Berry Picks in IT Law #30

Thirty whole weeks of news in IT Law, twenty-something whole weeks of data protection in the spotlight. We know where the hypothetical honorable mention is going, at least.

🤖 Artificial Intelligence

The EDPB published a TechDispatch on explainable artificial intelligence. The document addresses the challenges posed by AI systems that function as black boxes. Explainable AI aims to make AI’s decision-making understandable to humans, countering the risks of opaque AI systems that may lead to biased, inaccurate, or discriminatory outcomes. The guidelines underscore the importance of transparency, interpretability, and explainability in AI, distinguishing between them and detailing how they contribute to AI systems’ accountability and compliance with data protection principles. Various approaches to explainable AI are discussed, including self-interpretable (“white box”) models and post hoc explanations. While explainable AI can enhance transparency and trust, it must be implemented with care to avoid misinterpretation, exploitation of AI systems, disclosure of trade secrets, and over-reliance on AI. The human factor remains paramount in ensuring that AI systems are ethically designed and operated in alignment with human rights and data protection standards.

🔐 Cybersecurity

EU Member States agreed on a targeted amendment to the EU’s Cybersecurity Act to include European certification schemes for managed security services. These services are essential for cybersecurity incident management and the amendment aims to enhance the EU’s cyber resilience. The Council’s amendments clarify the definition of these services, align them with the revised NIS 2 Directive, and modify requirements for conformity assessment bodies. The agreement paves the way for negotiations on the final legislation, which seeks to prevent market fragmentation and promote trusted cybersecurity service providers through a unified certification framework.

🔏 Data Protection & Privacy

The CJEU ruled that decisions taken by a supervisory authority in the context of the indirect exercise of the rights of the data subject are legally binding and must be subject to judicial review. This ensures that individuals can challenge the authority’s assessment of the data processing’s legality and any corrective action taken. In short, a Belgian citizen was denied security clearance and sought to access his personal data. The supervisory authority checked the lawfulness of the data processing but did not provide detailed findings. The citizen’s legal challenge was initially dismissed. On appeal, the EU Court of Justice ruled that such decisions by supervisory authorities are binding and must allow for judicial review, enabling individuals to contest the lawfulness of data processing and the adequacy of the authority’s review.

noyb filed a complaint against the EU Commission for using unlawful micro-targeting on X (formerly Twitter) to promote its chat control regulation. The Commission allegedly targeted users based on sensitive data, such as political views and religious beliefs, which contradicts GDPR protections. noyb argues the campaign aimed to sway public opinion and influence the EU legislative process, threatening the integrity of EU democratic procedures. Despite X’s policies against using such data for ad targeting, the campaign reached hundreds of thousands, leading noyb to seek an investigation and possible fines by the EDPS.

The EDPB submitted Guidelines on the Technical Scope of Art. 5 (3) of the ePrivacy Directive for public consultation. The guidelines elaborate on the key elements required for the application of Article 5(3)—information, terminal equipment, access, and storage—and analyze how this applies to common techniques such as URL and pixel tracking, local processing, IP-based tracking, IoT reporting, and unique identifiers. This is aimed at addressing data protection concerns and removing ambiguities in the directive’s application to modern tracking methods.

The FTC took action against Global Tel*Link Corp. for failing to adequately secure data as well as failing to notify consumers after their personal data were breached. Global Tel*Link Corp., a prison communications firm, was mandated by the FTC to inform consumers of future data breaches under a proposed settlement. In 2020, the company inadequately protected sensitive data stored in the cloud, which was later accessible online and found on the dark web. The FTC’s proposed order requires the company to upgrade its data security, notify all affected users, offer credit monitoring services, and promptly inform consumers of any future breaches. The consent agreement is open for public comment before the FTC finalizes it.

🛒 E-Commerce & Digital Consumer

The Netherlands Authority for Consumers & Markets (“ACM”) took action against websites that use fake discounts. The ACM identified widespread use of fake discounts by online sellers, which they considered a structural problem. ACM’s enforcement will target such deceptive practices, which mislead consumers and undermine confidence in the marketplace, also constituting unfair competition. Since January 2023, ACM has reinforced rules requiring discounts to be based on the lowest price in the previous 30 days, barring specific exceptions. Violations discovered in sectors like clothing and electronics will now lead to fines or penalties from ACM, aiming to preserve genuine discount practices and prevent consumer deception. Just in time for the Black Friday and Cyber Monday sales?

The Turkish Competition Authority opened an investigation into some of the biggest e-commerce companies in Türkiye: Hepsiburada, Trendyol & Amazon Turkey. The companies are under scrutiny over the use of automatic pricing mechanisms. Ditto, last paragraph, last sentence.

🐆 Tech in the Wild

Make way for mind-controlled robots. Yes, you can now operate robots by just thinking about it. At the 2023 Conference on Robot Learning (CoRL), a team from Stanford University presented “NOIR: Neural Signal Operated Intelligent Robots for Everyday Activities.” This innovative system enables humans to command robots to perform daily tasks using brain signals detected by electroencephalography (EEG). The interface is part of an extensive study showing robots can be directed through neural signals to execute a variety of household activities like cooking and cleaning. Please pass the wait list.

📄 Recommended Readings

Here are a couple of recent publications, in no particular order, that piqued my interest this week. Remember to grab a cuppa and settle in for some riveting reading.

Government Access to Personal Data and Transnational Interoperability: An Accountability Perspective by Christopher Docksey and Kenneth Propp

Detecting Dark Patterns Using Generative AI: Some Preliminary Results by Stuart Mills & Richard Whittle

Disclaimer: I am in no way affiliated with the authors or publishers in sharing these, and do not necessarily agree with the views contained within. I try to include mostly open access publications due to, well you know, accessibility of knowledge and science.

So there you have it, folks – another week in the fascinating realm of IT Law. You may want to remember to pop back next week for your latest dose of legal updates.

If you have any thoughts or suggestions on how to make this digest more enjoyable, feel free to drop a line. Your feedback is always welcome!

Featured image generated using DALL·E 3.

Sena Kontoğlu Taştan

IT law enthusiast and researcher.
