Lecturer in IT Law

Rechtsanwalt (non-practicing - Germany), Solicitor (non-practicing - England and Wales)
Biography

Judith Rauhofer is a Lecturer in IT Law at the University of Edinburgh and an Associate Director of the Centre for Studies of Intellectual Property and Technology Law (SCRIPT). Her research interests include the commercial and fundamental rights aspects of online privacy and electronic surveillance, data protection, information security and all areas of e-commerce and internet law and policy. Judith is particularly interested in exploring the tensions between privacy as an individual right and as a common good. She is currently working on a project (with Prof. Lilian Edwards, Strathclyde) on "Privacy, Personal Data and the Freemium Model" as part of the inter-institutional Centre for Creativity, Regulation, Enterprise & Technology (CREATe).

At Honours level, Judith teaches Law, Information and Technology; at Masters level, she teaches Information Technology Law (eLLM), Legal Challenges of Information Technology (LLM) and Information: Control and Power (both LLM and eLLM). In 2015/16, she is programme director for the eLLM Information Technology Law and the eLLM Law.

Judith is qualified as a Rechtsanwalt in Germany and as a solicitor in England and Wales. She has worked in legal practice for several years, advising clients from the media and new media industries on aspects of e-commerce, data protection and IT law. She continues to provide consultancy services in the area of e-commerce and data protection compliance.

Judith is a member of the Executive of the British and Irish Law, Education and Technology Association (BILETA) and of the Advisory Councils to the Open Rights Group (ORG) and the Foundation for Information Policy Research (FIPR).

Judith is a Managing Editor of the European Data Protection Law Review. She also serves as a member of the Editorial Board of the European Journal of Law and Technology.

Willingness to take Ph.D. students: Yes

Research Interests

Data protection, privacy, surveillance

Courses Taught

Information: Control and Power (LLM) (Course Organiser)

The legal challenges of information technologies (LLM) (Course Organiser)

Law, Information and Technology (Honours) (Course Organiser)

PhD Supervisees

Jiahong Chen, 'Personal Data Protection in the Age of Big Data: Legal Challenges and Responses'

Laurence Diver, 'Artificial Intelligence and compliance by design'

Daniel Torres Goncalves, 'The role of law interpretation to the protection of Digital Identity Rights'

Matthew Jewell, 'Dissent in the smart city: Contesting cyber-physical architectures'

Jesus Manuel Niebla Zatarain, 'Intelligent Agents to Enforce Copyright on the Internet'

Articles

Judith Rauhofer, 'Editorial', (2015), European Data Protection Law Review, Vol 1, pp 1-2
Abstract: Since January 2012, data protection lawyers have had a taste of what it is like to enjoy the infamous “15 minutes of fame” once demanded for everyone by pop artist Andy Warhol. What has traditionally been seen as a quiet, unassuming discipline that was tucked away in some nook or cranny of the much greater subject area that is IT law, shot to prominence when the European Commission published its proposal for a new General Data Protection Regulation designed to revise the current EU data protection framework.

Judith Rauhofer, 'Of Men and Mice: Should the EU Data Protection Authorities’ Reaction to Google’s New Privacy Policy Raise Concern for the Future of the Purpose Limitation Principle?', (2015), European Data Protection Law Review, Vol 1, pp 5-15
Abstract: On 24 January 2012, Google publicly announced the consolidation of its existing privacy policies covering over 60 of its different services into one main privacy policy. The changes were presented as an effort to “integrate [its] different products more closely so that [it] can create a beautifully simple, intuitive user experience across Google” as well as a reaction to feedback from global regulators, which had been calling for shorter, simpler privacy policies. The new policy was due to come into effect on 1 March 2012.

Judith Rauhofer, Wiebke Abel, Ian Brown, 'A First Look at the Constitutional and Legal Implications of the Data Retention and Investigatory Powers Act 2014', (2014), SCRIPTed, Vol 11, pp 320-328

Daithi Mac Sithigh, Judith Rauhofer, 'The Data Retention Directive Never Existed', (2014), SCRIPTed, Vol 11, pp 118-127
Abstract: Analysis of the decision of the Court of Justice of the European Union in Joined Cases C-293/12 (Digital Rights Ireland) and C-594/12 (Kärntner Landesregierung), on the validity of the Data Retention Directive.

