ISM W32 JUST LAW + W23 (kept it super simple) Flashcards

(24 cards)

1
Q

BREXIT

A

Even though the UK left the EU in 2020, the UK made the ‘European Union (Withdrawal) Act 2018’ to keep the relevant EU law as domestic law.

e.g. the EU GDPR (General Data Protection Regulation) ⇒ the UK GDPR

EU law continues to have a profound influence on law makers in the UK and elsewhere, ESPECIALLY ON ISM-RELEVANT LAW.

2
Q

Terminology: Legal acts of the EU

A

REGULATIONS: immediately enforceable, NO NATIONAL LEGISLATION REQUIRED (though countries still have their own sometimes)
(Recent EU regulations are increasingly called “Acts”.)

DIRECTIVES: legally binding but need to be implemented individually by each EU member state (usually as national legislation)

DECISIONS: legally binding but applied to individuals

RECOMMENDATIONS: legally non-binding

OPINIONS: legally non-binding

3
Q

TERMINOLOGY: LEGAL ACTS OF THE UK

A

ACTS OF PARLIAMENT: primary legislation passed by the UK Parliament in Westminster

ACTS OF DEVOLVED LEGISLATURES IN THE UK: (one form of secondary/subordinate legislation in the UK)
(There's also one for Scotland, Wales and Northern Ireland, and apparently the Northern Ireland ones are bare long.)

STATUTORY INSTRUMENTS: secondary (delegated) legislation made by an executive authority (rather than a legislature)
(They are often called “regulations”, which is bullshit 'cause it's a totally different thing to EU regulations. I get the impression that EU regulations are BIG NEWS whereas these UK ones are BULL :)
- There is limited parliamentary control (approving or rejecting)… SEE WHAT I MEAN

4
Q

List of ISM-RELEVANT LAWS: mostly for KEYWORDS

A
  • Cybercrime laws
  • Digital investigation laws
  • UK Online Safety Act 2023
  • EU eIDAS Regulation and UK eIDAS Regulations
  • EU NIS / NIS2 Directives and the UK NIS Regulations
  • Data protection and privacy laws
  • Freedom of information laws
  • E-commerce/Fintech/digital services/market laws
  • AI law
  • Intellectual property laws
  • Anti-terrorism laws
5
Q

WHAT IS A CYBERCRIME?

A

CLASSIFICATION (UK LAW ENFORCEMENT)

CYBER-DEPENDENT CRIME
(≈ computer as a target)

CYBER-ENABLED CRIME
(≈ computer as a tool)

KEYWORD SPAM!!!!!!!!!!!!!!!!!!!!!!!!!!
- Cybercrime / cyber crime
- Digital crime / Computer crime / Electronic crime / e-crime / ICT crime
- Online crime / Internet crime
- High tech crime / White collar crime

6
Q

UK COMPUTER MISUSE ACT (CMA) 1990 (but amended several times since 2006, 2015 etc.)

A

BASICALLY ABOUT AUTHORISATION - (e.g. hacking can be ethical and legal if it is authorised).

CRIMINAL OFFENCES
- UNAUTHORISED ACCESS to computer material
- Unauthorised access to computer material with intent to commit or facilitate commission of further offences
- UNAUTHORISED ACTS with intent to impair operation of computer etc.

This was a biggy!!! Used as a reference by many other nations (Republic of Ireland, Canada, etc.) to create their cybercrime laws.

7
Q

UK SCA (Serious Crime Act) 2015

A

CREATES NEW OFFENCE OF UNAUTHORISED ATTACKS IN RELATION TO A COMPUTER THAT RESULT, EITHER DIRECTLY OR INDIRECTLY, IN SERIOUS DAMAGE
- to the economy, the environment,
- national security or human welfare,
- or creates a significant risk of such damage.

MAXIMUM SENTENCE OF LIFE IMPRISONMENT for cyber attacks causing loss of life, serious illness or injury, or serious damage to national security.

14 YEARS IMPRISONMENT for cyber attacks causing, or creating a significant risk of, severe economic/environmental damage or social disruption.

8
Q

UK IPA (Investigatory Powers Act) 2016

A

It regulates electronic surveillance powers of UK intelligence agencies and police.

