26 November 2024
Eyes Everywhere
Ten years after its groundbreaking judgment declaring the Data Retention Directive incompatible with the EU Charter, the Full Court significantly eased its previously strict requirements. On 30 April 2024, it issued La Quadrature Du Net II and, for the first time, declared the general and indiscriminate retention of IP addresses permissible for the purpose of fighting general crime. Given the CJEU’s fundamental change of heart, we have gathered a range of scholars to contextualize the judgment and situate it within the broader debate on mass data retention, online surveillance, and anonymity. Continue reading >>
0 
14 August 2024
In the Shadows
Recent investigations by Netzpolitik and the German public service broadcaster Bayerischer Rundfunk into the company Datarade have shed light on a part of the digital economy that has so far operated mainly in the background: data trading. The key players in this sector are data brokers, whose business model is to trade in (non-)personal data. Data trading is a multi-billion-dollar component of the global digital economy and not a new phenomenon. This article outlines the legal implications of data trading in the context of the GDPR, the DSA and the AI Act. Continue reading >>
0
19 July 2024
Proximity, Amicable Settlements, and how the EU Guts GDPR Enforcement
The EU legislator is working on a new Regulation to modify the GDPR. Unfortunately, the reform features deeply troubling elements. It seeks to mainstream a controversial Irish approach to dealing with data protection complaints, namely “amicable settlements” between individuals and digital corporations. Further, and rather problematically, the reform foreshadows the end of the principle of proximity. Gutting – or at least eroding – the proximity principle should ring alarm bells for anyone concerned with effective judicial remedies in the EU. Continue reading >>
0
15 April 2024
GDPR Overreach?
After Meta introduced this model for its social networking services Facebook and Instagram in November 2023, several national data protection authorities called on the EDPB to clarify the compatibility of this model with the GDPR. Data protection law is to be used as a lever to prohibit media companies or online service providers from offering a service that is more data-minimalist than the traditional business model. Data protection authorities are therefore faced with the question of whether the GDPR should address "social justice" concerns. Continue reading >>
0
10 April 2024
Enforcement of the Digital Markets Act
Since March 2024, the undertakings Alphabet/Google, Amazon, Apple, Byte-Dance/TikTok, Meta, and Microsoft must comply with the obligations of the Digital Markets Act (DMA). Within the first month after the 6-months implementation period has ended, the European Commission opened investigations against Alphabet/Google, Apple, and Meta for non-compliance with the obligations in the DMA. All proceedings can be traced back to related competition law cases. However, only two proceedings follow the same reasoning as their competition law role models, while the case against Meta reveals that the approaches under the DMA can and will deviate significantly to those under competition law and data protection law. Continue reading >>
0
21 August 2023
Trivialising Privacy through Tribunals in India
On 11th August 2023, India’s Digital Personal Data Protection Act, 2023 (‘DPDP Act’) has received Presidential assent. The Act’s passing is critical in light of increasing concerns about data security and surveillance in India, including allegations that the government has illegally been using spyware against activists. Moreover, the government and its agencies are major data fiduciaries, having access to various identification and biometric data that have in the past been breached on a large scale. Given this, it is vital that the DPDP Act is able to function effectively and independently against the government in cases of non-compliance. However, a novel provision bestowing appellate jurisdiction on a Tribunal that lacks both the necessary expertise and independence is likely to hinder this goal. Continue reading >>
0
07 July 2023
Competition law as a powerful tool for effective enforcement of the GDPR
It looks like a good week for data protection. On Tuesday, the Commission presented a new proposal for a Regulation on additional procedural rules for the GDPR, and a few hours later, the ECJ published its decision C-252/21 on Meta Platforms v Bundeskartellamt (Federal Cartel Office). While the Commission's proposal to improve enforcement in cross-border cases should probably be taken with a pinch of salt, the ECJ ruled on some things with remarkable clarity. The first reactions to the ruling were quite surprising; few had expected the ECJ to take such a clear stance against Meta's targeted advertising business model. It does however represent a consistent interpretation of the GDPR in the tradition and understanding of power-limiting data protection. Continue reading >>
0
12 May 2023
Squaring the triangle of fundamental rights concerns
Ex ante, the July 2022 ruling by the Court of Justice of the EU on Passenger Name Records had a very specific scope — the use of passenger name records by government agencies. Upon closer inspection, however, it has important implications for the governance of algorithms more generally. That is true especially for the proposed AI Act, which is currently working its way through the EU institutions. It highlights, ultimately, how national, or in this case European, legal orders may limit the scope for international regulatory harmonization and cooperation. Continue reading >>
0
12 May 2023
Automated predictive threat detection after Ligue des Droits Humains
The Ligue des droits humains ruling regarding automated predictive threat detection has implications for the European Travel Information and Authorisation System (ETIAS) Regulation and the EU Commission’s proposal for a Regulation on combating online child sexual abuse material (CSAM). Both legal instruments entail the use of potentially self-learning algorithms, and are spiritual successors to the PNR Directive (the subject of Ligue des droits humains). Continue reading >>
0
11 May 2023
EU Privacy and Public-Private Collaboration
Core state functions, such as law enforcement, are increasingly delegated to private actors. Nowhere is this more apparent than in the development and use of security technologies. This public-private collaboration harbours detrimental consequences for fundamental rights and the rule of law; in particular, for the principle of legality. The policy outcomes which result from this collaboration are not democratically accountable, and allow human rights to be superseded by private, profit-driven interests. Continue reading >>
0