28 November 2024
The Long and Winding Road
The Court of Justice’s Quadrature du Net judgements mark another key moment in the complex and long-lasting legal debate on mass data retention in the European Union. This blogpost critically discusses the “constitutionalisation path” outlined by the EU Judges as well as the fragmented roads taken by Member States, with specific attention to Italy. Ultimately, it demonstrates the need for a decisive EU legislators’ intervention, able to draw the future path of data retention regimes. Continue reading >>
0 
27 November 2024
Prioritising Member States Over Citizens
The classic story about the right to privacy and data protection in the EU is one of a high level of protection. Yet, this original rosy image is increasingly fading away, most visibly in the La Quadrature du Net litigation, which is a continuation of two dynamics. First, the Court is still cleaning up the residual mess that lingers on from the now annulled Data Retention Directive. Second, in so doing, it is incrementally allowing the Member States indiscriminately retain personal data. Hence, the Court is carving out space for Member States’ preferences to the detriment of the protection of the individual. Continue reading >>
0
29 February 2024
No Backdoor for Mass Surveillance
Bulk data retention is the evergreen of European security policy. On February 13, the European Court of Human Rights (ECtHR) – once again – ruled in Podchasov on Russia’s collection of and access to citizens’ private communication. The Court made it clear that weakening the encryption of all citizens cannot be justified. This sends an important message not only to the Russian state, but also to other European governments that contemplate installing “backdoors” on encrypted messenger services like Telegram, Signal or WhatsApp. Continue reading >>
0
21 August 2023
Trivialising Privacy through Tribunals in India
On 11th August 2023, India’s Digital Personal Data Protection Act, 2023 (‘DPDP Act’) has received Presidential assent. The Act’s passing is critical in light of increasing concerns about data security and surveillance in India, including allegations that the government has illegally been using spyware against activists. Moreover, the government and its agencies are major data fiduciaries, having access to various identification and biometric data that have in the past been breached on a large scale. Given this, it is vital that the DPDP Act is able to function effectively and independently against the government in cases of non-compliance. However, a novel provision bestowing appellate jurisdiction on a Tribunal that lacks both the necessary expertise and independence is likely to hinder this goal. Continue reading >>
0
12 May 2023
Squaring the triangle of fundamental rights concerns
Ex ante, the July 2022 ruling by the Court of Justice of the EU on Passenger Name Records had a very specific scope — the use of passenger name records by government agencies. Upon closer inspection, however, it has important implications for the governance of algorithms more generally. That is true especially for the proposed AI Act, which is currently working its way through the EU institutions. It highlights, ultimately, how national, or in this case European, legal orders may limit the scope for international regulatory harmonization and cooperation. Continue reading >>
0
12 May 2023
Automated predictive threat detection after Ligue des Droits Humains
The Ligue des droits humains ruling regarding automated predictive threat detection has implications for the European Travel Information and Authorisation System (ETIAS) Regulation and the EU Commission’s proposal for a Regulation on combating online child sexual abuse material (CSAM). Both legal instruments entail the use of potentially self-learning algorithms, and are spiritual successors to the PNR Directive (the subject of Ligue des droits humains). Continue reading >>
0
11 May 2023
EU Privacy and Public-Private Collaboration
Core state functions, such as law enforcement, are increasingly delegated to private actors. Nowhere is this more apparent than in the development and use of security technologies. This public-private collaboration harbours detrimental consequences for fundamental rights and the rule of law; in particular, for the principle of legality. The policy outcomes which result from this collaboration are not democratically accountable, and allow human rights to be superseded by private, profit-driven interests. Continue reading >>
0
11 May 2023
Challenging Bias and Discrimination in Automated Border Decisions
In Ligue des droits humains, the Court of Justice of the European Union explicitly addresses the fact that the use of AI and self-learning risk models may deprive data subjects of their right to effective judicial protection as enshrined in the Charter. The importance of this judgment cannot be understated for non-EU citizens and at the European borders more generally. Continue reading >>
0
10 May 2023
Foreseeability and the Rule of Law in Data Protection after the PNR judgment
The rule of law cannot be reconciled with the existence of secret laws, unclear laws and laws which cannot be obeyed. However, this may be difficult to realise in practice, where full transparency is at odds with the legislative goals; where a certain degree of flexibility of rules is necessary to address changing circumstances, in which these rules function; and where a disconnect occurs between the visions of the lawmaker and reality created by modern technologies that are utilized to pursue them. The CJEU's ruling in Lige des droits humains on Passenger Name Record Directive underscores the difficulty of foreseeability of algorithmic measures and the rule of law. Continue reading >>
0
10 May 2023
The European Legal Architecture on Security
As the European legal architecture on internal security is being built around large-scale databases, AI tools and other new technologies, the relationship between the public and private sectors has become increasingly complex. We examine one aspect of the Court of Justice of the European Union’s recent judgment in Ligue des droits humains, namely the data protection rules applicable to cooperation between the public and private entities in personal data sharing. The judgment enhances the ‘personal data autonomy’ of individuals and requires public authorities to justify to a high standard any obligations it seeks to place on the private sector to share personal data related, directly or indirectly, to travel by air. Continue reading >>
0