Cybersecurity


49 Terms

1

What is the main goal of the GDPR?

To give individuals control over their personal data and create harmonized data protection rules across the EU.

2

What are Personal Data?

Any information relating to an identified or identifiable natural person (e.g., name, ID number, location data, online identifier).

3

What are Special Categories of Personal Data (Sensitive Data)?

Data revealing racial/ethnic origin, political opinions, religious beliefs, health data, biometric data, sexual orientation. Their processing is prohibited unless a specific exception applies.

4

What is Processing of personal data?

Any operation performed on personal data (e.g., collection, recording, storage, use, disclosure, deletion).

5

Who is a Data Controller?

The entity that determines the WHY (purposes) and HOW (means) of data processing. (The "boss").

6

Who is a Data Processor?

An entity that processes data on behalf of the Controller, following the Controller's instructions. (The "contractor").

7

What are the 7 principles of data processing? (Acronym: L-FASTR)

  1. Lawfulness, fairness and transparency

  2. Purpose limitation

  3. Data minimisation

  4. Accuracy

  5. Storage limitation

  6. Integrity and confidentiality (Security)

  7. Accountability.

Imagine you want to collect data (like email addresses for a newsletter).

  1. First, you must have a good, legal reason and be honest about it.

    • Lawfulness, fairness and transparency

  2. You can only collect the data for one specific reason.

    • Purpose limitation (You can't use the emails for something else later without asking again).

  3. Only take the data you absolutely need.

    • Data minimisation (For a newsletter, you need an email, but you don't need the person's home address or medical history).

  4. Make sure the data is correct.

    • Accuracy (If someone gives you a new email, you must update it).

  5. Don't keep the data forever.

    • Storage limitation (If someone unsubscribes, you should delete their email after a reasonable time).

  6. Keep the data safe and secure.

    • Integrity and confidentiality (Protect the emails from hackers with passwords and encryption).

  7. Finally, you are responsible for following all these rules and proving it.

    • Accountability (This is the "umbrella" principle that covers all the others).

8

What is the Accountability principle?

The controller is responsible for, and must be able to demonstrate, compliance with all other GDPR principles.

9

Name the 6 lawful bases for processing personal data (focus on the first 3).

  1. Consent

  2. Contract

  3. Legitimate Interests

  4. Legal Obligation

  5. Vital Interests

  6. Public Task

10

What is valid Consent under GDPR?

Freely given, specific, informed, and an unambiguous affirmative action (e.g., ticking a box). It must be easy to withdraw. Pre-ticked boxes are invalid.

11

What is the "Legitimate Interests" basis?

A three-part test: 1) Purpose (is there a legitimate interest?), 2) Necessity (is processing necessary for it?), 3) Balancing (do your interests override the individual's rights?).

12

What is the AI Act?

The first comprehensive law on AI by the EU. It's a Regulation and uses a risk-based approach.

13

What is an AI System according to the AI Act?

A machine-based system that infers from input how to generate outputs (predictions, content, recommendations) that can influence physical or virtual environments.

14

What are the four levels of the AI Risk Pyramid?

  1. Unacceptable Risk (Prohibited)

  2. High-Risk (Strict requirements)

  3. Limited Risk (Transparency obligations)

  4. Minimal Risk (No obligations)

15

Give examples of Unacceptable Risk AI.

Social scoring by governments, manipulative subliminal techniques, real-time remote biometric identification in public spaces (with narrow exceptions).

16

Give examples of High-Risk AI.

AI used in critical infrastructure, education, employment, law enforcement, judiciary.

17

Give examples of Limited Risk AI.

Chatbots (must inform users they are interacting with an AI), deepfakes (must be labelled as such).

18

What are the 7 key requirements for High-Risk AI systems? (Based on the principles)

  1. Human Oversight

  2. Technical Robustness & Safety

  3. Privacy & Data Governance

  4. Transparency

  5. Diversity, Non-discrimination, Fairness

  6. Societal & Environmental Well-being

  7. Accountability

19

What is the "Black Box" problem in AI?

The opacity of some AI systems where it's possible to see the input and output, but not the internal decision-making process, making it hard to understand why a decision was made.

20

What is the "Responsibility Gap"?

The difficulty in attributing legal responsibility for harm caused by an AI system due to its autonomy and complexity. It's unclear who is to blame: the developer, user, or owner.

21

What is Cyber-dependent crime?

Crimes that can only be committed using computers/networks (e.g., hacking, malware attacks, DDoS).

22

What is Cyber-enabled crime?

Traditional crimes that are facilitated by technology (e.g., online fraud, harassment, disinformation).

23

What is the Budapest Convention?

The first international treaty on cybercrime. It aims to harmonize national laws and improve international cooperation.

24

What is Illegal Access to a computer system (e.g., Art. 615-ter Italian CP)?

The unauthorized access to a computer system protected by security measures. The protected legal interest is the "digital domicile" or data privacy.

25

What is the main purpose of Criminal Law?

To punish the offender and deter crime. The state prosecutes. Standard of proof: Beyond a reasonable doubt.

