Scarce regulatory resources: tactical enforcement and hybrid data governance in the cloud

By Dr Asma Vranaki, Lecturer in Law (University of Bristol Law School).

© Ben O’Bryan

European data protection authorities (EU DPAs) play crucial roles in protecting personal data rights. However, many EU DPAs do not have adequate access to resources in order to be effective data privacy protectors. Although the data privacy law literature recognizes that many EU DPAs operate within such constraints, to date, there has been a dearth of empirical studies on how limited resources can impact on enforcement. A new article* makes a modest attempt to address this empirical gap by analysing selected empirical findings of a recent project which examined the investigations of multinational cloud providers by EU DPAs (Cloud Investigations).

This article draws on the fields of socio-legal studies and regulation to interpret these empirical findings and advances three arguments. First, due to their fiscal constraints, some EU DPAs often have to make tactical enforcement decisions about initiating Cloud Investigations as well as the foci and methods of Cloud Investigations. The decision-making process can be very complex for some EU DPAs as they have to not only consider but also at times balance a broad range of factors including external pressures, law and enforcement styles. Second, hybrid forms of data governance can often emerge during Cloud Investigations as EU DPAs delegate their regulatory tasks to private and governmental (other than EU DPAs) actors due to the limited resources. Finally, this article suggests that hybrid data governance needs to be carefully designed in order to ensure effective and robust data governance. Suggestions are made on how the ‘regulatory space’ can be designed in order to promote accountability, trust, robust data protection and effective multi-actor collaboration.

* This article is derived from the work which Dr Vranaki undertook for the ‘Accountability for Cloud’ research project which was funded by the European Commission Seventh Framework Programme. It can be freely downloaded from https://www.researchgate.net/publication/325451273_Scarce_regulatory_resources_tactical_enforcement_and_hybrid_data_governance_in_the_cloud.

Analysis of the New EU General Data Protection Regulation

By Mr Andrew Charlesworth, Reader in IT Law (University of Bristol Law School).

On Friday 25 May 2018, the EU General Data Protection Regulation (Regulation (EU) 2016/679), commonly referred to by its acronym of GDPR, comes into force across the EU. In the UK, this will be accompanied by the coming into force of the Data Protection Act 2018 which received Royal Assent on 23 May 2018. The new Act repeals the existing Data Protection Act 1998 and revokes the secondary legislation made under the 1998 Act.

The GDPR is directly applicable, which means that with the exception of limited areas of Member State discretion, it applies in the UK without further need for national legislation. The Data Protection Act 2018 addresses those areas of Member State discretion, and also implements the new Data Protection Directive for Police and Criminal Justice Authorities (Directive (EU) 2016/680), which is designed to protect individuals’ personal data when their data is being processed by police and criminal justice authorities, and to improve cooperation in the fight against terrorism and cross-border crime in the EU by enabling police and criminal justice authorities in EU countries to exchange information necessary for investigations efficiently and effectively.

Andrew Charlesworth, Reader in IT law at the University of Bristol Law School, is currently actively engaged in the analysis of the new rules through a series of short articles on the GDPR in conjunction with Cloudview (UK) Limited. Andrew is also providing key expertise in the development of the Privacy Flag initiative. You can access Andrew’s analysis and other work through the links provided in this post. (more…)

Tesco Bank and Cybercrime

By Mr Andrew Charlesworth, Reader in IT Law, and Prof Keith Stanton, Professor of Law (University of Bristol Law School).

© Tesco Bank
© Tesco Bank

The day has arrived on which a cyber attack has succeeded in breaching a bank’s security with the result that customers’ money has been taken from their accounts. According to press reports the accounts of around 40,000 customers of Tesco Bank have been accessed and the bank has refunded £2.5 million to 9,000 who have had money removed.

Banks’ IT systems are an obvious target for cybercriminals.  The fact that such systems contain both money and data on customers makes them extremely tempting. As banks have developed new channels for delivery of services, such as websites, mobile applications and social media, these have often been added, or linked, to existing out-dated systems. This increased complexity may mean that new avenues of attack are inadvertently created, and make it difficult for a bank to rapidly pinpoint the source of system risks and breaches. The increased use of distributed computing, with multiple systems running across multiple servers, can also create new system risks and simultaneously increase the number of staff requiring access.  While external threats are increasing, it appears that industry insiders remain responsible for a significant share of bank fraud.  How the Tesco cyber attack was carried out remains unclear, but the scale and speed of the transfer of funds suggests a degree of sophistication. (more…)