Schrems II and Surveillance: Third Countries’ National Security Powers in the Purview of EU Law, European Law Blog external link

2020

Abstract

On 16 July 2020 the Court of Justice of the European Union (CJEU) composed as Grand Chamber delivered its landmark ruling Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (case C-311/18, “Schrems II”). The focus of my commentary will be on the aspect that EU law on cross-border transfers of personal data to a third country is not deferential to national security powers of that third country. This judgment is remarkable provided that electronic surveillance conducted by Member States’ intelligence authorities for the purpose of national security is off limits for EU law and that exceptions in international agreement are fairly regularly made for national security. This contribution will deal with the embedded assessment of a third country’s national security powers under the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) and will address the criticism that a third country is held to stricter standards than a Member State of the Union.

adequacy decision, C-311/18, Charter of Fundamental Rights, Facebook, frontpage, GDPR, General Data Protection Regulation, national security, Privacy Shield, Schrems II, Standard Contractual Clauses, Surveillance, united states

Bibtex

Online publication{Irion2020c, title = {Schrems II and Surveillance: Third Countries’ National Security Powers in the Purview of EU Law, European Law Blog}, author = {Irion, K.}, url = {https://europeanlawblog.eu/2020/07/24/schrems-ii-and-surveillance-third-countries-national-security-powers-in-the-purview-of-eu-law/}, year = {0724}, date = {2020-07-24}, abstract = {On 16 July 2020 the Court of Justice of the European Union (CJEU) composed as Grand Chamber delivered its landmark ruling Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (case C-311/18, “Schrems II”). The focus of my commentary will be on the aspect that EU law on cross-border transfers of personal data to a third country is not deferential to national security powers of that third country. This judgment is remarkable provided that electronic surveillance conducted by Member States’ intelligence authorities for the purpose of national security is off limits for EU law and that exceptions in international agreement are fairly regularly made for national security. This contribution will deal with the embedded assessment of a third country’s national security powers under the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) and will address the criticism that a third country is held to stricter standards than a Member State of the Union.}, keywords = {adequacy decision, C-311/18, Charter of Fundamental Rights, Facebook, frontpage, GDPR, General Data Protection Regulation, national security, Privacy Shield, Schrems II, Standard Contractual Clauses, Surveillance, united states}, }

Harnessing the collective potential of GDPR access rights: towards an ecology of transparency external link

Mahieu, R. & Ausloos, J.
Internet Policy Review, 2020

Abstract

The GDPR’s goal of empowering citizens can only be fully realised when the collective dimensions of data subject rights are acknowledged and supported through proper enforcement. The power of the collective use of data subjects’ rights, however, is currently neither acknowledged nor properly enforced. This is the message we sent to the European Commission in response to its call for feedback for its two-year review of the GDPR. In our submission entitled Recognising and Enabling the Collective Dimension of the GDPR and the Right of Access – A call to support the governance structure of checks and balances for informational power asymmetries, we demonstrate the collective potential of GDPR access rights with a long list of real-life examples.

frontpage, GDPR, Privacy, transparantie

Bibtex

Article{Mahieu2020, title = {Harnessing the collective potential of GDPR access rights: towards an ecology of transparency}, author = {Mahieu, R. and Ausloos, J.}, url = {https://policyreview.info/articles/news/harnessing-collective-potential-gdpr-access-rights-towards-ecology-transparency/1487}, year = {0717}, date = {2020-07-17}, journal = {Internet Policy Review}, abstract = {The GDPR’s goal of empowering citizens can only be fully realised when the collective dimensions of data subject rights are acknowledged and supported through proper enforcement. The power of the collective use of data subjects’ rights, however, is currently neither acknowledged nor properly enforced. This is the message we sent to the European Commission in response to its call for feedback for its two-year review of the GDPR. In our submission entitled Recognising and Enabling the Collective Dimension of the GDPR and the Right of Access – A call to support the governance structure of checks and balances for informational power asymmetries, we demonstrate the collective potential of GDPR access rights with a long list of real-life examples.}, keywords = {frontpage, GDPR, Privacy, transparantie}, }

