IT Summary PDF

Summary

This document provides a summary of information technology law (IT law). It covers historical definitions of law, common features of law, and the key features of IT law. It also touches upon topics like global nature, mixed regulations of IT law, and self-regulation aspects.

Full Transcript

SLOT I
Why Study IT Law?
1.​ Technology Shapes Our Lives: From online shopping to social media and
education, digital tools are part of everything we do.
2.​ Legal Challenges in the Digital World: Traditional laws like those for contracts or
privacy don’t always fit the digital world. New issues like artificial intelligence and
cloud storage bring even more legal questions.
3.​ Why It Matters: IT law helps professionals and users understand what’s legally
allowed with technology, not just what’s possible.
4.​ Serious Consequences: Misusing technology or breaking IT laws can have major
impacts because technology is so important in daily life.
What is Law?
Historical Definitions of Law:
​ Han Dynasty Dictionary (3rd Century BCE): Law is associated with punishment.
​ Karl Marx: Law is a tool used by those in power to exploit the working class.
​ John Austin: Law is a rule created by a superior being to guide an inferior being.
​ Oliver Wendell Holmes: Law is a prediction of what courts will decide.
Modern Definitions of Law:
​ US Legal Dictionary: A set of binding rules of conduct enforced by an authority.
​ Oxford Dictionary: A system of rules recognized by a community or country to
regulate behavior, with penalties for violations.
​ Pietro Sirena: Law is a social framework designed to resolve conflicts and
encourage positive behavior among members of a society.
Common Features of Law:
1.​ Prescriptions and Sanctions: Law involves rules that prescribe behavior and
impose consequences for violations.
2.​ Connection to Society: Law exists to regulate and organize societal interactions.
Law as a Social Infrastructure:
​ Negative Function: Resolves conflicts to prevent societal disruption.
​ Positive Function: Promotes cooperation, unity, and welfare.
The Need for Rules:​
Rules define what is allowed, prohibited, or required, ensuring societal stability and
existence. These rules may take various forms, such as religious, moral, or legal, and act as
tools for social control.

Overlaps and Differences in Rules:
​ Religious and Moral: Helping the poor.
​ Moral (Good Manners): Giving up a seat for a pregnant woman.
 ​ Moral, Religious, and Legal: Keeping promises, paying debts.
​ Religious Only: Refusing blood transfusions.
These rules may align, differ, or conflict, shaping how society operates.
What is the key feature of a legal rule? What is the difference between a rule of
law and any other social rule?
The key feature that distinguishes legal rules from other social rules is the legitimate use of
force by authorities to enforce compliance. While many social rules impose consequences
for violations, only legal rules are backed by entities with the authority to use force, making
them effective in maintaining social order.
Key Points:
1.​ Sanctions: Legal rules impose strong consequences, but this alone does not
distinguish them from other social rules like religious or moral rules.
2.​ Universality: Legal rules are often intended to apply broadly but can also target
specific groups, contrary to the idea of universal application.
3.​ Authority: The defining characteristic of legal rules is that their enforcement and
sanctions are carried out by legitimate authorities.
4.​ Legal Systems:
○​ A society's collective set of legal rules is its legal system.
○​ National legal systems, shaped by state sovereignty, are the most significant
in regulating societal interactions.
○​ International law exists but is less comprehensive compared to national legal
systems.
5.​ Dynamic Nature of Law: Law evolves with society, reflecting its changing needs and
interactions; it is not fixed or universal.This is what is called the “social” or “political”
character of law.
What is IT Law?
IT law focuses on the legal challenges arising from using computers and the internet to
store, transmit, and manipulate data on a large scale. It involves creating specific rules for
new technologies and reinterpreting traditional laws, especially those related to contracts, to
fit the digital age.
Key Features:
1.​ Global Nature: Unlike traditional law tied to national boundaries, IT law addresses
issues in a global digital context, transcending territorial limits.
2.​ Lack of Uniformity: There is no universal international legal framework for IT law,
leaving regulation fragmented.
3.​ Self-Regulation: Much of IT law is shaped by the private rules set by IT providers
and users rather than by national or global laws.

Is Self-Regulation Enough in IT Law?
While IT devices play a vital role in everyday life and various fields, their regulation relies on
a mix of self-regulation (rules by IT providers/users) and national legal systems.
Key Points:
1.​ Mixed Regulation: IT law balances global self-regulation with national laws that
provide additional rules and protections.
2.​ Coordination Challenges: Despite international conventions aiming to harmonize IT
regulation, governance remains tied to national legal systems.
3.​ Ongoing Task: The primary challenge for legal experts is improving coordination
between different national legal systems to address IT issues effectively.
In summary, self-regulation is insufficient alone; stronger global coordination of national
policies is essential for effective IT governance.
Internet Governance
The internet is a global system connecting computers and devices worldwide, allowing
people to access information and services like websites, email, file sharing, and more. It is
made up of many smaller networks, both public and private, that work together.
What is Internet Governance?
Internet governance refers to the process of creating rules, policies, and standards for how
the internet works and how it is used. This is done by governments, businesses, and other
groups working together.
Key Features:
1.​ Decentralized Structure:
○​ No single authority governs the internet; it operates through cooperative
efforts among public and private entities.
○​ Governance is based on shared policies and standards to ensure global
interoperability.
2.​ Self-Governance:
○​ Without a global legal system, internet governance relies heavily on
self-regulation and collaboration across national systems and international
networks.
3.​ Broader than Formal Laws:
○​ Governance mechanisms include treaties, regulations, and judicial decisions
but also informal practices and cooperative agreements.
Scope of Internet Governance:
​ Infrastructure: Managing the systems that transmit data.
​ Content: Addressing issues like privacy, freedom of expression, and the liability of
service providers for illegal content.
SLOT II
The internet
The Internet is a specific modality for data transmission. The steering and management of
currently core elements of internet is fundamentally made of:
a.​ protocols for data transmission in the form of packet switching (Transmission Control
Protocol/Internet Protocol—TCP/IP), along with subsequent extensions of these
protocols (such as Hypertext Transmission Protocol—HTTP);
b.​ IP addresses and corresponding domain names
c.​ root servers
TCP/IP (Transmission Control Protocol/Internet Protocol):
The basic communication system that connects devices on the internet. It is used both on
the internet and private networks (like intranets).
-​ TCP: Handles data from applications (such as emails or web browsing).
-​ IP: Focuses on routing data across the network.
HTTP (Hypertext Transfer Protocol):
​ HTTP is the protocol used to transfer web pages on the World Wide Web.
​ It is a request-response protocol: When you open a website, your device (client)
sends a request to a server using HTTP, and the server sends back the requested
information (like a webpage).

Domain Names
Domain names are user-friendly, memorable translations of IP addresses, which are typically
a series of numbers (e.g., 153.110.179.30). While IP addresses are difficult for people to
remember, domain names make it easier for humans to identify and recall websites.
Key Functions of Domain Names:
1.​ Mnemonics: Domain names help people remember website addresses more easily.
2.​ Categorization: They improve how information is categorized, making network
administration more organized and helping users find information more efficiently.
3.​ Stability: While IP addresses can change, domain names remain stable and provide
consistent references, even if the associated IP address shifts. A domain name can
point to multiple IP addresses, allowing flexibility for the registrant.

Structure of Domain Names:
A domain name typically consists of two or three parts:
​ Top-Level Domain (TLD): The highest level, found at the end of the domain name
(e.g.,.com,.org).
​ Second-Level Domain (SLD): The part directly to the left of the TLD (e.g., "example"
in example.com).
​ Third-Level Domain: An optional part before the SLD, often used to create
subdomains (e.g., "www" in www.example.com).
There are many possible combinations of domain names, limited by the available character
set (26 letters, 10 numerals, and the dash symbol). The number of combinations increases if
the character set expands, as seen with "Internationalized Domain Names" (IDNs).
Types of Top-Level Domains (TLDs):
1.​ Generic TLDs (gTLDs): These include.com,.net,.org,.gov,.edu, and others. They
are used broadly and may also include sponsored TLDs for specific communities or
industries, such as.cat for the Catalan community and.mobi for mobile services.
2.​ Country Code TLDs (ccTLDs): These represent specific countries, such as.it
(Italy),.fr (France),.au (Australia), and.ru (Russia).
Additionally, some gTLDs are restricted to certain groups or sectors:
​.pro: For licensed professionals.
​.name: For individuals.
​.gov: For government institutions.
The Domain Name System (DNS)
The Domain Name System (DNS) is a system that translates domain names (like
"google.com") into numerical IP addresses, allowing computers to locate each other on the
internet. It works like a telephone directory, mapping names to numbers.
DHCP is a network protocol used to automatically assign IP addresses to devices on
a network.
DHCP allows for the reuse of IP addresses when devices are disconnected from the
network.

