SCRIPTed: A Journal of Law, Technology & Society
http://journals.ed.ac.uk/script-ed
Intellectual Property, Information Technology, Medical Law - SCRIPTed’s Editorial Board (http://journals.ed.ac.uk/script-ed/about/editorialTeam) is assisted by an Advisory Board of internationally-renowned experts drawn from the disciplines of intellectual property, information technology, medical law, artificial intelligence, communications law and E-commerce. Submissions are invited on any aspect of the relationships between law, policy, society, ethics, and technologies.
University of Edinburgh en-US SCRIPTed: A Journal of Law, Technology & Society 1744-2567

Obituary: In Memory of Andrew Cormack
http://journals.ed.ac.uk/script-ed/article/view/8982
Ayça Atabey Şimal Efsane Erdoğan
http://creativecommons.org/licenses/by-nc-nd/4.0
2023-08-10 2023-08-10 20 2 282 284 10.2218/scrip.20.2.2023.8982

Editorial Introduction
http://journals.ed.ac.uk/script-ed/article/view/8983
Ayça Atabey Şimal Efsane Erdoğan Mihail Dishev
http://creativecommons.org/licenses/by-nc-nd/4.0
2023-08-10 2023-08-10 20 2 285 288 10.2218/scrip.20.2.2023.8983

Knowing me, knowing you: Opinions, reputation, DNA and other entangled personal data
http://journals.ed.ac.uk/script-ed/article/view/8908
It’s not uncommon for the same piece of personal data to relate to more than one individual. Opinions, feedback and reputation involve statements by one identifiable person about another; genetic data contain information about an individual, but also their relatives, ancestors and descendants; data about communications relate to both the sender and recipient; observations of one person may be used to make predictions about others. Privacy cases and papers have found these situations troubling, but analyse them by applying data protection law to a single data subject.
This paper instead treats “entangled” personal data as involving multiple perspectives, examining how data protection principles apply simultaneously to different subjects of the same data. Where the perspectives are the same – as in a case on examination scripts – few problems are likely. Where there are significant differences this approach confirms the problems found by others but also suggests how these can be reduced: aligning the perspectives by changing data sources or processing, adopting voluntary limitations or safeguards. By quickly identifying problems that may not be apparent from a single-data-subject analysis, and identifying possible mitigations, an entangled analysis provides theoretical and practical guidance: suggesting safer ways to use this increasingly common form of personal data.
Andrew Cormack
http://creativecommons.org/licenses/by-nc-nd/4.0
2023-07-07 2023-07-07 20 2 289 324 10.2218/scrip.20.2.2023.8908

Contractual Mechanisms for Securing the Public Interest in Data Sharing in Public-Private Health Research Partnerships
http://journals.ed.ac.uk/script-ed/article/view/8978
Public private partnerships (PPPs) are increasingly common in health research, with large European investment over the last 20 years and renewed focus in the wake of the global health crisis COVID-19. PPPs have been used for health research that seeks to collect, analyse and share personal data from research participants, often on the basis of informed or broad consent. PPPs are underpinned by contracts, both to govern the use of data and samples necessary for health research, and to govern the agreement between the public and private contracting parties of a project. This raises the question of how far contracts adequately protect public interests, for example in privacy and data protection when patient data are exposed to a broader range of potential uses from the private sector.
A core principle of contract law is that you cannot contract for unlawful activity. As such, contracts could be void if their design or performance entails a breach of statute or common law, for example data protection and privacy laws or the common law duty of confidentiality. This paper analyses the implications of this general principle of illegality for contracts underpinning PPPs in health research, particularly to understand the extent to which it could operate to protect the public interest as conceived by privacy and data protection law. The paper will show how this heavily policy-driven doctrine has scope to ensure that contracts and contract terms that are contrary to public policy are void or unenforceable which, in the context of PPPs using personal information for health innovation and research, is a welcome, though limited, accountability mechanism in private law that could operate to serve the public interest.
Jessica Bell Miranda Mourby Jane Kaye
http://creativecommons.org/licenses/by-nc-nd/4.0
2023-08-08 2023-08-08 20 2 325 351 10.2218/scrip.20.2.2023.8978

The GDPR’s Rules on Data Breaches: Analysing Their Rationales and Effects
http://journals.ed.ac.uk/script-ed/article/view/8979
The General Data Protection Regulation (GDPR) requires an organisation that suffers a data breach to notify the competent Data Protection Authority. The organisation must also inform the relevant individuals, when a data breach threatens their rights and freedoms. This paper focuses on the following question: given the goals of the GDPR’s data breach notification obligation, what are its strengths and weaknesses? We identify six goals of, or rationales for, the GDPR’s data breach notification obligation, and we assess the obligation in the light of those goals. We refer to insights from information security and economics, and present them in a reader-friendly way for lawyers.
Our main conclusion is that the GDPR’s data breach rules are likely to contribute to the goals. For instance, the data breach notification obligation can nudge organisations towards better security; such an obligation enables regulators to perform their duties; and such an obligation improves transparency and accountability. However, the paper also warns that we should not have unrealistic expectations of the possibilities for people to protect their interests after a data breach notice. Likewise, we should not have high expectations of people switching to other service providers after receiving a data breach notification. Lastly, the paper calls for Data Protection Authorities to publish more information about reported data breaches. Such information can help to analyse security threats.
Frederik Zuiderveen Borgesius Hadi Asghari Noël Bangma Jaap-Henk Hoepman
http://creativecommons.org/licenses/by-nc-nd/4.0
2023-08-10 2023-08-10 20 2 352 382 10.2218/scrip.20.2.2023.8979

Postcolonial Differentials in Algorithmic Bias: Challenging Digital Neo-Colonialism in Africa
http://journals.ed.ac.uk/script-ed/article/view/8980
As digital technologies become the dominant driver of the global economy, Africa finds itself once again faced with the prospect of developmental stagnation. In an increasingly technological age, parallels to the colonial era can be made, particularly in reference to the detrimental impact on the African economy and the continent’s developmental trajectory. AI, which drives these technologies, is informed by algorithms. The biases inherent in these algorithms lead to digital discrimination. This discrimination has resulted in a new form of colonialism, referred to as digital neocolonialism, which denotes the exclusionary barrier that has been created by algorithms.
This work challenges algorithmic bias through the application of postcolonial theory, which calls for a dismantling of colonial imposition by reimagining and reframing the concept of the ‘other’. The gaps in current AI systems, and the power imbalances created, are interrogated through an analysis of bias and its impact. Through a postcolonial lens, a call is made for more inclusive AI systems, and datasets that challenge the assumed neutrality of algorithms.
Sunita Menon
http://creativecommons.org/licenses/by-nc-nd/4.0
2023-08-10 2023-08-10 20 2 383 399 10.2218/scrip.20.2.2023.8980

Book review: Embodied Narratives: Protecting Identity Interests through Ethical Governance of Bioinformation
http://journals.ed.ac.uk/script-ed/article/view/8981
Claudia González-Márquez
http://creativecommons.org/licenses/by-nc-nd/4.0
2023-08-10 2023-08-10 20 2 400 407 10.2218/scrip.20.2.2023.8981