Dr Michael Veale, Associate Professor in Digital Rights & Regulation UCL Faculty of Laws, 2022-23 Syllabus Updated 30 Jan 2023.

      |\      _,,,---,,_
ZZZzz /,`.-'`'    -.  ;-;;,_
     |,4-  ) )-,_. ,\ (  `'-'
    '---''(_/--'  `-'\\_)______

Reading importance labels — Check the labels beside each reading! Compulsory means “please do this before class”. Recommended means “if you’re interested, or if you’re writing an essay or revising this topic, have a look at this”. It does not mean “if you’re a really good student you’ll have done all the recommended reading as well as compulsory reading before class”. Optional means “if you’re writing an essay, or it interest you, this might be something you want look at, but you could also do your own research and find other sources too.”

Open access — Wherever possible, resources are accompanied by an open access link (‘OA link’). Some resources are available freely but only behind for-profit repositories such as SSRN, which heavily push users to register and log-in, and hide the download options for downloading without this in the bottom of the page. These are ‘OA-ish links’. Occasionally, a paper or book is too important not to recommend even though an OA version is unavailable. I have tried to minimise these resources throughout the reading list.

Organising your reading — This module has many different types of resources. I strongly recommend you organise them in a reference manager. The best reference manager is Zotero, which is free to install and use (I strongly recommend against the use of Mendeley and/or Endnote). UCL Library runs a range of Zotero training sessions if you wish to use these. It allows you to annotate and make notes on articles and chapters. Zotero can also can be used to organise your citations for your coursework.

L = Lectures. Slides accompanying the lecture are available on Moodle. T = Tutorials

Part 1: Infrastructures and Platforms

L1: Welcome to the Internet: Technologies and Histories

                               ,  
        ,-.       _,---._ __  / \  
       /  )    .-'       `./ /   \  
      (  (   ,'            `/    /|  
      \  `-"             \\'\   / |  
        `.              ,  \ \ /  |  
         /`.          ,'-`----Y   |  
        (            ;        |   '  
        |  ,-.    ,-'         |  /  
        |  | (   |            | /  
        )  |  \  `.___________|/  
        `--'   `--' is the internet in here? =^^=

We all use the Internet. But how many people know what it is; where it came from; how it works? This session will introduce the history of the Internet and the functioning of core Internet technologies. Why were they designed as they were; and with whose values at the core? We will start to see why and how these design decisions interact with law and policy concerning the online world; a theme that will recur throughout the module.

Learning Objectives

• What are the core technologies underpinning the Internet and how (in very rough terms) do they work? Note, as legal scholars we have to understand these technologies enough to be able to reason about how law and policy applies to them, not to be able to deploy them ourselves. So don’t worry if you don’t understand everything, or it seems too technical — focus on trying to get a general understanding.
• What is the difference between the Internet and the Web?
• What technical design principles underpin the Internet? Whose values do they reflect? How do these compare to broader values, for example those reflected in human rights regimes?
• What are some of the main actors and organisations that govern the Internet, and how do they make decisions?
• What is ‘cyberlibertarianism’?

Articles

• Compulsory Andrés Guadamuz, ‘Internet Regulation’ in Lilian Edwards (ed), Law, Policy, and the Internet (Hart Publishing 2019). OA link
  • A useful and broad-ranging introduction into what it is to study Internet law and policy.
• Compulsory Corinne Cath-Speth, ‘Internet Histories: Partial Visions of People and Packets’ in Corinne Cath-Speth, Changing Minds and Machines: A Case Study of Human Rights Advocacy in the Internet Engineering Task Force (IETF) (DPhil Thesis, Oxford University, 2021) pages 27-51. OA link
  • Traces and critiques the cultural and historical values behind the Internet engineers often seen as the main characters in a predominantly white, male, biographical history of the Internet.
• Recommended William Lehr and others, ‘Whither the Public Internet?’ (2019) 9 Journal of Information Policy 1. read: pages 1-20 OA link
  • This article very usefully unpacks three different ways of understanding what “the Internet” is. Parts of this article use some difficult terminology: it is not key you understand it all.
• Recommended Malte Ziewitz and Ian Brown, ‘A Prehistory of Internet Governance’ in Research Handbook on Governance of the Internet (Edward Elgar Publishing 2013). OA link
  • A history of the Internet and its early governance, as well as the institutions involved. Perhaps the best of the many “great men” tales of Internet history critiques by Cath-Speth (2021).
• Optional Kieron O’Hara and Wendy Hall, Four Internets: Data, Geopolitics, and the Governance of Cyberspace (Oxford University Press 2021). paywall link / UCL link
  • A recent overview of the way in which the Internet as we know it is diverging as different nations and jurisdiction have different views on its development and trajectory.

L2: An Unregulable Network?

     \\_______/
 `.,-'\\_____/`-.,'
  /`..'\ _ /`.,'\
 /  /`.,' `.,'\  \
/__/__/ nice\\__\\__\\__
\  \  \web  /  /  /
 \  \\,'`._,'`./  /
  \\,'`./___\\,'`./
 ,'`-./_____\\,-'`.
     /       \

The Internet is sometimes described by politicians as a “Wild West”; a regulation-free land that has long resisted control. According to some, it needs bringing to heel. This is an overly simplistic story. In this session, we will build on the previous session’s understanding of Internet technologies and their design principles to think both about the ways in which this network has resisted control, and the ways in which is has been controlled by both public and private actors.

Learning Objectives

• Does code ‘regulate’? How does this differ from the types of regulation that lawyers are more familiar with discussing?
• What does it mean to say the Internet is ‘generative’? What are the policy implications of generative technologies?
• Which actors are well-positioned to regulate the Internet, and why? What factors make it easier or harder for these actors to alter the working of these networks?

Articles

• Compulsory Jonathan L Zittrain, ‘The Generative Internet’ (2006) 119 Harv L Rev 1974. OA link
  • This article is in some ways a prediction of how ‘walled gardens’ online might emerge. Was Zittrain right?
• Compulsory Julie E Cohen, ‘“Piracy,” “Security,” and Architectures of Control’ in Configuring the Networked Self: Law, Code, and the Play of Everyday Practice (Yale University Press 2012). OA link
  • A strong critique of a variety of ways of looking at ‘code’ and ‘law’ - this might be worth coming back to after we talk about these topics some more as it’s a very dense and rewarding read.
• Recommended Michèle Finck, ‘Blockchains as a Regulatable Technology’ in Blockchain Regulation and Governance in Europe (Cambridge University Press 2018). paywall link / UCL link
  • This chapter looks at ‘regulatory access points’ in relation to blockchains, which we don’t look at much in this course, but the readings and framework proposed by Finck is more generally accessible.
• Optional Lawrence Lessig, Code: Version 2.0 (Basic Books 2006) OA link
  • I suggest looking at pages 61-137 (chapters 5-7). Lessig is referred to a lot in the other readings, and if writing about him you should have a look at what he says in his own words.
• Optional Niels ten Oever, ‘“This is Not How We Imagined It”: Technological Affordances, Economic Drivers, and the Internet Architecture Imaginary’ (2021) 23 New Media & Society 344. OA link
  • This paper is good for those interested in some of the ways in which the technical sides of standards are value laden and contested.
• Optional Clément Perarnaud and others, ‘“Splinternets”: Addressing the Renewed Debate on Internet Fragmentation’ (European Parliamentary Research Service, 2022).

T1: D’oH! Code, Law and Politics of Encrypted DNS

                             __
                   _ ,___,-'",-=-.
       __,-- _ _,-'_)_  (""`'-._\ `.
    _,'  __ |,' ,-' __)  ,-     /. |
  ,'_,--'   |     -'  _)/         `\
,','      ,'       ,-'_,`           :
,'     ,-'       ,(,-(              :
     ,'       ,-' ,    _            ;
    /        ,-._/`---'            /
   /        (____)(----. )       ,'
  /         (      `.__,     /\ /,
 :           ;-.___         /__\\/|
 |  d'oh   ,'      `--.      -,\ |
 :        /            \    .__/
  \      (__            \    |_
   \       ,`-, *       /   _|,\
    \    ,'   `-.     ,'_,-'    \
   (_\\,-'    ,'\\")--,'-'       __\
    \       /  // ,'|      ,--'  `-.
     `-.    `-/ \\'  |   _,'         `.
        `-._ /      `--'/             \
          ,'           |              \
          /             |               \
       ,-'              |               /
      /                 |             -'

Tutorial Questions

Make notes on these three topics to bring to the tutorial to discuss. - What is DNS? What is important to know about DNS in relation to law and policy? How is DNS used in Internet blocking? - What kind of body is the Internet Watch Foundation? Is it a regulator? - Who decides whether encrypted DNS systems, such as DNS-over-HTTPS (DoH) are introduced? What does this mean for the power of private firms vis-a-vis the state? - The UK’s Internet blocking regime is heavily built on DNS filtering. Should this be considered when encrypted DNS is introduced? Who should consider it, and how? How might this work internationally? - Many countries have recently been talking about digital sovereignty (also souveraineté numérique in France). Do you think that DNS illustrates a loss, or highlights a lack, of nation states’ digital sovereignty?

Readings

• Compulsory Debate in Hansard on “Internet Encryption” (citation: HL Deb 14 May 2019, vol 797, cols 1492–1495) OA link
  • A good opportunity to see one of the strangest legislative chambers in the world talk about a highly technical issue.
• Compulsory Open Rights Group, ‘DNS Security — Getting it Right’ (24 June 2019) OA link
  • The Open Rights Group (ORG)is a UK-based digital rights NGO. This report outlines many of the technical aspects of DNS, and the consequences of this, written from the standpoint of a digital rights advocacy organisation.
• Compulsory Internet Watch Foundation, ‘Briefing on DNS-over-HTTPS’ OA link
  • A briefing that in many ways poses a counterpoint to the Open Rights Group paper.
• Recommended Vijay Gurbani and others, ‘When DNS Goes Dark: Understanding Privacy and Shaping Policy of an Evolving Protocol’ (2021) TPRC48: The 48th Research Conference on Communication, Information and Internet Policy. OA-ish link
  • This is a useful academic paper going a little deeper than the ORG work into the different protocols and some of the broader implications of them.
• Optional Tanya Verma and Sudheesh Singanamalla, ‘Improving DNS Privacy with Oblivious DoH in 1.1.1.1’ (The Cloudflare Blog, 12 August 2020) OA link
  • This blog outlines a protocol even newer than DoH or DoT, which also seeks to obscure the identity of the computer querying a website from the DNS resolver (e.g. Cloudflare, Google, or your ISP). You may not understand it all but see if you can understand the rough outline of how and why it works.

L3: Net Neutrality: Is the Internet Just a Series of Tubes?

      /` _`\
     |  (_()| .-.
      \\_  _/_/   \
        ||=\[_\]   |
        || | |   |
        ||/   \  |
        ||`---'  /
    .--'||-.___.'
  /`  .-||-.   internet is just
  '-/`.____.`\  dumb pipes?
    '.______.'

Learning Objectives

• In which ways are internet access providers like historical common carriers — and in which ways are they not?
• Are you convinced by the human rights issues with zero rating? Do they apply similarly to all forms of zero rating, or should some forms be permissible? Under what conditions?
• How do net neutrality laws sit with the emerging (and arguably not empirically ‘neutral’) architecture of the internet, such as content delivery networks?
• Is net neutrality still an important principle to fight for online, or has it been displaced by other concerns?

