Cyber Security, Artificial Intelligence, Data Protection & the Law
- 2021
- Book
- Authors
- Robert Walters
- Prof. Marko Novak
- Publisher
- Springer Singapore
About this book
This book provides a comparison and practical guide of the data protection laws of Canada, China (Hong Kong, Macau, Taiwan), Laos, Philippines, South Korea, United States and Vietnam. The book builds on the first book Data Protection Law. A Comparative Analysis of Asia-Pacific and European Approaches, Robert Walters, Leon Trakman, Bruno Zeller.
The world is coming to terms with Artificial Intelligence (AI), which now pervades the daily lives of everyone. For instance, our smart phone or iPhone, and smart home technology (robots, televisions, fridges and toys), access our personal data at an unprecedented level. Therefore, the security of that data is increasingly vulnerable and can be compromised. This book examines the interface of cyber security, AI and data protection. It highlights and recommends that regulators and governments need to undertake wider research and law reform to ensure the most vulnerable in the community have their personal data protected adequately, while balancing the future benefits of the digital economy.
Table of Contents
Frontmatter
Cyber Security & Artificial Intelligence
Frontmatter
Chapter 1. Problem Definition, Structure and Methodology
Robert Walters, Marko Novak
Abstract
Reconciling the differences between data protection, artificial intelligence (AI) and cyber security will be complex and needs to be finely balanced. More problematic is the balance between the free flow of personal data and the economic benefits this brings, with the need to protect that data. This book advocates for finding ways to better balance these competing issues, particularly when smart home devices enter the market and are used within the home and office. Finding this balance is a formidable challenge and it may never be achieved. This is because some in the community view our personal data as being lost to the large corporations that trade and use that data. In the contemporary world, this is becoming even more challenging, with many state actors going it alone, looking after their own sovereign needs. This Chapter discusses some of the challenges faced by state actors in relation to having to balance their sovereign needs while establishing data protection, AI and cyber security law that is effective. The resulting effect has seen three competing forces emerge. First is the rise in government surveillance of its citizens under the guise of national security. In other words, what has emerged is that national security will come first and protecting people’s privacy and protecting personal data will come second. Secondly, the economic benefits that arise from AI, trade in personal data and development of cyber security infrastructure and systems are on the one hand intertwined technologically, while on the other hand very separate at law. Third, the evolving expectation that individuals’ personal data will be afforded a level of protection over the Internet varies from nation state to nation state. The challenges facing society are only beginning to be fully understood. That is, at the extreme end of AI, the lack of cyber security infrastructure and a robust legal framework provides the potential for state actors, or entities acting on behalf of state actors, to collect personal data that enables them to undertake subversive behaviour that undermines the social fabric and disrupts economic activity. In other words, there is a huge potential for these technologies to be used in order to control populations, no matter where they are located in the world. This area is not well understood, and this book argues more is needed to better understand how states are to react to this behaviour. Contrary to this position are the evolving benefits from transnational flows of data. Yet, this is another area not well understood, and is outside the scope of this book.
Chapter 2. Cyber Security
Robert Walters, Marko Novak
Abstract
Cybersecurity has emerged as a global challenge and is becoming a tier one security threat for nation states. The modern-day cyber age will expose states to new challenges. Cyberspace and cyber attacks represent new ways of intruding on the sovereign prerogatives of states, and their citizens. It poses a threat to every area of society from government to the public and private sectors. Furthermore, it is undertaken by state actors, the private sector and individuals in the community. Cyber incursions are complex and difficult to detect. They are extremely subversive. These challenges are even enhanced by developing AI, which brings new tasks for cyber security specialists. It is the cyber attacks that pose the biggest challenge to states and their sovereignty, but also, and in our view, equally as pervasive is the challenge to personal data.
Chapter 3. Artificial Intelligence and Law
Robert Walters, Marko Novak
Abstract
Artificial Intelligence (AI) is rapidly developing. It is predicted that over the coming decade people will find AI technology in the home, office, business and general community on a large scale. It will pervade nearly every aspect of our lives. The world is seeing the transformation of AI technology being used by governments and the broader community for security. Over the past decade people only have had to travel to the major airports around the world and through the central business districts of major cities to find AI surveillance at work.
