15 April 2024
GDPR Overreach?
After Meta introduced this model for its social networking services Facebook and Instagram in November 2023, several national data protection authorities called on the EDPB to clarify the compatibility of this model with the GDPR. Data protection law is to be used as a lever to prohibit media companies or online service providers from offering a service that is more data-minimalist than the traditional business model. Data protection authorities are therefore faced with the question of whether the GDPR should address "social justice" concerns. Continue reading >>
0
10 April 2024
Enforcement of the Digital Markets Act
Since March 2024, the undertakings Alphabet/Google, Amazon, Apple, Byte-Dance/TikTok, Meta, and Microsoft must comply with the obligations of the Digital Markets Act (DMA). Within the first month after the 6-months implementation period has ended, the European Commission opened investigations against Alphabet/Google, Apple, and Meta for non-compliance with the obligations in the DMA. All proceedings can be traced back to related competition law cases. However, only two proceedings follow the same reasoning as their competition law role models, while the case against Meta reveals that the approaches under the DMA can and will deviate significantly to those under competition law and data protection law. Continue reading >>
0
21 August 2023
Trivialising Privacy through Tribunals in India
On 11th August 2023, India’s Digital Personal Data Protection Act, 2023 (‘DPDP Act’) has received Presidential assent. The Act’s passing is critical in light of increasing concerns about data security and surveillance in India, including allegations that the government has illegally been using spyware against activists. Moreover, the government and its agencies are major data fiduciaries, having access to various identification and biometric data that have in the past been breached on a large scale. Given this, it is vital that the DPDP Act is able to function effectively and independently against the government in cases of non-compliance. However, a novel provision bestowing appellate jurisdiction on a Tribunal that lacks both the necessary expertise and independence is likely to hinder this goal. Continue reading >>
0
07 July 2023
Competition law as a powerful tool for effective enforcement of the GDPR
It looks like a good week for data protection. On Tuesday, the Commission presented a new proposal for a Regulation on additional procedural rules for the GDPR, and a few hours later, the ECJ published its decision C-252/21 on Meta Platforms v Bundeskartellamt (Federal Cartel Office). While the Commission's proposal to improve enforcement in cross-border cases should probably be taken with a pinch of salt, the ECJ ruled on some things with remarkable clarity. The first reactions to the ruling were quite surprising; few had expected the ECJ to take such a clear stance against Meta's targeted advertising business model. It does however represent a consistent interpretation of the GDPR in the tradition and understanding of power-limiting data protection. Continue reading >>
0
12 May 2023
Squaring the triangle of fundamental rights concerns
Ex ante, the July 2022 ruling by the Court of Justice of the EU on Passenger Name Records had a very specific scope — the use of passenger name records by government agencies. Upon closer inspection, however, it has important implications for the governance of algorithms more generally. That is true especially for the proposed AI Act, which is currently working its way through the EU institutions. It highlights, ultimately, how national, or in this case European, legal orders may limit the scope for international regulatory harmonization and cooperation. Continue reading >>
0
12 May 2023
Automated predictive threat detection after Ligue des Droits Humains
The Ligue des droits humains ruling regarding automated predictive threat detection has implications for the European Travel Information and Authorisation System (ETIAS) Regulation and the EU Commission’s proposal for a Regulation on combating online child sexual abuse material (CSAM). Both legal instruments entail the use of potentially self-learning algorithms, and are spiritual successors to the PNR Directive (the subject of Ligue des droits humains). Continue reading >>
0
11 May 2023
EU Privacy and Public-Private Collaboration
Core state functions, such as law enforcement, are increasingly delegated to private actors. Nowhere is this more apparent than in the development and use of security technologies. This public-private collaboration harbours detrimental consequences for fundamental rights and the rule of law; in particular, for the principle of legality. The policy outcomes which result from this collaboration are not democratically accountable, and allow human rights to be superseded by private, profit-driven interests. Continue reading >>
0
11 May 2023
Challenging Bias and Discrimination in Automated Border Decisions
In Ligue des droits humains, the Court of Justice of the European Union explicitly addresses the fact that the use of AI and self-learning risk models may deprive data subjects of their right to effective judicial protection as enshrined in the Charter. The importance of this judgment cannot be understated for non-EU citizens and at the European borders more generally. Continue reading >>
0
10 May 2023
Foreseeability and the Rule of Law in Data Protection after the PNR judgment
The rule of law cannot be reconciled with the existence of secret laws, unclear laws and laws which cannot be obeyed. However, this may be difficult to realise in practice, where full transparency is at odds with the legislative goals; where a certain degree of flexibility of rules is necessary to address changing circumstances, in which these rules function; and where a disconnect occurs between the visions of the lawmaker and reality created by modern technologies that are utilized to pursue them. The CJEU's ruling in Lige des droits humains on Passenger Name Record Directive underscores the difficulty of foreseeability of algorithmic measures and the rule of law. Continue reading >>
0
10 May 2023
The European Legal Architecture on Security
As the European legal architecture on internal security is being built around large-scale databases, AI tools and other new technologies, the relationship between the public and private sectors has become increasingly complex. We examine one aspect of the Court of Justice of the European Union’s recent judgment in Ligue des droits humains, namely the data protection rules applicable to cooperation between the public and private entities in personal data sharing. The judgment enhances the ‘personal data autonomy’ of individuals and requires public authorities to justify to a high standard any obligations it seeks to place on the private sector to share personal data related, directly or indirectly, to travel by air. Continue reading >>
0