Browsing by master's degree program "Magisterprogrammet i internationell affärsjuridik"

Surveillance Capitalism, as described by Shoshana Zuboff, is a mutation of capitalism in which the main commodity to be traded is behavioural surplus, or personal data. As the forming of Surveillance Capitalism was significantly furthered by Artificial Intelligence (AI), AI is a central topic of the thesis. Personalisation that will oftentimes involve the use of AI tools is based on the collection of big amounts of personal data and bears several risks for data subjects. In Chapter I, I introduce the underlying research questions: Firstly, the question which effects the use of AI in Surveillance Capitalism has on democracy in the light of personalisation of advertisement, news provision, and propaganda. Secondly, the question whether the European Data Protection Regulation (GDPR) and the Charter of Fundamental Rights of the European Union react to these effects appropriately or if there is still need for additional legislation. In Chapter II, I determined a working definition of Artificial Intelligence. Additionally, the applicability of the GDPR together with potential problems are introduced. A special focus here lays on the underlying rationale of the GDPR. This topic is evaluated on several occasions during the thesis and reveals that the focus of the GDPR on enabling the data subject to exercise control over his or her information conflicts with the underlying rationale of Surveillance Capitalism. In Chapter III, four steps of examination follow. In a first step,I introduce the concept of Surveillance Capitalism. Personalized advertisement together with consent as a legal basis for processing of personal data are examined. During this examination, profiling, inferences, and the data processing principles of the GDPR are explored in the context of personalisation and AI. A focus in this examination is the question how individuals and democracy can be impacted. It is found that there is a lack of protection when it comes to the use of consent as a legal basis for privacy intrusive personalized advertisement and it is likely that the data subject will not be able to make an informed decision when asked for consent. Data minimisation, purpose limitation and storage limitation as important data processing principles proof to be at odds with the application of Artificial intelligence in the context of personalisation. Especially when it comes to the deletion of data further research in AI will be necessary to enable the adherence to the storage limitation.In a second step, I examined personalized news and propaganda according to their potential impacts on individuals and democracy. Explicit consent as a legal basis for processing of special categories is examined together with the concept of data protection by design as stipulated in article 25 GDPR. While explicit consent is found to likely suffer from the same weaknesses as the “regular consent”, I proposed that data protection by design could solve some of the arising issues if the norm is strengthened in the future.In a third step, I evaluate whether the right to receive and impart information laid down in the Charter of Fundamental Rights of the European Union provides for a right to receive unbiased, or unpersonalized, information. While there are indications that such a right could be acknowledged however, its scope is unclear so far. In a fourth step, I examine the proposal for a European Artificial Intelligence Act with the unfortunate outcome, that this Act might not be able to fill the discovered gaps left by the GDPR. I conclude that, taking into consideration all findings of the research, the use of AI in personalisation can significantly harm democracy by potentially impacting the freedom of political discourse, provoking social inequalities, and influencing legislation and science through heavy investment and lobbying. Ultimately, the GDPR does leave significant gaps due to the incompatibility of underlying rationales of the GDPR and Surveillance Capitalism and there is a need to protect data subjects additionally. I propose that future legislations on the use of AI in personalization should react appropriately to the rationale of Surveillance Capitalism.

The European Union’s (EU) General Data Protection Regulation (GDPR) guarantees a high level of data protection for individuals in the European Union (EU data subjects). Other jurisdictions may not guarantee an equivalent level of protection, and therefore the GDPR has mechanisms through which it ensures that personal data is protected when processed extraterritorially. The two main mechanisms examined in this research paper are the rules on territorial scope under Article 3(2) and those for international data transfers in Chapter V GDPR. The mechanisms may apply simultaneously, and their interplay is not regulated by the GDPR, resulting in confusion and inconsistent application of the two protective mechanisms. The confusion has resulted in two approaches to addressing how the mechanisms should interact when applied simultaneously: the ‘cumulative’ and the ‘compensatory’ approaches. The cumulative approach advocates for the simultaneous application of the two rules, while the compensatory advocates for the disapplication of Chapter V when Article 3(2) applies. The presence of two approaches may undermine the rule of law and the general reception of the data protection measures in a foreign jurisdiction, and thusly, clarifications of the law is needed. Considering the above, the aim of this work is to (1) ascertain the overlap between Article 3(2) and Chapter V, and (2) evaluate which of the two approaches –‘cumulative’ or ‘compensatory’ – better achieves the EU data protection framework’s objective of ensuring extraterritorial data protection. In chapter 2, the research evaluates the extent of the overlap between the two mechanisms by laying out their legal requirements and background. It is established that the extraterritorial application of the GDPR faces issues with enforcement and conflict of laws. In chapter 3, the ‘cumulative’ and ‘compensatory’ approaches are evaluated from a reformist legal doctrine perspective to account for the wider societal context in which the approaches operate in. The research concludes that, while the cumulative approach yields in a higher level of protection, the approach can be unnecessarily cumbersome for data controllers and processors from a cost and compliance perspective. The research recommends the adoption of a middle-ground approach, where the limitations of both cumulative and compensatory approaches are accounted for. The middle-ground approaches explored in this paper are: the development of a new data transfer instrument and regulatory reform. The research also recommends more in-depth research into the topic to aid the development of a new data transfer instrument or laws.

