LAWS0339 Internet Law and Policy

Dr Michael Veale, Associate Professor in Digital Rights & Regulation UCL Faculty of Laws, 2022-23 Syllabus Updated 30 Jan 2023.

      |\      _,,,---,,_
ZZZzz /,`.-'`'    -.  ;-;;,_
     |,4-  ) )-,_. ,\ (  `'-'
    '---''(_/--'  `-'\\_)______

Reading importance labels — Check the labels beside each reading! Compulsory means “please do this before class”. Recommended means “if you’re interested, or if you’re writing an essay or revising this topic, have a look at this”. It does not mean “if you’re a really good student you’ll have done all the recommended reading as well as compulsory reading before class”. Optional means “if you’re writing an essay, or it interest you, this might be something you want look at, but you could also do your own research and find other sources too.”

Open access — Wherever possible, resources are accompanied by an open access link (‘OA link’). Some resources are available freely but only behind for-profit repositories such as SSRN, which heavily push users to register and log-in, and hide the download options for downloading without this in the bottom of the page. These are ‘OA-ish links’. Occasionally, a paper or book is too important not to recommend even though an OA version is unavailable. I have tried to minimise these resources throughout the reading list.

Organising your reading — This module has many different types of resources. I strongly recommend you organise them in a reference manager. The best reference manager is Zotero, which is free to install and use (I strongly recommend against the use of Mendeley and/or Endnote). UCL Library runs a range of Zotero training sessions if you wish to use these. It allows you to annotate and make notes on articles and chapters. Zotero can also can be used to organise your citations for your coursework.

L = Lectures. Slides accompanying the lecture are available on Moodle. T = Tutorials

Part 1: Infrastructures and Platforms

L1: Welcome to the Internet: Technologies and Histories

                               ,  
        ,-.       _,---._ __  / \  
       /  )    .-'       `./ /   \  
      (  (   ,'            `/    /|  
      \  `-"             \\'\   / |  
        `.              ,  \ \ /  |  
         /`.          ,'-`----Y   |  
        (            ;        |   '  
        |  ,-.    ,-'         |  /  
        |  | (   |            | /  
        )  |  \  `.___________|/  
        `--'   `--' is the internet in here? =^^=

We all use the Internet. But how many people know what it is; where it came from; how it works? This session will introduce the history of the Internet and the functioning of core Internet technologies. Why were they designed as they were; and with whose values at the core? We will start to see why and how these design decisions interact with law and policy concerning the online world; a theme that will recur throughout the module.

Learning Objectives

  • What are the core technologies underpinning the Internet and how (in very rough terms) do they work? Note, as legal scholars we have to understand these technologies enough to be able to reason about how law and policy applies to them, not to be able to deploy them ourselves. So don’t worry if you don’t understand everything, or it seems too technical — focus on trying to get a general understanding.
  • What is the difference between the Internet and the Web?
  • What technical design principles underpin the Internet? Whose values do they reflect? How do these compare to broader values, for example those reflected in human rights regimes?
  • What are some of the main actors and organisations that govern the Internet, and how do they make decisions?
  • What is ‘cyberlibertarianism’?

Articles

  • Compulsory Andrés Guadamuz, ‘Internet Regulation’ in Lilian Edwards (ed), Law, Policy, and the Internet (Hart Publishing 2019). OA link
    • A useful and broad-ranging introduction into what it is to study Internet law and policy.
  • Compulsory Corinne Cath-Speth, ‘Internet Histories: Partial Visions of People and Packets’ in Corinne Cath-Speth, Changing Minds and Machines: A Case Study of Human Rights Advocacy in the Internet Engineering Task Force (IETF) (DPhil Thesis, Oxford University, 2021) pages 27-51. OA link
    • Traces and critiques the cultural and historical values behind the Internet engineers often seen as the main characters in a predominantly white, male, biographical history of the Internet.
  • Recommended William Lehr and others, ‘Whither the Public Internet?’ (2019) 9 Journal of Information Policy 1. read: pages 1-20 OA link
    • This article very usefully unpacks three different ways of understanding what “the Internet” is. Parts of this article use some difficult terminology: it is not key you understand it all.
  • Recommended Malte Ziewitz and Ian Brown, ‘A Prehistory of Internet Governance’ in Research Handbook on Governance of the Internet (Edward Elgar Publishing 2013). OA link
    • A history of the Internet and its early governance, as well as the institutions involved. Perhaps the best of the many “great men” tales of Internet history critiques by Cath-Speth (2021).
  • Optional Kieron O’Hara and Wendy Hall, Four Internets: Data, Geopolitics, and the Governance of Cyberspace (Oxford University Press 2021). paywall link / UCL link
    • A recent overview of the way in which the Internet as we know it is diverging as different nations and jurisdiction have different views on its development and trajectory.

L2: An Unregulable Network?

     \\_______/
 `.,-'\\_____/`-.,'
  /`..'\ _ /`.,'\
 /  /`.,' `.,'\  \
/__/__/ nice\\__\\__\\__
\  \  \web  /  /  /
 \  \\,'`._,'`./  /
  \\,'`./___\\,'`./
 ,'`-./_____\\,-'`.
     /       \

The Internet is sometimes described by politicians as a “Wild West”; a regulation-free land that has long resisted control. According to some, it needs bringing to heel. This is an overly simplistic story. In this session, we will build on the previous session’s understanding of Internet technologies and their design principles to think both about the ways in which this network has resisted control, and the ways in which is has been controlled by both public and private actors.

Learning Objectives

  • Does code ‘regulate’? How does this differ from the types of regulation that lawyers are more familiar with discussing?
  • What does it mean to say the Internet is ‘generative’? What are the policy implications of generative technologies?
  • Which actors are well-positioned to regulate the Internet, and why? What factors make it easier or harder for these actors to alter the working of these networks?

Articles

  • Compulsory Jonathan L Zittrain, ‘The Generative Internet’ (2006) 119 Harv L Rev 1974. OA link
    • This article is in some ways a prediction of how ‘walled gardens’ online might emerge. Was Zittrain right?
  • Compulsory Julie E Cohen, ‘“Piracy,” “Security,” and Architectures of Control’ in Configuring the Networked Self: Law, Code, and the Play of Everyday Practice (Yale University Press 2012). OA link
    • A strong critique of a variety of ways of looking at ‘code’ and ‘law’ - this might be worth coming back to after we talk about these topics some more as it’s a very dense and rewarding read.
  • Recommended Michèle Finck, ‘Blockchains as a Regulatable Technology’ in Blockchain Regulation and Governance in Europe (Cambridge University Press 2018). paywall link / UCL link
    • This chapter looks at ‘regulatory access points’ in relation to blockchains, which we don’t look at much in this course, but the readings and framework proposed by Finck is more generally accessible.
  • Optional Lawrence Lessig, Code: Version 2.0 (Basic Books 2006) OA link
    • I suggest looking at pages 61-137 (chapters 5-7). Lessig is referred to a lot in the other readings, and if writing about him you should have a look at what he says in his own words.
  • Optional Niels ten Oever, ‘“This is Not How We Imagined It”: Technological Affordances, Economic Drivers, and the Internet Architecture Imaginary’ (2021) 23 New Media & Society 344. OA link
    • This paper is good for those interested in some of the ways in which the technical sides of standards are value laden and contested.
  • Optional Clément Perarnaud and others, ‘“Splinternets”: Addressing the Renewed Debate on Internet Fragmentation’ (European Parliamentary Research Service, 2022).

T1: D’oH! Code, Law and Politics of Encrypted DNS

                             __
                   _ ,___,-'",-=-.
       __,-- _ _,-'_)_  (""`'-._\ `.
    _,'  __ |,' ,-' __)  ,-     /. |
  ,'_,--'   |     -'  _)/         `\
,','      ,'       ,-'_,`           :
,'     ,-'       ,(,-(              :
     ,'       ,-' ,    _            ;
    /        ,-._/`---'            /
   /        (____)(----. )       ,'
  /         (      `.__,     /\ /,
 :           ;-.___         /__\\/|
 |  d'oh   ,'      `--.      -,\ |
 :        /            \    .__/
  \      (__            \    |_
   \       ,`-, *       /   _|,\
    \    ,'   `-.     ,'_,-'    \
   (_\\,-'    ,'\\")--,'-'       __\
    \       /  // ,'|      ,--'  `-.
     `-.    `-/ \\'  |   _,'         `.
        `-._ /      `--'/             \
          ,'           |              \
          /             |               \
       ,-'              |               /
      /                 |             -'

Tutorial Questions

Make notes on these three topics to bring to the tutorial to discuss. - What is DNS? What is important to know about DNS in relation to law and policy? How is DNS used in Internet blocking? - What kind of body is the Internet Watch Foundation? Is it a regulator? - Who decides whether encrypted DNS systems, such as DNS-over-HTTPS (DoH) are introduced? What does this mean for the power of private firms vis-a-vis the state? - The UK’s Internet blocking regime is heavily built on DNS filtering. Should this be considered when encrypted DNS is introduced? Who should consider it, and how? How might this work internationally? - Many countries have recently been talking about digital sovereignty (also souveraineté numérique in France). Do you think that DNS illustrates a loss, or highlights a lack, of nation states’ digital sovereignty?

