The Nexus Magazine - Spring 2018


SPRING 2018


MEET THE COMMITTEE

The Nexus Magazine Editorial Team independently obtained and organized the content of this magazine, and is responsible for the publication of the Nexus Magazine. The opinions and ideas expressed by authors of articles in this magazine are solely the opinions and ideas of those authors and do not necessarily represent the opinions and ideas of this magazine or its editors or publishers.

Contact Us:

MagazineCommitee.Nexus@Gmail.com / Nexus@rug.nl

EDITOR-IN-CHIEF: JOCHELLE GREAVES SIEW

CREATIVE DIRECTION: JOCHELLE GREAVES SIEW, KONRAD TURNBULL, SARAH GIBLIN

CONTRIBUTING WRITERS: JOCHELLE GREAVES SIEW, TATENDA MADONDO, MERLIJN HOPPEMA, MĂDĂLINA NICOLAI, ANTONIA NEIDHART, MATTHEUS SCHMIDHAMMER

WOODMAN - UK graduated from the LLB International and European Law, and is currently pursuing his LLM at the University of Groningen.

SARAH - IRELAND is currently in the second year of her LLB International and European Law at the University of Groningen.

JOCHELLE - TRINIDAD and TOBAGO & USA is currently in the second year of her LLB International and European Law at the University of Groningen.

JESSICA - GERMANY is currently in the second year of her LLB International and European Law at the University of Groningen.

KONRAD - UK & USA is currently in the first year of his LLB International and European Law at the University of Groningen.

LISA AASENDEN, SARAH GIBLIN, WOODMAN DICKINSON, KONRAD TURNBULL


LETTER FROM THE EDITOR

Dear Readers,

In this day and age, information about any person can be easily accessed online. In fact, most of us are guilty of insecurely storing our data on our smartphones, tablets and laptops. Some might argue that it is our responsibility for taking such a grave risk, while others put forth the notion that we have the right to protection of our data no matter what. This ongoing and relevant debate on data privacy is the inspiration behind The Nexus Magazine’s Spring 2018.

The relevance of this debate is cemented by the various articles of which this issue is comprised. Woody’s piece sets the tone of the issue as it discusses the upcoming General Data Protection Regulation of the European Union and its repercussions. I have also written an article for this issue in which I consider whether common law or civil law systems provide better citizen protection against data privacy breaches. Merlijn delves into the right to be forgotten in European Union law in his piece, utilising the Google Spain case to analyse whether or not this right simply strengthens one’s privacy rights or also poses the threat of censorship. In addition, Konrad has written an informative piece on how much one’s data can be worth, whether it be your credit card information or webcam access, providing us with some startling facts and figures. Madalina’s article explores one of the largest, yet dramatically underreported, cybercrimes: sextortion. She examines why it is inherently dangerous to the policies of data protection and looks at the flaws of the U.S. justice system regarding the prosecution of such crimes.

Aptly, this issue features the reasoned positions of Antonia, Lisa and Tatenda on whether or not Facebook should be allowed to utilise their users’ contents in any manner they see fit, including the right to transfer or sub-license its rights over a user’s content to another company or organization. Sarah has penned a telling commentary on Alessandro Acquisti’s TedTalk regarding how the line between what is public and private, both online and in real life, has become so blurred and why this matters.

Finally, I would like to thank Konrad for his highlight piece on Nexus’ Career Day this month. I would also like to thank Mattheus for taking the time to write about his experience of studying abroad in Leipzig, Germany.

Please feel free to contact us at magazinecommittee.nexus@gmail.com if you have any queries, comments or suggestions. We are always happy to hear from you! Make sure to stay tuned in to The Nexus Magazine Blog where we will continue posting our Faculty Feature interviews, along with other pieces. I also hope you take the chance to attend one of the very interesting summer schools planned by the Law Faculty.

Warm wishes and happy reading,

Jochelle Greaves Siew
Editor-in-Chief – The Nexus Magazine

UPCOMING EVENTS
A highlight of all the important events NEXUS are hosting.

RUG SUMMER SCHOOL
An overview of the Faculty of Law’s two Summer Classes of 2018.

NEXUS CAREER DAY
Remarks: Read Nexus Magazine’s coverage of the Nexus Career Day.

ARTICLES
GDPR: Overview of EU’s data regulation update
System: Common vs Civil approach to data
Forget: An analysis of the Right to be Forgotten
Cost: How much does stolen data sell for?
Webcam: The sexploitation epidemic

OPINION PIECES
Antonia, Lisa, & Tatenda: Three student opinions on privacy.

TEDx ANALYSIS
Future Data Privacy: Thoughts on Alessandro Acquisti’s TED Talk.

STUDY ABROAD
A student’s recent experience studying abroad.


UPCOMING NEXUS EVENTS

Save these dates!

31st March: Last day to Apply for Committee of Auditors
15th April: Last day to Apply for Board
18-19th April: Education Lecture: Refugee and Asylum Law
20th April: Embassy Visit
25th April: Conference: Environmental Law w/ Vintres
18-20th May: Active Members Weekend
23rd May: Third GA
1 June: Barbecue
7-8th June: Final Notes Sale

https://www.nexusgroningen.nl/ Nexus@Rug.nl



RUG FACULTY OF LAW 2018 SUMMER SCHOOLS

The Faculty of Law is pleased to announce that it will be hosting two summer schools from July 9th to July 13th, 2018: Health and Human Rights: The Global Crisis of Noncommunicable Diseases and International Law for Sustainable Societies: The Sustainable Development Goals.

Deadline: May 1st, 2018

International Law for Sustainable Societies: The Sustainable Development Goals

The percentage of people living on less than $1.25 a day fell from 43.1% to 20.6% in the last 25 years (World Bank). However, further progress needs to be made in improving the living conditions of people around the world. This summer school, organized by the Department of Transboundary Legal Studies (formerly titled International Law), aims to explore the contribution of international law to the implementation of the Sustainable Development Goals (SDGs). The SDGs set 169 targets for advancement, including universal access to food, water, health care and education; the sustainability of economic growth; ensuring protection of the environment; and the promotion of peace and justice. These goals intend to ameliorate everybody’s lives, in particular by ending extreme poverty, eradicating inequalities and injustice, and addressing the problem of climate change.

The summer school intends to highlight both the prospects and challenges of implementation of the SDGs by analysing these in the light of human rights law, sustainable development law, the law of (international) peace and security, and international law more generally. As goals do not (necessarily) justify the means, we will approach international law and human rights not only as a facilitator enabling the implementation of the SDGs, but also in their roles to prevent arbitrary or unlawful actions. Throughout the programme, participants will be invited to actively discuss – with experts from international law, human rights law, international relations, civil society, and the (social) sciences – the legal and policy framework.

Interested in this course? Please send your CV and a one page motivation letter to ILLS@rug.nl

Contact Information: For more information visit our website <https://goo.gl/ngmN32>. Alternatively, refer to the Summer School coordinators via ILLS@rug.nl


SUMMER SCHOOL

Health and Human Rights: The Global Crisis of Noncommunicable Diseases

Most deaths that currently occur globally are the result of chronic or ‘non-communicable’ diseases, in particular cardiovascular diseases, most cancers, chronic respiratory diseases and diabetes. Although medical science plays an important role in reducing these diseases, law and policy are also crucial, in particular as they can ensure access to prevention, treatment and care, and address behavioural risk factors such as smoking, excess alcohol consumption, unhealthy eating and a lack of physical exercise. The summer school (in the past known as Law & Lifestyle) gathers both academics and practitioners from the field to promote understanding about how law and policy can best be framed to address the global increase in chronic diseases. Taking a human rights approach, key focus areas include securing equitable access to essential medicines, as well as possibilities to regulate behavioural risk factors, in particular smoking and unhealthy diets.

Through interactive teaching methods, and against the backdrop of insights from health science, participants will fuel their desire to learn how human rights and domestic law can converge with the need to fight chronic diseases, and how a global and domestic response can best be defined and implemented. A range of key experts will give lectures in this course, including Prof. Brigit Toebes (UG), Dr. Marie Elske Gispen (UG), Dr. Machteld Hylkema (UMCG), Dr. Jasper Been (Erasmus MC), Mr. David Patterson (IDLO), and Mrs. Laura Houtenbos (Dutch Cancer Society).