Today, AI can be found in many devices in our homes that we call “smart” because they operate in a more intelligent way, for example, smart phones, smart watches, robot vacuum cleaners and lawn mowers, self-driving cars, drones, etc. AI is very much used in robotics, technological industry, healthcare (in particular, medical diagnosing and surgery), transportation, military, video games, government and public administration, insurance, finance and economics, audit, advertising, art, amongst many others. Furthermore, it has been incrementally used in the area of law, such as predictive justice and the prediction of judicial decisions.
This Chapter will discuss some of the issues emerging in this area of law and technology. It will demonstrate how there is a lack of a single definition of AI. The Chapter demonstrates that there is a lack of international agreement on what AI constitutes. This Chapter does not examine the international agreements or laws as to whether there has been some agreement or proposal put forward by states to clearly define what is and is not military AI. It demonstrates how there has been little discussion or debate regarding how AI will meet the current day controls and protection of data protection [laws].
Moreover, this Chapter highlights how the emerging area of AI is going to challenge individuals across the community, particularly vulnerable groups such as children, those with a disability and the elderly, along with racial and ethnic groups. These cohorts are only beginning to be captured by AI technology, whereby the use of their personal data is not fully understood. The potential ramifications for bias and discrimination based on sex, ethnicity, religion, amongst others, could be enormous. As AI evolves, a more comprehensive study will be needed to better understand whether the developers of the technology have been successful in building adequate safeguards into the systems and platforms to protect personal data from illegal collection and use. It will also require confirmation of whether current trade-consumer practices law is adequate to regulate this at the point of sale of these devices, particularly in relation to protecting personal data.
Chapter 4. Data Protection
Robert Walters, Marko Novak
Abstract
Data protection is a recent addition to national legal frameworks. Data protection has evolved as a tool of privacy over the Internet. Yet, privacy generally means different things to different people and nation states. The international community has in part developed high level agreed principles for protecting individuals’ personal data online. However, there is a lack of international law in this area. The current approach is fragmented, inconsistent and incoherent. While many states have looked to the EU model, other models have emerged. This book will highlight what, in our view, are the models that have been developed by states to address the protection of personal data over the Internet (see Chap. 15).
Data Protection Law – Asia
Frontmatter
Chapter 5. South Korea
Robert Walters, Marko Novak
Abstract
South Korea (This Chapter is from earlier work by Robert Walters, Data Protection law in South Korea, LexisNexis – Privacy Bulletin Vol 17 No 5:74–87 Sept 2020) has an amazing history, being influenced by China, Japan, Russia and the West. Following WWII, it has developed and evolved into a highly sophisticated economy that has resulted in developing and using technology. Similar to other states, it has had to grapple with the impact the Internet has had on its citizens, particularly on privacy and data protection. Today, the data protection laws of South Korea have, in part, had to evolve quite rapidly, in order for the country to continue to participate in the emerging technology and data economy. Their laws can be best described as being a hybrid of the European Union model and Singapore model.
Chapter 6. Hong Kong
Robert Walters, Marko Novak
Abstract
Hong Kong has a fascinating history. On January 25, 1841, a British naval party landed and raised the British flag on the northern shore of Hong Kong, a small island located in the Pearl River Delta in southern China. The next day, the commander of the British expeditionary force took formal possession of the island in the name of the British Crown (Carroll, JM, (2007) A Concise History of Hong Kong, Rowman & Littlefield Publishers, 1). Except for three and a half years during World War II when Hong Kong was part of the short-lived Japanese Empire, the British occupation would last until midnight on July 1, 1997, whereby Hong Kong became a Special Administrative Region of the People’s Republic of China.