Readings

  • Compulsory Debate in Hansard on “Internet Encryption” (citation: HL Deb 14 May 2019, vol 797, cols 1492–1495) OA link
    • A good opportunity to see one of the strangest legislative chambers in the world talk about a highly technical issue.
  • Compulsory Open Rights Group, ‘DNS Security — Getting it Right’ (24 June 2019) OA link
    • The Open Rights Group (ORG)is a UK-based digital rights NGO. This report outlines many of the technical aspects of DNS, and the consequences of this, written from the standpoint of a digital rights advocacy organisation.
  • Compulsory Internet Watch Foundation, ‘Briefing on DNS-over-HTTPS’ OA link
    • A briefing that in many ways poses a counterpoint to the Open Rights Group paper.
  • Recommended Vijay Gurbani and others, ‘When DNS Goes Dark: Understanding Privacy and Shaping Policy of an Evolving Protocol’ (2021) TPRC48: The 48th Research Conference on Communication, Information and Internet Policy. OA-ish link
    • This is a useful academic paper going a little deeper than the ORG work into the different protocols and some of the broader implications of them.
  • Optional Tanya Verma and Sudheesh Singanamalla, ‘Improving DNS Privacy with Oblivious DoH in 1.1.1.1’ (The Cloudflare Blog, 12 August 2020) OA link
    • This blog outlines a protocol even newer than DoH or DoT, which also seeks to obscure the identity of the computer querying a website from the DNS resolver (e.g. Cloudflare, Google, or your ISP). You may not understand it all but see if you can understand the rough outline of how and why it works.

L3: Net Neutrality: Is the Internet Just a Series of Tubes?

      /` _`\
     |  (_()| .-.
      \\_  _/_/   \
        ||=\[_\]   |
        || | |   |
        ||/   \  |
        ||`---'  /
    .--'||-.___.'
  /`  .-||-.   internet is just
  '-/`.____.`\  dumb pipes?
    '.______.'

Learning Objectives

  • In which ways are internet access providers like historical common carriers — and in which ways are they not?
  • Are you convinced by the human rights issues with zero rating? Do they apply similarly to all forms of zero rating, or should some forms be permissible? Under what conditions?
  • How do net neutrality laws sit with the emerging (and arguably not empirically ‘neutral’) architecture of the internet, such as content delivery networks?
  • Is net neutrality still an important principle to fight for online, or has it been displaced by other concerns?

Bonus Watch the early viral 2006 YouTube remix ‘Series of Tubes’, mocking the anti-net neutrality speech by Sen. Ted Stevens (R-Alaska) (obituary on it here).

Articles

  • Compulsory Christopher T Marsden, ‘[Introduction: neutrality, discrimination and common carriage]((https://www.manchesteropenhive.com/view/9781526105479/9781526105479.00020.xml)’, in Network Neutrality: From Policy to Law to Regulation (Manchester University Press 2017).
    • This chapter outlines the broad debate and shape of net neutrality issues - what is at stake, and what are the main developments and actors?
  • Compulsory Toussaint Nothias, ‘Access Granted: Facebook’s Free Basics in Africa’ (2020) 42 Media, Culture & Society 329.
    • This article focusses on net neutrality issues in relation to Facebook’s mobile offering on the African continent, documenting some of the civil society twists and turns concerning it.
  • Recommended William Lehr and others, ‘Whither the Public Internet?’ (2019) 9 Journal of Information Policy 1. read: pages 1-20
    • This article introduces three ‘lenses’ on the Internet - what do we, consumers, businesses, other actors, really mean when we say we are seeking to regulate the Internet?
  • Recommended Helani Galpaya, ‘Zero-Rating in Emerging Economies’ [2017] Global Commission on Internet Governance Paper Series, Chatham House (No 47).
  • Recommended Podcast POLITICO, ‘Big Tech v Telecoms Battle’, EU Confidential (Podcast) (4 August 2022) from 9min 30 until end.
    • A debate on whether Big Tech should pay more given they are popular destinations for users to request traffic from. Featuring in favour of the propsal, Alessandro Gropelli from the European Telecommunications Network Operators’ Association (ETNO) and Jan-Niklas Steinhauer, head of policy and regulatory affairs at the German Broadband Association (BREKO); and against the proposal, Christian Borggreen from the Computer and Communications Industry Association (CCIA), and Thomas Lohninger, executive director of the digital rights NGO epicenter.works.
  • Optional Vipulya Chari, ‘Internet.Org and the Rhetoric of Connectivity’ (2022) 19 Communication and Critical/Cultural Studies 54. UCL link
  • Optional Oles Andriychuk, Angela Daly and Arletta Gorecka, ‘Net Neutrality in New Times: Revisiting the Open Internet Regulation in the UK’ (Leverhulme Research Centre for Forensic Science, 30 September 2021).
  • Optional Christopher T Marsden,Network Neutrality: From Policy to Law to Regulation (Manchester University Press 2017).
    • The whole book beyond the Introduction is very useful, in particular, Chapter 5 (Three Wise Monkeys of Net Neutrality) and Chapter 7 (Zero Rating).
  • Optional Julianne Romanosky and Marshini Chetty, ‘Understanding the Use and Impact of the Zero-Rated Free Basics Platform in South Africa’ in (ACM Press 2018) Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems - CHI ’18. pages 5-10
  • Optional Peter Cihon and Helani Galpaya, ‘Navigating the Walled Garden: Free and Subsidized Data Use in Myanmar’ (LIRNEasia, 2017).
  • See chapters in Luca Belli and Primavera De Filippi (eds), Net Neutrality Compendium: Human Rights, Free Competition and the Future of the Internet (Springer 2016).

Case Law

  • Recommended One of
    • Case C‑34/20 Telekom Deutschland GmbH ECLI:EU:C:2021:677;
    • Case C‑854/19 Vodaphone (Roaming) ECLI:EU:C:2021:675;
    • Case C‑5/20 Vodafone (Tethering) ECLI:EU:C:2021:676.
    • (They are effectively all the same and were delivered on the same day)
  • Optional Joined Cases C-807/18 and C-39/19 Telenor Magyarország Zrt v Nemzeti Média- és Hírközlési Hatóság Elnöke, ECLI:EU:C:2020:708.

Statute

  • Compulsory Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access and amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union, OJ L 310/1, recitals 1-17 and art 3.
  • Optional The Open Internet Access (EU Regulation) Regulations 2016.
    • Subordinate legislation to the above EU Regulation, which is part of retained direct EU legislation in EU law. It has been amended by The Open Internet Access (Amendment etc.) (EU Exit) Regulations 2018 to remove references to e.g. BEREC.

T2: Bugs in our Pockets: Debating Client-Side Scanning.

        .--.       .--.
    _  `    \     /    `  _
     `\\.===. \\.^./ .===./`
            \\/`"`\\/
         ,  |     |  ,
        / `\\|;-.-'|/` \
       /    |::\  |    \
    .-' ,-'`|:::; |`'-, '-.
        |   |::::\\|   | 
        |   |::::;|   |
        |   \\:::://   |
        |    `.://'   |
       .'             `.
    _,'                 `,_

Encryption technologies, when deployed correctly, allow one entity to send a message to another where the content cannot be examined even if the message is obtained in transit. More and more services online are encrypted ‘end-to-end’, with the defined sender and recipients being the people who want to talk or interact. Signal, WhatsApp, iMessage are all examples of this. Law enforcement agencies have claimed that this hampers their ability to analyse messages for illegal content, although that ability has only been possible due to the migration of messaging onto computers, and the fairly recent development of large-scale analytic techniques. This is often called “going dark”. Attempts to weaken encryption to allow access by third parties to data, often known as introducing “backdoors”, have long been controversial, as weakening encryption can bring significant social and economic consequences for those that rely on secure communication. A recent set of proposals instead suggests “client-side scanning”, a set of technologies where the end-points, such as a mobile phone, are told to scan content after it has been decrypted by the recipient or before it has been sent by the sender, and take some action based on what they find. In this tutorial, we will consider the debates around this technology, particularly in the emerging policy context of child sexual exploitation and abuse.

Tutorial Questions

  • What is client-side scanning? How does it differ from alternatives to scanning content, and why has it been proposed now?
  • What are the main issues with client-side scanning that critics identify?
  • How does client-side scanning connect to discussions of ‘code’ as regulation?
  • Do you agree that client-side scanning ‘must be treated like wiretapping’?
  • What are the practical challenges of deploying client-side scanning? Who might be involved in deciding how it works, particularly in a global context?