Z. Kwecka, W. Buchanan, B. Schafer, J. Rauhofer, '"I am Spartacus": Privacy Enhancing Technologies, Collaborative Obfuscation and Privacy as a Public Good', (2014), Artificial Intelligence and Law, Vol 22, pp 113-39
Abstract: The paper introduces an approach to privacy enhancing technologies that sees privacy not merely as an individual right, but as a public good. This idea finds its correspondence in our approach to privacy protection through obfuscation, where everybody in a group takes a small privacy risk to protect the anonymity of fellow group members. We show how these ideas can be computationally realised in an Investigative Data Acquisition Platform (IDAP). IDAP is an efficient symmetric Private Information Retrieval protocol optimised for the specific purpose of facilitating public authorities' enquiries for evidence.

Judith Rauhofer, 'Look to Yourselves, That We Lose Not Those Things Which We Have Wrought: What do the Proposed Changes to the Purpose Limitation Principle mean for Public Bodies’ Rights to Access Third Party Data', (2014), International Review of Law, Computers and Technology, Vol 28, pp 144-159
Abstract: This article analyses the proposed changes to the purpose limitation principles contained in the draft Data Protection Regulation adopted by the European Commission in January 2012. It examines the historical motives for the introduction of the principle as part of the 1995 Data Protection Directive, and looks at the constitutional framework under which it operates both at EU and member state level. It considers the risks and long-term consequences that EU citizens may face if the principle is eroded or substantially abandoned.

Judith Rauhofer, 'One Step Forward, Two Steps Back?: Critical Observations on the Proposed Reform of the EU Data Protection Framework', (2013), Journal of Law and Economic Regulation, Vol 6, pp 57-84
Abstract: Recent changes in market dynamics of electronic and mobile commerce mean that users of online services are no longer “passive agents of consumption”. Instead online business models increasingly provide a platform for user interaction while simultaneously relying on the contributions made by those users for the population of those spaces. Like many other online services that form part of the Web 2.0 economy, SNS, in the main, are offered free at the point of access. Instead of charging their users a monetary fee, most SNS providers generate revenue through payments they receive from third parties in exchange for the right directly to display advertising to their users or in exchange for providing aggregated data on those users’ behaviour, likes and dislikes. This means that users now “pay” for online services with the personal information they disclose. Despite repeated announcements by members of the SNS industry that they are committed to the protection of their users’ online privacy, it can therefore not be denied that, in practice, a high level of privacy protection is likely to be in stark conflict with SNS providers’ business objectives and that, in reality, most SNS providers are entirely dependent for their market position on promoting an environment that encourages “openness” and widespread information-sharing by their users through the use of default privacy settings and the subtle encouragement of maximum disclosure in the form of financial and non-financial incentives (for example, additional “free” functionality). This article will examine the implications of these technical, economical and social developments of internet users’ rights to privacy under the current EU data protection framework and whether the changes to that framework proposed by the European Commission in 2012 are likely to address the policy issues identified.

Judith Rauhofer, Daithi Mac Sithigh, 'Digital Future', (2013), SCRIPTed, Vol 10, pp 307-309

Judith Rauhofer, 'Future-Proofing Privacy: Time for an Ethical Introspection?', (2012), Surveillance & Society, Vol 10, pp 351-55
Abstract: When trying to establish whether privacy is dead or whether it is merely evolving, we may very well be asking the wrong question. While there is considerable evidence that the concept of privacy is undergoing a sea change in the eyes of both individuals and policy makers, it could be argued that this is merely an expression of a much more fundamental issue that underpins the technological, political and economic changes we have witnessed over the past decade. It is true that anecdotal evidence suggests that individuals, both as citizens and consumers, no longer value their privacy the way they once did. Many claim that this is true in particular for younger people who seem increasingly comfortable with sharing even intimate details about themselves and their life with others, including a much wider range of “others” than their parents’ generation would have done. Nevertheless, successive studies have shown that the wish for control over one’s own information remains high with, for example, 78 per cent of respondents to a 2011 EU survey on privacy believing that their specific approval should be required before any kind of information about them is collected and processed. This article assesses the likely reasons for internet users' increasing lack of trust in online providers' willingness and ability to keep their personal information secure and to use it only for purposes of which users are aware and which they have approved. It asks what the future for privacy and data protection law should look like and proposes that the existing defensive discourse around data protection should be replaced with a positive agenda for privacy based on an ethical enquiry into the kind of personal data processing that we, as a society, believe should be permitted.

Judith Rauhofer, Marie-Theres Tinnefeld, 'Whistleblower: Verantwortungsbewußte Mitarbeiter oder Denunzianten?', (2008), Datenschutz und Datensicherheit, Vol 32, pp 717-723
Abstract: Whistleblowers in working life are understood to be employees who bring perceived or actual wrongdoing to public attention through particular information channels (whistleblowing hotlines). The use of personal data that accompanies a report, in particular the data of the informants and the accused, is not only an important core question of data protection. It also affects ethical and information-law rules in transnational working cultures. The debate on the question “What responsibility does the whistleblower have, and what may he do?” is posed here above all in the context of the Anglo-American and continental European legal cultures.

