Computer Law & Security Review最新文献

This article illustrates the developing Chinese cross-border data flow regulation regime deriving from a holistic national security conception to its balance with personal information protection and digital economic development. Under the pressuring demand of digital economy development and an increasing appeal to global data governance, China is progressively improving and modifying its original government-led and restrictive cross-border data regulations. Subsequent practices and the publication of the Provisions on Promoting and Regulating Cross-border Data Transfer (PPR) in March 2024 deliver a clear sign of relaxation on restrictions on cross-border data flow, especially on the subject of personal information outbound transfer. Detailed comparison with data provisions in the Regional Comprehensive Economic Partnership (RCEP), the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), and the Digital Economy Partnership Agreement (DEPA) demonstrates that global governance of cross-border data flows is unshaped but not unrealistic, even with current fragmented national approaches. China has established a complete personal information protection legal regime and is very close to integrating into transnational cooperation for a broader framework. In addition, by coordinating national provisions regarding cross-data transfer with international rules and piloting lenient cross-border data supervision mechanisms in numerous Pilot Free Trade Zone (PFTZ), China is ready to evolve its cross-border data flow regulations and contribute to global data governance step-by-step.

The emergence of non-fungible tokens (NFTs) in the blockchain environment has prompted many intriguing questions for private law scholars around the world. A question as basic as whether NFTs can be owned has proven difficult in many countries. This is the first research question of our article, which focuses on NFTs created in the Ethereum system by utilizing standard ERC-721. Because these NFTs are identifiable and distinguishable from all other tokens, the notion of owning an NFT is not unthinkable. Yet no universal answer can be offered. Whether NFTs qualify as objects of ownership must be studied at the level of individual legal systems. We argue that NFTs can be owned under Finnish law, with the same probably applying to many other legal systems. Starting with this notion, we pose two further research questions. As the second research question, we ask what problems of a patrimonial law nature may arise in attempts to connect different kinds of rights, even irrevocably, to owning or holding an NFT. Creditor rights seem relatively easy in this respect because most legal systems allow prospective debtors to obligate themselves as they wish. We also study whether a limited liability company could issue an NFT as a share certificate with legal effects corresponding to those of a physical (paper) share certificate. While an affirmative answer could be justified in some legal systems, Finnish law makes it difficult to tokenize a company's shares other than in the framework of a settlement system within the meaning of the European Union's DLT Pilot Regulation. Even greater difficulties arise in attempts to connect the ownership of a (material) thing and of an NFT so that a person who owns a token also owns the thing. Our third and final research question addresses tokenization of digital art, which gives rise to some special questions. We ask what rights the transferee of an NFT can receive in connection with tokenization of digital art. Here, our main finding is that digital art can be meaningfully tokenized even though digital copies are not regarded as possible objects of ownership.

This paper explores the evolution of China's Personal Information Protection Law (PIPL) and situates it within the context of global data protection development. It draws inspiration from the theory of ‘Brussels Effect’ and provides a critical account of its application in non-Western jurisdictions, taking China as a prime example. Our objective is not to provide a comparative commentary on China's legal development but to illuminate the intricate dynamics between the Chinese law and the EU's GDPR. We argue that the trajectory of China's Personal Information Protection Law calls into question the applicability of the Brussels Effect: while the GDPR's imprint on the PIPL is evident, a deeper analysis unveils China's nuanced, non-linear adoption that diverges from many assumptions of the Brussels Effect and similar theories. The evolution of the GDPR-inspired PIPL is not as a straightforward outcome of the Brussels Effect but as a nuanced, intricate interplay of external influence and domestic dynamics. We introduce a complementary theory of ‘gravity assist’, which portrays China's strategic instrumentalisation of the GDPR as a template to shape its unique data protection landscape. Our theoretical framework highlights how China navigates through a patchwork of internal considerations, international standards, and strategic choices, ultimately sculpting a data protection regime that has a similar appearance to the GDPR but aligns with its distinct political, cultural and legal landscape. With a detailed historical and policy analysis of the PIPL, coupled with reasonable speculations on its future avenues, our analysis presents a pragmatic, culturally congruent approach to legal development in China. It signals a trajectory that, while potentially converging at a principled level, is likely to diverge significantly in practice, driven by China's broader socio-political and economic agendas rather than the foundational premises of EU data protection law and its global aspirations. It thus indicates the inherent limitations of applying Brussels Effect and other theoretical frameworks to non-Western jurisdictions, highlighting the imperative for integrating complementary theories to more accurately navigate complex legal landscapes.

This article tracks developments at the national level in key European countries in the area of IT and communications and provides a concise alerting service of important national developments. It is co-ordinated by Herbert Smith Freehills LLP and contributed to by firms across Europe. This column provides a concise alerting service of important national developments in key European countries. Part of its purpose is to complement the Journal’s feature articles and briefing notes by keeping readers abreast of what is currently happening "on the ground" at a national level in implementing EU level legislation and international conventions and treaties. Where an item of European National News is of particular significance, CLSR may also cover it in more detail in the current or a subsequent edition.