Readings

  • Compulsory Hal Abelson and others, ‘Bugs in Our Pockets: The Risks of Client-Side Scanning’ (arXiv, 14 October 2021) (pp 3-14, 21-39) OA link
    • A paper by a group of academic privacy and security engineers analysing issues with client-side scanning that they see from multiple perspectives.
  • Compulsory Ian Levy and Crispin Robinson, ‘Thoughts on Child Safety on Commodity Platforms’ (arXiv, 19 July 2022) OA link s 2.5 (pp 21-22), s 5 and s 6 (pp 33-47) (optional for context and further information, sections 2 and 8)
    • A paper from the main scientific leads at GCHQ and the National Cyber Security Centre in the UK, arguing in favour of client-side scanning. It is in part a response to Abelson et al.
  • Recommended Ross Anderson, ‘Chat Control or Child Protection?’ (University of Cambridge Computer Lab, 13 October 2022) link
    • This is in turn a rebuttal to Levy and Robinson, questioning some of their empirical assumptions.
  • Recommended Kashmir Hill, ‘A Dad Took Photos of His Naked Toddler for the Doctor. Google Flagged Him as a Criminal.’ The New York Times (21 August 2022) link.
  • Optional European Data Protection Board and European Data Protection Supervisor, EDPB-EDPS Joint Opinion 4/2022 on the Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse (2022) link
    • A critical report by two EU bodies tasked with overseeing data protection issues in Member States and Union institutions respectively. Focusses on privacy and data protection concerns but with important analysis of proportionality.
  • Optional European Commission, Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse (COM(2022) 209 final, 11 May 2022). link particuarly arts 7–10, 44.
    • The proposed legislation by the European Commission which would allow client-side scanning to be implemented through ‘detection orders’.

L4: Intermediary Liability: With Great Power Comes Great Responsibility?

 ____
||""||
||__||--------?------
[ -=.]`)   who intermediates
 ====== 0    your messages?

Learning Objectives

  • What was the initial logic behind intermediary liability laws? Was that logic legitimate at the time, and does it remain so today?
  • What factors have the CJEU indicated do not compromise the shielding of intermediaries? Do you agree with these judgments?
  • What is the concept of the CJEU has built? Are modern platforms neutral in this way?

Articles and Chapters

  • Compulsory Lilian Edwards, ‘“With Great Power Comes Great Responsibility?”: The Rise of Platform Liability’ in Lilian Edwards (ed), Law, Policy, and the Internet (Hart Publishing 2019). UCL link
    • This chapter looks over the history of intermediary liability law. Does not quite go up to present day; particularly since then the Digital Services Act, Copyright in the Digital Single Market Act, and Terrorist Content Regulation (all in the EU); and in the UK, the Online Safety Bill, all interact with this.
  • Recommended Philippe Jougleux, ‘Intermediaries’ Liability: Where Is My Chair?’ in Philippe Jougleux (ed), Facebook and the (EU) Law: How the Social Network Reshaped the Legal Framework (Springer International Publishing 2022). .
    • A slightly more up to date overview than the Edwards chapter above, with EU focus.
  • Recommended Aleksandra Kuczerawy, ‘From “Notice and Take Down” to “Notice and Stay Down”: Risks and Safeguards for Freedom of Expression’ in The Oxford Handbook of Intermediary Liability Online (Oxford University Press 2020). OA-ish link / UCL link
  • Optional Jennifer Urban and others, ‘Notice and Takedown in Everyday Practice’ (UC Berkeley Public Law Research Paper No. 2755628, 2017) OA link
    • Read the introduction & executive summary (pp 1-13) and delve into the bits that interest you - it’s a long report.
  • Optional Ben Wagner and others, ‘Regulating Transparency? Facebook, Twitter and the German Network Enforcement Act’ (2020) Proceedings of the 2020 Conference on Fairness, Accountability, and Transparency. OA-ish link / UCL link / 8 min talk on the paper
  • Optional Sophie Stalla-Bourdillon, ‘Internet Intermediaries as Responsible Actors? Why It Is Time to Rethink the E-Commerce Directive as Well’ in Mariarosaria Taddeo and Luciano Floridi (eds), The Responsibilities of Online Service Providers (Springer 2017). OA-ish link / UCL link
  • Optional Graham Smith, ‘5.6 Liability of Online Intermediaries’ in Internet Law and Regulation (Sweet and Maxwell 2020) Book available on Westlaw UK
    • Part of a practitioner textbook on Internet Law. Goes into heavy detail on the jurisprudence in the area.
  • Optional Nico van Eijk and others, Hosting Intermediary Services and Illegal Content Online: An Analysis of the Scope of Article 14 ECD in Light of Developments in the Online Service Landscape : Final Report. (European Commission 2019). OA link

Case Law

European Union

  • Compulsory Case C-682/18 YouTube and Cyando ECLI:EU:C:2021:503 paras 18-39, 103-118.
    • A case concerning whether certain platform features give an “active role” to intermediaries.
  • Recommended Case C‑70/10 Scarlet Extended ECLI:EU:C:2011:771
    • On attempted general monitoring obligations applied to mere conduits (a Belgian ISP).
  • Optional Case C-360/10 Netlog ECLI:EU:C:2012:85
    • same issue as Scarlet, relates to hosting on Netlog, a now-defunct Belgian social network.
  • Recommended Joined Cases C-236/08 and C-238/08 Google France ECLI:EU:C:2010:159
    • Focus on paras 22-32 and 106-120, you don’t need to understand the relevant trademark law.
  • Recommended Case C‑324/09 L’Oréal SA v eBay ECLI:EU:C:2011:474
  • Optional Case C-314/2 Telekabel ECLI:EU:C:2014:192 paras 26-50, 106-114
  • Optional Case C-484/14 Mc Fadden ECLI:EU:C:2016:689

Tip Reading the Advocate General opinions for these cases can elaborate on how they link to previous case law, and they are written in a less robotic way than the CJEU (although remember that the Court does not always follow the reasoning of the AG.) You can access these on the CJEU’s own webpage using the Curia search by entering the case number.

United Kingdom

  • Optional Godfrey v Demon Internet Ltd [1999] EMLR 542
  • Optional Payam Tamiz v Google Inc [2013] EWCA Civ 68
  • Optional Cartier International AG & Ors v British Telecommunications Plc & Anor [2018] UKSC 28

European Court of Human Rights

Statute

European Union

  • Compulsory Digital Services Act TO ADD LINK AND FULL REFERENCE, ARTICLES, AFTER COUNCIL APPROVAL.
  • Optional Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) [2000] OJ L 178/1 (focus on recitals 40-49, arts 1, 12–15).
    • Note that this has now been superseded by the Digital Services Act, although technically the applicable law is still the e-Commerce Directive until the Digital Services Act is commenced. The transposition of the e-Commerce Directive is still the relevant law in the UK, although with caveats discussed in the lecture.

United States

  • Recommended 47 U.S.C. 230(c) (‘Section 230’) OA link

United Kingdom

  • Optional The Electronic Commerce (EC Directive) Regulations 2002 OA link
    • These are currently the same as the EU e-Commerce Directive at the time of writing; this is for reference purposes only. Note that Article 15 of the e-Commerce Directive on general monitoring, which forbids Member States from passing certain kinds of laws (as well as judicial authorities from making certain kinds of orders) was never transposed and so has not been clearly retained.

L5: General Monitoring: The Blindfold is Off?

            ______              
         .-'      `-.           
       .'            `.         
      /                \        
     ;                 ;`       
     | illegal content |;       
     ;                 ;|
     '\               / ;       
      \\`.           .' /        
       `.`-._____.-' .'         
         / /`_____.-'           
        / / /                   
       / / /
      / / /
     / / /
    / / /   or is it?
   / / /
  / / /
 / / /
/ / /
\\/_/

Learning Objectives

  • Why might a prohibition on general monitoring obligations be justified? What kind of issues it is trying to prevent?
  • Has the CJEU changed its understanding of general monitoring over time? What are the arguments for and against this kind of change?
  • Is it easy to search for illegal content now we have more advanced technologies to help us do it? What can go wrong? Is it just a matter of time before they become good enough?

