Law, Privacy and Identity Flashcards
What is legal certainty?
The biggest characteristic of law. It promises certainty about the content of the law (you can find all rules within the e.g. statute), about its enforcement and that it is applied consistently (similar cases are treated similarly).
What is the legal syllogism?
It represents the most important form of legal reasoning. It’s an argument with 2 premises (the formulation of a legal rule in t he format IF condition THEN legal consequence; and the description of the facts of a case) and 1 conclusion (the legal consequences that result from applying the rule on the facts).
What is classification?
Translating the concrete case description to the abstract case description that matches the rule conditions.
What does it mean to use grammatical interpretation of a rule?
It means to match the literal meaning of the words in the rule.
What does it mean to use legislative intent interpretation of a rule?
To interpret the rule in a way that suits the original intent of the legislator.
What does it mean to use purposive interpretation of a rule?
The judge tries to determine the purpose of the task and can possibly find the circumstances of the specific case and the interests of the people involved important enough to override parts of the rule.
What does it mean to reason by analogy?
If there is strictly no rule to apply on a case and it resembles another previous case, the same reasoning/ruling can be applied.
What does it mean to distinguish situations?
The judge focuses on the differences between cases and applies different rules.
What does it mean to broaden a rule?
The court treats cases which weren’t obviously similar as similar.
What is the “Lex superior” rule?
It dictates that in the case of rule conflicts, the hierarchy among lawmakers must be followed. Thus, a law by a higher entity / ruling made by higher court overrides one by a lower entity / court.
What is the “Lex specialis” rule?
It dictates that in the case of rule conflicts, the more specific rule overrides the more general one.
What is private law?
It concerns relations between citizens. In it, the government as such doesn’t play a role. It includes property, contract, tort law, etc.
What is public law?
It concerns the nation as a whole or a class of individuals. In it the government as such plays a role. It includes criminal, constitutional, administrative law, etc.
What is procedural law?
It consists of rules for court proceedings, the organization of the judiciary, etc. There are branches of procedural law for each of the major branches of substantive law.
What are human (=fundamental) rights?
They are rights that every person has by virtue of existing. They aim to secure for that person certain benefits or freedoms that are of fundamental importance to any human being.
What is substantive law?
It consists of rules that give people rights or determine what people should do.
What critiques are there for human rights?
They are suboptimal since they infringe the rights of individuals.
They are undemocratic since courts are authorized to ignore/invalidate democratically made legislation because if infringes individual rights.
They are parochial, not universal: it’s unfair to impose normative expectations on non-western countries with different history and traditions.
What are negative (=liberty) rights?
They demand the state to refrain from doing something (inaction). E.g. no cencorship.
What are positive (=welfare) rights?
They demand that the state does something (action). E.g. promote pluralism in the media.
What are the (informal) 6 categories of human rights?
- Rights to the integrity of the person
- Freedom rights
- Political rights
- Welfare rights
- Equality and non-discrimination rights
- Fair trial and administration of justice
What are the 3 stages in court proceedings in ECHR?
- Admissibility: the court has to decide whether the claim satisfies formal requirements for being considered by the court.
- Merits of the case: did the state comply with the requirements for limiting a right? Was there legitimate aim, was it proportional?
- Remedy: if the court finds that a right was violated, compensation is given.
What are EU regulations, how are they applied?
They are binding legislative acts which are immediately applicable in all member states and overrule national laws.
What are EU directives and how are they applied?
They are legislative acts setting objectives that all member states must reach and translate into their national legislation within a defined time frame - so the implementation is up to the member to a certain degree.
What is the GDPR and what is its goal?
The General Data Protection Regulation is a regulation (so it applies directly to the whole EU) which sets data security laws. While its focus is on protection of personal data, its aim is also fair treatment and protection of human rights.
What is data processing?
Almost anything that can be done with personal data falls within the definition of processing, automated or not.
Advantages and disadvantages to how general the GDPR is?
It applies to private and public sector as soon as personal data is processed - it’s good that it has such a broad application. There is no need for a new law whenever some new technology is produced.
However, the rules are quite abstract and up to interpretation or further clarification by data users, which isn’t always ideal.
What are the weak points of the GDPR?
- Compliance is lacking and there’s enforcement deficit (as not much money is poured into this).
- It only applies to personal data, so data that doesn’t immediately reference people (e.g. “people living in area with postal code X”) is still being used and sold.
- Explaining AI decisions is very hard, sometimes impossible.
What is the EDPB?
The European Data Protection Board has members from all national DPAs from all states. It helps for harmonized application of the GDPR and provides explanations of it when needed, as well as guidelines (=soft laws, not traditional sources of law) on how to apply it.
What is the EDPS?
The European Data Protection Supervisor has the main role to ensure compliance when EU institutions process personal data and give input when the European Commission is adopting new legislation.
