Faculty Profile

Samson Yoseph Esayas

Associate Professor - Department of Law and Governance

Publications

Esayas, Samson Yoseph (2019)

Data Privacy in European Merger Control: Critical Analysis of Commission Decisions Regarding Privacy as a Non-Price Competition

European Competition Law Review, 40(4), pp. 166-181.

In recent years, privacy has started to attract considerable attention in competition discussions, particularly in mergers involving data-rich industries. Prime examples of such mergers include Google/DoubleClick, Facebook/WhatsApp and the recent acquisition of LinkedIn by Microsoft. Given the central role that personal data plays in these mergers and associated privacy concerns for users, competition authorities have started to experiment with ways to incorporate privacy into merger assessment. One emerging approach is to factor in privacy as a non-price competition parameter. In its merger decisions involving Facebook/WhatsApp and subsequently Microsoft/LinkedIn, the European Commission held that data privacy constitutes a key parameter of non-price competition in the market for consumer communications and for professional social networks. This article provides a critical analysis of these decisions regarding the competition in privacy and Privacy Enhancing Technologies (PETs). The analysis is conducted from two angles: one looking at the Commission’s approach in defining the market, particularly on how competition in privacy and PETs is manifested and when two firms are considered competitors based on these parameters and thereby of interest to competition law. The second angle takes aim at the competitive assessment and the theories of harm, particularly when a merger is considered to lead to reduction in privacy as a non-price competition parameter. The article maintains that the Commission’s decision in Microsoft/LinkedIn represents a step forward in the discussion of privacy as a non-price (quality) competition parameter and the use of market power to harm such competition.

Esayas, Samson Yoseph & Svantesson, Dan Jerker B. (2018)

Digital Platforms under Fire – What Australia Can Learn from Recent Developments in Europe

Alternative Law Journal, 43(4), pp. 275-282. Doi: 10.1177/1037969X18813402

There is a clear trend of a hardening attitude towards digital platforms. In Australia this trend is exemplified by the Australian Competition and Consumer Commission’s current inquiry specifically into digital platforms. Further, it can also be seen in court decisions. Having discussed one such court decision, we give a brief overview of the Australian Competition and Consumer Commission’s digital platforms inquiry. We then seek to bring attention to a selection of particularly relevant European developments that may usefully inform how Australia proceeds in this arena and that may be considered in the Australian Competition and Consumer Commission’s final report due to be provided to the Treasurer on 3 June 2019.

Esayas, Samson Yoseph (2018)

Competition in (Data) Privacy: ‘Zero’ Price Markets, Market Power and the Role of Competition Law

International Data Privacy Law (IDPL), 8(3), pp. 181-199. Doi: https://doi.org/10.1093/idpl/ipy014

Firms compete by offering consumers lower prices but also high-quality products and a wide range of choices. With the increasing commercialization of personal data, there is a growing consensus that the level of privacy protection and the deployment of Privacy Enhancing Technologies (PETs) could be subject to competition, as an element of quality, choice or innovation. A case in point is the recognition by the European Commission that data privacy constitutes a key parameter of non-price (quality) competition in markets for consumer communications and professional social networks. This development signifies that market power may be exerted by reducing the level of data privacy and foreclosing competition on PETs deployment. Despite this, how market power affects competition on privacy and PETs remains unclear. This is partially because microeconomic theory offers little help in predicting how market power, or the lack thereof, affects quality (including choice and innovation). The aim of this article is to examine how market power in the underlying services that generate data impacts competition in data privacy and whether the proxies for assessing market power in these underlying services cater to data privacy interests. To this end, the article first highlights some emerging but inconclusive literature shedding light on the link between market structure and competition in data privacy. Secondly, the article identifies and discusses the structural and behavioural considerations that might hinder effective competition through data privacy and PETs. Finally, it examines the role that competition law can play in promoting and maintaining such competition.