Pitching trade against privacy: reconciling EU governance of personal data flows with external trade external link

International Data Privacy Law, vol. 10, num: 3, pp: 201-221, 2020

Abstract

This article positions EU’s external governance of personal data flows against the backdrop of the international controversy on digital trade versus strict privacy laws. Now that the EU has defined its position on horizontal provisions on cross-border data flows and personal data protection, it is both timely and essential to reassess its strategy on the international transfers of personal data in the purview of its future trade agreements. For its own normative approach and regulatory autonomy, the EU has a pivotal role to play in shaping the interface between trade and privacy before the ‘free trade leviathan’ can restrict the policy choices not only of individual states but also of the EU itself. Our contribution aims to break through the present compartmentalization of privacy scholarship and trade lawyers because it situates personal data flows in both disciplines.

Cross-border data flow, Digital trade, EU law, frontpage, GDPR, international trade law, Personal data, Privacy

Bibtex

Article{Irion2020bb, title = {Pitching trade against privacy: reconciling EU governance of personal data flows with external trade}, author = {Irion, K. and Yakovleva, S.}, doi = {https://doi.org/https://doi.org/10.1093/idpl/ipaa003}, year = {0401}, date = {2020-04-01}, journal = {International Data Privacy Law}, volume = {10}, number = {3}, pages = {201-221}, abstract = {This article positions EU’s external governance of personal data flows against the backdrop of the international controversy on digital trade versus strict privacy laws. Now that the EU has defined its position on horizontal provisions on cross-border data flows and personal data protection, it is both timely and essential to reassess its strategy on the international transfers of personal data in the purview of its future trade agreements. For its own normative approach and regulatory autonomy, the EU has a pivotal role to play in shaping the interface between trade and privacy before the ‘free trade leviathan’ can restrict the policy choices not only of individual states but also of the EU itself. Our contribution aims to break through the present compartmentalization of privacy scholarship and trade lawyers because it situates personal data flows in both disciplines.}, keywords = {Cross-border data flow, Digital trade, EU law, frontpage, GDPR, international trade law, Personal data, Privacy}, }

Strengthening legal protection against discrimination by algorithms and artificial intelligence external link

The International Journal of Human Rights, 2020

Abstract

Algorithmic decision-making and other types of artificial intelligence (AI) can be used to predict who will commit crime, who will be a good employee, who will default on a loan, etc. However, algorithmic decision-making can also threaten human rights, such as the right to non-discrimination. The paper evaluates current legal protection in Europe against discriminatory algorithmic decisions. The paper shows that non-discrimination law, in particular through the concept of indirect discrimination, prohibits many types of algorithmic discrimination. Data protection law could also help to defend people against discrimination. Proper enforcement of non-discrimination law and data protection law could help to protect people. However, the paper shows that both legal instruments have severe weaknesses when applied to artificial intelligence. The paper suggests how enforcement of current rules can be improved. The paper also explores whether additional rules are needed. The paper argues for sector-specific – rather than general – rules, and outlines an approach to regulate algorithmic decision-making.

algoritmes, Artificial intelligence, discriminatie, frontpage, GDPR, Privacy

Bibtex

Article{Borgesius2020, title = {Strengthening legal protection against discrimination by algorithms and artificial intelligence}, author = {Zuiderveen Borgesius, F.}, url = {https://doi-org.proxy.uba.uva.nl:2443/10.1080/13642987.2020.1743976}, year = {0329}, date = {2020-03-29}, journal = {The International Journal of Human Rights}, abstract = {Algorithmic decision-making and other types of artificial intelligence (AI) can be used to predict who will commit crime, who will be a good employee, who will default on a loan, etc. However, algorithmic decision-making can also threaten human rights, such as the right to non-discrimination. The paper evaluates current legal protection in Europe against discriminatory algorithmic decisions. The paper shows that non-discrimination law, in particular through the concept of indirect discrimination, prohibits many types of algorithmic discrimination. Data protection law could also help to defend people against discrimination. Proper enforcement of non-discrimination law and data protection law could help to protect people. However, the paper shows that both legal instruments have severe weaknesses when applied to artificial intelligence. The paper suggests how enforcement of current rules can be improved. The paper also explores whether additional rules are needed. The paper argues for sector-specific – rather than general – rules, and outlines an approach to regulate algorithmic decision-making.}, keywords = {algoritmes, Artificial intelligence, discriminatie, frontpage, GDPR, Privacy}, }