What is DPA?
Data Protection Authorities enforce the application of the GDPR on a state level. Each state has its own DPA (except Germany where there are multiple).
What laws are there to fight AI-related discrimination?
- Non-discrimination laws. They easily ban direct discrimination, but indirect one is more tricky so the ban is more nuanced and vague.
- Data privacy laws. GDPR has specific revision with rules on automated decision-making. People also have the right to explanation (the organization must provide meaningful explanation on the logic involved in automatic decision making) but it has loopholes.
What does it mean to identify?
Matching a person against a list / dataset of stored individuals. Can be done based on identifying numbers, biometry, pseudonyms, attributes, anonymously (using one-time-use numbers, for example).
What is authentication?
Proving who you are, based on something you have, something you know or something you are.
What is verification?
Matching a person against 1 particular stored template (information about individual).
What is identity management, what are its aspects?
Organizing access of humans to computer systems. It includes identification, authentication, authorization, personalization, provisioning.
What are the pros and cons to identity management?
It has centralization of control, it is easy to use for the users, it reduces costs and has structed roles within the organization.
However, there’s possible reliability reduction (since there’s a single point of failure) and linking of activities (which harms privacy).
What is an identity?
The set of all attributes that hold for a person at a particular time.
What are attributes?
Properties of people with some level of stability (name, address, nationality, etc.) which can be identifying or not.
What is reputation?
A set of opinions about a person based on their past actions. Digitally, it’s in the form of score / rating which is used to formalize trust in the sharing economy and on platforms.
What is zero-knowledge proof?
Proving knowledge of something without revealing it so that no one (and the verifier in particular) overhears/sees it/ etc. It is a complete and sound proof.
Who are the players in an attribute-based identity management?
- User: the individual who collects attributes locally and discloses them secretively.
- Issuer: a trusted party that issues attributes to the user.
- Verifier: an organization that accepts attributes from users as part of its authorization process for transactions.
List the requirements for attribute-based identity management.
- Non-transferability of attributes: other people shouldn’t be able to use my attribute.
- Issuer-unlinkability: the issuer shouldn’t be able to track where I use which attribute.
- Multi-show unlinkability: service providers shouldn’t be able to connect usage at different providers.
- Revocation: outdated attributes should be blockable.
Challenges in attribute-based identity management?
- How to prevent over-asking by verifiers?
- Are assurance levels and data minimalization linked?
- If GDPR requires privacy by design does that allow only for decentralized architectures?
- Should the digital identity be based on non-profit basis?
- Should the identity management be open source?
What are the 3 power organizations in NL?
- Police (which has internal monopoly on the use of force).
- Army (which has external monopoly on the use of force).
- Intelligence (which investigates and collects information).
What are the tasks of the police? (in NL)
- Enforcing the law (under supervision of the state)
- Maintaining public order and safety (under supervision of the local government)
- Special powers: physical coercion can be used to arrest; investigative powers
What are the tasks of the army? (in NL)
- Territorial defense (national and of allies)
- Maintaining international order and stability (via UN peace keeping missions)
- Assisting public authorities in emergency situations (pandemic, flood, etc)
- Assisting the police when needed (and in those cases the army is subordinate to the police)
What are the tasks of intelligence services? (in NL)
- Protecting democratic order and national security
- International investigations to learn hidden political agendas based on national priorities
- Espionage (spying) to protect democracy from foreign threats
What is the relation between intelligence services and IT?
Intelligence services are basically IT organizations:
- They process huge amounts of information
- The work involves analysis of info like advanced search, classification based on machine learning, etc.
- Use hacking, planting bugs, decryption, etc. to acquire information
What are the key oversight concepts? (for Intelligence services)
- Necessity: only act if action is needed
- Proportionality: the means must be in relation to the goals
- Subsidiarity: there should be no lighter means available
- Discrimination: the means must be well-targeted
Who carries out intelligence oversight?
Independent institutions (TIB checks if minister’s organizations are justified prior mission, and STIVD gets access to all data, public reports, complaints post/during mission) and the parliament.
Why use hacking in intelligence services?
Human intelligence is slow, risky and not too reliable. Hacking can be done remotely, under the radar without much risk. It yields more reliable information and a position can be re-exploited. However, there’s some oversight challenges like unknown vulnerabilities, use of commercial tools, unpredictability of how much will be found.
What is the standard procedure when applying the GDPR on a specific case for data processing?
- Check if the GDPR can be applied at all (i.e. is this about personal data? are the people/companies involved in EU, etc) (in articles 1-3)
- See what kind of processing of data is allowed (basis for processing, article 6) and whether the case abides by that
- See whether they are processing the data in the proper way (article 5)
(Optionally, might want to take a look at whether sensitive data is used - article 9; whether it’s automatic - articles 21-22, whether there’s a leak, etc. - articles 32-35)