Articles

  • Compulsory Joris Van Hoboken and Daphne Keller, ‘Design Principles for Intermediary Liability Laws’ (Transatlantic High Level Working Group on Content Moderation Online and Freedom of Expression Working Paper, 8 October 2019) OA link
  • Compulsory Robert Gorwa, Reuben Binns and Christian Katzenbach, ‘Algorithmic Content Moderation: Technical and Political Challenges in the Automation of Platform Governance’ (2020) 7 Big Data & Society 2053951719897945. OA link
  • Recommended Daphne Keller, ‘Facebook Filters, Fundamental Rights, and the CJEU’s Glawischnig-Piesczek Ruling’ (2020) 69 GRUR Int 616. paywall link / UCL link
  • Recommended Martin Senftleben and Christina Angelopoulos, ‘The Odyssey of the Prohibition on General Monitoring Obligations on the Way to the Digital Services Act’ (University of Amsterdam and CIPIL Working Paper, October 2020) OA link
  • Recommended Aleksandra Kuczerawy, ‘General Monitoring Obligations: A New Cornerstone of Internet Regulation in the EU?’ in Rethinking IT and IP Law - Celebrating 30 years CiTiP (Intersentia 2019). OAish link
  • Recommended Giovanni Sartor, ‘The Impact of Algorithms for Online Content Filtering or Moderation: Upload Filters’ (European Parliament 2020) OA link.
  • Optional Maayan Perel and Niva Elkin-Koren, ‘Accountability in Algorithmic Copyright Enforcement’ (2015) 19 Stan Tech L Rev 473. OA link
  • Optional Graham Smith, ‘5.6 Liability of Online Intermediaries’ in Internet Law and Regulation (Sweet and Maxwell 2020) Book available on Westlaw UK
  • Optional Giancarlo Frosio (ed.) _Oxford Handbook of Online Intermediary Liability*_(Oxford University Press 2020) Closed access DOI UCL link

Case Law

European Union

  • Compulsory Case C-18/18 Glawischnig-Piesczek v Facebook ECLI:EU:C:2019:821
  • Recommended One of
    • Case C‑70/10 Scarlet Extended ECLI:EU:C:2011:771 (relates to mere conduits)
    • Case C-360/10 Netlog ECLI:EU:C:2012:85 (same issue as Scarlet, relates to hosting on Netlog, a now-defunct Belgian social network)
  • Optional Case C-314/2 Telekabel ECLI:EU:C:2014:192 paras 26-50, 106-114
  • Optional Case C-484/14 Tobias Mc Fadden v Sony Music Entertainment Germany GmbH ECLI:EU:C:2016:689.
    • This case concerned a WiFi network in a shop that was being used to break the law. A court asked the CJEU whether an injunction against the shop was legal according to the e-Commerce Directive if it required scanning of all content, termination of the WiFi network, or password protecting the network. The CJEU stated that out of the three, only the latter was allowed, as long as it was effective and required users to reveal their identity in order to get the password.
  • Case C-401/19 Poland v Parliament ECLI:EU:C:2022:297
#####  ######   ##   #####  # #    #  ####     #    # ###### ###### #    #
#    # #       #  #  #    # # ##   # #    #    #    # #      #      #   #  
#    # #####  #    # #    # # # #  # #         #    # #####  #####  ####   
#####  #      ###### #    # # #  # # #  ###    # ## # #      #      #  #   
#   #  #      #    # #    # # #   ## #    #    ##  ## #      #      #   #  
#    # ###### #    # #####  # #    #  ####     #    # ###### ###### #    #

L6: Because You Attended the Last Seminar, You Might Like: Regulating Recommending

             |\
---|\\--------|-\\\-----
---|/-------0---\\|----
--/|-------------|----
-|-/-\\----------0-----
--\\|/----nice playlist-

Learning Objectives

  • Are algorithmic systems essential to deliver content online today? Is there a world without recommenders, or one where they are neutral? In what interfaces or media are they most important?
  • What kind of logics might be built into recommender systems? What kind of information about the content, or the users, might you need to do this, and where does this information come from?
  • Are recommender systems a good target for regulation of online content? What are the potential benefits, and what are the risks?
  • How is being ‘shadow banned’ (or having content ‘reduced’) from a recommender similar or different to being removed from a hosting platform?

Articles

Statute

European Union

  • Compulsory Draft Bill European Parliament legislative resolution of 5 July 2022 on the proposal for a regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC (COM(2020)0825 – C9-0418/2020 – 2020/0361(COD)). look at arts 24a, 29.
  • Compulsory Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services OJ L 186/57 (‘P2B Regulation’). look at article 5

Cases

European Union

T3: Appraising Recommender Laws

In this tutorial, we are going to look at some of the approaches to recommender systems proposed in current draft bills and compare them. Read the following texts. They’re different proposals made in recent months and years to regulate recommender systems - none of them have passed as of the end of 2021, but they range from highly likely to pass in some form (DSA, Online Safety Bill) to indicative of the potential form of regulation (US Congressional texts).

As you read each, assess the strengths and weaknesses of each document. What is similar or different about them? Where might they succeed and fail? Which one, if any, do you support most, and how would you adjust it if you were a legislator?

Bills

European Union

  • Compulsory Draft Bill European Commission, Proposal for a Regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC Act (COM/2020/825 final) (Articles 25-33, and skim the rest as appropriate) link
  • Compulsory Draft Bill ARTICLE 19, ‘Digital Services Act: ARTICLE 19 proposed amendment to Article 29 Recommender systems’ (14 May 2021) link (this is a document from a civil society group proposing a concrete amendment to the DSA)

United States

  • Compulsory Draft Bill Protecting Americans From Dangerous Algorithms Act, H.R. 8636, 116th Cong. (2020) (entire instrument, remind yourself also of the contents of s 230 CDA for context from the intermediary liability sessions) link
  • Compulsory Draft Bill Filter Bubble Transparency Act, H.R. __ 117th Cong. (2021) link

United Kingdom

  • Optional Draft Bill HM Government, Online Safety Bill (2021), part 1 and part 2 (much of it repeats. Try to get the gist - it’s a big and complex instrument, and don’t get bogged down in the details.) link

L7: Platforms and Proactive Duties

Guest: Dr Tim Squirrell, Institute for Strategic Dialogue

___  ,--.  __________________________/   ,   /_______
   'O---O'~                                           
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _   ,--.   _ _ _ _ _
           _______________         ~'O---O'           
________< Responsibility?|     _______________________
                    ||  /   ,   /              

Learning objectives

  • Is it useful to try and strictly define platforms? If we do, should we define them by what they are, by what they do, or by something else?
  • What challenges do platforms pose that we might want to regulate? Which do you think are the most pressing or important?
  • Why is it hard to regulate platforms?
  • What are some of the major areas of tension in the European intermediary liability regime when it comes to platforms?
  • What are the some of the current regulatory trends to try and regulate this area? Do you think they will work — and if so, for whom?

Articles

L8: Redecentralise This! Interoperability Law and Policy

      ____      *         *
 ____|    \  *      *          * 
(____|     `.____________ _ _ _  _  _  _
 ____|       ____________ _ _ _  _  _  _
(____|     .'
     |____/

Learning Objectives

  • What is “interoperability”? What exactly is interoperating with what under different visions of the policy?
  • Who would need to be regulated in order to make interoperability a reality? What might the challenges of this be?
  • What are some of the current regulatory regimes that touch upon interoperabiity, and how do they function?
  • What kind of digital power does interoeprability seek to reduce? Would it be effective in this?
  • What are some of the policy concerns people have raised around interoperability?
  • Are these concerns valid? In particular, are there ways to moderate content, or to ensure privacy, in an interoperable world?

Readings

Statute

European Union

United States

  • Optional Draft Bill ‘American Innovation and Online Choice Act’, S. 2992, 117th Congr. (2022) (Bill sponsored by Sen. Amy Klobuchar, as amended in the Senate on 25 May 2022), particularly s. 2-3.

L9: Being Forgotten Online

               O             O _J""-.
        .-""L_  o           o /o )   \ ,';
   ;`, /   ( o\               \ ,'    ;  /
   \  ;    `, /                "-.__.'"\\_;
   ;_/"`.__.-"   google or goldfish?

Guest: Andrew Strait, Ada Lovelace Institute (TBC)

Learning Objectives

  • How does the right to be forgotten function? Where did it come from?
  • What kind of information and process is needed to assess a RTBF request according to the existing jurisprudence? What kind of a process might this be, and how does that compare to what we know of the processes that are used in practice?
  • Who does the RTBF benefit?
  • Is the balance correct in the RTBF? Should there be more or less emphasis on freedom of expression?
  • Is the RTBF adequately governed? How do private decisions and judicial decisions interplay, and are there potential reforms that you might want to see implemented at this interface?

