Editorial of April 2021

Tiago Sérgio Cabral (Managing Editor)

The Council’s Position regarding the proposal for the ePrivacy Regulation: out of the frying pan and into the fire?

1. The Council’s Position

On 10 February 2021, the Council of the European Union (finally) agreed on a negotiating mandate regarding the proposal for a new ePrivacy Regulation (the Council’s text shall be referred to as the ‘Council’s Position’ and the original Commission proposal as the ‘ePrivacy Proposal’), breaking a multi-year deadlock and giving new breath to the proposal which is meant to replace the current ePrivacy Directive 2002/58 and establish a coherent framework between the lex specialis and the general rules contained in the General Data Protection Regulation 2016/679 (GDPR).

While some expectations could be noted due to the long-awaited agreement, public reactions to the Council’s Position were not exactly warm. Notably, the Federal Commissioner for Data Protection and Freedom, Ulrich Kelber, considered that the Council’s Position, if adopted, would be a blow for data protection across the European Union. Particularly controversial were the provisions of the Council’s Position which may allow for the implementation of cookie walls, the rules on data retention and ‘return’ of metadata processing without consent.


Summaries of judgments: Privacy International | La Quadrature du Net and Others | R.N.N.S. and K.A. v Minister van Buitenlandse Zaken

Summaries of judgments made in collaboration with the Portuguese judge and référendaire of the CJEU (Nuno Piçarra and Sophie Perez)

Judgments of the Court (Grand Chamber) of 6 October 2020 Privacy International (C‑623/17, EU:C:2020:790) and La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791)

Reference for a preliminary ruling – Processing of personal data in the electronic communications sector – Providers of electronic communications services – Hosting service providers and Internet access providers – General and indiscriminate retention of traffic and location data – Automated analysis of data – Real-time access to data – Safeguarding national security and combating terrorism – Combating crime – Directive 2002/58/EC – Scope – Article 1(3) and Article 3 – Confidentiality of electronic communications – Protection – Article 5 and Article 15(1) – Directive 2000/31/EC – Scope – Charter of Fundamental Rights of the European Union – Articles 4, 6, 7, 8 and 11 and Article 52(1) – Article 4(2) TEU

Facts

Following its judgments of 8 April 2014, Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, of 21 December 2016, Tele2 Sverige and Watson and Others (C‑203/15 and C‑698/15, EU:C:2016:970), and of 2 October 2018, Ministerio Fiscal (C‑207/16, EU:C:2018:788), the ECJ ruled on four requests for a preliminary ruling from jurisdictions in three Member States in proceedings concerning the lawfulness of legislation adopted by those Member States in the field of processing of personal data in the electronic communications sector, laying down in particular an obligation for providers of electronic communications services to retain traffic and location data for the purposes of protecting national security and combating crime.


Editorial of April 2020


by Alessandra Silveira, Editor


Health-related personal data – regarding COVID-19 and digital surveillance

Article 9 of Regulation (EU) 2016/679 – General Data Protection Regulation (hereinafter, “GDPR”) prohibits the processing of special categories of personal data, amongst them (and the ones relevant for the subject of this essay): genetic data; biometric data for the purpose of uniquely identifying a natural person; and data concerning health. However, this prohibition shall not apply if processing is necessary for the purposes of medical diagnosis; the provision of health care or treatment; the management of health care systems; or pursuant to contract with a health professional, in accordance with point h) of Article 9/2 of the GDPR and under the further conditions established in Article 9/3. In particular, the general prohibition shall not apply if the “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices”, under point i) of Article 9/2.

A short introduction to accountability in machine-learning algorithms under the GDPR


by Andreia Oliveira, Master in EU Law (UMINHO)
and Fernando Silva, Consulting coordinator - Portuguese Data Protection National Commission

Artificial Intelligence (AI) can be defined as computer systems designed to solve a wide range of activities that are “normally considered to require knowledge, perception, reasoning, learning, understanding and similar cognitive abilities” [1]. Having intelligent machines capable of imitating human actions, performances and activities seems to be the most common illustration of AI. One needs to recognise AI as being convoluted – thus, machine learning, big data and other terms such as automatization must hold a seat when discussing AI. Machine learning, for example, is defined as the ability of computer systems to improve their performance without explicitly programmed instructions: a system will be able to learn independently without human intervention [2]. To do this, machine learning develops new algorithms, different from the ones that were previously programmed, and includes them as new inputs it has acquired during the previous interactions.

The capabilities of machine learning may put privacy and data protection in jeopardy. Therefore, ascertaining liability would be inevitable and would imply the consideration of, inter alia, all plausible actors that can be called to account.

Under the General Data Protection Regulation (GDPR), the principle of accountability is intrinsically linked to the principle of transparency. Transparency empowers data subjects to hold data controllers and processors accountable and to exercise control over their personal data. Accountability requires transparency of processing operations; however, transparency does not constitute accountability [3]. On the contrary, transparency acts as accountability’s helper – e.g. helping to avoid barriers, such as opacity.