Esayas, Samson Yoseph & Daly, Angela (2018)

The Proposed Australian Consumer Right to Access and Use Data: A European Comparison

European Competition and Regulatory Law Review (CoRe), 2(3), pp. 187-202. Doi: https://doi.org/10.21552/core/2018/3/6

This article examines the new Australian consumer Comprehensive Right to access and use data, also known as the Consumer Data Right, recently proposed by the Australian Productivity Commission, and adopts a comparative analysis with data protection, competition and consumer developments in the European Union (EU). Firstly, a brief overview is given of the legal context and relevant Big Data developments in Australia. Then, current EU developments are considered, particularly the data portability right under the General Data Protection Regulation (GDPR) and recent proposals from the Commission aiming at fostering access to and transfer of data, including the data producer’s right to use and authorise the data and the portability of non-personal data for professional users. This is followed by an explanation of the Australian Productivity Commission’s proposed Consumer Right to access and use data, before an analysis is conducted to understand the extent to which this proposed right accords with the European situation. Given the coming into force of the GDPR and its extraterritorial reach, the EU-Australia Free Trade Agreement currently under negotiation, and the transnational reach of Big Data and Cloud services, standardisation across the two jurisdictions is desirable. In this regard, the article examines to what extent the recent initiatives contribute to such standardisation and their implications for the extent to which Australia’s legal framework for data may be considered ‘adequate’ by the EU.

Esayas, Samson Yoseph (2017)

Competition in Dissimilarity: Lessons in Privacy from the Facebook/WhatsApp Merger

CPI Antitrust Chronicle, 1(2), pp. 57-64.

This note comments on the Commission’s decision in the Facebook/WhatsApp merger regarding the competition in privacy and privacy policies between the two firms. In assessing the competition between WhatsApp and Facebook Messenger, the Commission used the differences in privacy policies as a factor that makes the messaging services complementary rather than competitors. The Commission’s approach is based on the conventional view that the more identical the products are, the more substitutable they are and the more fiercely they compete. This article questions the application of such an approach to competition in privacy. First, if privacy and data security are competition parameters, one way this competition can be manifested is through deploying privacy enhancing technology (e.g. end-to-end encryption) and privacy policies (offering better conditions of data collection and processing). Thus, when it comes to privacy and privacy policies, dissimilarity either in the technology or policy can be just the beginning of a competition that exerts competitive pressure on others, rather than make the firms complementary. Secondly, when a service attempts to draw users from an established network by offering superior privacy, the existence of an established network such as Facebook, albeit with a different privacy policy, can still discipline the former’s behavior.

Esayas, Samson Yoseph (2017)

The Idea of ‘Emergent Properties’ in Data Privacy: Towards a Holistic Approach

International Journal of Law and Information Technology, 25(2), pp. 139-178. Doi: 10.1093/ijlit/eaw015

‘The whole is more than the sum of its parts.’ This article applies lessons from the concept of ‘emergent properties’ in systems to data privacy law. This concept, rooted in the Aristotelian dictum ‘the whole is more than the sum of its parts’, where the ‘whole’ represents the ‘emergent property’, allows systems engineers to look beyond the properties of individual components of a system and understand the system as a single complex. Applying this concept, the article argues that the current European Union data privacy rules focus on the individual processing activity based on a specific and legitimate purpose, with little or no attention to the totality of the processing activities—ie the whole—based on separate purposes. This implies that when an entity processes personal data for multiple purposes, each processing must comply with the data privacy principles separately, in light of the specific purpose and the relevant legal basis. This (atomized) approach is premised on two underlying assumptions: (i) distinguishing among different processing activities and relating every piece of personal data to a particular processing is possible, and (ii) if each processing is compliant, the data privacy rights of individuals are not endangered. However, these assumptions are untenable in an era where companies process personal data for a panoply of purposes, where almost all processing generates personal data and where data are combined across several processing activities. These practices blur the lines between different processing activities and complicate attributing every piece of data to a particular processing. Moreover, when entities engage in these practices, there are privacy interests independent of and/or in combination with the individual processing activities. Informed by the discussion about emergent properties, the article calls for a holistic approach with enhanced responsibility for certain actors based on the totality of their processing activities and data aggregation practices.

McGillivray, Kevin; Esayas, Samson Yoseph & Mahler, Tobias (2016)

Give Me a Sign: Expressing Contract Terms and Data Protection Requirements Visually in Cloud Computing

Senter for Rettsinformatikk.

