Search Results

This chapter considers how restrictions on cross-border transfers of data work, or perhaps don't work, in cloud environments and how they might be improved. The concept of ‘transfer’ and the prohibition on transfers of personal data to countries that fail to provide an adequate level of protection for personal data are explained. Various exception to, and derogations from, the transfer prohibition rule are evaluated, including consent, the US Safe Harbor, model contract clauses, and Binding Corporate Rules (BCR).

This chapter considers what information in clouds is, and what should be, classified as personal data under European Union data protection laws. It is crucial to tackle this question first as the rights and obligations arising under EU national data protection laws apply only to personal data and tend to do so on an ‘all or nothing’ basis depending on whether a particular individual is identified or identifiable. The use in cloud computing of encryption, anonymisation, data fragmentation and other techniques has an impact on this threshold issue.

Cloud computing technologies and service models are sufficiently complex that it is often the case that a provider of the whole or part of a multi-layered cloud service will not even know whether its systems are being used to process personal data. With that in mind, this chapter seeks to identify who is regulated as a ‘data controller’ and / or as a ‘data processor’ in various situations, and how those roles might be mapped onto typical cloud computing arrangements.

Data protection laws in the EU adopt a distinctive location-based approach to regulation. Jurisdiction depends either on where a controller or processor is ‘established’, in which case the relevant national law has global reach to regulate activities carried on in the course of that establishment, or the mere use of equipment located in the EU to process personal data may trigger regulation of activities of controllers with no EU establishment. This chapter looks at the international impact of European data protection legislation and consider which laws apply to personal data in clouds.

Several lines of evidence suggest that acetylcholine (ACh) neurotransmission is important to the normal functioning of memory, and loss of ACh-producing cells in the basal forebrain (nucleus basalis) is a consistent finding in patients with Alzheimer’s disease and other dementias. The most successful approach to increasing ACh in vivo has been to develop drugs that reduce its degradation by the synaptic enzyme acetylcholinesterase (AChE). Four cholinesterase inhibitors are available to treat memory and other cognitive symptoms in dementia patients. They may also stabilize or prevent the onset of milder non-cognitive neuropsychiatric or behavioral symptoms, although their use as exclusive agents for the more severe forms of the latter is not recommended. A recent Consensus Panel has articulated sound clinical principles regarding the use of these drugs in the context of the broader treatment of Alzheimer’s dementia (Lyketsos et al., 2006). Tacrine, donepezil, rivastigmine, and galantamine have been approved by the U.S. Food and Drug Administration (FDA) for the treatment of Alzheimer’s disease. Tacrine should not ordinarily be used in light of the associated high risk of hepatotoxicity, its complex titration, and the availability of bettertolerated alternatives. The other three cholinesterase inhibitors seem similar in efficacy. All appear to modestly improve cognitive symptoms in 15% to 20% of patients, sometimes quite notably. In addition, they may either improve patient function and delay the emergence of behavioral symptoms or reduce the severity of the latter. The evidence does not support their use as single agents to treat more severe neuropsychiatric symptoms such as depression or delusions, although patients with apathy and visual hallucinations may respond. Any benefit of cholinesterase inhibitors to the long-term progression of dementia has not been shown conclusively. Some studies suggest that they may attenuate the long-term slope of cognitive or functional decline, but those studies have been flawed due to high levels of dropout and the use of historical untreated comparison groups. One brain imaging study, part of a clinical trial, has suggested that they may affect the size of the hippocampus or the integrity of hippocampal neurons. In the absence of replication or a better understanding of the imaging measures involved, these data are not conclusive.

This chapter explores the development of European data protection, both as a codified form of regulation and as a human right, from its inception to the present day. In contrast to more ʻclassicalʼ rights, such as freedom of expression and even privacy, data protection only emerged as a discrete concept with the rise of computer power in the 1970s. The focus in Europe from this time has been on elaborating a progressively more detailed and harmonized regulatory code to govern the processing of personal data across the EU and wider European Economic Area (EEA). Advisory Council of Europe Resolutions in the 1970s led to a binding but optional Data Protection Convention in the 1980s, to a mandatory Data Protection Directive in the 1990s, and finally to a General Data Protection Regulation (GDPR) in the 2010s which is directly applicable across the EU. In addition, data protection has increasingly been recognized as a fundamental right and, in particular, was included within the EU Charter that was drafted in 2000 and acquired pan-EU legal status in 2009. These developments have dovetailed with the emergence of a significant body of relevant Court of Justice of the EU (CJEU) jurisprudence. However, the regulatory Data Protection Authorities (DPAs) also remain critical interpretative actors and have issued a number of important opinions including through the Article 29 Working Party that under the GDPR has become the European Data Protection Board.

This chapter focuses on the various types of laws that Indonesian institutions can make, the processes for their issuance, and the bodies that issue them. Most of these laws, including national statutes, emergency laws, and government, presidential, and regional regulations, appear on Indonesia’s ‘hierarchy of laws’, which ranks them by their relative authority. This chapter highlights significant problems in the operation of the hierarchy, deriving primarily from: unclear delineation of the relative jurisdictions of Indonesia’s multiple lawmakers; the use of laws that do not appear on the hierarchy; and the lack of effective mechanisms to resolve conflicts between laws and jurisdictional disputes between the bodies that make them. These problems are the root cause of much of Indonesia’s legal dysfunction, identified in other chapters of this book.

Chapter VI is a new chapter in the EIR. Its presence signals the importance that data protection law has gained in Europe since the adoption of the Data Protection Directive 95/46/EC (DPD) and Regulation 45/2001. Although the DPD is not—though it comes close to—a maximum harmonisation directive, its implementation by Member States by the end of 1998 increased data protection standards on national levels as well. Yet the concrete reason that led to the addition of this Chapter is the expanded scope of the EIR as far as the exchange and publication of personal data is concerned. The expansion and thus the enhanced need for data protection is due in particular to the provision made in the recast EIR for newly established interconnected national insolvency registers, accessible via the European e-Justice Portal. This provision has been made at a time when data protection law is increasingly recognised as a ‘stand-alone’ subject, emancipated from privacy law, as expressed indirectly also by the popularisation of the ‘data protection’ nomenclature originating in the German term ‘Datenschutz’. This has clear implications for private and commercial law, including insolvency law.