The data protection laws of Hong Kong are significantly different from the other data laws examined in this book. Data protection in Hong Kong began in 1995, with the implementation of the Personal Data (Privacy) Ordinance. It was the first comprehensive data protection law in the region with reference to the OECD Privacy Guidelines 1980 and the draft EU Data Protection Directive 1995. Arguably, the implementation of data protection law was necessary in order to discharge Hong Kong’s obligations for human rights and retain its status as an international trading centre. Thus, for Hong Kong one of the key objectives is to retain its international business status as a financial and services hub. Interestingly, the first laws came into effect 2 years before the handover of the territory from the former rule of the United Kingdom back to China.
This Chapter begins by highlighting how Hong Kong was ruled by the British before being handed back to China in 1997. This former British rule had a profound influence on the legal framework of Hong Kong. The current day data protection laws of Hong Kong reflect the framework set out by the OECD and the EU. However, the data protection laws of Hong Kong do significantly differ from other states in the Asia region. Going forward, the question will be whether the data protection laws of Hong Kong remain as they are, or move closer to the recently established laws of China. This Chapter discusses Definition of Personal Data, Public and Private, Transfer Matching and Transfer of Personal Data, Controller [Data User], Erasing Personal Data [Right to Be Forgotten], Data User Returns and Register of Data Users, Access and Correction of Personal Data, Consent and Direct Marketing, Privacy Commissioner, Enforcement and Security [Cyber].
Chapter 7. Macau
Robert Walters, Marko Novak
Abstract
Macau, similar to its neighbor Hong Kong, has a long history. Macau in more recent times was occupied by the Portuguese, which heavily influenced its current day legal framework. Today, it has largely retained the legal framework inherited from the Portuguese. Macau’s legal framework is based on the civil law tradition of continental European legal systems. It has also been influenced by Chinese law, Italian law, and some aspects of the common law.
Chapter 8. The Philippines
Robert Walters, Marko Novak
Abstract
The Philippines has a long and diverse history. The state is a member of the ASEAN community and located in a region of the world that is diverse culturally. It has been heavily influenced by the United States, and is an archipelago comprising 7100 islands. It has a land area of 300,000 square kilometres, 92% of which is found on the 11 largest islands. The country can be grouped geographically into the three major island groups: Luzon, Visayas, and Mindanao. Philippine culture is the result of traditions of the pre-Hispanic villages and regions and a variety of foreign influences including Islam, Catholicism, and Spanish, American, Chinese and Japanese rule. The Philippine legal system can be best described as a blend of customary usage, Roman (civil law) and Anglo-American (common law) systems, although in some Southern parts, Islamic law is observed.
The modern-day Constitution was established in 1987, and provides for a Bill of Rights. Sections 3 and 7 are of importance as they go some way to ensuring a level of privacy and data protection of its citizens. Section 3 states that the privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law. In addition, section 7 provides that the right of the people to information on matters of public concern shall be recognized. In addition, there is other important legislation whereby citizens’ right to privacy is also protected. This includes the Civil Code (Republic Act No. 386), Revised Penal Code (Act No. 3185), Republic Act No. 8505, Rape Victim Assistance and Protection Act of 1998; Republic Act No. 9344, and Juvenile Justice and Welfare Act of 2006. They have criminalized privacy in certain circumstances, whereby there is a need to protect the most vulnerable in the community, such as children and people with a disability.
Nonetheless, the Republic Act (RA) No. 10173, also known as the Data Privacy Act, came into effect in 2012. The 2012 Act created the National Privacy Commission, which is responsible for promoting, regulating, and monitoring data privacy compliance of both government agencies and private institutions. Some commentators are of the view that the Philippines data protection laws are based on the EU’s framework. Importantly, the Philippines is a member of the APEC Cross Border Privacy Enforcement Arrangement, the government backstop enforcement network developed for the Cross-Border Privacy Rules.
This Chapter examines the current data protection laws of the Philippines, particularly in relation to the onset of AI. For instance, compared to other countries discussed in this book, the law treats both kinds of personal information (general and sensitive) differently. Personal information may be processed, provided that the requirements of the Data Privacy Act are complied with. Yet, the processing of sensitive personal information is generally restricted.
