Regulations on E-Commerce Consumer Protection Rules in China and Europe Compared – Same Same but Different?

This article provides a comprehensive overview of the regulations on e-commerce protection rules in China and the European Union. It starts by giving a general overview of different approaches towards consumer protection in e-commerce. This article then scrutinizes the current legal system in China by mainly focusing on SAIC’s “Interim Measures for the Administration of Online Commodity Trading and Relevant Service Activities”. The subsequent chapter covers the supervision of consumer protection in e-commerce in China, which covers both the regulatory objects of online commodity trading and the applied regulatory mechanisms. While the regulatory objects include operating agents, operating objects, operating behavior, electronic contracts, intellectual property and consumer protection, the regulatory mechanisms for e-commerce in China combines market mechanism and industry self-discipline under the government’s administrative regulation. Further, this article examines the current European legal system in online commodity trading. It outlines the aim and the scope of EU legislation in the respective field. Subsequently, the paper describes the European approach towards the supervision of consumer protection in e-commerce. As there is no central EU agency for consumer protection in e-commerce transactions, the EU stipulates a framework for Member States’ institutions, thereby creating a European supervisory network of Member States’ institutions and empowers private consumer organisations to supervise the market on their behalf. Moreover, the EU encourages the industry to self- or co-regulate e-commerce by providing incentives. Consequently, this article concludes that consumer protection may be achieved by different means and different systems. However, even though at first glance the Chinese and the European system appear to differ substantially, a closer look reveals tendencies of convergence between the two systems.

EU Data Protection Law and Targeted Advertising: Consent and the Cookie Monster - Tracking the crumbs of online user behaviour

This article provides a holistic legal analysis of the use of cookies in Online Behavioural Advertising. The current EU legislative framework is outlined in detail, and the legal obligations are examined. Consent and the debates surrounding its implementation form a large portion of the analysis. The article outlines the current difficulties associated with the reliance on this requirement as a condition for the placing and accessing of cookies. Alternatives to this approach are explored, and the implementation of solutions based on the application of the Privacy by Design and Privacy by Default concepts are presented. This discussion involves an analysis of the use of code and, therefore, product architecture to ensure adequate protections.

The Feasibility of Applying EU Data Protection Law to Biological Materials: Challenging ‘Data’ as Exclusively Informational

Though controversial the question of applying data protection laws to biological materials has only gotten a little attention in data privacy discourse. This article aims to contribute to this dearth by arguing that despite absence of positive intention from the architects to apply the EU Data privacy law to biological materials, a range of developments in Molecular Biology and nano-technology—usually mediated by advances in ICT—may provide persuasive grounds to do so. In addition, paucity of sufficient explication of key terms like ‘data/information’ in these legislations may fuel such tendency whereby laws originally intended for the informational world may end up applying to the biological world. The article also analyzes various predicaments that may arise from applying data privacy laws to biological materials. A focus is made on legislative sources at the EU level though national laws are relied on when pertinent.

Impulses for an Effective and Modern Data Protection System

A substantial reform of data protection law is on the agenda of the European Commission as it is widely agreed that data protection law is faced by lots of challenges, due to fundamental technical and social changes or even revolutions. Therefore, the authors have issued draft new provisions on data protection law that would work in both Germany and Europe. The draft is intended to provide a new approach and deal with the consequences of such an approach. This article contains some key theses on the main legislatory changes that appear both necessary and adequate.

Missing Links in the Proposed EU Data Protection Regulation and Cloud Computing Scenarios: A Brief Overview

Applying location-focused data protection law within the context of a location-agnostic cloud computing framework is fraught with difficulties. While the Proposed EU Data Protection Regulation has introduced a lot of changes to the current data protection framework, the complexities of data processing in the cloud involve various layers and intermediaries of actors that have not been properly addressed. This leaves some gaps in the regulation when analyzed in cloud scenarios. This paper gives a brief overview of the relevant provisions of the regulation that will have an impact on cloud transactions and addresses the missing links. It is hoped that these loopholes will be reconsidered before the final version of the law is passed in order to avoid unintended consequences.

Personal Data and Encryption in the European General Data Protection Regulation

Encryption of personal data is widely regarded as a privacy preserving technology which could potentially play a key role for the compliance of innovative IT technology within the European data protection law framework. Therefore, in this paper, we examine the new EU General Data Protection Regulation’s relevant provisions regarding encryption – such as those for anonymisation and pseudonymisation – and assess whether encryption can serve as an anonymisation technique, which can lead to the non-applicability of the GDPR. However, the provisions of the GDPR regarding the material scope of the Regulation still leave space for legal uncertainty when determining whether a data subject is identifiable or not. Therefore, we inter alia assess the Opinion of the Advocate General of the European Court of Justice (ECJ) regarding a preliminary ruling on the interpretation of the dispute concerning whether a dynamic IP address can be considered as personal data, which may put an end to the dispute whether an absolute or a relative approach has to be used for the assessment of the identifiability of data subjects. Furthermore, we outline the issue of whether the anonymisation process itself constitutes a further processing of personal data which needs to have a legal basis in the GDPR. Finally, we give an overview of relevant encryption techniques and examine their impact upon the GDPR’s material scope.

Facebook’s Real Name Policy: Bye-Bye, Max Mustermann?

Facebook requires all members to use their real names and email addresses when joining the social network. Not only does the policy seem to be difficult to enforce (as the prevalence of accounts with people’s pets or fake names suggests), but it may also interfere with European (and, in particular, German) data protection laws. A German Data Protection Commissioner recently took action and ordered that Facebook permit pseudonymous accounts as its current anti-pseudonymous policy violates § 13 VI of the German Telemedia Act. This provision requires telemedia providers to allow for an anonymous or pseudonymous use of services insofar as this is reasonable and technically feasible. Irrespective of whether the pseudonymous use of Facebook is reasonable, the case can be narrowed down to one single question: Does German data protection law apply to Facebook? In that respect, this paper analyses the current Facebook dispute, in particular in relation to who controls the processing of personal data of Facebook users in Germany. It also briefly discusses whether a real name policy really presents a fix for anti-normative and anti-social behaviour on the Internet.

Oblivion, Erasure and Forgetting in the Digital Age

In light of the recent European Court of Justice ruling (ECJ C-131/12, Google Spain v Spanish Data Protection Agency),the “right to be forgotten” has once again gained worldwide media attention. Already in 2012, whenthe European Commission proposed aright to be forgotten,this proposal received broad public interest and was debated intensively. Under certain conditions, individuals should thereby be able todelete personal data concerning them. More recently – in light of the European Parliament’s approval of the LIBE Committee’samendments onMarch 14, 2014 – the concept seems tobe close to its final form.Although it remains, for the most part,unchanged from the previously circulated drafts, it has beenre-labelled as a“right of erasure”. This article argues that, despite its catchy terminology, the right to be forgotten can be understood as a generic term, bringing together existing legal provisions: the substantial right of oblivion and the rather procedural right to erasure derived from data protection. Hereinafter, the article presents an analysis of selected national legal frameworks and corresponding case law, accounting for data protection, privacy, and general tort law as well as defamation law. This comparative analysis grasps the practical challenges which the attempt to strengthen individual control and informational self-determination faces. Consequently, it is argued that narrowing the focus on the data protection law amendments neglects the elaborate balancing of conflicting interests in European legal tradition. It is shown thatthe attemptto implement oblivion, erasure and forgetting in the digital age is a complex undertaking.