Getting Data Subject Rights Right: A submission to the European Data Protection Board from international data rights academics, to inform regulatory guidance external link

Ausloos, J., Veale, M. & Mahieu, R.
JIPITEC, vol. 10, num: 3, 2019

Abstract

We are a group of academics active in research and practice around data rights. We believe that the European Data Protection Board (EDPB) guidance on data rights currently under development is an important point to resolve a variety of tensions and grey areas which, if left unaddressed, may significantly undermine the fundamental right to data protection. All of us were present at the recent stakeholder event on data rights in Brussels on 4 November 2019, and it is in the context and spirit of stakeholder engagement that we have created this document to explore and provide recommendations and examples in this area. This document is based on comprehensive empirical evidence as well as CJEU case law, EDPB (and, previously, Article 29 Working Party) guidance and extensive scientific research into the scope, rationale, effects and general modalities of data rights.

GDPR, gegevensbescherming, Privacy

Bibtex

Article{Ausloos2020, title = {Getting Data Subject Rights Right: A submission to the European Data Protection Board from international data rights academics, to inform regulatory guidance}, author = {Ausloos, J. and Veale, M. and Mahieu, R.}, url = {https://www.jipitec.eu/issues/jipitec-10-3-2019/5031}, year = {1231}, date = {2019-12-31}, journal = {JIPITEC}, volume = {10}, number = {3}, pages = {}, abstract = {We are a group of academics active in research and practice around data rights. We believe that the European Data Protection Board (EDPB) guidance on data rights currently under development is an important point to resolve a variety of tensions and grey areas which, if left unaddressed, may significantly undermine the fundamental right to data protection. All of us were present at the recent stakeholder event on data rights in Brussels on 4 November 2019, and it is in the context and spirit of stakeholder engagement that we have created this document to explore and provide recommendations and examples in this area. This document is based on comprehensive empirical evidence as well as CJEU case law, EDPB (and, previously, Article 29 Working Party) guidance and extensive scientific research into the scope, rationale, effects and general modalities of data rights.}, keywords = {GDPR, gegevensbescherming, Privacy}, }

Toward Compatibility of the EU Trade Policy with the General Data Protection Regulation external link

AJIL Unbound, vol. 114, pp: 10-14, 2020

Abstract

The European Union’s (EU) negotiating position on cross-border data flows, which the EU has recently included in its proposal for the World Trade Organization (WTO) talks on e-commerce, not only enshrines the protection of privacy and personal data as fundamental rights, but also creates a broad exception for a Member’s restrictions on cross-border transfers of personal data. This essay argues that maintaining such a strong position in trade negotiations is essential for the EU to preserve the internal compatibility of its legal system when it comes to the right to protection of personal data under the EU Charter of Fundamental Rights and the recently adopted General Data Protection Regulation (GDPR).

