The IP/IT/Media Law Discussion Group is pleased to announce that Prof Burkhard Schafer (Edinburgh) will deliver a talk in our December session. The event will take place on Friday 4 December at 4.30pm in the Neil MacCormick Room. Professor Schafer will present his latest work on the following topic:
‘We are the victim here – Data breach notification duties and the duties of victims in the criminal law of democratic states’
In 2002, California became the first country to enact a data security breach notification law. The law makes it mandatory for “a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” In the European Union the Directive on Privacy and Electronic Communications (E-Privacy Directive) from 2009 contained a requirement to enact data breach notification laws for telecoms and Internet service providers.
The discourse surrounding Data breach notification duties has been dominated by the technical issues that these laws create, especially in multi-jurisdiction environments. Seen from this perspective, it is just another compliance burden, not categorically different from myriad other reporting duties, such as suspicious bank transactions, or data retention duties.
What this compliance-focussed discussion hides is that Data breach notification duties are a legal anomaly, at least for liberal democracies. They create an active duty for what is after all a victim of a crime to actively participate in its investigation – even if this is in some versions of the law just a side effect of minimising the risk of the “secondary victims”, the people whose data was stolen.
Traditionally, liberal democracies have been hesitant to require from citizens pro-active engagement with crime investigations. Until recently, few systems had a duty on witnesses to report a crime or planned crime by a third party – only recently, “duty to inform” was introduced into UK law as part of terrorism legislation. In Germany, only a limited number of serious crimes obligate a citizen who has knowledge of them to contact the police.
Already limited in scope, these duties typically attach to third parties, not the victim of a crime. There is no general duty to report that one suffered a crime. The situation changes once an investigation has started, or court proceedings begin, but even then, active participation duties on victims are minimal.
This paper will thus analyse Data breach notification duties from a jurisprudential perspective. Using ideas developed by Antony Duff and Sandra Marshall, it will ask what duties in a democratic society victims of crime can legitimately be given, and apply this framework to online service providers and their duty to inform either their customers or a state agency about data breaches.
The talk will be followed by a discussion and an informal wine reception! All students and staff welcome and no registration is required.