Regulatory and Legal Enforcement of Cyber Security in Countries of the European Union: The Experience of Germany and France

This article is devoted to the study of information security in the EU member states, in particular Germany and France, in the context of the analysis of their national legislation, state, national programs and regulations. Particular attention is paid to the study of the features of regulatory and legal security of information security of Germany and France in the context of the study of their national legislation in terms of economic security as an inherent component of national security. In the course of this study the peculiarities of the functioning of the institutional and legal mechanism of cyber defense in the context of the multi-vector system of international security and legal regulation of international cooperation are analyzed. The article substantiates the expediency of developing an integrated, coordinated information policy of the EU member states in order to unify approaches to information security.


Introduction
National information security networks able to quickly accumulate the forces and means of public authorities to counter a wide range of threats have been established in many EU countries. The operation of these networks is clearly regulated by a legal framework. The experience of EU member states (including Germany and France, the regulatory frameworks of which are described in this article) shows that ensuring a high level of information security is possible only with the adoption of a thorough and effective system of regulations in this area, as well as an effective functioning of state control bodies, which will be responsible for ensuring information security in a particular country.
But the events of recent years clearly indicate the existence of a crisis in the field of information security, both at the international and regional levels. Therefore, the solution of the issues of proper legislative provision of information security comes to the fore. At present, there are legal frameworks in this area in the EU member states, but there is a problem in a certain inconsistency of the laws among the EU member states in the approaches to addressing certain issues of information security, which significantly reduces the effectiveness of legal regulation in this sphere.
Thus, the creation of an effective and reliable system for maintaining the information security of our country seems extremely important in the context of the transformation of international security and foreign policy of our country before joining the European Union. In addition, the study of the experience of EU member states in this area becomes important, carried out in order to adapt the information security standards that are currently implemented in EU member states in the context .

Review of the research on cybersecurity as a component of information security
In domestic and foreign literature, a number of authors have focused on the study of information security in their works, including D. Vasylenko, T. Tkachuk, O. Zozulya, B. Kormych, M. Gorka, V. Pilliteli, M. Niles, T. Olavsrud, R. Lucas, and others. A. Lytvynenko has studied the case law of the European Court of Human Rights on this issue. However, there was a lack of a comprehensive study and comparison of the experience of EU member states in the field of information security in order to borrow their experience in domestic law.
Diego Acosta Arcarazo and Cian C. Murphy note that after the Lisbon Treaty entered into force, it has given the European Union new powers in the field of international security law. At the same time, the Stockholm Program is the latest framework program of EU action in the field of justice and home affairs, in particular in matters of cooperation between national criminal justice systems. And the combination of the new Treaty and the Program has made security and justice key areas of the legislative development in the EU (Arcarazo, Murphy, 2014, p. 17). This is also emphasized by Raphael Bossong, who notes that the intensive exchange of information between security agencies is an important element of security cooperation between the countries of the European Union (EU) (Bossong, 2018, p. 6).
In light of the development of new IT technologies, cybersecurity comes to define a new age of information security aimed at the digital environment that we actually inhabit. Today, cybersecurity is not only the protection of information itself, but also the protection of the entire system in the information field, generally in the IT field (computer technology field), and is responsible for three factors: systems, processes, and people.
Prof. Dr. Udo Helmbrecht notes that providing the European Union's network and information systems in the legal field is important to support the Internet economy through the introduction of new initiatives that would further improve cyber resilience and respond to cybersecurity threats (Helmbrecht, 2018). In this context, Marek Gorka defines a cybersecurity strategy as a basic document created in a government context that reflects the interests and rules of cybersecurity. It also lays the groundwork for future legislation, policies, standards, guidelines, and other recommendations on security and cybersecurity (Gorka, 2018, p. 76). In addition, the cybersecurity strategy is a policy document needed for the effective provision of information security in general, without which, in terms of regulations, authorities and enterprises, it is quite difficult to work due to the diverse interpretation of legislation, which ultimately leads to serious lawsuits at both the national and international levels.
Information security is one of the components of sustainable development of the whole state, and scientists usually invest the same approaches to understanding the meaning of the term "information security". Thus, in particular N. R. Nyznyk, В. Т. Belous under this term means "the state of legal norms and the corresponding security institutions that guarantee the constant availability of data for strategic decision-making and protection of information resources of the country" (Lipkan et al., 2006, p. 280). In essence, a similar view is supported by B. A. Kormich, who notes that information security should be understood as the "protection of statutory rules under which information processes take place in the state, providing constitutionally guaranteed conditions existence and development of man, the whole society and the state" (Kormych, 2004, p. 384). According this point of view, "information security" is the legislative and policy framework governing the use of information and communication technologies by institutions and agencies of the European Union in terms of their degree of information content and data privacy (Robinson, Gaspers, 2014, p. 1-2). This view is supported by K. Dempsey, who notes that information security is a legal and policy framework that regulates the legal field and simultaneously regulates the use of information and communication technologies with the appropriate degree of responsibility for confidentiality of data (Nieles et. al., 2017, p. 2-3). Finally, Michał Mazur quite aptly states that "information security, both real and legal, is a primary factor for the functioning of individuals and institutions, and especially for political organisms that are independent states and are based on legal regulations that can authorize the effective security of identified data" (Mazur, 2011, p. 64).