Interested in this course? Please send your CV and one page motivation letter to ncdandlaw@rug.nl

Contact Information: For more information visit our website <https://goo.gl/ngmN32>. Alternatively, refer to the Summer School coordinators via ILLS@rug.nl

IMAGE CREDIT: DFID (UK)



CAREER DAY

NEXUS CAREERS DAY 2018: ANOTHER SUCCESSFUL YEAR FOR THE EVENT

The International and European Law program at the University of Groningen has drawn international students from around the globe, but with each country having its own legal requirements to practice law, the thought of beginning a career can seem a distant dream. Furthermore, law is such a broad field, with a myriad of potential specialisations, so when the question “what do you want to do with your law degree?” arises, it is not unusual that the student does not know yet. That is why career days are invaluable for any budding student. They offer the opportunity to meet successful lawyers, to learn the realities of what the work entails, and give a tangible idea of what is required to work in their respective fields. This past month, Nexus hosted their 2018 Career Day and, thanks to the hard work of the Nexus Board, it was a roaring success.

Highlights from the Day:

Representation from:
-European Union
-United Nations
-Residual Court for Sierra Leone
-National Diplomats
-Successful Alumni

Keynote Speech from Max van den Berg
-MP of EU Parliament 1999-2007

CV Workshop with the JFV

“This event made me really excited for everything to come” -Nike Köhne/LLB 1

“It was dope” -Arystan Jazin/LLB 1

“I’m immensely proud of what we have achieved. Best year yet!” -Tatenda Madondo/LLB 2


ARTICLE

THE GDPR: WHAT DOES IT MEAN FOR DATA PROTECTION AND BUSINESSES?

The General Data Protection Regulation, or GDPR, is set to come into force in just over two months. The GDPR strengthens the data protection framework currently in place in the EU and imposes a series of obligations on data controllers, some of which are so far-reaching that it has even been described as ‘apocalyptic’ for business. But is this description fair? What are the main changes that the GDPR brings in and what do they actually mean?

The Current Framework

Data protection has been regulated at the EU level since 1995, when the Commission responded to the difference in Member States’ implementation of the Council of Europe’s Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data by drafting harmonising legislation in the form of Directive 95/46/EC, better known as the Data Protection Directive. As the right to data protection was later enshrined in the EU Charter of Fundamental Rights, it should come as no surprise that the European data protection regime is likely the most comprehensive in the world and far stricter than comparable legislation in the USA and other countries. For example, the Data Protection Directive severely restricts the right to collect ‘sensitive’ personal data such as religion or sexual orientation. It also imposes the duty of ‘fair collection’, which holds that data controllers should inform data subjects of their identity and the purposes for which their data will be used. Controllers are also required to have substantial levels of security that can prevent leaks of personal data. In addition, individuals are granted extensive rights they can rely upon against controllers.
These include, for example, the right to access any data a controller holds on them, the right to have incorrect data corrected or erased (which is particularly important when dealing with, for example, credit scores, as incorrect data could have a very negative impact on someone’s life) and at least in theory the right to demand that data processing be stopped. Additionally, the European Court of Justice famously read into Article 14(a) of the Directive the so-called ‘right to be forgotten’, which allows data subjects to request the deletion of data even if it is correct in certain circumstances. The Directive also provides for monetary compensation where these rights are violated.

As noted earlier, the European system of data protection is already probably the strictest in the world – a 2012 study by law firm Taylor Wessing placed all but one EU Member State (Slovakia) in the top three tiers worldwide. It may therefore come as somewhat of a surprise that the EU has decided to replace the Data Protection Directive with the even stricter GDPR.

What does the GDPR add?

Scope

The first change which should be noted is the widened territorial scope of the GDPR. The Data Protection Directive only applies to companies and firms which are established in an EU Member State. The Court of Justice has interpreted this quite broadly - for example, in the Costeja Gonzalez case it held that Google’s Spanish subsidiary came under the scope of the Directive even though it did not itself directly process personal data. However, the GDPR goes far further: Article 3(2) states that any company that offers goods or services in the EU or monitors the behaviour of EU residents is caught by the Regulation’s provisions. This in effect turns GDPR compliance into a prerequisite for doing business in the EU and is likely to cover, for example, American tech companies.

Consent

The GDPR imposes a higher threshold for determining that consent has been granted by data subjects to allow processing of their data. While the Data Protection Directive allows for consent to be inferred, the GDPR requires consent to be expressed by ‘a clear and affirmative action’ – which means that data processing is now very much opt-in rather than opt-out. Preticked boxes or tacit acceptance are no longer deemed to satisfy requirements.

Another aspect of consent requirements that has been beefed up is the way requests for it must be presented. Multinational corporations are not allowed to present consumers with ten-page long documents full of six-syllable words, Latin phrases and legalese. Instead, requests for consent must be ‘clearly distinguishable’ from any other sections of a document they are in, and they must be expressed ‘in an intelligible and easily accessible form, using clear and plain language’.

Consent requirements are even higher for special categories of personal data, namely those that provide information on (among others) an individual’s sexual orientation, religious and political views and trade union membership, as well as (unlike in the Directive) their biometric data. Here, ‘explicit’ consent is necessary. The Article 29 Working Party (an advisory body made up of representatives from each of the Member States’ data protection authorities, the European Data Protection Supervisor and the Commission) defines explicit consent as ‘all situations where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing.’ Lastly, companies cannot insist on being allowed to process data as a precondition of providing a service unless the data is indispensable for the service itself.

New Rights for Individuals

The GDPR is not an attempt to reinvent the wheel when it comes to the core, substantive elements of EU data protection legislation. Most of the rights it grants to individuals can be found (and often in almost exactly the same form) in the Data Protection Directive. However, there are some new additions. The right to erasure (‘the right to be forgotten’), which had previously been read into the right to object by the ECJ, is now expressly codified in the GDPR. Another novelty is the right to data portability, which in essence means that data subjects can ask controllers for an easy to understand and machine-readable summary of all the data they hold on them.

Security, Accountability and Governance

Perhaps the biggest new burden on companies, however, is not any of the new rights (or rehashed old ones) directly granted to individuals, but rather the governance requirements the GDPR imposes. The Data Protection Directive does include a requirement for controllers to ‘implement appropriate technical and organisational measures’ to guarantee the security of personal data. The GDPR not only maintains this requirement, but goes further in depth by providing detailed guidance as to what exactly ‘appropriate’ might mean. Another way the GDPR goes further than the Directive is by requiring controllers to notify the authorities within 72 hours of a security breach that could compromise the security of personal data – something which might seem particularly relevant given recent events involving Cambridge Analytica and Facebook, who did not disclose what is now proving to have been quite an important breach in 2015.

Certain bodies (public authorities and companies whose main activities are or include the systematic and large scale processing of personal data) will be required to appoint a data protection officer, who must be an expert in the field and is required to be involved in all activities related to data processing. Article 38 of the GDPR essentially bans attempts to influence the data protection officer’s decisions (or sack him or her for doing his or her job properly) and states that he or she is to report directly to the highest level of management.

Data controllers will be further required to keep detailed internal records on data processing practices, and to carry out impact assessments before undertaking activities that are likely to lead to a high risk to the rights and freedoms of individuals. When the impact assessment in question suggests that the risk is indeed high, the competent supervisory authority must be consulted – and the authority will have the right to order controllers to impose additional measures if it sees fit.

Lastly, the GDPR imposes the requirements of ‘data protection by design and by default’. In broad terms, this means that data controllers will have to take data protection issues into account from the first step of designing a new product or service rather than just treating it as an afterthought or mere addition, and that the default is to process the bare minimum of personal data that is required for the purposes of the current action.

