
Computer Law & Security Review: Latest Articles

Evolving Threats, Emerging Laws: Poland's 2023 Answer to the Smishing Challenge
IF 3.3 | Zone 3, Sociology | Q1 LAW | Pub Date: 2024-06-24 | DOI: 10.1016/j.clsr.2024.106013
Sebastian Zieliński

In the face of rising cybersecurity threats like 'smishing'—SMS-based phishing attacks—this article examines how legislative efforts can effectively address these challenges. This article provides a comprehensive analysis of cybersecurity challenges, focusing on the still growing phenomenon of 'smishing', within the legislative context. In particular, it explores the legal landscape of cybercrime through the lens of Poland's recently enacted Act on Combating Abuses in Electronic Communication, as well as the European Union's Cybersecurity Strategy for the Digital Decade. The first one serves as a significant case study for examining legislative efforts aimed at mitigating cybersecurity risks in the field of electronic communications. The article describes the multi-layered, collaborative business-state approach of the Polish law, which can provide a solid framework for addressing current and future cyber security threats. The act stands as a promising tool for fortifying national cybersecurity infrastructure and could serve as a useful example for other jurisdictions grappling with similar issues. The law also engages citizens actively in its cybersecurity initiatives, promoting collective responsibility. In the broader European Union context, while the Polish Act undergoes scrutiny, this analysis also seeks to explore its alignment with the objectives outlined in the 2020's European Union's Cybersecurity Strategy for the Digital Decade. This examination aims to evaluate the extent to which the Polish legislative framework resonates with the overarching goals set forth by the European Union, thereby contributing to a deeper understanding of the synergy between national initiatives and the broader European cybersecurity strategy context.

Citations: 0

EU sanctions in response to cyber-attacks as crime-based emergency measures
IF 3.3 | Zone 3, Sociology | Q1 LAW | Pub Date: 2024-06-21 | DOI: 10.1016/j.clsr.2024.106010
Yuliya Miadzvetskaya

This contribution seeks to explore the growing use of administrative measures in response to cybercrimes by analysing the specific case of sanctions in response to cyber-attacks. They constitute a novel crime-based sanctions regime, laying the foundations of personalised deterrence with respect to malicious cyber actors and consist in asset freezes and visa bans. This article reflects on the hazy boundary between crime-based sanctions as administrative or criminal law measures. The paper argues that while crime-based sanctions in response to cyber-attacks present certain similarities with criminal law measures, they remain complementary crime prevention instruments. Their administrative nature allows for an emergency response to malicious cyber operations that would not be permissible if a more stringent evidentiary standard was required.

Citations: 0

The reform of consumer protection in mobile payment services in China: Legislation, regulation, and dispute resolution
IF 2.9 | Zone 3, Sociology | Q1 LAW | Pub Date: 2024-06-14 | DOI: 10.1016/j.clsr.2024.106007
Ningyao Ye , Zeyu Zhao

In China, mobile payment services, based on a rapid development of financial technology, have been playing an essential role in Chinese residents’ daily life, creating a cashless society. Unlike many advanced countries having a clear legal definition of financial consumers and incorporating consumers of mobile payment services into financial consumers, China, as one of the largest markets for mobile payment services, has not had a clear legal definition of financial consumers with no clarity regarding whether consumers of mobile payment services belong to financial consumers. This article not only provides a legal analysis of consumers of mobile payment services in China, but also outrightly explores the prospective reform of financial consumer protection with reference to other countries’ successful experience and standards. By the analysis, this article attempts to find out solution for the Chinese financial consumer protection scheme and argues that the Chinese financial consumer protection scheme has to be well designed to maintain a balance between consumers and mobile payment giants.

Citations: 0

Developing China's Approaches to Regulate Cross-border Data Transfer: Relaxation and Integration
IF 2.9 | Zone 3, Sociology | Q1 LAW | Pub Date: 2024-06-08 | DOI: 10.1016/j.clsr.2024.105997
Meng Chen (Associate Professor)