Judith Rauhofer, 'Privacy is Dead, Get Over It!: Information Privacy and the Dream of a Risk-free Society', (2008), Information and Communications Technology Law, Vol 17, pp 185-97
Abstract: The use of information and communications technology and the ‘digitalisation’ of everyday tasks has resulted in a paradigm shift where vast amounts of personal information about individuals, their opinions and habits is generated and stored in the databases of those providing online services. The mere existence of those data pools has created ‘unwholesome’ desires in both private and public organisations which covet that data for their own purposes. This article looks at the way in which the ‘market value’ of privacy seems to be falling as individuals are persuaded to disclose information about themselves in order to minimise real or perceived risks. It examines the way in which our perception of risk has changed in recent years and the way in which that perception may be manipulated. It analyses the link between risk perception, data processing and individual concepts of privacy as well as the dangers that increased privacy intrusion represents for the relationship between the individual and the state and the relationship between citizens.

Judith Rauhofer, 'Defence against the Dark Arts: How the British Response to the Terrorist Threat is Parodied in J K Rowling’s Harry Potter and the Half Blood Prince', (2007), International Journal of Liability and Scientific Enquiry, Vol 1, pp 94-113
Abstract: One explanation for the attraction of the Harry Potter books to the adult population could be that Rowling's description of an alternative society and its government traces recent events in contemporary society. The political thread going through the series largely focuses on the way in which the Ministry of Magic deals with Lord Voldemort's return. This paper examines the various aspects of the UK government's response to the terrorist threat and draws parallels between Rowling's depiction of anti-Voldemort security measures in the Potter books and the legal and political developments in the area of counter-terrorism in the UK since 2001.

Judith Rauhofer, 'Blowing the Whistle on Sarbanes-Oxley: Anonymous Hotlines and the historical Stigma of Denunciation in Modern Germany', (2007), International Review of Law, Computers and Technology, Vol 21, pp 363-76
Abstract: The Sarbanes-Oxley Act requires listed US companies as well as non-US companies listed on a US stock exchange to establish procedures for dealing with confidential, anonymous employee submissions regarding questionable accounting or auditing matters. Companies failing to comply with these ‘whistleblowing’ requirements are subject to heavy sanctions. This paper examines the compatibility of whistleblowing requirements contained in the US Sarbanes-Oxley Act with German data protection, employment and constitutional law, and analyses the roots of the historical unease with and the stigma attached to whistleblowing schemes in Germany which result from its experiences with denunciation during the Third Reich and in the former GDR.

Judith Rauhofer, 'Just Because You're Paranoid, Doesn't Mean They're Not After You: Legislative Developments in Relation to the Retention of Communications Data', (2006), SCRIPTed, Vol 3, pp 322-43
Abstract: In the wake of the terrorist attacks in New York, Madrid and London the mandatory retention of communication data by communications service providers has become a contentious issue between the governments of nation states and the communications industry and civil rights campaigners. While the former claim that such retention is necessary for the purpose of national security and the detection and investigation of crime, the latter argue that data retention represents an attack on the rights and freedoms of individuals without evidence that measures will indeed increase the security of citizens. This paper explores the legislative developments, which have taken place in the UK and the European Union in recent years, focusing in particular on the draft Directive on data retention which was adopted in February 2006.

Judith Rauhofer, 'Die Vorratsdatenspeicherung als Instrument sozialer Kontrolle - Eine deutsch/britische Perspektive', (2006), Datenschutz Nachrichten, Vol 2, pp 56-59

Chapters

Judith Rauhofer, 'Round and round the garden? Big data, small government and the balance of power in the information age' in Erich Schweighofer, Franz Kummer, Walter Hoetzendorfer (ed.) Transparenz (Österreichische Computer Gesellschaft 2014) 607-616
Abstract: With personal data caught in a revolving door between private and public sector access, the privacy harms arising from the monitoring of individuals are more difficult to qualify than ever. Concepts of personal data that depend on identifiability permit practices where governments and companies can single out otherwise unidentified persons on the basis of their behaviour or interests. Concepts of harm that rely on evidence of material damage ignore the way in which access to data not only maintains but re-enforces existing power imbalances. This article will look at the notion of privacy harms from an EU perspective taking into account the discussions on the role of personal data in the context of the ongoing revision of the EU data protection framework.