Bonus Watch the early viral 2006 YouTube remix ‘Series of Tubes’, mocking the anti-net neutrality speech by Sen. Ted Stevens (R-Alaska) (obituary on it here).

Articles

• Compulsory Christopher T Marsden, ‘[Introduction: neutrality, discrimination and common carriage]((https://www.manchesteropenhive.com/view/9781526105479/9781526105479.00020.xml)’, in Network Neutrality: From Policy to Law to Regulation (Manchester University Press 2017).
  • This chapter outlines the broad debate and shape of net neutrality issues - what is at stake, and what are the main developments and actors?
• Compulsory Toussaint Nothias, ‘Access Granted: Facebook’s Free Basics in Africa’ (2020) 42 Media, Culture & Society 329.
  • This article focusses on net neutrality issues in relation to Facebook’s mobile offering on the African continent, documenting some of the civil society twists and turns concerning it.
• Recommended William Lehr and others, ‘Whither the Public Internet?’ (2019) 9 Journal of Information Policy 1. read: pages 1-20
  • This article introduces three ‘lenses’ on the Internet - what do we, consumers, businesses, other actors, really mean when we say we are seeking to regulate the Internet?
• Recommended Helani Galpaya, ‘Zero-Rating in Emerging Economies’ [2017] Global Commission on Internet Governance Paper Series, Chatham House (No 47).
• Recommended Podcast POLITICO, ‘Big Tech v Telecoms Battle’, EU Confidential (Podcast) (4 August 2022) from 9min 30 until end.
  • A debate on whether Big Tech should pay more given they are popular destinations for users to request traffic from. Featuring in favour of the propsal, Alessandro Gropelli from the European Telecommunications Network Operators’ Association (ETNO) and Jan-Niklas Steinhauer, head of policy and regulatory affairs at the German Broadband Association (BREKO); and against the proposal, Christian Borggreen from the Computer and Communications Industry Association (CCIA), and Thomas Lohninger, executive director of the digital rights NGO epicenter.works.
• Optional Vipulya Chari, ‘Internet.Org and the Rhetoric of Connectivity’ (2022) 19 Communication and Critical/Cultural Studies 54. UCL link
• Optional Oles Andriychuk, Angela Daly and Arletta Gorecka, ‘Net Neutrality in New Times: Revisiting the Open Internet Regulation in the UK’ (Leverhulme Research Centre for Forensic Science, 30 September 2021).
• Optional Christopher T Marsden,Network Neutrality: From Policy to Law to Regulation (Manchester University Press 2017).
  • The whole book beyond the Introduction is very useful, in particular, Chapter 5 (Three Wise Monkeys of Net Neutrality) and Chapter 7 (Zero Rating).
• Optional Julianne Romanosky and Marshini Chetty, ‘Understanding the Use and Impact of the Zero-Rated Free Basics Platform in South Africa’ in (ACM Press 2018) Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems - CHI ’18. pages 5-10
• Optional Peter Cihon and Helani Galpaya, ‘Navigating the Walled Garden: Free and Subsidized Data Use in Myanmar’ (LIRNEasia, 2017).
• See chapters in Luca Belli and Primavera De Filippi (eds), Net Neutrality Compendium: Human Rights, Free Competition and the Future of the Internet (Springer 2016).

Case Law

• Recommended One of
  • Case C‑34/20 Telekom Deutschland GmbH ECLI:EU:C:2021:677;
  • Case C‑854/19 Vodaphone (Roaming) ECLI:EU:C:2021:675;
  • Case C‑5/20 Vodafone (Tethering) ECLI:EU:C:2021:676.
  • (They are effectively all the same and were delivered on the same day)
• Optional Joined Cases C-807/18 and C-39/19 Telenor Magyarország Zrt v Nemzeti Média- és Hírközlési Hatóság Elnöke, ECLI:EU:C:2020:708.

Statute

• Compulsory Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access and amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union, OJ L 310/1, recitals 1-17 and art 3.
• Optional The Open Internet Access (EU Regulation) Regulations 2016.
  • Subordinate legislation to the above EU Regulation, which is part of retained direct EU legislation in EU law. It has been amended by The Open Internet Access (Amendment etc.) (EU Exit) Regulations 2018 to remove references to e.g. BEREC.

T2: Bugs in our Pockets: Debating Client-Side Scanning.

        .--.       .--.
    _  `    \     /    `  _
     `\\.===. \\.^./ .===./`
            \\/`"`\\/
         ,  |     |  ,
        / `\\|;-.-'|/` \
       /    |::\  |    \
    .-' ,-'`|:::; |`'-, '-.
        |   |::::\\|   | 
        |   |::::;|   |
        |   \\:::://   |
        |    `.://'   |
       .'             `.
    _,'                 `,_

Encryption technologies, when deployed correctly, allow one entity to send a message to another where the content cannot be examined even if the message is obtained in transit. More and more services online are encrypted ‘end-to-end’, with the defined sender and recipients being the people who want to talk or interact. Signal, WhatsApp, iMessage are all examples of this. Law enforcement agencies have claimed that this hampers their ability to analyse messages for illegal content, although that ability has only been possible due to the migration of messaging onto computers, and the fairly recent development of large-scale analytic techniques. This is often called “going dark”. Attempts to weaken encryption to allow access by third parties to data, often known as introducing “backdoors”, have long been controversial, as weakening encryption can bring significant social and economic consequences for those that rely on secure communication. A recent set of proposals instead suggests “client-side scanning”, a set of technologies where the end-points, such as a mobile phone, are told to scan content after it has been decrypted by the recipient or before it has been sent by the sender, and take some action based on what they find. In this tutorial, we will consider the debates around this technology, particularly in the emerging policy context of child sexual exploitation and abuse.

Tutorial Questions

• What is client-side scanning? How does it differ from alternatives to scanning content, and why has it been proposed now?
• What are the main issues with client-side scanning that critics identify?
• How does client-side scanning connect to discussions of ‘code’ as regulation?
• Do you agree that client-side scanning ‘must be treated like wiretapping’?
• What are the practical challenges of deploying client-side scanning? Who might be involved in deciding how it works, particularly in a global context?

Readings

• Compulsory Hal Abelson and others, ‘Bugs in Our Pockets: The Risks of Client-Side Scanning’ (arXiv, 14 October 2021) (pp 3-14, 21-39) OA link
  • A paper by a group of academic privacy and security engineers analysing issues with client-side scanning that they see from multiple perspectives.
• Compulsory Ian Levy and Crispin Robinson, ‘Thoughts on Child Safety on Commodity Platforms’ (arXiv, 19 July 2022) OA link s 2.5 (pp 21-22), s 5 and s 6 (pp 33-47) (optional for context and further information, sections 2 and 8)
  • A paper from the main scientific leads at GCHQ and the National Cyber Security Centre in the UK, arguing in favour of client-side scanning. It is in part a response to Abelson et al.
• Recommended Ross Anderson, ‘Chat Control or Child Protection?’ (University of Cambridge Computer Lab, 13 October 2022) link
  • This is in turn a rebuttal to Levy and Robinson, questioning some of their empirical assumptions.
• Recommended Kashmir Hill, ‘A Dad Took Photos of His Naked Toddler for the Doctor. Google Flagged Him as a Criminal.’ The New York Times (21 August 2022) link.
• Optional European Data Protection Board and European Data Protection Supervisor, EDPB-EDPS Joint Opinion 4/2022 on the Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse (2022) link
  • A critical report by two EU bodies tasked with overseeing data protection issues in Member States and Union institutions respectively. Focusses on privacy and data protection concerns but with important analysis of proportionality.
• Optional European Commission, Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse (COM(2022) 209 final, 11 May 2022). link particuarly arts 7–10, 44.
  • The proposed legislation by the European Commission which would allow client-side scanning to be implemented through ‘detection orders’.

L4: Intermediary Liability: With Great Power Comes Great Responsibility?

 ____
||""||
||__||--------?------
[ -=.]`)   who intermediates
 ====== 0    your messages?

Learning Objectives

• What was the initial logic behind intermediary liability laws? Was that logic legitimate at the time, and does it remain so today?
• What factors have the CJEU indicated do not compromise the shielding of intermediaries? Do you agree with these judgments?
• What is the concept of the CJEU has built? Are modern platforms neutral in this way?

Articles and Chapters

• Compulsory Lilian Edwards, ‘“With Great Power Comes Great Responsibility?”: The Rise of Platform Liability’ in Lilian Edwards (ed), Law, Policy, and the Internet (Hart Publishing 2019). UCL link
  • This chapter looks over the history of intermediary liability law. Does not quite go up to present day; particularly since then the Digital Services Act, Copyright in the Digital Single Market Act, and Terrorist Content Regulation (all in the EU); and in the UK, the Online Safety Bill, all interact with this.
• Recommended Philippe Jougleux, ‘Intermediaries’ Liability: Where Is My Chair?’ in Philippe Jougleux (ed), Facebook and the (EU) Law: How the Social Network Reshaped the Legal Framework (Springer International Publishing 2022). .
  • A slightly more up to date overview than the Edwards chapter above, with EU focus.
• Recommended Aleksandra Kuczerawy, ‘From “Notice and Take Down” to “Notice and Stay Down”: Risks and Safeguards for Freedom of Expression’ in The Oxford Handbook of Intermediary Liability Online (Oxford University Press 2020). OA-ish link / UCL link
• Optional Jennifer Urban and others, ‘Notice and Takedown in Everyday Practice’ (UC Berkeley Public Law Research Paper No. 2755628, 2017) OA link
  • Read the introduction & executive summary (pp 1-13) and delve into the bits that interest you - it’s a long report.
• Optional Ben Wagner and others, ‘Regulating Transparency? Facebook, Twitter and the German Network Enforcement Act’ (2020) Proceedings of the 2020 Conference on Fairness, Accountability, and Transparency. OA-ish link / UCL link / 8 min talk on the paper
• Optional Sophie Stalla-Bourdillon, ‘Internet Intermediaries as Responsible Actors? Why It Is Time to Rethink the E-Commerce Directive as Well’ in Mariarosaria Taddeo and Luciano Floridi (eds), The Responsibilities of Online Service Providers (Springer 2017). OA-ish link / UCL link
• Optional Graham Smith, ‘5.6 Liability of Online Intermediaries’ in Internet Law and Regulation (Sweet and Maxwell 2020) Book available on Westlaw UK
  • Part of a practitioner textbook on Internet Law. Goes into heavy detail on the jurisprudence in the area.
• Optional Nico van Eijk and others, Hosting Intermediary Services and Illegal Content Online: An Analysis of the Scope of Article 14 ECD in Light of Developments in the Online Service Landscape : Final Report. (European Commission 2019). OA link

Case Law

European Union

• Compulsory Case C-682/18 YouTube and Cyando ECLI:EU:C:2021:503 paras 18-39, 103-118.
  • A case concerning whether certain platform features give an “active role” to intermediaries.
• Recommended Case C‑70/10 Scarlet Extended ECLI:EU:C:2011:771
  • On attempted general monitoring obligations applied to mere conduits (a Belgian ISP).
• Optional Case C-360/10 Netlog ECLI:EU:C:2012:85
  • same issue as Scarlet, relates to hosting on Netlog, a now-defunct Belgian social network.
• Recommended Joined Cases C-236/08 and C-238/08 Google France ECLI:EU:C:2010:159
  • Focus on paras 22-32 and 106-120, you don’t need to understand the relevant trademark law.
• Recommended Case C‑324/09 L’Oréal SA v eBay ECLI:EU:C:2011:474
• Optional Case C-314/2 Telekabel ECLI:EU:C:2014:192 paras 26-50, 106-114
• Optional Case C-484/14 Mc Fadden ECLI:EU:C:2016:689

Tip Reading the Advocate General opinions for these cases can elaborate on how they link to previous case law, and they are written in a less robotic way than the CJEU (although remember that the Court does not always follow the reasoning of the AG.) You can access these on the CJEU’s own webpage using the Curia search by entering the case number.

