Computer Law & Security Review最新文献

The digital age has made personal data more valuable and less private. This paper explores the future of the European Union’s General Data Protection Regulation (GDPR) by imagining a range of challenging scenarios and how it might handle them. We analyse United States’, Chinese and European approaches (self-regulation, state control, arms-length regulators) and identify four key drivers shaping the future regulatory landscape: econopolitics, enforcement capacity, societal trust, and speed of technological development. These scenarios lead us to envision six resultant versions of GDPR, ranging from laxer protection than now to models empowering individuals and regulators. While our analysis suggests a minor update to the status quo GDPR is the most likely outcome, we argue a more robust implementation is necessary. This would entail meaningful penalties for non-compliance, harmonised enforcement, a positive case to counter the regulation-stifles-innovation narrative, defence of cross-border data rights, and proactive guidelines to address emerging technologies. Strengthening the GDPR’s effectiveness is crucial to ensure the digital age empowers individuals, not just information technology corporations and governments.

The European Union's Artificial Intelligence Act focuses on establishing harmonized rules across EU Member States so that AI systems are safe, transparent, and respectful of existing laws and fundamental rights. It introduces a risk-based regulatory approach, classifying AI applications by risk levels and imposing stringent compliance requirements on high-risk applications. The paper critically examines the Act's provisions, including its prohibitions on certain AI practices, requirements for high-risk AI systems, and mandates for transparency and human oversight. The paper examines the implications of the Act for international trade and technological regulation, particularly in the context of the World Trade Organization's Technical Barriers to Trade (TBT) Agreement. It addresses the Act's potential impact on developing countries, highlighting concerns that the Act's uniform standards could potentially exacerbate the digital divide and create barriers in global AI innovation and trade. The paper suggests incorporating flexibility and differential standards in the Act, enhancing technical assistance for developing countries, and advocating the EU's active participation in global standard-setting.

What is the context which gave rise to the obligation to carry out a Fundamental Rights Impact Assessment (FRIA) in the AI Act? How has assessment of the impact on fundamental rights been framed by the EU legislator in the AI Act? What methodological criteria should be followed in developing the FRIA? These are the three main research questions that this article aims to address, through both legal analysis of the relevant provisions of the AI Act and discussion of various possible models for assessment of the impact of AI on fundamental rights.

The overall objective of this article is to fill existing gaps in the theoretical and methodological elaboration of the FRIA, as outlined in the AI Act. In order to facilitate the future work of EU and national bodies and AI operators in placing this key tool for human-centric and trustworthy AI at the heart of the EU approach to AI design and development, this article outlines the main building blocks of a model template for the FRIA. While this proposal is consistent with the rationale and scope of the AI Act, it is also applicable beyond the cases listed in Article 27 and can serve as a blueprint for other national and international regulatory initiatives to ensure that AI is fully consistent with human rights.

Open Government Data (OGD) has evolved from the mere generation of public data to its active management, but the strategic evolution still needs to be explored. This article explores the intersection of government's digital transformation, the Sustainable Development Goals (SDGs), and the role of government open data initiatives. The study focuses on the Brazilian trajectory, employing the "data as a public good" approach to evaluate data governance and capabilities as facilitators of sustainable digital transformation. The GDB method aligns with the SDG Digital Acceleration agenda, providing insights into integrating data in society and digital transformation. The study concludes by indicating the need for more dialogue and synergy between data management and government strategies. It emphasizes integrating data management, privacy protection, transparency, and ethical considerations for sustainable impact.

