Hello from the second week of 2023, which felt like two weeks in itself. I found myself asking whether it was Friday one time too many. Hands up anyone else? IT Law, that’s who.
🔏 Data Protection & Privacy
The CJEU has announced the initiation of use fictional names instead of initials in identification of cases that have been anonymised for reasons relating to the protection of personal data. The press release includes that the measure will make it easier to recall the names of those cases and cite them both in case-law and elsewhere. In a nutshell, it’s the best of both worlds- data protection and distinctive case names that are not just numbers. Little dance of joy.
CJEU in Case C-154/21 (Österreichische Post): Everyone has the right to know to whom their personal data have been disclosed. Unless it is impossible to identify the recipients or the request is manifestly unfounded or excessive. The Court reiterated that the right of access is necessary to enable the data subject to exercise their rights under the GDPR.
Member States take note 📝: Administrative and civil remedies under the GDPR may be exercised concurrently with and independently of each other, per the CJEU in Case C‑132/21 (Budapesti Elektromos Művek). CJEU ruled Member States need to ensure that the parallel exercise of remedies does not prejudice the consistent and homogeneous application of the GDPR.
The Austrian Constitutional Court held that journalism activities do not prompt full exemption from the GDPR. Adversely, the GDPR obliges Member States to define the relationship between data protection and freedom of expression in more detail to ensure appropriate balance between conflicting fundamental rights. The decision (German).
TIKTOK has been fined €5 million by the The French Supervisory Authority (“CNIL”) over, yes you guessed it, cookies. According to the CNIL, users were not given options to refuse cookies as easily as accepting them. It was also found that users were not informed in a sufficiently precise manner of the purposes of the different cookies. Side note: the investigations were carried out on the website and not on the app.
EDPB’s binding decisions, adopted last month (remember, remember the 5th of December?), has been published (see for Instagram & Facebook). The decisions elaborate on lawfulness and transparency of processing for behavioral advertising. In a teeny tiny nutshell and in no way an exhaustive summary: Behavioral advertising is not required for performance of a contract (in the case of Meta) and thus cannot be relied on as a legal basis to process personal data.
🔐 Cybersecurity
Fourth round of negotiations for a UN Cybercrime Convention opened this week. The session will consist of negotiations on chapters covering criminalisation, general provisions, and procedural measures and law enforcement. Tune in next week to see whether NGOs’ fears of States’ extensive investigative powers hold ground. In the meantime, access the consolidated text as of 13th January, here.
🛒 E-Commerce & Digital Consumer
ISO to launch Privacy by Design as ISO 31700, an international privacy standard for the protection of consumer products and services. Seems the original seven principles of Privacy by Design have been detailed and morphed into thirty requirements. The launch event will be accompanied by a webinar, which is unsurprisingly sold out. Still, hello data protection through technology design!
💻 Tech
UK removes fax from USO (“Universal Service Obligations”). Telecoms providers are no longer required to provide fax services to customers. The move comes after the initiation of the move of landline calls from the public switched telephone network to Voice over Internet Protocol. I don’t remember the last time I faxed, still feels bittersweet.
📑 Policy
Draft UNIDROIT Principles on Digital Assets and Private Law had been published and is now open to comments. The Principles touch up on proprietary aspects, private international law, control, transfer and secured transactions, and custodians. Aaand, digital assets as being susceptible to being the subject of proprietary rights, without addressing whether they are considered ‘property’ under the other law of a State. Though the Principles are not supposed to provide coverage for all digital assets, only those that meet the threshold of control. The private lawyer in me is very excited to see the outcome.
📄 Recommended Readings
Here is a couple of recent publications that caught my eye this week that may be of interest (wild guess, now that you have reached the end of this page).
Investigating Deceptive Design in GDPR’s Legitimate Interest by Lin Kyi, Sushil Ammanaghatta Shivakumar, Franziska Roesner, Cristiana Santos, Frederike Zufall, and Asia J. Biega.
Selling Surveillance by Asaf Lubin.
I am in no way affiliated with the authors or publishers in sharing these, and I try to include mostly open access publications due to, well you know, accessibility of knowledge and science.
One thought to “Berry Picks in IT Law #6”