United Kingdom

• Optional Godfrey v Demon Internet Ltd [1999] EMLR 542
• Optional Payam Tamiz v Google Inc [2013] EWCA Civ 68
• Optional Cartier International AG & Ors v British Telecommunications Plc & Anor [2018] UKSC 28

European Court of Human Rights

• Recommended Delfi AS v Estonia ECLI:CE:ECHR:2015:0616JUD006456909
• Recommended Sanchez v France ECLI:CE:ECHR:2021:0902JUD004558115
  • Referred to the Grand Chamber on 17 Jan 2022.
• Optional MTE v Hungary ECLI:CE:ECHR:2016:0202JUD002294713
• Optional Pihl v Sweden ECLI:CE:ECHR:2017:0207DEC007474214

Statute

European Union

• Compulsory Digital Services Act TO ADD LINK AND FULL REFERENCE, ARTICLES, AFTER COUNCIL APPROVAL.
• Optional Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) [2000] OJ L 178/1 (focus on recitals 40-49, arts 1, 12–15).
  • Note that this has now been superseded by the Digital Services Act, although technically the applicable law is still the e-Commerce Directive until the Digital Services Act is commenced. The transposition of the e-Commerce Directive is still the relevant law in the UK, although with caveats discussed in the lecture.

United States

• Recommended 47 U.S.C. 230(c) (‘Section 230’) OA link

United Kingdom

• Optional The Electronic Commerce (EC Directive) Regulations 2002 OA link
  • These are currently the same as the EU e-Commerce Directive at the time of writing; this is for reference purposes only. Note that Article 15 of the e-Commerce Directive on general monitoring, which forbids Member States from passing certain kinds of laws (as well as judicial authorities from making certain kinds of orders) was never transposed and so has not been clearly retained.

L5: General Monitoring: The Blindfold is Off?

            ______              
         .-'      `-.           
       .'            `.         
      /                \        
     ;                 ;`       
     | illegal content |;       
     ;                 ;|
     '\               / ;       
      \\`.           .' /        
       `.`-._____.-' .'         
         / /`_____.-'           
        / / /                   
       / / /
      / / /
     / / /
    / / /   or is it?
   / / /
  / / /
 / / /
/ / /
\\/_/

Learning Objectives

• Why might a prohibition on general monitoring obligations be justified? What kind of issues it is trying to prevent?
• Has the CJEU changed its understanding of general monitoring over time? What are the arguments for and against this kind of change?
• Is it easy to search for illegal content now we have more advanced technologies to help us do it? What can go wrong? Is it just a matter of time before they become good enough?

Articles

• Compulsory Joris Van Hoboken and Daphne Keller, ‘Design Principles for Intermediary Liability Laws’ (Transatlantic High Level Working Group on Content Moderation Online and Freedom of Expression Working Paper, 8 October 2019) OA link
• Compulsory Robert Gorwa, Reuben Binns and Christian Katzenbach, ‘Algorithmic Content Moderation: Technical and Political Challenges in the Automation of Platform Governance’ (2020) 7 Big Data & Society 2053951719897945. OA link
• Recommended Daphne Keller, ‘Facebook Filters, Fundamental Rights, and the CJEU’s Glawischnig-Piesczek Ruling’ (2020) 69 GRUR Int 616. paywall link / UCL link
• Recommended Martin Senftleben and Christina Angelopoulos, ‘The Odyssey of the Prohibition on General Monitoring Obligations on the Way to the Digital Services Act’ (University of Amsterdam and CIPIL Working Paper, October 2020) OA link
• Recommended Aleksandra Kuczerawy, ‘General Monitoring Obligations: A New Cornerstone of Internet Regulation in the EU?’ in Rethinking IT and IP Law - Celebrating 30 years CiTiP (Intersentia 2019). OAish link
• Recommended Giovanni Sartor, ‘The Impact of Algorithms for Online Content Filtering or Moderation: Upload Filters’ (European Parliament 2020) OA link.
• Optional Maayan Perel and Niva Elkin-Koren, ‘Accountability in Algorithmic Copyright Enforcement’ (2015) 19 Stan Tech L Rev 473. OA link
• Optional Graham Smith, ‘5.6 Liability of Online Intermediaries’ in Internet Law and Regulation (Sweet and Maxwell 2020) Book available on Westlaw UK
• Optional Giancarlo Frosio (ed.) _Oxford Handbook of Online Intermediary Liability*_(Oxford University Press 2020) Closed access DOI UCL link

Case Law

European Union

• Compulsory Case C-18/18 Glawischnig-Piesczek v Facebook ECLI:EU:C:2019:821
• Recommended One of
  • Case C‑70/10 Scarlet Extended ECLI:EU:C:2011:771 (relates to mere conduits)
  • Case C-360/10 Netlog ECLI:EU:C:2012:85 (same issue as Scarlet, relates to hosting on Netlog, a now-defunct Belgian social network)
• Optional Case C-314/2 Telekabel ECLI:EU:C:2014:192 paras 26-50, 106-114
• Optional Case C-484/14 Tobias Mc Fadden v Sony Music Entertainment Germany GmbH ECLI:EU:C:2016:689.
  • This case concerned a WiFi network in a shop that was being used to break the law. A court asked the CJEU whether an injunction against the shop was legal according to the e-Commerce Directive if it required scanning of all content, termination of the WiFi network, or password protecting the network. The CJEU stated that out of the three, only the latter was allowed, as long as it was effective and required users to reveal their identity in order to get the password.
• Case C-401/19 Poland v Parliament ECLI:EU:C:2022:297

#####  ######   ##   #####  # #    #  ####     #    # ###### ###### #    #
#    # #       #  #  #    # # ##   # #    #    #    # #      #      #   #  
#    # #####  #    # #    # # # #  # #         #    # #####  #####  ####   
#####  #      ###### #    # # #  # # #  ###    # ## # #      #      #  #   
#   #  #      #    # #    # # #   ## #    #    ##  ## #      #      #   #  
#    # ###### #    # #####  # #    #  ####     #    # ###### ###### #    #

L6: Because You Attended the Last Seminar, You Might Like: Regulating Recommending

             |\
---|\\--------|-\\\-----
---|/-------0---\\|----
--/|-------------|----
-|-/-\\----------0-----
--\\|/----nice playlist-

Learning Objectives

• Are algorithmic systems essential to deliver content online today? Is there a world without recommenders, or one where they are neutral? In what interfaces or media are they most important?
• What kind of logics might be built into recommender systems? What kind of information about the content, or the users, might you need to do this, and where does this information come from?
• Are recommender systems a good target for regulation of online content? What are the potential benefits, and what are the risks?
• How is being ‘shadow banned’ (or having content ‘reduced’) from a recommender similar or different to being removed from a hosting platform?

Articles

• Compulsory Paddy Leerssen, ‘The Soap Box as a Black Box: Regulating Transparency in Social Media Recommender Systems’ (2020) 11(2) European Journal of Law and Technology.
• Compulsory Jennifer Cobbe and Jatinder Singh, ‘Regulating Recommending: Motivations, Considerations, and Principles’ (2019) 10(3) European Journal of Law and Technology.
• Recommended Ulrik Lyngs and others, ‘So, Tell Me What Users Want, What They Really, Really Want!’ in Extended Abstracts of the 2018 CHI Conference on Human Factors in Computing Systems (CHI EA ’18, New York, NY, USA, ACM 2018).
• Recommended Tarleton Gillespie, ‘Do Not Recommend? Reduction as a Form of Content Moderation’ (2022) 8 Social Media + Society 20563051221117550.
• Recommended Axel Bruns, ‘Filter Bubble’ (2019) 8 Internet Policy Review.
• Recommended Daphne Keller, ‘Amplification and Its Discontents: Why Regulating the Reach of Online Content Is Hard’ (2021) 1 Journal of Free Speech Law 227.
• Optional Owen Bennett, ‘The Promise of Financial Services Regulatory Theory to Address Disinformation in Content Recommender Systems’ (2021) 10 Internet Policy Review.
• Optional Nick Seaver, ‘Captivating Algorithms: Recommender Systems as Traps’ (2019) 24 Journal of Material Culture 421.
• Optional Natali Helberger and others, ‘Exposure Diversity as a Design Principle for Recommender Systems’ (2018) 21 Information, Communication & Society 191.

Statute

European Union

• Compulsory Draft Bill European Parliament legislative resolution of 5 July 2022 on the proposal for a regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC (COM(2020)0825 – C9-0418/2020 – 2020/0361(COD)). look at arts 24a, 29.
• Compulsory Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services OJ L 186/57 (‘P2B Regulation’). look at article 5

Cases

European Union

• Recommended Case C-682/18 YouTube and Cyando ECLI:EU:C:2021:503 paras 18-39, 103-118.

T3: Appraising Recommender Laws

In this tutorial, we are going to look at some of the approaches to recommender systems proposed in current draft bills and compare them. Read the following texts. They’re different proposals made in recent months and years to regulate recommender systems - none of them have passed as of the end of 2021, but they range from highly likely to pass in some form (DSA, Online Safety Bill) to indicative of the potential form of regulation (US Congressional texts).

As you read each, assess the strengths and weaknesses of each document. What is similar or different about them? Where might they succeed and fail? Which one, if any, do you support most, and how would you adjust it if you were a legislator?

Bills

European Union

• Compulsory Draft Bill European Commission, Proposal for a Regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC Act (COM/2020/825 final) (Articles 25-33, and skim the rest as appropriate) link
• Compulsory Draft Bill ARTICLE 19, ‘Digital Services Act: ARTICLE 19 proposed amendment to Article 29 Recommender systems’ (14 May 2021) link (this is a document from a civil society group proposing a concrete amendment to the DSA)

United States

• Compulsory Draft Bill Protecting Americans From Dangerous Algorithms Act, H.R. 8636, 116th Cong. (2020) (entire instrument, remind yourself also of the contents of s 230 CDA for context from the intermediary liability sessions) link
• Compulsory Draft Bill Filter Bubble Transparency Act, H.R. __ 117th Cong. (2021) link

United Kingdom

• Optional Draft Bill HM Government, Online Safety Bill (2021), part 1 and part 2 (much of it repeats. Try to get the gist - it’s a big and complex instrument, and don’t get bogged down in the details.) link

L7: Platforms and Proactive Duties

Guest: Dr Tim Squirrell, Institute for Strategic Dialogue

___  ,--.  __________________________/   ,   /_______
   'O---O'~                                           
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _   ,--.   _ _ _ _ _
           _______________         ~'O---O'           
________< Responsibility?|     _______________________
                    ||  /   ,   /              

Learning objectives

• Is it useful to try and strictly define platforms? If we do, should we define them by what they are, by what they do, or by something else?
• What challenges do platforms pose that we might want to regulate? Which do you think are the most pressing or important?
• Why is it hard to regulate platforms?
• What are some of the major areas of tension in the European intermediary liability regime when it comes to platforms?
• What are the some of the current regulatory trends to try and regulate this area? Do you think they will work — and if so, for whom?