A legal platform for information security and the protection of the cyberspace in developing the economic security of the European Union
The modern concept of the strategic management of economic security arose in response to the challenges and threats of the external and internal environment, caused by the total digitization of society. The information society is characterized by a permanent improvement of information technologies and the rapid pace of their implementation in all spheres of public life. The result is the virtualization of much of public relations and an increasing dependence of countries on electronic networks and information systems. Important trends of the current stage are also the intensification of cross-border information flows, as well as the spread of various methods and means of information exchange, which are virtually uncontrolled. As a result, new informational threats and challenges are spreading, which require the immediate response and application of non-standard measures and solutions from the EU and each member state in particular. In this regard, information security is becoming a priority in shaping the EU's economic security.
In this context, the main directions of European information security policy have been formed, in particular: 1. The development of a European system of warning and informing about new threats. 2. The provision of technological support. Priority is given to the development of research on network and information security. 3. The support for market-oriented standardization and certification. 4. Legal support. 5. Strengthening security at the state level. 6. The development of international cooperation on information security. The main task of the EU is to strengthen the European Commission's dialogue with international organizations and partners on the issue of network security and, in particular, on the growing dependence on electronic networks.
In this context, the organization of the process of the strategic management of the EU's economic security involves the following sequence: defining strategic goals → strategic analysis → determining the list and priority of threats to economic security → assessing the level of economic security → modeling scenarios for both EU and national economies → strategy and tactics to ensure the economic security of the European Union and EU countries → development of measures, tools, and mechanisms for implementing the country's economic security strategy → monitoring and control.
Today, in most countries, including countries of the European Union, cybersecurity legislation is under active development. The formation of legal support for cyber defense is based on national principles on the one hand and on the basis of a unified international platform on the other. In this context, an important factor in the development and formation of regulatory support for cybersecurity is that the issues related to improving cybersecurity cover different areas of law.
In this context, it should be noted that many countries have signed and are implementing an international agreement on what is considered a cybercrime, namely the Budapest Convention on Cybercrime (Convention On Cybercrime European, 2001). In particular, the Budapest Convention covers the following categories of cybercrime in the field of information security: -the violation of confidentiality, integrity, and the availability of computer data and systems; -computer-related crimes; -copyright infringement. This paper, which studies the legal framework for information security, is focused primarily on countries like Germany and France, because in our opinion, these member states have so far developed the highest level of legal standards of information security.

