Kristina Irion

The Governance of Network and Information Security In the European Union: The European Public-Private Partnership for Resilience (EP3R)

In public policy information and communications technology (ICT) infrastructures are typically regarded as critical information infrastructures and, thus, require security and protection against cyberthreats. The European Union (EU) Network and Information Security (NIS) policy combines public and private policies at the level of the operators which are highly interdependent. Any NIS policy success rests to an overwhelming degree on the commitment and compliance of the ICT infrastructure operators. Increasingly, policy makers have to pay attention to the supporting governance system which would give best effect to the NIS policy objectives. This contribution focuses on NIS governance in the EU and explores mechanisms of cooperation between public and private operating ICT infrastructure through the lens of governance theory. It concludes that NIS governance objectives can be pursued in public-private partnerships, but not all functions of NIS policy can be suitably performed at the EU level. Any engagement with the industry needs to be supported by appropriate governance mechanisms that deliver high levels of commitment and compliance by private stakeholders. Against this backdrop this paper critically assesses the European Public-Private Partnership for Resilience (EP3R) NIS and offers recommendations for EU policy makers on a suitable Europe-wide multi-stakeholder governance framework to promote NIS strategy and highlevel policy.

The Best of Both Worlds? Free Trade in Services, and EU Law on Privacy and Data Protection

The article focuses on the interplay between European Union (EU) law on privacy and data protection and international trade law, in particular the General Agreement on Trade in Services (GATS) and the WTO dispute settlement system. The argument distinguishes between the effects of international trade law in the EU legal order on the one hand, and, on the other hand, how EU data protection law would fare in a hypothetical challenge under the GATS. The contribution will apply international trade law and the general exception in GATS Article XIV to typical requirements stemming from EU data protection law, especially on transfers of personal data to third countries. The article enumerates the specific legal risks for defending EU law on privacy and data protection and explains the practical implications of its hypothetical challenge under the GATS. These insights could be useful for the EU’s negotiators of the future bi- or multilateral free trade agreements, notably the Transatlantic Trade and Investment Partnership and the Trade in Services Agreement.

Your digital home is no longer your castle: how cloud computing transforms the (legal) relationship between individuals and their personal records

In line with the overall trend individuals’ personal affairs, too, are composed of digital records to an increasing amount. At about the same time, the era of local storage in end user equipment is about to give way to remote computing where data resides on third party equipment (cloud computing). Once information, and even the most personal one, is no longer stored on personal equipment the relationship between individual users and their digital assets belonging to them is becoming increasingly abstract.This contribution focuses on the implications of cloud computing for individuals’ unpublicized digital records. The question to be answered is whether - taken together - the progressing virtualization and the disruption of physical control produce a backslide for individual positions of rights. The paper introduces the legal treatment of users’ digital personal records and how a technical transformation in combination with disparate legal protection and prevailing commercial practices are bound to impact the distribution of rights and obligations.

Mitbestimmung des Betriebsrats bei der Einrichtung einer Facebook-Seite

Eine vom Arbeitgeber betriebene Facebookseite, die es den Nutzern von Facebook ermöglicht, über die Funktion »Besucher-Beiträge« Postings zum Verhalten und zur Leistung der beschäftigten Arbeitnehmer einzustellen, ist eine technische Einrichtung, die zur Überwachung der Arbeitnehmer i. S. d. § 87 Abs. 1 Nr. 6 BetrVG bestimmt ist. Die Bereitstellung der Funktion »Besucher-Beiträge« unterliegt der Mitbestimmung des Betriebsrats. BAG, Beschluss vom 13. Dezember 2016 – 1 ABR 7/15 (LAG Düsseldorf)