Key Points:
1.​ Translation: DNS converts domain names into IP addresses, enabling data to reach
the correct destination.
2.​ Consistency: It ensures that each domain name is unique and universally
recognizable across the internet.
3.​ Structure: DNS relies on a distributed database stored in root servers, which hold
information on how domain names map to IP addresses.
4.​ Hierarchy: Root servers are arranged hierarchically, with top-level root servers
managing files for each Top-Level Domain (TLD) (like.com,.org).
5.​ TLD Management: New TLDs are controlled by ICANN, based in California.
ICANN (Internet Corporation for Assigned Names and Numbers) is a nonprofit private
organization responsible for managing and maintaining key databases related to internet
namespaces, ensuring the stable and secure operation of the network.
Originally under US government oversight, ICANN became fully privatized in 2016 and now
operates as a private multistakeholder community. While some alternative root systems
exist (like New.Net, UnifiedRoot, and OpenNIC), they have a very small market share due to
networking and cost challenges.
Problematic Issues with Domain Names
The main legal issues surrounding the Domain Name System (DNS) stem from two areas:
1.​ Domain Name Allocation: The process by which domain names are assigned to
individuals or organizations.
2.​ Permitted Top-Level Domains (TLDs): Determining which TLDs and domain names
are allowed.
The conflict arises because domain names have evolved from simple address identifiers to
symbols of broader identity and value, such as trademarks. Although domain names are not
scarce in a technical sense, they have become scarce in an economic sense, with some
gaining significant financial value. This has led to judicial recognition of domain names as a
form of property.
Governance of DNS
The governance of the Domain Name System (DNS) is primarily contractual, especially for
managing generic Top-Level Domains (gTLDs), though some country-code Top-Level
Domains (ccTLDs) have a legislative basis.
IANA (Internet Assigned Numbers Authority), now a department within ICANN, manages the
allocation of gTLDs. Originally an independent entity, IANA's functions were transferred to
ICANN through contracts, which have been renewed multiple times.
IANA/ICANN distributes IP address blocks to Regional Internet Registries (RIRs), which
then allocate these addresses to Internet Service Providers (ISPs). ISPs, in turn, assign
them to smaller ISPs, corporations, and individuals.
To support ICANN’s mission, various contracts and informal agreements are in place with
other bodies. These agreements address key issues like:
​ Policy for IP address allocation
​ Coordination of technical parameters for universal Internet connectivity
​ Ensuring Internet stability
​ Rules for DNS assignment to users.
Conclusions on Internet Governance
Currently, there is no specific regulation by national legal systems for DNS and IP address
systems, meaning the Internet infrastructure is largely self-governed.
The European Union's Directive 2002/21/EC states that it does not assign new
responsibilities to national regulatory authorities for Internet naming and addressing (Recital
20). It encourages EU Member States to coordinate in international forums for issues related
to Internet numbering, naming, and addressing to ensure global interoperability (Article
10(5)).
However, the EU may soon change its approach, but for now, Internet governance remains
based on ICANN's contractual model.
ePrivacy
When you share personal data online, such as when opening a bank account or booking a
flight, questions arise about its use and protection. Data protection laws allow the collection,
storage, and use of personal data under strict conditions and legitimate purposes.
Organizations must safeguard this data and respect the rights of individuals.
As users share personal data and sensitive metadata online, two conflicting interests
emerge: (1) IT companies want to collect and use data to improve services and business,
and (2) users want maximum privacy and minimal data usage. Data protection laws aim to
balance these interests, with consent being a key element. Companies can only process
personal data with user consent, except in cases required by law.
However, finding this balance is challenging. Businesses seek to collect more data for
growth, while users demand stronger privacy protection due to concerns over data
confidentiality. At times, users also object to excessive privacy safeguards.
SLOT III
Jurisdictional Issues and Privacy Protection Techniques
When sharing personal data online, it is unclear which laws govern data protection and
surveillance. Key questions include whether it is the law of the user's location, the company's
jurisdiction, the server’s location, or an optional law chosen during data entry. Conflicting
rules across countries create problems in data collection and treatment, as different
jurisdictions enforce varying privacy policies. This can be difficult for businesses to manage
and may discourage individuals from sharing data if they are uncertain about which laws
apply.
To navigate these challenges, companies use techniques like de-identification,
anonymization, and pseudonymization to evade data protection regulations, especially under
major privacy laws like those in the US and EU.

Personal information
Personal information can be categorized into direct and indirect identifiers.
​ Direct identifiers: These are data that identify an individual without needing
additional information, such as a name, telephone number, or government-issued ID.
​ Indirect identifiers: These are data that identify a person indirectly, like date of birth,
gender, ethnicity, location, cookies, IP address, and license plate number.
It is important to note that de-identified data meets the standards required by US privacy
laws for protecting personal information, whereas anonymized data complies with the EU's
GDPR.
"Personal data" is the core of data protection laws. Only data considered personal is subject
to these regulations. Non-personal data, which cannot be linked to an individual, falls outside
the scope of data protection laws and can be freely processed.
Under Article 2(1) of the GDPR, personal data is defined as "any information relating to an
identified or identifiable natural person." This includes identifiers like names, identification
numbers, location data, and online identifiers, as well as information about physical,
physiological, genetic, mental, economic, cultural, or social identity.
Personal data can take any form—alphabetic, numeric, video, or image—and includes both
objective (e.g., name, identification number) and subjective information (e.g., opinions,
evaluations). The key point is that the data describes something valuable about an
individual.
While insignificant information may not be considered personal data, new technologies have
made it possible to collect and analyze seemingly trivial data that, when linked to a person,
can acquire significant value.
When Can an Individual Be Identifiable?
In the Breyer case (C-582/14), the European Court of Justice ruled that a dynamic IP
address qualifies as personal data. It stated that information enabling identification doesn't
need to be held by one individual, but should be assessed based on the totality of means
that could be used to identify the person.
The Court also highlighted that identification risk is minimal if it is legally prohibited or
practically impossible due to disproportionate efforts in time, cost, and manpower. Thus,
even "anonymous" data may still carry a risk of identification.
De-identification, Anonymization, and Pseudonymization
"De-identification" refers to processes that remove both direct and indirect personal
identifiers from data. It includes various approaches, tools, and algorithms, making it
possible for organizations like governments and businesses to share data, such as in
medical research.

"Anonymization" is a more advanced form of de-identification, where all personal identifiers
are removed and technical safeguards ensure that the data can never be re-identified.
Unlike de-identified data, anonymized data cannot be linked back to individuals.
"Pseudonymization" (subcategory of de-identification) replaces personal identifiers with
artificial identifiers or pseudonyms. This reduces identification risks and helps organizations
meet data protection requirements. The EU defines pseudonymization as processing
personal data so that it can't be linked to a specific individual without additional information,
which must be stored separately and protected.
These techniques can be ranked based on re-identification risk:
​ Personally Identifiable Data: (Data that contains personal direct and indirect
identifiers) High re-identification risk.
​ De-Identified Data: (Data from which direct and indirect identifiers have been just
removed) Undefined re-identification risk.
​ Pseudonymous Data: (Data from which identifiers are replaced with artificial
identifiers) Remote re-identification risk.
​ Anonymous Data: Zero re-identification risk.
Have these techniques been recognized as effective under US and EU privacy law?
US privacy law
The Federal Trade Commission (FTC) defines its privacy framework as applying to data that
is "reasonably linkable" to a consumer. Data is not considered "reasonably linkable" if a
company takes steps to de-identify it, commits publicly not to re-identify it, and contractually
prevents others from doing so. The FTC emphasizes that de-identification is successful
when there is reasonable confidence that the remaining data cannot identify an individual.
In 2010, the National Institute of Standards and Technology (NIST) outlined five
de-identification techniques, each with varying effectiveness:
 1.​ Suppression: Removing or replacing personal identifiers with random values.
2.​ Averaging: Replacing personal data with the average value for a group (e.g., age).
3.​ Generalization: Reporting data in ranges or categories (e.g., replacing names with
generic terms like "PERSON NAME").
4.​ Perturbation: Modifying data within a defined range (e.g., adjusting dates of birth by a
few years).
5.​ Swapping: Exchanging personal identifiers between records (e.g., swapping zip
codes).
EU Privacy Law
The General Data Protection Regulation (GDPR) mandates stricter standards for data
protection compared to US laws. GDPR does not apply to data that cannot identify an
individual, whether inherently anonymous or rendered anonymous through processes
ensuring zero re-identification risk. Unlike the US's "reasonable confidence" standard, the
GDPR requires full anonymization, not just de-identification, to exempt data from its scope.
In 2014, the Article 29 Working Party (WP29), now the European Data Protection Board
(EDPB), issued Opinion 05/2014 on anonymization techniques. It emphasized that
anonymization must irreversibly prevent identification. WP29 identified seven anonymization
techniques:
1.​ Noise Addition: Personal identifiers are made imprecise (e.g., weight +/-10 pounds).
2.​ Substitution/Permutation: Identifiers are shuffled or replaced with random values
(e.g., zip code "80629" becomes "Goldenrod").
3.​ Differential Privacy: Data sets are compared with anonymized data using controlled
noise and acceptable data leakage limits.
4.​ Aggregation/K-Anonymity: Identifiers are generalized into ranges or groups (e.g.,
salary $42,000 becomes $35,000–$45,000).
5.​ L-Diversity: Generalized data is diversified so each attribute within a class occurs at
least a set number of times (e.g., each property in a partition appears at least "l"
times).
6.​ Pseudonymization—Hash Functions: Identifiers are replaced with fixed-size
artificial codes (e.g., "Paris" becomes "01").
7.​ Pseudonymization—Tokenization: Identifiers are replaced with random tokens
stored in a secure vault (e.g., credit card number becomes "958392038").
The Case of Cookies: Purpose, Types, and Regulation
Purpose and Functionality
Cookies are small data packets enabling user identification, personalized web interactions,
and streamlined processes like login and page loading. When visiting a website, cookies
collect personal data (e.g., name, email) entered into forms, creating an "electronic
footprint."
Types of cookies:
1.​ Session Cookies: Temporary; expire when the browser closes.
2.​ Persistent Cookies: Stored long-term; have set expiration dates.
Regulation and Concerns
The rise of malicious cookies (e.g., spyware, adware) has led to regulations requiring
websites to:
​ Inform users about cookie data storage.
​ Obtain explicit user consent.
The EU’s Directive 2009/136/CE requires websites to get user cosent to store data,
however this measure has been criticized for causing "consent fatigue" and hindering
features like remembered shopping carts.
Proposed EU Reforms
Planned changes include:
​ Simplified browser settings to accept or refuse tracking cookies.
​ No consent needed for non-intrusive cookies that improve user experience.
The goal is to balance privacy protection with user convenience.