Sanctions

It’s safe to say that these companies are likely to take the above changes seriously, as the sanctions the GDPR envisages for breaches are significant. The Data Protection Directive allows the Member States to decide how to punish noncompliance, and there has obviously been concern that they have been too reluctant to do so properly, as the GDPR sets out much more detailed guidelines on the matter. While the highest fine ever handed out for the infringement of data protection legislation in the UK, for example, is £400,000, the GDPR explicitly provides for fines of up to €20 million or 4% of global turnover. What’s more, the recitals of the Regulation mandate that regulators should follow the definitions of ‘undertaking’ that stem from Articles 101 and 102 of the Treaty on the Functioning of the European Union, which means that companies that form part of the same group even if they are on paper independent could be counted as one – so fines could become astronomical.

Effects

While the GDPR does create some new rights for individuals (and strengthens others), its main effects on the use of personal data are more likely to be process-based. The biggest difference it introduces is requiring controllers to be more mindful of data protection concerns in a systematic way than any right that a subject could invoke in a courtroom.

Its effects on business will be serious and widespread. The theoretical possibility of a fine of up to €20 million (approximately 40 times the highest fine ever handed out in the UK for data protection issues, for example) means that companies will have to take note of its provisions. Importantly, this applies to firms – especially tech startups – worldwide, as GDPR compliance is effectively a requirement for selling products or services to EU consumers. The EU’s economic strength, coupled with this requirement and ‘adequacy’ provisions that regulate the transfer of data to third countries, means that we are likely to see a tightening of data protection regulation worldwide as more and more companies and countries strive to keep up.

It is fair to say that GDPR compliance will increase costs on companies (and provide a lot of business to law firms; it is certainly a good time to be a data protection lawyer). Ultimately, however, this must be balanced with the idea of more robust protection of what is after all a fundamental right of the European Union, and in my view the benefits outweigh the costs. Additionally, there is an argument to be made that customers are more likely to consent to the processing of their data if they know it will be properly protected. This could, in the long run, go at least some way to mitigating many of the costs companies will face in becoming GDPR compliant.

Article by Woodman Dickinson /LLM


ARTICLE

PRIVACY PLEASE:

A COMPARATIVE OVERVIEW OF THE COMMON LAW AND CIVIL LAW APPROACHES TO DATA PRIVACY BREACHES

This piece constitutes a comparative analysis into whether common law or civil law systems provide better citizen protection against data privacy breaches. As it will become evident, the various examples examined in this essay tend to confirm that, in most instances, common law and civil law jurisdictions have similar theoretical privacy rights protections.

Privacy breaches are a highly publicised 21st century digital age fact of life. Such breaches occur in one of multiple ways. Examples include: (i) third parties wrongfully manipulating personal data available through social networking sites such as Facebook; (ii) commercial enterprises’ customer data (notably credit card or banking information) being ‘hacked’; and (iii) surreptitious personal data gathering carried out by digital technology companies, including ‘tracking’ user movements to determine consumer habits. For present comparative analysis purposes, these privacy breaches are conceptually distinguished from physical intrusions made on individual privacy which may include media efforts to secure photographs of celebrities taken at otherwise private events (celebrity weddings or other private gatherings), or publishing well-known persons’ private information in ways that breach confidence (even where related to public places).

The subtler issue demanding attention is exactly how civil and common law systems tend to interpret and apply these similar human rights protections and their mechanisms. For this reason, England and Wales (EW) act as representation of the common law jurisdiction with relevant comparisons made to Germany, a civil law jurisdiction. The significance of the comparison made between these countries is strengthened by the fact that Article 8 of the European Convention on Human Rights (ECHR) and the General Data Protection Regulation (GDPR) reflect standards of rights which are common to both jurisdictions. It must be noted that other countries will be mentioned as examples regarding more specific aspects of both jurisdictions in order to give a broader view.

Common Data Privacy

Common law evolution is often characterised as incremental, as opposed to a systematic approach, or based on codified legal principles that provide civil law jurisdictions with their structural foundation. Individual common law judges and appellate courts contribute to legal principles’ development by seeking solutions to specific legal issues. Precedent is a primary means by which the common law maintains its predictability, certainty, and general cohesion. It is suggested that the ‘pre-GDPR’ EW data breach authorities tend to reflect traditional common law interpretive approaches.

The EW ‘personal data’ definition as explored in Durant v FSA is a useful example. The applicant had sought a court order requiring the respondent Authority to provide him with certain information in its files. The Court of Appeal rejected the applicant’s argument that the Data Protection Act’s definition of ‘personal data’ was sufficiently broad to include any information retrieved as resulting from searches involving his name, or any related files in which he could be identified. This restrictive definitional approach (one upheld in subsequent EW cases) is consistent with the common law philosophy that courts should resist interpreting legislation more broadly than is required to resolve a specific legal dispute.

EW attitudes previously expressed regarding an evolving ‘right to be forgotten’, as articulated in the European Court of Justice’s 2014 reasoning in Google Spain, are also instructive in this comparative context. Google Spain advanced the following proposition. Private citizens possess the right to challenge how EU data processors (such as Google, and its search engines that link data bases to users seeking information regarding any individual) permit public access to potentially obsolete or incorrect personal data. The Parliamentary Select Committee rejected the Google Spain reasons as being inconsistent with EW privacy protection principles. The Committee also resisted the notion that general rules were required to ensure effective data protection, preferring that individual claims should be resolved on their own merits. Now, the German data protection approaches are considered.

The Deutsch Example

As the EW common law examples suggest, civil code systems, such as Germany’s, emphasise how specific legislative rules must be applied uniformly in a given proceeding. In the pre-GDPR 2016 era, this civil code philosophy tended to encourage a more interventionist judicial attitude than that evidenced by the EW law. The German obligations imposed on data protection officers (DPOs) – the persons responsible for maintaining data protection compliance standards in their companies – are much higher than those applicable to similar EW DPOs.
The German DPO approach was more proactive than what EW data protection regulators promoted. As Belke observed, German regulators had interpreted the previous European Commission (EC) regulation (the 1995 Directive) more expansively, whereby German DPOs were expected to ensure both the 1995 Directive spirit and letter of the law were upheld. The impression created by reading the German authorities is one that appears to favour the defined consumer interests, in preference to limiting business data protection obligations owed to the individuals whose data the business controlled.

A relatively recent German court decision contributes to this impression. In its 2015 Re Google reasons, the Cologne Administrative Court held that email service providers were ‘telecommunications services’. On this basis, Google and similarly positioned email services are subject to the same regulatory supervision, and corresponding data protection obligations, as traditional German telecommunications providers. A Berlin court adopted a similarly aggressive approach in its interpretation of the scope permitted by German data protection laws. The Court held that German data protection law (and not the Irish law that Ireland-based Facebook claimed was applicable) governed how Facebook was permitted to use data gathered from cookies placed on German users’ computers. The Court appears to endorse the view that Facebook is sufficiently well-resourced to take the data protection steps German law imposes in these circumstances.

Notification of Data Privacy Breaches

In Europe, the term ‘data breach’ refers to instances “where personal data has been subject to unauthorized access, collection, use or disclosure.” These breaches can be caused by “inadvertent or deliberate actions that result in data being stolen, lost or disclosed”, such as theft of storage devices, infiltration of computer systems or inadequate data security practices. The notification of a data breach serves different purposes. The main purpose of notifying public authorities is to enable them to exercise their regulatory oversight functions, such as identifying security problems and taking actions to address them. Individuals should be notified so that they are able to decrease the risk of harm that can be possibly caused by the breach.
In addition, notification can motivate organizations to implement more effective security measures in order to protect personal data and prevent another breach. Civil Law Currently, there is no general breach notification requirement across the European Union (EU). However, specific Member States have established several different laws and approaches to the issue. Some countries have adopted laws that oblige organizations to


report data breaches such as Germany. Data breach notification was introduced as law in Germany in 2009 and applies to both private sector businesses and particular federal state agencies, including public electricity providers. Both individuals and data protection authorities must be notified without undue delay. Notification is required for breaches that may lead to “serious impediments for privacy and other individual interests.” The types of data, as well as the possible consequences of the breach (for example, damage or identity theft) must be considered when determining if such “serious impediments” exist. In cases where a large number of individuals are affected, public announcements in at least two national newspapers can replace individual notices. In other countries, solely voluntary guidance issued by data protection authorities exists. For instance, Spanish law sets out a mandatory procedure for management of data breaches but does not require notification of the data protection authority or the individuals. Other Member States are still considering whether and how to introduce breach notification obligations. Common Law Similarly, common law countries approach the issue of data breach notification in different manners. In 2009, The United Kingdom Information Commissioner ’s Office (ICO) issued non-binding guidance on how organizations should manage and notify a data security breach, recommending that all “serious” breaches are brought to its attention. A “serious” breach is determined based on the potential for harm to individuals, the number of individuals affected by the breach, and the sensitivity of the data. The guidance does not specify a timeframe for notifying the ICO and/or the affected individuals nor the method of notification. Since April 2010, the ICO has had the power to impose monetary penalties of up to GB£500,000 for breaches of the Data Protection Principles enshrined in the UK Data Protection Act. On the contrary, in the