Articles

  • Compulsory Andrés Guadamuz, ‘Developing a Right to Be Forgotten’ in Tatiana-Eleni Synodinou and others (eds), EU Internet Law: Regulation and Enforcement (Springer 2017). OA-ish link UCL paywall link
    • An overview of some of the debates and sides people take concerning the Right to Be Forgotten.
  • Compulsory Paul De Hert and Vagelis Papakonstantinou, ‘Right to Be Forgotten’, Elgar Encyclopedia of Law and Data Science (2022).
    • A concise encyclopaedia entry providing a guide to the RTBF’s origin and jurisprudence up through the start of 2022.
  • Recommended Aleksandra Kuczerawy and Jef Ausloos, ‘From Notice-and-Takedown to Notice-and-Delist: Implementing Google Spain’ (2015–16) 14 Colo Tech LJ 219. OA link
    • A discussion of some of the roles (as they were and are emerging) of different governance actors in the run up to, and in the wake of, the judgment in Google Spain.
  • Recommended Theo Bertram and others, ‘Five Years of the Right to Be Forgotten’ in (ACM 2019) Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security 959. OA link
    • A scholarly article on how the RTBF has panned out from the point of view of Google employees, who authored it. Read alongside the firm’s regularly updated, quantitative Transparency Report into EU delisting on the basis of the right.
  • Recommended Joris Van Hoboken, ‘Search Engine Freedom’ in Search Engine Freedom: On the Implications of the Right to Freedom of Expression for the Legal Governance of Web Search Engines (University of Amsterdam 2012) pp 168-213. OA link
    • A discussion of the theoretical and legal manners in which freedom of expression applies to search engines, given their crucial role in enabling access to information. Pre-dates Google Spain, although not the debates about the RTBF.
  • Optional Jean-François Blanchette and Deborah G Johnson, ‘Data Retention and the Panoptic Society: The Social Benefits of Forgetfulness’ (2002) 18 The Information Society 33. OA link paywalled, typeset link
    • A less legal view of why we might want a right to be forgotten from the standpoint of privacy.
  • Optional Tarleton Gillespie, ‘To Remove or to Filter?’ in Custodians of the Internet (Yale University Press 2018). UCL link (paywalled)
    • A broader discussion of the different tactics that internet intermediaries, and particularly platforms, use to limit the distribution of content online.
  • Optional David Erdos, ‘The “Right to Be Forgotten” beyond the EU: An Analysis of Wider G20 Regulatory Action and Potential Next Steps’ (2021) 13 Journal of Media Law 1. OA-ish link UCL link
    • Examines how similar rights to be forgotten work in jurisdiction including Canada, Turkey and Australia.
  • Optional Stefan Kulk and Frederik Zuiderveen Borgesius, ‘Privacy, Freedom of Expression, and the Right to Be Forgotten in Europe’ in Evan Selinger and others (eds), The Cambridge Handbook of Consumer Privacy (Cambridge University Press 2018). OA-ish link UCL paywall link
    • A useful introduction to how freedom of expression is balanced by the CJEU and ECtHR, focussing on the right to be forgotten. Overlaps otherwise in terms of content with Guadamuz 2017.

Policy Documents

  • Optional European Data Protection Board, Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (EDPB 2020) OA link
    • Guidance from the European regulators in charge of enforcing Google Spain and the Right to Erasure. See also the ary on these guidelines by David Erdos, University of Cambridge.
  • Optional Access Now, Understanding the Right to Be Forgotten Globally (Access Now 2017) OA link
    • A short policy paper from an NGO indicating the surrounding conditions and a safeguard wishlist for global implementation of a right to be delisted on privacy grounds.

Statute

European Union

  • Optional Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, art 17.
    • We will look at the statutory data protection regime, its scope and functioning, in much more detail in Term 2.

Case Law

European Union

  • Compulsory Case C-131/12 Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González ECLI:EU:C:2014:317.
  • Compulsory Case C‑136/17 GC and Others v Commission nationale de l’informatique et des libertés (CNIL) ECLI:EU:C:2019:773.
  • Compulsory Case C‑507/17 Google LLC v Commission nationale de l’informatique et des libertés (CNIL) ECLI:EU:C:2019:772.

It may help to read a few case s on GC and Others and Google v CNIL if you are struggling with them. You can search these out on Westlaw, Google Scholar or just the plain old search engine of your choice.

United Kingdom

  • Recommended NT1 & NT2 v Google LLC [2018] EWHC 799 (QB). BAILII
    • The first Google Spain case applied by English courts. One applicant had his delisting refusal by Google overturned by the High Court, and one had it confirmed. What was the difference between them?

T4: “Fake News”: Governing Misinformation

Tutorial Questions

  • What kind of a problem is misinformation online? What are its causes, and how can we best understand it?
  • How is misinformation currently governed?

Readings

Case Law

ECHR

L10: Image-Based Sexual Abuse and Platforms

Guest: Dr María Bjarnadóttir, Director for Internet Safety at the Icelandic National Commissioner for Police.

         _
     _n_|_|_,_
    |===.-.===|
    |  ((_))  |
    '==='-'==='

Learning Objectives

  • What is image-based sexual abuse, and what are the wrongs and harms of such abuse?
  • Why can it be difficult to tackle image-based sexual abuse using the law?
  • How is this abuse currently dealt with under English and Scottish law, and what are the difficulties and shortcomings of this offence?
  • What is the impact of image-based sexual abuse being “priority illegal content’ in the draft UK Online Safety Bill?
  • What might the consequences be if the Law Commission’s new offences were introduced and deemed “priority illegal content”?
  • Questions from the further reading
    • What are ‘intimate threats’, as characterised by Levy and Schneier? How should law and policy makers think about ameliorating or protecting against such threats? In particular, what can be done at the level of engineering and product design?
    • Do you agree with Danielle Keats Citron that ‘sexual privacy’ is a distinct category of privacy interests and that traditional privacy law is ill-equipped to protect this interest? If so, what implications might that have for law and policy makers in this jurisdiction e.g. in the context of intermediary liability and the regulation of platforms?

Articles

Statute

  • Compulsory Draft Bill Online Safety Bill, cl 8-9; 52; 177; sch 7 para 18. check current Bill status before teaching week
    • Here, please consider what the practical implications for in-scope platforms would be for proactively detecting priority illegal content, were it to include intimate image abuse as proposed. Which elements of the offence would it be easier for platforms to discern, and which harder? Note that only the English offence is listed as “priority”, however the Scottish offence is also relevant due to the provisions in cl 52.
  • Compulsory Criminal Justice and Courts Act 2015 s 33-35
    • The current English law criminalising certain aspects of intimate image abuse; overhaul of this has been suggested by the Law Commission in its report, above.
  • Compulsory Abusive Behaviour and Sexual Harm (Scotland) Act 2016 s 2-4
    • The Scottish criminal law around the issue — has been praised for being wider than the English law, covering also deepfake sexual content, at least to some degree. May have impact in England regardless via platforms through the operation of the Online Safety Bill, if passed.
  • Optional Justice Act (Northern Ireland) 2016 s 51.

Part 2: Privacy, Data and Surveillance

L11: Protecting Privacy Online

What is privacy all about, and why might we seek it? In this session, we will take a look at some of the different issues privacy might, or has been thought to, protect. The three compulsory readings approach this from different angles: Solove offers a taxonomy to cover a breadth of the issues; Viljoen looks at what ‘data law’ might do, focussing on the way that technologies construct and mediate human relations; while Lynskey consider the developing approach(es) that courts in the UK have taken to a set of rights that have only relatively recently made their way into law in this jurisdiction.

For very different views, the optional readings present different viewpoints. Gürses unpacks how computer scientists often think about privacy; O’Hara tries to understand why people talk over each other when talking about what privacy is or should do; Hildebrandt thinks about how privacy might be theorised in relation to a world of profiling machines; while Warren and Brandeis, in a seminal article, try to locate privacy as a right in the US constitution — influential on later thought, not least as Brandeis became a US Supreme Court justice.

What do you think privacy is or should protect? What should the priorities for law be in an informationalised world, and have courts so far appeared to be up to these challenges?

Articles

  • Compulsory Daniel J Solove, ‘A Taxonomy of Privacy’ (2005–06) 154 U Pa L Rev 477 OA link
  • Compulsory Salomé Viljoen, ‘A Relational Theory of Data Governance’ (2021) 131 Yale Law Journal 573 OA link
  • Compulsory Orla Lynskey, ‘Courts, Privacy and Data Protection in the UK: Why Two Wrongs Don’t Make a Right’ in Courts, Privacy and Data Protection in the Digital Environment (Edward Elgar Publishing 2017) UCL link
  • Recommended Julie E Cohen, ‘What Privacy is For’ (2012–13) 126 Harv L Rev 1904 OA link
  • Recommended Kieron O’Hara, ‘The Seven Veils of Privacy’ (2016) 20 IEEE Internet Computing 86 UCL link
  • Recommended Seda Gürses, ‘Can You Engineer Privacy?’ (2014) 57 Communications of the ACM 20. UCL typeset link / OA preprint link
  • Optional Mireille Hildebrandt, ‘Privacy as Protection of the Incomputable Self: From Agnostic to Agonistic Machine Learning’ (2019) 20 Theoretical Inquiries in Law 83 OA link
  • Optional Samuel D Warren and Louis D Brandeis, ‘The Right to Privacy’ (1890) 4 Harvard Law Review 193 OA link
  • Optional Julie E Cohen, ‘Turning Privacy Inside Out’ (2019) 20 Theoretical Inquiries in Law OA link

Cases

United Kingdom

  • Recommended Kaye v Robertson [1991] FSR 62 link
  • Recommended Wainwright v Home Office [2003] UKHL 53, [2004] 2 AC 406 (see particularly paragraphs [15]-[35] from Lord Hoffman’s judgment) link
  • Recommended Campbell v MGN Ltd [2004] UKHL 22, [2004] AC 457 (see particularly paragraphs [11]-[22] from Lord Nicholl’s judgment) link

Podcasts

  • Optional Episode 15 of Constitutional on ‘Privacy’. It includes some very useful background and further detail, particularly on Warren and Brandeis’ article, and why it is relevant today. link

T5: Data Rights

Preparation (in class, in part)

For this tutorial, there is a short preparatory activity we will use as a basis for discussion about the right of access. Carrying out steps 1-2 are essential, but step 3 is optional (writing further to a company to request your data). I advise doing it, however, as it is free, and interesting to see how they interact with you, and what you get back.