Chapter 9. Taiwan
Robert Walters, Marko Novak
Abstract
This Chapter expands on the other states’ data protection laws within the Asia region. Taiwan, similar to many other nation states throughout the Asian region, has a long and complex history that dates back centuries. Privacy as a concept and right has gained traction in Taiwan. It must be noted that this Chapter does not in any way discuss the current political tensions between mainland China and Taiwan. It only examines the current day data protection laws of Taiwan.
Taiwan was a prefecture of Imperial China’s Fujian province from the late seventeenth century and formally became a province beginning in 1884. China ceded the island to Japan after losing the Sino-Japanese War of 1894–95. During World War II, the government of the Republic of China, led by Generalissimo Chiang Kai-shek and dominated by his Nationalist Party, declared the return of Taiwan to China as one of its aims. Franklin Roosevelt readily agreed because he wanted China’s help in preserving post-war peace. The Cairo Conference of late 1943 ratified this decision, in the process denying the people of Taiwan a say in their future. Taiwan returned to Chinese jurisdiction soon after the United States dropped nuclear bombs on Hiroshima and Nagasaki in 1945. Taiwan has also been ruled and influenced by both the Dutch and Portuguese at various times. Thus its current day legal framework has been influenced by civil and common law traditions.
The right to privacy across the territory of Taiwan is alive. Taiwan has adopted the title of Personal Data Protection Act in 1995 (PDPA). Since then, the PDPA has only been amended twice, with the most recent changes in 2015. The PDPA generally follows the privacy principles approved by the Asia-Pacific Economic Corporation (APEC) in 2004 and the EU legal framework. The PDPA not only regulates private entities but also imposes rules for data collection, use, and disclosure by the public sector. The PDPA was designed to provide an overarching protection of personal data with an extensive scope but has faced a number of problems regarding its implementation due to incorrect perception of the law. Taiwan has, similar to other states, been grappling to balance the need for national security while protecting personal data. In other words, where a country threatened by terrorism plans to establish a national biometric database, where all citizens will be required to submit their facial and other physical identifiers for national security or prevention of crime, it is much more difficult to justify a privacy breach. It will not be easy to strike a balance between these prominent interests.
Chapter 10. Lao
Robert Walters, Marko Novak
Abstract
Formerly known as Laos, the Lao People’s Democratic Republic (Lao PDR) is a small developing country in South East Asia. Over the past decade, Lao has established a number of laws to strengthen its response to cyber security intrusions and, to a lesser extent, the protection of personal data. That is, the Government of the Lao PDR has enacted a slew of technology and data related laws including: (a) the Law on Electronic Transactions (No. 02/NA, 7 December 2012); (b) Law on Prevention and Combating of Cyber Crime (No. 61/NA, 15 July 2015); (c) Law on Information and Communication Technology (No. 02/NA, 7 November 2016); and (d) Law on the Protection of Electronic Data (No. 25/NA, 12 May 2017). Furthermore, the Ministry of Post and Telecommunications has also implemented the Instruction on Computer Security (No. 3623/MPT, 11 December 2017), under the Law on Prevention and Combating of Cyber Crime.
Lao finds itself in a region of the world where digital technology is growing at one of the fastest rates. Southeast Asia is the world’s fastest growing Internet region with nearly four million new users coming online every month over the coming years (Ibid). This translates into a user base of 480 million. There are over 700 million active mobile connections in Southeast Asia (Ibid). Online spending is expected to reach US$ 200 billion by 2025. This means that there will be a flourishing digital economy if every one of the 480 million users is secure and cross-border transactions are not hijacked by hackers (Ibid).
However, these laws are silent with respect to artificial intelligence, and given the nature of how laws are issued it is likely that in due course new laws will be introduced to cover this activity. Assessing how these laws operate has been problematic given the lack of publicly available information.
Noteworthy too is the emerging area of specific data protection law in the state of Lao. That is, it appears there is little to no appetite for dedicated data protection laws. The current legal framework is further limited as it does not fully accept and account for the OECD or ASEAN data protection principles outlined in Chap. 3. This could in itself be problematic as the region becomes increasingly digitised. Furthermore, the laws in Lao are structured differently from the other states that have been examined in this book.