Articles

• Compulsory Julie E Cohen, ‘Law for the Platform Economy’ (2017–18) 51 UCD L Rev 133.
• Compulsory Daithí Mac Síthigh, ‘The Road to Responsibilities: New Attitudes Towards Internet Intermediaries’ (2020) 29 Information & Communications Technology Law 1.
• Recommended Centre for International Governance Innovation (ed.) Models for Platform Governance (CIGI 2019).
  • There are many essays in this collection, all very short and of relevance to the topics we are discussing.
• Recommended Thomas Poell and others, ‘Platformisation’ (2019) 8 Internet Policy Review.
• Optional Robert Gorwa, ‘What is Platform Governance?’ (2019) 22 Information, Communication & Society 854.

L8: Redecentralise This! Interoperability Law and Policy

      ____      *         *
 ____|    \  *      *          * 
(____|     `.____________ _ _ _  _  _  _
 ____|       ____________ _ _ _  _  _  _
(____|     .'
     |____/

Learning Objectives

• What is “interoperability”? What exactly is interoperating with what under different visions of the policy?
• Who would need to be regulated in order to make interoperability a reality? What might the challenges of this be?
• What are some of the current regulatory regimes that touch upon interoperabiity, and how do they function?
• What kind of digital power does interoeprability seek to reduce? Would it be effective in this?
• What are some of the policy concerns people have raised around interoperability?
• Are these concerns valid? In particular, are there ways to moderate content, or to ensure privacy, in an interoperable world?

Readings

• Compulsory Ian Brown, ‘From “Walled Gardens” to Open Meadows’ (Ada Lovelace Institute, 8 November 2021) and Ian Brown, ‘Making Interoperability Work in Practice: Forms, Business Models and Safeguards’ (Ada Lovelace Institute, 16 December 2021) (two-part series).
• Compulsory Daphne Keller, ‘The Future of Platform Power: Making Middleware Work’ (2021) 32 Journal of Democracy 168.
• Recommended Bennett Cyphers and Cory Doctorow, ‘Privacy Without Monopoly: Data Protection and Interoperability’ (Electronic Frontier Foundation, 12 February 2021).
• Optional ‘The EU Framework on Interoperability’ in Marc Bourreau, Jan Kraemer and Miriam Buiten, ‘Interoperability in Digital Markets’ (Centre on Regulation in Europe, March 2022).
• Optional Mitch Stoltz, Andrew Crocker and Christoph Schmon, ‘The EU Digital Markets Act’s Interoperability Rule Addresses An Important Need, But Raises Difficult Security Problems for Encrypted Messaging’ (Electronic Frontier Foundation (EFF), 2 May 2022).

Statute

European Union

• Compulsory Regulation of the European Parliament and of the Council on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (link to Council of Ministers approved version of 11 July 2022, pending publication in the Official Journal of the European Union), particularly arts 1-7.
• Optional Draft Bill European Commission, Proposal for a Regulation of the European Parliament and the Council on harmonised rules on fair access to and use of data (Data Act), COM/2022/68 final, particularly arts 1–12.

United States

• Optional Draft Bill ‘American Innovation and Online Choice Act’, S. 2992, 117th Congr. (2022) (Bill sponsored by Sen. Amy Klobuchar, as amended in the Senate on 25 May 2022), particularly s. 2-3.

L9: Being Forgotten Online

               O             O _J""-.
        .-""L_  o           o /o )   \ ,';
   ;`, /   ( o\               \ ,'    ;  /
   \  ;    `, /                "-.__.'"\\_;
   ;_/"`.__.-"   google or goldfish?

Guest: Andrew Strait, Ada Lovelace Institute (TBC)

Learning Objectives

• How does the right to be forgotten function? Where did it come from?
• What kind of information and process is needed to assess a RTBF request according to the existing jurisprudence? What kind of a process might this be, and how does that compare to what we know of the processes that are used in practice?
• Who does the RTBF benefit?
• Is the balance correct in the RTBF? Should there be more or less emphasis on freedom of expression?
• Is the RTBF adequately governed? How do private decisions and judicial decisions interplay, and are there potential reforms that you might want to see implemented at this interface?

Articles

• Compulsory Andrés Guadamuz, ‘Developing a Right to Be Forgotten’ in Tatiana-Eleni Synodinou and others (eds), EU Internet Law: Regulation and Enforcement (Springer 2017). OA-ish link UCL paywall link
  • An overview of some of the debates and sides people take concerning the Right to Be Forgotten.
• Compulsory Paul De Hert and Vagelis Papakonstantinou, ‘Right to Be Forgotten’, Elgar Encyclopedia of Law and Data Science (2022).
  • A concise encyclopaedia entry providing a guide to the RTBF’s origin and jurisprudence up through the start of 2022.
• Recommended Aleksandra Kuczerawy and Jef Ausloos, ‘From Notice-and-Takedown to Notice-and-Delist: Implementing Google Spain’ (2015–16) 14 Colo Tech LJ 219. OA link
  • A discussion of some of the roles (as they were and are emerging) of different governance actors in the run up to, and in the wake of, the judgment in Google Spain.
• Recommended Theo Bertram and others, ‘Five Years of the Right to Be Forgotten’ in (ACM 2019) Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security 959. OA link
  • A scholarly article on how the RTBF has panned out from the point of view of Google employees, who authored it. Read alongside the firm’s regularly updated, quantitative Transparency Report into EU delisting on the basis of the right.
• Recommended Joris Van Hoboken, ‘Search Engine Freedom’ in Search Engine Freedom: On the Implications of the Right to Freedom of Expression for the Legal Governance of Web Search Engines (University of Amsterdam 2012) pp 168-213. OA link
  • A discussion of the theoretical and legal manners in which freedom of expression applies to search engines, given their crucial role in enabling access to information. Pre-dates Google Spain, although not the debates about the RTBF.
• Optional Jean-François Blanchette and Deborah G Johnson, ‘Data Retention and the Panoptic Society: The Social Benefits of Forgetfulness’ (2002) 18 The Information Society 33. OA link paywalled, typeset link
  • A less legal view of why we might want a right to be forgotten from the standpoint of privacy.
• Optional Tarleton Gillespie, ‘To Remove or to Filter?’ in Custodians of the Internet (Yale University Press 2018). UCL link (paywalled)
  • A broader discussion of the different tactics that internet intermediaries, and particularly platforms, use to limit the distribution of content online.
• Optional David Erdos, ‘The “Right to Be Forgotten” beyond the EU: An Analysis of Wider G20 Regulatory Action and Potential Next Steps’ (2021) 13 Journal of Media Law 1. OA-ish link UCL link
  • Examines how similar rights to be forgotten work in jurisdiction including Canada, Turkey and Australia.
• Optional Stefan Kulk and Frederik Zuiderveen Borgesius, ‘Privacy, Freedom of Expression, and the Right to Be Forgotten in Europe’ in Evan Selinger and others (eds), The Cambridge Handbook of Consumer Privacy (Cambridge University Press 2018). OA-ish link UCL paywall link
  • A useful introduction to how freedom of expression is balanced by the CJEU and ECtHR, focussing on the right to be forgotten. Overlaps otherwise in terms of content with Guadamuz 2017.

Policy Documents

• Optional European Data Protection Board, Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (EDPB 2020) OA link
  • Guidance from the European regulators in charge of enforcing Google Spain and the Right to Erasure. See also the ary on these guidelines by David Erdos, University of Cambridge.
• Optional Access Now, Understanding the Right to Be Forgotten Globally (Access Now 2017) OA link
  • A short policy paper from an NGO indicating the surrounding conditions and a safeguard wishlist for global implementation of a right to be delisted on privacy grounds.

Statute

European Union

• Optional Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, art 17.
  • We will look at the statutory data protection regime, its scope and functioning, in much more detail in Term 2.

Case Law

European Union

• Compulsory Case C-131/12 Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González ECLI:EU:C:2014:317.
• Compulsory Case C‑136/17 GC and Others v Commission nationale de l’informatique et des libertés (CNIL) ECLI:EU:C:2019:773.
• Compulsory Case C‑507/17 Google LLC v Commission nationale de l’informatique et des libertés (CNIL) ECLI:EU:C:2019:772.

It may help to read a few case s on GC and Others and Google v CNIL if you are struggling with them. You can search these out on Westlaw, Google Scholar or just the plain old search engine of your choice.

United Kingdom

• Recommended NT1 & NT2 v Google LLC [2018] EWHC 799 (QB). BAILII
  • The first Google Spain case applied by English courts. One applicant had his delisting refusal by Google overturned by the High Court, and one had it confirmed. What was the difference between them?

T4: “Fake News”: Governing Misinformation

Tutorial Questions

• What kind of a problem is misinformation online? What are its causes, and how can we best understand it?
• How is misinformation currently governed?

Readings

• Compulsory Ronan Ó Fathaigh, Natali Helberger and Naomi Appelman, ‘The Perils of Legally Defining Disinformation’ (2021) 10 Internet Policy Review.
• Compulsory ‘Chapter 2: Prioritise promoting good information over restricting content’ in Full Fact, Full Fact Report 2022 - Tackling Online Misinformation in an Open Society (Full Fact, February 2022).
• Recommended Law Commission of England and Wales, ‘Modernising Communications Offences: A Final Report’ (2021) HC 547, Law Com No 399.
• Recommended Broadband Commission for Sustainable Development, ITU, and UNESCO, ‘Balancing Act: Countering Digital Disinformation While Respecting Freedom of Expression’ (UNESCO, September 2020)
  • A long, rich report - read the Executive Summary, and skim parts, particularly relating to policy solutions, that interest you.
• Optional Joris Van Hoboken and others, The Legal Framework on the Dissemination of Disinformation through Internet Services and the Regulation of Political Advertising (Institute for Information Law (IViR), University of Amsterdam 2019).

Case Law

ECHR

• Optional Salov v Ukraine, ECLI:CE:ECHR:2005:0906JUD006551801
• Optional Brzeziński v Poland, ECLI:CE:ECHR:2019:0725JUD004754207 (currently French only, English press summary here)

L10: Image-Based Sexual Abuse and Platforms

Guest: Dr María Bjarnadóttir, Director for Internet Safety at the Icelandic National Commissioner for Police.

         _
     _n_|_|_,_
    |===.-.===|
    |  ((_))  |
    '==='-'==='

Learning Objectives

• What is image-based sexual abuse, and what are the wrongs and harms of such abuse?
• Why can it be difficult to tackle image-based sexual abuse using the law?
• How is this abuse currently dealt with under English and Scottish law, and what are the difficulties and shortcomings of this offence?
• What is the impact of image-based sexual abuse being “priority illegal content’ in the draft UK Online Safety Bill?
• What might the consequences be if the Law Commission’s new offences were introduced and deemed “priority illegal content”?
• Questions from the further reading
  • What are ‘intimate threats’, as characterised by Levy and Schneier? How should law and policy makers think about ameliorating or protecting against such threats? In particular, what can be done at the level of engineering and product design?
  • Do you agree with Danielle Keats Citron that ‘sexual privacy’ is a distinct category of privacy interests and that traditional privacy law is ill-equipped to protect this interest? If so, what implications might that have for law and policy makers in this jurisdiction e.g. in the context of intermediary liability and the regulation of platforms?

