10 May 2023
Foreseeability and the Rule of Law in Data Protection after the PNR judgment
The rule of law cannot be reconciled with the existence of secret laws, unclear laws and laws which cannot be obeyed. However, this may be difficult to realise in practice, where full transparency is at odds with the legislative goals; where a certain degree of flexibility of rules is necessary to address changing circumstances, in which these rules function; and where a disconnect occurs between the visions of the lawmaker and reality created by modern technologies that are utilized to pursue them. The CJEU's ruling in Lige des droits humains on Passenger Name Record Directive underscores the difficulty of foreseeability of algorithmic measures and the rule of law. Continue reading >>
0
10 May 2023
The European Legal Architecture on Security
As the European legal architecture on internal security is being built around large-scale databases, AI tools and other new technologies, the relationship between the public and private sectors has become increasingly complex. We examine one aspect of the Court of Justice of the European Union’s recent judgment in Ligue des droits humains, namely the data protection rules applicable to cooperation between the public and private entities in personal data sharing. The judgment enhances the ‘personal data autonomy’ of individuals and requires public authorities to justify to a high standard any obligations it seeks to place on the private sector to share personal data related, directly or indirectly, to travel by air. Continue reading >>
0
09 May 2023
Caution: Safeguards may appear more robust than they are
At a time when the European security architecture is evolving, and when national lawmakers must pay greater attention to an evolving set of common standards and safeguards to prevent disproportionate government access to data, it is essential to shed critical light on their implementation in actual practice. As different as the EU PNR Directive and the German legal framework are, they both include provisions that seek to prevent disproportionate government access and to ensure effective and independent review of data collection and subsequent data processing. Continue reading >>
0
09 May 2023
Passengers Name Records and Security
The EU Passenger Name Records Directive is based on the logic of preventive security. Th CJEU ruling, Ligue des droits humains, offers an opportunity for national judges to question more radically the idea of generalised preventive security that seeks to anticipate human behaviour through the creation of risk profiles and statistical correlations (instead of causality). Continue reading >>
0
08 May 2023
Machine learning and profiling in the PNR system
Automated processing of personal data, which is what Passenger Name Record data are, can lead to forms of profiling; certain individuals or groups of people are more likely to be excluded based on the transfer of their data than others. In its Passenger Name Record judgment, the CJEU extensively discusses discrimination risks, and it set a number of conditions to prevent them. Unfortunately, not all of its considerations are perfectly clear and some of the solutions the CJEU proposes are not entirely satisfactory. Continue reading >>
0
08 May 2023
Automated predictive threat detection after Ligue des Droits Humains
On 21 June 2022, the Court of Justice of the European Union released its judgment regarding the compatibility of the EU Directive on Passenger Name Record Data with the rights to privacy and personal data protection. Ligue des droits humains has already qualified as a landmark decision, where the Court had the opportunity, among other aspects, to provide comprehensive guidelines on how large-scale predictive policing should take place. The ruling could be used as an inspiration for the legal assessment of various new security law instruments which require automated predictive threat detection instruments. Continue reading >>
0
08 May 2023
The Future of the European Security Architecture: A Debate Series
This debate series is dedicated to Ligue des Droits Humains – a case in which the Court of Justice of the European Union decided on the fate of one of the main drivers of this development: the Directive on on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. The PNR Directive, being one of the first major EU-wide examples of predictive policing, is not just interesting in itself. It exemplifies the emergence and gradual consolidation of a new security architecture in Europe. Continue reading >>07 April 2023
Squaring the Circle
The Italian Data Protection Authority banned ChatGPT for violating EU data protection law. As training and operating large language models like ChatGPT requires massive amounts of (personal) data, AI's future in Europe, to an extent, hinges upon the GDPR. Continue reading >>28 February 2023
“Like Handing My Whole Life Over”
On 16 February 2023, the German Federal Administrative Court (BVerwG) ruled that the practice of regularly analysing data carriers, including mobile phones, by the Federal Office for Migration and Refugees (BAMF) when registering asylum applicants is illegal (BVerwG 1 C 19.21). The judgement arrives after the Gesellschaft für Freiheitsrechte’s (GFF) efforts to reveal this practice’s details and take legal action against its use in the asylum procedure. In this post, we briefly overview this practice and analyse this judgement and its implications. We argue that although this judgement represents an important victory for asylum seekers’ and refugees’ data protection and privacy, some controversial aspects of this practice still require clarification. Continue reading >>
0
24 February 2023
A Unique Identification Number for Every European Citizen
On 3 June 2021, the European Commission issued a proposal for a European Digital Identity Regulation, which seems to not have raised much discussion among legal scholars, even though digital identity raises several fundamental rights implications. The introduction of a unique and persistent identifier may be understandable from a practical point of view, but cannot be accepted due to its risks and the fact that it potentially infringes the German prohibition on general unique identifiers. Continue reading >>
0