The interest of this thesis is to investigate how the transparency framework of the GDPR is able to support effective accountability of ADM systems. To do this, I pose the following question: What are the limits of the transparency framework, presented in the GDPR, to effectively achieve accountability of automated decision-making systems? ADM is nowadays used to decide on many aspects of our lives. With the employment of algorithmic technologies, such as ML, these systems are now able to use available data as a defining factor for future decisions. Compared to human decision-making, ML-based ADM can be more efficient and save resources for businesses and governments. However, these systems have their own risks. They can be opaque about how data is processed and what are the reasons behind their decisions. This opacity gives systems’ owners the opportunity to have undesirable powers over individuals. In fact, even unintentionally, sometimes algorithmic decision systems can be biased and result in unfair or discriminatory decisions due to their technically complex nature. To counteract such information and power asymmetries between decision-makers and subjects, the demanded solutions have long been, transparency and accountability. The former to access and observe systems, and the latter to justify, challenge, and correct them. These ideals have been adopted by the GDPR as guiding data protection principles underlying the regulation framework. In this work, I observe that the GDPR protects individuals’ rights and freedoms by guaranteeing accountable ADM. But at the same time, accountability goals are dependent on how the regulation supports systems’ transparency. Thus, to determine the success of accountability, the transparency platform should be assessed. For this assessment, I start by setting a theoretical baseline, namely, the necessary level of transparency required to achieve the accountability of ADM systems. Based on the work of other authors, I establish that the legislation should optimally provide for transparency to; detect and correct potential discrimination, justify decisions, and allow contestation and correction of these decisions when necessary. Additionally, this baseline contains specific elements of ADM systems that should be allowed to be evaluated for such accountability. Against this background, an analysis of the law is performed to test to what extent can the GDPR’s transparency framework attain the standards set in the baseline. The analysis includes articles 12, 14, 15, 22, 25, and 35, for considering those with the most significant transparency implications for ADM. After looking at the content of the law, in conjunction with interpretations offered by EU authorities and the legal theory. The findings of the test are that the GDPR contains important individual rights to contest and correct decisions. However, the law has some phrasing limitations that result in a constraint to offer the disclosure of the elements necessary for the proper justification of decisions. Making it difficult for individuals to enforce their rights. Furthermore, the legislation lays data controllers’ obligations to continuously evaluate systems to assess and address their potential risks. As well as an obligation to design for more transparent and accountable systems. These could aid in the detection and correction of potential discrimination. Yet, these obligations are also limited by the text of the law to effectively offer less opaque and complex ADM systems. As a result, I conclude that, while the GDPR offers significant steps towards accountability. Its transparency framework is still limited to support the evaluation, justification, and thus, correction of complex ADM systems and their decisions. Significantly diminishing the legislation’s accountability promises.

Tämä tutkielma käsittelee rahanpesun ehkäisemistä ja etenkin raportointivelvollisten yritysten ja yksityissektorin roolia siinä. Tutkielma käsittelee rahanpesua yleistasolla, moderneja rahanpesun muotoja, ja vaikutuksia yhteiskunnalle. Tämän lisäksi tutkielma esittelee EU-lainsäädäntöä aiheeseen liittyen erityisesti EU:n neljättä, viidettä ja kuudetta rahanpesudirektiiviä, ja niiden asettamia vaatimuksia. Tutkielma esittelee ja arvioi yritysten AML-compliance prosesseja kuten asiakkaan tunnistamista, riskiarvion tekemistä, tilitapahtumien seurantaa sekä epäilyttävien tapahtumien raportointia. Tämän lisäksi, tutkielma arvioi rahanpesun ehkäisemistä corporate governance – näkökulmasta, sekä arvioi compliance-prosessista syntyviä kuluja sekä riskejä yrityksille, sekä näiden perusteella rahanpesun ehkäisemisen tehokkuutta. Johtavatko nämä varsin tiukat vaatimukset ja korkeat compliance-kulut tehokkaaseen lopputulokseen? This master’s thesis discusses and analyzes the topic of anti-money laundering, and especially the role of obliged entities and private sector. The thesis will introduce the general topic of money laundering, its modern methods, impact to the society and why preventing money laundering is of utmost importance. The thesis will present the relevant EU legislation, from which the obligations for obliged entities spring from, mainly, the fourth, fifth and sixth anti-money laundering directives. In addition to presenting the phases of companies’ compliance processes such as know your customer, risk assessment, transaction monitoring and suspicious activity reporting, the thesis will analyze the issue from a point of view of corporate governance and evaluate the costs and risks for obliged entities, and on the basis of these, the efficiency of the framework and process for prevention of money laundering. Do strict requirements towards obliged entities and their high compliance costs lead to an efficient result in preventing money laundering.