ABOVE SENTENCE SUMS IT UP ^^^^^^^^^^^^^^^^

REFERRED TO INFORMALLY AS SNOOPER’S CHARTER - you can infer the rest……………………………………………dodge

SELECTED KEY POINTS IF UR INTERESTED:
- New powers for targeted and bulk interception of communication and collection of communication data
- Requiring CSPs/ISPs to retain Internet connection records for one year
- Allowing many authorities to see Internet connection records without a warrant
- Permitting targeted equipment interference (i.e., “hacking”)
- Maintaining an existing requirement for CSPs to remove encryption (applied by CSPs)
- New criminal offences related to access to Internet data

In April 2018, the UK High Court ruled the act is incompatible with EU law.
- The Data Retention and Acquisition Regulations 2018 were passed as the UK Government's response

9
Q

UK RIPA (Regulation of Investigatory Powers Act) 2000

A

It regulates public bodies’ powers on surveillance and investigation.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ yeah

SOME KEY POINTS:
- enables certain public bodies to demand that an ISP provide access to a customer’s communications in secret;
- enables mass surveillance of communications in transit;
- enables certain public bodies to demand ISPs fit equipment to facilitate surveillance;
- enables certain public bodies to demand that someone hand over keys to protected information;
- allows certain public bodies to monitor people’s Internet activities;
- prevents the existence of interception warrants and any data collected with them from being revealed in court.

10
Q

UK OSA (Online Safety Act) 2023

A

Its aim is “to make the UK the safest place in the world to be online while defending free expression.”

HIGHLY CONTROVERSIAL AS ‘threat to freedom of expression’

‘the act undermines privacy guarantees and, indeed, safety online’.

………………………………………………………………….

TYPES OF ONLINE CONTENT THE ACT TACKLES: (DSIT, 2024)
- Illegal content
- Content that is harmful to children + age-inappropriate content
- Suicide and self-harm content

PENALTIES FOR OFFENCES
- Up to max(£18m, 10% of annual global turnover)

  • The original bill was drafted in 2021, and the act was passed in 2023.
  • The defined independent regulator is Office of Communications (Ofcom), which is implementing the law by 2025.
11
Q

UK eIDAS Regulations

A

Was amended from EU to UK after Brexit.

EU NIS DIRECTIVE 2016 (officially known as Directive (EU) 2016/1148)
NIS = (Security of) Network and Information Systems

  • The first EU-wide cyber security legislation
  • Main goal is to boost the overall level of cyber security of the whole EU, ensured by preparedness + cooperation + culture across sectors
  • It requires EU member states to have a national CSIRT and a competent national NIS authority.
  • Updated in 2022 to Directive (EU) 2022/2555 (also known as NIS2 or the NIS 2 Directive)
12
Q

UK NIS Regulations 2018

A

Yeah, this one's a bit bookie; the bit I've put at the top here seems the most important:

  • DIGITAL SERVICE PROVIDERS: Information Commissioner’s Office (ICO)
  • ICO is also in charge of data protection and freedom of information laws.
  • DIGITAL INFRASTRUCTURE: Office of Communications (Ofcom)

………………………………………………………………..

  • The UK’s implementation of the EU NIS Directive 2016
  • Part of the UK’s National Cyber Security Strategy 2016-2021

Multiple competent NIS authorities for different sectors:
  • DIGITAL SERVICE PROVIDERS: Information Commissioner’s Office (ICO)
  • ICO is also in charge of data protection and freedom of information laws.
  • DIGITAL INFRASTRUCTURE: Office of Communications (Ofcom)
  • Other sectors: drinking water supply and distribution, energy (electricity, gas, oil), health, transport (air, maritime, road, rail)
  • The NIS authorities are often different for the four countries in the UK.
13
Q

Other ISM-relevant EU laws (keyword spam)

A
  • Privacy and data protection related laws
  • Cybersecurity Act 2019 = Regulation (EU) 2019/881
  • Data Governance Act 2022 = Regulation (EU) 2022/868
  • Digital Markets Act 2022 = Regulation (EU) 2022/1925
  • Digital Services Act 2022 = Regulation (EU) 2022/2065
  • Digital Operational Resilience Act (DORA) 2022 =
    Regulation (EU) 2022/2554
  • Artificial Intelligence Act 2024 = Regulation (EU) 2024/1689
  • Cyber Resilience Act 2024 = Regulation (EU) 2024/2847
  • Cyber Solidarity Act 2025 = Regulation (EU) 2025/38
14
Q

Other ISM-relevant UK laws

(I'm not being funny, but there's so many of these fucking laws that if you remembered the frequently used years and keywords of the laws you could very well blag some marks here)

;)

