The role of the data controller and data processor presents a serious problem with the protection of personal data in Cloud Computing. The Directive (EU) 2016/679 General Data Protection Regulation (GDPR) prioritises the responsibility and instructions that the controller gives to the processor, setting the latter’s scope of action. However, a Cloud Service Provider processes personal data from thousands of controllers who are paying customers for the processing service. In practice, it is impossible for such an overwhelming number of controllers-clients to give individual instructions to a large Cloud Computing Services Company. In reality, the Cloud provider-processor establishes standard terms and conditions in the contract (https://academic.oup.com/ijlit/article/26/1/45/4769343). Regulation for the protection of personal data should adapt to this new reality of "role investment". Therefore Article 28 of the GDPR needs to be reformulated to reflect the more predominant role of the processor with respect to appropriate technical and organisation measures. In addition, contracts need to establish that the Cloud Service Provider has the principle responsibility in such measures, and does not merely “assist the controller” in those obligations.

Cloud Computing Concerns

Perhaps the biggest concerns about cloud computing are security and privacy. The idea of handing over important data to another company worries some people. Corporate executives might hesitate to take advantage of a cloud computing system because they can’t keep their company’s information under lock and key.

The counterargument to this position is that the companies offering cloud computing services live and die by their reputations. It benefits these companies to have reliable security measures in place. Otherwise, the service would lose all its clients. It’s in their interest to employ the most advanced techniques to protect their clients’ data.

Privacy is another matter. If a client can log in from any location to access data and applications, it’s possible the client’s privacy could be compromised. Cloud computing companies will need to find ways to protect client privacy. One way is to use authentication techniques such as user names and passwords. Another is to employ an authorization format – each user can access only the data and applications relevant to his or her job.

Some questions regarding cloud computing are more philosophical. Does the user or company subscribing to the cloud computing service own the data? Does the cloud computing system, which provides the actual storage space, own it? Is it possible for a cloud computing company to deny a client access to that client’s data? Several companies, law firms and universities are debating these and other questions about the nature of cloud computing.

How will cloud computing affect other industries? There’s a growing concern in the IT industry about how cloud computing could impact the business of computer maintenance and repair. If companies switch to using streamlined computer systems, they’ll have fewer IT needs. Some industry experts believe that the need for IT jobs will migrate to the back end of the cloud computing system.

Another area of research in the computer science community is autonomic computing. An autonomic computing system is self-managing, which means the system monitors itself and takes measures to prevent or repair problems. Currently, autonomic computing is mostly theoretical. But, if autonomic computing becomes a reality, it could eliminate the need for many IT maintenance jobs.

Financial Intelligence Units (in charge of fighting and preventing money laundering and the financing of terrorism) and other government agencies are constantly monitoring personal data for public security purposes (preventing cross-border crimes, terrorism, etc.), always within a framework of strict safeguards. The Internet of Things allows a higher level of efficiency and welfare, but users must also have a greater duty of care regarding their personal data. Maybe it is excessive to require a Data Protection Impact Assessment for data subjects, but they should be conscious and responsible about the risks, in the same way that employees of companies that collect or process personal data are. A more active role is required by users: practises such as using your spouse’s date of birth as a password, or leaving passwords on post-its in visible places are clearly not good enough.

Our world is becoming increasingly interconnected, and that opens up some wonderful possibilities.  But there is also a downside.  What if we rapidly reach a point where one must be connected to the Internet in order to function in society?  Will there come a day when we can’t even do basic things such as buy, sell, get a job or open a bank account without it?  And what about the potential for government abuse?  Could an “Internet of Things” create a dystopian nightmare where everyone and everything will be constantly monitored and tracked by the government?  That is something to think about.

Consent to the use of cookies: suspicious minds?

People give their consent every day on numerous occasions: paying for the bus, buying cigarettes, turning on the television, etc. It would be not only impossible but also a waste of time to demand a detailed, informed and explicit consent for all the decisions we make on a daily basis. To get around this, the legal system has regulated consent under the “principle of reasonableness”, insisting on clear information only when risks are involved, or there are economic or moral consequences.

In this respect, special care should be taken when the consent refers to the processing of personal data and especially “sensitive” personal data. The European Union establishes two independent but related regulations regarding the collection and processing of personal data by cookies: the ePrivacy Directive 2002/58/EC, and the Directive 2016/679, General Data Protection Regulation (GDPR). The former emphasizes the protection of the fundamental right to privacy and the protection of personal data in electronic communications, and the GDPR focuses on the individual’s fundamental right to protection of their personal data.

The GDPR states that “consent” from the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

In this sense, the Court of Justice of the European Union, in the case C-673/17 “Planet49 v German Federation of Consumer Organisations (Bundesverband der Verbraucherzentralen und Verbraucherverbände), states that requiring an ‘indication’ of the data subject’s wishes clearly points to an active, rather than passive, action, and that consent given in the form of a preselected tick in a checkbox does not imply active behaviour on the part of a website user (http://curia.europa.eu/juris/liste.jsf?num=C-673/17).