United States, 46 states, as well as the District of Columbia, Puerto Rico and the US Virgin Islands, have enacted laws imposing notification obligations on organizations that discover, or are notified about, a breach of security involving personal information. Most of these laws are modelled after the California security breach notification law, which came into force on 1 July 2003 and mandates the notification of affected individuals regarding security breaches involving unauthorized acquisition of computerized data including certain types of personal information relating to individuals residing in California. Notably, the law does not apply to any public authorities. Additionally, a number of states do not require notification when the security breach is not likely to cause harm, such as identity theft.

The Facilitation of Change through The GDPR 2016

This Regulation represents a comprehensive EC and EU Member State commitment to strike an effective balance between competing consumer convenience and business enterprise interests. Thus, it is highly plausible that the Regulation will change the way European and non-European companies trade and store data within Europe, thereby affecting the ways in which customer and employee data are handled. When fully implemented (April 2018), the GDPR will both reinforce and extend the protections currently enacted under EU Member State national laws, such as the UK DPA 1998 and the German 2017 Federal Data Protection Act. The average citizen will benefit from more stringent laws as organizations will be allowed to store a greater portion of personal data. Additionally, individuals will have more control over their data concerning credit card usage, social media activity and mobile devices once these changes are implemented. The GDPR 2016 is framed by six data protection principles. Two principles are highlighted here: (i) all personal data must be processed “fairly,



lawfully and in a transparent manner”, as concerns private individuals; (ii) such data must be processed in ways that ensure its “appropriate security” against (a) unauthorised, or unlawful processing, and (b) accidental loss, destruction or damage. Under the GDPR, the Data Controller will be legally obliged to notify the Supervisory Authority without undue delay. More specifically, the reporting of a data breach is not subject to any de minimis standard and must be reported to the Supervisory Authority within 72 hours after having become aware of the data breach with individuals having the right to be notified if adverse impact is determined. However, this is not necessary if the data controller has implemented appropriate technical and organizational protection measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption. In addition, the data processor must inform the controller without undue delay after becoming aware of a personal data breach. The overarching GDPR 2016 philosophy reflected by the Regulation’s principles is also reasonably aligned with broader ECHR Article 8 personal privacy expectations. As Loideain notes, Article 8 privacy guarantees are subject to the ongoing, relentless challenges posed by digital technological developments. This tension, one that is also directly linked to the broader convenience – data protection conflicts, apprises the specific EW and German examples considered. Whilst the pre-GDPR 2016 authorities strongly suggest that the German civil law system has adopted a more rigorous data protection approach than is evident from the cited EW examples, the pending GDPR 2016 enactments are likely to encourage far greater common law – civil law convergence than may have been the previous case. 
Where the EU common law Member States, such as Ireland, and civil law jurisdictions may have adopted different data protection approaches in the past, GDPR 2016 includes the following guidance. The Regulation seeks to promote objectives that include (i) freedom, security and justice, (ii) greater economic union, (iii) further economic and social progress, and a strengthened “convergence of the EU economies”. The ways in which digital technologies have evolved, within all EU Member States (common and civil law systems), are a clear indication that societies expect data protection will be similar no matter where an individual may reside.

Conclusion

The privacy breaches examined here engage an intriguing, combined legal and human rights issue, one that arguably influences the extent to which common law and civil jurisdictions each enforce individual privacy rights. On one hand, modern consumers have embraced convenience as an important reason for using digital communications in all types of transactions. Online shopping, as driven by transaction ease and efficiency, has emerged as a vital modern economy feature. There is a powerful commonsense argument to be made in this respect, one that echoes ancient assumption of risk (volenti non fit injuria) principles: digital network users beware, and take all reasonable precautions against data breaches. The contrasting argument is more persuasive, and its core premise has propelled modern data protection – privacy breach understandings. Governments and commercial enterprises alike have promoted digital technology as a key ingredient in all future global economic growth. The GDPR 2016 (amongst other legislation), particularly emphasises how digital consumer markets contribute greater EU “economic and social integration”. This encouragement thus creates a corresponding business obligation to protect consumer data, and motivate States to provide meaningful data protection enforcement mechanisms. The common and civil law approaches to data protection revealed by the pre-GDPR 2016 authorities noted here were consistent with the respective philosophies at the heart of each system. Theoretically, both jurisdictions seem to have a fairly similar approach. Yet, the German case law examples suggest a more comprehensive, pro-private rights approach than endorsed by the EW courts and legislators. However, the pending GDPR 2016 enactments suggest greater data protection convergence between the common law and civil law approaches is now likely in this legal sphere.

Article by Jochelle Greaves Siew /LLB 2


ARTICLE

THE RIGHT TO BE FORGOTTEN IN EUROPEAN UNION LAW

The Google Spain judgement and its implementations for the development of fundamental rights in the digital age

Introduction

In 2014 the Court of Justice of the European Union delivered a judgement that sparked a heated debate, ranging from outrage to euphoria, about privacy in the digital age. In the case of Google v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja Gonzalez, mostly referred to as the Google Spain judgement, the Court agreed with the applicant, granting him a right which is popularly termed the “right to be forgotten”. While some celebrate it as a huge milestone in human rights development and see it as strengthening the privacy rights of individuals, others fear it as the beginning of a creeping censorship. In the light of this passionate debate it is worth taking a step back to get a clear view of the matter and ask ourselves what is actually true about the allegations of both sides.

The Law

The European Commission defines the right to be forgotten as “The right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes.” In order to understand its content and range, it is worthwhile to have a more detailed look at the infamous Google Spain judgement and the law that it was based on. The case originated in Spanish citizen Mario Costeja Gonzalez requesting the de-listing of Google search results to two webpages of a newspaper that reported on the auction of his house as a result of his inability to pay social security debts. The Spanish Data Protection Agency (AEPD) complied with his request and ordered Google to remove the respective links. Google appealed against that decision and eventually the European Court of Justice was called upon to clarify the matter from the angle of EU law.
The Court was essentially asked to rule on three main questions: whether EU law applied to a company such as Google, the main server of which is located outside the Union’s territory, whether the EU privacy and data protection law was applicable to search engines such as Google and, lastly and most importantly, whether individuals have the right to

demand that certain information about them be deleted online. The Court answered all the questions mentioned in the affirmative, effectively granting the right to be forgotten to the applicant and placing an obligation on Google to give effect to it. The judgement was mostly based on the 1995 Data Protection Directive. With respect to the right to be forgotten, article 12(b) of the directive is of special interest. It grants citizens of the Union the right to receive access to their data, placing an obligation on the Member States of the Union to ensure to citizens “as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data.” It is, however, noteworthy that the Court based its judgement on this provision while applying it to a situation in which no inaccurate information was concerned. The information about Mr. Costeja Gonzalez was objectively correct; the decision to rule in his favour, therefore, arguably goes beyond the letter of the provision, laying a bigger focus on his privacy. This is why, additionally, articles 7 and 8 of the EU Charter of Fundamental Rights should be mentioned. While the right to respect for private life, as contained in article 7, is a right that can nowadays frequently be found in various human rights instruments, article 8 is very interesting, as the status as a human right of the right to data protection, which this article provides, is much more debated. The EU is quite unique in accepting this as a fundamental right and it shows that the EU has a history of progressive protection of the data of individuals in the internet age.