McGillivray, Kevin; Esayas, Samson Yoseph & Mahler, Tobias (2016)

Is a Picture Worth a Thousand Terms? Visualising Contract Terms and Data Protection Requirements for Cloud Computing Users

Lecture Notes in Computer Science, 9881, pp. 39-56. Doi: 10.1007/978-3-319-46963-8_4

The following article evaluates two models for providing purchasers of online digital content, including cloud computing services, with visual notice of contract terms and data collection practices. Visualisation of contract terms and privacy policies has the potential to provide cloud consumers with an improved means of understanding the contract terms they are accepting when entering into an agreement with a Cloud Service Provider (CSP). The paper examines two concrete proposals or models for the visualisation of contract terms and privacy practices as compliance tools in the European context. The article focuses primarily on consumer and data protection law. Although the visualisation models are not currently binding or legally required, they start an important conversation on how such terms can be more effectively conveyed.

Esayas, Samson Yoseph; Mahler, Tobias, Seehusen, Fredrik, Bjørnstad, Frode & Brubakk, Veda (2015)

An integrated method for compliance and risk assessment

Samarati, Pierangela & Noubir, Guevara (eds.). 2015 IEEE Conference on Communications and Network Security (CNS), Florence, 28-30 September, 2015

This paper presents an integrated method for risk and compliance assessment and its evaluation in a case study. The sophistication with which modern business is carried out and the unprecedented access to a global market mean that businesses are exposed to diverse regulatory requirements in and across jurisdictions. Compliance with such requirements is practically challenging, partly due to the complexity of regulatory environments. One possibility in this regard is a risk-based approach to compliance, where resources are allocated to those compliance issues that are most risky. Despite the need for risk-based compliance, few specific methods and techniques for identifying and modeling compliance risks have been developed. The lack of methodological and tool support means that compliance risk identification often involves unstructured brainstorming, with uncertain outcomes. As part of the integrated method, a structured approach for the identification of compliance risks and their graphical modelling is provided. The main goal of the structured approach is to facilitate the identification and assessment of compliance risks and their subsequent documentation in a consistent and reusable fashion. The method is applied in a case study with the aim of assessing the compliance concerns in adopting cloud services. Our experience in the case study demonstrates that the integrated method enables a better structuring of the identification of compliance risks and yields reusable results. The method also facilitates communication among experts from different backgrounds and mitigates subjectivity in making compliance decisions.

Esayas, Samson Yoseph (2015)

The Role of Anonymisation and Pseudonymisation under the EU Data Privacy Rules: Beyond the ‘All or Nothing’ Approach

European Journal of Law and Technology, 6(2)

Substantial uncertainty exists on the role of anonymised or pseudonymised data in the data privacy discourse; this is all the more so as de-anonymisation science advances and the ubiquity of information increases. Such uncertainty affects not only the wider usage of such measures but also creates the temptation, both on the part of the entities and the individuals, to downplay privacy risks associated with anonymised or pseudonymised data. Crucial to mitigating such risks and promoting the use of anonymisation and pseudonymisation as privacy-enhancing techniques is understanding the role of such measures under data privacy rules. This article aims to contribute towards the achievement of such an objective by examining the role of anonymisation and pseudonymisation under the EU data privacy rules, particularly the Data Protection Directive, Regulation 611/2013, the eIDAS Regulation, and the proposed General Data Protection Regulation. This article identifies three major roles of anonymisation and pseudonymisation under the current and en route rules. First, anonymisation and pseudonymisation can serve as a safe harbour from the entire application of data privacy rules provided they are used to irreversibly prevent identification, although achieving this goal seems increasingly challenging in the current state of technological advancement. Second, anonymisation and pseudonymisation can provide a safe harbour from certain data privacy obligations, such as the notification of personal data breaches, provided they are engineered appropriately and complemented by adequate organisational measures. Third, anonymisation and pseudonymisation can constitute mandated measures for compliance with data privacy obligations, such as the data security and purpose specification and limitation principles. All legal perspectives are drawn at EU level, although examples are given from member states when relevant.