The amended Digital Identity Framework Regulation (“eIDAS 2″) is expected to be implemented by 2026, including its new solution of the Digital Identity Wallet from each Member State for its residents, citizens, and businesses. Widely used public key cryptosystems including those in the current EUDI Wallet prototypes are using electronic signatures and authentication that will need to be replaced by post-quantum resistant cryptography (PQC). In April 2024, the EU recommended general action by the Member States to prepare for quantum capability. We suggest that the European Digital Identity Wallet could be the starting point for an impactful debut of hybrid “quantum resistant” cryptography tools to align the Member States in the transition. We look at the awareness campaigns of ENISA and national cybersecurity authorities in the USA, Spain, UK and Germany on the transition to PQC using a hybrid approach. There seems to be some early consensus that NIST's PQC algorithms are likely to set the international standard. Given the eIDAS 2′s flexible, technologically neutral language, it allows the timely implementation of new secure encryption methods. The Wallet could be an exemplary model for large businesses, or app developers, and SMEs that also must transition to PQC to render secure those asymmetrically encrypted quantum-vulnerable digital assets. A very large and relatively fast uptake of the EUDI Wallet system is expected, and if it holds the promises of functionality, user friendliness, and security across the changing technological world, the EUDI Wallet's approach could become a benchmark for the transition to post-quantum capacity.

Advancements in artificial intelligence (AI) have drastically simplified the creation of synthetic media. While concerns often focus on potential misinformation harms, ‘non-consensual intimate deepfakes’ (NCID) – a form of image-based sexual abuse – pose a current, severe, and growing threat, disproportionately impacting women and girls. This article examines the measures implemented with the recently adopted Online Safety Act 2023 (OSA) and argues that the new criminal offences and the ‘systems and processes’ approach the law adopts are insufficient to counter NCID in the UK. This is because the OSA relies on platform policies that often lack consistency regarding synthetic media and on platforms’ content removal mechanisms which offer limited redress to victim-survivors after the harm has already occurred. The article argues that stronger prevention mechanisms are necessary and proposes that the law should mandate all AI-powered deepfake creation tools to ban the generation of intimate synthetic content and require the implementation of comprehensive and enforceable content moderation systems.

It came somewhat unexpected when Dutch Booking's acquisition of Swedish Etraveli was blocked in the EU as the parties operated in two separate segments of the online economy, hotel accommodation and flight booking, making the merger unproblematic under normal circumstances. However, in the digital economy, nothing is normal as enforcement has tightened, mostly vis-à-vis US tech giants but apparently also vis-à-vis European undertakings. Interestingly, customers' unwillingness to shop around for offers, as otherwise accepted by, e.g., the UK authority, played a role in the outcome. The decision has been challenged before the EU's General Court, providing a case to watch.

Recent years have seen a surge in the development and use of companion chatbots, conversational agents specifically designed to act as virtual friends, romantic partners, life coaches or even therapists. Yet, these tools raise many concerns, especially when their target audience is comprised of vulnerable individuals. While the recently adopted AI Act is expected to address some of these concerns, both compliance and enforcement are bound to take time. Since the development of companion chatbots involves the processing of personal data at nearly every step of the process, from training to fine-tuning to deployment, this paper argues that the General Data Protection Regulation (“GDPR”), and data protection by design more specifically, already provides a solid ground for regulators and courts to force controllers to mitigate these risks. In doing so, it sheds light on the broad material scope of Articles 24(1) and 25(1) GDPR, highlights the role of these provisions as proxies to Fundamental Rights Impact Assessments (“FRIAs”), and peels off the many layers of personal data processing involved in the companion chatbots supply chain. That reasoning served as the basis for a complaint lodged with the Belgian data protection authority, the full text and supporting evidence of which are provided as supplementary materials.

The General Law for the Protection of Personal Data (LGPD), issued in Brazil in August 2018, establishes as one of the legal bases for the processing of personal data the execution of public policies by the State. A systematic review of the literature identified the existence of six critical points that represent challenges for public managers in the elaboration and implementation of policies that require the processing of personal data. The objective of this research is to establish the levels of criticality of the factors identified by the literature review, as well as to verify the existence of other critical points on which the literature has not yet advanced. To this end, a group of 11 specialists was selected to participate in the research that used the Delphi Method, a technique that consists of applying a set of questionnaires sequentially and individually, in order to establish a dialog between the participants and build a collective response. The results indicate a coherence between what was verified in the theory and the perception of the specialists. Another 10 critical points for the processing of personal data by the government were mentioned by the participants. In general, the main elements of tension identified addressed the lack of training of public officials and the sharing of personal data.