The Agreement Establishing the African Continental Free Trade Area (AEAfCFTA) is a revolutionary treaty of the African Union (AU) which creates an African single market to guarantee the free movement of persons, capital, goods and services. The AEAfCFTA is geared towards enabling seamless trade among African countries. The single market relies heavily on the processing of the personal data of persons resident within and outside the AU, thereby necessitating an effective data protection regime. However, the data protection regime across Africa is fragmented, with each country either having a distinct data protection framework or none at all. This lack of a uniform continental framework threatens to clog the wheels of the African Continental Free Trade Area (AfCFTA), because by demanding compliance with the various data protection laws across Africa, free trade will be inhibited, the very problem the AEAfCFTA seeks to remediate. These concerns are considered and applicable solutions are proposed to ensure the successful implementation of the AfCFTA.

As humanitarian organizations become more active in the digital domain and reliant upon new technologies, they evolve from simple bystanders to full-fledged stakeholders in cyberspace, able to build on the advantages of new technologies but also vulnerable to adverse cyber operations that can impact their capacity to protect and assist people affected by armed conflict or other situations of violence. The recent hack of the International Red Cross and Red Crescent Movement's Restoring Family Links network tools, potentially exposing the personal data of half a million vulnerable individuals to unauthorized access by unknown hackers, is a stark reminder that this is not just a theoretical risk but a very real one.1

The 2020 cyber operation affecting SolarWinds, a major US information technology company, demonstrated the chaos that a hack can cause by targeting digital supply chain components. What does the hack mean for the humanitarian cyberspace, and what can we learn from it? In this article, Massimo Marelli, Head of the International Committee of the Red Cross's Data Protection Office, draws out some possible lessons and considers the way forward by drawing on the notion of “digital sovereignty”.

This article examines the extent to which international law protects international organizations (IOs) from hacking operations committed by States. First, it analyzes whether hacking operations undertaken by member States and host States breach the privileges and immunities granted to IOs by their constitutive treaties, headquarters agreements, and conventions on privileges and immunities concerning the inviolability of their premises, property, assets, archives, documents and correspondence. The article also explores the question of whether hacking operations carried out by non-member States breach these provisions on the basis that they have passed into customary international law or because they attach to the international legal personality of IOs. Second, the article considers the question of whether hacking operations breach the principle of good faith. In this regard, it discusses the applicability of the principle of good faith to the relations between IOs, member States, host States and non-member States, and then considers how hacking operations impinge on a number of postulates emanating from good faith such as the pacta sunt servanda rule, the duty to respect the legal personality of IOs, the duties of loyalty, due regard and cooperation, and the duty not to abuse rights. Finally, the article examines the question of whether the principle of State sovereignty offers IOs indirect protection insofar as hacking can breach the sovereignty of the host State or the sovereignty of the State on whose cyber infrastructure the targeted data is resident.

In our data-driven society, personal data affecting individuals as data subjects are increasingly being collected and processed by sizeable and international companies. While data protection laws and privacy technologies attempt to limit the impact of data breaches and privacy scandals, they rely on individuals having a detailed understanding of the available recourse, resulting in the responsibilization of data protection. Existing data stewardship frameworks incorporate data-protection-by-design principles but may not include data subjects in the data protection process itself, relying on supplementary legal doctrines to better enforce data protection regulations. To better protect individual autonomy over personal data, this paper proposes a data protection-focused data commons to encourage co-creation of data protection solutions and rebalance power between data subjects and data controllers. We conduct interviews with commons experts to identify the institutional barriers to creating a commons and challenges of incorporating data protection principles into a commons, encouraging participatory innovation in data governance. We find that working with stakeholders of different backgrounds can support a commons’ implementation by openly recognizing data protection limitations in laws, technologies, and policies when applied independently. We propose requirements for deploying a data protection-focused data commons by applying our findings and data protection principles such as purpose limitation and exercising data subject rights to the Institutional Analysis and Development (IAD) framework. Finally, we map the IAD framework into a commons checklist for policy-makers to accommodate co-creation and participation for all stakeholders, balancing the data protection of data subjects with opportunities for seeking value from personal data.

In May 2012, a former research assistant contacted the Montréal police about an interview he had conducted with Luka Magnotta for the SSHRC-funded research project Sex Work and Intimacy: Escorts and their Clients four years previously. That call ultimately resulted in the Parent and Bruckert v R and Magnotta case. Now, a decade later, we are positioned to reflect on the collective lessons learned (and lost) from the case. In this paper, we provide a lay of the Canadian confidentiality landscape before teasing out ten lessons from Parent c R. To do so, we draw on personal archives, survey results from sixty researchers, twelve key informant interviews with qualitative sociolegal and criminology researchers, and documentary analysis of university research policies. The lessons, which range from the clichéd, to the practical, to the frustrating, have implications for the individual work of Canadian researchers and for the collective work of academic institutions.

Data localization hurts foreign investment and brings potential economic advantages to domestic corporations relative to foreign corporations. This leads to the argument that data localization violates the national treatment principle in international investment treaties. By applying the ‘three-step’ approach to assess the legality of data localization with respect to the national treatment principle, this article finds that the legality of data localization depends on certain circumstances, including the domestic catalogues of foreign investment, the definition of data localization in domestic legislation, and whether international investment treaties explicitly or implicitly incorporate data protection through exceptions for the protection of the state's essential security interests, public order, or public morals. China's acceleration of its legislation processes to regulate cross-border data transfer has significant implications for the negotiations and modifications of Chinese international investment treaties.

This article makes the counterintuitive argument that the millennia-old approach of Jewish law to regulating surveillance, protecting communications, and governing collection and use of information offers important frameworks for protecting privacy in an age of big data and pervasive surveillance. The modern approach to privacy has not succeeded. Notions of individual “rights to be let alone” and “informational self-determination” offer little defense against rampant data collection and aggregation. The substantive promise of a “fundamental human right” of privacy has largely been reduced to illusory procedural safeguards of “notice” and “consent”—manipulable protections by which individuals “agree” to privacy terms with little understanding of the bargain and little power to opt out. Judaism, on the other hand, views privacy as a societal obligation and employs categorical behavioral and architectural mandates that bind all of society's members. It limits waiver of these rules and rejects both technological capacity and the related notion of “expectations” as determinants of privacy's content. It assumes the absence of anonymity and does not depend on the confidentiality of information or behavior, whether knowledge is later used or shared, or whether the privacy subject can show concrete personal harm. When certain types of sensitive information are publicly known or cannot help but be visible, Jewish law still provides rules against their use. Jewish law offers a language that can guide policy debates. It suggests a move from individual control over information as the mechanism for shaping privacy's meaning and enforcement, to a regime of substantive obligations—personal and organizational—to protect privacy. It recognizes the interconnected nature of human interests and comprehends the totality of the harm that pervasive surveillance wreaks on individuals and social relations. It offers a conceptual basis for extending traditional privacy protections to online spaces and new data uses. And it provides a language of dignity that recognizes unequal bargaining power, rejects the aggregation and use of information to create confining personal narratives and judgments, and demands equal protection for all humans.