This article illustrates the developing Chinese cross-border data flow regulation regime deriving from a holistic national security conception to its balance with personal information protection and digital economic development. Under the pressuring demand of digital economy development and an increasing appeal to global data governance, China is progressively improving and modifying its original government-led and restrictive cross-border data regulations. Subsequent practices and the publication of the Provisions on Promoting and Regulating Cross-border Data Transfer (PPR) in March 2024 deliver a clear sign of relaxation on restrictions on cross-border data flow, especially on the subject of personal information outbound transfer. Detailed comparison with data provisions in the Regional Comprehensive Economic Partnership (RCEP), the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), and the Digital Economy Partnership Agreement (DEPA) demonstrates that global governance of cross-border data flows is unshaped but not unrealistic, even with current fragmented national approaches. China has established a complete personal information protection legal regime and is very close to integrating into transnational cooperation for a broader framework. In addition, by coordinating national provisions regarding cross-data transfer with international rules and piloting lenient cross-border data supervision mechanisms in numerous Pilot Free Trade Zone (PFTZ), China is ready to evolve its cross-border data flow regulations and contribute to global data governance step-by-step.

Citations: 0

Non-fungible tokens, tokenization, and ownership
IF 2.9 | Zone 3, Sociology | Q1 LAW | Pub Date: 2024-06-08 | DOI: 10.1016/j.clsr.2024.105996
Janne Kaisto , Teemu Juutilainen , Joona Kauranen

The emergence of non-fungible tokens (NFTs) in the blockchain environment has prompted many intriguing questions for private law scholars around the world. A question as basic as whether NFTs can be owned has proven difficult in many countries. This is the first research question of our article, which focuses on NFTs created in the Ethereum system by utilizing standard ERC-721. Because these NFTs are identifiable and distinguishable from all other tokens, the notion of owning an NFT is not unthinkable. Yet no universal answer can be offered. Whether NFTs qualify as objects of ownership must be studied at the level of individual legal systems. We argue that NFTs can be owned under Finnish law, with the same probably applying to many other legal systems. Starting with this notion, we pose two further research questions. As the second research question, we ask what problems of a patrimonial law nature may arise in attempts to connect different kinds of rights, even irrevocably, to owning or holding an NFT. Creditor rights seem relatively easy in this respect because most legal systems allow prospective debtors to obligate themselves as they wish. We also study whether a limited liability company could issue an NFT as a share certificate with legal effects corresponding to those of a physical (paper) share certificate. While an affirmative answer could be justified in some legal systems, Finnish law makes it difficult to tokenize a company's shares other than in the framework of a settlement system within the meaning of the European Union's DLT Pilot Regulation. Even greater difficulties arise in attempts to connect the ownership of a (material) thing and of an NFT so that a person who owns a token also owns the thing. Our third and final research question addresses tokenization of digital art, which gives rise to some special questions. We ask what rights the transferee of an NFT can receive in connection with tokenization of digital art. Here, our main finding is that digital art can be meaningfully tokenized even though digital copies are not regarded as possible objects of ownership.

Citations: 0

From brussels effect to gravity assists: Understanding the evolution of the GDPR-inspired personal information protection law in China
IF 2.9 | Zone 3, Sociology | Q1 LAW | Pub Date: 2024-06-08 | DOI: 10.1016/j.clsr.2024.105994
Wenlong Li , Jiahong Chen

This paper explores the evolution of China's Personal Information Protection Law (PIPL) and situates it within the context of global data protection development. It draws inspiration from the theory of ‘Brussels Effect’ and provides a critical account of its application in non-Western jurisdictions, taking China as a prime example. Our objective is not to provide a comparative commentary on China's legal development but to illuminate the intricate dynamics between the Chinese law and the EU's GDPR. We argue that the trajectory of China's Personal Information Protection Law calls into question the applicability of the Brussels Effect: while the GDPR's imprint on the PIPL is evident, a deeper analysis unveils China's nuanced, non-linear adoption that diverges from many assumptions of the Brussels Effect and similar theories. The evolution of the GDPR-inspired PIPL is not as a straightforward outcome of the Brussels Effect but as a nuanced, intricate interplay of external influence and domestic dynamics. We introduce a complementary theory of ‘gravity assist’, which portrays China's strategic instrumentalisation of the GDPR as a template to shape its unique data protection landscape. Our theoretical framework highlights how China navigates through a patchwork of internal considerations, international standards, and strategic choices, ultimately sculpting a data protection regime that has a similar appearance to the GDPR but aligns with its distinct political, cultural and legal landscape. With a detailed historical and policy analysis of the PIPL, coupled with reasonable speculations on its future avenues, our analysis presents a pragmatic, culturally congruent approach to legal development in China. It signals a trajectory that, while potentially converging at a principled level, is likely to diverge significantly in practice, driven by China's broader socio-political and economic agendas rather than the foundational premises of EU data protection law and its global aspirations. It thus indicates the inherent limitations of applying Brussels Effect and other theoretical frameworks to non-Western jurisdictions, highlighting the imperative for integrating complementary theories to more accurately navigate complex legal landscapes.

