Skip to main content

Karen McCullagh

University of East Anglia, UEA Law School, Faculty Member

Followers

109

Following

22

Public Views

My research specialism is information rights: both the commercial and fundamental rights aspects of privacy and data protection particularly in the context of technology e.g. big data, biometrics, cloud computing and social media, and also Freedom of Information, as an aspect of public law.
I am a member of the Executive Committee of BILETA (British & Irish Law, Education & Technology Association), and the IT editor for the European Journal of Current Legal Interests (EJoCLI).
I am the Course Director for the LLM in Media Law, Policy & Practice at the University of East Anglia. I am module organiser for Internet Law & Governance and The Law of E-Commerce modules and teach on the Protection of Privacy & Reputation module on the LLM Programmes: Media Law Policy & Practice and IP & IT Law. I also teach on the Internet Law, Media Law and Constitutional & Administrative Law undergraduate modules. I also contributes to the 'Global Media and Communications Law' module as part of the University's International Summer School programmes.
I received a UEA Award for Excellence in Teaching in 2012-2013. The award panel praised my ‘extremely innovative approach to teaching, in particular the powerful effect of using multiple media approaches for teaching, which allows me to bring a highly personal approach to large class teaching, and noted that my feedback materials were models of clarity.’ They also commended my ‘impressive commitment to pastoral support and praised her exceptional and inspirational teaching.’
Address: UEA Law School
University of East Anglia
Norwich Research Park
Norwich
NR4 7TJ

less

InterestsView All (22)

Uploads

Papers by Karen McCullagh

Brexit: potential trade and data implications for digital and 'fintech' industries

Following the outcome of the historic ‘Brexit’ referendum on 23 June 2016 in which a majority of ... more Following the outcome of the historic ‘Brexit’ referendum on 23 June 2016 in which a majority of eligible voters in the UK voted to ‘Leave’, the
UK is potentially on course to leave the European Union (EU), but to ensure continued economic success it will seek to maintain a favourable trading relationship with the EU.
This article identifies and critically evaluates the various types of trade deals the UK might negotiate upon exit with a particular focus on trade in
services since financial and digital services are key components of the UK economy.
It also offers both pre- and post-exit guidance on the data protection permutations of each type of trade deal and concludes that post-withdrawal, the UK should ensure that its data protection law
is fully compliant with Regulation (EU) 2016/679. Forging its own data protection path could lead to isolation.

A tangled web of access to information: reflections on R (on the application of Evans) and another v Her Majesty's Attorney General

The Freedom of Information Act 2000 ('FOIA') came into force on 1 January 2005. It created, for t... more The Freedom of Information Act 2000 ('FOIA') came into force on 1 January 2005. It created, for the first time, a statutory right of access to information held by a wide range of public authorities. The right of access extends to all information held, regardless of how old the information is and the format in which it is held, unless one of the absolute exemptions listed in the Act is applicable, or the public interest test for disclosure is not satisfied in respect of a qualified exemption. Significantly, the Act also contains a power of ministerial veto, the effect of which is that orders to disclose information under the Act are rendered ineffective if a minister certifies that they have "reasonable grounds" for having formed the opinion that non-disclosure would not be unlawful. Prior to R (on the application of Evans) and another v Attorney General, [2] there was a lack of certainty regarding what constituted 'reasonable grounds' for the issuance of a ministerial certificate. As well as clarifying the threshold for reasonable grounds for issuing a veto, this judgment also engages in a discussion of the relationship between three fundamental constitutional principles: the rule of law, separation of powers and parliamentary sovereignty to determine the extent to which it is legally and constitutionally legitimate for a court exercising powers of judicial review to strike down a Government Minister's decision made under powers granted by Parliament to overturn an independent judicial tribunal's judgment. Thus, the decision is of interest to those seeking to assess its potential contribution to discourse on common law constitutionalism.

CROSS-BORDER DATA PROTECTION: APPLICABLE LAW AND TERRITORIAL POWERS OF NATIONAL DATA PROTECTION SUPERVISORS

An analysis of the European Court of Justice preliminary ruling in Case C-230/14 Weltimmo s.r.o. ... more An analysis of the European Court of Justice preliminary ruling in Case C-230/14 Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, on the interpretation of two important aspects of Directive 95/46/EC, namely, the applicable law, and territorial reach of national data protection authorities. The Court ruled that the data protection legislation of a member state may be applied by the national data protection authority to a foreign registered company which exercises, through stable arrangements, real and effective (albeit minimal) activity in that member state; a ruling that potentially increases compliance costs for entities operating across multiple European jurisdictions pending the introduction of the proposed General Data Protection Regulation.