Chapter 11. Vietnam
Robert Walters, Marko Novak
Abstract
Vietnam, located in South East Asia and a member of ASEAN, has a complex history. Vietnam is the easternmost country on the Indochina Peninsula of South East Asia. With an estimated 90.5 million inhabitants, it is the world’s 14th-most-populous country, and the eighth-most-populous Asian country (Yılmaz, O, History of Vietnam and Socialist Republic of Vietnam ed. https://www.academia.edu/22247531/History_of_Vietnam_and_Socialist_Republic_of_Vietnam-Ed._Oğuzhan_Yılmaz). The name Vietnam translates as “Southern Viet” (synonymous with the much older term Nam Viet); it was first officially adopted in 1802 by Emperor Gia Long. The name was formally adopted again in 1945 with the founding of the Democratic Republic of Vietnam under Ho Chi Minh.
There is no specific constitutional recognition of a right to privacy in Vietnam. The state has, to date, taken a sectorial approach to personal data regulation. More importantly, there are no specific data protection laws. Over a relatively short period of time, a series of laws have been issued which regulate personal data. Commencing in 2005, the Law of E-Transactions asserted that data messages could be used to form contracts and they could also be used as evidence before the court. In addition, the use of digital certificates and signatures was established. The Civil Code, Law No. 33/2005/QH11, has also established rights for the citizens of Vietnam. Two years later, the 2007 Information Technology Law was enacted and identified prohibited acts and specified that data could only be acquired with consent and that it had to be securely stored. Furthermore, the law recognized the need for children’s privacy to be protected. Disabled people were also to be provided with a favourable environment online.
Three years later, the 2010 Law on protection of Consumer Rights extended information handling principles that had been previously introduced. In 2016 the Law on Network Information Security significantly expanded state controls on information. This included use of cryptography. Conducting business in network information security required a government license, and a company’s core staff had to be Vietnamese citizens permanently residing in Vietnam. These efforts were further strengthened by the 2018 Law on Cybersecurity. This law came into effect on 1 January 2019, and identifies various threats and attacks. Most controversially, it requires service providers to monitor the flow of information and to prevent certain prohibited materials from being distributed. Service providers, both foreign and domestic, are also required to authenticate the identity of their users. Records must also be kept in Vietnam of user activities. This data is also to be provided to Government agencies upon request. There are no presently existing laws with respect to artificial intelligence. Given the pace within which laws have been issued recently, regulations regarding the use of artificial intelligence may be expected. Thus, this Chapter highlights that yet another country has adopted a sectorial approach to protecting personal data.
Chapter 12. China
Robert Walters, Marko Novak
Abstract
China (This chapter comes from an earlier publication: Robert Walters, Current status of China’s cybersecurity-data protection laws, Privacy Law Bulletin 17(4):60–64 (5 pages) 04 Aug 2020) has embraced technology to advance its sovereign needs. China and its people have a remarkable story, emerging from third world status to arguably first world status in a very short period of time, when compared to many western countries. They have lifted more than 1 billion people out of poverty in less than 50 years. Thus, the resulting effect has seen the development of quite different laws for the protection and management of personal data.
Data Protection Law – North America
Frontmatter
Chapter 13. Canada
Robert Walters, Marko Novak
Abstract
Canada is another country that has a remarkable story, with a rich and diverse history that dates back centuries. Canada is unique in that even though it is a Western democratic country it has adopted both the common and civil law. Privacy and data protection have been an evolving part of Canadian society. During the 1960s and 1970s, there was considerable debate regarding the extensive use of listening devices by private agencies. Commonly cited examples range from car salesmen who would bug cars to determine how much customers would pay for them, to dance studios that eavesdropped on customers’ conversations to determine the most effective sales pitch. During the 1950s and 1960s, the police employed electronic listening devices when investigating criminal activity; however, there was limited success. Canada has embraced the concept of the right to privacy, along with the need to protect its citizens’ personal data and information over the Internet. This Chapter explores the current data protection laws of Canada. It does not examine the equivalent laws in Quebec.
