The US CLOUD Act and EU Law


 by Alexandre Veronese, Professor at University of Brasília

In March 2018, the President of the United States of America signed into law a bill approved by Congress, which amended two parts of the US Code, the consolidation of the federal statutory norms of the country. The Clarifying Lawful Overseas Use of Data Act – CLOUD Act – was the third version of two preceding bills. Those prior bills tried to solve a grave contemporary issue: the difficulty of accessing electronic data that could be necessary for criminal investigations and prosecution. The new CLOUD Act mainly changes two passages of the US Code. It creates the possibility for the United States and foreign countries to sign executive agreements granting mutual assistance in order to authorize the gathering of overseas data. In addition, the CLOUD Act creates standards for those agreements.

The United States of America has a long-standing right to due process of law entrenched in the Fourth Amendment of its Constitution. The debate about the limits on access to information captured by means of new ways of communication is rather old in the US. The Federal Wiretap Act came into the US Code as part of the Omnibus Crime Control and Safe Streets Act of 1968. It was a huge alteration of Title 18 of the US Code, which is the Crimes and Criminal Procedures federal statutory law. As a result, federal statutory law received provisions regulating lawful wiretapping in criminal investigations and the use of wiretaps between agencies and jurisdictions. Nevertheless, the passing of time and the evolution of technologies showed the aging of those legal norms. A lot of the information that needs to be seized to obtain effective evidence for use in investigations came to be electronic. It was necessary to modify the Wiretap Act and, in 1986, the Electronic Communications Privacy Act followed. The new Act modernized the law and regulated the criminal features related to stored electronic information – the Stored Communications Act. The Patriot Act (2001 and 2006) brought to light some provisions regarding overseas information that were made more detailed with the amendments signed into law in 2008.

Editorial of July 2018


 by Alessandra Silveira, Editor 
 and Sophie Perez Fernandes, Junior Editor


Artificial intelligence and fundamental rights: the problem of regulation aimed at avoiding algorithmic discrimination

The scandal involving Facebook and Cambridge Analytica (a private company for data analysis and strategic communication) raises, among others, the problem of regulating learning algorithms. And the problem lies above all in the fact that there is no necessary connection between intelligence and free will. Unlike human beings, algorithms do not have a will of their own; they serve the goals that are set for them. Though spectacular, artificial intelligence bears little resemblance to the mental processes of humans – as the Portuguese neuroscientist António Damásio, Professor at the University of Southern California, brilliantly explains[i]. To this extent, not all impacts of artificial intelligence are easily regulated or translated into legislation – and so traditional regulation might not work[ii].

In a study dedicated to explaining why data (including personal data) are at the basis of the Machine-Learning Revolution – and to what extent artificial intelligence is reconfiguring science, business, and politics – another Portuguese scientist, Pedro Domingos, Professor in the Department of Computer Science and Engineering at the University of Washington, explains that the problem that defines the digital age is the following: how do we find each other? This applies to both producers and consumers – who need to establish a connection before any transaction happens –, but also to anyone looking for a job or a romantic partner. Computers allowed the existence of the Internet – and the Internet created a flood of data and the problem of limitless choice. Now, machine learning uses this infinity of data to help solve the limitless choice problem. Netflix may have 100,000 DVD titles in stock, but if customers cannot find the ones they like, they will end up choosing the hits; so, Netflix uses a learning algorithm that identifies customer tastes and recommends DVDs. Simple as that, explains the Author[iii].

Data Protection Officer according to GDPR


by André Mendes Costa, masters student at University of Minho

In an ever-changing world of information technologies, privacy and data protection inevitably attract considerable attention.

The Portuguese Data Protection Law and the EU Directive 95/46 will soon be replaced by a new European and national legal framework. In fact, the new General Data Protection Regulation (GDPR) profoundly alters the paradigm of the personal data protection legal regime. The 679/2016 Regulation (GDPR) is part of a new European community legislative package which also includes a directive that lays down the procedures for dealing with personal data by the competent authorities for the purposes of prevention, research, detection and prosecution of criminal offences or the execution of criminal penalties. The Regulation came into force on 25th May and establishes a vacancy period of 2 years, providing the necessary time for the public and private sectors to equip themselves to face the new regulatory demands.

This brief analysis concentrates on the post of the data protection officer (DPO), on his/her duties and competencies and on those entities who are responsible for his/her appointment.

In the new European legislation there is an important change of paradigm in the protection of personal data, namely the suppression – with a few exceptions contained in the Regulation – of the requirement of prior notification to the National Commission of Data Protection (NCDP). This change assigns to the person responsible for the processing of data the onus of legal guarantor of his/her cases, thus fully observing the Regulation. In fact, in the cases where there is no prior notification to the competent authority (NCDP), the Regulation has found other forms of guaranteeing that the processing of personal data is legally protected by creating the post of a data protection officer (DPO).