Opinion on Opinion 28/2024 of the European Data Protection Board (EDPB): the HeLa of the mind (on the unknowing immortality of online language)

Bruno Saraiva [master’s student in European Union Law and Digital Citizenship & Technological Sustainability (CitDig) scholarship holder]

I.

Henrietta Lacks is a relatively obscure name, but one that is representative of the extraordinary impact an individual can have on human achievements, despite their recognition, in life and after death. Her legacy is one of immortality, a unique form of it: books have been written about her, her story is widely discussed, and her very cells are studied daily. Fragments of her body remain alive and will likely persist as long as modern civilisation endures.

Henrietta Lacks died in 1951, at the age of 31. Her passing would come from an extremely aggressive form of cervical cancer. An African American woman, she was born and laboured on her family’s tobacco farm, until the rising fortunes of post-war America carried her to Baltimore, where she would pass away, leaving her husband and five children. Neither she nor her loved ones would know the significance of her contribution to humanity. Glimpses would only come decades later, when her children’s lives were disrupted by researchers seeking medical data and tissue samples, while steadfastly refusing to divulge the intention behind their actions. Only in 1975, during a chance dinner conversation, would the Lacks family realise Henrietta’s enduring importance.

Commentary to the Bezirkshauptmannschaft Landeck judgment: a failure by the CJEU in appropriately balancing privacy, data protection and the interests of law enforcement [1]

Tiago Sérgio Cabral [Editor of this blog and Project Expert for the Portuguese team in the "European Network on Digitalization and E-governance" (ENDE)]

1. Background

The Court of Justice’s decision in Case C-548/21 (Bezirkshauptmannschaft Landeck) probably got less attention than it deserved from legal scholars due to being issued at the same time as other high-profile data protection cases and connected to Directive 2016/680/EU (the “Law Enforcement Directive”) instead of the GDPR. However, there are good reasons to engage in a deeper analysis of this case. The Bezirkshauptmannschaft Landeck judgment addresses access by law enforcement to mobile phones, which nowadays store large amounts of personal data that most people prefer to maintain private, but that law enforcement considers key for criminal investigation purposes. The Court of Justice’s conclusions regarding this issue are surprising as they seem out of step with previous case-law. Other less controversial but still relevant takeaways from this judgment, such as those regarding the scope of the concept of “personal data”, may have relevance beyond data protection in the context of law enforcement.

    2. The Court of Justice’s Decision

    The case arises from a request for a preliminary ruling from the Regional Administrative Court of Tyrol (Austria). The factual background of the judgment is relatively straightforward: Austrian customs authorities seized a package for a data subject (CG) containing 85 grams of cannabis. Pursuant to this seizure, law enforcement conducted a search of CG’s residence, questioned him, and requested access to connection data on CG’s mobile telephone. CG refused and, as such, law enforcement seized his mobile phone, including SIM and SD cards.

    On rebalancing powers in the digital ecosystem in recent CJEU case law (or on the battle between David and Goliath)

    Alessandra Silveira (Editor of this official blog, Academic Coordinator of Jean Monnet Centre of Excellence “Digital Citizenship & Technological Sustainability” - CitDig, Erasmus+)

    There is no doubt that European Union (EU) law is committed to a certain rebalancing of powers in the digital ecosystem. And why is that? Because today there is a clear imbalance of power in favour of digital service providers, which requires a strengthening of the position of users in their relationship with providers. The Internet has become a space made up of platforms, where unilaterally established and non-transparent business models are developed. This attempt to rebalance power in the digital ecosystem is an exercise in social justice that only the EU can foster. And this trend is particularly noticeable in the field of personal data protection.

    The emergence of a business model based on data – and profiling based on inferred data – reveals the imbalance of power between users and platforms. This has led some authors to recognise the quasi-public powers exercised by technology companies on the Internet: they regulate, enforce and resolve conflicts of interest, acting in an uncontrolled way that we would not even allow public authorities to do in the context of the rule of law. But the problem must be contextualised: what is personal data?

