Computer Law & Security Review最新文献

When talking about digital transformation, data sovereignty considerations and data transfers cannot be excluded from the discussion, given the considerable likelihood that digital technologies deployed along the process collect, process and transfer (personal) data in multiple jurisdictions. An increasing number of nations, especially those within the BRICS grouping (Brazil, Russia, India, China, and South Africa) are developing their data governance and digital transformation approaches based on data sovereignty considerations, deeming specific types of data as key strategic and economic resources, which deserve particular protection and that must be leveraged for national development. From this perspective, this paper will try to shed light on how data sovereignty and data transfers interplay in the context of digital transformations. Particularly, we will consider the various dimensions that compose the concept of data sovereignty and will utilise a range of examples from the BRICS grouping to back some of the key considerations developed with empirical evidence. We define data sovereignty as the capacity to understand how and why (personal) data are processed and by whom, develop data processing capabilities, and effectively regulate data processing, thus retaining self-determination and control. We have chosen the BRICS grouping for three reasons. First, research on the grouping's data policies and digital transformation is still minimal despite their leading role. Second, BRICS account for over 40 % of the global population, or 3.2 billion people (which can be seen as 3.2 billion “data subjects” or data producers, depending on perspective, thus making them key players in data governance and digital transformation. Third, the BRICS members have realised that digital transformation is essential for the future of their economies and societies and have shaped specific data governance visions which must be considered by other countries, especially from the global majority, to understand why data governance is instrumental to foster thriving digital environments.

After representing the main country embracing a market-led approach to Open Banking, the U.S. is on the verge of switching to a regulatory-driven regime by mandating the sharing of financial data. Relying on the Section 1033 of the Dodd-Frank Act, the Consumer Financial Protection Bureau (CFPB) has, indeed, recently proposed a rulemaking on “Personal Financial Data Rights.” As the U.S. is, therefore, apparently following the EU, which has been at the forefront of the government-led Open Banking movement, the paper aims at analyzing the CFPB's proposal by taking stock of the EU experience. The review of the EU regulatory framework and its UK implementation provides useful insights about the functioning and challenging trade-offs of Open Banking, thus ultimately enabling us to assess whether the CFPB's proposal would provide significant added value for innovation and competition or would rather represent an unnecessary regulatory burden.

As a specific type of algorithmic discrimination, algorithmic proxy discrimination (APD) exerts disparate impacts on legally protected groups because machine learning algorithms adopt facially neutral proxies to refer to legally protected features through their operational logic. Based on the relationship between sensitive feature data and the outcome of interest, APD can be classified as direct or indirect conductive. In the context of big data, the abundance and complexity of algorithmic proxy relations render APD inescapable and difficult to discern, while opaque algorithmic proxy relations impede the imputation of APD. Thus, as traditional antidiscrimination law strategies, such as blocking relevant data or disparate impact liability, are modeled on human decision-making and cannot effectively regulate APD. The paper proposes a regulatory framework targeting APD based on data and algorithmic aspects.

In recent years, there has been extensive discourse on the moderation of abusive content online. Image-based Sexual Abuses (IBSAs) represent a type of abusive content that involves sexual images or videos. Platforms must moderate user-generated online content to tackle this issue effectively. One way to achieve this is by allowing users to report content, which can be flagged as abusive. In such instances, platforms may enforce their terms of service and prohibit certain types of content or users. Alongside these efforts, numerous countries have been making progress in defining and regulating this subject by implementing dedicated regulations. However, national solutions alone are insufficient for addressing a constantly increasing global emergency. Consequently, digital platforms create their own definitions of abusive conduct to overcome obstacles arising from conflicting national laws. In this paper, we use an ontological approach to model two types of abusive behavior. To do this, we applied the UFO-L patterns to build ontological models and based them on a top-level ontology, the Unified Foundational Ontology (UFO). The outcome is a set of ontological models that digital platforms can use to monitor and manage user compliance with the service provider’s code of conduct.

Generative AI with stronger responsiveness and emergent abilities has triggered a global boom and is facing challenges such as data compliance risks during the pretraining process and risks of generating fake information, which has raised concerns among global regulatory authorities. The European Union, United States, United Kingdom, and other countries and regions are gradually establishing risk-based, scenario-based, and outcome-based governance models for generative AI. China recently introduced new regulations for the management of generative AI, which adopt a governance model focusing on generative AI service providers. It suggests that China is continuing the principle of primary responsibility in Internet governance, which encompasses legal responsibility, contractual obligations, and ethical responsibility. However, the governance model based on primary responsibility emphasizes the accountability of generative AI model service providers, with relatively limited regulation on other important entities such as users and large-scale dissemination platforms, which may not be conducive to achieving China's regulatory goals for the AI industry. In comparison, the Meta-Regulation model could be an ideal alternative for China. As a classic theory explaining the public-private relationship, the ‘Meta-Regulation’ aligns with the generative AI governance requirements. Based on the Meta-Regulation theory, the governance of generative AI in China should move towards a direction of emphasizing safety, transparency, collaborative governance, and accountability. In line with this, it is necessary to include users and large-scale dissemination platforms within the regulatory scope and establish overarching governance objectives that ensure the responsible distribution of duties among stakeholders, with regulatory authorities assuming ultimate oversight responsibility and technical coordination. At the level of specific improvement measures, it is possible to integrate the three stages of model development, usage, and content dissemination of generative AI. During the model development stage, generative AI providers have specific transparency obligations. In the usage stage, a self-regulatory system centered around platform autonomy should be constructed. In the content dissemination stage, the proactive notification obligations of the dissemination platforms should be clearly defined. Additionally, the enforcement of technical interoperability requirements is necessary, thereby promoting the orderly development of generative AI applications.

