Tag: personal data

Can a judge’s request for a preliminary ruling be illegal and lead to disciplinary action? – The Court of Justice conclusions in case C-564/19

On By revistaunioIn Case notesLeave a comment 
By Joana Gama Gomes (Master in International and European Law from the University of Coimbra / Researcher at CIDEEFF - Centro de Investigação em Direito Europeu, Económico, Financeiro e Fiscal)

The request for a preliminary ruling was submitted by a Hungarian court in criminal proceedings brought against a Swedish national, for infringement of the provisions of Hungarian law governing the acquisition or transport of firearms or ammunition. Although the facts of this case seem unrelated to the problem at hand, subsequent developments in Hungary during the course of this procedure raised a fundamental issue of EU law.

A declaration of illegality from the Hungarian Supreme Court and disciplinary proceeding against the referring judge led him to ask the Court two crucial questions – whether EU law precludes a national court of last instance from declaring as unlawful a decision by which a lower court makes a request for a preliminary ruling, and whether the principle of judicial independence precludes disciplinary proceedings being brought against a judge for having made such a request for a preliminary ruling.

Continue reading “Can a judge’s request for a preliminary ruling be illegal and lead to disciplinary action? – The Court of Justice conclusions in case C-564/19”

Some additional thoughts on metadata retention – points to consider when adopting new legislation [on joined cases C‑793/19 and C‑794/19 (SpaceNet) and the German legislation on this matter]

On By officialblogunioIn Essays1 Comment 
By Alessandra Silveira (Editor) and Tiago Sérgio Cabral (Managing Editor)

As we have highlighted in this blog, in the recent judgment 268/2022 of 19 April, the Portuguese Constitutional Court finally declared the unconstitutionality of some provisions of Law 32/2008.  Law 32/2008 transposed the rules of Directive 2006/24, which were declared invalid eight years ago by the Court of Justice of the European Union (“CJEU”) in the Digital Rights Ireland judgment, for introducing a system of generalised and indiscriminate retention of personal data. This case-law of the CJEU has recently (again) been confirmed in the G. D. judgment, according to which: Article 15(1) of Directive 2002/58 (Directive on privacy and electronic communications), read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union (“CFREU”), must be interpreted as precluding legislative measures which, as a preventive measure for the purposes of combating serious crime and preventing serious threats to public security, provide for the general and indiscriminate retention of traffic and location data (recital 129).

Fortunately, the idea of amending the Portuguese Constitution to overcome the problem of the generalised and indiscriminate retention of metadata – which is, first and foremost, a matter of EU law – is losing steam. But there have been some voices that, surprisingly, suggest a change of course in the case-law of the CJEU and the Portuguese Constitutional Court. It is worth remembering that, in a State governed by the rule of law and a Union based on the rule of law, judicial decisions against which there is no appeal must be respected – whether one agrees with them or not. This is our most precious constitutional heritage. In fact, one could argue that if we had carefully considered the implications and respected the decision of the CJEU in Digital Rights Ireland when it was originally ruled, we could have avoided this entire issue.

Continue reading “Some additional thoughts on metadata retention – points to consider when adopting new legislation [on joined cases C‑793/19 and C‑794/19 (SpaceNet) and the German legislation on this matter]”

Editorial of May 2022

On By officialblogunioIn Editorials2 Comments 
By Alessandra Silveira (Editor) and Tiago Sérgio Cabral (Managing Editor)

Metadata retention is first and foremost a matter of EU law: a revision of the Portuguese Constitution will not solve the issue

In the recent judgment 268/2022 of 19 April, the Portuguese Constitutional Court finally declared the unconstitutionality of some provisions of Law 32/2008.[1] Law 32/2008 transposed Directive 2006/24, which was declared invalid eight years ago by the Court of Justice of the European Union (“CJEU”) in the Digital Rights Ireland judgment, for introducing a system of generalised and indiscriminate retention of personal data. Given the resistance of the Portuguese judicial authorities to abide by CJEU case law in this area – or even refer back to the CJEU in order to clarify any remaining interpretative doubt – the result achieved by the Portuguese Constitutional Court was not only necessary but also desirable.

What is the solution when addressing a situation of judicial deadlock such as the one Portugal was experiencing with regard to the generalised and indiscriminate retention of personal data incompatible with EU law? It would be for the Constitutional Court to declare the invalidity of the internal rules incompatible with EU law, due to the violation of the obligations to which Portugal was bound when it joined the EU – in particular, the European loyalty provided for in Article 4(3) TEU, which is reflected in Article 8(4) of the Portuguese Constitution. In this context, it should be noted that the problem was not originally solved by the ordinary courts, but by the independent public administration. Here it is worth highlighting the Deliberation 1008/2017, of the Portuguese Data Protection Supervisory Authority (“CNPD”), which still in 2017 decided to disapply Law 32/2008 in the situations submitted to it for appreciation.

