Data protection and the legitimate interest of data controllers: much ado about nothing or the winter of rights?

EU data protection law is in a process of reform to meet the challenges of the modern economy and rapid technological developments. This study analyses the legitimate interest of data controllers as a legal basis for processing personal data under both the current data protection legislation and its proposed reform. The relevant provision expands the scope of lawful processing, but is formulated ambiguously, creating legal uncertainty and loopholes in the law. The new proposed regime does not resolve the problem.Taking a“rights” perspective, the paper aims to show that the provision should be narrowly interpreted in light of the ECJ case law, and to give effect to the Charter of Fundamental Rights; a rephrasing of the norm is desirable. The provision on the legitimate interest of data controllers weakens the legal protection of data subjects

Behind Enemy Phone Lines: Insider Trading, Parallel Enforcement, and Sharing the Fruits of Wiretaps

Two key trends were present in the successful prosecution of Raj Rajaratnam and his coconspirators in one of the largest insider-trading conspiracies in history: the use of wiretaps to investigate and prosecute insider trading and a joint effort between the Department of Justice (DOJ) and the Securities & Exchange Commission (SEC) to conduct the investigation. Despite the close working relationship between the DOJ and the SEC, the DOJ never disclosed the fruits of the wiretaps to the SEC, presumably due to its belief that Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (as amended, the “Wiretap Act”)—the comprehensive framework that authorizes the government to conduct wiretaps in certain circumstances—prohibited it from doing so. Though the Second Circuit in SEC v. Rajaratnam ultimately held that the SEC could obtain wiretap materials from the criminal defendants as part of civil discovery, the question of whether direct disclosure of the wiretap materials from the DOJ to the SEC is prohibited has been raised but not yet addressed. This Note analyzes previous cases addressing the construction of the Wiretap Act’s disclosure provisions and concludes that direct disclosure from the DOJ to the SEC is not prohibited by the Act. It further proposes a process by which civil enforcement agencies, such as the SEC, can request disclosure of wiretap materials through the DOJ in such a way that balances the benefits of disclosure against the privacy interests of the parties whose conversations were intercepted

The right to privacy whithin criminal investigations: an approach from Strasbourg

The final degree paper analyzes the protection to the right to privacy within the criminal investigation process. During the investigations, the right to privacy of the suspect might be in danger due to the necessity of obtaining evidences for the future trial. For assessing the limits of the right to privacy in this purpose, the rules established by the European Convention of Human Rights and the interpretation of the Strasbourg Court will be taken into accoun

Protecting Information Privacy

This report for the Equality and Human Rights Commission (the Commission) examines the threats to information privacy that have emerged in recent years, focusing on the activities of the state. It argues that current privacy laws and regulation do not adequately uphold human rights, and that fundamental reform is required. It identifies two principal areas of concern: the state’s handling of personal data, and the use of surveillance by public bodies. The central finding of this report is that the existing approach to the protection of information privacy in the UK is fundamentally flawed, and that there is a pressing need for widespread legislative reform in order to ensure that the rights contained in Article 8 are respected. The report argues for the establishment of a number of key ‘privacy principles’ that can be used to guide future legal reforms and the development of sector-specific regulation. The right to privacy is at risk of being eroded by the growing demand for information by government and the private sector. Unless we start to reform the law and build a regulatory system capable of protecting information privacy, we may soon find that it is a thing of the past

The right to privacy whithin criminal investigations: an approach from Strasbourg

The final degree paper analyzes the protection to the right to privacy within the criminal investigation process. During the investigations, the right to privacy of the suspect might be in danger due to the necessity of obtaining evidences for the future trial. For assessing the limits of the right to privacy in this purpose, the rules established by the European Convention of Human Rights and the interpretation of the Strasbourg Court will be taken into accoun

Reconciling U.S. Banking and Securities Data Preservation Rules with European Mandatory Data Erasure Under GDPR

United States law, which requires financial institutions to retain customer data, conflicts with European Union law, which requires financial institutions to delete customer data on demand. A financial institution operating transnationally cannot comply with both U.S. and EU law. Financial institutions thus face the issue that they cannot possibly delete and retain the same data simultaneously. This Note will clarify the scope and nature of this conflict. First, it will clarify the conflict by examining (1) the relevant laws, which are Europe’s General Data Protection Regulation (GDPR), the U.S. Bank Secrecy Act, and Securities and Exchange Commission (SEC) regulations, (2) GDPR’s application to U.S. financial institutions, and (3) U.S. law’s extraterritorial application to financial institutions operating in Europe, under the U.S. Supreme Court’s Morrison-Kiobel two-step analysis. Second, it will propose a solution by examining international law and U.S. foreign relations law. United States law subjects financial institutions to multiple data retention requirements. Securities regulations require broker-dealers to retain customer account and complaint records. The Bank Secrecy Act of 1970 requires financial institutions to retain customer data for at least five years. Sometimes, banks must permanently retain certain records. GDPR empowers individuals to demand that companies erase their data. Couched in the theory of a right to erasure, GDPR lets customers withdraw their consent for a financial institution to process or retain their data. Violators may face fines of 4 percent of their worldwide revenue. GDPR applies broadly to U.S. data-processors that either (1) are established in the European Union, or (2) monitor or offer to sell goods or services to individuals in the European Union. Establishment is broadly construed by European courts and may be met by “a single representative in the European Union.” In U.S. law, a two-step analysis determines whether and to what extent federal statutes govern conduct abroad. First, courts analyze whether the presumption against extraterritoriality has been rebutted. The presumption derives from the canon that a statute, “unless a contrary intent appears, is meant to apply only within the territorial jurisdiction” of the United States. If the presumption is not rebutted, the court proceeds to the second step, when the court considers the statute’s “focus” and whether the case involves the statute’s domestic application. United States law has domestic application to data stored domestically, and sometimes possibly to data stored internationally; such data operations may also fall under GPDR’s jurisdiction. Then, if a customer asks a financial institution to delete data, the financial institution will face conflicting laws. This Note seeks to resolve the conflict, recommending that courts approach resolution from the framework of the Restatement (Third) of Foreign Relations Law

Beyond \u3ci\u3eMicrosoft\u3c/i\u3e: A Legislative Solution to the SCA’s Extraterritoriality Problem

The Stored Communications Act governs U.S. law enforcement’s access to cloud data, but the statute is ill equipped to handle the global nature of the modern internet. A pending U.S. Supreme Court case, United States v. Microsoft, raises the question whether a warrant under the statute may be used to reach across international borders to obtain data that is stored in another country, regardless of the user’s nationality. While the Court will determine whether this is an impermissible extraterritorial application of the current law, many have called for a legislative resolution to this issue. Due to the insufficiency of the current law, the limits of traditional judicial doctrines, and the inherent advantages the legislature has over the judiciary in addressing technological change, this Note also recommends a legislative resolution. Building upon a legislative proposal, this Note proposes a framework with two separate sets of legal procedures based on user identity. These separate domestic and extraterritorial procedures provide a framework that would set clear guidelines for law enforcement and service providers while giving due respect to foreign sovereignty