Germany
The German legal framework applicable to cybersecurity includes laws applicable to monitoring, detection, prevention, mitigation and incident management. It includes, for example, data protection and e-privacy laws, intellectual property laws, confidentiality laws, information security laws and import / export controls, among others.
Cybersecurity is regulated by several German acts. The main legal act concerning cybersecurity is the German Security Act (IT-Sicherheitsgesetz) of 25 July 2015 / (Security Act (IT-Sicherheitsgesetz), 2015), which amended a number of laws, including the Act on Telemedia (Telemediengesetz) / Telemedia Act (Telemediengesetz) /, Telecommunications Act (Telekommunikationsgesetz) / Telecommunications Act (Telekommunikationsgesetz) /, EU General Data Protection Regulation (Datenschutz-Grundverordnung) / The EU General Data Protection Regulation (Datenschut) , Federal Law on Data Protection (Bundesdatenschutzgesetz) / Federal Data Protection Act (Bundesdatenschutzgesetz) /, and the Law on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik) / Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik) /, In addition, the sectoral cybersecurity sectors are regulated, for example, by The Banking Act (Kreditwesengesetz) / and the Securities Trading Act (Wertpapierhandelsgesetz). In this context, it should be noted that the disclosure of professional secrets is punishable under Art. 203 StGB (formerly the Strafgesetzbuch, p. 300) and is a crime of minor gravity. Interestingly, banking secrecy as such is not codified in this country and, according to case law, comes from Art. 2 (1) Grundgesetz Germany and does not require additional consolidation in the contract between the bank and the depositor (client) (OLG Frankfurt am Mein, 2004, paras. 34-36).
In addition to this official legislation, there are several important informal provisions on IT security in Germany. This is the BSI Baseline for Information Technology Security (Bundesamt für Sicherheit in der Informationstechnik -"BSI"), General Criteria for Information Technology Security Evaluation (2012), standardized as ISO / IEC 15408, and control of the information and related technology target ("COBIT"). In addition, The EU Cybersecurity Act Regulation (2019) provides the necessary powers to the European Union Agency for Cybersecurity ("ENISA") to establish cyber currency certification. Typically, ENISA will be the main point of contact on any cybersecurity issues.
The Federal Office of Information Security Act sets out specific cybersecurity requirements for critical infrastructure.
In this context, German and European legislation provides for a number of obligations for organizations to take measures to monitor, detect, prevent, and remedy the consequences of cyber incidents, in particular: • According to section 13 (7) of the Telemedia Act. 13 (7) of the Telemedia Act, telemedia service providers must ensure that unauthorized access to the technical equipment used for their telemedia services is not possible and that the protection of personal data from external cyber attacks is ensured.
• According to section 109 (1) of the Telecommunications Act / According to Sec. 109 (1) of the Telecommunications Act, telecommunications service providers shall apply technical safeguards to protect the confidentiality and personal data of telecommunications and to protect telecommunications and data-processing systems from unauthorized access. • Suppliers of multiple financial products are required to develop a risk management system focused on the IT sector (Section 25a of the Law on Banks (Kreditwesengesetz)) / (Sec. 25a of the Banking Act (Kreditwesengesetz)) / and (Section 80 of the Securities Trading Act (Wertpapierhandelsgesetz) ) /. The above requirements are provided by the Federal Office for Information Protection, the competent data protection authorities, and the Federal Network Agency.
• The Federal Office for Information Security is the main body for cybersecurity in Germany. This body plays a key role in precautionary security matters and is primarily responsible for receiving reports of security breaches in critical infrastructures. • Data protection authorities ensure compliance with all relevant data protection laws. In Germany, each federal state has a separate data protection authority.

• The Federal Grid Agency enforces telecommunications laws and is responsible for receiving
reports of security breaches in telecommunications networks and services. If the organization responsible for the IT system under attack does not respond appropriately to the incident -depending on the type of offense -the person concerned may file a lawsuit against the injunction to enforce the defendant's contractual and other obligations under the law. In addition, the person concerned may file a civil claim for damages if the incident arose due to the lack of an appropriate IT security model.

