CST2531 Compliance and Project Management
Lecture Week 3
International Organisations and Laws
Dr Elke Duncker

Cybercrime
• International
• Wide range of criminal activities
• New laws being put in place
• New types of criminal activities emerge faster than laws can be made or adapted

Laws to fight Cybercrimes
• International crimes need international laws
• International laws can be at odds with local national laws
• Harmonisation to avoid this

International Harmonisation seeks to
• coordinate international laws, regulations and standards with the local ones
• eliminate major differences between the international laws, regulations and standards and the local ones
• create new laws, regulations and standards and adapt existing ones, where necessary

International Activities
• UN – UN treaty on Cybercrime
  See https://www.unodc.org/unodc/en/cybercrime/ad_hoc_committee/home
• UNODC – Harmonization of Laws
  See https://www.unodc.org/e4j/en/cybercrime/module-3/key-issues/harmonization-of-laws.html
• EU – Harmonization of all Laws including Cybercrime Laws
  See https://european-union.europa.eu/institutions-law-budget/law_en

Questions I:
• Which organisations can initiate harmonisation of laws?
  – Everybody involved, from local private initiatives to EU bodies or UN bodies.
• Which organisations can legislate the harmonisation of laws?
  – The legislator of the relevant organisation or nation

Harmonisation at various levels
• International harmonisation
  – The UN General Assembly is the main policy-making legal body, but harmonisation is done by UNODC
  – International standards bodies such as the ISO and the IEC
• EU harmonisation
  – proposed by the European Commission
  – approved by the Council of the European Union and the European Parliament to become law
• Local harmonisation
  – The local legislator; in democratic countries, the parliament

Types of Harmonisation
• Full harmonisation: all aspects have to be incorporated into the national laws
• Minimal harmonisation: only the minimum is to be harmonised, leaving enough room for national ways of incorporating that minimum into the national laws.
• How does the EU harmonise its laws?
  – Mostly minimal harmonisation, with very few exceptions of full harmonisation

The European Cybersecurity Act
• Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019
  – on ENISA (the European Network and Information Security Agency, now the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification
  – Deals with standards. It established a European cybersecurity certification framework for the development of schemes.
• The EC will adopt schemes concerning specific groups of ICT products, ICT services and ICT processes. These should be implemented and supervised by national cybersecurity certification authorities, with certificates issued under these schemes valid throughout the EU.
• https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-act

EU Regulation on ENISA and Cyber Security Certification
• The new ‘EU Regulation on ENISA and Cyber Security Certification’ aims to help improve the cyber security of EU member states.
  – Sets out a new, strengthened role for ENISA, the EU’s cyber security agency
  – Sets out new rules on Information and Communication Technology and Cyber Security Certification
• https://www.gov.uk/government/publications/eu-regulation-on-enisa-and-cyber-security-certification

The Directive on security of network and information systems (NIS Directive)
• The NIS Directive is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.
• https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive

NIS Directive
• The NIS Directive provides legal measures to boost cybersecurity in the EU by ensuring:
  – Member States' preparedness.
  – Cooperation among all the Member States.
  – A culture of security across sectors which are vital for our economy and society and moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.

UN Work on CyberSecurity
• UN: https://www.un.org/counterterrorism/cybersecurity
• United Nations Office on Drugs and Crime – Harmonization of Laws
  https://www.unodc.org/e4j/en/cybercrime/module-3/key-issues/harmonization-of-laws.html
  https://www.unodc.org/unodc/en/cybercrime/global-programme-cybercrime.html
• Global Cybersecurity Index (GCI): not a law, but a measure of effectiveness of and commitment to cybersecurity
  https://www.itu.int/en/ITU-D/Cybersecurity/Pages/global-cybersecurity-index.aspx

International harmonization of cybercrime legislation and regulation
• Cybercrime law identifies standards of acceptable behaviour for information and communication technology (ICT) users; establishes socio-legal sanctions for cybercrime; protects ICT users, in general, and mitigates and/or prevents harm to people, data, systems, services, and infrastructure, in particular; protects human rights; enables the investigation and prosecution of crimes committed online (outside of traditional real-world settings); and facilitates cooperation between countries on cybercrime matters (UNODC, 2013, p. 52).
  https://www.unodc.org/e4j/en/cybercrime/module-3/key-issues/the-role-of-cybercrime-law.html

Countries working together
• Cybercrime does not respect national boundaries.
• Laws and legal practices are mostly based on national practices.
• Some attempts at harmonisation don’t always work.
• What are the obstacles to harmonisation?

Obstacles to Harmonisation
• Political changes – in local governments
• Experience within the respective agency – lack of experts in a country
• Regional regulation – harmonisation not getting onto national political agendas
• Collaboration among agencies – disruption of collaboration between nations
• Insufficient resources – constraints on national and international resources, such as human, financial and infrastructure resources
• Technology – implementation of new technologies is deficient
• Socioeconomic aspects – costs and fees established by each national agency to evaluate procedures and services when changes have been introduced
• National identity – frequently, the concept of national identity is an obstacle to global harmonisation, as accepting directives that differ from the country's own initiatives is often thought of as an infringement or violation of nationalist thinking. See UK-Brexit.

Computer Misuse Act 1990
• An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes.
  https://www.legislation.gov.uk/ukpga/1990/18/contents
• Computer misuse offences
  – 1. Unauthorised access to computer material.
  – 2. Unauthorised access with intent to commit or facilitate commission of further offences.
  – 3. Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
  – 3ZA. Unauthorised acts causing, or creating risk of, serious damage.
  – 3A. Making, supplying or obtaining articles for use in offence under section 1, 3 or 3ZA.

