Masaryk University Journal of Law and Technology

People’s Republic of China and the adequacy – Why Chinese data protection law is not adequate within the meaning of the GDPR

Wojciech Panek — 2024-09-30

Chinese data protection seems to be problematic. On the one hand, it does exist, at least formally, especially after the reform initiated by the adoption of the Cybersecurity Law and finished by the Personal Information Protection Law entering into force. However, the mere adoption of personal data protection regulations does not guarantee that they provide personal data protection at an appropriate level. For EU law, the adequacy standard is the reference point for verifying personal data protection in a third country. Therefore, it is necessary to meet specific criteria summarising the term of essential equivalence, as introduced by the Court of Justice of the European Union. This article discusses the three most critical problems that result from comparing the provisions of the Chinese Cybersecurity Law, the Civil Code, the Data Security Law and the Personal Information Protection Law with the EU’s adequacy standard. The article consists of the introduction, four parts and closing remarks. The first part explains the methodology of research on Chinese data protection law and criteria applied to its examination. The second, third and fourth parts discuss the complicated relationships between the laws related to the protection of personal data, the status of state authorities as data controllers and multi-stakeholder supervision over personal data protection.

Of Hackers and Privateers: The Possible Evolution of the Problem of Cyber-Attribution

Jakub Vostoupal — 2024-09-30

The escalating severity of the cyber-attribution problem (a problem with attributing cyberattacks to states that ordered them) poses a significant challenge to international law and cyberspace security. However, amidst worsening international relations, a viable solution remains elusive. To address this predicament, the authors turn to a historical echo of the contemporary practice of employing hacker groups – namely, privateering. After an in-depth examination of this analogy’s suitability, they focus mainly on the factors that contributed to the decline of privateering. Their goal is to uncover parallels potentially applicable to mitigating modern challenges posed by state-sponsored cyberattacks and the exploitation of cyber-attribution problem. Among the key identified factors, the most crucial were the emergence of professional cyber-capacities (akin to post-Napoleonic emergence of professional navies) and the disruption of hackers’ safe havens. The paper concludes by introducing three prospective scenarios reflecting potential pathways for the future of the cyber-attribution challenges.

Shrouded in secrecy – does the comitology procedure for GDPR adequacy decisions fit its purpose?

Michal Czerniawski — 2024-09-30

With the entry into force of Directive 95/46/EC, the EU based its approach toward data transfers on adequacy decisions, unilateral acts of the European Commission, issued as implementing acts. The EU co-legislators subsequently copied this model into the GDPR and the LED. Since the very beginning, the adequacy procedure involves a comitology phase in which a committee consisting of representatives of Member States expresses its opinion about the Commission's draft implementing act. I argue that adequacy, designed as a technical process, evolved into a tool in which politics, including economic relations and commercial interests, play an ever-greater role. This goes against the concept of comitology, the legitimacy of which is built on denying the political nature of what is delegated. Taking into account the above, as well as other shortcomings of the EU adequacy model, I argue that it is the right time to rethink it. There is also the need for a separate discussion regarding the role of the Article 93 Committee in the adequacy procedure, to be conducted together with the debate on the role and accountability of the European Commission.