The plans for a European Health Data Space (EHDS) envisage an ambitious and radical platform that will inter alia make the sharing of secondary health data easier. It will encourage the systematic sharing of health data and provide a legal framework for it to be shared by Health Data Access Bodies (HDABs) based in each of the Member States. Whilst this promises to bring about major benefits for research and innovation, it also raises serious questions given the intrinsic sensitivity of health data. Fears concerning privacy harms on the individual level and detrimental effects on the societal level have been raised. This article discusses two of the main protective pillars designed to allay such concerns. The first is that the proposal clearly outlines several contexts for which a Health Data Access Permit (HDAP) should and should not be granted. The second is that a request for an HDAP must also be compliant with the GDPR (inter alia requiring a valid legal basis and respecting data processing principles such as ‘minimization’ and ‘storage limitation’). As this article discusses, in some instances the need to have a valid legal basis under the GDPR may make it difficult to obtain a data access permit, in particular for some of the commercially orientated grounds outlined within the EHDS proposal. A further important issue concerns the ability of HDABs to analyse the compatibility permit requests under the GDPR and relevant national law at both speed and scale.

Eu-LISA is launching the European Travel Information and Authorization System (ETIAS), which seems an example of a different, human rights-oriented approach to AI within the law enforcement. However, the reality is quite different: the usual problems of the use of AI—lack of transparency, bias, opacity, just to name a few—are still on board. This paper critically assesses these promises of ETIAS and argues that it has serious issues that have not been properly dealt with. So as to argue the need to address these issues, the paper addresses ETIAS within the wider context of human rights and solidarity-based data governance. In this respect, ETIAS is seen as a tool which uses data for high value purposes, such as EU safety and security, yet it also calls for serious risk mitigation measures. Indeed, the risks related to law enforcement on the borders and in migration management are extremely serious due to the vulnerability of people who escape from poverty, wars, regimes, and other disasters. In the third part of this article, we articulate three proposals of such risk mitigation measures. We argue in favour of strengthening critical general safeguards in ETIAS, then elaborate a principle that should guide AI-based public service development (P4P principle) and end with a few IPR-related requirements for private sector involvement in such services. Adopting these measures could contribute to reduce the risk of building EU AI expertise upon data coming from the most vulnerable social groups of our planet.

Who should compensate you if you get hit by a car in “autopilot” mode: the safety driver or the car manufacturer? What about if you find out you were unfairly discriminated against by an AI decision-making tool that was being supervised by an HR professional? Should the developer compensate you, the company that procured the software, or the (employer of the) HR professional that was “supervising” the system's output?

These questions do not have easy answers. In the European Union and elsewhere around the world, AI governance is turning towards risk regulation. Risk regulation alone is, however, rarely optimal. The situations above all involve the liability for harms that are caused by or with an AI system. While risk regulations like the AI Act regulate some aspects of these human and machine interactions, they do not offer those impacted by AI systems any rights and little avenues to seek redress. From a corrective justice perspective risk regulation must also be complemented by liability law because when harms do occur, harmed individuals should be compensated. From a risk-prevention perspective, risk regulation may still fall short of creating optimal incentives for all parties to take precautions.

Because risk regulation is not enough, scholars and regulators around the world have highlighted that AI regulations should be complemented by liability rules to address AI harms when they occur. Using a law and economics framework this Article examines how the recently proposed AI liability regime in the EU – a revision of the Product Liability Directive, and an AI Liability effectively complement the AI Act and how they address the particularities of AI-human interactions.

The cyber-attribution problem poses a significant challenge to the effective application of international law in cyberspace. Rooted in unclear standards of proof, evidence disclosure requirements, and deficiencies within the legal framework of the attribution procedure, this issue reflects the limitations of some traditional legal concepts in addressing the unique nature of cyberspace. Notably, the effective control test, introduced by the ICJ in 1986 and reaffirmed in 2007 to attribute the actions of non-state actors, does not adequately account for the distinctive dynamics of cyberspace, allowing states to use proxies to evade responsibility.

The legal impracticality and insufficiency of the attribution procedure not only give rise to the cyber-attribution problem but also compel states to develop new attribution tactics. This article explores the evolution of these cyber-attribution techniques to assess whether contemporary state practices align with the customary rules of attribution identified by the ICJ and codified by the ILC within ARSIWA, or whether new, cyber-specific rules might emerge. By analyzing two datasets on cyber incidents and three distinct cases – Stuxnet, WannaCry, and the 2022 cyberattacks against Albania – this article concludes that the effective control test cannot be conclusively identified as part of customary rules within cyberspace due to the insufficient support in state practice. Furthermore, it is apparent that the rules of attribution in the cyber-specific context are in a disarray, lacking consistent, widespread and representative practice to support a general custom. However, emerging state practice shows some degree of unification and development, suggesting the potential for the future establishment of cyber-specific rules of attribution.