The changes occurred during the last decades have made data one of the most important business assets. With this evolution, together with the no man's land that the Internet was in its early years, came the awareness of the inherent dangers and potential damages involved in collecting and transferring data. Therefore, the attention of lawmakers has focused more and more on addressing the various risks related to this new asset. Limitations exist under different perspectives, sometimes protecting private interests, sometimes public. Rules impose limitations on the basis of traffic in arms; trade secret; copyright and author's rights; and, most prominently, the protection of personal data. The last topic is particularly complex. The Internet has drastically changed the landscape for the protection of personal data, and the existing patchwork of rules is no longer adequate. The very ownership of the data has been overthrown, making it hard to understand where liability rests. The changing context calls for a major revision of the existing rules on data protection. The European Union is discussing the reform, with provisions that are more high-level, but introducing significant penalties for violations. However, the reform is facing delays and difficulties, and it is still unknown when it will enter into force.
Privacy is a concept that has evolved a lot in the past century: from the original right to seclusion and to one's own self-determination without external invasion of private spaces, the technological changes occurred in society have transformed it into a complex set of rights to provide individuals with some degree of control over the processing and the flow of their own personal data. After a long delay in adopting data protection laws when compared to other countries, Italy put up a steep pace and introduced a novelty in the law currently in force, d.lgs. 196/03: the principle of necessity. This provision, significantly located among the three "top principles" in data protection, imposes on data controllers a limitation on the use of personal data, requiring the processing of anonymous data whenever possible. The principle has been in force since 2003, and the Italian authority for the protection of personal data is firm in its enforcement, invoking it in many decisions. The present work slowly zooms in on the principle of necessity: it starts from a broad history of the concept of privacy up to the current times; then it surveys the various approaches to a privacy law in the international scene, with a major attention to the European context; a timeline of the Italian legislation, with a summary of the current discipline, follows. Finally, the focus is centered on art. 3 of the law, containing the principle of necessity: from a general explanation to theoretical literature on the subject, not forgetting the application performed so far by the Guarantor with a number of examples in several fields. The conclusive analysis tries to highlight the strengths and weaknesses of the provision by putting it in the perspective of its natural application field: a society where information, and even more the Internet, have dramatically changed the business models and favored the birth of new, opposing interests.
The increasing demand of reliable software services and the dependability that our daily personal and professional life have on them is bringing significant changes in the domain of software service engineering. One of the most revolutionary is the introduction of regulations, repeating what in the past has concerned the product market. Regulations need to find a balance between the interests of several roles and reduce the inevitable tensions that would otherwise arise among them, as well as to defend the right of the weakest parties (normally the end users). There are multiple interests to balance: the interests of end users, the protection of intellectual property, a fair competition against other enterprises, just to name a few. While some of these requirements concern the structure and organization of the enterprise, some of them are fit to penetrate into the software development life cycle. This would serve multiple purposes: allow the enterprise to design services which already take the legal requirements into account; visually represent the requirements and their interaction with the functionality of the system; develop the software components using tools and methodologies that are able to deal with those requirements; define metrics to measure the degree to which such requirements are met; measure the impact of the requirements on the functionality of the service and on other parameters of the service (such as performance or storage occupation); verify and monitor whether the legal requirements are met; and, last but not least, to have an argument to be used in case of a complaint in a court or at a competent authority. Before being considered in the software service life cycle, legal requirements must undergo a preprocessing phase in which they are translated into some form which is compatible with the tools and methodologies proper of the software engineering, for instance being modelled into a formalism that makes them processable by a machine. There is a significant amount of interdisciplinary topics that need to be combined together to reach an integration between regulation and software life cycle. In particular, at least from three complementary perspectives are needed. One perspective requires the analysis of the provisions of the law, the extraction of the legal requirements classified according to the stakeholders affected, and the translation of those requirements into some formal model that can be processed using appropriate software tools. A second perspective requires a study of the legal requirements from the point of view of requirements engineering techniques, also defining metrics to measure them. The third concerns the models used in the various stages of software engineering (design, modeling, development, validation and testing), which need to be extended to accommodate the legal requirements in their formal representation. Only by putting together these perspectives a comprehensive approach to deal with legal requirements in software engineering is possible.
Recently, the Court of Justice of the European Union issued decision C-131/12, which was considered a major breakthrough in Internet data protection. The general public welcomed this decision as an actualization of the controversial "right to be forgotten", which was introduced in the initial draft for a new regulation on data protection and repeatedly amended, due to objections by various Member States and major companies involved in massive processing of personal data. This paper attempts to delve into the content of that decision and examine if it indeed involves the right to be forgotten, if such a right exists at all, and to what extent it can be stated and enforced.