Computer Misuse Act 1990
• Jurisdiction
  – 4. Territorial scope of offences under this Act.
  – 5. Significant links with domestic jurisdiction.
  – 6. Territorial scope of inchoate offences related to offences under this Act.
  – 7. Territorial scope of inchoate offences related to offences under external law corresponding to offences under sections 1 to 3.
  – 8. Relevance of external law.
  – 9. British citizenship immaterial.
• Inchoate = undeveloped, incoherent, unclear

Unauthorised access to computer material
(1) A person is guilty of an offence if—
  (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer [F1, or to enable any such access to be secured];
  (b) the access he intends to secure [F2, or to enable to be secured,] is unauthorised; and
  (c) he knows at the time when he causes the computer to perform the function that that is the case.
(2) The intent a person has to have to commit an offence under this section need not be directed at—
  (a) any particular program or data;
  (b) a program or data of any particular kind; or
  (c) a program or data held in any particular computer.

Unauthorised access to computer material
[F3 (3) A person guilty of an offence under this section shall be liable—
  (a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
  (b) on summary conviction in Scotland, to imprisonment for a term not exceeding [F4 12] months or to a fine not exceeding the statutory maximum or to both;
  (c) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.]

Data Protection Act and General Data Protection Regulation
• Data protection is about ensuring people can trust you to use their data fairly and responsibly.
• If you collect information about individuals for any reason other than your own personal, family or household purposes, you need to comply.
• The UK data protection regime is set out in the DPA 2018, along with the GDPR (which also forms part of UK law). It takes a flexible, risk-based approach which puts the onus on you to think about and justify how and why you use data.
• The ICO regulates data protection in the UK. It offers advice and guidance, promotes good practice, carries out audits and advisory visits, considers complaints, monitors compliance and takes enforcement action where appropriate.
• https://ico.org.uk/
• https://www.gov.uk/government/collections/data-protection-act-2018
• https://gdpr-info.eu/

Data Protection Act and General Data Protection Regulation
• Digital technology has transformed almost every aspect of our lives in the twenty years since the last Data Protection Act was passed.
• Our new Data Protection Act:
  – makes our data protection laws fit for the digital age in which an ever increasing amount of data is being processed
  – empowers people to take control of their data
  – supports UK businesses and organisations through the change
  – ensures that the UK is prepared for the future after we have left the EU
• The text of the Data Protection Act and related documents can be found on legislation.gov.uk. Historical documents relating to the passage of the Act can be found on the Parliament website.

The Privacy and Electronic Communications Regulations 2003
• The Privacy and Electronic Communications Regulations (PECR) (EU) sit alongside the GDPR (EU).
• The relevant UK law is the Data Protection Act 2018.
• Together they give people specific privacy rights in relation to electronic communications. There are specific rules on:
  – marketing calls, emails, texts and faxes;
  – cookies (and similar technologies);
  – keeping communications services secure; and
  – customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
• http://www.legislation.gov.uk/uksi/2003/2426/contents/made
• https://ico.org.uk/for-organisations/guide-to-pecr/

Links to European Legislation Follow
• The EU Cybersecurity Act
  – The Cybersecurity Act strengthens the EU Agency for Cybersecurity (ENISA) and establishes a cybersecurity certification framework for products and services.
• https://digital-strategy.ec.europa.eu/en/news/cybersecurity-act-strengthens-europes-cybersecurity
• https://eur-lex.europa.eu/eli/reg/2019/881/oj

Human Rights
• Universal Declaration of Human Rights – 30 Articles
  – The Universal Declaration of Human Rights - WorldAtlas
• European Convention on Human Rights (ECHR)
  – https://www.equalityhumanrights.com/en/human-rights/human-rights-act
• Human Rights Act 1998 incorporates the ECHR into domestic British law
  – https://www.legislation.gov.uk/ukpga/1998/42/contents

Brief Detour
• Primary and Secondary Sources in the context of laws, regulations and standards
• [Also relevant in the context of referencing for dissertation and essay writing]

Primary Sources
• Are the laws and the standards themselves, coming from the official bodies who created them.
• Examples: international and local treaties, regulations, legal texts, government documents, international and local standards

Secondary Sources
• Are considered background resources
• Illustrate, describe, evaluate and analyse the primary sources.
• Examples: legal handbooks and encyclopaedias, textbooks, journal articles, standardisation literature, Watson and Jones, “Digital Forensics”
• A good way to begin
• Often contain citations of primary sources.

When to use Primary or Secondary Sources
• Always use the original source for the text of the laws.
• The text of the law will not tell you whether and how the laws work. For that we will need to look at either regulations related to that law or secondary sources.
• Both primary and secondary sources are useful for you.
• Wikipedia is a secondary source

Work Required
This week you have to:
1. Read up about the laws presented in this lecture. Keep the next slide in mind (4 hrs)
2. If you have not already started your first assignment, start now! Submission in week 8! (4 hrs)

Reading up on International Laws
• Select 5 international laws presented in this lecture, worldwide and EU
• Read the full text (or as much as you can bear, but not less than 20 minutes).
• Consider the meaning of each text and make notes
• Read either the Wikipedia entry for the law or a textbook
• Consider how the international laws [presented in this lecture] work together with local laws. Make notes.

Thanks for Your Attention!