Essential Rules and Principles in EU Data Protection Law

The type and amount of personal data a company may process depends on the legal basis
for processing and its intended use. Companies must adhere to the following principles:

​ Lawfulness, Fairness, and Transparency: Personal data must be processed
legally and transparently, ensuring fairness towards individuals.
​ Purpose Limitation: Data must be collected for specific, clearly communicated
purposes; undefined purposes are prohibited.
​ Data Minimization: Only data necessary for the specified purpose may be collected
and processed.
​ Accuracy: Personal data must be accurate, up-to-date, and corrected if found
inaccurate, considering the purpose of processing.
​ Purpose Compatibility: Data cannot be used for purposes incompatible with the
original intent.
​ Storage Limitation: Data must not be stored longer than necessary for its intended
purpose.
​ Integrity and Confidentiality: Companies must implement technical and
organizational safeguards to protect personal data from unauthorized processing,
accidental loss, destruction, or damage.

Information to the E-Customer
When collecting data from IT users, companies must provide clear and concise information,
including:
​ Company Details: Contact information, including the Data Protection Officer (DPO),
if applicable.
​ Purpose of Use: Reasons for processing personal data.
​ Data Categories: Types of personal data collected.
​ Legal Justification: Basis for data processing.
 ​ Retention Period: Duration for which the data will be kept.
​ Recipients: Entities who might receive the data.
​ International Transfers: Whether the data will be transferred outside the EU.
​ User Rights: Rights to access, copy data, lodge complaints with a Data Protection
Authority (DPA), and withdraw consent. Information on automated decision-making
and its consequences, where relevant.
This information must be delivered electronically (e.g., via emails, disclaimers, or privacy
policy links) in clear, accessible, and user-friendly language, free of charge.
Roles in Data Processing
EU data protection law defines two primary roles:
1.​ Data Controller: Determines the purposes and means of data processing (e.g., why
and how the data is processed). Employees within a company typically act on behalf
of the data controller.
2.​ Data Processor: Handles data on behalf of the controller, often as an external entity
(e.g., offering IT solutions or cloud storage). Processor obligations, such as
managing data post-contract termination, must be detailed in a legal contract.
Joint Controllers
When multiple entities collaboratively determine the purposes and means of data
processing, they act as joint controllers. They must create an arrangement detailing their
GDPR compliance responsibilities, and key aspects of this must be communicated to
affected individuals.
Example: Two companies share a platform for combined babysitting and DVD/game rental
services. By designing and managing the platform together, and sharing client data, they act
as joint controllers, jointly responsible for ensuring GDPR compliance.

SLOT IV

Data Protection by Design and Default
Companies should embed privacy and data protection safeguards into the design of their
processing operations from the outset (data protection by design). By default, companies
must ensure:
​ Personal data is processed with the highest privacy protection (e.g., minimal data
collection, short storage duration, limited accessibility).
​ Data is not accessible to an indefinite number of individuals unless necessary (data
protection by default).
Examples:
​ Privacy by Design: Pseudonymization, which protects confidentiality by replacing
identifiable information soon after data collection.
​ Data Protection by Default: A social media platform that sets profiles to the most
privacy-friendly settings by default, limiting visibility to others.
Data Breaches
A data breach occurs when a security incident compromises the confidentiality, availability,
or integrity of personal data.
Notification Requirements:
1.​ To Supervisory Authorities: Must be informed within 72 hours if the breach poses a
risk to individuals' rights and freedoms.
2.​ To Affected Individuals: Required if the breach poses a high risk, unless effective
protection measures (e.g., encryption) mitigate the risk.
Example of a Breach: A hospital employee publishes sensitive patient details online. Upon
discovery:
​ The hospital must inform the supervisory authority promptly.
​ Patients must also be notified, given the sensitive nature of the information (e.g.,
cancer or pregnancy status), unless the data was adequately protected (e.g.,
encrypted), reducing the material risk.
Sanctions under GDPR
The GDPR grants Data Protection Authorities (DPAs) various options for addressing
non-compliance with data protection rules:
​ Likely infringement: A warning may be issued.
​ Confirmed infringement: Penalties may include:
○​ A reprimand.
○​ A temporary or definitive ban on data processing.
○​ Fines: Up to €20 million or 4% of the business's total annual worldwide
turnover, whichever is higher.
Factors Considered for Sanctions
When determining the appropriate penalty, DPAs assess factors such as:
1.​ Nature, gravity, and duration of the infringement.
2.​ Intentional or negligent nature of the breach.
3.​ Actions taken to mitigate damages.
4.​ The organization's level of cooperation with the investigation.
Fines must be effective, proportionate, and dissuasive and may be imposed alone or in
combination with other corrective measures.
Example Case
A company selling household items online suffers a cyber-attack, compromising personal
customer data, including bank details. The DPA examines several factors to decide on
corrective action:
​ Seriousness of the IT system deficiencies.
​ Duration of exposure to risk.
​ Whether preventive tests were conducted.
​ Number of customers affected.
 ​ Type of data exposed (e.g., sensitive data).
These considerations guide the DPA in determining an appropriate response, such as a fine
or other sanctions.
eContracts and IT Contracts
The relationship between contracts and information technology can take several forms:
​ Standard software: License contracts.
​ Custom software: A combination of service and license contracts.
​ IT devices or hardware: Sale contracts paired with license contracts.
​ Software/hardware support: Service contracts.
​ Digital contracts: Contracts negotiated and concluded entirely through digital
resources.
Digital Contracts and E-Commerce
Digital contracts often pertain to e-commerce, which involves using online technologies to
sell or provide goods and services. These contracts raise legal and commercial questions
based on the parties involved:
​ B2B (Business-to-Business): Contracts between professionals or businesses.
​ B2C (Business-to-Consumer): Contracts between a business and a consumer.
​ C2C (Consumer-to-Consumer): An additional category that might involve
peer-to-peer transactions.
Example: Legal Issues in Online Purchases
A typical online purchase involves multiple actors, each connected by contracts in a complex
legal network:
1.​ Website owner (domain name).
2.​ Server owner (hosting the website).
3.​ Manufacturer or supplier of the goods.
4.​ Payment service provider.
5.​ Carrier for delivery.
Key Legal Challenges
These transactions raise several legal issues during the purchase, delivery, and after-sale
stages. A critical question is whether current laws can adequately address the complexities
of:
​ Multi-party contractual relationships.
​ Cross-jurisdictional legal systems.
​ Emerging legal concerns tied to digital and IT-driven commerce.
 E-COMMERCE, TEXTA
Overview of Tinexta Cyber
Tinexta Cyber, part of Tinexta SpA, focuses on secure digital innovation, helping businesses
transform digitally. It operates in 12 countries with nearly 3,000 employees, addressing
Digital Trust, Cybersecurity, and Business Innovation. Key entities include:
​ Corvallis: IT solutions for competitive business advantage.
​ Yoroi: Advanced cyber defense systems emphasizing human-centered strategies.
​ Swascan: Cloud-based cybersecurity testing with deep expertise in digital defense.

What is E-Commerce?
E-commerce refers to buying, selling, or transferring goods, services, and data online. It
spans five main business models:
1.​ B2C: Businesses sell directly to consumers (e.g., Amazon).
2.​ B2B: Transactions between businesses (e.g., Alibaba).
3.​ C2C: Consumers trade with one another (e.g., eBay, Airbnb).
4.​ C2B: Consumers provide goods or services to businesses (e.g., Shutterstock).
5.​ B2B2C: Businesses sell to other businesses, which then sell to consumers (e.g.,
welfare platforms).
Timeline of E-Commerce Evolution:
​ 1979: Concept introduced by Michael Aldrich.
​ 1994-2006: Growth of giants like Amazon, eBay, and platforms like Shopify.
​ 2014 onward: Introduction of social commerce, subscription models, and
pandemic-driven acceleration in 2020.

Business Models and Strategies
Strategic Considerations:
1.​ Define Objectives: Do you need your own store, or would partnering with a
marketplace suffice?
2.​ Market Maturity: Assess digital readiness, competitor strategies, and future
business model potential.
3.​ Marketplace vs. Online Store:
○​ Marketplaces like Amazon simplify operations but come with fees and
predefined policies.
 ○​ Online stores offer control and branding but demand operational
infrastructure.
Customer Journey and Experience:
​ Steps include Awareness, Consideration, Purchase, Retention, and Advocacy.
​ Focus on understanding customer pain points, showcasing unique selling points, and
building loyalty.

