Dr Michael Veale, UCL Faculty of Laws, 2021-22 Syllabus
Updated 10 January 2022
ZZZzz /,`.-'`' -. ;-;;,_
|,4- ) )-,_. ,\ ( `'-'
Reading importance labels — Check the labels beside each reading! Compulsory means “please do this before class”. Recommended means “if you’re interested, or if you’re writing an essay or revising this topic, have a look at this”. It does not mean “if you’re a really good student you’ll have done all the recommended reading as well as compulsory reading before class”. Optional means “if you’re writing an essay, or it interest you, this might be something you want look at, but you could also do your own research and find other sources too.”
Open access — Wherever possible, resources are accompanied by an open access link (‘OA link’). Some resources are available freely but only behind for-profit repositories such as SSRN, which heavily push users to register and log-in, and hide the download options for downloading without this in the bottom of the page. These are ‘OA-ish links’. Occasionally, a paper or book is too important not to recommend even though an OA version is unavailable. I have tried to minimise these resources throughout the reading list.
S1: Welcome to the Internet (we have cats)
October 4 2021
,-. _,---._ __ / \
/ ) .-' `./ / \
( ( ,' `/ /|
\ `-" \\'\ / |
`. , \ \ / |
/`. ,'-`----Y |
( ; | '
| ,-. ,-' | /
| | ( | | /
) | \ `.___________|/
- What are the core technologies underpinning the Internet and how (in very rough terms) do they work?
- What is the difference between the Internet and the Web? (Extra: what, then, are mobile apps?)
- What design principles underpin the Internet, and why are they important to those interested in Internet regulation?
- What are some of the main actors and organisations that govern the Internet and how do they make decisions? In whose interests do these different actors act, and with what incentives?
- What is ‘cyberlibertarianism’?
- Compulsory Andrés Guadamuz, ‘Internet Regulation’ in Lilian Edwards (ed), Law, Policy, and the Internet (Hart Publishing 2019). OA link
- A useful and broad-ranging introduction into what it is to study Internet Law.
- Compulsory Kieron O’Hara and Wendy Hall, ‘The Vision of the Open Internet’ in Four Internets: Data, Geopolitics, and the Governance of Cyberspace (Oxford University Press 2021). paywall link / UCL link
- A concise summary of the history of the Internet and the Web and how they all fit together. For more in-depth versions, see Zietwitz & Brown and Ryan in the further readings.
- Recommended Corinne Cath-Speth, ‘Internet Histories: Partial Visions of People and Packets’ in Corinne Cath-Speth, Changing Minds and Machines: A Case Study of Human Rights Advocacy in the Internet Engineering Task Force (IETF) (DPhil Thesis, Oxford University, 2021) pages 27-51. OA link
- Recommended Malte Ziewitz and Ian Brown, ‘A Prehistory of Internet Governance’ in Research Handbook on Governance of the Internet (Edward Elgar Publishing 2013). OA link
- A clear and well-written history of the Internet and its early governance, as well as the institutions involved.
- Optional Johnny Ryan, ‘The Web!’ in A History of the Internet and the Digital Future (Reaktion Books 2011).
- A clear description of how the Web emerged and the different players involved.
- Optional Kieron O’Hara and Wendy Hall, Four Internets: Data, Geopolitics, and the Governance of Cyberspace (Oxford University Press 2021). paywall link / UCL link
- A recent overview of the way in which the Internet as we know it is diverging as different nations and jurisdiction have different views on its development and trajectory.
S2: An Unregulable Network?
October 11 2021
/`..'\ _ /`.,'\
/ /`.,' `.,'\ \
\ \ \web / / /
\ \\,'`._,'`./ /
- Does code ‘regulate’? How does this differ from the types of regulation that lawyers are more familiar with discussing?
- What different perspectives exist to understand the different ways it and other actors influence Internet policy through the medium of ‘code’?
- Why might the ‘generativity’ of the Internet pose societal challenges to open technologies? Can you think of more contemporary examples where this dynamic manifests?
- Which actors are well-positioned to regulate the Internet, and why? What factors make it easier or harder for these actors to alter the working of these networks?
- Compulsory Jonathan L Zittrain, ‘The Generative Internet’ (2006) 119 Harv L Rev 1974. OA link
- This article is in some ways a prediction of how ‘walled gardens’ online might emerge. Was Zittrain right?