Esayas, Samson Yoseph & Mahler, Tobias (2015)

Modelling compliance risk: a structured approach

Artificial Intelligence and Law, 23(3), pp. 271-300. Doi: 10.1007/s10506-015-9174-x

This article presents a structured and systematic approach for identifying and modelling compliance risks. The sophistication with which modern business is carried out and the unprecedented access to a global market means that businesses are exposed to increasing and diverse regulatory requirements in and across jurisdictions. Compliance with such requirements is practically challenging, partly due to the complexity of regulatory environments. One possibility in this regard is a risk-based approach to compliance, where resources are allocated to those compliance issues that are most risky. Despite the need for risk-based compliance, few specific methods and techniques for identifying and modelling compliance risks have been developed. Due to the lack of methodological and tool support, compliance risk identification often involves unstructured brainstorming, with uncertain outcomes. The proposed approach consists of a five-step process for the structured identification and assessment of compliance risks. This process aims at facilitating the identification of compliance risks and their documentation in a consistent and reusable fashion. As part of the process, the article provides a systematic approach for a graphical modelling of compliance risks, which aims at facilitating communication among experts from different backgrounds. The creation of graphical models can be partly automated based on natural language patterns for regulatory requirements. Furthermore, the structuring of the compliance requirement in a template aims at simplifying the modelling of compliance risks and facilitating a potential future automated model.

Esayas, Samson Yoseph (2015)

Breach Notification Requirements under the European Union Legal Framework: Convergence, Conflicts and Complexity in Compliance

The John Marshall Journal of Computer & Information Law, 31(3), pp. 317-368.

The European Union (EU) legal landscape on data privacy and information security is undergoing significant changes. A prominent legislative development in recent years is the introduction of breach notification requirements within a number of regulatory instruments. In only the past two years, the Community legislator has adopted, and proposed, four different regulatory instruments containing breach notification requirements. There are also existing requirements for the telecom sector. This creates a complex mesh of regulatory frameworks for breach notification where different aspects of the same breach within the same company might have to be dealt with under different regulatory instruments, making compliance with such requirements challenging. In this article, the existing and en route breach notification requirements under the EU legal framework are examined – elaborating their potential areas of convergence or conflict and the resulting complexity in compliance with such requirements. To this end, the article examines the scope of the notification regimes, the types of breaches, when a breach is considered to occur under the relevant rules, and the relevant requirements to notify stakeholders. Furthermore, the article examines why a proactive approach to compliance with breach notification requirements is essential and suggests the need to address breach notification requirements in conjunction with security risk analysis, which is being mandated in most of the regulatory instruments.

Esayas, Samson Yoseph (2014)

Structuring Compliance Risk Identification Using the CORAS Approach: Compliance as an Asset

O'Conner, Lisa (ed.). Proceedings IEEE 25th International Symposium on Software Reliability Engineering Workshops ISSREW 2014, 3-6 November, 2014, Naples, Italy

The global scale of modern business and information technology enables companies to trade across borders, but at the risk of being subject to laws in diverse jurisdictions. The regulatory requirements with which businesses have to comply are drastically increasing not only in sheer number but also in complexity, confronting businesses with the need to adapt to a complex, evolving regulatory environment. Crucial to a business’s survival and profitability in such an environment are understanding and managing legal and compliance risks. This need has spurred significant recent interest in integrated governance, risk, and compliance (GRC) management. A central element in integrated GRC management is following a risk-based approach to compliance, which prioritizes compliance requirements based on their level of risk. Despite the need for risk-based compliance, few specific methods or approaches for identifying compliance risks have been developed. This paper presents a structured method for identifying compliance risks from compliance requirements and the business environment.

