Cyber Babel: Finding the Lingua Franca in Cybersecurity Regulation

Cybersecurity regulations have proliferated over the past few years as the significance of the threat has drawn more attention. With breaches making headlines, the public and their representatives are imposing requirements on those that hold sensitive data with renewed vigor. As high-value targets that hold large amounts of sensitive data, financial institutions are among the most heavily regulated. Regulations are necessary. However, regulations also come with costs that impact both large and small companies, their customers, and local, national, and international economies. As the regulations have proliferated so have those costs. The regulations will inevitably and justifiably diverge where different governments view the needs of their citizens differently. However, that should not prevent regulators from recognizing areas of agreement. This Note examines the regulatory regimes governing the data and cybersecurity practices of financial institutions implemented by the Securities and Exchange Commission, the New York Department of Financial Services, and the General Data Protection Regulations of the European Union to identify areas where requirements overlap, with the goal of suggesting implementations that promote consistency, clarity, and cost reduction

Tackling food marketing to children in a digital world: trans-disciplinary perspectives. Children’s rights, evidence of impact, methodological challenges, regulatory options and policy implications for the WHO European Region

There is unequivocal evidence that childhood obesity is influenced by marketing of foods and non-alcoholic beverages high in saturated fat, salt and/or free sugars (HFSS), and a core recommendation of the WHO Commission on Ending Childhood Obesity is to reduce children’s exposure to all such marketing. As a result, WHO has called on Member States to introduce restrictions on marketing of HFSS foods to children, covering all media, including digital, and to close any regulatory loopholes. This publication provides up-to-date information on the marketing of foods and non-alcoholic beverages to children and the changes that have occurred in recent years, focusing in particular on the major shift to digital marketing. It examines trends in media use among children, marketing methods in the new digital media landscape and children’s engagement with such marketing. It also considers the impact on children and their ability to counter marketing as well as the implications for children’s rights and digital privacy. Finally the report discusses the policy implications and some of the recent policy action by WHO European Member States

Big data for monitoring educational systems

This report considers “how advances in big data are likely to transform the context and methodology of monitoring educational systems within a long-term perspective (10-30 years) and impact the evidence based policy development in the sector”, big data are “large amounts of different types of data produced with high velocity from a high number of various types of sources.” Five independent experts were commissioned by Ecorys, responding to themes of: students' privacy, educational equity and efficiency, student tracking, assessment and skills. The experts were asked to consider the “macro perspective on governance on educational systems at all levels from primary, secondary education and tertiary – the latter covering all aspects of tertiary from further, to higher, and to VET”, prioritising primary and secondary levels of education

From opt-in to obligation? : Examining the regulation of globally operating tech companies through alternative regulatory instruments from a material and territorial viewpoint

Modern society’s ever-increasing reliance on technology raises complex legal challenges. In the search for an efficient and effective regulatory response, more and more authorities – in particular the European Union – are relying on alternative regulatory instruments (ARIs) when engaging big tech companies. Materially, this is a natural fit: the tech industry is a complex and rapidly-evolving sector and – unlike the rigid classic legislative process – ARIs allow for meaningful ex ante anticipatory constructions and ex post enforcement due to their unique flexibility. However, from a territorial point of view several complications arise. Although the use of codes of conduct to regulate transnational private actors has a rich history, the way in which such codes are set out under articles 40 and 41 of the EU’s GDPR implies a ‘hardening’ of these soft law instruments that has repercussions for their relationship to the principles of territorial jurisdiction. This contribution serves as a first step for further research into the relationship between codes of conduct, the regulation of the tech industry and the territorial aspects related thereto

Genomic sequencing capacity, data retention, and personal access to raw data in Europe

Whole genome/exome sequencing (WGS/WES) has become widely adopted in research and, more recently, in clinical settings. Many hope that the information obtained from the interpretation of these data will have medical benefits for patients and—in some cases—also their biological relatives. Because of the manifold possibilities to reuse genomic data, enabling sequenced individuals to access their own raw (uninterpreted) genomic data is a highly debated issue. This paper reports some of the first empirical findings on personal genome access policies and practices. We interviewed 39 respondents, working at 33 institutions in 21 countries across Europe. These sequencing institutions generate massive amounts of WGS/WES data and represent varying organisational structures and operational models. Taken together, in total, these institutions have sequenced ∼317,259 genomes and exomes to date. Most of the sequencing institutions reported that they are able to store raw genomic data in compliance with various national regulations, although there was a lack of standardisation of storage formats. Interviewees from 12 of the 33 institutions included in our study reported that they had received requests for personal access to raw genomic data from sequenced individuals. In the absence of policies on how to process such requests, these were decided on an ad hoc basis; in the end, at least 28 requests were granted, while there were no reports of requests being rejected. Given the rights, interests, and liabilities at stake, it is essential that sequencing institutions adopt clear policies and processes for raw genomic data retention and personal access