  1. Try to use a “download my data” tool” on one or more services that you use. Some examples of those from the largest services are below:
  1. If you get a copy of the data, try to locate the privacy policy for that company. Privacy policies are usually implemented as to provide some of the information required in Article 13 of the GDPR (have a look). Re-read articles 13–15, and article 20, of the GDPR. Is this all the data you requested? What personal data might be missing? Do you also think (e.g. from your usage of a service) that the controller might have additional data about you they are not telling you about?

  2. [Optional, but recommended] Write an email or other message to the firm (how should be detailed in the privacy policy) asking for a full copy of you data, highlighting any omissions you discovered or suspected based on point 2. I have made a template for a very full version of how to do this here, but you are welcome to just type something shorter or more focussed.

If you get to 2 and 3, save all the files you get from this process in one place (e.g. a copy of relevant parts of the privacy policy, and any data), so we can talk about the process during the tutorial. Regardless, save and look at any data you receive.

In this session, we’ll discuss the access rights made earlier in class. Please come having done the reading and try to bring whatever you have received in a form on your computer you can use to discuss and refer to (although no need to share it!).

Questions to consider: - What is the right of access for? What is its scope? What are its limits? - How powerful is the right of access at achieving its various purposes? - What barriers exist to make access rights useful or powerful? - What barriers did you face getting access to, or scrutinising data? How might you reform the right of access to make it more useful - or is such reform futile?

Readings

  • Compulsory GDPR, arts 12, 15, 20.
  • Compulsory European Data Protection Board, ‘Guidelines 01/2022 on data subject rights - Right of access’ (Version for Public Consultation, 2022) OA link
  • Compulsory Jef Ausloos and Pierre Dewitte, ‘Shattering One-Way Mirrors – Data Subject Access Rights in Practice’ (2018) 8 International Data Privacy Law 4. UCL link OA link
  • Optional René Mahieu, ‘The Right of Access to Personal Data: A Genealogy’ (2021) 2021 TechReg 62. OA link
  • Optional Jef Ausloos and Michael Veale, ‘Researching with Data Rights’ (2020) 2020 Technology and Regulation 136.
  • Optional Case C‑434/16 Nowak ECLI:EU:C:2017:994
  • Optional Joined Cases C‑141/12 and C‑372/12 YS and Others ECLI:EU:C:2014:2081.

L12: Data Protection: Form and Function

In this session, we introduce a parallel but interwoven regime to privacy and private life: data protection. Lynskey introduces where data protection came from, what is does, and how it relates to privacy. Her book was written before the passing of the General Data Protection Regulation, which builds on previous privacy statutes; this is the topic of Hoofnagle and others, who seek to summarise the Regulation. You should also read the GDPR alongside this article as appropriate.

Further readings look at the history of data protection law (González Fuster), and elaborate theoretically on the functioning of data protection and its place within the EU legal order (Lynskey, Ausloos).

Think while reading about what data protection seeks to do and protect. How does it secure the aims we discussed when considering privacy? What other ends does it pursue, or ways might it protect or empower people? Is it a subset of privacy, or a separate, complementary regime? How many of the rights and obligations were you aware of, and how does the text of data protection law relate to the practices of firms and governments that you are aware of?

Articles

  • Compulsory Orla Lynskey, ‘The Key Characteristics of the EU Data Protection Regime’ and ‘The Link between Data Protection and Privacy in the EU Legal Order’ in The Foundations of EU Data Protection Law (Oxford University Press 2015) UCL link
  • Compulsory Chris Jay Hoofnagle and others, ‘The European Union General Data Protection Regulation: What It Is and What It Means’ (2019) 28 Information & Communications Technology Law 65 OA link
  • Recommended Gloria González Fuster, ‘The Materialisation of Data Protection in International Instruments’ in The Emergence of Personal Data Protection as a Fundamental Right of the EU (Springer 2014) UCL link
  • Recommended Orla Lynskey, The Foundations of EU Data Protection Law (Oxford University Press 2015) UCL link
  • Optional Jef Ausloos, ‘Foundations of Data Protection Law’ in The Right to Erasure in EU Data Protection Law: From Individual Rights to Effective Protection (Oxford University Press 2020) UCL link

Policy Documents

  • Optional European Court of Human Rights, Guide to the Case Law of the European Court of Human Rights: Data Protection (Council of Europe, updated regularly) (look at relevant parts to bolster your understanding) OA link
    • Note, that the ECHR is distinct from the CJEU in its privacy and data protection jurisprudence. There is no explicit right to data protection in the Convention; this does not mean the Court has not developed jurisprudence in this area, however.

Statute

  • Compulsory Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1. Read this alongside the Hoofnagle and others article. You do not need to read all of the recitals yet, and this takes most of the length out; but they do help shine light on the main articles, and are important interpretative tools, so refer back as appropriate.
  • Compulsory Charter of Fundamental Rights of the European Union, articles 7–8.

L13: The Law of Everything? Anonymisation and the Scope of Personal Data

One of the main concepts in data protection is the concept of personal data. The boundaries of this concept have been hotly contested, and are an important point of interaction for law, policy, computer and data science alike; all of these disciplines work on this issue intensely. McAuley describes why computer scientists find anonymisation difficult to achieve. Purtova argues that the CJEU has interpreted the GDPR in an expansive manner which has led an unmanageable array of information types to be classifiable as personal data (but compare to optional reading, Dalla Corte, who critiques this reading). Elliot and others propose a different approach, which looks at the risk of data to be reidentified in its environment. What would be the benefits or risks of adopting this approach? You should also read the Breyer case, which is looked at considerably in the Purtova article.

You may also choose to read further reading, such as a technical analyis of why it is difficult or impossible to anonymise some types of location data from the perspective of computer science by de Montjoye and others, the application to smart environments and technologies by Gellert. You should also consider the household exemption, part of the scope of data protection law, which is importantly limited by the cases Lindqvist and Ryneš.

How should a controller in practice go about considering what is personal data or not? How might this differ for different types of data — text; location; tabular data; video data or photographs? Is there a good balance between personal or non personal data classification that is possible, or will any approach inevitably be gamed and abused? If so, is there a way out of this quandary?

While reading it all, as well as when you have read both the papers and the cases, think through the following questions:

  1. What is it about data that makes anonymisation particularly hard?
  2. Can you think of a good example of data which is reliably non-personal under data protection law?
  3. What sort of test does Breyer imply? What kind of capacities might data controllers need to carry out this test?
  4. Is this approach to personal data a sensible one for data protection law? What might be the challenges if a narrower approach was taken? What about a broader one?
  5. Is the household exemption too narrow in scope?

Statute

European Union

  • Compulsory GDPR, recitals 26-30, arts 2, 4(1).

Videos

Articles

Cases

European Union

  • Compulsory Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland ECLI:EU:C:2016:779 (on the identifiability of personal data)
  • Recommended Case C‑434/16 Nowak ECLI:EU:C:2017:994 (on exam scripts and comments)
  • Recommended C-184/20 Vyriausioji tarnybinės etikos komisija ECLI:EU:C:2022:601 (on conditions for inference of special category data)
  • Recommended Case C-101/01 Lindqvist EU:C:2003:596 (on the scope of the household exemption)
  • Recommended Case C‑212/13 Ryneš ECLI:EU:C:2014:2428. (on a CCTV camera on a house and the household exemption)

Pending Cases

  • Case C-604/22 IAB Europe (on whether a compliance mechanism for online tracking comprises personal data)
  • Case C-659/22 Ministerstvo zdravotnictví (Czech Ministry of Health) (on whether scanning vaccination certs amounts to processing)
  • Case C-115/22 NADA and Others (on health data and doping)
  • Case C-446/21 Schrems (on sexuality and special category data in advertising)

United Kingdom

  • Optional Durant v Financial Services Authority [2003] EWCA Civ 1746.
  • Optional Edem v The Information Commissioner & Anor [2014] EWCA Civ 92
  • Optional Secretary of State for the Home Department & Anor v TLU & Anor [2018] EWHC 2217 (QB).

L14: Revenge of the Cookie Monster

Somebody is prying through your files, probably
Somebody's hand is in your tin of Netscape magic cookies
But relax: if you're an interesting person
Morally good in your acts
You have nothing to fear from facts

The Age of Infomation (Momus, 1997)

Cookie pop ups when you browse the web are hardly anything new to most Internet users, particularly in Europe. But what exactly are cookies? How do they something that we should be concerned about? How does the law understand cookies, and how has that developed over time? In the session, we’re going to try and get some answers to some of these questions. While reading and examining the below, it will be good to think about the following questions:

  1. What conceptual role do cookies play in online tracking and profiling?
  2. Consent is a large part of the way that we govern cookies in Europe. But is it a good way to do this? What would the alternatives look like, and in what ways would they be better or worse?
  3. If many of the ways the cookies are used on the Internet are currently illegal, why hasn’t anything been done about it? What are the main challenges and regulatory hurdles that prevent affective enforcement?