Building an E-Commerce Platform
To create an effective e-commerce setup, companies need:
1.​ Key Components:
○​ Frontend Website: The store interface for customers.
○​ E-Commerce Engine: Manages processes like product selection and
checkout.
○​ Payment Gateway: Processes customer payments.
○​ Backoffice Tools: Handles invoicing, shipping, refunds, and inventory.
○​ Customer Support: Provides interaction channels (chat, email, etc.).
○​ Contracts and Policies: Ensures compliance with legal standards.
○​ Digital Products: Requires activation processes for services like
subscriptions.
2.​ System Integration: Existing systems (e.g., ERP, CRM, logistics) must integrate with
the e-commerce platform. Companies often need external partners for seamless
implementation.

Choosing the Best Solution
How to Decide:
​ Use tools like Gartner’s Magic Quadrant or Forrester reports for insights.
​ Consider vendors that align with your company size and existing systems.
​ Check real-world use cases and seek customer testimonials from similar businesses.
Key Drivers:
​ Match platform scale with business needs.
​ Avoid vendor lock-in unless it simplifies integration.
​ Digital products and services often need custom solutions as retail-focused platforms
might not work well.

Pain Points to Address
1.​ Customer Journey Mapping: Ensure the e-commerce channel fits seamlessly into
existing workflows. Missteps here can cause project failure.
 2.​ Purchase Experience: Payments should be quick and simple; registration should
ask for minimal data.
3.​ Legal Compliance: Involve legal teams early to avoid issues like GDPR violations
that could harm customer experience.
4.​ User Expectations: Customers expect seamless interactions, comparable to
platforms like Amazon or TikTok.
5.​ After-Sales Services: Provide support channels for order tracking, usage guidance,
and issue resolution.

GROUP 1: AI

Historical Context
AI and IT law have evolved since the 1970s. Early laws, such as the U.S. Computer Fraud
and Abuse Act (1986), addressed data security and intellectual property. The 1990s and
2000s brought laws regulating e-commerce and privacy, such as the EU Data Protection
Directive (1995) and HIPAA (1996).​
In the 2010s, challenges like algorithmic bias and transparency emerged, addressed by
frameworks like GDPR (2018). The focus shifted to AI ethics, risk management, and
accountability in the 2020s, with efforts like the EU’s AI Act (2021) targeting high-risk
applications.

Ethical Implications
Ethical principles in AI include fairness, transparency, and accountability. Key risks involve:
​ Bias: Historical data biases perpetuate social inequalities, requiring robust audits.
​ Discrimination: Particularly relevant in hiring and justice systems, where algorithm
transparency is critical.
​ Global Inequalities: Developing countries often lack regulations, which can
exacerbate inequalities.

Key Legal Issues in AI
1.​ Data Privacy: Massive data requirements raise consent and protection concerns.
Compliance with regulations like GDPR is critical.
2.​ Intellectual Property: Questions of ownership for AI-generated content challenge
traditional frameworks.
3.​ Accountability: Establishing liability for autonomous systems’ decisions is complex.
4.​ Discrimination: Ensuring AI fairness by mitigating bias is a central concern.
5.​ Transparency: Addressing AI’s “black box” nature is essential for trust and
accountability.
Global Approaches to AI Law
European Union (EU):
​ AI Act (2021): Regulates AI to ensure safety and responsibility, emphasizing
transparency and risk categorization:
○​ Unacceptable Risk: Banned systems like social scoring.
○​ High Risk: Critical systems like transport or hiring undergo strict
assessments.
○​ Limited Risk: Systems like chatbots require transparency.
○​ Minimum Risk: Simple tools like anti-spam filters to make data safe.
Asia:
​ China: Prioritizes AI leadership through strong government control and regulations in
social media and surveillance.
​ Japan: Promotes ethical AI use through collaborative guidelines emphasizing
human-centricity.
​ India: Focuses on AI for social development but lacks specific AI legislation.
Regional and International Cooperation
Many Asian countries have participated in several global initiatives toward ethical AI,
including those under the OECD AI Principles and GPAI (Global Partnership on AI). They
collaborate to develop common data privacy, ethical, and safety standards for AI
development.
United States:
​ No comprehensive federal law yet, but key initiatives include:
○​ National AI Initiative Act (2020): Promotes AI research and innovation.
○​ AI Risk Management Framework (2021): Voluntary guidelines for ethical AI
use.
○​ AI Bill of Rights Blueprint (2022): Focuses on anti-discrimination,
transparency, and privacy.
○​ AI Accountability Act (2023): Proposed legislation for transparent AI
algorithms.

Case Studies
1.​ Intellectual Property Disputes:
○​ Authors sued OpenAI and Meta for unauthorized use of copyrighted works.
○​ GitHub has sued Microsoft over Copilot, alleging that it illicitly reproduces
code without attribution or regard for open-source licences.
2.​ Privacy Concerns:
○​ X (formerly Twitter) was accused of training AI models using user data without
consent, violating GDPR.
 3.​ Predictive Analytics: AI tools have streamlined legal workflows, like document
reviews, showing potential and regulatory challenges.

GROUP 2: SMART PRODUCTS

Regulatory Frameworks
1. General Data Protection Regulation (GDPR):​
The GDPR is the EU’s comprehensive law for safeguarding personal data. It enforces strict
rules on how organizations collect, process, and store personal information. Its main
features include:
​ Informed Consent: Businesses must obtain clear consent before collecting personal
data.
​ User Rights: Individuals can access, modify, or delete their data and object to its use
in profiling.
​ Data Minimization: Organizations can only collect data necessary for specific
purposes.
​ Risk Mitigation: Companies are required to perform Data Protection Impact
Assessments (DPIAs) to identify and address data risks proactively.
2. NIS2 Directive (Network and Information Systems Directive):​
This 2022 directive enhances EU-wide cybersecurity by:
​ Setting higher standards for critical infrastructure sectors like healthcare, energy, and
transport.
​ Mandating coordinated vulnerability disclosure through national Computer Security
Incident Response Teams (CSIRTs).
​ Differentiating between "essential" and "important" entities to prioritize resources for
more impactful sectors.
3. California Consumer Privacy Act (CCPA):​
This U.S. state law grants residents significant control over their personal data, including
rights to:
​ Know what personal data is being collected.
​ Request data deletion.
​ Opt out of the sale of personal data.​
The CCPA mirrors GDPR in promoting transparency and accountability but is specific
to California residents.
National CSIRTs (Computer Security Incident Response Teams) coordinate these efforts,
ensuring vulnerabilities are addressed promptly and information is shared appropriately.
Cybersecurity:​
Smart devices are vulnerable to hacking, posing threats like:
​ Data Theft: Hackers can access sensitive information, including financial details and
health records.
 ​ Network Compromise: A single compromised device could expose entire systems.
Regulatory responses:
​ The EU Cybersecurity Act mandates that devices meet strict security certification
standards. (NIS2 Directive)
​ The California IoT Security Law requires unique default passwords and secure
settings to prevent unauthorized access.
Liability:​
Assigning responsibility for failures in autonomous devices is complex due to their reliance
on algorithms and external inputs. Causes of failure may include:
​ Faulty programming or inadequate training data.
​ Hardware malfunctions or environmental factors.​
The EU Product Liability Directive and the Consumer Rights Directive ensures
manufacturers are held accountable for defective products, providing consumer
protections.
Case Study: IoT Cybersecurity Breach
The 2018 Las Vegas casino cyberattack demonstrates the real-world risks of insecure smart
devices. Hackers exploited a vulnerability in an internet-connected aquarium thermostat to
access the casino’s central systems, extracting sensitive data.
Lessons from this breach include:
​ The importance of coordinated vulnerability disclosure, facilitated by CSIRTs.
​ Adopting a multi-risk approach to address various threats simultaneously, such as
physical, cyber, and operational risks.
​ Enhancing collaboration across sectors and nations to effectively manage
large-scale cyber security crises.
Legal Frameworks in Action:
​ The Radio Equipment Directive and the Electromagnetic Compatibility Directive
ensure that smart devices meet safety and performance standards.
​ Consumer protection laws, including the EU Consumer Rights Directive, enforce
transparency and user safety in smart device usage.

GROUP 3: CRYPTOCURRENCY
1.​ EU Regulatory Frameworks and Global Approaches
1.1 MiCA: Markets in Crypto-Assets Regulation​
MiCA is the EU’s initiative to standardize cryptocurrency regulations across member states.
It aims to:
​ Protect consumers and investors.
​ Enhance market integrity and stability.
​ Regulate utility tokens, stablecoins, and e-money tokens.
Key provisions include:
 ​ Licensing requirements for crypto service providers.
​ Strict standards for risk management, cybersecurity, and transparency.
​ Specific rules for stablecoin issuers, such as maintaining reserves equivalent to the
issued amount to protect user assets and market trust.
1.2 Comparisons to Global Frameworks
​ United States: Regulatory fragmentation among bodies like the SEC, CFTC, and
FinCEN creates inconsistencies.
​ United Kingdom: A unified approach led by the FCA and HM Treasury fosters
growth while maintaining oversight.
​ European Union: MiCA establishes uniform regulations, addressing market abuse,
consumer protection, and environmental concerns.
1.3 Global Systems
​ Financial Stability Board (FSB): Coordinates international efforts to mitigate risks
from stablecoins and crypto-assets but lacks enforcement authority.
​ International Monetary Fund (IMF): Advocates for collaboration on AML policies
and central bank digital currencies (CBDCs).
​ Financial Action Task Force (FATF): Implements AML standards like the "Travel
Rule" for transaction transparency, though privacy concerns remain.
​ Basel Committee on Banking Supervision (BCBS): Provides guidelines for
prudent banking practices in crypto activities.
1.4 Challenges and Future Directions​
Major issues include regulatory arbitrage, inconsistent enforcement, and the environmental
impact of crypto mining. International collaboration and environmentally conscious practices
are essential for addressing these challenges.