The General Data Protection Regulation: A Partial Success for Children on Social Network Sites?

Almost 20 years ago, the first social networking site (“SNS”) was launched in the U.S. Whilst dev... more Almost 20 years ago, the first social networking site (“SNS”) was launched
in the U.S. Whilst developers originally intended for SNSs to be used by
adults—which they are—they have also become an integral communication
platform in the lives of many children in EU Member States. Sharing personal information on SNSs is now a routine activity for many children and, whilst they are computer literate in a way that their parents are often not, a number of concerns have emerged. One of these concerns is that children are vulnerable since they lack the capacity to consent to the terms of SNS membership agreements regarding the processing of their personal data. A further concern is that children’s naïve confidence sometimes leads them to take risks—by sharing information about themselves—that adults would not take. This is particularly concerning as children may be ignorant about the fact that their profile and behavioural data is sold to data brokers who use that information to produce targeted adverts—and that these adverts may display age inappropriate content or even may not by recognised by the children as adverts.1
Directive 95/46/EC2 regulates the processing of the personal data of
EU citizens, including personal data posted on SNSs. Problematically, it
was drafted in a pre-SNS era and neither makes reference to children nor
considers them vulnerable data subjects whose personal data should be
subject to more stringent processing rules. The absence of specific legal
protection for children’s data on SNSs sparked concerns that children were
ignorantly disclosing personal data and being exposed to profiling and
advertising without adequate privacy and data protection safeguards in place. In response to these concerns, provisions aimed at safeguarding children’s privacy and data protection rights have been included in Regulation (EU) 2016/679 (hereafter “GDPR”),3 which will come into force on 25 May 2018.
This chapter provides a critical evaluation of the forthcoming measures to
address a knowledge gap that exists because of the novelty of these provisions and the fact that scholarship in this area is currently underdeveloped.4 It begins by providing an overview of SNSs and the problems posed by underage children’s access to them. In this regard, it will illustrate that the biological and psychosocial developmental changes that children experience as they progress through their teenage years and develop their capacity for freedom of expression makes them vulnerable to impulsive personal information disclosures and privacy invasions. After this, an exploration of the current legal protections for children’s privacy on SNSs from the perspective of privacy as information control will highlight deficiencies in Directive 95/46/EC. This leads to an analysis of the measures in the GDPR to determine whether they will, when introduced, realise the twin goals of legitimising the processing of children’s personal data and, at the same time, protecting their fundamental privacy and data protection rights. The compatibility of measures in the GDPR with provisions in the United
Nations Convention on the Rights of the Child (1989) (“the UNCRC”)
and the Charter of Fundamental Rights of the European Union (2000)
(“the EU Charter”) is considered as these provide a normative framework
for evaluating children’s legal rights. To comply with both legal frameworks,
data protection measures in the GDPR governing children’s activities on
SNSs should recognise their evolving capacity for freedom of expression
and privacy. This would allow them to express themselves with appropriate
safeguards in place, ensuring that their best interests are protected and that they are not subject to economic exploitation through activities such as profiling and advertising without consent. Specifically, the analysis presents a critical evaluation of the introduction of an age threshold, below which children are deemed to lack capacity to consent to the processing of their personal data; the conceptual coherence of relying on parental consent for children under the threshold age; the practical implications of Member States being permitted to set the threshold age within a range of ages; and the practical challenges posed by relying on verified parental consent.
The chapter concludes that measures in the GDPR are compatible
with provisions in the UNCRC and the EU Charter but that a number of
practical challenges remain unsolved. For instance, allowing Member States to set the threshold age means that the goal of simplifying and harmonising the regulatory environment for SNSs operating on a transnational basis will not be fully realised. Equally, reliance on parental consent and the consent of children over the threshold age is conceptually coherent, but it is dependent on the introduction of low-cost age-verification mechanisms being integrated into SNSs. It is also dependent on child data subjects (or their parents) being digitally literate enough to give unambiguous, specific consent to the processing of their personal data. Relatedly, whilst the GDPR includes measures to promote and increase the digital literacy of both parents and children, it remains to be seen how effective these will be in practice. For these reasons, the GDPR is an improvement on Directive 95/46/EC, but only a partial success.