Articles

• Compulsory Nicola Henry and Asher Flynn, ‘Image-Based Sexual Abuse: Online Distribution Channels and Illicit Communities of Support’ (2019) 25 Violence Against Women 1932.
  • This paper focusses on the online communities and spaces that encourage and facilitate image-based sexual abuse, and distribute the materials that form part of the act. When reading, think about how the platforms and spaces described may be within or out of effective reach of the platform regulation discussed so far in the course.
• CompulsoryLaw Commission of England and Wales, ‘Intimate Image Abuse: Summary of the Final Report’ (July 2022)
  • For areas that you are interested in, you should refer to the full report, which is huge but thorough, and will test your skills of skimming: Law Commission of England and Wales, ‘Intimate Image Abuse: A Final Report’ (HC 326, Law Com No 407, July 2022).
• Recommended ‘Seeking Justice for Victim-Survivors of Image-Based Sexual Abuse’, in Nicola Henry and others, Image-based Sexual Abuse: A Study on the Causes and Consequences of Non-consensual Nude or Sexual Imagery (Routledge 2020). to check link functions.
• Recommended Clare McGlynn and Erika Rackley, ‘Image-Based Sexual Abuse’ (2017) 37 Oxford Journal of Legal Studies 534
• Recommended Nicola Henry and Alice Witt, ‘Governing Image-Based Sexual Abuse: Digital Platform Policies, Tools, and Practices’ in Jane Bailey, Asher Flynn and Nicola Henry (eds), The Emerald International Handbook of Technology-Facilitated Violence and Abuse (Emerald Publishing Limited 2021).
• Optional Karen Levy and Bruce Schneier, ‘Privacy Threats in Intimate Relationships’ (2020) 6 J Cyber Security OA link
  • As an alternative to reading this paper you can watch Karen Levy’s talk on the paper from HotPETS 2020
• Optional Danielle Keats Citron, ‘Sexual Privacy’ (2019) 128 Yale Law Journal OA link
• Optional Diana Freed and others, ‘“A Stalker’s Paradise”: How Intimate Partner Abusers Exploit Technology’ in Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems (CHI ’18, New York, NY, USA, ACM 2018) OA link

Statute

• Compulsory Draft Bill Online Safety Bill, cl 8-9; 52; 177; sch 7 para 18. check current Bill status before teaching week
  • Here, please consider what the practical implications for in-scope platforms would be for proactively detecting priority illegal content, were it to include intimate image abuse as proposed. Which elements of the offence would it be easier for platforms to discern, and which harder? Note that only the English offence is listed as “priority”, however the Scottish offence is also relevant due to the provisions in cl 52.
• Compulsory Criminal Justice and Courts Act 2015 s 33-35
  • The current English law criminalising certain aspects of intimate image abuse; overhaul of this has been suggested by the Law Commission in its report, above.
• Compulsory Abusive Behaviour and Sexual Harm (Scotland) Act 2016 s 2-4
  • The Scottish criminal law around the issue — has been praised for being wider than the English law, covering also deepfake sexual content, at least to some degree. May have impact in England regardless via platforms through the operation of the Online Safety Bill, if passed.
• Optional Justice Act (Northern Ireland) 2016 s 51.

Part 2: Privacy, Data and Surveillance

L11: Protecting Privacy Online

What is privacy all about, and why might we seek it? In this session, we will take a look at some of the different issues privacy might, or has been thought to, protect. The three compulsory readings approach this from different angles: Solove offers a taxonomy to cover a breadth of the issues; Viljoen looks at what ‘data law’ might do, focussing on the way that technologies construct and mediate human relations; while Lynskey consider the developing approach(es) that courts in the UK have taken to a set of rights that have only relatively recently made their way into law in this jurisdiction.

For very different views, the optional readings present different viewpoints. Gürses unpacks how computer scientists often think about privacy; O’Hara tries to understand why people talk over each other when talking about what privacy is or should do; Hildebrandt thinks about how privacy might be theorised in relation to a world of profiling machines; while Warren and Brandeis, in a seminal article, try to locate privacy as a right in the US constitution — influential on later thought, not least as Brandeis became a US Supreme Court justice.

What do you think privacy is or should protect? What should the priorities for law be in an informationalised world, and have courts so far appeared to be up to these challenges?

Articles

• Compulsory Daniel J Solove, ‘A Taxonomy of Privacy’ (2005–06) 154 U Pa L Rev 477 OA link
• Compulsory Salomé Viljoen, ‘A Relational Theory of Data Governance’ (2021) 131 Yale Law Journal 573 OA link
• Compulsory Orla Lynskey, ‘Courts, Privacy and Data Protection in the UK: Why Two Wrongs Don’t Make a Right’ in Courts, Privacy and Data Protection in the Digital Environment (Edward Elgar Publishing 2017) UCL link
• Recommended Julie E Cohen, ‘What Privacy is For’ (2012–13) 126 Harv L Rev 1904 OA link
• Recommended Kieron O’Hara, ‘The Seven Veils of Privacy’ (2016) 20 IEEE Internet Computing 86 UCL link
• Recommended Seda Gürses, ‘Can You Engineer Privacy?’ (2014) 57 Communications of the ACM 20. UCL typeset link / OA preprint link
• Optional Mireille Hildebrandt, ‘Privacy as Protection of the Incomputable Self: From Agnostic to Agonistic Machine Learning’ (2019) 20 Theoretical Inquiries in Law 83 OA link
• Optional Samuel D Warren and Louis D Brandeis, ‘The Right to Privacy’ (1890) 4 Harvard Law Review 193 OA link
• Optional Julie E Cohen, ‘Turning Privacy Inside Out’ (2019) 20 Theoretical Inquiries in Law OA link

Cases

United Kingdom

• Recommended Kaye v Robertson [1991] FSR 62 link
• Recommended Wainwright v Home Office [2003] UKHL 53, [2004] 2 AC 406 (see particularly paragraphs [15]-[35] from Lord Hoffman’s judgment) link
• Recommended Campbell v MGN Ltd [2004] UKHL 22, [2004] AC 457 (see particularly paragraphs [11]-[22] from Lord Nicholl’s judgment) link

Podcasts

• Optional Episode 15 of Constitutional on ‘Privacy’. It includes some very useful background and further detail, particularly on Warren and Brandeis’ article, and why it is relevant today. link

T5: Data Rights

Preparation (in class, in part)

For this tutorial, there is a short preparatory activity we will use as a basis for discussion about the right of access. Carrying out steps 1-2 are essential, but step 3 is optional (writing further to a company to request your data). I advise doing it, however, as it is free, and interesting to see how they interact with you, and what you get back.

1. Try to use a “download my data” tool” on one or more services that you use. Some examples of those from the largest services are below:

• Facebook
• Twitter
• Instagram
• Amazon
• Apple
• Google
• Microsoft
• TikTok

2. If you get a copy of the data, try to locate the privacy policy for that company. Privacy policies are usually implemented as to provide some of the information required in Article 13 of the GDPR (have a look). Re-read articles 13–15, and article 20, of the GDPR. Is this all the data you requested? What personal data might be missing? Do you also think (e.g. from your usage of a service) that the controller might have additional data about you they are not telling you about?

3. [Optional, but recommended] Write an email or other message to the firm (how should be detailed in the privacy policy) asking for a full copy of you data, highlighting any omissions you discovered or suspected based on point 2. I have made a template for a very full version of how to do this here, but you are welcome to just type something shorter or more focussed.

If you get to 2 and 3, save all the files you get from this process in one place (e.g. a copy of relevant parts of the privacy policy, and any data), so we can talk about the process during the tutorial. Regardless, save and look at any data you receive.

In this session, we’ll discuss the access rights made earlier in class. Please come having done the reading and try to bring whatever you have received in a form on your computer you can use to discuss and refer to (although no need to share it!).

Questions to consider: - What is the right of access for? What is its scope? What are its limits? - How powerful is the right of access at achieving its various purposes? - What barriers exist to make access rights useful or powerful? - What barriers did you face getting access to, or scrutinising data? How might you reform the right of access to make it more useful - or is such reform futile?

Readings

• Compulsory GDPR, arts 12, 15, 20.
• Compulsory European Data Protection Board, ‘Guidelines 01/2022 on data subject rights - Right of access’ (Version for Public Consultation, 2022) OA link
• Compulsory Jef Ausloos and Pierre Dewitte, ‘Shattering One-Way Mirrors – Data Subject Access Rights in Practice’ (2018) 8 International Data Privacy Law 4. UCL link OA link
• Optional René Mahieu, ‘The Right of Access to Personal Data: A Genealogy’ (2021) 2021 TechReg 62. OA link
• Optional Jef Ausloos and Michael Veale, ‘Researching with Data Rights’ (2020) 2020 Technology and Regulation 136.
• Optional Case C‑434/16 Nowak ECLI:EU:C:2017:994
• Optional Joined Cases C‑141/12 and C‑372/12 YS and Others ECLI:EU:C:2014:2081.

L12: Data Protection: Form and Function

In this session, we introduce a parallel but interwoven regime to privacy and private life: data protection. Lynskey introduces where data protection came from, what is does, and how it relates to privacy. Her book was written before the passing of the General Data Protection Regulation, which builds on previous privacy statutes; this is the topic of Hoofnagle and others, who seek to summarise the Regulation. You should also read the GDPR alongside this article as appropriate.

Further readings look at the history of data protection law (González Fuster), and elaborate theoretically on the functioning of data protection and its place within the EU legal order (Lynskey, Ausloos).

Think while reading about what data protection seeks to do and protect. How does it secure the aims we discussed when considering privacy? What other ends does it pursue, or ways might it protect or empower people? Is it a subset of privacy, or a separate, complementary regime? How many of the rights and obligations were you aware of, and how does the text of data protection law relate to the practices of firms and governments that you are aware of?

Articles

• Compulsory Orla Lynskey, ‘The Key Characteristics of the EU Data Protection Regime’ and ‘The Link between Data Protection and Privacy in the EU Legal Order’ in The Foundations of EU Data Protection Law (Oxford University Press 2015) UCL link
• Compulsory Chris Jay Hoofnagle and others, ‘The European Union General Data Protection Regulation: What It Is and What It Means’ (2019) 28 Information & Communications Technology Law 65 OA link
• Recommended Gloria González Fuster, ‘The Materialisation of Data Protection in International Instruments’ in The Emergence of Personal Data Protection as a Fundamental Right of the EU (Springer 2014) UCL link
• Recommended Orla Lynskey, The Foundations of EU Data Protection Law (Oxford University Press 2015) UCL link
• Optional Jef Ausloos, ‘Foundations of Data Protection Law’ in The Right to Erasure in EU Data Protection Law: From Individual Rights to Effective Protection (Oxford University Press 2020) UCL link

Policy Documents

• Optional European Court of Human Rights, Guide to the Case Law of the European Court of Human Rights: Data Protection (Council of Europe, updated regularly) (look at relevant parts to bolster your understanding) OA link
  • Note, that the ECHR is distinct from the CJEU in its privacy and data protection jurisprudence. There is no explicit right to data protection in the Convention; this does not mean the Court has not developed jurisprudence in this area, however.

Statute

• Compulsory Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1. Read this alongside the Hoofnagle and others article. You do not need to read all of the recitals yet, and this takes most of the length out; but they do help shine light on the main articles, and are important interpretative tools, so refer back as appropriate.

• Compulsory Charter of Fundamental Rights of the European Union, articles 7–8.