Also pay attention to the issue of controllership — this topic should be considered in tandem with the tutorial on controllership. Who is the controller when it comes to tracking on a website?

Articles

Policy Documents

  • Optional Information Commissioner’s Office, ‘Update Report into Adtech and Real Time Bidding’ (20 June 2019) link
  • Optional Information Commissioner’s Office, ‘Data Protection and Privacy Expectations for Online Advertising Proposals’ (25 November 2021). link
  • Optional CNIL (French DPA), ‘Cookies: FACEBOOK IRELAND LIMITED Fined 60 Million Euros’ (6 January 2022) link; CNIL (French DPA), ‘Cookies: GOOGLE Fined 150 Million Euros’ (6 January 2022) link. see also English language decisions within

Cases

European Union

  • Compulsory Case C-210/16 Wirtschaftsakademie Schleswig-Holstein ECLI:EU:C:2018:388.
  • Compulsory Case C-49/17 Fashion ID ECLI:EU:C:2019:629.
  • Recommended Case C‑252/21 Meta Platforms and Others ECLI:EU:C:2022:704, Opinion of Advocate General Rantos **particularly concerning the interaction of web tracking data and Article 9 sensitive data characteristics*.
  • Optional Case C‑25/17 Jehovan todistajat ECLI:EU:C:2018:551. consider how the controllership argument might analogise
  • Optional Case C-673/17 Planet49 GmbH ECLI:EU:C:2019:801.
  • Optional Case C-131/12 Google Spain ECLI:EU:C:2014:317. particularly around questions of controllership
  • Recommended Case C‑210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2017:796, Opinion of AG Bot.
  • Recommended Case C-49/17 Fashion ID GmbH & CoKG v Verbraucherzentrale NRW eV ECLI:EU:C:2018:1039, Opinion of AG Bobek.

United Kingdom

  • Optional Vidal-Hall v Google Inc [2015] EWCA Civ 311.
  • Optional Lloyd v Google LLC [2021] 3 UKSC 50.

Belgium

Statute

United Kingdom

  • Compulsory Privacy and Electronic Communications (EC Directive) Regulations 2003, reg 6
    • This derives from the e-Privacy Directive, art 5(3), below.
  • Optional Draft Bill Data Protection and Digital Information HC Bill (2022–23) 143, cl 79.
    • Whether this law will be reintroduced is currently unclear.

European Union

  • Recommended Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) OJ L 201/37, art 5(3).
    • This is implemented in the UK by PECR reg 6, above

L15: Computer Says No? Machine Learning and Automated Decision-making

Computers are intermediating the content of decisions now, rather than just transmitting them. The governing of algorithms and automated systems is big news, and big business for some. But what role for data protection law? In this session, we’ll dig into the details.

When doing the reading, think about the following:

  • What are the main issues concerning algorithms that require governance? What has the last few years indicated are the most pressing of them, and which might be the most pressing in the future?
  • Should we be worried about algorithms, or “decisions”, both or neither?
  • How can we reconcile the purpose of Article 22 with the rest of the GDPR? Does it connect to form a coherent whole, or does it not make sense?
  • Is Article 22 a relic that will fail to govern algorithms going forward, or is there hope that it can be usefully repurposed? If so, as a simple safety net, or an active tool of governance?
  • Are there simple changes, or court interpretations, that might make the governance of algorithms through the GDPR function more effectively? Which? Are they likely without new legislation?

Articles

Policy Documents

Statute

European Union

  • Compulsory General Data Protection Regulation (GDPR), articles 15, 21, 22, recital 71.

United Kingdom

  • Optional Draft Bill Data Protection and Digital Information HC Bill (2022–23) 143, cl 11. - Whether this law will be reintroduced is currently unclear.

Case-Law

European Union

Pending

  • Case C-634/21 SCHUFA Holding and Others (scoring) (on downstream algorithmic decisions)
  • Case C-203/22 Dun & Bradstreet Austria

L16: State Surveillance: Introducing Bulk Powers

In 2013, documents leaked by Edward Snowden had a transformative effect on law, business practices, and perceptions. In this first surveillance seminar, we will try to look at the bigger picture, of technologies being used and some of the human rights fights around the old and new regimes.

When reading, consider the following:

  • What kind of impact on privacy is there from using content of communications? What kind from metadata?
  • How might you conceptualise the ECtHR’s trend in attitudes towards bulk collection/mass surveillance regimes?
  • What are the geopolitical implications of bulk collection, interception and interference practices? How does this relate to the jurisdiction and physical location of cloud companies?
  • Intelligence agencies commonly argue that bulk regimes are not particularly invasive as only some material is ever selected and read by humans. Do you consider that a sufficient safeguard?
  • What does surveillance of these types tell us about the role of the intermediaries we looked at previously? What powers and responsibilities do they have; how have they used these; and how should they use them?

Articles

Policy Documents

  • Compulsory David Anderson, Report of the Bulk Powers Review (Her Majesty’s Stationery Office 2016). OA link
  • Compulsory Unknown Author (OPC-MCR/GCHQ), ‘HIMR Data Mining Research Problem Book’ (Contained in the Snowden Leaks, 20 September 2011) OA link
    • Skim the top-secret research ‘open question’ problem book of the Heilbron Institute for Mathematical Research (University of Bristol), a GCHQ funded research centre that works on highly classified research. This book, part of the Snowden leaks, describes the kind of data and practices that GCHQ have and provide to the researchers that develop the techniques to analyse it. (some of this is very technical, I recommend pages 7-15, 51-53, 67-68. The data sources at the end, particularly pp 69–74 may also be interesting)**
  • Recommended David Anderson, A Question of Trust (Her Majesty’s Stationery Office 2015). OA link
  • Optional Caspar Bowden, The US Surveillance Programmes and Their Impact on EU Citizens’ Fundamental Rights (European Parliament 2013) OA link

News Articles

  • Recommended Phineas Rueckert, ‘Pegasus: The New Global Weapon for Silencing Journalists’ (Forbidden Stories, 18 July 2021) link.
    • More on Pegasus and the NSO in the podcast Darknet Diaries, interviewing John Scott-Railton from Citizen Lab at the University of Toronto, in episode 100 ‘NSO’ audio / full transcript.

Videos

  • Recommended Caspar Bowden, The Cloud Conspiracy 2008-14 (The 31st Chaos Computer Congress, 31C3 2014) OA link

Databases

  • Compulsory Browse the Snowden Archive. Look by Program, and for each entry, you can click on the news article analysing it at the bottom, or access the original PDF of the document itself.

L17 - Likely Subject to Industrial Action Unless Movement in Negotiations

T6 - Likely Subject to Industrial Action Unless Movement in Negotiations

L18: State Surveillance: Bulk Powers and Human Rights

Arguably the most control over state surveillance is exercised by the European Convention on Human Rights. In this session, we’re going to look at how it has understood state surveillance across the years, and some of the key tensions it has faced going forward.

  1. How can we characterise the way the ECtHR has or has not changed in relation to the changing nature of surveillance?
  2. Should courts play closer attention to the substance of surveillance powers? How?
  3. Is a bulk collection or interception regime a natural progression or a disjunct leap from targeted collection/interception? What is the view of the ECtHR on this?
  4. Should individuals be notified that they have been subject to surveillance measures, when it would not undermine investigations to do so?

Readings

  • Compulsory Eleni Kosta, ‘Surveilling Masses and Unveiling Human Rights: Uneasy Choices for the Strasbourg Court’ (Inaugural Address, Tilburg Law School, 2017) <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3167723>.
  • Recommended Nóra Ní Loideáin, ‘A Bridge Too Far? The Investigatory Powers Act 2016 and Human Rights Law’ in Lilian Edwards (ed), Law, Policy, and the Internet (Hart Publishing 2019). UCL link
  • Recommended Bernard Keenan, ‘The Evolution Of Elucidation: The Snowden Cases Before The Investigatory Powers Tribunal’ [2021] The Modern Law Review. UCL link
  • Recommended Théodore Christakis and Katia Bouslimani, ‘National Security, Surveillance, and Human Rights’, in the Oxford Handbook of the International Law of Global Security (OUP 2021). UCL link
  • Recommended Eleni Kosta, ‘Algorithmic State Surveillance: Challenging the Notion of Agency in Human Rights’ (2020) Regulation & Governance. OA link
  • Recommended European Court of Human Rights, Guide on Art 8 of the European Convention of Human Rights (Council of Europe, updated regularly) (look at relevant parts to bolster your understanding) OA link
  • Optional Andrew Murray, ‘State Surveillance and Data Retention’ in Information Technology Law (Oxford University Press 2019). (a more simplified high-level overview)
  • Optional Bart van der Sloot and Eleni Kosta, ‘Big Brother Watch and Others v UK: Lessons from the Latest Strasbourg Ruling on Bulk Surveillance Case Notes’ (2019) 5 Eur Data Prot L Rev 252.
  • Optional Pierre Notermans, ‘Surveillance Measures and the Exception of National Security in the Case Law of the European Court of Human Rights’ in Human Rights in Times of Transition (Edward Elgar Publishing 2020) UCL link

Cases

  • Compulsory Big Brother Watch and Others v the United Kingdom (Grand Chamber) ECLI:CE:ECHR:2021:0525JUD005817013.
  • Optional Malone v the United Kingdom ECLI:CE:ECHR:1984:0802JUD000869179.
  • Optional S and Marper v the United Kingdom ECLI:CE:ECHR:2008:1204JUD003056204.
  • Recommended Privacy International v Secretary of State for Foreign And Commonwealth Affairs & Ors [2016] UKIPTrib 15_110-CH.
  • Recommended Liberty & Ors v GCHQ & Ors [2014] UKIPTrib 13_77-H and Liberty & Ors v The Secretary of State for Foreign And Commonwealth Affairs & Ors [2015] UKIPTrib 13_77-H.