In the last years those companies that pay close attention to transition of their business models to circular economy have adopted good practices to deal with waste prevention and management. High voluntary standards are set and enforced throughout the supply chain. However, good practices and high voluntary standards are taken seriously by the limited number of companies, predominantly, by those who want to be on rider’s seat and show example to peers. The recent EU Circular Economy Action Plan, released in March 2020, emphasizes that scaling up the circular economy from front-runners to the mainstream economic players will make a decisive contribution to transition to circular economy that will help to achieve climate neutrality by 2050, decoupling economic growth from resource use, keeping resource consumption within planetary boundaries. The Master Thesis departs from the assumption that there is a need for legal reform in the fields of circular economy law and company law to enhance circular economy for business. It is essential to turn modern policies that are in place into reality on the ground. The project aims to answer the question what legal reforms are necessary and should be prioritized.

This master’s thesis is a study with respect to prospectus regulation in the EU and Australia. This thesis sets out to discover whether a prospectus summary drawn up in accordance with EU standards could be utilised in a secondary listing in Australia. The thesis utilises legal dogmatics as a basis point for the analysis for the regulatory framework in the EU. Methods of comparative law is also utilised to highlight similarities and differences between the pragmatic functionality of the two jurisdictions’ prospectus regulation regimes. The thesis first analyses the current regulatory framework in the EU with respect to prospectuses with a focus on prospectus summaries as well as investigates the policy reasons for recent regulatory reforms. Based on the analysis of the current regulation on prospectus summaries in the EU, the thesis presents an example summary. The thesis then goes on to examine the example summary in the Australian context, analyses whether the example summary may be utilised in Australia, and what are the policy reasons behind any necessary changes. Lastly, the thesis compares the two jurisdictions’ regulatory framework from a policy point of view to analyse what objectives are driving the legislative outcomes. The thesis found that the example summary compiled in accordance with the EU prospectus regulation can be made compatible with the Australian standards with minor additions and adjustments and that overall, the two regulatory frameworks share the objectives of investor protection and market efficiency which are reflected in the regulatory texts.

