Editorial of June 2021

By Tiago Sérgio Cabral (Managing Editor)

Data Governance and the AI Regulation: Interplay between the GDPR and the proposal for an AI Act

It is hardly surprising that the European Commission’s recent proposal for a Regulation on a European Approach for Artificial Intelligence (hereinafter the “proposal for an AI Act”) is heavily inspired by the GDPR, from taking note of the GDPR’s success in establishing worldwide standards to learning from its shortcomings, for example by suppressing the one-stop-shop mechanism (arguably responsible for some of its enforcement woes).[1]

The proposal for an AI Act should not be considered a GDPR for AI for one singular reason: there is already a GDPR for AI, and it is called the GDPR. The scope and aims of the proposal are different, but there is certainly a high degree of influence and the interplay between the two Regulations, if the AI Act is approved, will certainly be interesting. In this editorial we will address one particular aspect where the interplay between the GDPR and the AI Act could be particularly relevant: data governance and data set management.

Before going specifically into this subject, it is important to know that the AI Act’s proposed fines have a higher ceiling than the GDPR’s: up to 30,000,000 euros or, if the offender is a company, up to 6% of its total worldwide annual turnover for the preceding financial year (article 71(3) of the proposal for an AI Act). We should note, nonetheless, that this specific value is applicable to a restricted number of infringements, namely:


Editorial of April 2021

Tiago Sérgio Cabral (Managing Editor)

The Council’s Position regarding the proposal for the ePrivacy Regulation: out of the frying pan and into the fire?

1. The Council’s Position

On 10 February 2021, the Council of the European Union (finally) agreed on a negotiating mandate regarding the proposal for a new ePrivacy Regulation (the Council’s text shall be referred to as the ‘Council’s Position’ and the original Commission proposal as the ‘ePrivacy Proposal’), breaking a multi-year deadlock and giving new breath to the proposal which is meant to replace the current ePrivacy Directive 2002/58 and establish a coherent framework between the lex specialis and the general rules contained in the General Data Protection Regulation 2016/679 (GDPR).

While some expectations could be noted due to the long-awaited agreement, public reactions to the Council’s Position were not exactly warm. Notably, the Federal Commissioner for Data Protection and Freedom, Ulrich Kelber, considered that the Council’s Position, if adopted, would be a blow for data protection across the European Union. Particularly controversial were the provisions of the Council’s Position which may allow for the implementation of cookie walls, the rules on data retention and ‘return’ of metadata processing without consent.


Summaries of judgments: J & S Service | VL v Szpital Kliniczny im. dra J. Babińskiego Samodzielny Publiczny Zakład Opieki Zdrowotnej w Krakowie

Summaries of judgments made in collaboration with the Portuguese judge and référendaire of the CJEU (Nuno Piçarra and Sophie Perez)


Judgment of the Court (First Chamber) of 10 December 2020, J & S Service, Case C-620/19, EU:C:2020:1011.

Reference for a preliminary ruling – Personal data – Regulation (EU) 2016/679 – Article 23 – Restrictions – Important financial interest – Enforcement of civil law claims – National regulation referring to provisions of Union law – Tax data relating to legal persons – Incompetence of the Court

Facts

The dispute in the main proceedings opposes the Land Nordrhein‑Westfalen to D.‑H. T., acting as trustee in bankruptcy for J & S Service UG, in connection with a request for obtaining tax data concerning this company.

The tax administration having rejected this request, D.-H. T. appealed to the competent Verwaltungsgericht, which essentially upheld his appeal. The competent Oberverwaltungsgericht dismissed the appeal lodged by the Land Nordrhein-Westfalen against the judgment at first instance. This court considered in particular that the right of access to information, exercised on the basis of the law on freedom of information, was not precluded by existing specific rules in tax matters. Therefore, although the information requested was covered by tax secrecy, D.-H. T. was entitled, in his capacity as trustee in bankruptcy, to ask J & S Service for any information relating to the insolvency proceedings. The Land Nordrhein-Westfalen appealed against this decision to the Bundesverwaltungsgericht.


Editorial of February 2021

Alessandra Silveira (Editor) and Alexandre Veronese (Professor at University of Brasília)

Thoughts regarding the right to deindexation and the weaknesses of the idea of “being forgotten” online – marking the Data Protection Day

28 January 2021 marks the 15th “Data Protection Day” and the 40th anniversary of the Council of Europe’s Convention 108 – the first international legal instrument regarding personal data protection – which was opened for signature on 28 January 1981.