The Right to be forgotten as a Fundamental Right

This far-reaching protection of online privacy in the EU rights regime raises questions concerning its compatibility with other human rights and its practicability.
As is so often the case in human rights law, the right to be forgotten also involves a weighing of opposing interests.



Proponents argue that one should not be haunted by one’s past and should not have to suffer for one’s entire life for mistakes that occurred years ago. Additionally, a family whose deceased daughter’s picture was publicised in the news for weeks after a deadly accident could, for example, make use of their right to have these photos removed to ease their pain and find closure. Opponents, on the other hand, fear a growing infringement on the freedom of speech and the freedom of the press. This is especially so since the content and nature of the right to be forgotten is very vague and has yet to be developed. Terms such as the “right of oblivion”, meaning the right of individuals to request at any time that any personal information about them shall be deleted, and the “right to erasure”, implying a right to have personal data processed without explicit consent of the individual by third parties erased, often come up in the debate about the right to be forgotten. The relationship between these notions is unclear and it is questionable whether the right to be forgotten (RTBF) leans more towards the one or the other, whether it is a combination of both or whether it is something new altogether. Critics see the right to be forgotten as a step going further than traditional privacy and data protection rights and certainly disagree with the claim that it was already contained in article 12 of the Data Protection Directive and that the Court did not create a new right. In the most extreme form the RTBF implies that every individual should be in complete control of their own information and what the world gets to know about them. This notion, however, constitutes a problem in the sense that some information is of concern to the public and that one of the basic functions of the free press is to inform the public about this kind of information. The CJEU is also aware of this dilemma and has attached conditions to the RTBF. In paragraph 91 of the Google Spain judgement the


Court held that if information, though accurate, was “inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes” (for which it once was collected) there exists a right under EU law to have it removed. The Court, furthermore, stressed that this test is to be applied on a case by case basis, taking factors such as the individual’s public relevance and the importance of the respective information into account. It is, therefore, safe to say that the right to be forgotten is far from being an absolute right and other factors such as the freedom of the press continue to play an important role, also post Google Spain. However, the case by case assessment may hide some unwanted dangers, as critics warn. Not every request by an individual for personal information to be deleted from a website or the search results of a search engine can be evaluated by a judge. In the first year after the Google Spain judgement alone nearly 350,000 requests to this effect were received by Google. So who is to judge whether information is inadequate, irrelevant, no longer relevant or excessive in relation to those purposes? The answer to this question is, as it now stands, the search engines themselves. Opponents of the RTBF point out that such an important decision as to what amounts to information of public interest should not be made by private actors. Actual examples seem to back their argument. The case of a German journalist accused of shady methods may serve as an example. He asked Google to remove a search result leading to a website that aims at uncovering these kinds of practices, which had him on a black list. He used the Google Spain judgement to back his claims and succeeded. This is one example of how the right to be forgotten, at least in the vague shape as it stands, can actually prevent valuable journalistic work from coming to be known to the public. An additional problem regarding this matter concerns the geographic dimension of the


internet. As it is by definition accessible from more than one country, the question soon arises as to the actual usefulness of this right. The ruling in “Google Spain” merely confirmed a right to be de-listed from search engines; an obligation of the website owners to delete the content, effectively amounting to what has been phrased as the right to oblivion, cannot be deduced from the judgement. If the search results stay as they were in all other countries, except for the country in which a request was made (or in this case the European Union) or, most importantly, can simply be found by using for example the website of Google.com instead of Google.es, the right is essentially useless. In particular, in order to exclude the latter option, European data authorities ordered search engines to introduce geolocation blockers to prevent all access from the territory of the Union regardless of what version of a search engine is used. The former option is even more heavily debated. The French information authority has already fined Google in the past for not applying French requests for removal of links in their services worldwide, arguing that geoblocking is not sufficient. Opponents are alarmed; they are afraid that if claims such as the French one become more established, less democratic governments could attempt to impose their views on the world following this principle. Google’s general counsel Kent Walker warned of a “global race to the bottom, harming access to information that is perfectly legal to view in one’s own country”. Other critics such as the Rossel group even fear that this might be the start of a “rewriting of history”.

Conclusion

Claims such as those of the Rossel group and Google itself might, arguably, be overly drastic and exaggerated. The CJEU clearly set boundaries to the exercise of the right, stressed

its non-absolute nature and the necessity to balance it against the interests of the public as is required in a democratic society. The French Data Protection Authority pointed out that there can be no threat to the freedom of the press as no information is actually deleted. Nevertheless, it is undeniable that the notion of the RTBF possesses a potential to be abused. Opponents of the right criticise the argument of the French authority as overly idealistic, as it does not take into account the power that search engines such as Google possess in regard to obtaining information online. They, moreover, raise the issue of whether companies should be the judge of what constitutes irrelevant information, warn of the possibility that crucial information might be hidden from the many for the benefit of the few and point to the potential threat of authoritarian regimes spreading their ideologies worldwide. This does not change the fact, however, that, at the latest since the Google Spain judgement, the right to be forgotten is a legal and factual reality in the EU. That does not take away that it is still at an infant stage. It is, therefore, still vague and partly undefined, which confronts companies, lawyers and every interested individual with considerable problems in the practical exercise of it. It can be considered undebatable, however, that as technology evolves, the debate about online privacy and protection of data will only gain relevance and so will the right to be forgotten. Its further development remains interesting and is worth keeping a close eye on.

Article by Merlijn Hoppema /LLB 2



ARTICLE

DATA FOR DOLLARS An exploration of how much stolen data can be worth

From a metaphysical perspective, it could be considered nigh impossible to attribute a value to a human life. However, in contemporary society, bearing in mind humanity’s ever expanding digital footprint, individuals’ identities are being stolen and sold to the highest bidder. This appropriated data has found a home on the dark web, where a sophisticated economy has emerged and a person’s data is dissected into parts, each with its own market-defined value. The most troubling factor is how easily data can be breached, as evidenced by some of the gargantuan data breaches in the past decade such as Yahoo, JP Morgan, and Ebay. Surprisingly, such sensitive information is relatively inexpensive to acquire, especially considering the potential damage that identity theft can cause a victim. In May of 2018, Regulation (EU) 2016/679, the reformed General Data Protection Regulation (GDPR), will enter into application, presenting updated rights for EU citizens and offering potential recourse against companies that compromise citizens’ data. Below, a breakdown of potential data compromises and their respective costs.

Credit Card Information

As of 2015, the largest bulk of stolen card information originated from Argentina, Britain, Brazil, Canada, and Georgia. In Europe and

Asia, the average VISA or MasterCard retails for roughly €14.50-€16.25, whilst card information from the United States can be valued as low as €3.25. Premium cards, with limits of €60,000 or more, can ironically be obtained for a fraction of the card’s spending potential at €32.50. Furthermore, purchased cards also come with the victim’s address so that the perpetrator can avoid the risk of triggering a fraud alert by using the stolen card geographically close to the victim’s residence.

The ‘Fullz’ Dossier

The fullz provides the purchaser with all the documentation required to assume another’s identity. This includes the social security number, full name, date of birth, and banking credentials of a victim, all of which can be bought for the price of €24.50 for a United States citizen, and worldwide the fullz dossier can be priced anywhere from €32.50 to €36.50. Initially, it may be surprising how cheap such information can be, particularly when considering the gravity of the information. Conversely, assuming another’s identity bears significantly more risk than merely using a stolen credit card, hence the equitable price point.

Biometric Data

Passwords are constantly compromised, thus requiring increased preventative security measures. Whilst biometric data is used


extensively in criminal investigations, it has become the vogue for biometric data to be used in a household’s everyday electronic devices. Computers utilize facial recognition; mobile phones require fingerprints and track eye movements. Unfortunately, this cutting-edge security technology comes with one major flaw: biometric data is static. Fingerprints, faces, and retinas are all intrinsically locked into a human’s DNA, and, unless major reconstructive surgery is undertaken, can be replicated. The University of Michigan replicated 3D fingerprints for under €400, and facial recognition technology can easily be beaten, for free, by utilizing the images from a victim’s social media account.