The European Travel Information and Authorisation System, along with the automated decision-making system for immigration filtering, is soon to become a guardian controlling entry into Europe. In the digital realm of issuing travel authorisations, a central question arises: does streamlining the process of using an authoritative decision through IT tools and artificial intelligence simplify administrative decision-making, or does it raise more profound legal issues? The pressing question is whether algorithms will ultimately determine human destinies, or if we have not reached that point yet. This paper examines the set of rules for making a decision on the refusal of a travel permit, considering the obligations tied to providing reasons for such decisions. It emphasizes that the rationale should be built upon a combination of factual and legal foundations, which would entail revealing data linked to profiling. While explicit rights for explanations might not be granted, having substantial information gives the ability to contest decisions. To ensure decisions are well-founded, the methodology used for profiling must support these determinations, as general system descriptions are inadequate for clarifying specific cases. Therefore, the paper concludes that the complex interaction between the ETIAS screening process, data protection laws, and national security concerns presents a challenging situation for procedural rights. Fundamental rights, such as accessing records and receiving decision explanations, clash with the necessity to safeguard national security and build a so-called security union for Europe, it establishes a feeling of insecurity about respect for EU values.

This column provides a country by country analysis of the latest legal developments, cases and issues relevant to the IT, media and telecommunications' industries in key jurisdictions across the Asia Pacific region. The articles appearing in this column are intended to serve as ‘alerts’ and are not submitted as detailed analyses of cases or legal developments.

This paper focuses on the legal aspects of responsible vulnerability disclosure, bug bounty programs and legal risks associated with their implementation in the Czech Republic. Firstly, the authors introduce the basics of vulnerability disclosure procedures, identify different organisational models, and identify risks that may arise on the part of the organisation launching the bug bounty program or the hackers participating in it. The identified risks are divided into those arising from civil law, administrative law, and criminal law. For each identified risk, the authors then propose appropriate technical, organisation or legal solutions that can be applied to eliminate or reduce these risks. Nevertheless, the authors identified two areas that cannot be sufficiently mitigated through existing tools and laws and are likely to require legislative intervention – the matter of safeguarding the anonymity of reporters through confidentiality, and the problematic ability to consent to the testing procedures by the public bodies.

The continued progress of Artificial Intelligence (AI) can benefit different aspects of society and various fields of the economy, yet pose crucial risks to both those who offer such technologies and those who use them. These risks are emphasized by the unpredictability of developments in AI technology (such as the increased level of autonomy of self-learning systems), which renders it even more difficult to build a comprehensive legal framework accounting for all potential legal and ethical issues arising from the use of AI. As such, enforcement authorities are facing increased difficulties in checking compliance with applicable legislation and assessing liability, due to the specific features of AI, – namely: complexity, opacity, autonomy, unpredictability, openness, data-drivenness, and vulnerability. These problems are particularly significant in areas, such as financial markets, in which consequences arising from malfunctioning of AI systems are likely to have a major impact both in terms of individuals' protection, and of overall market stability. This scenario challenges policymaking in an increasingly digital and global context, where it becomes difficult for regulators to predict and face the impact of AI systems on economy and society, to make sure that they are human-centric, ethical, explainable, sustainable and respectful of fundamental rights and values. The European Union has been dedicating increased attention to filling the gap between the existing legal framework and AI. Some of the legislative proposals in consideration call for preventive legislation and introduce obligations on different actors – such as the AI Act – while others have a compensatory scope and seek to build a liability framework – such as the proposed AI Liability Directive and revised Product Liability Directive. At the same time, cross-sectorial regulations shall coexist with sector-specific initiatives, and the rules they establish. The present paper starts by assessing the fit of the existing European liability regime(s) with the constantly evolving AI landscape, by identifying the normative foundations on which a liability regime for such technology should be built on. It then addresses the proposed additions and revisions to the legislation, focusing on how they seek to govern AI systems, with a major focus on their implications on highly-regulated complex systems such as financial markets. Finally, it considers potential additional measures that could continue to strike a balance between the interests of all parties, namely by seeking to reduce the inherent risks that accompany the use of AI and to leverage its major benefits for our society and economy.

The purpose of this article is to explain, through a doctrinal review of the EU sustainability and cybersecurity legal framework, how the cybersecurity obligations contribute to the cybersecurity content and quality of the sustainability reporting. Previous studies are limited to voluntary cybersecurity disclosure in annual reports because they date back to before the adoption of CSRD. The CSRD harmonized sustainability reporting in the EU and introduced the ESRS, the standards for sustainability disclosure. As stated in the ESRS S4, the sustainability reporting should now address how the company manages the risks linked to data usage and data collection. Therefore, cybersecurity measures must be included in the sustainability report. This information can be used by stakeholders to assess the risk appetite and the potential long-term profitability of the company. The cybersecurity measures adopted by companies must comply with the cybersecurity obligations of the EU legal framework. While it is out of the scope of these cybersecurity obligations to inform ex ante the stakeholders of a company of how the company is managing cyber risks, these same obligations can improve the quality and content of the sustainability discourse.

This article examines the use of automatic hack backs under international law on necessity. Hack backs are a form of active defence measure adopted in response to cybersecurity threats that involve effects outside the victim's systems or networks designed to mitigate or prevent the cybersecurity threat. Automatic hack backs are systems that, once activated, are capable of performing these functions without direct human control. The plea of necessity under international law on State responsibility provides a basis on which States can adopt measures that would otherwise be unlawful in order to respond to cyber operations that constitute a grave and imminent against their essential interests. This article argues that the use of automatic hack backs can be justified on the basis of necessity, however, the system would need to be capable of making a range of complex assessments to ensure it meets the strict criteria required by international law. The complexity of systems capable of making these assessments carries a risk unintended effects and escalation of conflict at machine speed.