France
The following are the most important laws in the field of cybersecurity in France that have formed its regulatory platform: • under the NIS Rules. • Digital service providers ("DSP"). According to the NIS Rules, these infrastructures must appoint a representative in the national territory of ANSSI if the supplier itself is established outside the European Union and has no representative within the European Union. According to the GDPR, the controller and the processor must take appropriate technical and organizational measures to ensure a level of security commensurate with the identified risk. NIS rules also require that OES and DSP: • form and maintain a list of network and information systems required to provide basic / digital services; • identified risks to the security of information systems; • ensure an appropriate level of security in accordance with existing risks, as well as implement technical and organizational measures necessary to prevent, manage and reduce risks; • avoid incidents and minimize their impact to ensure the continuity of their services; • Identify IT security risks that may affect their operations. CNIL monitors the proper application of FDPA and GDPR by data controllers and operators. It also provides opinions on bills or regulations. CNIL has significant power in monitoring and investigating incidents.
Finally, CNIL has significant powers over administrative and financial penalties and can make such decisions as the temporary or permanent suspension of data processing.
Regarding the application of the NIS Rules, ANSSI is the national body responsible for responding to cybersecurity cases targeting strategically important institutions. The Ministry of Defense and the Ministry of the Interior also take on the role of preventing all forms of cybercrime.
In some areas, cybersecurity prevention measures need to be substantially stringent. This is especially true for critical infrastructures that must comply with the NIS Rules or infrastructures that process confidential data (for example, health data or data related to criminal convictions, offenses, or security measures).
The financial services sector must meet several requirements, such as auditing IT systems, strengthening its resilience to cyber risks, developing protection adapted to the complexity of cyber attacks, and submitting several applications to ANSSI (Ministerial Order of 28 November 2016).
Under French law, the general rule of civil liability is set out in Article 1240 of the French Civil Code, according to which any act causing harm to another obliges the person who caused it to remove or compensate him. Moreover, under the GDPR (Article 79), a civil action can be brought in the event of an incident if the controller or data controller has not complied with the requirements of the GDPR. Finally, under the FDPA, the data subject has the right to authorize a non-profit body, organization or association to stop the breach and obtain compensation (Article 37).