EU law, external trade, frontpage, GDPR, international trade law, WTO

Bibtex

Article{https://doi.org/10.1017/aju.2019.81, title = {Toward Compatibility of the EU Trade Policy with the General Data Protection Regulation}, author = {Yakovleva, S. and Irion, K.}, url = {https://www.cambridge.org/core/journals/american-journal-of-international-law/article/toward-compatibility-of-the-eu-trade-policy-with-the-general-data-protection-regulation/04D5070244733CAEFDAA14C533BAFF7E/share/b44381ff85510e8580104599385baab8c1e3179e}, doi = {https://doi.org/https://doi.org/10.1017/aju.2019.81}, year = {0109}, date = {2020-01-09}, journal = {AJIL Unbound}, volume = {114}, pages = {10-14}, abstract = {The European Union’s (EU) negotiating position on cross-border data flows, which the EU has recently included in its proposal for the World Trade Organization (WTO) talks on e-commerce, not only enshrines the protection of privacy and personal data as fundamental rights, but also creates a broad exception for a Member’s restrictions on cross-border transfers of personal data. This essay argues that maintaining such a strong position in trade negotiations is essential for the EU to preserve the internal compatibility of its legal system when it comes to the right to protection of personal data under the EU Charter of Fundamental Rights and the recently adopted General Data Protection Regulation (GDPR).}, keywords = {EU law, external trade, frontpage, GDPR, international trade law, WTO}, }

Access and Reuse of Machine-Generated Data for Scientific Research external link

Erasmus Law Review, num: 2, pp: 155-165, 2019

Abstract

Data driven innovation holds the potential in transforming current business and knowledge discovery models. For this reason, data sharing has become one of the central points of interest for the European Commission towards the creation of a Digital Single Market. The value of automatically generated data, which are collected by Internet-connected objects (IoT), is increasing: from smart houses to wearables, machine-generated data hold significant potential for growth, learning, and problem solving. Facilitating researchers in order to provide access to these types of data implies not only the articulation of existing legal obstacles and of proposed legal solutions but also the understanding of the incentives that motivate the sharing of the data in question. What are the legal tools that researchers can use to gain access and reuse rights in the context of their research?

frontpage, GDPR, Internet of Things, machine-generated data, Personal data, Privacy, scientific research

Bibtex

Article{Giannopoulou2019bb, title = {Access and Reuse of Machine-Generated Data for Scientific Research}, author = {Giannopoulou, A.}, url = {https://www.ivir.nl/publicaties/download/Erasmus_Law_Review_2019.pdf}, doi = {https://doi.org/10.5553/ELR.000136}, year = {1220}, date = {2019-12-20}, journal = {Erasmus Law Review}, number = {2}, abstract = {Data driven innovation holds the potential in transforming current business and knowledge discovery models. For this reason, data sharing has become one of the central points of interest for the European Commission towards the creation of a Digital Single Market. The value of automatically generated data, which are collected by Internet-connected objects (IoT), is increasing: from smart houses to wearables, machine-generated data hold significant potential for growth, learning, and problem solving. Facilitating researchers in order to provide access to these types of data implies not only the articulation of existing legal obstacles and of proposed legal solutions but also the understanding of the incentives that motivate the sharing of the data in question. What are the legal tools that researchers can use to gain access and reuse rights in the context of their research?}, keywords = {frontpage, GDPR, Internet of Things, machine-generated data, Personal data, Privacy, scientific research}, }

The right to protection of personal data: the new posterchild of European Union citizenship? external link

Irion, K. & Granger, M.-P.
Edward Elgar Publishing, 1031

Abstract

In this chapter we argue that the right to data protection is the posterchild of EU citizenship in the digital era. We start by providing a brief overview of the gradual construction of the right to personal data protection in the EU. We then identify a range of actors who have played a particular role in the building process, including EU citizens themselves. Next, we review the current legal ‘architecture’ of the right to the protection of personal data and discuss whether it could serve as a model for the future development of EU citizenship, notwithstanding remaining challenges at the level of national implementation and public and private compliance with EU rules. Finally, we reflect on the future of the right to data protection, and its contribution to the development of EU citizenship as a legal regime.