Cloud Storage

In 2014, the celebrity world was shaken when a collection of over 500 photos of celebrities, many of them explicit, was leaked online. In this event, dubbed ‘Celebgate’, all of the celebrities’ data was taken from their personal iCloud accounts through phishing attacks. With the public nature of fame, many of the celebrities’ security questions were simple to deduce by simply searching for the information online. Other celebrities were directed by a fake email account called ‘appleprivacysecurity’ to give their private information. The social and legal response to this attack was immense and acted as the impetus for an important dialogue on contemporary data crime. Moreover, this crime underlined the fallibility of humanity, and how very simple oversights on personal

security can have lasting consequences.

Webcam Access

It has now become an increasingly popular practice for individuals to cover their webcams to act as a safeguard from potential hackers. Whilst awareness has risen, data is scarce on just how epidemic webcam hacking truly is. Currently, hackers sell access to a woman’s webcam for €0.80 and, for the same price, access to the webcams of 100 men. The criminality of such acts is clear, but also incredibly unsettling when taking into consideration the age of some of the victims.

Holding Data Hostage

Just as data can be taken, it can also be withheld. In the past few years, a number of high-stakes heists have crippled institutions, holding their data hostage until a sizable ransom is paid. The most notable of which is the 2016 Hollywood



Presbyterian Medical Center attack, where the hospital’s internal data and systems were held hostage until the ransom of 9000 bitcoin (which today translates to €69,932,276) was paid. Luckily, there were no casualties in the attack, but the occurrence has acted as a catalyst for more copycat data seizures. When focusing on such negative aspects of data privacy, the future can seem quite dire. Although everything may have a price, there are protections in place to prevent data being compromised. Webcams can be covered, passwords can be encrypted, and security software updated. It is also important to highlight that many of these monumental hacks and breaches could have easily been prevented if it had not been for basic human errors. The Hollywood Presbyterian Medical Center hack was successful because an employee mistakenly opened a malicious email; the Ebay hack, too, was caused by the manipulation of employees to open malware on company computers. Human error, too, is widespread in personal protection, as demonstrated by the oversimplified passwords and complacency of individuals. The European Union is attempting to combat

the misuse of personal data with the upcoming EU Data Protection Reform that will afford new rights to EU citizens. These new rights include the right to access the data an organization has about you, the right to receive clear and understandable information on how your data is being used, the right to be ‘forgotten’ (where you can ask for your personal data to be deleted from a company’s database), and the requirement that companies get clear consent from you when utilizing your data. Furthermore, if personal data is lost or stolen by a company then they could face considerable penalties and have an obligation to pay for any incurred damages. The most immediate use of these newly afforded rights could be in the prevention of direct marketing so that, for example, your recent purchases or searches cannot be used to saturate your social media account with related advertisements. Although it has yet to be seen how effective these new regulations will be, they nonetheless offer uniformity across the EU in the treatment of citizens’ data and will conceivably offer clarity for companies, whilst simultaneously holding them accountable. Like the law that creates them, protections will evolve, but so too will the efforts to undermine them; hopefully the people, public, and politicians can remain proactive by supporting policy and education on the topic of data protection.

Article by Konrad Turnbull /LLB 1



ARTICLE

SEXTORTION:

THE FBI’S LARGEST GROWING THREAT AND ANOTHER REASON TO COVER YOUR WEB CAMERA

A teenager named Ashley begins to receive ominous messages announcing that the sender is in possession of explicit pictures of her. Threatening to release the video to her friends and family if she doesn’t comply with their demands, the unknown tormentor coerces his new victim to provide him with more images of sexual nature. Perhaps, for many of you, this little anecdote has produced an eerie effect of familiarity. That’s either because you are a fan of the TV Show “Black Mirror” or because you have been keeping a close watch on Lucas Michael Chansler, also known as the man who has victimised approximately 350 teen girls in a “sextortion” scheme. Proclaimed by the FBI and Europol as one of the most threatening forms of online exploitation that has emerged in the past 10 years, sextortion remains dramatically understudied both by academics and law enforcement agencies. Nevertheless, the (unfortunately) vast amount of victim statements and police reports have assisted private advocates and judges to assemble a preliminary definition of this offence. Sextortion is a ramification of online exploitation, where individuals are coerced into providing their online tormentors with sexual images or favours. In case of failure to comply with their demands, the victim is threatened with the distribution of sexual pictures of the victim, which have been acquired by the predators beforehand. In some cases, the offenders will approach their victims on various internet platforms and establish amicable relationships through flattery and romance, in order to entice the victims into sharing nude pictures. Otherwise, the offenders may hack into the victims’ computers by means of malicious software and gain access to personal and sensitive materials.
The crime of sextortion has been lurking in the penumbra of revenge porn and stalking for years, with no legal definition or federal law to at least recognize its existence. However, as the FBI is still seeking to identify the victims of Mr Chansler 8 years after his conviction, lawyers and anti-virus providers call for the recognition of the inherent danger that sextortion poses to data privacy and cybersecurity. The modus

operandi used by the online sex predators is as self-explanatory as the concept of “sextortion”: the predator illicitly obtains intimate images of the victim that are later used for extortion of more images or sexual interactions. Their tool kit includes malware and hacking techniques that enable surreptitious keystroke recording and access to the webcam or microphone of any electronic device. Thereby, online sex predators inflict a two-fold assault on data privacy, acquiring access to any personal data stored on the electronic device, as well as continuous streaming via webcams. As a result, the perpetrators are able to achieve a level of seeming omniscience in the lives of their victims. Furthermore, as web cameras and microphones have become ubiquitous components of electronic devices, and laptops have acquired permanent residence in the bedroom area, any internet user automatically fulfils the prerequisites of sextortion; for example, computer hacking accounts for approximately 43% of reported cases of sextortion involving adults. Therefore, it is essential to enlarge the scope of data protection policies in order to adapt to new forms of online sexual extortion. Moreover, it is of imperative importance to ensure that cybersecurity does not remain exclusively focused on governments and multimillion corporations, but rather encompasses the inexperienced and vulnerable internet users: children and young adults. In this context, cybersecurity vulnerability of internet users inevitably invites sexual victimization. While there are no grounds for denying the despicability of the crime and its flagrant infringement of data privacy laws, there is no holistic approach towards the criminalization of sextortion within national legal statutes. Moreover, the crime is often lost within the definition of other cyber crimes, such as revenge porn or cyber extortion. Firstly, the actus reus of sextortion does not require the distribution of the explicit content.
Instead, the despicability of the crime stems from the forced, non-consensual creation of explicit material, as victims often receive instructions on how to fulfil the sexual gratification of the perpetrator. Secondly, sextortion entails the commercialization of nonconsensual pornography and uses sexual material as a currency for blackmail. Such form of


manipulation, therefore, is not merely limited to data privacy infringement, but also undermines human autonomy and dignity. Moreover, the expansion of global connectivity has constructed a universal platform for victim-perpetrator dynamics, as evidenced by the recently exposed blackmail scam between an organised group in Manila and a Scottish teenager, who committed suicide soon after. Consequently, sextortion differs from the conventional cyber extortion threats and becomes eerily akin to physical sexual assault, albeit performed via a web camera. The failure to grant sextortion a clearly delineated spot on the spectrum of cybercrime compels the judiciary to rely on intuitive application of cyber sex crimes’ definitions and interpretation through analogy. As an illustration of this idea, the US federal laws lack an express definition of sextortion, implying that justice is often performed in a legislative vacuum. Therefore, sextortion cases are sometimes prosecuted as computer intrusions, sometimes as stalking, and sometimes under child pornography laws. Indeed, many cases of sextortion include online exploitation of children for purposes of sexual gratification, hence displaying the core elements of child pornography. However, the arbitrary application of cybercrime laws will inevitably undermine the principle of legality and predictability of law. The data collected by Brookings Institution represents an alarming exposé of the sentencing gap evident in the prosecution of the crime of sextortion; thereby, an online sex predator can expect the average sentence of approximately 8 months in a state court, and a sentence of 349 months in a federal court. The sentencing gap is further widened by considerations of the age of the victim. As a quintessential illustration, the online sex predator Lucas Michael Chansler received 105 years of prison under the clause of child-pornography laws.
In the meantime, other extortionists, such as Luis Mijangos, who victimised more than 100 young adults, received 6 years of prison time in a case brought to the court only one year later under the clause of wiretapping and computer hacking. As a result, the targeting of adult women victims is systemically undervalued in sentencing relative to similar conduct against minors. The American “Interstate Sextortion Prevention Act” of 2016 was a logically anticipated attempt at amending inconsistent prosecutions and was expected to initiate the integration of sextortion into federal law. However, up to this day, there is no legislative initiative commensurate with the proportions and the impact of the crime.