The GDPR requires controlling companies or data processors to obtain clear and informed consent from the user or subscriber. This goes against the common website practice of placing a banner indicating that “by continuing to use the page constitutes consent” or “by using this page you are accepting cookies”.

The survey carried out by the Information Commissioner’s Office (ICO) in November 2017 (https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/11/ico-survey-shows-most-uk-citizens-don-t-trust-organisations-with-their-data/), found that only one fifth of the UK public (20%) have trust and confidence in companies and organisations storing their personal information. The survey also shows that less than one in ten (8%) UK adults say they have a good understanding of how their personal data is made available to third parties and the public by companies and organisations in the UK.

We need a happy medium. Nobody wants to be bombarded by sterile requests for consent on cookies, a practice which only leads to apathy in the web user. Nor should the voracious greed of companies be allowed to prejudice the right of individuals to consent about their personal data.

On January of 2018, Facebook apologized because its automatic algorithm identified and removed as “hate speech” a post from the Texas newspaper “The Liberty County Vindicator” that collected a passage from the U.S. Declaration of Independence. Specifically, the post contained the phrase “merciless Indian savages”, written by Thomas Jefferson in the context of King George III abuses against American colonies. Facebook apologized and reinstated the post on its platform, and had to declare the removal of a post that “went against our Community standards” as a “mistake”. Despite the benefits automated algorithms for monitoring hate speech and defamation content can offer, it is reasonable that people -and not machines- make final decisions about determining the harmfulness of content. Otherwise, freedom of expression will be affected.

In the absence of Mark Zuckberg at the Facebook’s international hearing on the 28th Nov 2018, Richard Allan (Facebook’s vice-president of policy solutions) stepped into answer questions relating to fake news. An MP from Singapore, Edwin Tong, grilled Mr Allan over a Facebook’s failing to remove hate speech related content on Facebook that was in relation to race issues in Sri Lanka.

The Court of Justice of the European Union (CJEU) in the case Scarlet Extended SA v Société bilge des auteurs, compositeurs et éditeurs SCRL (SABAM), discusses the scope of Internet Service Provider (ISP) powers to establish technological measures to supervise exchanges of unauthorized music files between customers, when the content is protected. The CJEU clarifies that copyrights are not superior to human rights -such as the access to information- and therefore states that it is contrary to Community principles to impose restrictions to prevent the exchange of information in order to block the exchange of pirated content. This judgment reaffirms that European Union law precludes an injunction (technological measure) ordering an internet provider to establish a filter system for all electronic communications that pass through its services for its own account and with no time limit. (https://eulaws.eu/?p=1153)

What You Ought to Know about Illegal Music Downloads

They say that music is the universal language and it is now made more accessible to people wherever they are.  In the past, we had no choice but to turn on the radio whenever we want to listen to our favorite tunes.  If we do not like what a particular station is playing, we can always switch to the next station.  Today, however, we can be our own disk jockey or DJ.  We no longer have to rely on what we hear in the radio.  Thanks to the invention of MP3 players, iPod and now, the iPad, we can listen to whatever music that we like.  That means no longer waiting for the DJ to play our favorite songs.

Although there is nothing wrong with the invention of iTunes and those MP3 players, it did cause an increase in the download of illegal music now that they have the option to carry it around as they run, go to the gym or commute.  Sure, there is a legal way to download music through iTunes but that means having to pay for the song or the album.  By downloading it illegally, that means not having to pay a thing.

Illegal music downloads are done using programs that run on torrents.  That way, peers can share their programs and their songs.  Think of it as the compilation of all songs all over the world and all that you have to do is download your picks for free.  In all honestly, downloading music illegally is beneficial to the person downloading (unless he or she gets caught of course).  After all, they get to listen to their favorite tunes and not have to pay for a single cent.  However, think of it from the point of view of the artist who spent time and effort creating the song.  Downloading their music for free is actually stealing from their intellectual property.  It does not matter whether you are downloading to sell the music or if you are downloading just for your own enjoyment.  In the eyes of the law, the mere fact that you are already downloading is already a crime.  That is one of the misconceptions that people have about downloading music.  The RIAA or the Recording Industry Association of America clearly states that one does not have to be a distributor of illegally downloaded music to be punished by the law.  Mere listening to it or streaming it already a crime. 

Admittedly, it is extremely difficult to track and put people who illegally download music and put them to justice.  However, look at it this way, every person who illegally downloads music lessens the income of the artist and the music company who invested on the artist.  Hence, they will have less capital to invest on other music that they will create in the future. 

Get your music only from legal sources.  That is the only way to ensure the continuance of a healthy music industry.