Esayas, Samson Yoseph (2014)

Utilizing Security Risk Analysis and Security Testing in the Legal Domain

Bauer, Thomas; Grossman, Jürgen, Seehusen, Fredrik, Stølen, Ketil & Wendland, Marc-Florian (eds.). Risk Assessment and Risk-Driven Testing. First International Workshop, RISK 2013. Held in Conjunction with ICTSS 2013, Istanbul, Turkey, November 12, 2013. Revised Selected Papers

In recent years, businesses have faced large regulatory fines as a result of information security breaches. This signifies the need for businesses to account for legal issues when addressing their information security risks and to ensure that their day-to-day business operations do not violate legal norms of relevance to information security, such as data privacy laws. This paper offers a twofold contribution to this issue. First, it proposes that organizations’ security risk analysis should be accompanied by an assessment of the legal implications of identified security risks. This enables organizations to understand the associated legal risks they would face if the identified security risks were to materialize and to prioritize the risks accordingly. Second, the paper underlines the need for security testing to support compliance checking. In particular, the use of conformance testing would enhance organizations’ level of assurance regarding their compliance with legal norms of relevance to information security.

Esayas, Samson Yoseph (2014)

The IP Address Divide: The Quest of Developing Countries for an ITU-based Distribution Regime

Journal of Information Technology & Politics, 11(1), pp. 102-122. Doi: 10.1080/19331681.2013.873362

There is discontentment among certain developing countries with regard to the geographical distribution of IPv4 addresses. They blame the IPv4 policies for creating an imbalanced distribution between developed and developing nations. With the introduction of IPv6, there are no signs of these concerns becoming things of the past, as evidenced in various initiatives that call for a UN-based address distribution regime. By reviewing the respective policies for IPv4 and IPv6 distribution, this article argues that at the heart of such concerns and initiatives lies the fact that the core policy features in IPv4 distribution, which are considered responsible for creating the imbalance, have made their way into IPv6 distribution policies. In addition, the assessment of other distribution alternatives reveals that an ITU-based IP address regime or at least the ITU-based proposals on the table thus far do not address the concerns raised by developing countries. Efforts to address such a concern should rather be directed at introducing policy options that would ensure a balanced distribution of IP addresses into the current regime. Ultimately, this article seeks to contribute to the discussion on future directions by suggesting a policy option that the current regime could embrace to alleviate such a genuine concern.

Esayas, Samson Yoseph (2012)

Running Out of Address Space: the Depletion of IPv4 Addresses and What it Entails for Developing Countries

Schartum, Dag Wiese & Bekken, Anne Gunn Berge (eds.). Yulex 2012

Esayas, Samson Yoseph (2012)

A walk in to the cloud and cloudy it remains: The challenges and prospects of ‘processing’ and ‘transferring’ personal data

Computer Law and Security Review, 28(6), pp. 662-678. Doi: 10.1016/j.clsr.2012.09.007

McGillivray, Kevin; Esayas, Samson Yoseph & Mahler, Tobias (1)

Using Technology to Enhance Confidentiality and Regulatory Compliance by Design

Lov & Data [Commentary]

Esayas, Samson Yoseph; Mahler, Tobias & Solhaug, Bjørnar (1)

An Integrated Approach for Compliance and Security Risk Assessment

Lov & Data [Commentary]

Organizations that rely on ICT infrastructures need to maintain a high level of information security and protection from cyber-attacks. This is not only due to the self-interest of protecting business critical infrastructures; it is also due to laws that deal with information security. For this reason, technical and legal risks often need to be understood in combination. The RASEN project proposes an approach to integrate compliance and security risk assessment.

Esayas, Samson Yoseph (2018)

Market Power in 'Zero' Price Markets and Competition in (Data) Privacy

[Academic lecture]. Amsterdam Privacy Conference.

Esayas, Samson Yoseph (2018)

Privacy as a Non-Price Competition Parameter: Theories of Harm in Mergers

[Academic lecture]. International Conference on Competition, Digital Platforms and Big Data.