BREXIT: POTENTIAL IMPLICATIONS FOR DIGITAL AND 'FINTECH' INDUSTRIES

Following the outcome of the historic 'Brexit' referendum on 23 rd June 2016 in which a majority ... more Following the outcome of the historic 'Brexit' referendum on 23 rd June 2016 in which a majority of eligible voters in the UK voted to 'Leave,' the United Kingdom is potentially on course to leave the European Union, but to ensure continued economic success it will seek to maintain a favourable trading relationship with the EU. This article identifies and critically evaluates the various types of trade deals the UK might negotiate upon exit with a particular focus on trade in services since financial and digital services are key components of the UK economy. It also offers both pre and post exit guidance on the data protection permutations of each type of trade deal and concludes that post-withdrawal, the UK should ensure that its data protection law is fully compliant with Regulation (EU) 2016/679. Forging its own data protection path could lead to isolation.

Information access rights in FOIA and FOISA – fit for purpose?

In this article, Dr Mc Cullagh examines whether the Freedom of Information Act 2000 (FOIA) and Fr... more In this article, Dr Mc Cullagh examines whether the Freedom of Information Act 2000 (FOIA) and Freedom of Information (Scotland) Act 2002 (FOISA) are fit for purpose as they enter their second decade. A two-fold approach is used to make this determination. Firstly, an assessment of the degree of compliance of both Acts against a set of UN endorsed principles is undertaken. This reveals that neither Act is fully compliant with the normative principles. Secondly, the Acts are compared against each other. The comparative analysis demonstrates that the Acts are creatures of their respective parliaments and that their evolution has been shaped by the distinct political cultures in which they operate. It concludes that at present FOISA offers stronger information rights but that both Acts should be amended to ensure full compliance with the UN endorsed principles if both jurisdictions are to have information rights that are fit for purpose as they enter their second decade.

Edinburgh Law Review: http://www.euppublishing.com/doi/10.3366/elr.2017.0389

Blogs: A privacy perspective

Click happy?: an analysis of the use of an Electronic Voting System (EVS) in large group lectures to improve interaction and engagement

This paper outlines the findings from an action research study conducted at Salford Law School; r... more This paper outlines the findings from an action research study conducted at Salford Law School; reporting the responses of students to the inclusion of an electronic voting
system (hereafter referred to as ‘clickers’) in large group Undergraduate Public Law
lectures.
The paper begins reflecting upon my current lecture practice in the context of existing
literature and by reviewing feedback from previous cohorts of students. This reveals that the traditional, didactic lecture style, commonly employed by law lecturers in the UK has been criticized for fostering student passivity and resulting in surface learning
(Ramsden, 1992). In contrast, studies carried out in pure science disciplines; medicine, engineering and mathematics (Hake, 1998; Crouch and Mazur, 2001) indicate positive results from use of clicker quizzes, in terms of increasing student interaction and engagement.
Accordingly, I decided to incorporate clicker quizzes into lectures, and measure student
responses to this change in teaching practice. The findings indicate that clicker usage
increased student interaction and engagement. This study concludes that clickers
should be used on an ongoing basis in Public law lectures, and also indicates positive
support from students regarding the use clickers in other undergraduate law subjects.
Furthermore, although the findings from this action research study are not
generalisable, the responses suggest that clickers could be an effective teaching tool in
large group sessions in other disciplines, since they replicate findings from previous
studies in other disciplines.

Legal regulation and education: Doing the right thing?

International Review of Law, Computers & Technology, 2015

Protecting ‘privacy’ through control of ‘personal’ data processing:

The development of a frontier-free internal market and of the so-called ‘information society’ hav... more The development of a frontier-free internal market and of the so-called ‘information society’ have resulted in an increase in the flow of personal data between EU member states. To remove potential obstacles to such transfers, data protection legislation was introduced. One of the underpinning principles of Directive 95/46/EC is the protection of privacy. Yet, the legislation does not provide a conclusive understanding of the terms ‘privacy’ or ‘private’ data. Rather, privacy protection is to be achieved through the regulation of the conditions under which personal data may be processed. An assessment of whether, 10 years after the enactment of the Data Protection Act 1998 (DPA 1998), a coherent understanding of the concept of personal data exists, necessitated an analysis of the decisions in Durant v. FSA ([2003] EWCA Civ 1746) and CSA v. SIC ([2008] 1 WLR 1550, [2008] UKHL 47). Furthermore, in order to examine the effectiveness of the legislation, this article examines whether the term ‘personal’ is synonymous with the term ‘private’ data and whether control over processing of personal information protects privacy. By drawing on interviews with privacy and data protection experts, and from the findings of a survey of bloggers, it will be shown that a review of the assumptions and concepts underpinning the legislation is necessary.