The US CLOUD Act and EU Law


 by Alexandre Veronese, Professor at University of Brasília

In March 2018, the President of the United States of America signed into law a Bill approved by the Congress, which amended two parts of the US Code, the consolidation of the federal statutory norms of the country. The Clarifying Lawful Overseas Use of Data Act – CLOUD Act – was the third version of two preceding bills. Those prior bills tried to solve a grave contemporary issue: the difficulty of accessing electronic data that could be necessary for criminal investigations and prosecution. The new CLOUD Act changes mainly two passages of the US Code. It creates the possibility that the United States and foreign countries could sign executive agreements to grant mutual assistance in order to authorize the gathering of overseas data. In addition, the CLOUD Act creates standards for those agreements.

The United States of America has a long-standing right to due process of law entrenched in the Fourth Amendment of its Constitution. The debate about the limits on access to information captured by means of new ways of communication is rather old in the US. The Federal Wiretap Act came to the US Code amidst the Omnibus Crime Control and Safe Streets Act of 1968. It was a huge alteration of Title 18 of the US Code, which is the Crimes and Criminal Procedures federal statutory law. Therefore, the federal statutory law received provisions that could regulate lawful wiretapping in criminal investigations and the use of wiretaps between agencies and jurisdictions. Notwithstanding, the passing of time and the evolution of technologies showed the aging of those legal norms. A lot of the information that matters to seize, in order to achieve effective evidence to use in investigations, came to be electronic. It was necessary to modify the Wiretap Act and, in 1986, the Electronic Communications Privacy Act came. The new Act modernized the law and regulated the criminal features related to stored electronic information – the Stored Communications Act. The Patriot Act (2001 and 2006) brought to light some provisions regarding overseas information that were made more detailed with the amendments signed into law in 2008.

Editorial of July 2018


 by Alessandra Silveira, Editor 
 and Sophie Perez Fernandes, Junior Editor


Artificial intelligence and fundamental rights: the problem of regulation aimed at avoiding algorithmic discrimination

The scandal involving Facebook and Cambridge Analytica (a private company for data analysis and strategic communication) raises, among others, the problem of regulating learning algorithms. And the problem lies above all in the fact that there is no necessary connection between intelligence and free will. Unlike human beings, algorithms do not have a will of their own, they serve the goals that are set for them. Though spectacular, artificial intelligence bears little resemblance to the mental processes of humans – as the Portuguese neuroscientist António Damásio, Professor at the University of Southern California, brilliantly explains[i]. To this extent, not all impacts of artificial intelligence are easily regulated or translated into legislation – and so traditional regulation might not work[ii].

In a study dedicated to explaining why data (including personal data) are at the basis of the Machine-Learning Revolution – and to what extent artificial intelligence is reconfiguring science, business, and politics – another Portuguese scientist, Pedro Domingos, Professor in the Department of Computer Science and Engineering at the University of Washington, explains that the problem that defines the digital age is the following: how do we find each other? This applies to both producers and consumers – who need to establish a connection before any transaction happens –, but also to anyone looking for a job or a romantic partner. Computers allowed the existence of the Internet – and the Internet created a flood of data and the problem of limitless choice. Now, machine learning uses this infinity of data to help solve the limitless choice problem. Netflix may have 100,000 DVD titles in stock, but if customers cannot find the ones they like, they will end up choosing the hits; so, Netflix uses a learning algorithm that identifies customer tastes and recommends DVDs. Simple as that, explains the Author[iii].

Data Protection Officer according to GDPR


by André Mendes Costa, master’s student at University of Minho

In an ever-changing world of information technologies, privacy and data protection inevitably attract considerable attention.

The Portuguese Data Protection Law and the EU Directive 95/46 will be soon replaced by a new European and National legal framework. In fact, the new General Data Protection Regulation (GDPR) alters profoundly the paradigm of the personal data protection legal regime. The 679/2016 Regulation (GDPR) is part of a new European community legislative package which also includes a directive that lays down the procedures for dealing with personal data by the competent authorities for the purposes of prevention, research, detection and prosecution of criminal offences or the execution of criminal penalties. The Regulation came into force on 25th May and establishes a vacancy period of 2 years, providing the necessary time for the public and private sectors to equip themselves to face the new regulatory demands.

This brief analysis concentrates on the post of the data protection officer (DPO), on his/her duties and competencies and on those entities who are responsible for his/her appointment.

In the new European legislation there is an important change of paradigm in the protection of personal data, namely the suppression – with a few exceptions contained in the Regulation – of the requisite of prior notification to the National Commission of Data Protection (NCDP). This change assigns to the person responsible for the processing of data the onus of legal guarantor of his/her cases, thus fully observing the Regulation. In fact, in the cases where there is no prior notification to the competent authority (NCDP), the Regulation has found other forms of guaranteeing that the processing of personal data is legally protected by creating the post of a data protection officer (DPO).