    Summaries of judgments: Landeshauptstadt Wiesbaden | NADA e o.

    Summaries of judgments made in collaboration with the Portuguese judge and référendaire of the CJEU (Nuno Piçarra and Sophie Perez)

    Judgment of the Court (Grand Chamber) of 21 March 2024, Landeshauptstadt Wiesbaden, Case C-61/22, EU:C:2024:251

    Reference for a preliminary ruling – Regulation (EU) 2019/1157 – Strengthening the security of identity cards of EU citizens – Validity – Legal basis – Article 21(2) TFEU – Article 77(3) TFEU – Regulation (EU) 2019/1157 – Article 3(5) – Obligation for Member States to include two fingerprints in interoperable digital formats in the storage medium of identity cards – Article 7 of the Charter of Fundamental Rights of the European Union – Respect for private and family life – Article 8 of the Charter of Fundamental Rights – Protection of personal data – Regulation (EU) 2016/679 – Article 35 – Obligation to carry out a data protection impact assessment – Maintaining the effects for a certain time of a regulation which has been declared invalid

    Facts

    The request for a preliminary ruling was made in proceedings between RL, a German national, and the Landeshauptstadt Wiesbaden (City of Wiesbaden, Land capital, Germany) concerning the rejection by the latter of RL’s application for an identity card which does not include RL’s fingerprints. The application was rejected due to a national provision according to which the inclusion of two fingerprints in the storage medium of identity cards is mandatory. This national provision transposes Article 3(5) of Regulation 2019/1157, on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement.

    RL brought an action before the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden, Germany), seeking an order requiring the Landeshauptstadt Wiesbaden to issue him with an identity card with no fingerprints being collected. The referring court had doubts regarding the validity of Regulation 2019/1157 or, at least, the validity of Article 3(5) thereof, on the grounds that, firstly, it was adopted on an incorrect legal basis, secondly, it violates Article 35 of the GDPR and, thirdly, it violates Articles 7 and 8 CFREU.

    Evaluating the legal admissibility of data transfers from the EU to the USA

    Alessandra Silveira (Editor) and João Marques (Lawyer, former member of Portuguese Data Protection Supervisory Authority)

    1. The feud between Maximillian Schrems and the Irish Data Protection Supervisory Authority (Data Protection Commission – DPC), with Facebook always lingering in, has been detrimental to frame the legality of data flows from the European Union (EU) to the United States of America (USA), but also to any third country that replicates the shortcomings relating to the inexistence of a “level of protection essentially equivalent to that guaranteed within the European Union (…), read in the light of the Charter of Fundamental Rights of the European Union” [in the words of the Court of Justice of the European Union (CJEU)].[1]

    2. The sole action of one man has brought down two different and sequential “transfer tools”, created in tandem by both the European Commission (EC) and the United States’ Government. In case C-362/14 the CJEU declared the Safe Harbour decision (Commission Decision 2000/520/EC of 26 July 2000) invalid, as the Court found that the USA’s legislation did not offer an essentially equivalent level of protection to that of the EU, also reminding all Data Protection Supervisory Authorities that their work is never done and that the task and the responsibility of constantly monitoring whether any given third country complies, and remains compliant, with the need to offer such an equivalency rest, in fact, upon their shoulders.

    Editorial of December 2021

    By Alessandra Silveira (Editor)
    

    AI systems and automated inferences – on the protection of inferred personal data

    On 23 November 2021 the European Commission published the consultation results on a set of digital rights and principles to promote and uphold EU values in the digital space – which ran between 12 May and 6 September 2021.[1] This public consultation on digital principles is a key deliverable of the preparatory work for the upcoming “Declaration on digital rights and principles for the Digital Decade”, which the European Commission will announce by the end of 2021. The consultation invited all interested people to share their views on the formulation of digital principles in 9 areas: i) universal access to internet services; ii) universal digital education and skills for people to take an active part in society and in democratic processes; iii) accessible and human-centric digital public services and administration; iv) access to digital health services; v) an open, secure and trusted online environment; vi) protecting and empowering children and young people in the online space; vii) a European digital identity; viii) access to digital devices, systems and services that respect the climate and environment; ix) ethical principles for human-centric algorithms.