IP addresses and personal data: K.U. v Finland

Classifying IP addresses as personal data could have serious implications for search engines and ... more Classifying IP addresses as personal data could have serious implications for search engines and many other electronic businesses, in particular, the personalised advertising business model of the Internet. Recent court decisions have not clarified the position, so businesses that log IP addresses should proceed with caution.

Blogging: self presentation and privacy

Blogs are permeating most niches of social life, and addressing a wide range of topics from schol... more Blogs are permeating most niches of social life, and addressing a wide range of topics from scholarly and political issues1 to family and children’s daily lives. By their very nature, blogs raise a number of privacy issues as they are easy to produce and disseminate, resulting in large amounts of sometimes personal information being broadcast across the Internet in a persistent and cumulative manner. This article reports the preliminary findings of an online survey of bloggers from around the world. The survey explored bloggers’ subjective sense of privacy by examining their blogging practices and their expectations of privacy when publishing online. The findings suggest that blogging offers individuals a unique opportunity to work on their self-identity via the degree of self-expression and social interaction that is available in this medium. This finding helps to explain why bloggers consciously bring the ‘private’ to the public realm, despite the inherent privacy risks they face in doing so.

Data Sensitivity: Proposals for Resolving the Conundrum

The EU Directive 95/46/EC specifically demarcates categories of sensitive data meriting special p... more The EU Directive 95/46/EC specifically demarcates categories of sensitive data meriting special protection. It is important to review the continuing relevance of existing categories of sensitive data in the light of changes in societal structures and advances in technology. This paper draws on interviews with privacy and data protection experts from a range of countries and disciplines and findings from the Information Commissioner’s annual telephone survey of the British public in order to explore satisfaction with the current categories of sensitive data. It will be shown that the current classification of sensitive data appears somewhat outdated and thus ineffective for determining the conditions of data processing. Finally, possible reform proposals will be reviewed, including a purpose-based approach and context-based approach.

Developing European legal information markets based on government information

This article examines the Directive on re-use of public sector information in light of an EU fund... more This article examines the Directive on re-use of public sector information in light of an EU funded project under the eContent programme (ADD-WIJZER). In outline, the Directive will allow commercial (and other) information providers low cost access to government copyrighted works. Copyright will remain with the relevant government but it will not normally be able to prevent re-use of this material through exclusive licences etc. The aim of the Directive is to increase the production of information products and thus help develop the information marketplace in Europe. Such a legal information marketplace would be expected to have a customer base wider than that of the legal profession. The research in this article represents a series of interviews with a representative sample of those who might be expected to be part of a growing ‘legal information marketplace’ and what might be the ‘added value’ which commercial suppliers of legal information might provide to attract them to these envisaged products.
Importantly, we start from the position that in order to compete successfully in the marketplace it will be necessary for information providers to understand how the legal market place utilises legal information at present and what users perceive as being of potential ‘added value’. We will briefly use the conceptual structure of the ‘technology acceptance model’ to analyse our interview material.
We will also note that a tension exists between the private and public sector over the dissemination of public sector information and that the Directive needed to resolve several issues if the eContent programme of the information society is to succeed. Such issues include: access rights, copyright,
competition rules and pricing policies. These have not been attacked in the Directive and we thus feel that it - in comparison to the Proposal for a Directive - offers little to either the public or to commercial re-users of information that is not already on offer at present. The Directive is, perhaps, a failed project in terms of the ultimate aims of the Information Society.

E-democracy: potential for political revolution?

This article focuses on the traditional notions of democracy and governance in the context of the... more This article focuses on the traditional notions of democracy and governance in the context of the recent shock first-round election results in France. The results prima facie suggest voter apathy and disengagement from the democratic process. However, the spontaneous street protests confirm that voters are not apathetic about democracy, rather they are dissatisfied with the current model of government and the unresponsive nature of government. It will be argued that the interactive nature of Internet technology has the potential to reinvigorate the democratic process and re-engage citizens positively in political life.

A study of data protection: harmonisation or confusion?

Proceedings of the 21st BILETA Conference on …, Jan 1, 2006

Identity information: the tension between privacy and the societal benefits associated with biometric database surveillance

20th BILETA Conference, Jan 1, 2005

Developing European Legal Information Markets Based on Government Information: First Findings from the Add-Wijzer Project

18th BILETA Conference: Controlling …, Jan 1, 2003

Protecting 'privacy'through control of 'personal'data processing: A flawed approach

International Review of Law, Computers & …, Jan 1, 2009

The development of a frontier-free internal market and of the so-called &#x27;information soc... more The development of a frontier-free internal market and of the so-called &#x27;information society&#x27; have resulted in an increase in the flow of personal data between EU member states. To remove potential obstacles to such transfers, data protection legislation was introduced. One of the ...

