Last week, the Court of Justice of the European Union published its long-awaited judgment in the Planet49 case, referred by a German Court in proceedings initiated by a non-governmental consumer protection organization representing the participants to an online lottery. It dealt with questions which should have been clarified long time ago, after Article 5(3) was introduced in Directive 2002/58 (the ‘ePrivacy Directive’) by an amendment from 2009, with Member States transposing and then applying its requirements anachronistically:
Is obtaining consent through a pre-ticked box valid when placing cookies on website users’ devices?
Must the notice given to the user when obtaining consent include the duration of the operation of the cookies being placed and whether or not third parties may have access to those cookies?
Does it matter for the application of the ePrivacy rules whether the data accessed through the cookies being placed is personal or non-personal?
The Court answered all of the above, while at the same time signaling to Member States that a disparate approach in transposing and implementing the ePrivacy Directive is not consistent with EU law, and setting clear guidance on what ‘specific’, ‘unambiguous’ and ‘informed’ consent means. Continue reading →
Fashion ID revolves around a German consumer protection organization, Verbraucherzentrale NRW (a public service organization), which filed a lawsuit against Fashion ID, an online fashion shop, about the placement of a Facebook “Like” button on the shop’s website. The inclusion of the like-button on Fashion ID’s website results in the transmission of personal data to Facebook’s servers when a visitor enters the website. This happens (i.) without the visitor being aware of that, (ii.) regardless of whether the visitor is a member of Facebook, and (iii.) regardless of whether the visitor actually clicks the like-button. According to the Verbraucherzentrale, the website operator has not provided information, nor collected consent for this processing of personal data, in accordance with its obligation under the Data Protection Directive (DPD). Continue reading →
L’intelligence artificielle (IA) est une nouvelle donnée qu’il n’est – depuis plusieurs années – plus possible de négliger. La croissance de la puissance de calcul, la maximisation ainsi que la disponibilité des données, la rapidité de traitements des informations et les progrès réalisés dans les algorithmes ont fait de l’IA l’une des technologies les plus stratégiques du 21ème siècle. Face à ce constat, l’Union européenne se doit ne pas rater cette révolution technologique, et, mieux encore, elle se doit de devenir un acteur de pointe sur la scène internationale afin de développer une IA performante, éthique et sûre, au profit tant du citoyen (dans sa vie privée et professionnelle) que de la société dans son ensemble.
A cet effet, la Commission européenne a pris plusieurs initiatives ces deux dernières années. La communication de la Commission européenne intitulée « L’intelligence artificielle pour l’Europe », publiée en avril 2018, préconisait de ce fait une stratégie européenne à l’appui de cet objectif, ainsi qu’un plan coordonné pour le développement de l’IA en Europe, présenté en décembre dernier. Plus récemment encore, en avril 2019 cette fois, la Commission a encore franchi une étape supplémentaire en souhaitant lancer sa phase pilote afin de faire en sorte que les lignes directrices en matière éthique pour le développement de l’IA sûre puissent être concrètement mises en œuvre dans la pratique (COM(2019) 168 final).
Au travers de ce bref article, nous ferons une première évaluation des diverses avancées concernant le déploiement de l’intelligence artificielle au sein de l’Union européenne. Nous analyserons notamment le fil conducteur de ce plan, ainsi que la liste d’évaluation et les lignes directrices en matière d’éthique récemment mises en avant par le groupe d’experts indépendants de haut niveau sur l’intelligence artificielle, afin de générer, selon leurs termes, « une IA digne de confiance » et « axée sur l’humain ». Face à cette dénomination, une question mérite d’être soulevée… Une IA axée sur autre chose – ou pour le dire autrement, une IA au service d’autre chose que l’humain – est-elle possible ? Continue reading →
On July 9, the Court of Justice for the European Union (CJEU) held eight hours of oral argument in hearing case C-311/18, on whether US surveillance practices violate the fundamental rights of EU citizens. This case could potentially rupture the mechanisms that allow personal data to flow across the Atlantic. Should the Court so decide, it would soon be illegal for companies and services we use every day to transfer personal data from the EU to the US. Such a determination, however, may result in an absurdity; EU citizens’ data could not travel to the US for fear of intrusive surveillance, but could flow unimpeded to China, a nation with surveillance practices ripped from the pages of a dystopian science fiction novel. Continue reading →
The case of Glawischnig-Piesczek v Facebook offers the opportunity for the Court of Justice to clarify the personal and material scope of monitoring obligations that may be imposed on Internet intermediaries, i.e. those private entities that ‘give access to, host, transmit and index content originated by third parties’. The decision of the Court will determine whether domestic courts can impose monitoring obligations on digital platforms, and of what nature, and how much power courts should be given in imposing their own standards of acceptable speech across national boundaries. The opinion of the Advocate General, rendered earlier this month, raises some concerns for on-line freedom of expression because of its expansive approach to both monitoring obligations and jurisdictional limitations. Continue reading →
Online platforms have become major economic players over the past decade. It is not surprising, therefore, that their business practices have captured the European Union’s attention. This attention resulted in a 2018 proposal for a Regulation on transparency and equity in relationships with online platforms, a political agreement on which has been reached between the Commission, Council and European Parliament on 13 February 2019 (see for the press release, http://europa.eu/rapid/press-release_IP-19-1168_en.htm). It is very likely that this Regulation will be adopted before the European Parliament elections of this year. Even though it may seem premature to comment on the Regulation’s content in an in-depth way (the final negotiations and fine-tuning are still in progress at this time), this contribution would like to flag an important gap that has seemingly withstood scrutiny so far. That gap concerns the fact that the proposed Regulation apparently – seemingly unintentionally – would not apply to ‘underlying service-attached intermediation activities’ offered by platforms such as Uber and Deliveroo. This is most surprising, as the Commission clearly wants them to fall within the scope of that Regulation (according to its press release mentioned above, the new instrument is to apply to ‘the entire online platform economy’ if and when adopted). This contribution uncovers that gap and proposes a way to close it. Continue reading →