The case law of the European Court of Human Rights in the field of information security
The territorial jurisdiction of the ECtHR extends to all signatory states to the European Convention on Human Rights, and the substantive jurisdiction of the Court relates to human rights violations enshrined in its provisions, including its additional protocols.
At present, only a small number of cases involving the Internet address the issue of "jurisdiction". In particular, we can mention the case of Breyer v. Germany (Breyer v. Germany, 2020). In this case, the National Legal Obligation of Service Providers to Keep Personal Data of Users of Their Prepaid Mobile SIM Cards was examined.
In June 2004, amendments to the Telecommunications Act introduced a legal obligation for telecommunications service providers to collect and store the personal data of all their customers. The applicants challenged this obligation in the Federal Constitutional Court, which found that such an obligation was incompatible with the Basic Law.
The Court found that the legal obligation under Article 111 of the Telecommunications Act did not contravene Article 8 of the Convention. This decision is noteworthy because it concerns a new problem of personal data protection. It also contains a comprehensive review of case law under Article 8 concerning the protection of privacy in the collection of personal data, in particular the principle of information self-determination (Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland, 2017).
As to the nature of the interference with the rights provided for in Article 8, the Court reiterated that the mere storage of data concerning a person's private life per se constitutes an interference with the right to privacy (see ECtHR in Leander v. Sweden, 1987); however, the right to privacy is by no means absolute, and in some cases may be legitimately restricted. In this connection, the European Court also drew attention to the conclusion of the Federal Constitutional Court of Germany that the degree of protection of the right to information self-determination under national law was not limited to information.
As to the lawfulness of the interference, the Court found that the storage of the data itself was justified by the Law (section 111 of the Telecommunications Act), which was sufficiently clear and predictable.
In assessing proportionality, the Court confirmed that, in the context of national security, national authorities exercised a degree of discretion in choosing the means to achieve a legitimate aim in the absence of a consensus among the Council of Europe countries on the retention of prepaid SIM customers. The Court thus agreed that the obligation to keep subscribers' information under section 111 of the Telecommunications Act as a whole was an appropriate response to changes in the conduct of communications and in the means of telecommunications.
In conclusion, the Court concluded that the interference was, although not trivial, limited in nature. In this context, the Court emphasized certain guarantees.
First, the Court noted that there was no technical danger to the retention of data, the duration of such retention was limited to the end of the calendar year and the retained data were essentially limited to the information necessary to clearly identify the subscriber concerned.
Second, the Court has examined the possibilities for future access to the use of stored data, in particular information requests that may be made under Articles 112 and 113. The Court explained that the level of verification and control was important, but not decisive, as an element of assessing the proportionality of the collection and storage of a limited set of data, such as in this case. With regard to the applicable regime in particular, the Court noted that the Federal Network Agency was competent to verify the admissibility of data transmission if necessary, that each search query and relevant search information was recorded in order to monitor data protection by the relevant independent data protection authorities.
According to A. Lytvynenko, there are plenty of examples of lawsuits concerning the disclosure of professional secrets in the practice of the European Court of Human Rights, in particular cases related to the disclosure of banking secrecy, as well as a large part concerning medical secrecy (Lytvynenko, 2020, p. 185-215). Banking secrecy belongs to the field of professional secrecy, as well as a number of others (e.g., legal or medical secrecy). In the case of Michaud v. France, the EctHR indeed recognizes that the confidentiality of the legal relationship between a lawyer and a client is covered by Art. 8 (1) of the European Convention for the Protection of Human Rights and Fundamental Freedoms. At the same time, the concept of "privilege" in the interpretation of the ECtHR, judging by the case of Michaud v. France, applies to all information arising from the legal relationship between a lawyer and a client (Michaud v. France, Judgment, 2012). Thus in the case of the ECtHR's G.S.B v. Switzerland, the plaintiff, a US and Saudi national living in Miami, California, sued the ECtHR in Switzerland because his bank account details had been transferred to the ATF (Swiss Federal Tax Service) as part of a request from Switzerland for administrative assistance from the American side. The ECtHR stated that since the relevant agreements had been signed and ratified between the United States and Switzerland, it could not be said that the data was collected illegally. In addition, the Court also unequivocally agreed that all the plaintiff's bank details belonged to his "personal data". The court also ruled that the "interference" was indeed sanctioned under bilateral agreements between the United States and Switzerland (G.S.B. v. Switzerland, 2015).
A. Lytvynenko also notes that the issues of information security in the field of intellectual property protection are also important (Lytvynenko, 2020, p. 185-215). Thus, in the case of Coty Germany Gmbh v. Stadtsparkasse Magdeburg (2015), the Federal Court of Germany referred the case to the European Court of Justice with a request on how to interpret the provisions of Art. 8 (3) (e) Directive № 004/48 / EC on the protection of intellectual property rights (Directive № 2004/48 / EC), which may be interpreted by a court as derogating from national law, which in turn allows the bank not to provide information on the name and address of the bank account holder under Art. 8 (1) (c) of this Directive (Directive № 2004/48 / EC). The European Court of Justice noted that the contents of Art. 8 (1) (c) of EU Directive № 2004/48 / EC on the enforcement of intellectual property rights ; it appears that in the event of an infringement of an intellectual property right and a reasoned request from the plaintiff, the court may order that information on the origin of the infringement be provided by any person who provides services on a commercial basis. The court then raises the question of how to properly combine the rights of some (in relation to intellectual property) with the fact that the confidentiality of these depositors of the bank may be significantly affected. The European Court of Justice assessed the situation as follows: the provisions of the German Code of Civil Procedure, which allowed banks not to testify or provide information in civil proceedings, did not have any exceptions to the rules, which precluded the plaintiff's satisfaction of intellectual property rights. Because of this, in the opinion of the court, the provisions do not correspond to the fair balance specified in Art. 8 EU Directive № 2004/48 / EC on the protection of intellectual property rights. Therefore, the European Court of Justice ruled that the provisions of Art. 8 (3) (e) of the EU Directive 2004/48 / EC should be interpreted as derogating from a provision of national law, which would allow banks to freely and unrestrictedly use banking secrecy as a justification for refusing to provide the information requested by the claimant.