RIPA v HRA: An Analysis of Kennedy v UK

Brexit: potential trade and data implications for digital and 'fintech' industries

Following the outcome of the historic ‘Brexit’ referendum on 23 June 2016 in which a majority of ... more Following the outcome of the historic ‘Brexit’ referendum on 23 June 2016 in which a majority of eligible voters in the UK voted to ‘Leave’, the
UK is potentially on course to leave the European Union (EU), but to ensure continued economic success it will seek to maintain a favourable trading relationship with the EU.
This article identifies and critically evaluates the various types of trade deals the UK might negotiate upon exit with a particular focus on trade in
services since financial and digital services are key components of the UK economy.
It also offers both pre- and post-exit guidance on the data protection permutations of each type of trade deal and concludes that post-withdrawal, the UK should ensure that its data protection law
is fully compliant with Regulation (EU) 2016/679. Forging its own data protection path could lead to isolation.

A tangled web of access to information: reflections on R (on the application of Evans) and another v Her Majesty's Attorney General

The Freedom of Information Act 2000 ('FOIA') came into force on 1 January 2005. It created, for t... more The Freedom of Information Act 2000 ('FOIA') came into force on 1 January 2005. It created, for the first time, a statutory right of access to information held by a wide range of public authorities. The right of access extends to all information held, regardless of how old the information is and the format in which it is held, unless one of the absolute exemptions listed in the Act is applicable, or the public interest test for disclosure is not satisfied in respect of a qualified exemption. Significantly, the Act also contains a power of ministerial veto, the effect of which is that orders to disclose information under the Act are rendered ineffective if a minister certifies that they have "reasonable grounds" for having formed the opinion that non-disclosure would not be unlawful. Prior to R (on the application of Evans) and another v Attorney General, [2] there was a lack of certainty regarding what constituted 'reasonable grounds' for the issuance of a ministerial certificate. As well as clarifying the threshold for reasonable grounds for issuing a veto, this judgment also engages in a discussion of the relationship between three fundamental constitutional principles: the rule of law, separation of powers and parliamentary sovereignty to determine the extent to which it is legally and constitutionally legitimate for a court exercising powers of judicial review to strike down a Government Minister's decision made under powers granted by Parliament to overturn an independent judicial tribunal's judgment. Thus, the decision is of interest to those seeking to assess its potential contribution to discourse on common law constitutionalism.

CROSS-BORDER DATA PROTECTION: APPLICABLE LAW AND TERRITORIAL POWERS OF NATIONAL DATA PROTECTION SUPERVISORS

An analysis of the European Court of Justice preliminary ruling in Case C-230/14 Weltimmo s.r.o. ... more An analysis of the European Court of Justice preliminary ruling in Case C-230/14 Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, on the interpretation of two important aspects of Directive 95/46/EC, namely, the applicable law, and territorial reach of national data protection authorities. The Court ruled that the data protection legislation of a member state may be applied by the national data protection authority to a foreign registered company which exercises, through stable arrangements, real and effective (albeit minimal) activity in that member state; a ruling that potentially increases compliance costs for entities operating across multiple European jurisdictions pending the introduction of the proposed General Data Protection Regulation.

The General Data Protection Regulation: A Partial Success for Children on Social Network Sites?