The Internet and its diverse web platforms have always required their users to be equipped with vigilance and a befitting amount of apprehension in order to withstand any attacks on privacy and integrity; furthermore, it seems that vigilance bordering on apprehension will soon have to characterise our daily interactions with our electronic devices. Right now, against the backdrop of global connectivity and an overabundance of personal information floating around, cybercrimes seem to have reached new milestones of flagrant violations of data privacy, encroaching on human dignity and autonomy. Most importantly, domestic authorities are clearly not equipped to eradicate cybercrimes and curtail their ramifications. However, what the law can do is provide legal certainty and a reliable safety net for victims of cybersex crimes. At this point, sextortion finds itself in a state of limbo, as the urgency of the situation has galvanized law enforcement agencies and national governments into action, yet the legislation remains passive on the matter of criminalization. Therefore, it is essential that data privacy standards and national laws are applied cumulatively in order to detect new forms of cybercrime and infringements of cyber security.

Article by Mădălina Nicolai /LLB 1



OPINION

RIGHT TO USE

We asked Antonia, Lisa and Tatenda to offer their reasoned positions on whether or not Facebook should be allowed to utilise their users’ contents in any manner they see fit, including the right to transfer or sub-license its rights over a user’s content to another company or organization. Here are their arguments:

Every time I post a picture to Facebook I think about whether I can live with this picture being immortalized on a server somewhere in Silicon Valley. Every couple of months, I check my privacy settings, change my password and review my activity log to make sure my online presence is “presentable” and won’t come back to haunt me. Last week my roommate did the same and deleted an old picture of herself distastefully celebrating the Dutch “Zwarte Piet” tradition when she was younger. However, this picture will still be saved on those mysterious Silicon Valley servers and she will probably never be able to change that. This is not due to her lack of diligently deleting old pictures, but rather a lack of transparency and information in regard to the Facebook terms and their IP License. The fact that Facebook has a “transferable, sub-licensable, royalty-free, worldwide license” is problematic in itself, but the most worrying part of this, in my opinion, is the lack of transparency on the issue. When I signed up to Facebook I was 13 years old and would definitely not have understood IP license terms. Teenagers today post everything and more on social media, counting and waiting for likes and comments, without knowing that with every interaction there is one more hurdle to having their pictures or videos permanently deleted. At age 13, the minimum age to join Facebook today, we do not hold children accountable for crimes committed; we do not give them the capacity to drink or consent to sex, yet Facebook attributes them with the capacity to give the company a license to, ultimately infinitely, use and give away their content? At 23, if I put a silly picture on the internet without thinking then I will live with the consequences and hold myself to a higher standard in the future. At 13, we don’t expect teenagers to understand what IP is, so why are we allowing companies like Facebook to implement license policies like these? In my opinion, such policies are not fair, nor transparent enough; however, as these won’t be changing anytime soon, these policies should at a minimum not be legal or effective for content posted by anyone underage.

LLM International and European Law Antonia Neidhart



The emergence of social media has more underlying difficulties than appear at first sight. The fact that the social platform Facebook uses the information and data that users upload to its own benefit should come as no surprise, although the public is considerably uninformed about what the personal content they upload can be used for. Hence, it is reasonable to argue that there should be an increased awareness of the fact that users lose more or less all the rights to their content when it is uploaded to this social media platform. On the other hand, it could be argued that it is the users themselves who should be more apprehensive about the content which is uploaded. There should be easier methods of removing oneself and one’s personal content from the internet, especially social media sites such as Facebook, without the consequence of the content still being held by Facebook. Nevertheless, it is also my firm belief that one must think carefully about what one chooses to upload online. It is important to reiterate that the internet is the most accessible and revolutionary source of information there is in the present day. The extent of information Facebook and other similar platforms gather is likely even more than disclosed, and the fact that dereferencing oneself from the internet is so difficult is alarming with regards to the right to privacy. Therefore, due to the fact that Facebook and other social media platforms have this extensive right to the content uploaded in their license, one must think twice before sharing information or endure the consequences.

LLB 2 International and European Law Lisa Aasenden

It is not out of the norm for social media platforms to exercise discretion regarding how they use the content uploaded by their users. Whether or not the terms and conditions are read upon joining the platform, users, in this case Facebook users, agree to have their photos and videos become the property of Facebook the moment their account is created. As a for-profit company, they are essentially within their right to then use said content in “any way it seems fit”, as the statement reads. This also includes lending the content to other companies. However, the resulting issues at hand here concern the privacy of the users and the limits that Facebook has, or at least should have, when it comes to users’ content. In my opinion, Facebook and its users ought to strike a balance. Facebook users should be aware of the license that Facebook has on each picture and video they upload and should thus choose their content accordingly. Knowing that their picture(s) may be used for other purposes outside of the intended profile picture and so on should result in the user taking greater care and consideration in the photos they choose to put on their profiles. Despite this, Facebook users should not have to feel overly restricted when using their personal page. Though their content becomes part of Facebook’s property, there should be limitations with regards to which content Facebook should be able to use. For instance, there are features on the site that allow users to limit and choose the audience of their content. With this in mind, I believe that users should also have the liberty to choose the content Facebook can use. Facebook must take into consideration the privacy concerns of its users in this regard. It is one thing for Facebook to have a license over its users’ content, but it is unfair for other companies and organisations to potentially have access to content of private persons who may not even be subscribed to them. There must be equal care taken on both sides regarding the content that is used and posted online, but it is up to the platform to ensure they respect its users, for without them, that platform would not reach the level of success that it has.

LLB 2 International and European Law Tatenda Madondo



EXCHANGE

ERASMUS EXCHANGE REPORT:

UNIVERSITY OF LEIPZIG - WINTER 2017-2018

Planning an exchange starts well in advance. Before making my decision, I had previously considered numerous options, both outside and inside Europe, including places like Taiwan, Indonesia, Austria and the UK. In comparison, a place like Leipzig doesn’t seem nearly as exotic or appealing as the other warm weather, culture shock locations. However, without a doubt, Leipzig ranked as an amazing experience, and without a doubt would make the top of my list again if choosing an Erasmus destination. While many don’t consider it due to the German language requirement, if you start early enough (1st year), language competence is achievable with no prior German knowledge.

I started my exchange experience at the University of Leipzig already in the month of September, although classes only officially start from the 1st of October. The University offered a ‘Sprach und Orientierungskurs’ to a limited number of Erasmus students (around 110) who had signed up well in advance. It was a great opportunity to meet fellow Erasmus students before classes began, get an orientation for the University and city, and register at the University and ‘Bürgeramt’ hassle free.

With regard to courses, the Law Faculty offers a wide range to Erasmus students. My exams were oral and scheduled at the end of January, so unlike many others, I had practically no holiday between the end of my exchange and the beginning of the semester in Groningen. These were the courses I followed while on exchange:

- BGB1 (German Civil Law part 1)
- Umweltrecht (Environmental Law)
- Einführung in das Deutsche Recht (Introduction to German Law)
- Vertragsgestaltung ins Gesellschaftsrecht (Contract formation in Company Law)
- Einführung in der Rechtsvergleichung (Introduction to Comparative Law)

These courses ended up adding up to a total of 37.5 ECTS credits, and there were others who did even more. The standard of teaching was quite high, even better than Groningen I would say, as well as classroom and lecture facilities being top notch. I would advise any future Erasmus student to take at least a couple of introductory legal courses (especially BGB1), as these provide a good and clear insight into German law for those who have not studied it before. All of my professors were very highly qualified, and it reflected very well on the University that they were able to solicit the teaching services of individuals who were at the top of their respective fields.