L13: The Law of Everything? Anonymisation and the Scope of Personal Data

One of the main concepts in data protection is the concept of personal data. The boundaries of this concept have been hotly contested, and are an important point of interaction for law, policy, computer and data science alike; all of these disciplines work on this issue intensely. McAuley describes why computer scientists find anonymisation difficult to achieve. Purtova argues that the CJEU has interpreted the GDPR in an expansive manner which has led an unmanageable array of information types to be classifiable as personal data (but compare to optional reading, Dalla Corte, who critiques this reading). Elliot and others propose a different approach, which looks at the risk of data to be reidentified in its environment. What would be the benefits or risks of adopting this approach? You should also read the Breyer case, which is looked at considerably in the Purtova article.

You may also choose to read further reading, such as a technical analyis of why it is difficult or impossible to anonymise some types of location data from the perspective of computer science by de Montjoye and others, the application to smart environments and technologies by Gellert. You should also consider the household exemption, part of the scope of data protection law, which is importantly limited by the cases Lindqvist and Ryneš.

How should a controller in practice go about considering what is personal data or not? How might this differ for different types of data — text; location; tabular data; video data or photographs? Is there a good balance between personal or non personal data classification that is possible, or will any approach inevitably be gamed and abused? If so, is there a way out of this quandary?

While reading it all, as well as when you have read both the papers and the cases, think through the following questions:

1. What is it about data that makes anonymisation particularly hard?
2. Can you think of a good example of data which is reliably non-personal under data protection law?
3. What sort of test does Breyer imply? What kind of capacities might data controllers need to carry out this test?
4. Is this approach to personal data a sensible one for data protection law? What might be the challenges if a narrower approach was taken? What about a broader one?
5. Is the household exemption too narrow in scope?

Statute

European Union

• Compulsory GDPR, recitals 26-30, arts 2, 4(1).

Videos

• Compulsory Video Derek McAuley, The Anonymisation Problem (Computerphile 2017) length: 10 mins
• Optional Latanya Sweeney, Reidentification Risks and the HIPAA Privacy Rule (US Department of Health and Human Services Conference on Data Privacy in the Digital Age, 26 October 2017) first 22 mins

Articles

• Compulsory Nadezhda Purtova, ‘The Law of Everything. Broad Concept of Personal Data and Future of EU Data Protection Law’ (2018) 10 Law, Innovation and Technology 40.
• Compulsory Mark Elliot and others, ‘Functional Anonymisation: Personal Data and the Data Environment’ (2018) 34 Computer Law & Security Review 204. OA preprint link / UCL typeset link
• Recommended Michèle Finck and Frank Pallas, ‘They Who Must Not Be Identified—Distinguishing Personal from Non-Personal Data under the GDPR’ (2020) 10 International Data Privacy Law 11.
  • Contains useful context about pseudonymisation methods such as hashing and salted hashing, as well as detailed legal analysis up to 2020.
• Recommended Nadezhda Purtova, ‘From Knowing by Name to Targeting: The Meaning of Identification under the GDPR’ (2022) 12 International Data Privacy Law 163.w
  • Considers whether there is an alternative way to justify personal data, focusing on ideas of singling out and individuation rather than reidentifiability.
• Recommended Lorenzo Dalla Corte, ‘Scoping Personal Data: Towards a Nuanced Interpretation of the Material Scope of EU Data Protection Law’ (2019) 10 European Journal of Law and Technology.
  • Critiques Purtova (2018), arguing that the scope she indicates is too broad and highlighting rhetorical flaws in the argument.
• Recommended Raphaël Gellert, ‘Personal Data’s Ever-Expanding Scope in Smart Environments and Possible Path(s) for Regulating Emerging Digital Technologies’ (2021) 11 International Data Privacy Law 196. UCL typeset link / OA preprint
• Optional Yves-Alexandre de Montjoye and others, ‘Unique in the Crowd: The Privacy Bounds of Human Mobility’ (2013) 3 Scientific Reports 1376.
  • A seminal computer science paper on the futility of anonymising location data.
• Optional Draft Guidance Information Commissioner’s Office (2021), ICO call for views: Anonymisation, pseudonymisation and privacy enhancing technologies guidance
• Optional Benjamin Wong, ‘Delimiting the Concept of Personal Data after the GDPR’ (2019) 39 Legal Studies 517. UCL link
• Optional Michael Veale, Reuben Binns and Lilian Edwards, ‘Algorithms that Remember: Model Inversion Attacks and Data Protection Law’ (2018) 376 Phil Trans R Soc A 20180083.
  • A paper arguing that machine learned models may contain personal data. Relevant for discussions of chatGPT and similar large language models.

Cases

European Union

• Compulsory Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland ECLI:EU:C:2016:779 (on the identifiability of personal data)
• Recommended Case C‑434/16 Nowak ECLI:EU:C:2017:994 (on exam scripts and comments)
• Recommended C-184/20 Vyriausioji tarnybinės etikos komisija ECLI:EU:C:2022:601 (on conditions for inference of special category data)
• Recommended Case C-101/01 Lindqvist EU:C:2003:596 (on the scope of the household exemption)
• Recommended Case C‑212/13 Ryneš ECLI:EU:C:2014:2428. (on a CCTV camera on a house and the household exemption)

Pending Cases

• Case C-604/22 IAB Europe (on whether a compliance mechanism for online tracking comprises personal data)
• Case C-659/22 Ministerstvo zdravotnictví (Czech Ministry of Health) (on whether scanning vaccination certs amounts to processing)
• Case C-115/22 NADA and Others (on health data and doping)
• Case C-446/21 Schrems (on sexuality and special category data in advertising)

United Kingdom

• Optional Durant v Financial Services Authority [2003] EWCA Civ 1746.
• Optional Edem v The Information Commissioner & Anor [2014] EWCA Civ 92
• Optional Secretary of State for the Home Department & Anor v TLU & Anor [2018] EWHC 2217 (QB).

L14: Revenge of the Cookie Monster

Somebody is prying through your files, probably
Somebody's hand is in your tin of Netscape magic cookies
But relax: if you're an interesting person
Morally good in your acts
You have nothing to fear from facts

The Age of Infomation (Momus, 1997)

Cookie pop ups when you browse the web are hardly anything new to most Internet users, particularly in Europe. But what exactly are cookies? How do they something that we should be concerned about? How does the law understand cookies, and how has that developed over time? In the session, we’re going to try and get some answers to some of these questions. While reading and examining the below, it will be good to think about the following questions:

1. What conceptual role do cookies play in online tracking and profiling?
2. Consent is a large part of the way that we govern cookies in Europe. But is it a good way to do this? What would the alternatives look like, and in what ways would they be better or worse?
3. If many of the ways the cookies are used on the Internet are currently illegal, why hasn’t anything been done about it? What are the main challenges and regulatory hurdles that prevent affective enforcement?

Also pay attention to the issue of controllership — this topic should be considered in tandem with the tutorial on controllership. Who is the controller when it comes to tracking on a website?

Articles

• Compulsory Michael Veale and Frederik Zuiderveen Borgesius, ‘Adtech and Real-Time Bidding under European Data Protection Law’ (2022) 23 German Law Journal. OA link
• Compulsory Midas Nouwens and others, ‘Dark Patterns after the GDPR: Scraping Consent Pop-Ups and Demonstrating Their Influence’ in (ACM 2020) Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI 2020). OA link
• Compulsory René Mahieu and Joris Van Hoboken, ‘Fashion-ID: Introducing a Phase-Oriented Approach to Data Protection?’ (European Law Blog, 30 September 2019) OA link
• Recommended Reuben Binns and others, ‘Third Party Tracking in the Mobile Ecosystem’ in Proceedings of the 10th ACM Conference on Web Science (WebSci ’18) (ACM 2018). OA link
• Optional Michael Veale, Midas Nouwens and Cristiana Santos, ‘Impossible Asks: Can the Transparency and Consent Framework Ever Authorise Real-Time Bidding After the Belgian DPA Decision?’ (2022) 2022 Technology and Regulation 12.
• Optional Günes Acar and others, ‘The Web Never Forgets: Persistent Tracking Mechanisms in the Wild’ in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS ’14) (ACM 2014) UCL link / OA link
• Optional René Mahieu and others, Responsibility for Data Protection in a Networked World: On the Question of the Controller, “Effective and Complete Protection” and its Application to Data Access Rights in Europe, 10 (2019) JIPITEC 85
• Optional Konrad Kollnig and others, ‘Before and after GDPR: Tracking in Mobile Apps’ (2021) 10 Internet Policy Review. OA link
• Optional Jiahong Chen and others, ‘Who is Responsible for Data Processing in Smart Homes? Reconsidering Joint Controllership and the Household Exemption’ (2021) 10 International Data Privacy Law 279.

Policy Documents

• Optional Information Commissioner’s Office, ‘Update Report into Adtech and Real Time Bidding’ (20 June 2019) link
• Optional Information Commissioner’s Office, ‘Data Protection and Privacy Expectations for Online Advertising Proposals’ (25 November 2021). link
• Optional CNIL (French DPA), ‘Cookies: FACEBOOK IRELAND LIMITED Fined 60 Million Euros’ (6 January 2022) link; CNIL (French DPA), ‘Cookies: GOOGLE Fined 150 Million Euros’ (6 January 2022) link. see also English language decisions within

Cases

European Union

• Compulsory Case C-210/16 Wirtschaftsakademie Schleswig-Holstein ECLI:EU:C:2018:388.
• Compulsory Case C-49/17 Fashion ID ECLI:EU:C:2019:629.
• Recommended Case C‑252/21 Meta Platforms and Others ECLI:EU:C:2022:704, Opinion of Advocate General Rantos **particularly concerning the interaction of web tracking data and Article 9 sensitive data characteristics*.
• Optional Case C‑25/17 Jehovan todistajat ECLI:EU:C:2018:551. consider how the controllership argument might analogise
• Optional Case C-673/17 Planet49 GmbH ECLI:EU:C:2019:801.
• Optional Case C-131/12 Google Spain ECLI:EU:C:2014:317. particularly around questions of controllership

• Recommended Case C‑210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2017:796, Opinion of AG Bot.
• Recommended Case C-49/17 Fashion ID GmbH & CoKG v Verbraucherzentrale NRW eV ECLI:EU:C:2018:1039, Opinion of AG Bobek.

United Kingdom

• Optional Vidal-Hall v Google Inc [2015] EWCA Civ 311.
• Optional Lloyd v Google LLC [2021] 3 UKSC 50.

Belgium

• Optional Regulatory decision Belgian Data Protection Authority, ‘Decision on the Merits 21/2022 of 2 February 2022, Complaint Relating to Transparency & Consent Framework (IAB Europe), DOS-2019-01377’ (2 February 2022).
  • Summarised and analysed in Veale, Nouwens and Santos (2022) above. An appeal is currently stayed pending a preliminary reference to the CJEU in Case C-604/22 IAB Europe.

Statute

United Kingdom

• Compulsory Privacy and Electronic Communications (EC Directive) Regulations 2003, reg 6
  • This derives from the e-Privacy Directive, art 5(3), below.
• Optional Draft Bill Data Protection and Digital Information HC Bill (2022–23) 143, cl 79.
  • Whether this law will be reintroduced is currently unclear.

European Union

• Recommended Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) OJ L 201/37, art 5(3).
  • This is implemented in the UK by PECR reg 6, above

L15: Computer Says No? Machine Learning and Automated Decision-making

Computers are intermediating the content of decisions now, rather than just transmitting them. The governing of algorithms and automated systems is big news, and big business for some. But what role for data protection law? In this session, we’ll dig into the details.

