Evaluating the legal admissibility of data transfers from the EU to the USA

Alessandra Silveira (Editor) and João Marques (Lawyer, former member of Portuguese Data Protection Supervisory Authority)

1. The feud between Maximillian Schrems and the Irish Data Protection Supervisory Authority (Data Protection Commission – DPC), with Facebook always lingering in the background, has been decisive in framing the legality of data flows from the European Union (EU) to the United States of America (USA), but also to any third country that replicates the shortcomings relating to the absence of a “level of protection essentially equivalent to that guaranteed within the European Union (…), read in the light of the Charter of Fundamental Rights of the European Union” [in the words of the Court of Justice of the European Union (CJEU)].[1]

2. The sole action of one man has brought down two different and sequential “transfer tools”, created in tandem by both the European Commission (EC) and the United States’ Government. In case C-362/14 the CJEU declared the Safe Harbour decision (Commission Decision 2000/520/EC of 26 July 2000) invalid, as the Court found that the USA’s legislation did not offer an essentially equivalent level of protection to that of the EU. The Court also reminded all Data Protection Supervisory Authorities that their work is never done and that the task and the responsibility of constantly monitoring whether any given third country complies, and remains compliant, with the need to offer such an equivalency rests, in fact, upon their shoulders.


Editorial of December 2021

By Alessandra Silveira (Editor)

AI systems and automated inferences – on the protection of inferred personal data

On 23 November 2021 the European Commission published the results of the consultation on a set of digital rights and principles to promote and uphold EU values in the digital space, which ran between 12 May and 6 September 2021.[1] This public consultation on digital principles is a key deliverable of the preparatory work for the upcoming “Declaration on digital rights and principles for the Digital Decade”, which the European Commission will announce by the end of 2021. The consultation invited all interested people to share their views on the formulation of digital principles in 9 areas: i) universal access to internet services; ii) universal digital education and skills for people to take an active part in society and in democratic processes; iii) accessible and human-centric digital public services and administration; iv) access to digital health services; v) an open, secure and trusted online environment; vi) protecting and empowering children and young people in the online space; vii) a European digital identity; viii) access to digital devices, systems and services that respect the climate and environment; ix) ethical principles for human-centric algorithms.


The Schrems II Judgment: First two investigations by the European Data Protection Supervisor

by Joana Campos e Matos (Senior Consultant at Vieira de Almeida & Associados)

On May 27, 2021, the European Data Protection Supervisor (“EDPS”) announced that it had opened two investigations regarding the use of Amazon and Microsoft services by European Union institutions (EUIs)[1].

In a press release, the EDPS announced the opening of two investigations, one concerning the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by European Union institutions, bodies and agencies and the other regarding the use of Microsoft Office 365 by the European Commission.

The EDPS underlined that these investigations are part of the EDPS’ strategy for EU institutions to comply with the “Schrems II” Judgement[2].

1. Legal framework for international data transfers by EUIs

According to Regulation (EU) 2018/1725 [3], international data transfers[4] are only permitted if the third country to which the data are transferred ensures that the conditions set out in the Regulation are respected, in such a way that the level of protection of natural persons guaranteed by the Regulation is not undermined (Article 46). Thus, data transfers to countries located outside the European Economic Area (“EEA”) can only occur within the strict terms provided for by the Regulation.


Editorial of June 2021

By Tiago Sérgio Cabral (Managing Editor)

Data Governance and the AI Regulation: Interplay between the GDPR and the proposal for an AI Act

It is hardly surprising that the European Commission’s recent proposal for a Regulation on a European Approach for Artificial Intelligence (hereinafter the “proposal for an AI Act”) is heavily inspired by the GDPR, from taking note of the GDPR’s success in establishing worldwide standards to learning from its shortcomings, for example by suppressing the one-stop-shop mechanism (arguably responsible for some of its enforcement woes).[1]

The proposal for an AI Act should not be considered a GDPR for AI for one singular reason: there is already a GDPR for AI, and it is called the GDPR. The scope and aims of the proposal are different, but there is certainly a high degree of influence and the interplay between the two Regulations, if the AI Act is approved, will certainly be interesting. In this editorial we will address one particular aspect where the interplay between the GDPR and the AI act could be particularly relevant: data governance and data set management.

Before going specifically into this subject, it is important to know that the AI Act’s proposed fines have a higher ceiling than the GDPR’s: up to 30,000,000 euros or, if the offender is a company, up to 6% of its total worldwide annual turnover for the preceding financial year (article 71(3) of the proposal for an AI Act). We should note, nonetheless, that this specific value is applicable to a restricted number of infringements, namely:


Editorial of April 2021

Tiago Sérgio Cabral (Managing Editor)

The Council’s Position regarding the proposal for the ePrivacy Regulation: out of the frying pan and into the fire?

1. The Council’s Position

On 10 February 2021, the Council of the European Union (finally) agreed on a negotiating mandate regarding the proposal for a new ePrivacy Regulation (the Council’s text shall be referred to as the ‘Council’s Position’ and the original Commission proposal as the ‘ePrivacy Proposal’), breaking a multi-year deadlock and giving new breath to the proposal which is meant to replace the current ePrivacy Directive 2002/58 and establish a coherent framework between the lex specialis and the general rules contained in the General Data Protection Regulation 2016/679 (GDPR).

