Prof Burkhard Schafer on Data Breach Notification mechanism

The IP/IT/Media Law Discussion Group is pleased to announce that Prof Burkhard Schafer (Edinburgh) will deliver a talk in our December session. The event will take place on Friday 4 December at 4.30pm in Neil MacCormick Room. Professor Schafer will present his latest work on the following topic:

‘We are the victim here – Data breach notification duties and the duties of victims in the criminal law of democratic states’


In 2002, California became the first country to enact a data security breach notification law. The law makes in a mandatory  for  “a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” In the European Union the Directive on Privacy and Electronic Communications (E-Privacy Directive) from 2009 contained a requirement to enact data breach notification laws for telecoms and Internet service providers

The discourse surrounding Data breach notification duties has been dominated by the technical issues that these laws create, especially in multi-jurisdiction environments. Seen from this perspective, it is just another compliance burden, not categorically different from myriads other reporting duties, such as suspicious bank transactions; or data retention duties.

What this compliance-focussed discussion hides is that Data breach notification duties are a legal anomaly, at least for liberal democracies. They create an active duty for what is after all a victim of a crime to actively participate in its investigation – even if this is in some versions of the law just a side effect of minimising the risk of the “secondary victims”, the people whose data was stolen.

Traditionally, liberal democracies have been hesitant to require from citizens pro-active engagement with crime investigations. Until recently, few systems had a duty on witnesses to report a crime or planned crime by a third party – only recently,  “duty to inform” was introduced into UK law as part of terrorism legislation. In Germany, only a limited number of serious crimes  obligate a citizen who has knowledge of them to contact the police.

Already limited in scope, these duties typically attach to third parties, not the victim of a crime. There is no general duty to report that one suffered a crime. The situation changes once an investigation has started, or court proceedings begin, but even the, active participation duties on victims are minimal

This paper will thus analyse  Data breach notification duties from a jurisprudential perspective. Using ideas developed by Antony Duff and Sandra Marshal, it will ask what duties in a democratic society victims of crime can legitimately be given, and apply this framework to online service providers and their duty to inform either their customers or a state agency about data breaches.

The talk will be followed by a discussion and an informal wine reception! All students and staff welcome and no registration is required.

Upcoming talk focuses on ‘creative autonomy’ in copyright theory and reality

The next IP/IT/Media Law Discussion Group event will take place on Friday 13 November at 4.30pm in Neil MacCormick RoomMary Gani, PhD Candidate at Queen Mary University of London, will present on the following topic:

‘Copyright Theory and Reality: Trading Creative Autonomy in the Popular Music industry’


Theories traditionally canvassed for the justification of copyright have highlighted authorial personality on the one hand, and economic efficiency on the other. It has been argued that creativity appears to be a fluid process by which authors may reflect their individual vision in their work, and this argument bears remarkable similarity to notions of authorial personality. However a trade-off may occur in the contractual interactions between performing authors and record label executives; where executive decisions of record labels are influenced by popular music trends, enforcing such executive notions and preferences may stifle the autonomy of performing authors, and deprive society of new works in both an economic and cultural sense.

The thesis therefore examined the notion of creative autonomy in copyright theory, and mapped out the structural framework of creative and executive roles specifically in the Nigerian popular music industry, as a foundation for the empirical analysis of the notion. It identified the industry gatekeepers that determine how songs are written and released. Subsequently, it scrutinised aspects of copyright law and recording contracts utilised by record labels, in order to determine whether their parameters may frustrate creative autonomy. On the basis of the observations made, the thesis made recommendations for copyright law and policy.

The talk will be followed by a Q&A section and refreshments will be provided! All students and staff welcome!