When doing the reading, think about the following:

• What are the main issues concerning algorithms that require governance? What has the last few years indicated are the most pressing of them, and which might be the most pressing in the future?
• Should we be worried about algorithms, or “decisions”, both or neither?
• How can we reconcile the purpose of Article 22 with the rest of the GDPR? Does it connect to form a coherent whole, or does it not make sense?
• Is Article 22 a relic that will fail to govern algorithms going forward, or is there hope that it can be usefully repurposed? If so, as a simple safety net, or an active tool of governance?
• Are there simple changes, or court interpretations, that might make the governance of algorithms through the GDPR function more effectively? Which? Are they likely without new legislation?

Articles

• Compulsory Margot E Kaminski, ‘Binary Governance: Lessons from the GDPR’s Approach to Algorithmic Accountability’ (2019) 92 Southern California Law Review
• Compulsory Reuben Binns and Michael Veale, ‘Is that Your Final Decision? Multi-Stage Profiling, Selective Effects, and Article 22 of the GDPR’ [2021] International Data Privacy Law
• Compulsory Andrew D Selbst and others, ‘Fairness and Abstraction in Sociotechnical Systems’ in Proceedings of the Conference on Fairness, Accountability, and Transparency (FAT* ’19, New York, NY, USA, ACM 2019).
• Recommended Lilian Edwards and Michael Veale, ‘Slave to the Algorithm? Why a “Right to an Explanation” Is Probably Not the Remedy You Are Looking For’ (2017) 16 Duke Law & Technology Review 18
• Recommended Andrew Selbst and Solon Barocas, ‘The Intuitive Appeal of Explainable Machines’ (2018) 87 Fordham Law Review 1085.
• Recommended Mireille Hildebrandt, ‘Privacy as Protection of the Incomputable Self: From Agnostic to Agonistic Machine Learning’ (2019) 20 Theoretical Inquiries in Law 83.
• Optional Margot E Kaminski, ‘The Right to Explanation, Explained’ (2019) 34 Berkeley Technology Law Journal OA link
• Optional Andrew D Selbst and Julia Powles, ‘Meaningful Information and the Right to Explanation’ (2017) 7 International Data Privacy Law 233.
• Optional Sandra Wachter and others, ‘Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation’ (2017) 7 International Data Privacy Law 76.

Policy Documents

• Compulsory Article 29 Working Party, ‘Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679 (WP251rev.01)’ (6 February 2018) alongside article 15, 22, recital 71, GDPR. skim read
• Optional Information Commissioner’s Office, ‘Guidance on AI and data protection’ (2021) link

Statute

European Union

• Compulsory General Data Protection Regulation (GDPR), articles 15, 21, 22, recital 71.

United Kingdom

• Optional Draft Bill Data Protection and Digital Information HC Bill (2022–23) 143, cl 11. - Whether this law will be reintroduced is currently unclear.

Case-Law

European Union

Pending

• Case C-634/21 SCHUFA Holding and Others (scoring) (on downstream algorithmic decisions)
• Case C-203/22 Dun & Bradstreet Austria

L16: State Surveillance: Introducing Bulk Powers

In 2013, documents leaked by Edward Snowden had a transformative effect on law, business practices, and perceptions. In this first surveillance seminar, we will try to look at the bigger picture, of technologies being used and some of the human rights fights around the old and new regimes.

When reading, consider the following:

• What kind of impact on privacy is there from using content of communications? What kind from metadata?
• How might you conceptualise the ECtHR’s trend in attitudes towards bulk collection/mass surveillance regimes?
• What are the geopolitical implications of bulk collection, interception and interference practices? How does this relate to the jurisdiction and physical location of cloud companies?
• Intelligence agencies commonly argue that bulk regimes are not particularly invasive as only some material is ever selected and read by humans. Do you consider that a sufficient safeguard?
• What does surveillance of these types tell us about the role of the intermediaries we looked at previously? What powers and responsibilities do they have; how have they used these; and how should they use them?

Articles

• Compulsory Alan Z Rozenshtein, ‘Surveillance Intermediaries’ (2018) 70 Stanford Law Review 99. OA link
• RecommendedAndrew Murray, ‘State Surveillance and Data Retention’ in Information Technology Law (Oxford University Press 2019). UCL link
• Optional Graham Smith, Internet Law and Regulation (Sweet and Maxwell 2020) s 8.1–8.2 available on WestLaw for subscribers, no direct UCL link
• Optional David Lyon, Surveillance after Snowden (Polity Press 2015). UCL link
• Optional Hal Abelson and others, Bugs in our Pockets: The Risks of Client-Side Scanning (preprint, 2021) OA link

Policy Documents

• Compulsory David Anderson, Report of the Bulk Powers Review (Her Majesty’s Stationery Office 2016). OA link
• Compulsory Unknown Author (OPC-MCR/GCHQ), ‘HIMR Data Mining Research Problem Book’ (Contained in the Snowden Leaks, 20 September 2011) OA link
  • Skim the top-secret research ‘open question’ problem book of the Heilbron Institute for Mathematical Research (University of Bristol), a GCHQ funded research centre that works on highly classified research. This book, part of the Snowden leaks, describes the kind of data and practices that GCHQ have and provide to the researchers that develop the techniques to analyse it. (some of this is very technical, I recommend pages 7-15, 51-53, 67-68. The data sources at the end, particularly pp 69–74 may also be interesting)**
• Recommended David Anderson, A Question of Trust (Her Majesty’s Stationery Office 2015). OA link
• Optional Caspar Bowden, The US Surveillance Programmes and Their Impact on EU Citizens’ Fundamental Rights (European Parliament 2013) OA link

News Articles

• Recommended Phineas Rueckert, ‘Pegasus: The New Global Weapon for Silencing Journalists’ (Forbidden Stories, 18 July 2021) link.
  • More on Pegasus and the NSO in the podcast Darknet Diaries, interviewing John Scott-Railton from Citizen Lab at the University of Toronto, in episode 100 ‘NSO’ audio / full transcript.

Videos

• Recommended Caspar Bowden, The Cloud Conspiracy 2008-14 (The 31st Chaos Computer Congress, 31C3 2014) OA link

Databases

• Compulsory Browse the Snowden Archive. Look by Program, and for each entry, you can click on the news article analysing it at the bottom, or access the original PDF of the document itself.

T6: Controllership and the Internet of Things

In this tutorial, you’ll be looking at mixed questions of controllership and the personal scope of EU data protection law.

The Internet is built into more and more devices that enter our personal spheres. These might be connected domestic devices, sometimes captured by industry monikers such as the ‘smart home’ or the ‘Internet of Things’, or wearables that process data generated by or about a individual’s person while they are out-and-about.

We’ll be discussing the following questions:

• Recap: What is the household exemption, and its scope? What is (joint) controllership and what are its features?
• How conceptually useful is the Court’s test of whether processing is “directed outwards from the private setting of the person processing the data” in determining whether the household exemption applies? What tensions might you imagine would emerge from such a test?
• Does the changing definition of joint controller stand in the way of a more decentralised Internet, with fewer powerful actors?
• How could, or should, data protection deal with individuals processing personal data themselves? What are the challenges or risks of different approaches?
• What are the consequences of the judgments in Ryneš and Fairhurst v Woodard for conventional devices?

To prepare for this tutorial, please read one paper, and one case. Some additional reading is provided.

Articles

• Compulsory Jiahong Chen and others, ‘Who is Responsible for Data Processing in Smart Homes? Reconsidering Joint Controllership and the Household Exemption’ (2021) 10 International Data Privacy Law 279.
• Optional Jurriaan van Mil and João Pedro Quintais, ‘A Matter of (Joint) Control? Virtual Assistants and the General Data Protection Regulation’ (2022) 45 Computer Law & Security Review 105689.

Cases

European Union

• Compulsory Case C‑212/13 František Ryneš v Úřad pro ochranu osobních údajů, ECLI:EU:C:2014:2428 (Ryneš).

United Kingdom

• <Compulsory Fairhurst v Woodard [2021] 10 WLUK 151 (CC (Oxford)) (unreported)

L17: State Surveillance: Bulk Powers and Human Rights

Arguably the most control over state surveillance is exercised by the European Convention on Human Rights. In this session, we’re going to look at how it has understood state surveillance across the years, and some of the key tensions it has faced going forward.

1. How can we characterise the way the ECtHR has or has not changed in relation to the changing nature of surveillance?
2. Should courts play closer attention to the substance of surveillance powers? How?
3. Is a bulk collection or interception regime a natural progression or a disjunct leap from targeted collection/interception? What is the view of the ECtHR on this?
4. Should individuals be notified that they have been subject to surveillance measures, when it would not undermine investigations to do so?

Readings

• Compulsory Eleni Kosta, ‘Surveilling Masses and Unveiling Human Rights: Uneasy Choices for the Strasbourg Court’ (Inaugural Address, Tilburg Law School, 2017) <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3167723>.
• Recommended Nóra Ní Loideáin, ‘A Bridge Too Far? The Investigatory Powers Act 2016 and Human Rights Law’ in Lilian Edwards (ed), Law, Policy, and the Internet (Hart Publishing 2019). UCL link
• Recommended Bernard Keenan, ‘The Evolution Of Elucidation: The Snowden Cases Before The Investigatory Powers Tribunal’ [2021] The Modern Law Review. UCL link
• Recommended Théodore Christakis and Katia Bouslimani, ‘National Security, Surveillance, and Human Rights’, in the Oxford Handbook of the International Law of Global Security (OUP 2021). UCL link
  
• Recommended Eleni Kosta, ‘Algorithmic State Surveillance: Challenging the Notion of Agency in Human Rights’ (2020) Regulation & Governance. OA link
• Recommended European Court of Human Rights, Guide on Art 8 of the European Convention of Human Rights (Council of Europe, updated regularly) (look at relevant parts to bolster your understanding) OA link
• Optional Andrew Murray, ‘State Surveillance and Data Retention’ in Information Technology Law (Oxford University Press 2019). (a more simplified high-level overview)
• Optional Bart van der Sloot and Eleni Kosta, ‘Big Brother Watch and Others v UK: Lessons from the Latest Strasbourg Ruling on Bulk Surveillance Case Notes’ (2019) 5 Eur Data Prot L Rev 252.
• Optional Pierre Notermans, ‘Surveillance Measures and the Exception of National Security in the Case Law of the European Court of Human Rights’ in Human Rights in Times of Transition (Edward Elgar Publishing 2020) UCL link

Cases

• Compulsory Big Brother Watch and Others v the United Kingdom (Grand Chamber) ECLI:CE:ECHR:2021:0525JUD005817013.
• Optional Malone v the United Kingdom ECLI:CE:ECHR:1984:0802JUD000869179.
• Optional S and Marper v the United Kingdom ECLI:CE:ECHR:2008:1204JUD003056204.
• Recommended Privacy International v Secretary of State for Foreign And Commonwealth Affairs & Ors [2016] UKIPTrib 15_110-CH.
• Recommended Liberty & Ors v GCHQ & Ors [2014] UKIPTrib 13_77-H and Liberty & Ors v The Secretary of State for Foreign And Commonwealth Affairs & Ors [2015] UKIPTrib 13_77-H.

L18: Data Retention - the Never Ending Story

Guest: Neil Brown, senior solicitor and founder at Internet law firm decoded.legal

Who called who, and when? When governments wish to understand what communication individuals had with each other in the past, they want somewhere to look back upon for reference. But keeping hold of all that data is expensive, and telecoms companies are loathe to do it. Enter data retention, a dynamic area of law characterised mainly by an ongoing between the CJEU and EU member states as to its permissible extent.

