Summary

These slides discuss IT law, including its definitions, features, and relation to society. The slides also describe how law differs from other social rules. These are notes from a lecture/presentation.

Full Transcript

Why study IT law?

Understanding the functioning of internet technologies and IT devices means, at a certain point, tackling legal issues and matters, many of which are urgently in need of new solutions and approaches. IT law is therefore useful for every professional working in the field of Information Technology. Without a sound legal basis we could not understand whether our practices, as users or players in the digital scenario, are permitted or not, although technically possible. Given the power of IT devices in our day-by-day reality, the consequences of a legal infringement could be enormous, and therefore awareness of the legal framework within which IT practices operate is of crucial importance.

What is law in general?

We can find many definitions of law by reading texts and documents coming from different cultures and different times. For instance:
- Dictionary of the Han Dynasty (III century B.C.): Law is punishment
- Karl Marx: law is a tool of oppression to exploit the working class
- John Austin: A rule laid down for the guidance of an intelligent being by an intelligent being having power over him.
- Oliver Wendell Holmes: The prophecies of what the courts will do

Modern definitions of law:
- US Legal Dictionary: A body of rules of conduct of binding legal force and effect, prescribed, recognized, and enforced by controlling authority.
- Oxford Dictionary: The system of rules which a particular country or community recognizes as regulating the actions of its members and which it may enforce by the imposition of penalties.
- Pietro Sirena: Law is a social infrastructure which binds its members in that it aims primarily at solving conflicts among them and secondarily at promoting their beneficial behavior.

Recurrent features:
- law is somehow connected to prescriptions and sanctions
- law is always in relation to a society

Every man needs to get into relation with the others.
Humans are "social beings", at least in the sense that getting what we need and wish for requires us to engage in relations with other members of our community. Humans are relational beings. Society = the typical organization of a community of men and women.

LAW is a social infrastructure which binds its members in order to solve conflicts, thus impeding the disruption of society (negative function of law), and to promote cooperation among the members of the society, its unity and welfare (positive function of law). We need rules establishing what is permitted and what is prohibited, to what extent a member of the society is free to do whatever he wants, what kinds of behavior are mandatory, and so on. Without such rules no society can remain stable or even exist.

We have many different kinds of rules dealing with the organization of society and the relations among its members (religion, morality, customs, etc.). They are all techniques of social control. In our daily life we can appreciate that sometimes these rules match perfectly, sometimes they differ or even collide.

What is the key feature of a legal rule? What is the difference between a rule of law and any other social rule?

It is commonly said that the distinctive character of law is the provision of a sanction, a negative consequence in case of violation of a legal rule, such as damages, imprisonment, fines, restitutions, and so on. But the sanction in itself is not a typical consequence of infringing a rule of law, because all social sets of rules provide for such negative consequences. We could say that the general scope of a rule of law makes the real difference: a rule of law is meant to be applied to everyone in a community. But this is not true either; it happens that a certain law applies only to a limited number of people in the society.
The rules of law are the only social rules whose duties must be fulfilled, and whose sanctions are inflicted, by entities that can legitimately use force to make people respect them. The legitimate use of force by authorities is what makes a social rule a rule of law, and what makes the rules of law so effective and reliable in achieving the goal of social order.

Legal system = the whole of the applicable rules of law in a society. The legal system is therefore the law applicable to that specific community of men and women, to that particular society. Nowadays the most significant society is the National State, and so the most important legal systems in the world are the national legal systems, which are the products of State sovereignty. Different countries have different national legal systems, so that every time we talk about "law" we tend inevitably to consider a specific national legal system. We can talk about international law, but the international legal system does not have the same completeness and importance as the national legal systems.

Since law is necessary to keep every society together, each society has a specific set of legal rules, aimed at regulating the relations among men and women in that specific society. Law is a product of social interactions; it is socially constructed. And since societies are not static, but change continuously, law is not a set of immutable and universal rules. This is what is called the "social" or "political" character of law.

What is IT law?

IT law means Information Technology law, and it can be defined as that part of the law devoted to the study of the legal problems arising from the use of computers to store, transmit and manipulate data and information on a large scale, with particular attention to the use of the internet.
The diffusion of information technologies requires the creation of specific legal rules fit to regulate these phenomena, and calls for a new interpretation and application of traditional rules to the new technologies, first of all the discipline of contracts.

With respect to the classical definition of law as the set of rules created to organize the life of a community, and particularly of that important community we call the national State, do you expect a peculiarity from IT law?

Information Technologies and the Internet are not familiar with territorial limitations. Their impact on people and societies is inconsistent with the traditional partition of national legal systems. The digital context is a global context. We do NOT have a uniform and complete international legal framework of universal application; therefore we cannot expect to find a global regulation of IT law. As a matter of fact, the majority of the rules governing IT devices are the product of private self-regulation by IT providers and users.

Key assumption in IT law: a continuous slip from the supra-national and a-territorial IT context to a national-based level of additional regulation and protection. IT law deals with the definition of the relationship between the soft self-regulation of IT devices and their hard national-based regulation. Many international conventions have been drafted to find a way to coordinate national policies on IT regulation, but the governance of IT issues still remains strongly linked to national instruments. The challenge for the law and for lawyers today is to find a way to strengthen the coordination among national legal systems.

Internet Governance

The Internet is the global system of interconnected computer networks which use a shared protocol to link electronic devices worldwide, with the aim of making information resources and electronic services available to those who are connected through it.
It is frequently defined as a network of networks, or better, a global network of private and public local networks. Among the most significant information resources and services we can easily mention inter-linked hypertext documents, the World Wide Web, e-mail, file sharing, internet telephony, internet television, online music and digital newspapers.

Internet governance is defined as: "the development and application by governments, the private sector, and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures and programs, that shape the evolution and utilization of the Internet".

The above definition is broad. Part of its breadth lies in the fact that the notion of governance is wider than the traditional notion of formal regulation by state actors using codes, statutes and laws. There is no authority, private or public organization, running the Internet. There is no global governing body setting and enforcing the rules for the shared connections and protocols. Its governance is conducted by an international network of people and institutions, both public and private, working in a cooperative way with the aim of creating common policies and standards to maintain global interoperability for everyone's sake. Since we do not have a global law, but mainly the sum of national legal systems with some international connections, we do not have a real global government of the Internet. So the functioning of the Internet is largely built on self-government. Therefore Internet governance encompasses a vast range of mechanisms for management and control, of which formal legal codes (like treaties, conventions, statutes, regulations, judicial decisions) are but one, albeit important, instance.

What is the object of Internet governance?
Internet governance embraces issues not just concerned with the infrastructures for transmitting data but also with the information content of the transmitted data (e.g. privacy of electronic communications, freedom of expression on the Internet, liability of Internet service providers for dissemination of data with illegal content, etc.).

The Internet is a specific modality for data transmission. The steering and management of the current core elements of the Internet is fundamentally made of:
A. protocols for data transmission in the form of packet switching (Transmission Control Protocol/Internet Protocol, TCP/IP), along with subsequent extensions of these protocols (such as the Hypertext Transfer Protocol, HTTP);
B. IP addresses and corresponding domain names;
C. root servers.

TCP/IP

TCP/IP (Transmission Control Protocol/Internet Protocol) are the two fundamental communication protocols of the suite commonly used to interconnect network devices on the Internet. They can also be used as communication protocols in a private network. TCP/IP is a set of data communication mechanisms, embodied in software, that lets each one of us use the Internet and other similar private networks.
- TCP focuses on processing and handling data from applications
- IP is more "network oriented" and is designed to accommodate the transmission and receipt of application data across a network.

HTTP

HTTP (Hypertext Transfer Protocol) is the application protocol on which the World Wide Web is built. A hypertext is structured text that uses logical links (hyperlinks) between two or more texts. HTTP is the protocol through which it is possible to exchange or transfer hypertext. HTTP is therefore a request-response protocol. Once a request message is sent from a node (client) of the Internet to a server using HTTP, the server returns a response message to the client.
The response contains all the information about the request, and so, for instance, a website is loaded on the client's requesting computer.

Domain names

Domain names are essentially translations of IP numbers/addresses into a semantic and more meaningful form. An IP address is a bit string represented by 4 numbers (from 0 to 255) separated by dots → 153.110.179.30. Thus, the main reason for domain names is mnemonics; that is, domain names make it easier for humans to remember identifiers. They are user-friendly. Domain names have two other overlapping functions as well:
1. they enhance categorization of information, thus making administration of networks more systematic and making it easier for people to find information;
2. stability: IP addresses can frequently change, whereas domain names tend to be more stable reference points.

Each domain name must be unique but need not be associated with just one single or consistent IP number. It must simply map onto a particular IP number or set of numbers which will give the result that the registrant of the domain name desires.

A domain name has two main parts arranged hierarchically from right to left: (a) a top-level domain (TLD) and (b) a second-level domain (SLD). It will commonly also have a third-level domain. The ordinary number of domains is usually between two and five.

The potential number of domain name strings is huge (though not unlimited). The name set currently operates with 37 characters: 26 letters, 10 numerals, and the dash symbol "-", so that there are 37^2 or 1,369 two-character combinations, 37^3 or 50,653 three-character combinations, and 37^4 or 1,874,161 four-character combinations. Obviously, the number of combinations will increase significantly if the character set is increased, a possibility that is currently being discussed and tested with respect to "Internationalized Domain Names" (IDNs).

There are two main classes of top-level domains (TLD):
a. generic (gTLD) = such as .com, .net, .org, .gov, .edu, .mil, .int, .info and .biz;
b. country code (ccTLD) = such as .it, .fr, .au, .ru, .uk.

The first class also covers TLDs that are set up for use by a particular community or industry (so-called sponsored TLDs). Examples are .cat (set up for use by the Catalan community in Spain) and .mobi (set up for users and producers of mobile telecommunications services). The generic TLDs may further be classified according to whether they are open to use by anyone; some are reserved for use only by specified groups/sectors. For example: .pro is restricted to licensed professional persons; .name is restricted to individual persons; .gov is restricted to public institutions.

The Domain Name System (DNS) is essentially a system for mapping, allocating, and registering domain names. Basically, it translates domain names into numerical addresses so that computers can find each other. The fundamental design goal of the DNS is to provide the same answers to the same queries issued from any place on the Internet. Accordingly, it ensures (a) that no two computers have the same domain name and (b) that all parts of the Internet know how to convert domain names into numerical IP addresses, so that packets of data can be sent to the right destination.

The core of the system is a distributed database holding information over which domain names map onto which IP numbers. The data files with this information are known as "roots" and the servers with these files are called "root servers" or "root name servers". The servers are arranged hierarchically. The top root servers hold the master file of registrations in each TLD and provide information about which other computers are authoritative regarding the TLDs in the naming structure. The addition of new TLDs may only be carried out by ICANN, which is headquartered in California.
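The domain-name hierarchy, TLD classes and 37-character name set described above, as an added worked example that is not part of the lecture; the classification tables are deliberately limited to the TLDs the lecture itself lists, and the extra label rules (length, hyphen position) are real DNS hostname constraints added for completeness.

```python
"""Added example (not from the lecture): split a domain name into the
hierarchy described above (TLD, SLD, third level, ...), classify the TLD
using only the lists the lecture gives, validate labels against the
lecture's 37-character name set, and reproduce its combination counts."""
import string

# TLD classes exactly as listed in the lecture (not an exhaustive registry).
GENERIC_TLDS = {"com", "net", "org", "gov", "edu", "mil", "int", "info", "biz"}
SPONSORED_TLDS = {"cat", "mobi"}             # community/industry gTLDs
RESTRICTED_TLDS = {                           # gTLDs reserved for specified groups
    "pro": "licensed professional persons",
    "name": "individual persons",
    "gov": "public institutions",
}
COUNTRY_CODE_TLDS = {"it", "fr", "au", "ru", "uk"}

# The lecture's name set: 26 letters, 10 numerals and the dash (37 symbols).
NAME_SET = set(string.ascii_lowercase + string.digits + "-")
LEVEL_NAMES = ["top-level", "second-level", "third-level", "fourth-level", "fifth-level"]

def name_string_count(length):
    """Distinct label strings of `length` symbols over the 37-symbol set:
    37**2 = 1,369, 37**3 = 50,653, 37**4 = 1,874,161 as the lecture states."""
    return len(NAME_SET) ** length

def valid_label(label):
    """Check a label against the lecture's character set, plus the real DNS
    hostname rules a practitioner expects (1-63 octets, no leading or
    trailing hyphen)."""
    return (0 < len(label) <= 63
            and set(label) <= NAME_SET
            and not label.startswith("-")
            and not label.endswith("-"))

def classify_tld(tld):
    """Classify a TLD with the lecture's taxonomy; answer 'unknown' when it
    is in none of the lists rather than guessing."""
    if tld in COUNTRY_CODE_TLDS:
        return "ccTLD"
    if tld in SPONSORED_TLDS:
        return "sponsored gTLD"
    if tld in RESTRICTED_TLDS:
        return f"restricted gTLD ({RESTRICTED_TLDS[tld]})"
    if tld in GENERIC_TLDS:
        return "open gTLD"
    return "unknown"

def parse_domain(name):
    """Split a domain name right-to-left into hierarchical levels and report
    the TLD class, label validity and whether the depth is the ordinary
    two-to-five levels the lecture mentions."""
    labels = name.lower().rstrip(".").split(".")
    levels = {}
    for i, label in enumerate(reversed(labels)):
        key = LEVEL_NAMES[i] if i < len(LEVEL_NAMES) else f"level-{i + 1}"
        levels[key] = label
    return {
        "levels": levels,
        "depth": len(labels),
        "tld_class": classify_tld(labels[-1]),
        "labels_valid": all(valid_label(label) for label in labels),
        "ordinary_depth": 2 <= len(labels) <= 5,
    }

if __name__ == "__main__":
    print(parse_domain("www.example.co.uk"))
```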
ICANN (Internet Corporation for Assigned Names and Numbers) is a nonprofit private organization responsible for coordinating the maintenance and procedures of several databases related to the namespaces of the Internet, ensuring the network's stable and secure operation. ICANN was originally subject to US government oversight (US Department of Commerce); but in 2016 the process of its complete privatization was concluded, and today ICANN is a purely private multistakeholder community. A handful of alternative root systems operating independently of the ICANN regime do exist, with separate root servers and TLDs (for instance New.Net, UnifiedRoot and OpenNIC), but they have only a tiny share of the Internet user market due to high networking and cost factors.

Problematic issues with domain names

From the point of view of the law, the main points of conflict and controversy with respect to the operation of the DNS have largely arisen in two respects:
1. how domain names are allocated to persons/organizations;
2. which TLDs (and thereby domain names) are permitted.

The conflict over domain name allocation and recognition is due primarily to the changing function of domain names. They have gone from being just easily remembered address identifiers to signifiers of broader identity and value (such as trademarks). At the same time, while they are not scarce resources technically, they are scarce resources in the economic sense. Some have come to assume extremely large economic value, and there is some judicial recognition of domain names as a form of property.

Governance of DNS

Governance of the DNS is largely contractual, at least with respect to management of gTLDs, although some of the regimes for management of ccTLDs have a legislative footing. IANA (Internet Assigned Numbers Authority), which is today a department of ICANN, is responsible for the allocation of gTLDs.
IANA was once an independent organization whose functions have been transferred to ICANN through a contract, renewed many times. IANA/ICANN distributes blocks of IP numbers to the RIRs (Regional Internet Registries) all around the world, which then distribute IP numbers to the main Internet Service Providers (ISPs) in their respective regions. The ISPs further distribute the numbers to smaller ISPs, corporations, and individuals (IANA/ICANN → RIRs → ISPs → smaller ISPs, corporations and individuals).

To fulfill ICANN's mission, a web of contracts and more informal agreements has been launched between the corporation and the bodies with which it deals. These contracts/agreements deal with key issues and matters concerning Internet governance, such as:
- establishment of policy for and direction of the allocation of IP number blocks;
- coordination of the assignment of other Internet technical parameters as needed to maintain universal connectivity on the Internet;
- guaranteeing the stability of the Internet;
- rules for the assignment of DNS names to users.

Conclusions on Internet governance

At the moment there is no specific regulation by national legal systems of the DNS and the IP address system, so that the infrastructure of the Internet is basically self-governed. It is meaningful what the European Union said about Internet governance in the Preamble to Directive 2002/21/EC for electronic communications networks and services: "The provisions of this Directive do not establish any new areas of responsibility for the national regulatory authorities in the field of Internet naming and addressing" (Recital 20). The Directive goes on to encourage EU Member States, "where appropriate in order to ensure full global interoperability of services, to coordinate their positions in international organizations and forums in which decisions are taken on issues relating to the numbering, naming and addressing of electronic communications networks and services" [Article 10(5)].
However, there may be indications that the European Union is preparing to depart from this hands-off policy in the near future, but at the moment the situation remains ICANN-based contractual governance of the Internet.

ePrivacy

Whenever you open a bank account, join a social network or book a flight online, you hand over vital personal information such as your name, address, and credit card number. What happens to this data? Could it fall into the wrong hands? What rights do you have regarding your personal information?

All legal systems recognize protection of personal data (privacy law or data protection law). Generally speaking, these regulations provide that personal data can be legally gathered, stored and used only under strict conditions and for a legitimate purpose. Subjects collecting and managing other people's personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by the law.

Every day businesses, public authorities and private individuals share great amounts of personal data on the Internet, in popular communication systems such as WhatsApp or in social networks like Facebook or Instagram. In sharing communication contents, users are also sharing metadata, e.g. the time of a call and location, which is as sensitive as the personal data and information themselves. Here we have two conflicting interests:
1. The interest of IT companies to collect personal data and information of their clients in order to use them to complete the service asked for by the client (e.g. billing or delivery), to provide additional services (e.g. insurance policies), and to develop their business (e.g. selling data or statistics on the communication contents to other companies).
2. The interest of users in the maximum possible confidentiality of the shared data and information, which should not be used beyond what is strictly necessary to receive the service.
Data protection legislation is generally oriented to finding the balance between the two interests, with particular attention to the users' interests. The key concept in data protection law is CONSENT. IT companies can store, manage and use personal data and information gathered from clients as far as the clients give their consent accordingly. So the only way for an IT business to process users' data and information is to get their consent, with the only exception of the communication contents required to comply with mandatory provisions of the law (e.g. personal data used by Courts and Tribunals or by the Tax Authorities). Moreover, in some jurisdictions, such as the EU, additional conditions are required to process communication contents in some particularly delicate situations (e.g. explicit authorization from Privacy Authorities, as for processing data in hospitals).

Finding the right balance is not simple anyway.
1. On one side, the business sector pushes to use more personal data and information from clients, since these communication contents mean great opportunities for them.
2. On the other side, IT users are asking legislators to grant an even higher level of protection of their privacy, feeling that the pervasive use of IT devices is endangering the confidentiality of their data (so-called digitalization of privacy). But there are also cases where IT users protest against a level of protection higher than expected.

Every time a person, by using an IT device, is asked to communicate personal data and information, it is not clear under which law the protection and surveillance of the shared data and information will be governed:
- the law of the place where the client is located when data and information are shared online?
- the national law of the user?
- the law under which the company managing the digital device "asking" for data/information is incorporated?
- the law of the place where the server hosting the website is located?
- an optional legislation selected during the insertion of data and information?

Conflicting rules in different countries can create severe problems in data collection and treatment. Different legislations provide for different levels of protection and enforce different privacy policies. For the business sector these discrepancies are sometimes extremely difficult to manage due to the specific territorial scope of application of these rules. Sometimes a legislation seeks application whenever the subject in charge of the treatment of the communication contents resides within the territory of that jurisdiction; in other cases, a legislation asks for application of its rules only if the release of the data and information occurs within the territory of that legal system. The risk of legislative overlap is very high, with even the consequence that individuals might in the end be unwilling to share personal data online if they are uncertain about the applicable rules.

Many techniques have been developed and employed by companies in order to escape data protection regulation, and particularly the two main privacy laws worldwide, the US and the EU ones. Among the most frequently used we can mention:
- De-identification
- Anonymization
- Pseudonymization

Personal information contains either direct or indirect identifiers.
1. "Direct identifiers" are data that identify a person without additional information. Examples of direct identifiers include name, telephone number, and government-issued ID.
2. "Indirect identifiers" are data that identify an individual indirectly. Examples of indirect identifiers include date of birth, gender, ethnicity, location, cookies, IP address, and license plate number.
It is important to note that de-identified data meets the standards required under US privacy laws for the safeguarding of personal information, while only anonymized data meets the standards required under EU laws, including the GDPR.

"Personal data" is the material scope of data protection law: only if the data subjected to processing is "personal data" will the data protection regulations apply. "Data" that is not personal data, which we can call non-personal data, can be freely processed; it falls outside the scope of application of data protection laws.

Under Article 2(1) of the GDPR, personal data means "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person".

Starting with this normative definition, we learn that personal data is information about a natural person (not a legal person); it can take any form, alphabetic, numeric, video or images; it includes both objective information (name, identification numbers, etc.) and subjective information (opinions, evaluations, etc.). The relevant element is that this information describes something about a subject that has value and meaning. Insignificant information, which has no meaning, should not be considered personal data, but new technologies have changed the way of attributing value to information, because through them it is possible to collect, measure and analyze a lot of apparently "insignificant" heterogeneous information that, reconnected to a person, is able to produce "value".

When is an individual identifiable?
Breyer case (Case C-582/14), European Court of Justice

The Court was asked to decide whether a dynamic IP address should be considered personal data, and the conclusion was that it should. In this case the Court expressly stated, for the first time, that the information that allows the identification of a person does not need to be in the hands of a single individual, and that to determine whether a person is identifiable "consideration should be given to the totality of the means likely reasonably to be used by the controller or others to identify the person". At the same time, the Court reiterated that the risk of identification appears, in reality, to be insignificant if the identification of the data subject is prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and manpower. In essence, the Court, as well as the GDPR, admits that there can be a remaining risk of identification even in relation to "anonymous" data.

"De-identification" of data is a generic expression which refers to any process used to remove personal identifiers, both direct and indirect. De-identification is not a single technique, but rather a collection of approaches, tools, and algorithms that can be applied to different kinds of data with differing levels of effectiveness. De-identification procedures remove the individual's name and identity details from the relevant transactional data. De-identification is especially important for government agencies, businesses, and other organizations that seek to make data available to outsiders while protecting privacy.
For example, significant medical research resulting in societal benefit is made possible by the sharing of de-identified patient information.

"Anonymization" of personal data refers to a subcategory of de-identification whereby direct and indirect personal identifiers have been removed and technical safeguards have been implemented such that data can never be re-identified (i.e. there is zero re-identification risk). This differs from merely de-identified data, which may be re-linked to individuals using a key (e.g., a code or an algorithm). Hence re-identification of anonymized data is not possible.

"Pseudonymization" of data refers to another subcategory of de-identification by which personal identifiers are replaced with artificial identifiers or pseudonyms. Pseudonymization can reduce risks to the data subjects concerned and help controllers and processors meet their data protection obligations. EU data protection law defines pseudonymization as "the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person".

These concepts can be expressed in a hierarchy based on the re-identification risk associated with each concept, in the following manner:
1. Personally Identifiable Data: data that contains personal direct and indirect identifiers (absolute or high re-identification risk);
2. De-Identified Data: data from which direct and indirect identifiers have just been removed (undefined re-identification risk);
3. Pseudonymous Data: data from which identifiers are replaced with artificial identifiers, or pseudonyms, that are held separately and subject to technical safeguards (remote re-identification risk);
4. Anonymous Data: de-identified data where technical safeguards have been implemented such that data can never be re-identified (zero re-identification risk).

Have these techniques been recognized as effective under US and EU privacy law?

US privacy law

The Federal Trade Commission (FTC) indicated in its 2012 report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, that the FTC's privacy framework only applies to data that is "reasonably linkable" to a consumer. The report explains that "data is not 'reasonably linkable' to the extent that a company: (1) takes reasonable measures to ensure that the data is de-identified; (2) publicly commits not to try to re-identify the data; (3) contractually prohibits downstream recipients from trying to re-identify the data." With respect to the first aspect of the test, the FTC clarified that this "means that a company must achieve a reasonable level of justified confidence that the data cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, computer, or other device." Thus, the FTC recognizes that while it may not be possible to remove the disclosure risk completely, de-identification is considered successful when there is a reasonable basis to believe that the remaining information in a particular record cannot be used to identify an individual.

In 2010, the National Institute of Standards and Technology (NIST) identified the following five techniques that can be used to de-identify records of information with varying degrees of effectiveness:
1. Suppression: the personal identifiers are suppressed, removed, or replaced with completely random values;
Averaging: The personal identi ers of a selected eld of data can be replaced with the average value for the entire group of data (e.g., the ages of 3, 6, and 12 are expressed as the age of 7 for every individual in the data set). 3. Generalization: The personal identi ers can be reported as being within a given range or as a member of a set (e.g., names can be replaced with “PERSON NAME”). 4. Perturbation: The personal identi ers can be exchanged with other information within a de ned level of variation (e.g., date of birth may be randomly adjusted –5 or +5 years). 5. Swapping: The personal identi ers can be replaced between records (e.g., swapping the zip codes of two unrelated records). EU Privacy Law The current General Data Protection Regulation - GDPR (Regulation EU/2016/679 entered into force on May 25, 2018) is clear in saying that it is not applicable to data that “does not relate to an identi ed or identi able natural person or to data rendered anonymous in such a way that the data subject is not or no longer identi able.” The zero re-identi cation risk standard under the GDPR is a stricter criterion than the US reasonable level of justi ed con dence standard. Thus, the GDPR requires that a data set be anonymized, and not just de-identi ed, for it to fall outside the scope the Regulation. In 2014, the Article 29 Working Party (WP29) [today European Data Protection Board – EDPB] released the Opinion 05/2014 on Anonymization Techniques that examines e ectiveness and limits of various anonymization techniques in relation to the legal framework of the European Union. The opinion states that anonymization results in processing personal data in a manner to “irreversibly prevent identi cation.” ff fi fi fi fi fi fi fi fi fi fi fi fi fi fi fi fi fi fi fi fi ff fi fi fi fi fi fi fi fi fi fi fi ff fi fi fi fi fi fi The WP29 identi ed the following seven techniques that can be used to anonymize records of information with varying degrees of e ectiveness: 1. 
Noise Addition: The personal identi ers are expressed imprecisely (e.g., weight is expressed inaccurately –10 or +10 pounds). 2. Substitution/Permutation: The personal identi ers are shu ed within a table or replaced with random values (e.g., a zip code of 80629 is replaced with “Goldenrod”). 3. Di erential Privacy: The personal identi ers of one data set are compared to an anonymized data set held by a third party with instructions of the noise function and acceptable amount of data leakage. 4. Aggregation/K-Anonymity: The personal identi ers are generalized into a range or group (e.g., a salary of $42,000 is generalized to $35,000–$45,000). 5. L-Diversity: The personal identi ers are rst generalized, then each attribute within an equivalence class is made to occur at least “l” times (e.g., properties are assigned to personal identi ers, and each property is made to occur with a dataset, or partition, a minimum number of “l” times). 6. Pseudonymization—Hash Functions: The personal identi ers of any size are replaced with arti cial codes of a xed size (e.g., Paris is replaced with “01”, London is replaced with “02”, and Rome is replaced with “03”). 7. Pseudonymization—Tokenization: The personal identi ers are replaced with a non-sensitive identi er that traces back to the original data, but are not mathematically derived from the original data (e.g., a credit card number is exchanged in a token vault with a randomly generated token “958392038”). Key Di erences 1. Legal Context: - NIST: Focused on U.S. privacy laws, like HIPAA or CCPA. - WP29: Aligned with GDPR requirements in the EU. 2. Stringency: - WP29 places greater emphasis on irreversibility and ensuring re-identi cation is impossible. - NIST focuses on balancing privacy and utility, allowing some techniques (like pseudonymization) that are reversible. 3. Scope: - NIST: Focuses more on practical methods for data de-identi cation. 
- WP29: a broader perspective, covering anonymization comprehensively under the GDPR.

The case of cookies

Web cookies are small pieces of data that a web server sends to the browser, which stores them and returns them with each later request to the same server. They are used to identify users, customize web pages, speed up page loading and save users' login information. When we enter a website that uses cookies, we may be asked to provide personal information (e.g., name and email address) by filling out a form. These data, or a reference to them, are stored in a cookie and exchanged between the web browser and the server. The next time the same user visits that website, the cookie works as an electronic footprint of the user (for instance, instead of seeing a generic welcome page the user may see a customized page that greets him by name).

Some cookies are "session cookies", which expire when the user closes the web browser: they are kept only in temporary memory and are not retained after the single web session. Other cookies are "persistent cookies", which are not erased when the user closes the browser, although they are usually set with an expiration date.

Because of the growing use of tracking cookies, often associated with spyware or adware, which follow users' activity online and carry a number of additional pieces of information about them, many legal systems have obliged website operators to inform users fully about how information is stored in cookies and to ask for the users' explicit consent whenever cookies are set when a web page is opened. In the EU this rule entered into force, at different times from country to country, under Directive 2009/136/EC (which amended the ePrivacy Directive 2002/58/EC). In Italy it came into force in 2015.

Many think that these provisions result in consent overload for internet users and stand in the way of features that benefit them (e.g. remembering the shopping cart history), and the EU is preparing new, more user-friendly provisions: browser settings would provide an easy way to accept or refuse tracking cookies and other identifiers, and no consent would be required for non-privacy-intrusive cookies that improve the internet experience.

Essential rules and principles in EU data protection law

The type and amount of personal data a company may process depends on the reason for processing it (the legal basis relied upon) and the intended use. The company must respect several key rules:

- personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data is being processed ('lawfulness, fairness and transparency');
- there must be specific purposes for processing the data, and the company must indicate those purposes to individuals when collecting their personal data; a company cannot simply collect personal data for undefined purposes ('purpose limitation');
- the company must collect and process only the personal data that is necessary to fulfil that purpose ('data minimization');
- the company must ensure the personal data is accurate and up to date, having regard to the purposes for which it is processed, and correct it if it is not ('accuracy');
- the company cannot further use the personal data for other purposes that are not compatible with the original purpose;
- the company must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected ('storage limitation');
- the company must put in place appropriate technical and organizational safeguards that ensure the security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technology ('integrity and confidentiality').

Information to the e-customer

At the time of collecting their data, the IT users must be
informed clearly about at least:

- who the company is (its contact details, and those of the DPO if any);
- why the company will be using their personal data (purposes);
- the categories of personal data concerned;
- the legal justification for processing their data;
- for how long the data will be kept;
- who else might receive it;
- whether their personal data will be transferred to a recipient outside the EU;
- that they have a right to a copy of the data (right of access) and the other basic rights in the field of data protection (see the complete list of rights);
- their right to lodge a complaint with a Data Protection Authority (DPA);
- their right to withdraw consent at any time;
- where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.

The information may be provided by electronic means (emails, disclaimers on a web page, a link to the privacy policy page, alerts via social media, etc.). The IT company must do so in a concise, transparent, intelligible and easily accessible form, in clear and plain language and free of charge.

EU data protection law identifies two different entities involved in data processing, the data controller and the data processor:

1. The data controller determines the purposes for which and the means by which personal data is processed. If an IT company decides "why" and "how" the personal data should be processed, that company is the data controller. Employees who process personal data within the controller's organization do so to fulfil the controller's tasks (data managers): they act for the controller and are not processors.
2. The data processor processes personal data on behalf of the controller. The data processor is usually a third party external to the IT company acting as data controller. The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must indicate what happens to the personal data once the contract is terminated. A typical activity of processors is offering IT solutions, including cloud storage.

We can also have joint control of the data, when two or more organizations together determine "why" and "how" personal data should be processed. Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR rules, and the main aspects of the arrangement must be communicated to the individuals whose data is being processed.

Companies are encouraged to implement technical and organizational measures at the earliest stages of the design of the processing operations, in such a way that privacy and data protection principles are safeguarded right from the start (data protection by design). By default, companies should ensure that personal data is processed with the highest privacy protection (for example, only the data necessary should be processed, the storage period should be short, accessibility should be limited), so that by default personal data is not made accessible to an indefinite number of persons (data protection by default).

Pseudonymization is a typical example of privacy by design, since it protects the confidentiality of the data by a method that is applied as soon as the data are collected, whatever the way they are collected. An example of data protection by default is a social media platform that sets users' profile settings to the most privacy-friendly option, limiting from the start the accessibility of the users' profiles so that they are not accessible by default to an indefinite number of people.

A data breach occurs when the data for which the company is responsible suffer a security incident resulting in a breach of confidentiality, availability or integrity. If that occurs, and it is likely that the breach poses a risk to individuals' rights and freedoms, the company has to notify the supervisory authority without undue delay, and at the latest within 72 hours after having become aware of the breach.
If the company is a data processor, it must notify every data breach to the data controller without undue delay. If the data breach poses a high risk to the individuals affected, they should also all be informed, unless effective technical and organizational protection measures have been put in place, or other measures have been taken that ensure that the risk is no longer likely to materialize.

For example, a hospital employee decides to copy patients' details and publishes them online. The hospital finds this out a few days later. As soon as the hospital finds out, it has 72 hours to inform the supervisory authority and, since the personal details contain sensitive information such as whether a patient has cancer, is pregnant, etc., it has to inform the patients as well. In that case, there would be doubts about whether the hospital had implemented appropriate technical and organizational protection measures. If it had indeed implemented appropriate protection measures (for example, encrypting the data), a material risk would be unlikely and it could be exempt from notifying the patients.

Data Protection Officer (DPO)

A company needs to appoint a DPO, whether it is a controller or a processor, if its core activities involve processing of sensitive data on a large scale or involve large-scale, regular and systematic monitoring of individuals (for instance, a hospital processing large sets of sensitive data, or a security company responsible for monitoring shopping centers and public spaces). In that respect, monitoring the behavior of individuals includes all forms of tracking and profiling on the internet, including for the purposes of behavioral advertising. Public administrations always have an obligation to appoint a DPO, except for courts acting in their judicial capacity. The DPO may be a staff member of the company or may be contracted externally on the basis of a service contract (the more frequent solution).

The DPO assists the controller or the processor in all issues relating to the protection of personal data. In particular, the DPO must:

- inform and advise the controller or processor, as well as their employees, of their obligations under data protection law;
- monitor the company's compliance with all legislation relating to data protection, including through audits, awareness-raising activities and training of staff involved in processing operations;
- act as a contact point for requests from individuals regarding the processing of their personal data and the exercise of their rights.

The DPO must not receive any instructions from the controller or processor in the exercise of these tasks and reports directly to the highest level of management of the company.

Sanctions

The GDPR provides the Data Protection Authorities (DPAs) with different options in case of non-compliance with the data protection rules:

- likely infringement: a warning may be issued;
- infringement: the possibilities include a reprimand, a temporary or definitive ban on processing, and a fine of up to EUR 20 million or 4% of the business's total annual worldwide turnover, whichever is higher.

It is worth noting that, in the case of an infringement, the DPA may impose a monetary fine instead of, or in addition to, the reprimand and/or ban on processing. The authority must ensure that the fines imposed in each individual case are effective, proportionate and dissuasive. It will take into account a number of factors, such as the nature, gravity and duration of the infringement, its intentional or negligent character, any action taken to mitigate the damage suffered by individuals, the degree of cooperation of the organization, etc.

A company sells household goods online. Through its website, consumers can buy kitchen appliances, tables, chairs and other domestic goods by entering their bank details.
The website suffered a cyber-attack that made personal details available to the attacker. In this case, the lack of appropriate technical measures by the company seems to have been the cause of the data loss. Various factors will be considered by the supervisory authority before it decides which corrective tool to use, such as: how serious was the deficiency in the IT system? How long had the IT infrastructure been exposed to such a risk? Had tests been carried out in the past to prevent such an attack? How many customers had their data stolen or disclosed? What type of personal data was affected, and did it include sensitive data? All these and other considerations will be taken into account by the supervisory authority.

eContracts

The association between contracts and information technology can take different shapes:

- the object of a contract can be standard software (license contract);
- the contract can provide for tailor-made software (service contract + license contract);
- the object of a contract can be an IT device or, in general, hardware (sale contract + license contract);
- the contract can provide for software/hardware assistance (service contract);
- the contract can be concluded in a digital context (digital contract).

Digital contracts, or pure IT contracts, are contracts entirely negotiated and concluded through digital resources, i.e. contracts concluded online.

E-commerce (direct or indirect) is the name usually given to the use by businesses and professionals of online channels to sell and provide goods and services. It comprises all the legal and commercial issues connected to the use of online digital technologies in contracts. These contracts raise different legal issues depending on whether the digital contract is concluded between business/professional actors (B2B) or between a business/professional actor and a consumer (B2C).
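Returning to the de-identification techniques listed earlier under NIST and the WP29 (suppression, generalization, perturbation, k-anonymity, l-diversity and hash-based pseudonymization), the following Python example is added here as an illustration and is not part of the original lecture notes. It applies those steps to a constructed toy data set of six fictitious patient records, measures the k and l values before and after generalization, and contrasts a plain SHA-256 pseudonym, which a dictionary attack reverses, with an HMAC pseudonym that can only be re-linked by whoever holds the key. The record values, the field names and the key are assumptions made up for the example.

```python
"""Added example (not from the lecture notes): de-identification steps from the
NIST and WP29 lists applied to a constructed toy data set."""
import hashlib
import hmac
import random
from collections import defaultdict

# Constructed sample records (fictitious people): direct identifiers (name, email),
# quasi-identifiers (age, zip) and one sensitive attribute (diagnosis).
RECORDS = [
    {"name": "Alice", "email": "alice@example.org", "age": 34, "zip": "80629", "diagnosis": "flu"},
    {"name": "Bob",   "email": "bob@example.org",   "age": 37, "zip": "80621", "diagnosis": "cancer"},
    {"name": "Carol", "email": "carol@example.org", "age": 31, "zip": "80625", "diagnosis": "flu"},
    {"name": "Dave",  "email": "dave@example.org",  "age": 52, "zip": "10001", "diagnosis": "asthma"},
    {"name": "Eve",   "email": "eve@example.org",   "age": 58, "zip": "10009", "diagnosis": "flu"},
    {"name": "Frank", "email": "frank@example.org", "age": 55, "zip": "10004", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS = ("age", "zip")
SENSITIVE = "diagnosis"


def suppress(record, fields=("name", "email")):
    """Suppression: drop the direct identifiers outright."""
    return {k: v for k, v in record.items() if k not in fields}


def generalize(record):
    """Generalization / aggregation: exact age -> ten-year band, 5-digit zip -> 3-digit prefix."""
    out = dict(record)
    decade = (record["age"] // 10) * 10
    out["age"] = f"{decade}-{decade + 9}"
    out["zip"] = record["zip"][:3] + "**"
    return out


def perturb_age(record, rng, spread=5):
    """Perturbation / noise addition: shift the age by a random offset in [-spread, +spread]."""
    out = dict(record)
    out["age"] = record["age"] + rng.randint(-spread, spread)
    return out


def equivalence_classes(records):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in QUASI_IDENTIFIERS)].append(r)
    return classes


def k_anonymity(records):
    """k = size of the smallest equivalence class: every record hides among at least k-1 others."""
    return min(len(group) for group in equivalence_classes(records).values())


def l_diversity(records):
    """l = fewest distinct sensitive values in any class; k-anonymity alone does not bound this."""
    return min(len({r[SENSITIVE] for r in group}) for group in equivalence_classes(records).values())


def pseudonymize(value, key):
    """Keyed hash (HMAC-SHA256) as pseudonym: fixed size, deterministic, re-linkable only with the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def plain_hash(value):
    """Unkeyed SHA-256, for contrast: same input, same digest, and no secret involved."""
    return hashlib.sha256(value.encode()).hexdigest()


def dictionary_attack(target_digest, candidates, digest_fn):
    """Re-identification by guessing: digest each candidate and compare. Works whenever the
    input space is small enough to enumerate and digest_fn needs no secret."""
    for cand in candidates:
        if digest_fn(cand) == target_digest:
            return cand
    return None


def demo():
    rng = random.Random(42)
    deidentified = [suppress(r) for r in RECORDS]        # direct identifiers removed only
    anonymized = [generalize(r) for r in deidentified]   # quasi-identifiers coarsened as well
    key = b"secret-key-held-by-the-controller"           # assumption: stored apart from the data
    tokens = {r["email"]: pseudonymize(r["email"], key) for r in RECORDS}
    emails = [r["email"] for r in RECORDS]               # the attacker's candidate list
    return {
        "k_raw": k_anonymity(deidentified),
        "l_raw": l_diversity(deidentified),
        "k_generalized": k_anonymity(anonymized),
        "l_generalized": l_diversity(anonymized),
        "perturbed_ages": [perturb_age(r, rng)["age"] for r in deidentified],
        "plain_hash_recovered": dictionary_attack(plain_hash("bob@example.org"), emails, plain_hash),
        "keyed_hash_recovered": dictionary_attack(tokens["bob@example.org"], emails, plain_hash),
        "keyed_hash_recovered_with_key": dictionary_attack(
            tokens["bob@example.org"], emails, lambda v: pseudonymize(v, key)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Removing names and emails alone leaves every record unique (k = 1, l = 1), which is the "undefined risk" de-identified level of the hierarchy above. Generalizing age and zip code yields two equivalence classes of three records each (k = 3), but each class still holds only two distinct diagnoses (l = 2), so k-anonymity alone says little about what a class reveals. The hash comparison shows the point made for technique 6: the plain digest of an email address is recovered from a short candidate list, while the HMAC pseudonym is recovered only by someone who also has the key, which is why the key must be kept separately from the data.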