2.​ Cryptocurrencies and AML Compliance
2.1 Risks and Anonymity​
Cryptocurrencies’ pseudonymity is exploited for money laundering, often through services
that obscure fund origins or blockchain “chain switching.”
2.2 EU AML Directives​
To combat these risks, the EU’s MiCA and AML directives require:
​ User identification through documentation like IDs and proof of residence.
​ Enhanced due diligence for high-risk transactions.
​ Real-time blockchain analytics to detect suspicious activity.
2.3 Challenges with DeFi Platforms​
Decentralized finance (DeFi) platforms, lacking central oversight, present challenges for
AML compliance. Continued advancements in regulation and international cooperation are
needed to enhance transparency and security.

3.​ Taxation of Cryptocurrencies in the EU
3.1 Classification and Taxation​
EU countries vary in how they classify and tax cryptocurrencies, usually treating them as
assets rather than currency. Examples:
​ Germany: Exempts long-term crypto holdings from capital gains tax.
​ France: Taxes frequent crypto trades as income, with occasional users paying a flat
rate of 30%.
​ Italy: Exempts gains under €2,000 but taxes larger amounts at 26%.
3.2 DAC8 Directive​
This EU directive, effective in 2026, will require crypto platforms to report transaction data to
tax authorities, closing loopholes and aligning with global efforts like the OECD’s
Crypto-Asset Reporting Framework.
3.3 VAT and Income Tax​
A 2015 European Court ruling exempts crypto trades from VAT, treating them as a means of
payment. However, cross-border transactions complicate taxation, and partial anonymity
challenges authorities in tracking earnings and enforcing compliance.

4.​ Consumer Protection in Cryptocurrency
4.1 MiCA Provisions​
MiCA increases consumer protection by regulating:
​ Asset-referenced tokens, stablecoins, and utility tokens.
​ Transparency in transactions and authorization processes.
​ Environmental impact disclosures.
Crypto service providers must obtain authorization to operate and safeguard client assets.
The EBA maintains a public database of non-compliant providers.
4.2 Market Manipulation and Advertising​
The EU’s revised Consumer Rights Directive and Unfair Commercial Practices Directive
address:
​ Deceptive marketing, including inflated returns and minimized risks.
​ Prohibition of insider trading, pump-and-dump schemes, and market manipulation.
​ Transparency in digital advertising under the Digital Services Act (DSA), requiring
clear labeling of paid promotions.

5.​ Privacy and Data Protection Laws
5.1 GDPR Challenges with Blockchain​
Blockchain’s immutability conflicts with GDPR principles like the "right to be forgotten" and
data correction. Solutions like off-chain storage and encryption offer partial compliance, but
full alignment remains difficult.
5.2 Pseudonymity vs. Anonymity​
Blockchain transactions, though pseudonymous, are often traceable with sufficient context,
keeping them under GDPR regulation.
5.3 Cross-Border Data Transfers​
Blockchain networks replicate data globally, complicating GDPR compliance regarding
transfers to regions with weaker data protections.

GROUP 4: CROWDFUNDING
1.​ Types of Crowdfunding
a.​ Equity-Based Crowdfunding:​
Contributors invest in exchange for a stake in the business. This model allows
startups to secure capital while offering investors ownership and potential
returns. Example: Wefunder.
b.​ Lending Model (Peer-to-Peer Lending):​
Individuals lend directly to businesses or other individuals, bypassing
traditional banks. Borrowers gain easier access to funds, and lenders earn
returns. Examples: Prosper and SoFi.
c.​ Reward-Based Crowdfunding:​
Contributors receive non-financial rewards, often the product or service being
developed. This model is popular for creative ventures, product launches, and
startups, enabling campaigns to gather pre-orders and ensure cash flow.
d.​ Donation-Based Crowdfunding:​
Contributors donate without expecting financial or material returns. This
model supports charitable causes, community projects, or personal
campaigns.
2. Legal Framework Governing Crowdfunding
2.1 EU Legislation
The Regulation (EU) 2020/1503 provides a unified legal framework for crowdfunding
service providers (CSPs) across all EU member states.​
Key provisions include:
​ Authorization: CSPs must be licensed by regulatory authorities and act with
integrity, equity, and professionalism.
​ Conflict of Interest: Platforms cannot direct users to specific projects for personal
gain or invest in campaigns hosted on their platforms.
​ Due Diligence: Platforms must verify project owners and conduct checks before
hosting projects.
​ Risk Management: Providers must secure user funds and manage risks associated
with third-party services.
​ Reporting: Annual reports on financed projects are mandatory, and records must be
kept for at least five years.
2.2 Italian Legislation
Italian crowdfunding operates under Regulation (EU) 2020/1503, with additional rules from
CONSOB and the TUF (these are some of its articles):
​ Art. 1, c. 5-novies: Defines equity crowdfunding portals as platforms enabling SMEs
and social enterprises to raise funds from non-professional investors.
 ​ Art. 50-quinquies: Requires portal managers to register with CONSOB, adhere to
strict transparency rules, and avoid handling funds directly.
​ Art. 100-ter: Regulates Public Tender Offers (PTO), ensuring acquiring entities in
listed companies protect minority shareholders through fair pricing and compliance.
These rules promote transparency, investor protection, and market integrity.
3. Platform Operators and Intermediaries
3.1 Roles and Responsibilities
Crowdfunding platforms must:
​ Obtain authorization to operate in their respective jurisdictions.
​ Ensure transparency in project selection, evaluation, and risk analysis.
​ Offer clear exit mechanisms for investors.
3.2 Issues
Common challenges include:
​ Investment Failure: Campaigns may fail, especially if backed by inexperienced
investors.
​ Fraud: Rare but possible, including fraudulent campaigns and financial scams.
Preventive measures include compulsory audits, using authorized platforms, and
monitoring fraud risks.
4. Data Privacy and Security
4.1 Data Collection
Crowdfunding platforms collect various types of data:
​ Personal information (e.g., name, email, phone number).
​ Financial data for donations or investments.
​ Behavioral data through tracking technologies, cookies, and social media integration.
4.2 Data Usage
Data is used to enhance user experiences by:
​ Offering personalized recommendations.
​ Streamlining payment processes with stored information.
​ Customizing communication with updates on campaigns and offers.
​ Improving platform features through user feedback and data analysis.
4.3 Privacy and Security Issues
Key concerns include:
​ Surveillance Risks: Platforms may over-monitor user behavior using AI.
​ Unauthorized Data Use: Personal information may be sold to third parties without
consent.
​ Information Asymmetry: Users are often unaware of what data is being collected
and how it is used.
4.4 GDPR Compliance
The EU’s GDPR ensures data protection and privacy by requiring:
​ Explicit user consent for data collection.
​ Transparency through clear privacy policies.
​ Data minimization (only essential information collected).
​ Strong security measures, including encryption and breach notifications.
​ Accountability through compliance documentation and appointment of Data
Protection Officers (DPOs) where needed.
5. Ethical and Social Implications
5.1 Accessibility vs. Inequality
Crowdfunding democratizes fundraising, enabling individuals to secure funds without
traditional financial barriers. However, campaigns from underrepresented regions may face
biases and limited visibility, perpetuating inequalities.
5.2 Fraud Risks
Ethical crowdfunding requires truthfulness and transparency. Regulatory bodies like the FTC
(USA) and SEC enforce anti-fraud measures to protect contributors.
5.3 Donor Rights and Platform Responsibilities
Donors are entitled to fraud prevention systems, refund mechanisms, and transparency.
Platforms must conduct audits, use anti-fraud technologies, and collaborate with authorities
(SEC) to ensure campaign integrity.
6. Case Studies
6.1 U.S. Crowdfunding Violations
In 2022, Wefunder Portal LLC was fined $1.4 million and StartEngine Capital LLC
$350,000 by FINRA for regulatory breaches.
​ Wefunder: Exceeded funding limits under Regulation Crowdfunding by $20 million
and failed to return funds to investors.
​ StartEngine: Provided misleading information and inaccurate investment tools.
These cases highlight the need for strict compliance to protect investors and market integrity.
6.2 Italy’s Approach
Since 2019, CONSOB has shut down 970 unauthorized financial websites.
​ The "Decreto Crescita" (Growth Decree) requires Internet providers to block
unregulated platforms, reducing investor risks and ensuring compliance.
Both U.S. and Italian actions underline the importance of strong oversight in crowdfunding.
7. Future Developments
Crowdfunding is set to grow with advancements in technology and regulation. Key
developments include:
​ Blockchain Technology: Enhances transparency and security by creating
immutable transaction records, increasing trust and reducing fraud.
 ​ Artificial Intelligence (AI): Optimizes campaigns by analyzing user behavior to
boost engagement and success rates.
​ Regulatory Evolution: Collaboration between platforms and regulators will create
standardized guidelines to better protect investors.
​ New Investment Areas: Expansion into sectors like real estate and green energy
will broaden crowdfunding’s scope to meet diverse needs.
These changes will strengthen crowdfunding by balancing innovation with accountability.