Almost 20 years ago, the first social networking site (“SNS”) was launched in the U.S. Whilst dev... more Almost 20 years ago, the first social networking site (“SNS”) was launched
in the U.S. Whilst developers originally intended for SNSs to be used by
adults—which they are—they have also become an integral communication
platform in the lives of many children in EU Member States. Sharing personal information on SNSs is now a routine activity for many children and, whilst they are computer literate in a way that their parents are often not, a number of concerns have emerged. One of these concerns is that children are vulnerable since they lack the capacity to consent to the terms of SNS membership agreements regarding the processing of their personal data. A further concern is that children’s naïve confidence sometimes leads them to take risks—by sharing information about themselves—that adults would not take. This is particularly concerning as children may be ignorant about the fact that their profile and behavioural data is sold to data brokers who use that information to produce targeted adverts—and that these adverts may display age inappropriate content or even may not by recognised by the children as adverts.1
Directive 95/46/EC2 regulates the processing of the personal data of
EU citizens, including personal data posted on SNSs. Problematically, it
was drafted in a pre-SNS era and neither makes reference to children nor
considers them vulnerable data subjects whose personal data should be
subject to more stringent processing rules. The absence of specific legal
protection for children’s data on SNSs sparked concerns that children were
ignorantly disclosing personal data and being exposed to profiling and
advertising without adequate privacy and data protection safeguards in place. In response to these concerns, provisions aimed at safeguarding children’s privacy and data protection rights have been included in Regulation (EU) 2016/679 (hereafter “GDPR”),3 which will come into force on 25 May 2018.
This chapter provides a critical evaluation of the forthcoming measures to
address a knowledge gap that exists because of the novelty of these provisions and the fact that scholarship in this area is currently underdeveloped.4 It begins by providing an overview of SNSs and the problems posed by underage children’s access to them. In this regard, it will illustrate that the biological and psychosocial developmental changes that children experience as they progress through their teenage years and develop their capacity for freedom of expression makes them vulnerable to impulsive personal information disclosures and privacy invasions. After this, an exploration of the current legal protections for children’s privacy on SNSs from the perspective of privacy as information control will highlight deficiencies in Directive 95/46/EC. This leads to an analysis of the measures in the GDPR to determine whether they will, when introduced, realise the twin goals of legitimising the processing of children’s personal data and, at the same time, protecting their fundamental privacy and data protection rights. The compatibility of measures in the GDPR with provisions in the United
Nations Convention on the Rights of the Child (1989) (“the UNCRC”)
and the Charter of Fundamental Rights of the European Union (2000)
(“the EU Charter”) is considered as these provide a normative framework
for evaluating children’s legal rights. To comply with both legal frameworks,
data protection measures in the GDPR governing children’s activities on
SNSs should recognise their evolving capacity for freedom of expression
and privacy. This would allow them to express themselves with appropriate
safeguards in place, ensuring that their best interests are protected and that they are not subject to economic exploitation through activities such as profiling and advertising without consent. Specifically, the analysis presents a critical evaluation of the introduction of an age threshold, below which children are deemed to lack capacity to consent to the processing of their personal data; the conceptual coherence of relying on parental consent for children under the threshold age; the practical implications of Member States being permitted to set the threshold age within a range of ages; and the practical challenges posed by relying on verified parental consent.
The chapter concludes that measures in the GDPR are compatible
with provisions in the UNCRC and the EU Charter but that a number of
practical challenges remain unsolved. For instance, allowing Member States to set the threshold age means that the goal of simplifying and harmonising the regulatory environment for SNSs operating on a transnational basis will not be fully realised. Equally, reliance on parental consent and the consent of children over the threshold age is conceptually coherent, but it is dependent on the introduction of low-cost age-verification mechanisms being integrated into SNSs. It is also dependent on child data subjects (or their parents) being digitally literate enough to give unambiguous, specific consent to the processing of their personal data. Relatedly, whilst the GDPR includes measures to promote and increase the digital literacy of both parents and children, it remains to be seen how effective these will be in practice. For these reasons, the GDPR is an improvement on Directive 95/46/EC, but only a partial success.

BREXIT: POTENTIAL IMPLICATIONS FOR DIGITAL AND 'FINTECH' INDUSTRIES

Following the outcome of the historic 'Brexit' referendum on 23 rd June 2016 in which a majority ... more Following the outcome of the historic 'Brexit' referendum on 23 rd June 2016 in which a majority of eligible voters in the UK voted to 'Leave,' the United Kingdom is potentially on course to leave the European Union, but to ensure continued economic success it will seek to maintain a favourable trading relationship with the EU. This article identifies and critically evaluates the various types of trade deals the UK might negotiate upon exit with a particular focus on trade in services since financial and digital services are key components of the UK economy. It also offers both pre and post exit guidance on the data protection permutations of each type of trade deal and concludes that post-withdrawal, the UK should ensure that its data protection law is fully compliant with Regulation (EU) 2016/679. Forging its own data protection path could lead to isolation.

Information access rights in FOIA and FOISA – fit for purpose?

