Law and the Internet Flashcards
Civil Evidence Act 1968
Computer records became admissible in civil trials
List the six principles of GDPR
Data must be (Article 5(1)):
1. Processed lawfully, fairly and transparently (lawfulness, fairness and transparency)
2. Collected for specified, explicit and legitimate purposes and not further processed incompatibly (purpose limitation)
3. Adequate, relevant and limited to what is necessary (data minimisation)
4. Accurate and, where necessary, kept up to date (accuracy)
5. Not kept in a form that identifies people for longer than necessary (storage limitation)
6. Processed securely, protected against unauthorised processing, loss, destruction or damage (integrity and confidentiality)
Article 5(2) adds a seventh, accountability: the controller must be able to demonstrate compliance with the other six.
What does GDPR stand for?
General Data Protection Regulation
GDPR includes a requirement to keep internal records of your processing (Article 30). What does this include?
- Who you are (controller and, where applicable, DPO contact details), the purposes of processing, the categories of data and data subjects, and who provided the data
- Retention schedules
- Security arrangements (a general description of technical and organisational measures)
- Details of transfers, including transfers to third countries and their safeguards
GDPR makes it essential to identify the lawful basis for processing (Article 6). What does this include?
- Consent: for each purpose it must be freely given, specific, informed and unambiguous, and as easy to withdraw as to give
- Contract: processing necessary to perform a contract with the data subject
- Legal obligation: processing necessary to comply with the law
- Article 6 also lists vital interests, public task and legitimate interests as bases
List the rights that GDPR provides for individuals
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
What is meant by the right to be informed?
Need to have a privacy notice that explains your processing
What is meant by the right of access?
Individuals can ask whether you process their data and obtain a copy of it (a subject access request), so systems need to be designed for this right to be exercisable
What is meant by the right to rectification?
Errors need to be corrected, and the correction passed on to anyone the data was disclosed to
What is meant by the right to erasure?
Right to be forgotten - delete data when there is no compelling reason to keep it
What is meant by the right to restrict processing?
You can continue to store the data, but may not otherwise process it unless an exception applies (e.g. the individual consents, or it is needed for legal claims)
Who does GDPR state must appoint a Data Protection Officer, and what is their job?
Public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring or large-scale processing of special-category data, must appoint a Data Protection Officer (Article 37). The DPO advises on GDPR obligations, monitors compliance with GDPR and reports directly to the highest level of management (the board)
What characterises offences that fall into Section 1 of the Computer Misuse Act 1990?
- Causing a computer to perform a function with intent to secure unauthorised access to a program or data
- Requires knowledge, at the time, that the access is unauthorised
What characterises offences that fall into Section 2 of the Computer Misuse Act 1990?
As Section 1, but with intent to commit or facilitate a further serious offence (one carrying a sentence of five years or more)
What characterises offences that fall into Section 3 of the Computer Misuse Act 1990?
Unauthorised acts with intent to impair the operation of a computer (originally worded as unauthorised modification of data), e.g. virus writing and denial of service. Making, supplying or obtaining hacking tools is the separate Section 3A offence, added by the Police and Justice Act 2006
What was Whitaker convicted under the Computer Misuse Act 1990 for?
Unauthorised modification (a Section 3 offence): he had built an undisclosed time-lock into bespoke software that froze it when the client was late in making payments
Explain the Wimbledon case
DPP v Lennon (2006): a teenager sent millions of emails to his former employer. After an appeal it was found that "mail bombing" is a Section 3 offence; the test of whether the acts were unauthorised becomes "if I were to ask, would they say yes?" (the owner consents to receiving ordinary email, not to a flood intended to overwhelm the server)
What was Cuthbert convicted of under the Computer Misuse Act 1990?
A Section 1 offence, for trying out ../../../ (directory traversal) URLs on a charity donation site he suspected was a phishing page. No damage was done; knowing that the access was unauthorised was enough
Electronic Communications Act 2000
Electronic signatures (and certificates supporting them) shall be admissible as evidence of the authenticity or integrity of a communication
Investigatory Powers Act 2016
- Deals with interception and communications data
- Permits equipment interference under a warrant
- Permits bulk interception, bulk acquisition, bulk equipment interference and collection of bulk personal datasets
What is communications data?
Metadata about communications (who, when, where, how; not the content). The Act provides a retention regime: communications providers can be required to retain it for up to 12 months
What is interception?
Making the content of a communication available, in the course of its transmission, to someone other than the sender or intended recipient
How must interception be authorised under the Investigatory Powers Act 2016?
By a warrant signed by the Secretary of State (i.e. the Home Secretary) and approved by a Judicial Commissioner (the "double lock"). The power can only be delegated very temporarily, in urgent cases, and the warrant must then still be approved by a Judicial Commissioner
Give 2 examples of interception
- Tapping a telephone
- Copying an email
What relevant power does GCHQ have?
Under a bulk interception warrant it can intercept overseas-related communications and scan them for selectors ("factors")
How can a business lawfully intercept on its own network (lawful business practice) with respect to the Investigatory Powers Act 2016?
- The Lawful Business Practice Regulations prescribe the conditions (e.g. monitoring for compliance, or to detect unauthorised use) under which such interception is not an offence under the IPA
- The business must make all reasonable efforts to tell all users of the system that interception may occur
Which part of the Regulation of Investigatory Powers Act 2000 is still in force?
Part III, the part that deals with encryption (investigation of electronic data protected by encryption)
Regulation of Investigatory Powers Act 2000
The basic requirement of a Section 49 notice is to "put this material into an intelligible form". You can supply the key instead. Keys themselves can be demanded in certain cases. Failing to comply is an offence (up to two years, or five in national security and child indecency cases)
Consumer Rights Directive 2011
- Remote (distance) seller must identify themselves
- Details of the contract must be delivered on a durable medium
- Right to cancel within 14 days, unless the service has already been delivered with the consumer's agreement
E-Commerce Directive (2000/31/EC, implemented by the UK Electronic Commerce Regulations 2002)
Online selling and advertising is subject to UK law if you are established in the UK, whoever you sell to (the country-of-origin principle). There are complexities if selling to foreign consumers whom you specifically marketed to, since their own consumer law may then apply
Privacy and Electronic Communications Regulations 2003 (PECR)
Bans unsolicited marketing emails to natural persons (individual subscribers) without prior consent, with a "soft opt-in" exception for existing customers who were offered an opt-out when their details were collected
What does legislation say about cookies?
- Must give clear and comprehensive information about the purposes of the cookies (PECR regulation 6)
- Must have consent unless cookies are strictly necessary for the provision of an information society service explicitly requested by the user
Give 2 examples where cookies may be used without permission
- Shopping carts (remembering what the user has chosen to buy)
- Security on bank websites (e.g. session cookies that keep the user logged in)
Give 3 examples where cookies may not be used without permission
- First and third party advertising
- Analytics
- Personalisation