GROUP 5: NFT

Introduction: What Are NFTs?
Non-Fungible Tokens (NFTs) are unique digital assets representing proof of ownership
stored on the blockchain. Unlike fungible assets like cryptocurrencies, NFTs cannot be
exchanged one-for-one as they are unique.​
Uses:
​ Digital art and collectibles.
​ Tickets for exclusive events.
​ Gaming assets (e.g., characters or skins).
​ Verification of physical assets.​
Popular Marketplaces:
​ Ethereum: High transaction fees, widely used (e.g., OpenSea, Rarible).
​ Solana: Faster transactions, lower fees (e.g., Magic Eden).
​ Polygon: Low fees, suitable for beginners.

Blockchain Technology and NFTs
A blockchain is a decentralized and distributed ledger that securely records transactions
across multiple computers. Transactions are grouped into "blocks," which are linked together
using cryptographic hashes.​
Key Features:
​ Transparency and traceability.
​ Permanence ensures authenticity and ownership history.
​ Decentralization prevents manipulation by a central authority.

Ownership and Copyright Issues in NFTs
NFTs create challenges for traditional intellectual property (IP) laws, particularly around
ownership and copyright.
What Does NFT Ownership Include?
When you buy an NFT, you own the token itself, but not the copyright to the associated
content (e.g., digital art). You cannot reproduce or sell the content unless the creator grants
those specific rights.
Legal Ambiguity
Current laws, like the Copyright, Designs, and Patents Act 1988 (UK), don’t clarify how
copyright applies to NFTs. Typically, copyright remains with the creator unless transferred,
leading to confusion over the extent of rights included in an NFT purchase.
Global and Jurisdictional Challenges
NFTs operate globally on decentralized platforms, making it hard to enforce IP laws across
different jurisdictions. International cooperation is necessary to protect creators' and buyers'
rights.
Opportunities for Improvement
NFTs could streamline IP management through:
​ Patent Tokenization: NFTs can automate royalties and improve transparency in IP.
​ Clear Licensing: Including detailed usage rights in smart contracts could reduce
confusion.
AI-Generated Content
AI-generated NFTs complicate copyright, as U.S. law requires human authorship for
copyright. Legal updates are needed to address ownership and authorship for AI-created
works.

Right to Privacy and NFTs
NFTs present significant privacy challenges due to blockchain’s immutability,
decentralization, and traceability, which conflict with privacy laws like the GDPR.
Conflicts with Privacy Laws
Blockchain data cannot be modified or deleted, which directly conflicts with the GDPR’s
"right to be forgotten". Since blockchain transactions are permanent, it’s impossible to fully
comply with this privacy right unless off-chain storage or data obfuscation methods are used,
though these might not meet GDPR standards.
Anonymity vs. Traceability
While blockchain transactions are pseudonymous, traceability can link wallet addresses to
individuals, potentially exposing sensitive data. This transparency challenges privacy, as
personal identities may be revealed through linked transactions.
Potential Solutions:
1.​ Zero-Knowledge Proofs (ZKPs): Cryptographic methods that verify data without
revealing personal details, preserving both privacy and transparency.
2.​ Advanced Cryptography: New cryptographic techniques could enhance privacy, but
they are not widely used in NFTs yet.
Decentralized Governance and Privacy Issues
In decentralized blockchains, no central authority exists to ensure compliance with privacy
laws, making GDPR enforcement difficult. Private or consortium blockchains may provide
more control but reduce decentralization, compromising blockchain’s benefits.
GDPR Compliance Challenges
Without a central authority, GDPR compliance is difficult in decentralized systems. Private
blockchains offer more oversight but at the cost of blockchain’s core value of
decentralization.
Security Risks
Although blockchain is secure, wallet security remains a concern. NFTs are tied to wallet
addresses, offering privacy, but hacks can lead to theft, which is often irrecoverable.

International Legal Aspects of NFTs
NFTs face challenges in a global, decentralized environment, especially regarding data
protection, cybersecurity, and e-commerce. Different countries have varying regulations
for digital assets like NFTs.
European Union
The GDPR is one of the strictest data privacy laws globally, protecting user rights such as
data access and deletion.
​ Impact: The GDPR was highlighted when Meta was fined €1.2 billion for illegal data
transfers in 2023.
​ However, enforcing GDPR on decentralized platforms, like NFTs, is difficult.
United States
The U.S. lacks a unified federal data protection law, leading to state-specific regulations like
the CCPA.
​ Challenges: The 2017 Equifax breach highlighted gaps in consumer data
protection.
Asia
​ China: The PIPL emphasizes data localization and state control, complicating
cross-border data flow for NFTs.
​ Japan: The APPI balances privacy and innovation, while India is working on the
Digital Personal Data Protection Act, though enforcement is challenging.
Global Regulatory Challenges
​ Lack of Harmonization: The EU focuses on privacy, the U.S. prioritizes
innovation, and China enforces state control over data.
​ International Cooperation: Better global collaboration is needed to align regulations
and improve protection for consumers and businesses.
Regulation and Fraud
NFT markets face fraud challenges, including:
​ Rug Pulls: Developers abandon projects after collecting funds.
 ​ Wash Trading: Inflated trading volumes to mislead buyers.
​ Phishing: Fake sites stealing wallet credentials.
Legal Gaps:
​ Existing consumer protection and IP laws address some issues but lack consistency,
especially internationally.
​ Stronger regulations, like Know Your Customer (KYC) checks, and blockchain tools
for ownership authentication are needed.
What’s essential is to have an international collaboration to establish legal frameworks and
definitions of NFTs and to educate users about potential risks in order to prevent and protect
themselves from them.

Taxation of NFTs
NFT taxation varies globally:
​ USA: NFTs are taxed as property.Creators are taxed on sales and royalties as
income, potentially subject to self-employment tax.
​ EU: Inconsistent taxation:
○​ France and Germany apply VAT and treat profits as taxable income.
○​ Italy : In Italy, gains from NFT transactions exceeding €2,000 are subject to
capital income tax, with VAT applied to commercial activities related to NFTs.
​ Asia: Mixed approaches (nfts are generally taxed as digital assets); China taxes NFT
as business or individual income, while Japan applies VAT and income tax.
Authorities must clarify rules to prevent tax evasion and provide consistency for global
markets.

NFTs and Environmental Impact
NFTs, especially on Ethereum and Proof of Work (PoW) blockchains like Bitcoin, consume
significant energy due to the computational requirements of minting, transferring, and selling
NFTs.
NFT Lifecycle and Energy Consumption:
1.​ Minting: Creating and storing an NFT on the blockchain requires high energy.
2.​ Tokenization: Creating keys for access to a wallet and minting the NFT.
3.​ Listing: Displaying the NFT on a marketplace for sale.
4.​ Buying/Selling: Transactions that validate and transfer ownership also consume
energy.
The PoW (Proof of Work) mechanism is the main contributor to the energy used in NFT
processes.
 GROUP 6: SOCIAL NETWORKS
1. Definition and Importance
​ Definition: Social networks are digital platforms enabling user profiles, content
sharing, and interactions across distances.
​ Importance: They drive global connectivity, amplify voices, support activism, and
foster professional and personal networks. Beyond communication, they influence
public opinion, education, and commerce.

2. History and Development
​ Early Tools (1970s, BBS let people log in and interact): UseNet (1979) enabled
discussions without central servers.
​ First Social Networks (1995-2000): Classmates.com and SixDegrees allowed
profiles and friend connections.
​ Growth in the 2000s: Platforms like MySpace (creativity), Facebook (real-life
connections), and LinkedIn (professional networking) tailored to specific needs.
​ Specialization by 2010s: Platforms like YouTube (video sharing) and TikTok
(short-form videos) emerged, adapting to evolving user demands.

3. Societal Effects
Positive Impacts:
​ Global Connectivity: Enables cross-cultural exchanges, learning, and emergency
communication.
​ Activism and Awareness: Platforms like Twitter amplify movements (#MeToo,
#BlackLivesMatter).
​ Business Growth: Small businesses reach larger audiences directly.
Negative Impacts:
​ Mental Health: Links to depression, anxiety, and body image issues due to curated
online comparisons.
​ Misinformation: Rapid spread fuels polarization and confusion.
​ Privacy Concerns: Data breaches and cyberbullying persist.

4. Relationships, Culture, and Censorship
​ Relationships: Social networks bridge geographical divides but risk reducing real-life
interactions.
 ​ Culture: Promote cultural homogenization, blending global trends but threatening
local traditions.
​ Censorship: Governments control platforms during unrest (e.g., Arab Spring,
Internet shutdowns in India).

5. Legal and Regulatory Aspects
​ Data Privacy: GDPR ensures data protection, transparency, and cross-border
compliance.
​ Content Moderation: Balances free speech with harmful content removal (e.g., EU
Digital Services Act).
​ Emerging Technologies: AI, blockchain, and metaverse introduce privacy, security,
and ownership concerns.
​ Cybersecurity: Regulations like the EU NIS2 Directive and the U.S. CISA demand
strong user data protections and incident reporting.
​ Ethics: Platforms must balance information flow with protection from harm
(misinformation, cyberbullying).

6. Privacy and Cybersecurity
​ Privacy Risks: Public visibility exposes users to scams and phishing. Third-party
apps may misuse data.
​ Cybersecurity Measures: Strong privacy settings, vigilance, and robust passwords
reduce risks.