It is widely accepted that firms compete by offering consumers lower prices, high-quality products, and a wide range of choices. With the increasing commercialization of personal data, there is now a growing consensus that the level of privacy protection and the deployment of Privacy Enhancing Technologies (PETs) could be subject to competition between companies. A case in point is the recognition by the European Commission that data privacy constitutes a key parameter of non-price competition in the market for consumer communications and for professional social networks. This approach treats privacy as a quality, choice or innovation component of the product/service offered to consumers, and certain privacy harms as reductions in these parameters that need to be accounted for in the competition analysis. However, little attention has been paid to laying out a concrete theory of harm that outlines how data privacy can be incorporated into competition analysis as a non-price parameter and what constitutes a reduction in privacy. This paper is an attempt to fill this apparent gap. To this end, the paper provides a critical analysis, in light of EU competition law, of three theories of harm for incorporating privacy as a non-price competition parameter into merger assessment, namely the privacy-as-quality theory, the consumer choice theory and the maverick-firm theory. Additionally, the paper examines which dimensions of privacy are relevant for competition and what the (added) value of incorporating privacy into competition analysis is.

Esayas, Samson Yoseph (2018)

THE SURVEILLANCE SOCIETY: For Profit Surveillance

[Academic lecture]. Public seminar.

Esayas, Samson Yoseph (2018)

The Commercialization of Personal Data and its Theoretical and Practical Implications for Data Privacy Law and Competition Law

[Academic lecture]. Internal seminar.

Esayas, Samson Yoseph (2018)

The Commercialization of Personal Data and the Idea of Emergent Properties in Data Privacy Law

[Academic lecture]. Lunch seminar.

Esayas, Samson Yoseph (2018)

The Commercialization of Personal Data and its Implications for Data Privacy Law

[Academic lecture]. Guest lecture.

Esayas, Samson Yoseph (2017)

Commercialization of Personal Data and its Implications for the Foundations and Policy Boundaries of Data Privacy Law and Competition Law

[Academic lecture]. Nordic Academic Network in Competition Law Conference.

Esayas, Samson Yoseph (2017)

Competition Law: Its Impact on Data Sharing and the Data Economy

[Academic lecture]. XXXII Nordic Conference on Legal Informatics.

Esayas, Samson Yoseph (2017)

Reigning in FinTech through Data Protection Law and Competition Law

[Academic lecture]. Jon Bing Seminar.

Esayas, Samson Yoseph (2015)

An Integrated Method for Compliance and Risk Assessment: Experiences from a Case Study

[Academic lecture]. 2015 IEEE CNS.

Esayas, Samson Yoseph (2015)

The Role of Anonymisation and Pseudonymisation under the EU Data Privacy Rules

[Academic lecture]. Public Seminar on Legal Aspects of Cloud Computing.

Esayas, Samson Yoseph (2014)

What's With the 32-Bit Numbers That the Internet Keeps Defying?

[Article in business/trade/industry journal]. CircleID Internet Infrastructure

Esayas, Samson Yoseph (2013)

Utilizing Security Risk Analysis and Security Testing in the Legal Domain

[Academic lecture]. 1st International Workshop on Risk Assessment and Risk-driven Testing (RISK).

Esayas, Samson Yoseph (2013)

Legal Risk Management: a Method for Proactive Management of Legal Risks

[Academic lecture]. SASSI13 – Security Assessment for Systems, Services and Infrastructures.

It is commonplace that legal services are sought reactively, i.e. when a legal problem has already occurred. Such an approach has not always been viewed as satisfactory, because disputes and litigation consume time and resources which could otherwise be used more productively. In the book ‘The Future of Law’, Richard Susskind predicts a paradigm shift in the approach to legal problems, from problem solving to problem prevention, where understanding legal problems, identifying the associated risks and controlling them before any question of escalation arises becomes a priority. This raises the question of what kind of methods a lawyer can employ to ensure legal risk management. One possibility is to supplement the conventional legal method of identifying which law applies to a given case with methods for risk analysis developed in other disciplines, such as IT security. In such disciplines, risks can be identified, analyzed and addressed in a structured way. The question remains to what extent, and in which way, such methods for risk management may be applied within the legal domain.

Esayas, Samson Yoseph (2012)

A Cloud Challenge to the EU Regime on Cross-border Flow of Personal Data

[Academic lecture]. Tirsdagskaffeseminar (TKS).

Esayas, Samson Yoseph (2012)

IPv4 depletion and IPv6 deployment: impact on developing countries

[Academic lecture]. Igov2 Symposium.