Conclusions
Information security is a phenomenon that has existed in legal systems for several centuries. Initially, it concerned the non-disclosure of patient health information or legal secrecy (which courts in the early 19 th century called "office secrecy"), which included all the information a lawyer received from his client -not necessarily within the confines of his office (Sieur Hardy c. Sieur Jean, p. 106); the lawyer would be prohibited from disclosing such information, even as a witness at trial, except for a number of exceptions elaborated in jurisprudence (usually the provisions of criminal codes or lawyers' professional ethics did not contain such provisions -it was given to the courts). Subsequently, when information becomes a commodity, it was recognized by the courts as property (Exchange Telegraph Co. v. Gregory & Co., p. 264) and became a subject of offenses and crimes more and more often. This is especially true regarding the rapid development of information systems and complex computer technologies, when information security offenses are becoming more predatory, and the weak level of information systems security can cause significant damage to individuals, businesses, and government agencies. That is why, since the 1970s, the information policy of many countries around the world includes system-forming information security strategies, on the basis of which relevant legislation is developed and adopted to strengthen the level of information security in both the public and private sectors.
In the context of defining information security in relevant international legislation, it can be noted that in light of the globalization of the information space, the emphasis of information security lies in the field of cybersecurity, which requires a qualitatively new regulatory platform for information security relations within the framework of protecting national security and mechanisms for eliminating threats by legal means.
Cross-border cases present a cross-border element that raises, inter alia, questions about the circumstances in which a court may exercise jurisdiction over a defendant who is registered in another state where the alleged crime has been lodged or a civil offense committed over the internet. These issues should be decided primarily by national courts that apply the relevant principles of private international law to a jurisdiction that does not directly concern the European Court of Human Rights.
Based on the analysis, the following trends can be identified: • Domestic security requirements evolve and often arise from national cybersecurity strategies, but all countries adopt legislation and instead rely on the development of industry standards to establish a level of actual security requirements. Although it should be noted that the absence of a strict law does not necessarily mean the absence of cybersecurity measures. • There is an important difference and therefore some significant contradictions between the requirements of internal security, on the one hand, and the interests of national security on the other. The first concerns the level of security that the country seeks to achieve, but at the same time is neutral with regard to information service operators and their nationality and citizenship. The second type of measures is based on the interests of national security and on what will logically be used to eliminate the perceived risks associated with operators from certain countries.

Regulatory and Legal Enforcement of Cyber Security in Countries of the European Union: The Experience of Germany and France
Sviatoslav Kavyn (Ivan Franko University of Lviv)

Anatoliy Lytvynenko (Baltic International Academy of Riga, Robert Gordon University of Aberdeen)
S u m m a r y The events of recent years clearly indicate the existence of a crisis in the field of information security, both at the international and regional levels. Therefore, it seems that a solution is needed to addresss the issues of a proper legislative provision of information security. Currently, there are legal frameworks in the EU in this area, but there is a problem in a certain inconsistency of the EU's legislation in approaches to addressing certain issues of information security, which significantly reduces the effectiveness of legal regulation in this area.
The article is devoted to the study of information security in the EU in the context of the analysis of their state, national programs and regulations. This study analyzes the features of the functioning of the institutional and legal mechanism of information security in the EU in the context of a multi-vector system of international security. The expediency of developing an integrated coordinated information policy of the EU member states in order to unify approaches to information security is substantiated.
Particular attention is paid to the analysis of legal norms that provide effective cybersecurity protection as a component of the information security of the state. In particular, the peculiarities of the functioning of the institutional and legal mechanism of cyber defense in the context of legislative regulation of international cooperation between state institutions and national security structures are analyzed. The necessity of developing a coherent cyber security policy of the European Union in the context of the general information policy of the EU in order to unify approaches to information security and improve the regulatory framework for information security in the field of cyber security is substantiated.
The study analyzes the legal platform for information security and the protection of cyberspace in the formation of the economic security of the European Union as an immanent component of national security, in particular in terms of diversifying external relations in a multi-vector system of international security.
Particular attention is paid to the study of the case law of the European Court of Human Rights in the field of information security. In particular, the case law of the European Court of Human Rights in cases related to the internet is considered.
At the same time, the current realities of European Union policy require comprehensive research in the context of ensuring national interests, developing effective mechanisms for protecting the information space, and legal mechanisms for forming a system of economic security as a strategic factor of national security. Accordingly, the approaches to information security adopted in the European Union are currently not unified due to the geopolitical specifics of the EU. Therefore, the research, evaluation, and implementation of the positive experience of Germany and France in this area are important in building the information security system of the European Union.
Anatoliy A. Lytvynenko is a PhD candidate and teaching assistant at the Ivan Franko National University of Lviv, a PhD candidate at the Faculty of Law of the Baltic International Academy in Riga, and a PhD candidate at the Robert Gordon University of Aberdeen. In 2022, he will be defending his doctoral thesis titled The Concept of Sensitive Personal Data: A Comparative Analysis of National and International Case-Law. In 2018, he began his PhD studies at the department of Law at RGU University of Aberdeen, Scotland under the specialty of medical law. The preliminarily title of his forthcoming doctoral thesis is Could Various Rights of Patients be Summoned under the Umbrella of the Right to Autonomy? His main research interests include medical law, data privacy law, history of law, bioethics law, and banking law.