7. Business Applications
​ Customer Engagement: Interactive tools (polls, live chats) foster loyalty and
advocacy.
​ E-commerce: Integrates with shoppable posts and in-app purchases, enhancing the
buyer journey and enabling impulse purchases.

8. Political Influence and Activism
​ Social networks transform political campaigns, enabling direct voter interaction and
rapid protest mobilization.
​ Examples:
○​ Nigeria’s 2015 election leveraged social media for anti-corruption
campaigns.Parties utilised these tools to address issues like corruption and
security, engaging millions through targeted campaigns.
○​ India’s 2014 elections engaged tech-savvy youth.

9. Fake News and Disinformation
Social networks amplify fake news through algorithms that prioritize sensational content for
engagement.
Causes:
​ Algorithms: Promote eye-catching but false information.
​ Cognitive Biases: Users share unverified content aligning with their beliefs.
​ Trust Default: People trust information from their networks.
Impacts:
​ Erodes Trust: Undermines institutions and fosters division.
​ Critical Events: Disinformation in elections and crises threatens democracy and
safety.
GROUP 7: HATE SPEECH

1. Definition of Hate Speech
Hate speech includes communication (speech, writing, or behavior) that uses discriminatory
or pejorative language to attack individuals or groups based on their identity (e.g., religion,
ethnicity, race, gender).
Hate Speech in Italy
​ The rise of online hate speech has spurred debates on balancing freedom of
speech with stricter regulations.
​ Proposed laws aimed at combating hate speech face opposition due to concerns
about infringing on free expression.
2. Spread of Hate Speech Through Networks
Social networks facilitate the spread of hate speech due to:
1.​ Algorithms:
○​ Filter Bubbles: Reinforce existing beliefs by prioritizing similar content.
○​ Echo Chambers: Create isolated communities that amplify hateful ideas.
2.​ Anonymity: Allows users to express hateful views without fear of accountability.
3.​ Network Effects:
○​ Real-time dissemination of messages.
○​ Hateful content resurfaces even after deletion due to its "sticky" nature.
Impacts:
​ Encourages offline discrimination and violence.
​ Social media struggles to balance free expression with content moderation.
Solutions:
​ Stricter regulations.
​ Improved technological moderation (AI/ML).
 ​ Education and promotion of positive speech.

3. Role of Social Media Platforms
Each platform tackles hate speech based on its community standards:
1.​ Facebook:
○​ Flags hate speech targeting groups (e.g., "I hate Christians") but not
ideologies (e.g., "I hate Christianity").
○​ Manual moderation; often reactive rather than proactive.
○​ Critics argue it addresses systemic hate as a personal issue (e.g., blocking).
2.​ YouTube:
○​ Allows criticism of governments but flags racial or religious hate speech.
○​ Heavy reliance on user reports; harmful content often lingers too long.
3.​ Twitter:
○​ Includes hate speech under abusive behavior policies.
○​ Uses both algorithms and human moderation, often suspending accounts
temporarily instead of banning.
4. Case Study: Caroline Criado-Perez
Caroline Criado-Perez faced abuse after campaigning for a woman’s image on UK
banknotes:
​ Received 50 abusive tweets/hour for 12 hours, including death and rape threats.
​ Two offenders were jailed, highlighting the psychological toll of online hate speech.
​ Resulted in Twitter updating its rules and adding a report abuse button.
5. Social and Psychological Impact
1.​ Individual Effects:
○​ Anxiety, depression, PTSD, low self-esteem.
○​ Chronic exposure leads to physical health issues (e.g., insomnia, heart
disease).
2.​ Social Effects:
○​ Polarization and decline in trust.
○​ Normalization of prejudice.
3.​ Community and Societal Effects:
○​ Fractures social bonds and silences marginalized voices.
○​ Incites fear, violence, and cultural division.
Mitigation Measures:
​ Education to combat hate normalization.
​ Laws for toxic discourse regulation.
 ​ Community programs to rebuild trust.
6. Hate Speech Legislation
United States:
​ Protected under the First Amendment(The courts justify this by stating the First
Amendment actively prohibits the government from censorship of the public debate
on issues of social importance), unless it:
○​ Incites violence or lawless action.
○​ Includes "fighting words" likely to provoke violence.
○​ Harasses or defames individuals.
​ Critics argue the lack of bans on general hate speech allows harmful discourse
online.
European Union:
​ Governed by the European Convention on Human Rights (ECHR).
​ Council Framework Decision (2008/913/JHA): Criminalizes hate speech,
incitement to violence, and genocide denial.
​ Digital Services Act (DSA):
○​ Mandates the removal of illegal content (e.g., hate speech) within 24 hours of
notification from online platforms.
○​ Requires platforms to perform risk assessments and increase transparency.
7. Technological Solutions and Challenges
​ AI and Machine Learning: Tools analyze text, audio, and images for harmful
content.
○​ Natural Language Processing (NLP) assesses context and sentiment.
○​ Tools like BERT detect patterns in annotated datasets.
Challenges:
​ Sarcasm, coded language, and cultural nuances confuse AI.
​ Detection biases lead to false positives (censorship) or false negatives (missed
content).
​ Scalability issues on large platforms.
Future Directions:
​ Adaptive AI for evolving hate speech trends.
​ Multimodal Approaches: Combine text, image, and audio analysis.
​ Collaboration among governments, companies, and researchers.
GROUP 8: CLOUD COMPUTING
1. Introduction to Cloud Computing
 ​ Definition: A technology that provides remote storage and processing power,
enabling users to access data and run applications via the internet. Examples include
Google Docs, iCloud, and Instagram.
​ Benefits:
○​ Scalability: Expands based on user needs.
○​ Cost Efficiency: Eliminates physical infrastructure investment.
○​ Accessibility: Enables global access and supports developers with tailored
solutions.
​ Types of Clouds:
○​ Public Cloud: Shared infrastructure accessible over the internet.
○​ Private Cloud: Dedicated to a single organization.
○​ Hybrid Cloud: Combines public and private clouds.
​ Service Models:
○​ IaaS: Infrastructure as a Service (e.g., servers, storage).
○​ PaaS: Platform as a Service (e.g., development tools).
○​ SaaS: Software as a Service (e.g., applications).

2. Cloud Computing Regulatory Framework
European Union (EU):
​ Governed by the General Data Protection Regulation (GDPR), requiring robust
measures to protect personal data.
​ Cross-border data transfers allowed only under specific conditions (e.g., Standard
Contractual Clauses).
United States (US):
​ No overarching data protection law like the GDPR; regulations are sector-specific:
○​ HIPAA: Protects health information.
○​ COPPA: Safeguards children’s data.
○​ CLOUD Act: Allows government access to data stored by US companies,
even abroad.
Legal Challenges:
​ The invalidation of the EU-US Privacy Shield (2020) complicated cross-border data
transfers between the UE and the US.
​ Organizations must address these regulatory gaps via data localization, encryption,
and legal counseling.

3. Intellectual Property (IP) Issues in Cloud Computing
​ Ownership of Data:
 ○​ Contracts must clearly define data and application ownership to avoid
disputes.
○​ Customers usually retain ownership of their data, while providers grant limited
access.
Security Concerns:
​ Compliance with ISO/IEC 27001 reduces risks like IP theft or unauthorized access.
​ Compliance with international cybersecurity standards, such as ISO/IEC 27001, can
reduce these risks by ensuring the right handling of sensitive information.
​ Jurisdictional differences complicate IP protection, especially in countries with weaker
enforcement.
Termination Clauses:
​ Contracts should specify the safe deletion or return of data upon service termination
to prevent IP misuse.

4. Legal and Contractual Responsibilities
Liability in Cloud Contracts:
​ Providers limit their liability, while clients seek broader guarantees.
​ Indemnification Clauses: explaining the responsibilities in cases such as data
breach or service outage.
Key Risks in Contracts:
​ Ambiguous terms and evolving services create discrepancies between promised and
delivered outcomes.
Dispute Resolution:
​ Contracts should include clear multi-tiered escalation procedures for disputes.
​ Must comply with jurisdiction-specific laws to ensure enforceability.
Adapting to New Regulations:
​ Contracts must allow updates to align with future regulatory changes (e.g., stricter
cybersecurity standards).

5. Ethical Concerns in Cloud Computing
Government Access to Data:
​ Authorities can request access for national security or criminal investigations, raising
privacy concerns.
​ Transparency: Providers must disclose policies on government data requests.
​ Responsibility: Companies need internal guidelines to ensure legitimate and
proportional access.

GROUP 9: IOT
1. Introduction to IoT
​ Definition: IoT connects everyday physical objects to the internet, enabling them to
collect, share, and analyze data autonomously. Examples include smart homes,
wearables, healthcare devices, industrial systems, and smart cities.
​ Key Components:
1.​ Device (Thing): Equipped with sensors (data collection) and actuators (action
execution).
2.​ Gateway: Transfers data to the cloud.
3.​ Cloud: Provides storage and processing power.
4.​ Analytics: Interprets data for actionable insights.
5.​ User Interface: Enables user monitoring and control.

2. History of IoT
​ 1960s: ARPANET, the precursor to today’s internet, laid the foundation.
​ 1980s: Early IoT examples like Carnegie Mellon University’s connected Coca-Cola
machine.
​ 1999: Kevin Ashton coined "Internet of Things," advocating radio-frequency
identification chips for inventory tracking.
​ 2008: IoT devices surpassed the global population in number.