The present study examines the legality of direct marketing to other Member States of the European Union by holders of an Estonian virtual currency service provider license, regulated by the Estonian Financial Intelligence Unit ("FIU") in accordance with the Act on Prevention of Money Laundering and Terrorist Financing ("MLTFPA"), in order to assess the feasibility of such a practice. In more detail, this study is intended to provide an overview of the Estonian crypto regulations in relation to direct marketing compliance, as well as a description of how the forthcoming regulations of the Estonian Parliament and Council on markets in crypto assets and amending Directive (EU) 2019/1937 may affect direct marketing compliance for crypto license holders in Estonia. Compliance is vital to establish worldwide standards, protecting consumers, preventing fraudulent activity (such as anti-money laundering, anti-terrorism funding), and promoting fair competition among businesses, such as anti-bribery and financial transparency. The selection of Estonia for this study is twofold: firstly, Estonia is one of the most digitized countries in the European Union, and secondly, it's also a leading destination for cryptocurrency businesses as well as one of the top destination countries in Europe for Fintech start-ups. Estonia has taken a leading role in the European Union's crypto licensing arena through its advanced policies towards cryptocurrencies. Estonia's foresight led to the issuance of crypto licenses as early as 2017, a landmark achievement which significantly accelerated the process for companies aiming to acquire an Estonian license. With relatively basic requirements in place for such a permit, businesses can easily operate without any encumbering legal impediments. The ease in obtaining Estonian crypto licenses proved rivaled by no other, creating a catalytic effect on worldwide crypto operations that were previously deterred and impeded by complex, time-consuming legal processes. In this way, Estonia's proactive stance in designing regulatory procedures unlocked doors to new horizons in the industry, vastly affecting large numbers of innovative startups looking to expand their business operability. Therefore, it is evident that a commitment to creating a conducive environment boosted Estonia's reputation as a superior hub for the dynamic domain of crypto, ahead of alternative actors available in different regions around the world. As cryptocurrency use has grown and evolved, so too has the legislation. It is possible to see that by comparing how the 2022 regulation differs significantly from the 2017 version. In 2020, Estonia's crypto regulatory system underwent a significant change when the entity responsible for the regulation of crypto moved from the Ministry of Interior to the Financial Intelligence Unit under the Ministry of Finance. The majority of crypto licenses were now revoked by the Financial Intelligence Unit in 2020. On March 15, 2022, an amendment was made to Estonia's Law on Preventing the Financing of Terrorism to include under the scope of the licensing system virtual currency providers as "obligated entities" in Sections 2(10) ("Application of this Act") and 72 ("Own funds requirements for a virtual currency service provider"). Therefore, making virtual currency providers subject to Estonian Money Laundering Act. An additional amendment to MLTFPA has been approved by the Estonian government on March 15th, 2022, which governs the cryptocurrency services offered by Estonian companies. By complying with these amendments as effectively as possible, the risk of money laundering and terrorist financing can be significantly reduced during cryptocurrency transactions within Estonian companies. As a matter of fact, this topic is of great significance mainly since there are a number of crypto companies that have been developed in Estonia, and there have been discussions about how these companies operate on the market with or without a government license. The aim of this investigation is to analyze the significance of insufficient objective information regarding the validity of Virtual Assets Service Providers' ("VASP") marketing services outside Estonia. The goal is to bring attention to the potential effects of the present situation where virtual currency companies pursue promotional activities in other EU regulated zones while abstaining from directly advertising their VASP offerings. To be precise, this research will explore how consumer protection and regulatory effectiveness have been impacted by such actions, particularly the ones enforced by the Estonian authorities - FIU and MLTFPA regulation. Moreover, there is, at the moment, no harmonized European Union legislation that regulates crypto marketing to so called “grey areas"' – meaning countries where cryptocurrencies are not regulated. In the context of the global trend focused on the active development of the digital economy, the relevance of issues related to the formation of approaches to the legal regulation of the use of the latest financial technologies (FinTech) seems indisputable. However, the European Parliament has taken significant action towards addressing this regulatory gap by approving the Markets in Crypto Assets (MiCA) Regulation in April 2023. This regulation represents a progressive effort to harmonize and standardize the governance of cryptocurrencies across the entire European Union, thereby ushering in a new period of regulatory clarity and transparency in the crypto market. The blockchain technology presents not only new possibilities but also new challenging conditions for traditional approaches to the provision of financial services. The development of cryptocurrencies, modern forms of attracting investments in the form of ICO (Initial Coin Offering) in the actual absence of a legal framework, brings potential risks to both private and public interests, namely: high volatility of the cryptocurrency rate, implication of investors in illegal activities, the unavailability of legal mechanisms to protect investors, jeopardizing global economic stability, etc. In this regard, it is interesting to consider the positions already formed on the legal regulation of the use of FinTech in European countries with the necessary experience in this area, in particular in Estonia, which is a member of the European Union. The positions of financial regulators and established requirements of the European Union and Estonia to ICOs are discussed in detail. Conclusions on the appropriateness of legal regulation of new phenomena, including at the international level, are formulated. Recommendations on the implementation of the Estonian experience in the regulation of ICOs and cryptocurrencies in the European Union system are made. Thus, it seems reasonable to observe the principle of technological neutrality in the formation of the legal framework of regulation of ICO and cryptocurrency, to consider bitcoin trading as a business activity subject to compulsory licensing, etc. The following recommendations are made for the implementation of the Estonian experience in the regulation of ICO and cryptocurrency in the European Union legal system. To sum up, Estonia's crypto regulations have experienced considerable progress since the introduction of licensure in 2017, and changes to the Money Laundering and Terrorist Financing Prevention Act in March 2022 reinforced it further, applying to virtual currency providers. Nevertheless, there still exist apprehensions concerning legality of marketing services supplied by Virtual Assets Service Providers beyond the Estonian land boundaries. The above mentioned regulation, passed by the European Parliament in April 2023, is expected to facilitate standards governing cryptocurrencies across all EU members. Given that direct advertising is a crucial aspect of the crypto industry, compliance with these upcoming regulations will be essential for enterprises operating in this territory, including those licensed in Estonia. It is therefore critical for these license holders to remain aware of regulatory developments and ensure their direct marketing practices comply with both Estonia's and the entire European Union's laws. Direct advertising is integral to the crypto industry as it is a key means of promoting and differentiating products and services, and therefore its regulation is of utmost importance for ensuring transparency and consumer protection, additionally the consequences of noncompliance with above mentioned legislation may lead to brand damage, regulatory fines, civil liability, and criminal charges.