Chapter 14. The United States
Robert Walters, Marko Novak
Abstract
The right to privacy in the United States (US) can be traced to the late 1800s. However, while the right to privacy has a long history in the US, it would not have been conceived that today the right has become one of the most important and contested rights. This is because it competes with many other policy areas of government such as national security and the economy. Nonetheless, the US is home to some of the largest Internet companies in the world. The data protection laws in the US can be best described as being sectorial based. To date this has served the state well; however, as there are increasing concerns in relation to the misuse and abuse of personal data, governments and regulators have sat up and taken note of the many anomalies.
Due to the breadth and depth of the sectorial approach to data protection, this Chapter generally focuses solely on the laws of the Federal Trade Commission and Health. The Chapter briefly highlights the other laws that consider personal data such as the Children’s Online Privacy Protection Act, amongst others. The Chapter further outlines how some states such as California have developed specific data protection laws.
In considering the wider cybersecurity and AI risks posed by new technology, this Chapter, consistent with the other chapters, will discuss the definition of personal data and the concept of consent. Despite the sectorial approach taken by the US, it has thought about the implications for children from smart home appliances, toys and other AI devices that will come onto the market. This Chapter briefly highlights some of the work that has been undertaken by the US in this area of policy and the law.
Moreover, further work is needed by the US to also consider how smart home technology, from fridges and televisions to toys and robots, will have an impact more generally on Americans. This work is urgently needed to better understand the potential impacts on the disabled and elderly members of society. On the other side, one of the most vulnerable groups, in our view, is children, and the sectorial regulatory approach may no longer be viable to protect this cohort. Arguably, of all the laws discussed and compared in this book, the US is the most complex in which to understand what and where a data subject’s right to data protection lies. With the implementation of the new state-based privacy laws of California, it remains to be seen whether this will result in major changes at the federal level. There have been calls for more specific data protection laws at the federal level.
Chapter 15. Comparison, Challenges and a Way Forward
Robert Walters, Marko Novak
Abstract
This Chapter compares the data protection laws of Canada, China, Hong Kong, Lao, Macao, Taiwan, The Philippines, South Korea, United States and Vietnam. It does not provide a comprehensive discussion of the policy or legal gaps between the respective jurisdictions. However, it will focus on comparing the key principles and concepts outlined in each of the jurisdictions. Due to the breadth and depth of the privacy law, it will address the following concepts and principles:
• Privacy and Data Protection Laws;
• Application to Public and Private Sectors;
• Definition of Personal Data;
• Consent;
• Data Localization;
• Rights-Right to be Forgotten, Correction and Deletion; and
• Data Transfers.
This Chapter has limited the comparative analysis to the above concepts and principles because they are considered the most important at this early stage of AI technology being developed. These principles and concepts are considered to be the most vulnerable to cyber security intrusions. This Chapter argues that a further and more comprehensive study is required to determine what other provisions of data protection law will need to be reviewed to ensure adequate protection is retained over personal data. It calls for a review of the current day data protection laws to determine whether the current definition of personal data and the concept of consent are adequate, in the context of AI devices in the home. It must be noted that this Chapter will duplicate some of the law that has been discussed in the country specific chapters.
Chapter 15 is one of the most important chapters of this book because it identifies a limited pathway forward. One of the most pressing challenges is the lack of understanding of the impact that AI has on children and the most vulnerable in the community. It will identify not only the challenges that lie ahead, but touch on some of the issues that need to be reconciled to ensure personal data is protected when that data is captured and used by AI devices.
Backmatter
- Title
- Cyber Security, Artificial Intelligence, Data Protection & the Law
- Authors
- Robert Walters
- Prof. Marko Novak
- Copyright Year
- 2021
- Publisher
- Springer Singapore
- Electronic ISBN
- 978-981-16-1665-5
- Print ISBN
- 978-981-16-1664-8
- DOI
- https://doi.org/10.1007/978-981-16-1665-5