Issue 5 / 2023

In the current CRi issue 5 (publication on: 15. Oktober 2023) you find the following articles and case law:



Sundara, Karishma / Narendran, Nikhil, The Digital Personal Data Protection Act, 2023: analysing India’s dynamic approach to data protection, CRi 2023, 129-141

This article examines the provisions of the DPDPA from the lens of a comparative study measuring it along the way against the GDPR. After a brief introduction (I.), the article begins with (II.) unpacking the applicability and scope of the DPDPA: identifying what is included, what is excluded and what is exempt, before moving on to (III.) extrapolating the bases for processing personal data; (IV.) explaining the obligations that apply to personal data of special categories of data principals; (V.) discussing data sharing and cross-border data transfers (VI.) outlining the obligations of data fiduciaries as well as (VII.) the rights and duties of data principals; and finally turning to (IX.) enforcement of the DPDPA by taking a look at the Board (VIII.) as well as at penalties and voluntary undertakings (XI.).

Lejeune, Mathias, AI Systems and their Output under U.S. Copyright Laws, CRi 2023, 141-148

Artificial Intelligence (AI) has recently received a lot of public awareness especially based on the program called ChatGPT. This article describes the problems which AI provides under the existing laws in the USA and in the EU especially in the context of Copyright Law.

Beardwood, John, Cyber breaches in Critical Infrastructure: It’s not just about Personal Data Breaches Anymore (Part 2), CRi 2023, 148-155

This article is the second of two parts, comparing recent global legislative developments in three key jurisdictions regulating cyber breaches which occur in critical infrastructure, specifically: in Canada (Bill C-26), in the U.S. (the U.S. Cyber Incident Reporting for Critical Infrastructure Act of 2022 – “CIRCIA”), and in the EU (the Network Infrastructure Security Directive 2.0 (EU) 2022/2055 – “NIS2 Directive”). The first part (Beardwood, CRi 2023, 109–114) provided an overview of the legislative background and purpose of CCSPA, CIRCIA and the NIS2 Directive (I.); compared the scope of their application, based on systems and entities (II.) as well as their respective definitions of incidents (III.); and concluded with an comparative analysis of these foundational scope elements of the Critical Infrastructure cyber breach regime (IV.). This Part 2 continues the analysis and compares the details of their reporting requirements, with a focus on report content, timing and exceptions (V.); contrasts the approaches to record keeping (VI.) and enforcement (VII.); compares their respective penalty regimes (VIII.); and finally concludes with a brief analysis of the challenges for any company facing a critical infrastructure cyber breach across all three jurisdictions (IX.).

Case Law

District Court Oslo v. 6 September 2023 - 23-114365TVI-TOSL/08, Norway: Ban for Facebook and Instagram of Processing Personal Data for Behavioral Marketing, CRi 2023, 155-158

District Court for the District of Columbia v. 18 August 2023 - No. 22-1564, USA: Copyrightability of AI, CRi 2023, 158-160

Verlag Dr. Otto-Schmidt vom 11.10.2023