While some expectations could be noted due to the long-awaited agreement, public reactions to the Council’s Position were not exactly warm. Notably, the Federal Commissioner for Data Protection and Freedom, Ulrich Kelber, considered that the Council’s Position, if adopted, would be a blow for data protection across the European Union. Particularly controversial were the provisions of the Council’s Position which may allow for the implementation of cookie walls, the rules on data retention and ‘return’ of metadata processing without consent.


Summaries of judgments: J & S Service | VL v Szpital Kliniczny im. dra J. Babińskiego Samodzielny Publiczny Zakład Opieki Zdrowotnej w Krakowie

Summaries of judgments made in collaboration with the Portuguese judge and référendaire of the CJEU (Nuno Piçarra and Sophie Perez)


Judgment of the Court (First Chamber) of 10 December 2020, J & S Service, Case C-620/19, EU:C:2020:1011.

Reference for a preliminary ruling – Personal data – Regulation (EU) 2016/679 – Article 23 – Restrictions – Important financial interest – Enforcement of civil law claims – National regulation referring to provisions of Union law – Tax data relating to legal persons – Incompetence of the Court

Facts

The dispute in the main proceedings is between the Land Nordrhein‑Westfalen and D.‑H. T., acting as trustee in bankruptcy for J & S Service UG, in connection with a request to obtain tax data concerning this company.

The tax administration having rejected this request, D.-H. T. appealed to the competent Verwaltungsgericht, which essentially upheld his appeal. The competent Oberverwaltungsgericht dismissed the appeal lodged by the Land Nordrhein-Westfalen against the judgment at first instance. This court considered in particular that the right of access to information, exercised on the basis of the law on freedom of information, was not precluded by existing specific rules in tax matters. Therefore, although the information requested was covered by tax secrecy, D.-H. T. was entitled, in his capacity as trustee in bankruptcy, to ask J & S Service for any information relating to the insolvency proceedings. The Land Nordrhein-Westfalen appealed against this decision to the Bundesverwaltungsgericht.


Editorial of February 2021

Alessandra Silveira (Editor) and Alexandre Veronese (Professor at University of Brasília)

Thoughts regarding the right to deindexation and the weaknesses of the idea of “being forgotten” online – marking the Data Protection Day

28 January 2021 marks the 15th “Data Protection Day” and the 40th anniversary of the Council of Europe’s Convention 108 – the first international legal instrument regarding personal data protection – which was opened for signature on 28 January 1981.

What began as a European celebration is now a yearly commemoration all around the world. This year, to mark the occasion, the Ibero-American Network for Data Protection and the Council of Europe promoted an event targeted to Latin America. It is interesting to know that, coincidentally, the Brazilian Federal Supreme Court (STF) will hear on 3 February a case regarding a type of “right to be forgotten.” This right is the subject inspiring this essay. In light of this fact, it is essential to assess the (jus)fundamental dimension of the right to deindexation and the weakness of the idea of “being forgotten” online.[i]


Summaries of judgments: Privacy International | La Quadrature du Net and Others | R.N.N.S. and K.A. v Minister van Buitenlandse Zaken

Summaries of judgments made in collaboration with the Portuguese judge and référendaire of the CJEU (Nuno Piçarra and Sophie Perez)

Judgments of the Court (Grand Chamber) of 6 October 2020 Privacy International (C‑623/17, EU:C:2020:790) and La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791)

Reference for a preliminary ruling – Processing of personal data in the electronic communications sector – Providers of electronic communications services – Hosting service providers and Internet access providers – General and indiscriminate retention of traffic and location data – Automated analysis of data – Real-time access to data – Safeguarding national security and combating terrorism – Combating crime – Directive 2002/58/EC – Scope – Article 1(3) and Article 3 – Confidentiality of electronic communications – Protection – Article 5 and Article 15(1) – Directive 2000/31/EC – Scope – Charter of Fundamental Rights of the European Union – Articles 4, 6, 7, 8 and 11 and Article 52(1) – Article 4(2) TEU

Facts

Following its judgments of 8 April 2014, Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, of 21 December 2016, Tele2 Sverige and Watson and Others (C‑203/15 and C‑698/15, EU:C:2016:970), and of 2 October 2018, Ministerio Fiscal (C‑207/16, EU:C:2018:788), the ECJ ruled on four requests for a preliminary ruling from jurisdictions in three Member States in proceedings concerning the lawfulness of legislation adopted by those Member States in the field of processing of personal data in the electronic communications sector, laying down in particular an obligation for providers of electronic communications services to retain traffic and location data for the purposes of protecting national security and combating crime.


Artificial intelligence: 2020 A-level grades in the UK as an example of the challenges and risks

by Piedade Costa de Oliveira (Former official of the European Commission - Legal Service)
Disclaimer: The opinions expressed are purely personal and are the exclusive responsibility of the author. They do not reflect any position of the European Commission.

The use of algorithms for automated decision-making, commonly referred to as Artificial Intelligence (AI), is becoming a reality in many fields of activity both in the private and public sectors.

It is common ground that AI raises considerable challenges not only for the area in which it is operated but also for society as a whole. As pointed out by the European Commission in its White Paper on AI[i], AI entails a number of potential risks, such as opaque decision-making, gender-based bias or other kinds of discrimination or intrusion on privacy.

In order to mitigate such risks, Article 22 of the GDPR confers on data subjects the right not to be subject to a decision based solely on automated processing which produces legal effects concerning them or similarly significantly affects them[ii].