In this article, Dr Mc Cullagh examines whether the Freedom of Information Act 2000 (FOIA) and Fr... more In this article, Dr Mc Cullagh examines whether the Freedom of Information Act 2000 (FOIA) and Freedom of Information (Scotland) Act 2002 (FOISA) are fit for purpose as they enter their second decade. A two-fold approach is used to make this determination. Firstly, an assessment of the degree of compliance of both Acts against a set of UN endorsed principles is undertaken. This reveals that neither Act is fully compliant with the normative principles. Secondly, the Acts are compared against each other. The comparative analysis demonstrates that the Acts are creatures of their respective parliaments and that their evolution has been shaped by the distinct political cultures in which they operate. It concludes that at present FOISA offers stronger information rights but that both Acts should be amended to ensure full compliance with the UN endorsed principles if both jurisdictions are to have information rights that are fit for purpose as they enter their second decade.

Edinburgh Law Review: http://www.euppublishing.com/doi/10.3366/elr.2017.0389

Blogs: A privacy perspective

Click happy?: an analysis of the use of an Electronic Voting System (EVS) in large group lectures to improve interaction and engagement

This paper outlines the findings from an action research study conducted at Salford Law School; r... more This paper outlines the findings from an action research study conducted at Salford Law School; reporting the responses of students to the inclusion of an electronic voting
system (hereafter referred to as ‘clickers’) in large group Undergraduate Public Law
lectures.
The paper begins reflecting upon my current lecture practice in the context of existing
literature and by reviewing feedback from previous cohorts of students. This reveals that the traditional, didactic lecture style, commonly employed by law lecturers in the UK has been criticized for fostering student passivity and resulting in surface learning
(Ramsden, 1992). In contrast, studies carried out in pure science disciplines; medicine, engineering and mathematics (Hake, 1998; Crouch and Mazur, 2001) indicate positive results from use of clicker quizzes, in terms of increasing student interaction and engagement.
Accordingly, I decided to incorporate clicker quizzes into lectures, and measure student
responses to this change in teaching practice. The findings indicate that clicker usage
increased student interaction and engagement. This study concludes that clickers
should be used on an ongoing basis in Public law lectures, and also indicates positive
support from students regarding the use clickers in other undergraduate law subjects.
Furthermore, although the findings from this action research study are not
generalisable, the responses suggest that clickers could be an effective teaching tool in
large group sessions in other disciplines, since they replicate findings from previous
studies in other disciplines.

Legal regulation and education: Doing the right thing?

International Review of Law, Computers & Technology, 2015

Protecting ‘privacy’ through control of ‘personal’ data processing:

The development of a frontier-free internal market and of the so-called ‘information society’ hav... more The development of a frontier-free internal market and of the so-called ‘information society’ have resulted in an increase in the flow of personal data between EU member states. To remove potential obstacles to such transfers, data protection legislation was introduced. One of the underpinning principles of Directive 95/46/EC is the protection of privacy. Yet, the legislation does not provide a conclusive understanding of the terms ‘privacy’ or ‘private’ data. Rather, privacy protection is to be achieved through the regulation of the conditions under which personal data may be processed. An assessment of whether, 10 years after the enactment of the Data Protection Act 1998 (DPA 1998), a coherent understanding of the concept of personal data exists, necessitated an analysis of the decisions in Durant v. FSA ([2003] EWCA Civ 1746) and CSA v. SIC ([2008] 1 WLR 1550, [2008] UKHL 47). Furthermore, in order to examine the effectiveness of the legislation, this article examines whether the term ‘personal’ is synonymous with the term ‘private’ data and whether control over processing of personal information protects privacy. By drawing on interviews with privacy and data protection experts, and from the findings of a survey of bloggers, it will be shown that a review of the assumptions and concepts underpinning the legislation is necessary.

IP addresses and personal data: K.U. v Finland

Classifying IP addresses as personal data could have serious implications for search engines and ... more Classifying IP addresses as personal data could have serious implications for search engines and many other electronic businesses, in particular, the personalised advertising business model of the Internet. Recent court decisions have not clarified the position, so businesses that log IP addresses should proceed with caution.

Blogging: self presentation and privacy

Blogs are permeating most niches of social life, and addressing a wide range of topics from schol... more Blogs are permeating most niches of social life, and addressing a wide range of topics from scholarly and political issues1 to family and children’s daily lives. By their very nature, blogs raise a number of privacy issues as they are easy to produce and disseminate, resulting in large amounts of sometimes personal information being broadcast across the Internet in a persistent and cumulative manner. This article reports the preliminary findings of an online survey of bloggers from around the world. The survey explored bloggers’ subjective sense of privacy by examining their blogging practices and their expectations of privacy when publishing online. The findings suggest that blogging offers individuals a unique opportunity to work on their self-identity via the degree of self-expression and social interaction that is available in this medium. This finding helps to explain why bloggers consciously bring the ‘private’ to the public realm, despite the inherent privacy risks they face in doing so.