What began as a European celebration is now a yearly commemoration all around the world. This year, to mark the occasion, the Ibero-American Network for Data Protection and the Council of Europe promoted an event targeted to Latin America. It is interesting to know that, coincidentally, the Brazilian Federal Supreme Court (STF) will hear on 3 February a case regarding a type of “right to be forgotten.” This right is the subject inspiring this essay. In light of this fact, it is essential to assess the (jus)fundamental dimension of the right to deindexation and the weakness of the idea of “being forgotten” online.[i]


Summaries of judgments: Privacy International | La Quadrature du Net and Others | R.N.N.S. and K.A. v Minister van Buitenlandse Zaken

Summaries of judgments made in collaboration with the Portuguese judge and référendaire of the CJEU (Nuno Piçarra and Sophie Perez)

Judgments of the Court (Grand Chamber) of 6 October 2020 Privacy International (C‑623/17, EU:C:2020:790) and La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791)

Reference for a preliminary ruling – Processing of personal data in the electronic communications sector – Providers of electronic communications services – Hosting service providers and Internet access providers – General and indiscriminate retention of traffic and location data – Automated analysis of data – Real-time access to data – Safeguarding national security and combating terrorism – Combating crime – Directive 2002/58/EC – Scope – Article 1(3) and Article 3 – Confidentiality of electronic communications – Protection – Article 5 and Article 15(1) – Directive 2000/31/EC – Scope – Charter of Fundamental Rights of the European Union – Articles 4, 6, 7, 8 and 11 and Article 52(1) – Article 4(2) TEU

Facts

Following its judgments of 8 April 2014, Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, of 21 December 2016, Tele2 Sverige and Watson and Others (C‑203/15 and C‑698/15, EU:C:2016:970), and of 2 October 2018, Ministerio Fiscal (C‑207/16, EU:C:2018:788), the ECJ ruled on four requests for a preliminary ruling from jurisdictions in three Member States in proceedings concerning the lawfulness of legislation adopted by those Member States in the field of processing of personal data in the electronic communications sector, laying down in particular an obligation for providers of electronic communications services to retain traffic and location data for the purposes of protecting national security and combating crime.


Artificial intelligence: 2020 A-level grades in the UK as an example of the challenges and risks

by Piedade Costa de Oliveira (Former official of the European Commission - Legal Service)
Disclaimer: The opinions expressed are purely personal and are the exclusive responsibility of the author. They do not reflect any position of the European Commission.

The use of algorithms for automated decision-making, commonly referred to as Artificial Intelligence (AI), is becoming a reality in many fields of activity both in the private and public sectors.

It is common ground that AI raises considerable challenges not only for the area for which it is operated in but also for society as a whole. As pointed out by the European Commission in its White Paper on AI[i], AI entails a number of potential risks, such as opaque decision-making, gender-based bias or other kinds of discrimination or intrusion on privacy.

In order to mitigate such risks, Article 22 of the GDPR confers on data subjects the right not to be subject to a decision based solely on automated processing which produces legal effects concerning them or similarly significantly affects them[ii].


The “mandatory” contact-tracing App “StayAway COVID” – a matter of European Union Law

by Alessandra Silveira, Joana Covelo de Abreu (Editors) and Tiago Sérgio Cabral (Managing Editor)

1. During the previous week there has been plenty of controversy regarding a proposal by the Portuguese Government to make the installation of the App “StayAway COVID” (“App”) – a mobile contact-tracing application designed to fight the pandemic – mandatory for large sections of the population. While the Government appears to have backed down from this idea (for now), the issue of European Union Law (“EU Law”) has been surprisingly absent from most of the debate around a measure of this nature, even though it should be front and centre and precedes even the issue of constitutionality.

As we will show in this text, it is difficult to argue against the conclusion that this subject should be considered as a matter of EU Law – and, consequently, that this is a question of fundamental rights protected by the European Union (“EU”). In the EU’s legal framework, privacy and personal data protection are fundamental rights enshrined within Article 16 of the Treaty on the Functioning of the EU and Articles 7 and 8 of the Charter of Fundamental Rights of the EU (CFREU). Since it is a matter regulated at EU level, the EU’s standard of fundamental rights’ protection is applicable before and above even the national constitutional standards of protection[i]. So, this is not just a Portuguese constitutional problem that can be solved in the light of the Portuguese Constitution – it is an issue of relevance to all European citizens which needs to be resolved in the light of the EU’s (jus)fundamental standards (see Article 51 CFREU).[ii] It is important to be aware that the Court of Justice of the EU (“ECJ”), in the past, struck down constitutional provisions from Member States to ensure the adequate protection of fundamental rights of privacy and personal data protection[iii]. This is because not all Member States have the same level of (jus)fundamental protection.