On 14 February the Court of Justice of the EU (CJEU) handed down its decision in Buivids, a case which pitted an amateur individual online publisher against the Latvian Data Protection Authority (DPA). This important case raises fundamental questions concerning the scope of European data protection, the ambit of the personal/household exemption, the legal definition of journalism and the role of data protection as regards to this and also related academic, artistic and literary expression. The Court’s answers to these questions highlight the close and tense interface between European data protection and freedom of expression. At the same time, they provide only relatively limited insight as to how the serious tension between data protection, special expression and freedom of expression more broadly should be resolved. What they do suggest, however, is that not only national legislators but also courts and regulators have active and important roles toplay within this space. The full implications of this, as well as further guidance on how to balance data protection and special expression, should be provided in the forthcoming case of Stunt which will require the Court to consider whether national courts should disapply the ban on pre-publication injunctions against special expression processing which is set out in UK data protection legislation. In addition, Grand Chamber CJEU judgments on internet search engines and data protection are awaited both in relation to sensitive data and the geographical reach of any remedy here. In sum, slowly but surely, an albeit messy corpus of European jurisprudence on data protection and freedom of expression is in the process of gestation. Continue reading →
On Monday 23 April 2018, the European Commission released its proposal on the protection of persons reporting on breaches of Union law. The proposal of the European Commission comes after pressure of the European Parliament and other organisations calling for a coherent protection of whistle-blowers at the EU level. This pressure results partially from different scandals that were revealed by whistle-blowers such as Panama Papers or the case of the Pilatus Bank in Malta. The Commission’s proposal aims to set common minimum standards to protect whistle-blowers when they report breaches of EU law. It has several legal bases and covers a wide-range of EU areas such as consumer protection, financial services and the protection of privacy and data. The reporting procedure follows the ‘classic’ three-tier model for whistle-blowing, that is reporting firstly internally, then to the designated authorities and as a last solution to the public. The text is innovative in the sense that it proposes a wide definition of the whistle-blower ranging from trainees to ex-employees. The European Commission regards whistle-blowing as an enforcement tool for the prevention, detection and prosecution of illegalities affecting EU law.
For the future, it is compelling to pursue the negotiations between the two co-legislators of the EU (European Parliament and Council) in order to follow the challenges on the question of whistle-blowing at the national and European level. These negotiations could take many years. This post aims to introduce the reader to the proposal for a Directive on the protection of whistle-blowers by cross-referring to the case of the Pilatus Bank where a journalist and a whistle-blower are involved. The purpose is to highlight that there is a need for an EU Directive on the protection of whistle-blowers and to demonstrate that the proposed EU Directive would have better protected the Pilatus Bank whistle-blower. Furthermore, this contribution will demonstrate the problematic nature of money laundering and banking supervision at the EU level. Following the creation of the Banking Union, the interconnectivity of banks is a fact and a problem in one country can create a domino effect to the others. For example, the Pilatus Bank scandal does not only concern Malta but the European banking system as a whole. Continue reading →
This is not entirely surprising: due to the increased use of all kinds of online services and information and communication technologies (ICTs), police and judicial authorities are confronted on a daily basis with the problem to collect electronic evidence, as the data they are looking for are often processed, transmitted and/or stored by foreign service providers, including big global technology companies such as Google, Facebook, Microsoft or Amazon. To compel a foreign person to cooperate in a criminal investigation is not obvious – the enforcement jurisdiction of police and judicial authorities is, in principle, limited to their own national territory.
This post will present the highlights of the double e-evidence proposal that is on the table and the first reactions to the proposals, at a moment where the institutional negotiations are picking up speed. Continue reading →
Compulsory retention, by ICT-providers, of all non-content user and traffic data, to ensure that that data will be available for subsequent use by law enforcement or intelligence, has been a controversial issue in the EU for several years now. On 19 July 2018 the Belgian Constitutional Court requested a preliminary ruling from the CJEU. Basically, it asks the EU Court to further clarify its earlier case law. The Belgian constitutional judges indicate that they find some aspects of the CJEU’s previous decisions puzzling and they also offer a new angle by explicitly linking the matter to the positive obligations of member states under the European Convention on Human Rights. The implied suggestion seems that the CJEU did not give those obligations enough weight when it found blanket data retention obligations disproportionate. Continue reading →
Last week, the European Court of Human Rights (ECtHR) issued an important, highly anticipated judgment, condemning the United Kingdom for its mass surveillance program.
Following Edward Snowden’s revelations regarding the United States-United Kingdom intelligence surveillance and intelligence sharing programme, 16 organizations and individuals (including the NGO Big Brother Watch) filed an application against the United Kingdom before the ECtHR. The 212page-long judgment published on September 13, 2018 is rich and deals with a great variety of important issues. Several among them are directly linked to some major legal questions examined in the past by the Court of Justice of the European Union (CJEU) or currently pending before it – not to mention the ongoing debate about whether the EU-US data transfer agreement known as Privacy Shield provides an “adequate level of protection”. The objective of this piece is to provide some first thoughts focusing on the strategic place of this judgment in the European legal landscape. Continue reading →