Data Sensitivity: Proposals for Resolving the Conundrum

The EU Directive 95/46/EC specifically demarcates categories of sensitive data meriting special p... more The EU Directive 95/46/EC specifically demarcates categories of sensitive data meriting special protection. It is important to review the continuing relevance of existing categories of sensitive data in the light of changes in societal structures and advances in technology. This paper draws on interviews with privacy and data protection experts from a range of countries and disciplines and findings from the Information Commissioner’s annual telephone survey of the British public in order to explore satisfaction with the current categories of sensitive data. It will be shown that the current classification of sensitive data appears somewhat outdated and thus ineffective for determining the conditions of data processing. Finally, possible reform proposals will be reviewed, including a purpose-based approach and context-based approach.

Developing European legal information markets based on government information

This article examines the Directive on re-use of public sector information in light of an EU fund... more This article examines the Directive on re-use of public sector information in light of an EU funded project under the eContent programme (ADD-WIJZER). In outline, the Directive will allow commercial (and other) information providers low cost access to government copyrighted works. Copyright will remain with the relevant government but it will not normally be able to prevent re-use of this material through exclusive licences etc. The aim of the Directive is to increase the production of information products and thus help develop the information marketplace in Europe. Such a legal information marketplace would be expected to have a customer base wider than that of the legal profession. The research in this article represents a series of interviews with a representative sample of those who might be expected to be part of a growing ‘legal information marketplace’ and what might be the ‘added value’ which commercial suppliers of legal information might provide to attract them to these envisaged products.
Importantly, we start from the position that in order to compete successfully in the marketplace it will be necessary for information providers to understand how the legal market place utilises legal information at present and what users perceive as being of potential ‘added value’. We will briefly use the conceptual structure of the ‘technology acceptance model’ to analyse our interview material.
We will also note that a tension exists between the private and public sector over the dissemination of public sector information and that the Directive needed to resolve several issues if the eContent programme of the information society is to succeed. Such issues include: access rights, copyright,
competition rules and pricing policies. These have not been attacked in the Directive and we thus feel that it - in comparison to the Proposal for a Directive - offers little to either the public or to commercial re-users of information that is not already on offer at present. The Directive is, perhaps, a failed project in terms of the ultimate aims of the Information Society.

E-democracy: potential for political revolution?

This article focuses on the traditional notions of democracy and governance in the context of the... more This article focuses on the traditional notions of democracy and governance in the context of the recent shock first-round election results in France. The results prima facie suggest voter apathy and disengagement from the democratic process. However, the spontaneous street protests confirm that voters are not apathetic about democracy, rather they are dissatisfied with the current model of government and the unresponsive nature of government. It will be argued that the interactive nature of Internet technology has the potential to reinvigorate the democratic process and re-engage citizens positively in political life.

A study of data protection: harmonisation or confusion?

Proceedings of the 21st BILETA Conference on …, Jan 1, 2006

Identity information: the tension between privacy and the societal benefits associated with biometric database surveillance

20th BILETA Conference, Jan 1, 2005

Developing European Legal Information Markets Based on Government Information: First Findings from the Add-Wijzer Project

18th BILETA Conference: Controlling …, Jan 1, 2003

Protecting 'privacy'through control of 'personal'data processing: A flawed approach

International Review of Law, Computers & …, Jan 1, 2009

The development of a frontier-free internal market and of the so-called &#x27;information soc... more The development of a frontier-free internal market and of the so-called &#x27;information society&#x27; have resulted in an increase in the flow of personal data between EU member states. To remove potential obstacles to such transfers, data protection legislation was introduced. One of the ...

RIPA v HRA: An Analysis of Kennedy v UK

'How and why to research with online surveys'

The response rates to traditional survey methods - postal and telephone - have been in decline ov... more The response rates to traditional survey methods - postal and telephone - have been in decline over the past decade, and for many types of research are not cost effective.
The session focused on the potential advantages of using an online survey to collect data, as if it is used innovatively, for example, promoted through YouTube and through high-profile bloggers and discussion boards, it can become self-promoting and generate high levels of responses

“Data sensitivity: resolving the conundrum”

“Using Online Surveys in ESLR,”

Social Networks: Data Protection & Privacy

“Blog archives and privacy” New Kinds of Social Data: from blogs to administrative data”

Facebook: Privacy settings v Privacy threats