Continue reading “Editorial of May 2022”

A short introduction to accountability in machine-learning algorithms under the GDPR

On By officialblogunioIn EssaysLeave a comment

30212411048_96d9eea677_o

 by Andreia Oliveira, Master in EU Law (UMINHO)
 and Fernando Silva, Consulting coordinator - Portuguese Data  Protection National Commission

Artificial Intelligence (AI) can be defined as computer systems designed to solve a wide range of activities, that are “normally considered to require knowledge, perception, reasoning, learning, understanding and similar cognitive abilities” [1]. Having intelligent machines capable of imitating human’s actions, performances and activities seems to be the most common illustration about AI. One needs to recognise AI as being convoluted – thus, machine learning, big data and other terms as automatization must hold a seat when discussing AI.  Machine learning, for example, is defined as the ability of computer systems to improve their performance without explicitly programmed instructions: a system will be able to learn independently without human intervention [2]. To do this, machine learning develops new algorithms, different from the ones that were previously programmed, and includes them as new inputs it has acquired during the previous interactions.

The capabilities of machine learning may put privacy and data protection in jeopardy. Therefore, ascertaining liability would be inevitable and would imply the consideration of inter alia all plausible actors that can be called upon account.

Under the General Data Protection Regulation (GDPR), the principle of accountability is intrinsically linked to the principle of transparency. Transparency empowers data subjects to hold data controllers and processors accountable and to exercise control over their personal data. Accountability requires transparency of processing operations, however transparency does not constitute accountability [3]. On the contrary, transparency acts as an accountability’ helper – e.g. helping to avoid barriers, such as opacity.
Continue reading “A short introduction to accountability in machine-learning algorithms under the GDPR”

The first steps of a revolution with a set date (25 May 2018): the “new” General Data Protection regime

On By officialblogunioIn Comments, News, ReviewsLeave a comment

regulation-3246979_1280

by Pedro Madeira Froufe, Editor


1. Homo digitalis[i] is increasingly more present in all of us. It surrounds us, it captures us. Our daily life is digitalising rapidly. We live, factually and considerably, a virtual existence… but very real! The real and the virtual merge in our normal life; the frontiers between these dimensions of our existence are bluring. Yet, this high-tech life of ours does not seem to be easily framed by law. Law has its own time – for now barely compatible with the speed of technologic developments. Besides, in face of new realities, it naturally hesitates in the pursuit of the value path (therefore, normative) to follow. We must give (its) time to law, without disregarding the growth of homo digitalis.

2. Well, today (25 May 2018) the enforcement of Regulation 2016/679 (GDPR) begins. Since 25 January 2012 (date of the presentation of the proposal for the Regulation) until now the problems with respect to the protection of fundamental rights – in particular the guarantee of personal data security (Article 8 CFREU) – have been progressively clearer as a result of the increase in the digital dimension of our lives. Definitely, the personal data became of economic importance that recently publicized media cases (for example, “Facebook vs. Cambridge Analytics”) underline. Its reuse for purposes other than those justifying its treatment, transaction and crossing, together with the development of the use of algorithms (so-called “artificial intelligence” techniques) have made it necessary to reinforce the uniform guarantees of citizens, owners of personal data, increasingly digitized.
Continue reading “The first steps of a revolution with a set date (25 May 2018): the “new” General Data Protection regime”

The ultimate guide(line) to DPIA’s

On By officialblogunioIn CommentsLeave a comment

11484777313_9b3f7f8f67_o

by João Marques, member of the Portuguese Data Protection National Commission and member of CEDU

Although merely advisory in its nature, the Article 29 Working Party (WP 29) has been a major force in guaranteeing a minimum of consistency in the application of the Directive 95/46/CE, allowing member states’ public and private sectors to know what to expect from their supervisory authorities perspectives on various data protection subjects. Its independence has played a major role in the definition of its views and opinions, focusing on the fundamental rights at stake and delivering qualified feedback to the difficult issues it has faced.

The new European legal framework on data protection has produced a step forward on this regard by instituting a new formal EU Body – the European Data Protection Board – EDPB (Art. 68 of the General Data Protection Regulation – GDPR). This will represent a significant step forward in the European institutional landscape concerning data protection but it does not mean that the WP 29 is already dead and buried, quite the opposite.

As it is already known, the EDPB will have far reaching powers designed to guarantee consistency and effectiveness to the rules of the regulation across the EU. One of the said powers translates into the issuance of guidelines in several matters [Art. 70 (1)(d), (f), (g), (h), (i), (j), (k), (m) of the GDPR].