    The Schrems II Judgment: First two investigations by the European Data Protection Supervisor

    by Joana Campos e Matos (Senior Consultant at Vieira de Almeida & Associados)
    

    On May 27, 2021, the European Data Protection Supervisor (“EDPS”) announced that it has opened two investigations regarding the use of Amazon and Microsoft services by European Union institutions (EUIs)[1].

    In a press release, the EDPS announced the opening of two investigations, one concerning the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by European Union institutions, bodies and agencies and the other regarding the use of Microsoft Office 365 by the European Commission.

    The EDPS underlined that these investigations are part of the EDPS’ strategy for EU institutions to comply with the “Schrems II” Judgment[2].

    1. Legal framework for international data transfers by EUIs

    According to Regulation (EU) 2018/1725[3], international data transfers[4] are only permitted if the third country to which the data are transferred ensures that the conditions set out in the Regulation are respected, in such a way that the level of protection of natural persons guaranteed by the Regulation is not undermined (Article 46). Thus, data transfers to countries located outside the European Economic Area (“EEA”) can only occur within the strict terms provided for by the Regulation.

    Editorial of June 2021

    By Tiago Sérgio Cabral (Managing Editor)

    Data Governance and the AI Regulation: Interplay between the GDPR and the proposal for an AI Act

    It is hardly surprising that the recent European Commission’s proposal for a Regulation on a European Approach for Artificial Intelligence (hereinafter the “proposal for an AI Act”) is heavily inspired by the GDPR, from taking note of the GDPR’s success in establishing worldwide standards to learning from its shortcomings, for example by suppressing the one-stop-shop mechanism (arguably responsible for some of its enforcement woes).[1]

    The proposal for an AI Act should not be considered a GDPR for AI for one singular reason: there is already a GDPR for AI, and it is called the GDPR. The scope and aims of the proposal are different, but there is certainly a high degree of influence and the interplay between the two Regulations, if the AI Act is approved, will certainly be interesting. In this editorial we will address one particular aspect where the interplay between the GDPR and the AI Act could be particularly relevant: data governance and data set management.

    Before going specifically into this subject, it is important to know that the AI Act’s proposed fines have a higher ceiling than the GDPR’s: up to 30,000,000 euros or, if the offender is a company, up to 6% of its total worldwide annual turnover for the preceding financial year (article 71(3) of the proposal for an AI Act). We should note, nonetheless, that this specific value is applicable to a restricted number of infringements, namely:

    Editorial of April 2021

    Tiago Sérgio Cabral (Managing Editor)
    

    The Council’s Position regarding the proposal for the ePrivacy Regulation: out of the frying pan and into the fire?

    1. The Council’s Position

    On 10 February 2021, the Council of the European Union (finally) agreed on a negotiating mandate regarding the proposal for a new ePrivacy Regulation (the Council’s text shall be referred to as the ‘Council’s Position’ and the original Commission proposal as the ‘ePrivacy Proposal’), breaking a multi-year deadlock and giving new breath to the proposal which is meant to replace the current ePrivacy Directive 2002/58 and establish a coherent framework between the lex specialis and the general rules contained in the General Data Protection Regulation 2016/679 (GDPR).

    While some expectations could be noted due to the long-awaited agreement, public reactions to the Council’s Position were not exactly warm. Notably, the Federal Commissioner for Data Protection and Freedom, Ulrich Kelber, considered that the Council’s Position, if adopted, would be a blow for data protection across the European Union. Particularly controversial were the provisions of the Council’s Position which may allow for the implementation of cookie walls, the rules on data retention and ‘return’ of metadata processing without consent.