• Why does data retention fall within EU law? Should it?
• Has the Court of Justice gone too far, or has the ECHR not gone far enough?
• Do you agree that metadata might have a chilling effect on freedom of expression?
• What do you think Internet Communication Records are in the IPA? Does retaining these present additional human rights concerns? (hint: this was a novelty not present in RIPA).
• How do the safeguards proposed in La Quadrature du Net compare to other aspects of the intelligence regime (e.g. in the UK)? Which might be easy to carry out, and which might be more difficult, or represent a significant change from e.g. the safeguards in the IPA?

Articles

• Compulsory Marcin Rojszczak, ‘National Security and Retention of Telecommunications Data in Light of Recent Case Law of the European Courts’ [2021] European Constitutional Law Review. OA link
• Compulsory Eleni Kosta, ‘The Retention of Communications Data in Europe and the UK’ in Lilian Edwards (ed), Law, Policy, and the Internet (Hart Publishing 2019) OA link
• Recommended Marcin Rojszczak, ‘The Uncertain Future of Data Retention Laws in the EU: Is a Legislative Reset Possible?’ (2021) 41 Computer Law & Security Review 105572. UCL link OA link
• Optional Privacy International, ‘National Data Retention Laws since the CJEU’s Tele-2/Watson Judgment. A Concerning State of Play for the Right to Privacy in Europe’ (Privacy International, September 2017) OA link

Cases

European Union

• Compulsory Joined Cases C‑511/18, C‑512/18 and C‑520/18 La Quadrature du Net and Others ECLI:EU:C:2020:791.
  • If you read French, you can read the result in the referring case: Conseil d’État, 21 April 2021, ECLI:FR:CEASS:2021:393099.20210421.
• Recommended Case C-623/17 Privacy International ECLI:EU:C:2020:790.
• Recommended Case C-140/20 Commissioner of An Garda Síochána ECLI:EU:C:2022:258
• Optional Case C-793/19 SpaceNet ECLI:EU:C:2022:702
• Optional Case C‑746/18 HK v Prokuratuur ECLI:EU:C:2021:152.
• Optional Case C-350/21 Spetsializirana prokuratura ECLI:EU:C:2022:896
• Recommended Joined Cases C‑293/12 and C‑594/12 Digital Rights Ireland and Others ECLI:EU:C:2014:238.
• Recommended Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others ECLI:EU:C:2016:970.

United Kingdom

• Optional R (on the application of Davis and others) v The Secretary of State for the Home Department [2015] EWHC 2092 (Admin)
  • and in the Court of Appeal, Secretary of State for the Home Department v Watson MP & Ors [2018] EWCA Civ 70.

ECtHR

• Optional Ekimdzhiev and Others v Bulgaria ECLI:CE:ECHR:2022:0111JUD007007812.

Statute

• Recommended Investigatory Powers Act 2016 part 4 (Retention of Communications Data) link.

T7: Big Brother Watch

In this tutorial, we will be looking at Big Brother Watch and Others v UK.

Specifically, we will look at the following questions:

1. What were the alleged violations of Article 8 in Big Brother Watch? (In particular, what were the three discrete regimes at issue in the case?). What are the requirements for finding a violation of Art 8? How did Article 10 feature in the case?
2. Do you agree with the way the court analysed the intrusiveness of metadata? Does the acquisition of metadata deserve an equivalent level of protection to the content of communications
3. To what extent would you describe BBW as a pyrrhic victory for the applicants?
4. How much do you sympathise with the dissents? Is the trajectory of the ECtHR fit for the 21st century?

Required

• Compulsory Big Brother Watch and Others v the United Kingdom (Grand Chamber) ECLI:CE:ECHR:2021:0525JUD005817013.
• If you’re unclear on the functioning of the ECtHR (perhaps because you haven’t studied it before), skim David Harris and others, Harris, O’Boyle, and Warbrick: Law of the European Convention on Human Rights (Oxford University Press 2018).

Recommended

• Recommended Théodore Christakis and Katia Bouslimani, ‘National Security, Surveillance, and Human Rights’, in the Oxford Handbook of the International Law of Global Security (OUP 2021). UCL link
  
• Recommended Eleni Kosta, ‘Algorithmic State Surveillance: Challenging the Notion of Agency in Human Rights’ (2020) Regulation & Governance. OA link
• Guide on Art 8 of the European Convention of Human Rights (look at relevant parts to bolster your understanding)

L19: Data Transfers

  ___   _      ___   _      ___   _ 
 [(_)] |=|    [(_)] |=|    [(_)] |=| 
  '-`  |_|     '-`  |_|     '-`  |_|
 /mmm/  /     /mmm/  /     /mmm/  / 
       |____________|____________|
                             | 
                         ___  \_ 
                        [(_)] |=|  
                         '-`  |_| 
                        /mmm/  

See the photos of the undersea data cables entering the US (and likely being tapped by the NSA) as photographed by artist Trevor Paglen here.

Surveillance law meets data protection law in the world of data transfers. Information moves easily, but as we’ve seen, as it crosses borders it becomes vulnerable to use and abuse by different governments. Legal spotlights have been particularly bright on EUUS data transfers, following complaints by Max Schrems against Facebook in Ireland after the Snowden revelations in 2013. This strategic litigation has ended in the striking down of not one but two international transfer agreements, and leaving other mechanisms used for international transfers, such a standard contractual clauses, on really shaky ground. In this session, we’ll be looking at the intersection of national security law and the Charter in light of data transfers.

• What were the reasons the CJEU struck down Safe Harbour in Schrems I, and why wasn’t Privacy Shield an improvement in the Court’s eyes?
• What might an arrangement that the CJEU would not strike down look like?
• Do the Schrems cases show the EU as a defender of privacy, or an international hypocrite?
• Is there currently any valid way to transfer data to the United States from the European Union?

Articles

• Compulsory Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ (2017) 18 German Law Journal 881. OA link
• Recommended Douwe Korff, ‘The inadequacy of the October 2022 new US Presidential Executive Order on Enhancing Safeguards For United States Signals Intelligence Activities’ (2022)
• Optional Christopher Kuner, ‘Schrems II Re-Examined’ (Verfassungsblog, 25 Aug 2020) OA link
  • Recommended Read alongside Douwe Korff, ‘Comments on Prof. Chris Kuner’s Blog Schrems II Re-Examined of 25 August 2020’ (26 August 2020) OA-ish link (alt link)
• Optional Barbara Sandfuchs, ‘The Future of Data Transfers to Third Countries in Light of the CJEU’s Judgment C-311/18 – Schrems II’ (2021) GRUR Int ikaa204 UCL link
• Recommended Andrew D Murray, ‘Data Transfers between the EU and UK Post Brexit?’ (2017) 7 International Data Privacy Law 149 OA link
• Optional Graham Greenleaf, ‘Japan: EU Adequacy Discounted’ (2018) 155 Privacy Laws & Business International Report 8-10 OA link

Policy Documents

• RecommendedPrivacy International, ‘Secret Global Surveillance Networks’ (Privacy International, 2018) OA link
• Optional European Data Protection Board, ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2’ (18 June 2021) OA link
• Read the account of the saga and related blog posts by Max Schrems’ NGO noyb.eu here.

Statute

• Compulsory GDPR, chapter V.
• RecommendedCommission Implementing Decision (EU) 2021/1773 of 28 June 2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom (notified under document C(2021) 4801) OJ L360/69. OA link

Cases

European Union

• Compulsory Case C-311/18 Data Protection Commissioner v Facebook Ireland and Schrems ECLI:EU:C:2020:559 (“Schrems II”) link
• Recommended Case C-362/14 Maximillian Schrems v Data Protection Commissioner ECLI:EU:C:2015:65 (“Schrems I”)

It might be useful to read the AG Opinions in both cases too: * Optional Case C‑362/14 Maximillian Schrems v Data Protection Commissioner ECLI:EU:C:2015:627 (Opinion of Advocate General Bot). * Optional Case C-311/18 Data Protection Commissioner v Facebook Ireland and Schrems ECLI:EU:C:2019:1145, Opinion of Advocate General Saugmandsgaard Øe.

Ireland

• Optional The Data Protection Commissioner -v- Facebook Ireland Ltd & Anor [2017] IEHC 545 (Ireland)
  • This case is very useful in restating the facts of data transfers in the context of Facebook and US surveillance under FISA 702 and EO 12333. It is the case which led to the questions being referred to the CJEU in Schrems II.

L20: How to Change The Internet

This is a week where we take stock of what we can do about what we have learned. Ultimately, making change in Internet law and policy has driven many of the cases we have read, scholars we have studied, NGOs we have heard about, and has frustrated companies and governments, at times.

We’ll be asking a broad question: how do you make change on the Internet? As a law student (and soon graduate) — what can you do?

Reading and activity

• Lina Dencik and others, ‘Towards Data Justice? The Ambiguity of Anti-Surveillance Resistance in Political Activism’ (2016) 3 Big Data & Society 2053951716679678.
• Kari Karppinen and Outi Puukko, ‘Four Discourses of Digital Rights: Promises and Problems of Rights-Based Politics’ (2020) 10 Journal of Information Policy 304.

Further reading

• Seeta Peña Gangadharan and Jędrzej Niklas, ‘Decentering Technology in Discourse on Discrimination’ (2019) 22 Information, Communication & Society 882.
• Mark Townsend, ‘Home Office under Fire for Blocking New Spy Watchdog’ (the Guardian, 19 January 2019) http://www.theguardian.com/world/2019/jan/19/edward-snowden-defender-eric-king-vetoed-top-surveillance-watchdog-job\ accessed 16 March 2021.

Research a civil society organisation/NGO:

Pick an NGO active in Internet law and/or digital rights. I’ve put some examples below but you might know some others. They can be active in any country and any language. Choose one of its areas of activity. In class we will look at (and research in small groups)

1. How does the NGO seek to make change in this area? Has it had any major victories, either alone or in collaboration with others?

2. Look at one of the NGO’s most recent actions or initiatives in relation to law and policy. What are the main barriers to its success, and how might it best overcome them?

3. Do you agree with their views? Who might disagree?

Some civil society organisations:

Active in the UK

• Open Rights Group
• Privacy International
• Foxglove
• Big Brother Watch
• Liberty
• Amnesty International
• Foundation for Information Policy Research
• AWO
• Glitch (fixtheglitch)
• Ada Lovelace Institute
• 5 Rights Foundation
• Doteveryone (disbanded)
• Nesta
• Internet Society (UK Chapter)
• Cybersalon
• ARTICLE 19
• Open Data Institute

Internationally

• Many European digital rights groups are members of EDRi, the European Digital Rights Initiative. There is a large list of member organisations spanning the vast majority of EU member states on their members page here.
  
• You can also find organisations outside Europe by looking at the grantee list of major digital rights funders.
  • The Open Society Foundations Information Programme Grantee List
  • Luminate’s Data and Digital Rights funding
    
• Some European NGOs:
  • noyb
  • Panoptykon Foundation
  • Statewatch
  • Access Now
  • EFF
  • Digital Freedom Fund (DFF)

Acknowledgments

ASCII art from link, link, link, link, link. Credits where artist known: Felix Lee, hfw, jgs (Joan Stark), hrr, fsc, Veronica Karlsson.