A

PRIVACY AND DATA PROTECTION RELATED LAWS
- Telecommunications (Security) Act 2021
“about the security of public electronic communications networks and public electronic communications services”

CYBER SECURITY AND RESILIENCE BILL (announced in 2024, to be introduced in the UK Parliament in 2025)
- Can be seen as an alignment of the UK NIS Regulations 2018 with the EU NIS2 Directive 2022.
- “expanding … to protect more digital services and supply chains; putting regulators on a strong footing to ensure essential cyber safety measures are being implemented; mandating increased incident reporting …”

ARTIFICIAL INTELLIGENCE (REGULATION) BILL (introduced to the UK Parliament in 2025)
- Inspired by the EU AI Act 2024

15
Q

THE FUTURE - Self-sovereign identity (SSI) AND Verifiable credentials (VCs)

A

Self-sovereign identity (SSI)
Self-sovereign = Giving control back to users!
- Claim-issuers issue identities to users.
- Each user controls her/his own identities.
- A user presents (part of) her/his identity to a verifier so that the latter can verify the presented identity (i.e., the relevant attribute(s)).
- Such user-controlled identities can be represented in the form of verifiable credentials.

Verifiable credentials (VCs)
- Electronic credentials that individual users can hold and have verified by others when needed, in the context of SSI.
- W3C Verifiable Credentials Data Model 2.0 (25 February 2025)

USE CASES
- Age verification
- Parking permits
- COVID immunity passports

16
Q

EU GDPR 2016

A

Data subject’s rights (UK ICO guidelines)
1. Right to be informed
2. Right of access
3. Right to rectification
4. Right to erasure (“Right to be forgotten”)
5. Right to restrict processing
6. Right to data portability
7. Right to object
8. Rights related to automated decision making, including profiling

17
Q

UK DPA 1998:

A
  • Right of access to personal data
  • Right to prevent processing likely to cause damage or distress
  • Right to prevent processing for purposes of direct marketing
  • Rights in relation to automated decision-taking
  • Right to request incorrect information be rectified, blocked, erased or destroyed
  • Rights to request compensation for failure to comply with certain requirements
18
Q

The historical timeline

A

1948: UN UDHR
1950: Council of Europe ECHR ⇒ UK Human Rights Act 1998
2000: Charter of Fundamental Rights of the EU

1995: EU Data Protection Directive ⇒ UK Data Protection Act (DPA) 1998
2016: EU GDPR (General Data Protection Regulation) ⇒ UK Data Protection Act (DPA) 2018 + UK GDPR (2021-)

2002: EU ePrivacy Directive ⇒ UK Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003
2017-?: EU ePrivacy Regulation (to replace the ePrivacy Directive 2002, still in the proposal stage)

19
Q

UN UDHR 1948

A

UDHR = UN UDHR 1948 = Universal Declaration of Human Rights

  • One of the most fundamental documents made by the UN (United Nations)
  • The other three fundamental documents: UN Charter, Convention on the Rights of the Child, Statute of the International Court of Justice
  • “Article 12. No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour or reputation. Everyone has the right to the protection of the law against such interference or attacks.”
20
Q

Council of Europe ECHR 1950

A

ECHR = European Convention on Human Rights

Official title: “The Convention for the Protection of Human Rights and Fundamental Freedoms”
- Came into force in 1953.
- Implementation in the UK: Human Rights Act 1998

“Article 8 – Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”

21
Q

Charter of Fundamental Rights of the European Union (2000)

A

“Article 7 – Respect for private and family life
Everyone has the right to respect for his or her private and family life, home and communications.”

“Article 8 – Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.”
22
Q

EU Data Protection Directive 1995

A

Official title
“Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data”

  • 3 principles for processing personal data
    - Transparency
    - Legitimate purpose
    - Proportionality
  • Supervisory authority and the public register of processing operations
    - Information Commissioner’s Office (ICO) in the UK
  • Transfer of personal data to third countries
    - Only if the third country has an adequate level of protection.
23
Q

EU Data Protection Directive 1995

A

Personal data and data subject
- “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” (Article 2a)

Processing of personal data
- “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction” (Article 2b)

(Data) Controller
- “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data” (Article 2d)

(Data) Processor
- “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller” (Article 2e)

24
Q

UK Data Protection Act 1998: Exemptions

A

Exemptions
- National security
- Domestic
- Crime
- Health
- Tax
- Social work
- Students
- Research
- Statistical purpose
- Journalism (public interest)
- Employment references
- Staff planning