3. Security and Privacy Challenges in IoT
​ Key Threats:
1.​ Weak Authentication: Exploitable passwords.
2.​ Shared Network Access: IoT devices as entry points for cyberattacks.
3.​ Limited Device Management: Difficulty in detecting vulnerabilities and
unauthorized access.
​ Protection Techniques:
1.​ Multi-Layered Security: Multi-factor authentication and biometric verification.
2.​ VPNs: Secure networks reduce exposure to hackers.
3.​ Mobile Device Management (MDM): Centralized security for devices.
4.​ Regular Updates: Fix vulnerabilities promptly.

4. Legal Frameworks for IoT
European Union (EU):
1.​ GDPR (2018): Governs data collection, requiring user consent and offering deletion
rights.
 2.​ Cybersecurity Act (CSA): Introduced certification schemes for IoT device security.
3.​ Digital Market Act (DMA): Ensures fairness, transparency, and interoperability in IoT
markets.
4.​ Artificial Intelligence Act: Classifies AI-powered IoT systems by risk level and
mandates transparency.
United States (US):In order to ensure and assure data quality, the government has to play a
double role. The first one is the user role, which means that it must decide how IoT should
be employed and list the requirements for assuring highly reliable IoT products and
solutions.The second role is the infrastructure provider role, in which the government must
provide regulations for every device used for Connection to the IoT.
1.​ White House IoT Principles (2012):
○​ Data use must respect the user’s context in which it has been collected and
consent.
○​ Emphasizes transparency, security, and accountability.
2.​ IoT Cybersecurity Improvement Act (2020): Sets minimum security standards for
federal IoT devices.

5. IoT Applications
Smart Homes:
​ Features: Automation, security, energy efficiency via protocols like Wi-Fi, Zigbee,
and Bluetooth.
​ Devices: Smart assistants (Alexa, Siri), connected appliances, and sensors.
​ Regulations:
○​ ISO/IEC 30118-5:2021: Compatibility standards and smooth operation.
○​ GDPR: User data protection and informed consent.
○​ The Radio Equipment Directive (RED) makes sure wireless devices meet
strict safety and performance standards.
○​ The Restriction of Hazardous Substances (RoHS) Directive limits harmful
materials in electronic devices.
Healthcare (IoMT):
​ Advantages: Early diagnosis, remote monitoring, and reduced hospital burden.
​ Devices: Wearable sensors (e.g., SpO2, heart rate).
​ Challenges: Data security, system reliability, and device integration.
​ Regulations: FDA cybersecurity guidelines for connected devices to ensure patient
safety.
Agriculture:
​ Uses: Precision farming, livestock tracking, irrigation automation, pest detection, co2
levels adjustment.
​ Technologies: IoT sensors for soil quality and weather conditions.
 ​ Challenges: High costs and limited rural connectivity.
Smart Cities:
​ Applications:
1.​ Traffic Management: Adaptive signals reduce congestion.
2.​ Environmental Monitoring: Pollution sensors guide policies.
3.​ Energy Efficiency: Smart grids and streetlights save energy.
4.​ Predictive Maintenance: AI and IoT prevent infrastructure failures.
Industry:
​ Advantages: Real-time data analysis, predictive maintenance, inventory
management, and worker safety.
​ Challenges: Data security and high costs.
​ Future Enhancements: 5G, edge computing, and digital twins.

6. Ethical and Future Considerations
​ Ethical Concerns:
○​ Lack of transparency in data collection.
○​ Need for regulations to balance innovation with user privacy and safety.
​ Future Trends:
○​ Integration with AI for predictive analytics.
○​ Development of global standards to ensure device interoperability and
security.
○​ Sustainable IoT solutions to address energy consumption.

GROUP 10: DIGITAL IDENTITY
1. What is Digital Identity?
Digital identity is the online version of your identity. It’s how systems recognize you when you
log into apps, websites, or services. Think of it like a digital ID card that allows you to access
resources, prove who you are, and interact with systems securely.
It includes two types of information:
1.​ Direct Identifiers: Your name or ID number, which clearly identifies you.
2.​ Indirect Identifiers: Things like your IP address, which don’t directly identify you but
can still track your activity.
For example, when you log into a website with your email, that email is part of your digital
identity.

2. How Digital Identity Developed Over Time
The concept of identity verification has existed for centuries, evolving with technology:
 ​ In Ancient Times: Tattoos and jewelry were used to show status or identity.
​ Modern Milestones:
○​ 1960s: PINs (Personal Identification Numbers) were introduced for banking.
○​ Usernames and Passwords: Allowed secure access to digital systems.
○​ Biometrics: Fingerprints and face scans, like Apple’s Face ID, made logging
in more secure and convenient.
○​ Social Logins: Using accounts like Facebook or Google to access multiple
websites.
Now, digital identity is moving towards digital wallets—secure apps that store your
credentials and give you control over who accesses your data.

3. How the EU Handles Digital Identity
The European Union (EU) is leading the way in making digital identity systems safe and
user-friendly:
​ In 2018, the EU created eIDAS, a system that allows EU countries to recognize each
other’s national IDs online.
​ In 2021, the EU proposed a Digital Identity Wallet that:
○​ Lets citizens prove their identity online and offline.
○​ Stores important information, like proof of residence or work authorization.
○​ Allows all EU citizens to use one secure app for these services by 2026.
This system helps people across the EU access services easily while keeping their data
secure.

4. Why Digital Identity is Useful
Digital identity has many uses in everyday life:
1.​ Banking: Helps people without physical IDs open bank accounts and access
financial services.
2.​ Government Services: Makes filing taxes or applying for benefits faster and easier.
3.​ Healthcare: Ensures doctors can securely access your medical records, saving time
and reducing errors.
4.​ Education and Jobs: Verifies your qualifications when applying for jobs or schools.
5.​ Property Ownership: Digitizes records to prevent disputes and encourage
investment.

5. Challenges and Risks
While digital identity is helpful, it also comes with risks:
​ Data Misuse: Some companies use your information without your permission,
eroding trust.
 ​ Cyber Threats: Hackers can steal your identity, leading to financial fraud or
damaged reputations.
​ Multiple Accounts: Without a universal system, users have to manage many
different IDs for various platforms.
​ Social Issues: Fake profiles and online harassment are common problems tied to
digital identity misuse.

6. How to Protect Your Digital Identity
To stay safe online, follow these tips:
1.​ Share your personal information only when necessary.
2.​ Keep your devices and apps updated to prevent hackers from exploiting old systems.
3.​ Use secure, encrypted connections, especially on public Wi-Fi.
4.​ Create strong, unique passwords for every account, and don’t reuse them.
5.​ Be cautious when downloading apps or sharing personal details on social media.

7. What’s Next for Digital Identity?
The future of digital identity is focused on making it safer and easier to use:
​ Blockchain Technology: This technology adds extra security by decentralizing data,
making it harder to hack.
​ Password-Free Systems: Biometrics like fingerprints and facial recognition are
replacing traditional passwords.
​ AI in Security: Artificial intelligence can detect fraud or suspicious activity in real
time, protecting users from scams.
Governments are also updating regulations. For example:
​ The EU aims to provide interoperable digital wallets for 80% of Europeans by 2030.
​ Many countries are creating standards to ensure secure and fair systems worldwide.

8. How Digital Identity Powers Smart Cities
Smart cities use technology to improve urban living, and digital identity is key to making this
work.
​ Uses: Lets people securely access city services like real-time traffic updates or public
healthcare.
​ Environmental Impact: Helps cities reduce waste with smart energy grids and
environmental monitoring.
​ Examples:
○​ Singapore uses sensors to track cleanliness and crowd levels.
○​ Zurich integrates heating and cooling systems to cut energy use.
As cities grow, digital identity will play a crucial role in making urban areas more efficient and
sustainable.

9. Digital Identity in China
China’s digital identity system combines efficiency with advanced technology but raises
privacy concerns:
Key Features:
1.​ From Centralized to Distributed Systems:
○​ Initially controlled by a single government body, recent systems now give
users greater control over their data.
2.​ Digitized IDs:
○​ Digital versions of national IDs are integrated into platforms like WeChat Pay
and Alipay, enabling secure transactions and access to:
​ Government Services: Healthcare and welfare benefits.
​ Banking: Verification for accounts and payments.
​ Transportation: Simplified ticketing.
3.​ Blockchain Integration:
○​ Ensures data security and reduces fraud risks through decentralization.
Significance:
China’s system improves efficiency and security but raises concerns about government
surveillance due to centralized access to user data.

10. Twitter’s Paid Verification System
Elon Musk’s changes to Twitter’s verification process reveal risks in poorly managed identity
systems:
Key Issues:
1.​ Trust Undermined:
○​ Paid verification allows anyone to appear legitimate, making it harder to
identify genuine accounts.
2.​ Misinformation:
○​ Fake verified accounts spread false information, as seen when impersonators
caused financial damage to real companies.
3.​ Regulatory Concerns:
○​ Violates the EU Digital Services Act (DSA), which requires proper identity
verification to prevent fraud.
○​ Conflicts with the GDPR, which emphasizes transparency and data
protection.
Lessons:
Platforms must ensure verification prioritizes authenticity and security, balancing innovation
with compliance to maintain user trust.