26

What is the main purpose of Tort Law (Civil Liability)?

To compensate the victim for harm suffered. The individual sues. Standard of proof: Balance of probabilities (more likely than not).

27

What is Product Liability?

A type of strict liability where a manufacturer is held responsible for harm caused by a defective product, even without proven negligence.

28

What are the three types of product defects?

  1. Design Defect (flaw in the blueprint)

  2. Manufacturing Defect (error in making one specific product)

  3. Marketing/Labeling Defect (faulty instructions or warnings)

29

What was the proposed AI Liability Directive meant to do?

To make it easier for victims to sue for AI-related harm by introducing a rebuttable presumption of causality (if you prove fault and damage, it's presumed the fault caused the damage).

30

What is "Electronic Personality"?

A controversial proposal to grant advanced autonomous AI systems a legal status similar to a company, so they could be held liable for damages directly.

31

What is a Data Breach under GDPR?

A security incident leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of/access to personal data. Must be reported to the authority within 72 hours if it poses a risk.

32

What is the "Control Dilemma" in AI?

The conflict between AI's Autonomy (ability to make own decisions), Automation (acting without human intervention), and Opacity ("Black Box" problem), which makes human oversight difficult.

33

What is a "Deepfake"?

AI-generated or manipulated image, audio, or video content that falsely appears to be authentic or truthful.

34

What is the main legal basis for the EU to create regulations like the AI Act and GDPR?

Article 114 TFEU - The harmonization of laws for the establishment and functioning of the Internal Market. (So that there are not different laws in each EU country getting in the way of business.)

35

What is the role of the Data Protection Officer (DPO)?

An independent expert who advises the organization on GDPR compliance, monitors its implementation, and acts as a contact point for the regulator and data subjects.

36

Name the two main types of "disinformation".

  • Disinformation: False information spread with the intent to deceive.

  • Misinformation: False information spread without malicious intent (the person believes it's true).

37

Who is Daniel Kahneman and why is he mentioned in the context of AI and disinformation?

A Nobel Prize-winning psychologist known for his work on cognitive biases and decision-making. He described "System 1" (fast, intuitive thinking) and "System 2" (slow, logical thinking). This is relevant because disinformation often targets our impulsive "System 1", and AI can be seen as a new "System 0" that influences us before our own intuition.

38

What is NAFO (North Atlantic Fella Organization)?

An informal, online group that uses memes and humor to counter Russian disinformation and propaganda. It's an example of how humor can be used as a tool in information warfare.

39

What are "Weapons of Math Destruction" (a term coined by Cathy O'Neil)?

Algorithms that are opaque, scalable, and cause harm (e.g., in criminal sentencing, credit scoring). They are a form of weaponization of information because they can perpetuate bias and inequality under the guise of neutrality.

40

What was the key finding of the German Constitutional Court in 1983 regarding data protection?

It established the fundamental right to "informational self-determination". This means an individual has the authority to decide for themselves about the disclosure and use of their personal data.

41

What is the "Liability Gap" or "Responsibility Gap" in AI?

The problem that arises when an AI causes harm, but no human can be held legally responsible because control was lost over the AI's autonomous decision-making. (Formulated in Matthias, 2004.)

42

What is the difference between "privacy" and "data protection" in the EU Charter of Fundamental Rights?

  • Article 7 (Privacy): Right to respect for private and family life, home, and communications.

  • Article 8 (Data Protection): A separate, specific right to the protection of your personal data, with its own rules (fair processing, access, independent oversight).

43

What is Convention 108+?

A binding international treaty by the Council of Europe that was the first legal instrument in the field of data protection. It is the foundation for modern laws like the GDPR.

44

What is the "Right to be Forgotten" (or Right to Erasure) in GDPR?

The right of a data subject to have the controller erase their personal data without undue delay (e.g., when the data is no longer necessary for the purpose it was collected).

45

What is a Data Protection Impact Assessment (DPIA)?

A process to identify and minimize the data protection risks of a project before it starts. It is a key tool for implementing "Privacy by Design".

46

What was the significance of the article "The Right to Privacy" by Warren and Brandeis (1890)?

It is a foundational text that first proposed a formal legal right to privacy, famously describing it as the "right to be let alone", largely in response to new technologies like photography.

47

What is a "Hybrid Threat"?

A mix of conventional and unconventional methods (cyberattacks, disinformation, economic pressure) used by state or non-state actors to destabilize a country. The main challenge is attribution (proving who is behind it).

48

What is the principle of "Human-in-the-loop" in the AI Act, and what is the main criticism of it?

A requirement for high-risk AI systems to be designed for effective human oversight. Criticism: It can become a "scapegoat" due to automation bias (over-relying on the AI) and the opacity of the AI, which makes meaningful oversight impossible.

49

What is the key difference between an EU Regulation and a Directive?

  • Regulation (e.g., GDPR, AI Act): Directly applicable law, the same in all EU countries. Aims for uniformity.

  • Directive (e.g., old Data Protection Directive): Sets a goal, but each EU country must pass its own laws to achieve it. Leads to harmonization but can cause fragmentation.