Smita Kheria, Daithi Mac Sithigh, Judith Rauhofer, Burkhard Schafer, '(Mis)appropriation Art? Copyright and Data Protection implications of 'CCTV Sniffing' as Art' in E Schweighofer, F Kummer, W Hötzendorfer (ed.) Abstraktion und Applikation (OCG 2013) 489-98
Abstract: This paper discusses the legal implications of CCTV sniffing and war walking, legally problematic uses of wireless networks, for the purpose of art. Using Bitnik’s “surveillance chess” as starting point, it asks if new forms of computer enabled art require new forms of protection, especially in countries without constitutional guarantee of freedom of art.

Judith Rauhofer, Burkhard Schafer, Zbigniew Kwecka, William Buchanan, 'Schutz der Anonymität als Gemeinschaftsaufgabe - eine neue Generation von PETs?' in Matthias Horbach (ed.) Informatik angepasst an Mensch, Organisation und Umwelt (Köllen 2013) 2134-48

Judith Rauhofer, 'Diskriminierende Auswertung der Überwachung im öffentlichen Raum' in F Hutter, H Tretter (ed.) Nothing to Hide - Nothing to Fear? (Böhlau Verlag 2011) 63-73

Judith Rauhofer, 'The Retention of Communications Data in Europe and the UK' in Lilian Edwards, Charlotte Waelde (ed.) Law and the Internet (Hart 2009) 575-600

Judith Rauhofer, 'Intrusion in the Sphere of Personal Communications' in Dionysios Politis (ed.) Socioeconomic and Legal Implications of Electronic Intrusion (Information Science Reference 2009) 25-46

Judith Rauhofer, 'Privacy and Surveillance Legal and Socioeconomic Aspects of State Intrusion into Electronic Communications' in Lilian Edwards, Charlotte Waelde (ed.) Law and the Internet (Hart 2009) 545-574

Judith Rauhofer, Lilian Edwards, Majid Yar, 'Recent Developments in UK Cybercrime Law' in Yvonne Jewkes, Majid Yar (ed.) Handbook of Internet Crime (Willan 2009) 413-37

Judith Rauhofer, 'History does not matter to them Moves towards the adoption of mandatory communications data in the European Union' in Peter Sint, Erich Schweighofer (ed.) Knowledge Rights - Legal, Societal and Related Technological Aspects (Österreichische Computer Gesellschaft 2006) 203-215
Abstract: In the wake of the terrorist attacks in New York, Madrid and London the mandatory retention of communications data by communications service providers has become a contentious issue between the governments of nation states and the communications industry and civil rights campaigners. While the former claim that such retention is necessary for the purpose of national security and the detection and investigation of crime, the latter argue that data retention represents an attack on the rights and freedoms of individuals without evidence that measures will indeed increase the security of citizens. This paper explores the legislative developments, which have taken place in the European Union in recent years, focussing in particular on the draft Directive on data retention, which was proposed by the European Commission in September 2005.

Judith Rauhofer, 'The Possibility of a Registered Partnership under German Law' in Leslie Moran, Daniel Monk, Sarah Beresford (ed.) Legal Queeries (Continuum International Publishing Group Ltd 1998)

Working Papers

Judith Rauhofer, Daithi Mac Sithigh, 'The Data Retention Directive Never Existed' 2014
Abstract: Analysis of the decision of the Court of Justice of the European Union in Joined Cases C-293/12 (Digital Rights Ireland) and C-594/12 (Kärntner Landesregierung), on the validity of the Data Retention Directive. The Court of Justice of the European Union (ECJ) has ruled that the 2006 Data Retention Directive is invalid. The basis of invalidity was the exceeding of the limits imposed by the principle of proportionality in the light of Articles 7, 8 and 52(1) of the EU Charter of Fundamental Rights (Charter). The decision was in respect of two joined preliminary references, one from Ireland and the other from Austria.

Judith Rauhofer, 'Round and Round the Garden?: Big Data, Small Government and the Balance of Power in the Information Age' 2014
Abstract: With personal data caught in a revolving door between private and public sector access, the privacy harms arising from the monitoring of individuals are more difficult to qualify than ever. Concepts of personal data that depend on identifiability permit practices where governments and companies can single out otherwise unidentified persons on the basis of their behaviour or interests. Concepts of harm that rely on evidence of material damage ignore the way in which access to data not only maintains but re-enforces existing power imbalances. This article will look at the notion of privacy harms from an EU perspective taking into account the discussions on the role of personal data in the context of the ongoing revision of the EU data protection framework.