Knowledge theory has made its way into modern computing, through the use of models and annotations to organize it. The bottom layer of knowledge organizations makes use of ontologies, which are models based on a formal language structure and designed to express the concepts pertaining to a domain and the relationships between them. The use of ontologies is popular also in the legal domain to organize legal documents and as a support to legal reasoning. A legal topic which is currently under the limelight at the European level is data protection. Under the pressure of the last years' technological developments, the data protection legislation has shown its weaknesses, and is currently undergoing a long and complex reform that is finally approaching its completion. The reform will urge businesses dealing with personal data to comply with the new Regulation. The aim of the current paper is to provide a basic ontology for the upcoming data protection legislation, highlighting the duties of the data controller, to ease the transition of systems and services from the existing legislation to the new one.
Recently, the Court of Justice of the European Union issued decision C-131/12, which was considered a major breakthrough in Internet data protection. The general public welcomed this decision as an actualization of the controversial "right to be forgotten", which was introduced in the initial draft for a new regulation on data protection and repeatedly amended, due to objections by various Member States and major companies involved in massive processing of personal data. This paper attempts to delve into the content of that decision and examine if it indeed involves the right to be forgotten, if such a right exists at all, and to what extent it can be stated and enforced.
In: Bartolini C., Lenzini G., Santos C., An Agile Approach to Validate a Formal Representation of the GDPR. In: Kojima K., Sakamoto M., Mineshima K., Satoh K. (eds) New Frontiers in Artificial Intelligence. JSAI-isAI 2018. Lecture Notes in Computer Science, vol 11717. Springer, 2019
Data is a modern form of wealth in the digital world, and massive amounts of data circulate in cloud environments. While this enormously facilitates the sharing of information, both for personal and professional purposes, it also introduces some critical problems concerning the ownership of the information. Data is an intangible good that is stored in large data warehouses, where the hardware architectures and software programs running the cloud services coexist with the data of many users. This context calls for a twofold protection: on one side, the cloud is made up of hardware and software that constitute the business assets of the service provider (property of the cloud); on the other side, there is a definite need to ensure that users retain control over their data (property in the cloud). The law grants protection to both sides under several perspectives, but the result is a complex mix of interwoven regimes, further complicated by the intrinsically international nature of cloud computing that clashes with the typical diversity of national laws. As the business model based on cloud computing grows, public bodies, and in particular the European Union, are striving to find solutions to properly regulate the future economy, either by introducing new laws, or by finding the best ways to apply existing principles.
The modelling of a legal text into a machine-processable form, such as a list of logic formulæ, enables a semi-automatic reasoning about legal compliance but might entail some anticipation of legal interpretation in the modelling. The formulæ need therefore to be validated by legal experts, but it is unlikely that they are familiar with the formalism used. This calls for an interdisciplinary validation methodology to ensure that the model is legally coherent with the text it aims to represent but that could also close the communication gap between formal modellers and legal evaluators. This paper discusses such a methodology, providing an human-readable representation that preserves the formulæ's meaning but that presents them in a way that is usable by non-experts. We exemplify the methodology on a use case where Articles of the GDPR are translated in the Reified I/O logic encoded in LegalRuleML.
Autonomous vehicular technology significantly stresses the issue of safety. Although the use of driverless cars raises considerable expectations of a general improvement in safety, new challenges concerning the safety aspects stem from the changing context. On the one and, the paper addresses regulatory issues raised by the impact of technological changes, particularly standardization problems. On the other hand, the issue of liability questions is investigated as it might cause today's main legal obstacle for the wide spreading of autonomous cars, especially as autonomous cars might jeopardize the existing approaches to vehicular liability. The aim of this paper is to scrutinize the basic problems in both fields. We provide what, at the current state-of-the-art, appear to be reasonable recommendations from the perspective of technological regulation and law, in order to deal with the main problems that might hamper the development of autonomous transport technology.
The Research Center for Autonomous Road Vehicles (RECAR) was founded in 2015 upon the initiative of the Faculty of Transportation Engineering and Vehicle Engineering of Budapest University of Technology and Economics. The research center is supported by industrial partners and other academic partners targeting research and educational purposes. In complement to this project, the construction of a new automotive test track is also under development especially for autonomous road vehicle testing serving as automotive proving ground in Zalaegerszeg, Hungary. Accordingly, an intensive research has been started in RECAR center in the field of autonomous vehicle technology. The paper's goal is to share the main practical and methodological experiences with the scientific audience as well as the industrial sector. Based on the initial research actions we intend to enlighten the upcoming research challenges of driverless vehicles and automated intelligent transport system. Basically, three main topics are concerned. Firstly, the main issues concerning autonomous vehicle research are summarized. Secondly, the requirements for autonomous test track design are concluded. Thirdly, the legal questions that emerge with the appearance of driverless vehicles are investigated, especially concerning liability.