citizenship, EU law, frontpage, GDPR, Privacy

Bibtex

Chapter{Irion2018c, title = {The right to protection of personal data: the new posterchild of European Union citizenship?}, author = {Irion, K. and Granger, M.-P.}, url = {https://www.ivir.nl/publicaties/download/The-right-to-protection-of-personal-data-prepub.pdf}, doi = {https://doi.org/10.4337/9781788113441.00019}, year = {1031}, date = {2018-10-31}, abstract = {In this chapter we argue that the right to data protection is the posterchild of EU citizenship in the digital era. We start by providing a brief overview of the gradual construction of the right to personal data protection in the EU. We then identify a range of actors who have played a particular role in the building process, including EU citizens themselves. Next, we review the current legal ‘architecture’ of the right to the protection of personal data and discuss whether it could serve as a model for the future development of EU citizenship, notwithstanding remaining challenges at the level of national implementation and public and private compliance with EU rules. Finally, we reflect on the future of the right to data protection, and its contribution to the development of EU citizenship as a legal regime.}, keywords = {citizenship, EU law, frontpage, GDPR, Privacy}, }

Tracking walls, take-it-or-leave-it choices, the GDPR, and the ePrivacy regulation external link

Zuiderveen Borgesius, F., Kruikemeier, S., Boerman, S.C. & Helberger, N.
European Data Protection Law Review, vol. 2017, num: 3, pp: 353-368, 2017

Abstract

On the internet, we encounter take-it-or-leave-it choices regarding our privacy on a daily basis. In Europe, online tracking for targeted advertising generally requires the internet users’ consent to be lawful. Some websites use a tracking wall, a barrier that visitors can only pass if they consent to tracking by third parties. When confronted with such a tracking wall, many people click ‘I agree’ to tracking. A survey that we conducted shows that most people find tracking walls unfair and unacceptable. We analyse under which conditions the ePrivacy Directive and the General Data Protection Regulation allow tracking walls. We provide a list of circumstances to assess when a tracking wall makes consent invalid. We also explore how the EU lawmaker could regulate tracking walls, for instance in the ePrivacy Regulation. It should be seriously considered to ban tracking walls, at least in certain circumstances.

europe, frontpage, GDPR, Privacy, tracking walls

Bibtex

Article{Borgesius2017b, title = {Tracking walls, take-it-or-leave-it choices, the GDPR, and the ePrivacy regulation}, author = {Zuiderveen Borgesius, F. and Kruikemeier, S. and Boerman, S.C. and Helberger, N.}, url = {https://www.ivir.nl/publicaties/download/EDPL_2017_03.pdf}, doi = {https://doi.org/https://doi.org/10.21552/edpl/2017/3/9}, year = {1019}, date = {2017-10-19}, journal = {European Data Protection Law Review}, volume = {2017}, number = {3}, pages = {353-368}, abstract = {On the internet, we encounter take-it-or-leave-it choices regarding our privacy on a daily basis. In Europe, online tracking for targeted advertising generally requires the internet users’ consent to be lawful. Some websites use a tracking wall, a barrier that visitors can only pass if they consent to tracking by third parties. When confronted with such a tracking wall, many people click ‘I agree’ to tracking. A survey that we conducted shows that most people find tracking walls unfair and unacceptable. We analyse under which conditions the ePrivacy Directive and the General Data Protection Regulation allow tracking walls. We provide a list of circumstances to assess when a tracking wall makes consent invalid. We also explore how the EU lawmaker could regulate tracking walls, for instance in the ePrivacy Regulation. It should be seriously considered to ban tracking walls, at least in certain circumstances.}, keywords = {europe, frontpage, GDPR, Privacy, tracking walls}, }

About finding practical solutions (without the GDPR) external link

European Data Protection Law Review, vol. 2017, num: 3, pp: 310-312, 2017

frontpage, GDPR, Privacy, privacy bridges

Bibtex

Article{vanEijk2017b, title = {About finding practical solutions (without the GDPR)}, author = {van Eijk, N.}, url = {https://www.ivir.nl/publicaties/download/edpl_2017_03_foreword.pdf}, doi = {https://doi.org/https://doi.org/10.21552/edpl/2017/3/5}, year = {1019}, date = {2017-10-19}, journal = {European Data Protection Law Review}, volume = {2017}, number = {3}, pages = {310-312}, keywords = {frontpage, GDPR, Privacy, privacy bridges}, }