2. Under the current legal framework in the EU, enforcing the use of any contact-tracing application to the general public (or to large sections of the general public such as the entire population inserted within the labour market, academia, schools and public administration) would always face some serious challenges.


Is the European Union’s legal framework ready for AI-enabled drone deliveries? A preliminary short assessment – from the Commission Implementing Regulation 2019/947/EU to data protection


 by Marília Frias, Senior Associate at Vieira de Almeida & Associados
 and Tiago Cabral, Master in EU Law, University of Minho

1. As we are writing this short essay, a significant percentage of the world population is at home, in isolation, as a preventive measure to stop the spread of the COVID-19 pandemic. Of course, for isolation to be effective, people should only leave their houses when strictly necessary, for instance, to shop for essential goods, and preventive measures frequently include orders of closure directed to all non-essential businesses.

2. Unfortunately, the European Union (hereinafter, “EU”) is one of the epicentres of the pandemic. As a result, some European citizens are turning to e-commerce to buy goods not available in the brick-and-mortar shops that are still open. Meanwhile, others opt to bring their shopping into the online realm simply to reduce the risk of contact and infection. Currently, sustaining the market as best as possible under these conditions to avoid a (stronger) economic crisis should be one of the key priorities. Furthermore, with a growing number of people working remotely, it is also vital to guarantee that the necessary supplies can arrive in time and with no health-related concerns attached.

3. Nowadays, most delivery services work based on humans who physically get the product from point A and deliver it to point B. The system is more or less the same, whether the reader orders a package from China or delivery from the pizza place 5 minutes away from the reader’s house. Obviously, more people will be involved in the delivery chain in our first example, but it is still, at its core, a string of people getting the order from point A to point B. This is a challenge for those working in the delivery and transportation businesses who have to put their health on the line to ensure swift delivery of products to the ones who are at home.

Editorial of April 2020


by Alessandra Silveira, Editor


Health-related personal data – regarding COVID-19 and digital surveillance

Article 9 of the Regulation (EU) 2016/679 – General Data Protection Regulation (hereinafter, “GDPR”) prohibits the processing of special categories of personal data, amongst them (and the ones relevant for the subject of this essay): genetic data; biometric data for the purpose of uniquely identifying a natural person; and data concerning health. However, this prohibition shall not apply if processing is necessary for the purposes of medical diagnosis; the provision of health care or treatment; the management of health care systems; or pursuant to contract with a health professional, in accordance with point h), of Article 9/2 of GDPR and under the further conditions established in Article 9/3. In particular, the general prohibition shall not apply if the “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices”, under point i), of Article 9/2.

Editorial of December 2019


by João Marques, member of the Portuguese Data Protection National Commission


Portuguese DPA won’t apply the country’s GDPR law

In spite of its nature[i], the GDPR leaves some room for manoeuvre to the Member States. This European legal instrument has even been called a hybrid[ii] between a directive and a regulation, precisely because there is a significant number of issues where national legislation can in fact diverge from the general solutions the GDPR brings to the table. Although such leeway is not to be mistaken for a “carte blanche” to the Member States, there is nevertheless a relevant part to be played by national legislators.

From the definition of a minimum legal age for children’s consent to be considered valid for their personal data to be processed (in relation to information society services), which can vary between 13 and 16 years of age, to the waiver on fines being applied to the public sector (Article 83, 7), there is a vast array of subjects left for the Member States to determine. In fact, a whole chapter of the GDPR[iii] is dedicated to these subjects, namely: Processing and freedom of expression and information (Article 85); Processing and freedom of expression and information (Article 86); Processing of the national identification number (Article 87); Processing in the context of employment (Article 88); Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 89); Obligations of secrecy (Article 90) and Existing data protection rules of churches and religious associations (Article 91).

Additionally, matters of procedural law, according to the Principle of Conferral (Article 5 of the Treaty on the European Union) are almost entirely left for Member States to regulate, with few exceptions such as the deadlines and the (in)formalities of the reply to a data subject rights request (Article 12) and, most notably, the one-stop shop procedure (instated in Article 60) and all its related and non-related issues that are undertaken by the European Data Protection Board, the new European Union Body provided by the GDPR (section 3 of Chapter VII).

The task that lay ahead of the Portuguese legislator, concerning the national reform of the Data Protection Law[iv], was therefore demanding but framed in a way that should have helped steer its drafting in a comprehensive and relatively straightforward manner[v].

The legislative procedure in Portugal took some time to be jumpstarted and it wasn’t until the 22nd of March 2018 that a proposal from the government was finally approved and forwarded to the Parliament, as this is a matter of its competence under Article 165(1)(b) of the Portuguese Constitution.