With regard to the living expenses, rent in a student house would generally be in the region of 220-350 category. For 216 euros I was able to have a semester of unlimited travel within a specified zone in and around Leipzig. The Mensa (cafeteria at the University) provided very good eating options for incredibly cheap prices. I hardly ever cooked myself, such was the quality and price. An appropriate monthly budget for Leipzig inclusive of rent would be anywhere from 600-900 euros.

Leipzig is very well located, and thus there were many options for travel. For example, Prague was two and a half hours by bus, as well as Berlin Airport providing many regional and international connections. Leipzig has its own airport, but the connections were understandably fewer, and more expensive. Leipzig is well located if one wants to explore not just Germany, but Europe as a whole.

Culturally, Leipzig has a rich history, with many museums available for free to students. German culture is of course very unique in its own right, and one gains an even better historical understanding of pre-unified Germany and the former East German Republic. Another plus was the existence of “RB Leipzig”, one of the best football teams in the German Bundesliga. Even for those not interested in football, to experience a live game in such a large stadium would be an amazing spectacle, and provides a first-hand understanding of what an integral part of German society and culture football plays! Noteworthy sights in Leipzig are, for example, the “Völkerschlachtdenkmal”, a huge monument commemorating the defeat of Napoleon at Leipzig in the war of the Sixth Coalition.

The student life in Leipzig was probably its best quality, and I would say on par or even better than Groningen depending on your music/nightlife tastes. There is a huge underground party scene, but it would be best to make a few local friends to learn about it. For me, the mainstream clubs and Erasmus parties were enough, and I found every night out enjoyable. As an exchange student in Leipzig, as with most every other exchange destination, there is the opportunity to make many friends from a variety of backgrounds. Wherever one goes on Erasmus, expect that your friends will more than likely be made up of people also on exchange. Consequently, you benefit from having friends from all around central Europe, who you can then visit, or who can come to visit you!

In closing, I would definitely recommend Leipzig as an exchange option. It had the perfect mix for incoming exchange students. I could not have asked for much more from a University and City than what was offered in Leipzig.

Article by Mattheus Schmidhammer/LLB 3



ANALYSIS

ALESSANDRO ACQUISTI’S TED TALK ON PRIVACY

Privacy is, without a doubt, one of the most hotly debated issues of our time. The more technology we develop, the more relevant the issue of privacy becomes. Some of us are incredibly conscious of what is posted about us online, whilst others don’t have a care in the world. However, it may be time to start caring, as it is becoming increasingly easy to find information about each other online.

Alessandro Acquisti cleverly begins his TED Talk, ‘What will a future without secrets look like?’, with a discussion about ‘the notorious privacy incident of Adam & Eve’. He describes how Adam & Eve, one day in the Garden of Eden, realise that they are naked, freak out and the rest is history. He goes on to discuss how nowadays, Adam and Eve would probably act differently:

It cannot be denied that we reveal more information about ourselves online than ever before. We post pictures of where we are, who we’re with and even what we’re eating. It has become such a massive element of our culture that it seems somewhat bizarre to go on a holiday or out for a meal and not post about it on social media. The question is: ‘Just how easy is it to find someone online?’.

The majority of us internet users connect the information available about us online to our name. When we think about what people can find out about us on the internet, we think of them going to Google and typing in our name. In fact, just to illustrate my point: if you type my name into Google, you will likely not find me, a second year LLB student studying in Groningen, but Sarah Giblin, the hipster founder of the Riutbag, a secure laptop backpack. Naturally, because it’s not easy to find me on the basis of a simple Google search, I thought I didn’t have too much to worry about! That was until I watched Alessandro Acquisti’s talk.

Alessandro Acquisti is a Professor of Information Technology and Public Policy at Carnegie Mellon University. The University carries out a number of experiments in relation to privacy and social networks. In his talk, he describes the drastic increase in the number of photos that have been uploaded online in the past ten years and the fact that computers’ ability to identify people in photos has improved by three orders of magnitude. This is quite a scary thought, I think we can all agree, as facial recognition software allows someone to find information about you without so much as your name (just imagine how easy it would be to find that cute guy you met in a bar, but whose name you didn’t catch!).

One of Acquisti’s experiments involves stopping university students on campus and asking them to participate in a study. The conductors of the experiment photographed the subjects with a webcam and asked them to fill out a survey on a laptop. Whilst the subjects filled out the survey, the conductors uploaded their photo to a cloud-computing cluster and used a facial recogniser to match that shot to a database of hundreds of thousands of images that they downloaded from Facebook profiles. By the time the subject had reached the last page of the survey, the page displayed the 10 best matching photos that the recogniser had found and the subjects were asked to identify themselves in the photos. The computer recognised 1/3 of the subjects.

So what does this mean? It basically tells us that we can start off with a picture of an anonymous face and, using facial recognition software, give a name to that face thanks to the incredible amount of social media data available to us at the touch of a button. Perhaps it doesn’t seem like such a big deal to have someone find your name and your social media accounts. However, Acquisti goes on to discuss a previous experiment in which they started from social media data, combined it statistically with data from U.S. Government social security and ended up predicting social security numbers. Therefore, the question becomes whether you can start from a face, find a name and publicly available information and, using that information, find non-publicly available information, i.e. sensitive information. The answer is yes, you can; this is exactly what the researchers at Carnegie Mellon University did. They even created an app which would do all this for you, merely as a proof of concept though, not to make it available to the public!

As we all know, technology is developing rapidly and we may not be too far away from a world of Google Glasses and smart contact lenses. Normally, we greet technological developments with open arms as they make our lives easier, but we often forget that these developments lead to the collection of our personal data. Some people may argue that having more information on a person leads to better, more objective decision-making. However, Acquisti’s third experiment proves that this is not, in fact, the case. For the final experiment, the researchers created Facebook profiles, manipulating people’s traits (for example, one candidate may have a picture of their child on their profile and another may not), and then sent résumés out to companies in the U.S. They monitored whether the companies were searching for their candidates and whether they were acting on the information that they had found on social media. They concluded that the companies were acting on such information and that discrimination was occurring through social media for equally skilled candidates. It is merely wishful thinking to believe that a potential employer will only see the good in what they find out about you on social media. In reality, one factor about your life, such as having a family, may become an obstacle to you getting a job, despite being as highly skilled as the next candidate.

Acquisti goes on to discuss how the current policy mechanisms that exist to protect ourselves from the abuses of personal information can be compared to “bringing a knife to a gun fight”. Take, for example, transparency: telling people what you are going to do with their data. Although this is necessary, it is not a sufficient form of protection. As we know, companies are far from being the ‘good guys’ and have a tendency to nudge people into disclosing more information than the companies themselves require. However, it’s not all doom and gloom, explains Acquisti: “Coming to the realisation that these manipulations occur is already halfway through the process of being able to protect yourself”. He points out that privacy is not incompatible with the benefits of big data, as some may lead you to believe. In the last 20 years, researchers have created technology that allows virtually any electronic transaction to take place in a way that preserves your privacy; we can browse the internet anonymously and we can send emails that not even the NSA can read! Therefore, there is no plausible excuse for the severe lack of protection afforded to us whilst we are using apps such as Snapchat, Facebook or Instagram.

“Privacy is both the means and the price to pay for freedom”, says Acquisti. We sacrifice our privacy without thinking of the consequences. To sum up his point, he shares with us a quote from “Brave New World” by the author Aldous Huxley, “regaining autonomy and freedom is possible, although the price to pay is steep”. “One of the defining fights of our time, will be the fight for the control over our personal information, the fight over whether big data will become a force for freedom, rather than a force that will hiddenly manipulate us.”

Article by Sarah Giblin /LLB 2



FINALLY, WE WOULD LIKE TO THANK ALL WRITERS AND READERS FOR MAKING THE COMPLETION OF THIS MAGAZINE POSSIBLE. WE MAKE THIS MAGAZINE FOR YOU, THEREFORE WE RELY ON YOUR FEEDBACK, COLLABORATION, INPUT AND COMMENTS IN ORDER TO KEEP PRODUCING MAGAZINES THAT YOU WANT TO READ. SO, PLEASE BE IN TOUCH!

- The Nexus Magazine Editorial Team
