outside working hours.

Conceived as a means to combat an increase in stress, linked to compulsive out-of-hours email checking, the new legislation requires all companies with more than 50 employees to start negotiations in order to define the rights of employees to ignore their smartphones out of working hours.

As is well known, replying to emails outside working hours is not usually considered as overtime and therefore generally remains unpaid. Moreover, employee availability during off-hours is nowadays considered “a duty” by many employers. For this reason the new law requires companies to reach an agreement with their employees, in which the out-of-hours times when employees are required to reply to office communications must be explicitly detailed. The new measure also aims to protect digital professionals, who work remotely and are therefore more exposed to off-hours calls.

The law was introduced after Labour Minister Myriam El Khomri had commissioned a report on the health impact of the uninterrupted flow of digital information, so-called “info-obesity”, coming from the workplace. The excessive use of digital devices on which employees are reachable 24/7 has been considered the cause of any number of health conditions from “burnout”, to sleeplessness and relationship problems.

A number of multinational companies based in France have already announced that they have already taken steps to put in place innovative solutions such as a “curfew” on evening communications or systems that automatically delete emails sent to employees when they are on holiday or not working.

 

 

posted by admin on dicembre 15, 2016

Privacy

(No comments)

The Privacy Shield agreement, which regulates cross border data transfer flows between the European Union and the United States and which recently replaced the previous Safe Harbor agreement, is once again under discussion.

Only a few months after the text came into force, the European Court of Justice has been called upon to decide on the adequacy of the level of protection guaranteed by the Privacy Shield agreement.

A number of companies working in the digital sector and performing the transfer of personal data abroad (among which the by now well known Digital Rights Ireland Ltd.) argue that the Privacy Shield agreement does not offer an adequate level of protection, contrary to what was deemed to be the case by the European Commission, which on the 12th July 2016 implemented the adequacy decision, making legitimate the transfer of data towards the United States and those American organizations endorsing the new agreement.

In particular, the claimants maintain that the EU-US Privacy Shield does not fully implement those principles and rights regarding personal data protection included in directive 96/46/EC (which will be repealed from 2018 by means of recent EU Regulation 679/2016) and consequently, does not adequately safeguard the rights of European citizens. In the appeals it is also brought into question that the agreement does not exclude indiscriminate access to electronic communications by foreign authorities, thus in violation of the right to privacy, to the protection of personal data and the freedom of expression as set out in the Charter of Fundamental Rights of the European Union.

For the abovementioned reasons the said companies appealed challenged the Commission’s adequacy decision in accordance with art. 263 TFUE, which grants interested parties the right to appeal against the Commission’s acts and obtain their annulment within two months from their entry into force or their publication.

It is worth recalling that the Article 29 Working Party had already expressed its fears regarding certain aspects of the agreement, which had not been modified, despite repeated requests for review. Immediately following the implementation of the Privacy Shield agreement, in a statement on the 26th July 2016, the Group of European DPAs underlined that no concrete security measures to prevent the general collection of data had been provided and that the independence of the role and powers of important redress bodies (such as the Ombudsperson) had not been guaranteed.

As a consequence, the new system does not seem to have helped to establish a climate of certainty regarding the legal framework regulating cross border data transfer flows to the United States, a country, which has clearly not yet gained the trust of European operators. The decision by the Court of Justice is now awaited since it might either consider the appeals inadmissible due to a lack of legitimization or groundless motivations or decide to uphold them.

 

 

  • Recent comments

  • Popular posts

    • None found