Citations: 0

European National News
IF 2.9 | Zone 3, Sociology | Q1 LAW | Pub Date: 2024-06-05 | DOI: 10.1016/j.clsr.2024.105998
Nick Pantlin

This article tracks developments at the national level in key European countries in the area of IT and communications and provides a concise alerting service of important national developments. It is co-ordinated by Herbert Smith Freehills LLP and contributed to by firms across Europe. This column provides a concise alerting service of important national developments in key European countries. Part of its purpose is to complement the Journal’s feature articles and briefing notes by keeping readers abreast of what is currently happening "on the ground" at a national level in implementing EU level legislation and international conventions and treaties. Where an item of European National News is of particular significance, CLSR may also cover it in more detail in the current or a subsequent edition.

Citations: 0
Prospective implementation of ai for enhancing European (in)security: Challenges in reasoning of automated travel authorization decisions
IF 2.9 Zone 3 Sociology Q1 LAW Pub Date : 2024-06-04 DOI: 10.1016/j.clsr.2024.105995
Erzsébet Csatlós

The European Travel Information and Authorisation System, along with the automated decision-making system for immigration filtering, is soon to become a guardian controlling entry into Europe. In the digital realm of issuing travel authorisations, a central question arises: does streamlining the process of using an authoritative decision through IT tools and artificial intelligence simplify administrative decision-making, or does it raise more profound legal issues? The pressing question is whether algorithms will ultimately determine human destinies, or if we have not reached that point yet. This paper examines the set of rules for making a decision on the refusal of a travel permit, considering the obligations tied to providing reasons for such decisions. It emphasizes that the rationale should be built upon a combination of factual and legal foundations, which would entail revealing data linked to profiling. While explicit rights for explanations might not be granted, having substantial information gives the ability to contest decisions. To ensure decisions are well-founded, the methodology used for profiling must support these determinations, as general system descriptions are inadequate for clarifying specific cases. Therefore, the paper concludes that the complex interaction between the ETIAS screening process, data protection laws, and national security concerns presents a challenging situation for procedural rights. Fundamental rights, such as accessing records and receiving decision explanations, clash with the necessity to safeguard national security and build a so-called security union for Europe; it establishes a feeling of insecurity about respect for EU values.

Citations: 0
Asia–Pacific developments
IF 2.9 Zone 3 Sociology Q1 LAW Pub Date : 2024-06-03 DOI: 10.1016/j.clsr.2024.105991
Gabriela Kennedy

This column provides a country-by-country analysis of the latest legal developments, cases and issues relevant to the IT, media and telecommunications industries in key jurisdictions across the Asia Pacific region. The articles appearing in this column are intended to serve as ‘alerts’ and are not submitted as detailed analyses of cases or legal developments.

Citations: 0
The legal aspects of cybersecurity vulnerability disclosure: To the NIS 2 and beyond
IF 2.9 Zone 3 Sociology Q1 LAW Pub Date : 2024-06-03 DOI: 10.1016/j.clsr.2024.105988
Jakub Vostoupal , Václav Stupka , Jakub Harašta , František Kasl , Pavel Loutocký , Kamil Malinka

This paper focuses on the legal aspects of responsible vulnerability disclosure, bug bounty programs and legal risks associated with their implementation in the Czech Republic. Firstly, the authors introduce the basics of vulnerability disclosure procedures, identify different organisational models, and identify risks that may arise on the part of the organisation launching the bug bounty program or the hackers participating in it. The identified risks are divided into those arising from civil law, administrative law, and criminal law. For each identified risk, the authors then propose appropriate technical, organisational or legal solutions that can be applied to eliminate or reduce these risks. Nevertheless, the authors identified two areas that cannot be sufficiently mitigated through existing tools and laws and are likely to require legislative intervention – the matter of safeguarding the anonymity of reporters through confidentiality, and the problematic ability to consent to the testing procedures by the public bodies.

Citations: 0