Smita Kheria, Daithi Mac Sithigh, Judith Rauhofer, Burkhard Schafer, '“CCTV Sniffing”: Copyright and Data Protection Implications' 2013
Abstract: This paper discusses the legal implications of CCTV sniffing and war walking, legally problematic uses of wireless networks, for the purpose of art. Using Bitnik’s “surveillance chess” as starting point, it asks if new forms of computer enabled art require new forms of protection, especially in countries without constitutional guarantee of freedom of art.

Judith Rauhofer, 'One Step Forward, Two Steps Back?: Critical Observations on the Proposed Reform of the EU Data Protection Framework' 2013
Abstract: Recent changes in market dynamics of electronic and mobile commerce mean that users of online services are no longer “passive agents of consumption”. Instead online business models increasingly provide a platform for user interaction while simultaneously relying on the contributions made by those users for the population of those spaces. Like many other online services that form part of the Web 2.0 economy, SNS, in the main, are offered free at the point of access. Instead of charging their users a monetary fee, most SNS providers generate revenue through payments they receive from third parties in exchange for the right directly to display advertising to their users or in exchange for providing aggregated data on those users’ behaviour, likes and dislikes. This means that users now “pay” for online services with the personal information they disclose. Despite repeated announcements by members of the SNS industry that they are committed to the protection of their users’ online privacy, it can therefore not be denied that, in practice, a high level of privacy protection is likely to be in stark conflict with SNS providers’ business objectives and that, in reality, most SNS providers are entirely dependent for their market position on promoting an environment that encourages “openness” and widespread information-sharing by their users through the use of default privacy settings and the subtle encouragement of maximum disclosure in the form of financial and non-financial incentives (for example, additional “free” functionality). This article will examine the implications of these technical, economical and social developments of internet users’ rights to privacy under the current EU data protection framework and whether the changes to that framework proposed by the European Commission in 2012 are likely to address the policy issues identified.

Judith Rauhofer, Caspar Bowden, 'Protecting Their Own: Fundamental Rights Implications for EU Data Sovereignty in the Cloud' 2013

Judith Rauhofer, 'Look to Yourselves, That We Lose Not Those Things Which We Have Wrought: The Proposed Changes to the Purpose Limitation Principle in Data Protection and Public Bodies’ Rights to Access Third Party Data' 2013
Abstract: This article analyses the proposed changes to the purpose limitation principles contained in the draft Data Protection Regulation adopted by the European Commission in January 2012. It examines the historical motives for the introduction of the principle as part of the 1995 Data Protection Directive, and looks at the constitutional framework under which it operates both at EU and member state level. It considers the risks and long-term consequences that EU citizens may face if the principle is eroded or substantially abandoned.

Judith Rauhofer, 'Response to the consultation by the Department for Business Innovation and Skills regarding its proposals for implementing the revised EU Electronic Communications Framework' 2010
Abstract: With Chris Marsden. This is a collaborative submission from a group of academics based in the UK with expertise in information technology law and related areas. The preparation of this response has been funded by the Information Technology Think Tank, which is supported by the Arts and Humanities Research Council and led by the SCRIPT/AHRC Centre for Research in Intellectual Property and Technology, University of Edinburgh.

Judith Rauhofer, 'Response to the consultation by the Home Office regarding its proposals to amend the Regulation of Investigatory Powers Act 2000 to address deficiencies identified by the European Commission' 2010
Abstract: This is a collaborative submission from a group of academics based in the UK with expertise in information technology law and related areas. The preparation of this response has been funded by the Information Technology Think Tank, which is supported by the Arts and Humanities Research Council and led by the SCRIPT/AHRC Centre for Research in Intellectual Property and Technology, University of Edinburgh.

Conference Papers

Judith Rauhofer, Lilian Edwards, Andrew Black, 'Privacy, Personal Data Collection and the Freemium Business Model for Web 2.0', presented at CREATe All Hands Conference 2014, Glasgow, United Kingdom, 2014

Judith Rauhofer, 'Blowing the Whistle on Sarbanes-Oxley: Anonymous Hotlines and the Historical Stigma of Denunciation in Modern Germany', presented at BILETA Annual Conference, University of Hertfordshire, United Kingdom, 2007
Abstract: The Sarbanes-Oxley Act requires listed US companies as well as non-US companies listed on a US stock market to establish procedures for dealing with confidential, anonymous employee submissions regarding questionable accounting or auditing matters. Companies failing to comply with these “whistleblowing” requirements are subject to heavy sanctions. This paper examines the compatibility of whistleblowing requirements contained in the US Sarbanes-Oxley Act with EU data protection rules, and analyses the roots of the historical unease with and the stigma attached to whistleblowing schemes in Germany which result from its experiences with denunciation during the Third Reich and in the former GDR.