This article seeks to demystify the recently enacted Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted in March 2018 by the U.S. government in an effort to address challenges faced by law enforcement in accessing data located across borders. It explains the two parts of the act, dealing with: (i) U.S. access to data located outside the United States; and (ii) foreign government access to data held by U.S. companies within the United States. As the article highlights, the CLOUD Act offers a model for both responding to law enforcement needs and setting – and raising – baseline privacy protections. In that regard, it is a step in the right direction, although there is much more work to be done.

In September 2018, the European Commission presented a draft Regulation on preventing the dissemination of terrorist content online. The proposal builds on EU-level initiatives to foster the voluntary cooperation of service providers in stopping the dissemination of terrorist content online, and it echoes ongoing national developments which go a step further in imposing obligations – underpinned by considerable fines – on service providers. This article describes the main features of the proposal and highlights some of the policy challenges, legal questions, and technological concerns it is likely to face on the road to adoption.

Although the significance of electronic evidence for criminal investigations of any type of criminal offence has been steadily growing for years, respective legal frameworks in all EU Member States are only fragmented – if they exist at all. There is an urgent need for comprehensive legislation that takes into account the various grades of data sensitivity. For various reasons, the common distinction between subscriber data, traffic data, and content data is not suitable for this purpose. Instead, a new classification is necessary.
The article analyzes the relevant backgrounds and provides an overview of the current issues. More importantly, it proposes a new classification with five categories of electronic data. The key criterion for determining the sensitivity of a dataset − the data subject’s reasonable expectation of confidentiality – allows a distinction as follows: (1) data of core significance for private life, (2) secret data, (3) shared confidential data, (4) data of … Read more

Some EU Member States have already adopted broad-ranging whistleblowing legislation because of financial or public health scandals. In this context, the European Parliament suggested a draft directive to protect whistleblowers by offering a “horizontal” approach covering all public and private sectors. In 2018, the European Commission, by contrast, proposed widening the existing EU sectoral approach and including the protection of the financial interests of the European Union in a directive “on the protection of persons reporting on breaches of Union law.” The author argues that this broader sectoral approach − while making a step forward − still raises a number of issues.

Recent scandals, such as Dieselgate, Luxleaks, the Panama Papers, and Cambridge Analytica, came to light thanks to whistleblowers who “raised the alarm” over unlawful activities in the organisation for which they worked. From their position as "insiders," whistleblowers can provide enforcement authorities with key information that can lead to the effective detection, investigation, and prosecution of breaches of law − and they can be crucial sources for investigative journalists − thus contributing to protecting the public from harm.
Yet, whistleblowers very often face many different forms of retaliation for their reporting: they may lose their job and their source of income, and they may suffer damage to their reputation and their health. Fear of such consequences discourages people from coming forward with their concerns. Unfortunately, the protection offered in the EU is fragmented and insufficient. Most EU Member States do not have comprehensive legislation in place that provides whistleblowers with the … Read more