The problem is, of course, that this new EU Body will only exist from May 2018 onwards, leaving a gap of two years (from May 2016, when the regulation entered into force) to be filled by the current legal and institutional frameworks. As such the WP29 took it into its hands to materialize these particular tasks of the EDPB during this transitional phase, fully aware that the guidelines it may issue for the time being could still be rebutted by the EDPB members. Nevertheless this is a calculated risk as the members currently sitting in the WP 29 will almost certainly be the ones who’ll be sitting in the EDPB.

Continue reading “The ultimate guide(line) to DPIA’s”

Implications of the declaration of invalidity of the Directive 2006/24 on the retention of personal data (metadata) in the EU Member States: an approach to the judgment Tele 2 of 21 December 2016

On By officialblogunioIn Case notes1 Comment

6498637005_ab8645216a_o

by Alessandra Silveira, Editor
and Pedro Freitas, Member of CEDU

In the decision Digital Rights Ireland of 2014[i], the ECJ was called upon to assess the validity of the Directive 2006/24 (on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks) in the light of Articles 7 (Respect for private and family life) and 8 (Protection of personal data) of the Charter of Fundamental Rights of the European Union (CFREU) and considered that the obligation imposed by the Directive 2006/24 on providers of electronic communications services constituted an interference with the aforementioned fundamental rights. [ii]

The issue at hand is that the directive concerned all those who used electronic communications services in Europe – even those whose conduct were not in any way linked with criminal activities.  Furthermore, while seeking to fight against serious crime, the Directive did not provide for any differentiation, limitation or exception to the retention of data of persons whose communications are subject to professional secrecy. In addition to a general absence of limits, the Directive 2006/24 did not lay down any objective criterion to limit the access of the competent national authorities to the data and its subsequent use. Furthermore, the Directive did not require that the data in question should be kept within the territory of the Union, and thus a supervision by an independent body was not fully guaranteed.

While it is true that the fight against serious crime is of prime importance in ensuring public safety and that its effectiveness may depend on the use of modern investigative techniques, such objective, be that as it may, cannot in itself justify a retention measure such as the one established by Directive 2006/24 as necessary for those purposes[iii]. By adopting Directive 2006/24, the European Union legislature had exceeded the limits imposed by the principle of proportionality in the light of Articles 7, 8 and 52(1) of the CFREU, and for that reason the ECJ ruled the invalidity of the directive, without reservations as to the temporal effects of its decision (ex tunc).

However, following the judgment in the Digital Rights Ireland case, the reaction of the Member States was not consensual, which led to an unlawful differentiation of treatment between European citizens. The decision of the ECJ raised the problem of the effects of that invalidity in relation to the national provisions transposing the directive. According to data released by the Portuguese Public Prosecutor’s Office, ten of the EU Member States have declared invalid the national laws that transposed the data retention directive, either by parliamentary decision or through their constitutional courts. In other Member States, including Portugal, this was not the case because the substantial requirements of the ECJ’s decision were deemed satisfied by the national legislation that transposed it. [iv]

Continue reading “Implications of the declaration of invalidity of the Directive 2006/24 on the retention of personal data (metadata) in the EU Member States: an approach to the judgment Tele 2 of 21 December 2016”

Protecting our personal data in the 21st century: why the new EU legal framework matters

On By officialblogunioIn CommentsLeave a comment 
by Rita de Sousa Costa, law student at UMinho
and Tiago Sérgio Cabral, law student at UMinho

Most people do not have any idea of how much the processing of their personal data affects their daily life. In today’s world, our e-mail has the ability to distinguish between important and unimportant e-mails based on our previous communications. When we want to read the news our phones and tablets are able to predict the events and sources that we would be interested in. Facebook knows more about our friends than we do. If you want to watch a movie, Netflix has a broad selection and may give you some tips based on your previously watched list, same with Youtube. If we have a favorite supermarket chain it probably knows what we like to buy through our customer cards. Our keyboards are able to predict the very words we will type[i].

We would find a rather different scenario if we looked to the world in 1995. Twenty years ago, the Internet was still in its early stages of development and was rather different from what we know and use today[ii]. E-mail and instant messaging were unknown to the general population. Google (and search engines as we know them today) did not exist. Social networking and smartphones did, but only in science fiction movies. With this in mind, it is rather astonishing that the EU legal framework regarding the protection of personal data managed to stay, more or less, unchanged for more than twenty years. In these twenty years, the Directive 95/46/CE ensured the protection of personal data for EU citizens fulfilling the required by the Article 16 of the TFUE and the Article 8 of the EUCFR[iii]/[iv].

Continue reading “Protecting our personal data in the 21st century: why the new EU legal framework matters”