Remember These?

http://audio.tutsplus.com/articles/general/top-10-places-to-buy-music/

Usually copyright infringement in the digital environment has criminal penalties in more than one legal body and in more than one jurisdiction.    In the case of “Megaupload”, Kim Dotcom’s defence argues that there is no criminal liability for secondary copyright infringement, but only civil liability. The defence also claims that the criminal infringement of copyright requires that an intentional infringement has occurred, and that the deactivation of Megaupload offline had produced an unconstitutional effect of denying legitimate users of the site access to their data. This case raises the problem of the delimitation of criminal jurisdiction for copyright infringements, and the need for better harmonization on a global level through international treaties that equalize the definitions and nature of those crimes.

The Justice Department is building its case against Megaupload, the hugely popular file-sharing site that was indicted earlier this year on multiple counts of copyright infringement and related crimes. The company’s servers have been shut down, its assets seized and top employees arrested. And, as is usual in such cases, prosecutors and their allies in the music and movie industries have sought to invoke the language of “theft” and “stealing” to frame the prosecutions and, presumably, obtain the moral high ground.

Whatever wrongs Megaupload has committed, though, it’s doubtful that theft is among them.

The Court of Justice of the European Union (CJEU) in the Deckmyn v Vandersteen (C-201/13) judgment,  stresses that the application of the parody exception set out in the Directive must strike a fair balance between the interests and rights of authors and the freedom of expression of the subject seeking to benefit from the exception. The judgment notes that if a parody conveys a discriminatory message, the right holders of the original work have a legitimate interest in the work not being associated with a vexatious message. The problem arises when freedom of expression and, in turn, the universal right to defence of anyone who feels outraged are promoted at the same time.

Therefore, in these situations, the principle of proportionality should be applied, in the sense of balancing and giving due weight to the fundamental rights at stake. The inherent risk for a person holding public functions must be harmonized with the protection of the right to honour, personal and family life, privacy and self-image. The parody exception to intellectual property law cannot be used as a tool to infringe fundamental rights. This weighting should take special care in protecting the fundamental rights of the author of the original work, not only for economic interests, but in order to safeguard the right to self-determination.

This relates to indirect damage, insofar as the author of the work can cause – through parody – damage that he could not foresee or want. When a conflict arises, having established that the work is of a particular author, the burden of proof in respect of compliance with the requirements of Article 5 rests with the person who elaborates the parody.

Another aspect is possibly a tort action, by which the moral damage caused by the illegitimate and abusive exercise of parody to the author of a work must be compensated for.

The unlawful use of parody against the legitimate interest of copyright is also related to the misappropriation offence. A work subject to intellectual property generates a fiduciary duty on behalf of the creator, in that he expects his work to be used in good faith and for a legitimate purpose. In this sense, in parody, a duty of trust to the owner of the original work is violated, when it is used beyond the field of reasonable humour, and falls into the sphere of discrimination, which affects the dignity of the first author.

The exhaustion of intellectual property rights: problems and solutions

In 2004, when the famous Chilean painter Carmen Aldunate appeared on a television program, one of the panellists admitted to owning a fake of one of her paintings. How would anyone find out about this fake in normal circumstances? The same question might be asked when we watch a leased film and see the warning message reminding viewers of the severe penalties imposed for reproducing film illegally (as illustrated in the parody of the first scene of the movie "The Fight Club"). But, is enforcement of such penalties realistic?

The regulation of intellectual property on software has to balance innovation, ownership and the free movement of goods, and to achieve this the exhaustion theory of the right of distribution has been applied. According to this theory, the benefit of the copyright holder is exhausted with the first sale, if the initial acquirer sells the copy with legitimate purposes and eliminates the possibility of reproducing the original copy, as determined by the Court of Justice of the European Union (CJEU) in the UsedSoft versus Oracle case. However, this case did not solve the problematic aspect of how to apply the theory of exhaustion to the ubiquitous digital environment of the internet, nor how to prove the legitimate intention of the third-party acquirer. Strict regulation could start a witch hunt.

Under the Software Directive 2009/24/EC, the exhaustion theory applies a “regionalist” territorial approach, i.e. it has legal effects only in the member countries of the European Union, which could illegally promote the cloud computing market and trade outside the EU. The question then arises as to how to enforce and prove that the initial acquirer has eliminated the possibility of reproducing the copy of the purchased software. One alternative is to allocate the burden of proof on the buyer, in the sense that he must prove that no copies of the resold software have been left. The initial acquirer must have made a sale in accordance with the law and prove that he did so.  

With regard to open source software products, one alternative that safeguards the author’s interests is “Copyleft”, a tool that  offers people the right to freely distribute copies and modified versions of a work with the stipulation that the same rights be preserved in derivative works that are created at a later date. Another option is the General Public Licence (GPL), which aims to guarantee the freedom to share and modify software beyond the immediate contractual scope by ensuring that the software is also free for other subsequent users. Berkeley Software Distribution (BSD) licenses are also an option: they give sole credit and recognition to the authors.

Finally, it could be argued that none of these proposed solutions would mean effective compliance without a socio-cultural change that raises awareness that regardless of what is being is bought or sold, if it is done in violation of the author’s rights it harms society as a whole.