L18: Data Retention - the Never Ending Story

Guest: Neil Brown, senior solicitor and founder at Internet law firm decoded.legal

Who called who, and when? When governments wish to understand what communication individuals had with each other in the past, they want somewhere to look back upon for reference. But keeping hold of all that data is expensive, and telecoms companies are loathe to do it. Enter data retention, a dynamic area of law characterised mainly by an ongoing between the CJEU and EU member states as to its permissible extent.

  • Why does data retention fall within EU law? Should it?
  • Has the Court of Justice gone too far, or has the ECHR not gone far enough?
  • Do you agree that metadata might have a chilling effect on freedom of expression?
  • What do you think Internet Communication Records are in the IPA? Does retaining these present additional human rights concerns? (hint: this was a novelty not present in RIPA).
  • How do the safeguards proposed in La Quadrature du Net compare to other aspects of the intelligence regime (e.g. in the UK)? Which might be easy to carry out, and which might be more difficult, or represent a significant change from e.g. the safeguards in the IPA?

Articles

  • Compulsory Marcin Rojszczak, ‘National Security and Retention of Telecommunications Data in Light of Recent Case Law of the European Courts’ [2021] European Constitutional Law Review. OA link
  • Compulsory Eleni Kosta, ‘The Retention of Communications Data in Europe and the UK’ in Lilian Edwards (ed), Law, Policy, and the Internet (Hart Publishing 2019) OA link
  • Recommended Marcin Rojszczak, ‘The Uncertain Future of Data Retention Laws in the EU: Is a Legislative Reset Possible?’ (2021) 41 Computer Law & Security Review 105572. UCL link OA link
  • Optional Privacy International, ‘National Data Retention Laws since the CJEU’s Tele-2/Watson Judgment. A Concerning State of Play for the Right to Privacy in Europe’ (Privacy International, September 2017) OA link

Cases

European Union

  • Compulsory Joined Cases C‑511/18, C‑512/18 and C‑520/18 La Quadrature du Net and Others ECLI:EU:C:2020:791.
  • Recommended Case C-623/17 Privacy International ECLI:EU:C:2020:790.
  • Recommended Case C-140/20 Commissioner of An Garda Síochána ECLI:EU:C:2022:258
  • Optional Case C-793/19 SpaceNet ECLI:EU:C:2022:702
  • Optional Case C‑746/18 HK v Prokuratuur ECLI:EU:C:2021:152.
  • Optional Case C-350/21 Spetsializirana prokuratura ECLI:EU:C:2022:896
  • Recommended Joined Cases C‑293/12 and C‑594/12 Digital Rights Ireland and Others ECLI:EU:C:2014:238.
  • Recommended Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others ECLI:EU:C:2016:970.

United Kingdom

  • Optional R (on the application of Davis and others) v The Secretary of State for the Home Department [2015] EWHC 2092 (Admin)
    • and in the Court of Appeal, Secretary of State for the Home Department v Watson MP & Ors [2018] EWCA Civ 70.

ECtHR

  • Optional Ekimdzhiev and Others v Bulgaria ECLI:CE:ECHR:2022:0111JUD007007812.

Statute

  • Recommended Investigatory Powers Act 2016 part 4 (Retention of Communications Data) link.

T7: Big Brother Watch

In this tutorial, we will be looking at Big Brother Watch and Others v UK.

Specifically, we will look at the following questions:

  1. What were the alleged violations of Article 8 in Big Brother Watch? (In particular, what were the three discrete regimes at issue in the case?). What are the requirements for finding a violation of Art 8? How did Article 10 feature in the case?
  2. Do you agree with the way the court analysed the intrusiveness of metadata? Does the acquisition of metadata deserve an equivalent level of protection to the content of communications
  3. To what extent would you describe BBW as a pyrrhic victory for the applicants?
  4. How much do you sympathise with the dissents? Is the trajectory of the ECtHR fit for the 21st century?

Required

L19 - Likely Subject to Industrial Action Unless Movement in Negotiations

L20: Data Transfers

  ___   _      ___   _      ___   _ 
 [(_)] |=|    [(_)] |=|    [(_)] |=| 
  '-`  |_|     '-`  |_|     '-`  |_|
 /mmm/  /     /mmm/  /     /mmm/  / 
       |____________|____________|
                             | 
                         ___  \_ 
                        [(_)] |=|  
                         '-`  |_| 
                        /mmm/  

See the photos of the undersea data cables entering the US (and likely being tapped by the NSA) as photographed by artist Trevor Paglen here.

Surveillance law meets data protection law in the world of data transfers. Information moves easily, but as we’ve seen, as it crosses borders it becomes vulnerable to use and abuse by different governments. Legal spotlights have been particularly bright on EUUS data transfers, following complaints by Max Schrems against Facebook in Ireland after the Snowden revelations in 2013. This strategic litigation has ended in the striking down of not one but two international transfer agreements, and leaving other mechanisms used for international transfers, such a standard contractual clauses, on really shaky ground. In this session, we’ll be looking at the intersection of national security law and the Charter in light of data transfers.

  • What were the reasons the CJEU struck down Safe Harbour in Schrems I, and why wasn’t Privacy Shield an improvement in the Court’s eyes?

  • What might an arrangement that the CJEU would not strike down look like?

  • Do the Schrems cases show the EU as a defender of privacy, or an international hypocrite?

  • Is there currently any valid way to transfer data to the United States from the European Union?

  • Compulsory Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ (2017) 18 German Law Journal 881. OA link

  • Optional Christopher Kuner, ‘Schrems II Re-Examined’ (Verfassungsblog, 25 Aug 2020) OA link

    • Recommended Read alongside Douwe Korff, ‘Comments on Prof. Chris Kuner’s Blog Schrems II Re-Examined of 25 August 2020’ (26 August 2020) OA-ish link (alt link)
  • Optional Barbara Sandfuchs, ‘The Future of Data Transfers to Third Countries in Light of the CJEU’s Judgment C-311/18 – Schrems II’ (2021) GRUR Int ikaa204 UCL link

  • Recommended Andrew D Murray, ‘Data Transfers between the EU and UK Post Brexit?’ (2017) 7 International Data Privacy Law 149 OA link

  • Optional Graham Greenleaf, ‘Japan: EU Adequacy Discounted’ (2018) 155 Privacy Laws & Business International Report 8-10 OA link

Policy Documents

  • RecommendedPrivacy International, ‘Secret Global Surveillance Networks’ (Privacy International, 2018) OA link
  • Optional European Data Protection Board, ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2’ (18 June 2021) OA link
  • Read the account of the saga and related blog posts by Max Schrems’ NGO noyb.eu here.

Statute

  • Compulsory GDPR, chapter V.
  • RecommendedCommission Implementing Decision (EU) 2021/1773 of 28 June 2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom (notified under document C(2021) 4801) OJ L360/69. OA link

Cases

European Union

  • Compulsory Case C-311/18 Data Protection Commissioner v Facebook Ireland and Schrems ECLI:EU:C:2020:559 (“Schrems II”) link
  • Recommended Case C-362/14 Maximillian Schrems v Data Protection Commissioner ECLI:EU:C:2015:65 (“Schrems I”)

It might be useful to read the AG Opinions in both cases too: * Optional Case C‑362/14 Maximillian Schrems v Data Protection Commissioner ECLI:EU:C:2015:627 (Opinion of Advocate General Bot). * Optional Case C-311/18 Data Protection Commissioner v Facebook Ireland and Schrems ECLI:EU:C:2019:1145, Opinion of Advocate General Saugmandsgaard Øe.

Ireland

  • Optional The Data Protection Commissioner -v- Facebook Ireland Ltd & Anor [2017] IEHC 545 (Ireland)
    • This case is very useful in restating the facts of data transfers in the context of Facebook and US surveillance under FISA 702 and EO 12333. It is the case which led to the questions being referred to the CJEU in Schrems II.

Acknowledgments

ASCII art from link, link, link, link, link. Credits where artist known: Felix Lee, hfw, jgs (Joan Stark), hrr, fsc, Veronica Karlsson.