- Compulsory Julie E Cohen, ‘“Piracy,” “Security,” and Architectures of Control’ in Configuring the Networked Self: Law, Code, and the Play of Everyday Practice (Yale University Press 2012). OA link
- A strong critique of a variety of ways of looking at ‘code’ and ‘law’ - this might be worth coming back to after we talk about these topics some more as it’s a very dense and rewarding read.
- Recommended Michèle Finck, ‘Blockchains as a Regulatable Technology’ in Blockchain Regulation and Governance in Europe (Cambridge University Press 2018). paywall link / UCL link
- This chapter looks at ‘regulatory access points’ in relation to blockchains, which we don’t look at much in this course, but the readings and framework proposed by Finck is more generally accessible.
- Optional Lawrence Lessig, Code: Version 2.0 (Basic Books 2006) OA link
- I suggest looking at pages 61-137 (chapters 5-7). Lessig is referred to a lot in the other readings, and if writing about him you should have a look at what he says in his own words.
- Optional Niels ten Oever, ‘“This is Not How We Imagined It”: Technological Affordances, Economic Drivers, and the Internet Architecture Imaginary’ (2021) 23 New Media & Society 344. OA link
- This paper is good for those interested in some of the ways in which the technical sides of standards are value laden and contested.
T1: D’oH! Code, Law and Politics of Encrypted DNS
October 11 2021
__,-- _ _,-'_)_ (""`'-._\ `.
_,' __ |,' ,-' __) ,- /. |
,'_,--' | -' _)/ `\
,',' ,' ,-'_,` :
,' ,-' ,(,-( :
,' ,-' , _ ;
/ ,-._/`---' /
/ (____)(----. ) ,'
/ ( `.__, /\ /,
: ;-.___ /__\\/|
| d'oh ,' `--. -,\ |
: / \ .__/
\ (__ \ |_
\ ,`-, * / _|,\
\ ,' `-. ,'_,-' \
(_\\,-' ,'\\")--,'-' __\
\ / // ,'| ,--' `-.
`-. `-/ \\' | _,' `.
`-._ / `--'/ \
,' | \
/ | \
,-' | /
/ | -'
Make notes on these three topics to bring to the tutorial to discuss.
- Can we consider the DNS protocol a type of regulation? What about the Internet Watch Foundation? What type of regulating is this, and how do they interact?
- Who is involved in ultimately deciding whether DNS-over-HTTPS or DNS-over-TLS are introduced? (Is there a difference?) What does this mean for the power of private firms vis-a-vis the state?
- The UK’s Internet blocking regime is heavily built on DNS blocking. Should this be considered when encrypted DNS is introduced? Who should consider it, and how? Is this complicated by the international nature of the Internet, and if so, how?
- See a 20min Lawscast on DNS, as the lecture on the topic falls after the tutorial for some - available on the Moodle page.
- Compulsory Debate in Hansard on “Internet Encryption” (citation: HL Deb 14 May 2019, vol 797, cols 1492–1495) OA link
- Compulsory Open Rights Group, ‘DNS Security — Getting it Right’ (24 June 2019) OA link (you don’t need to understand all the technical elements of this, but try to follow as the report is written with legal and policy actors and implications in mind).
- Compulsory Internet Watch Foundation, ‘Briefing on DNS-over-HTTPS’ OA link
- Recommended Vijay Gurbani and others, ‘When DNS Goes Dark: Understanding Privacy and Shaping Policy of an Evolving Protocol’ (2021) TPRC48: The 48th Research Conference on Communication, Information and Internet Policy. OA-ish link
- This is a useful academic paper going a little deeper than the ORG work into the different protocols and some of the broader implications of them.
- Optional Tanya Verma and Sudheesh Singanamalla, ‘Improving DNS Privacy with Oblivious DoH in 220.127.116.11’ (The Cloudflare Blog, 12 August 2020) OA link
- This blog outlines a protocol even newer than DoH or DoT, which also seeks to obscure the identity of the computer querying a website from the DNS resolver (e.g. Cloudflare, Google, or your ISP). You may not understand it all but see if you can understand the rough outline of how and why it works.
S3: Net Neutrality: A Series of Tubes?
October 18 2021
| (_()| .-.
\\_ _/_/ \
|| | | |
||/ \ |
/` .-||-. internet is just
'-/`.____.`\ dumb pipes?
- In which ways are internet access providers like historical common carriers — and in which ways are they not?
- Are you convinced by the human rights issues with zero rating? Do they apply similarly to all forms of zero rating, or should some forms be permissible? Under what conditions?
- How do net neutrality laws sit with the emerging (and arguably not empirically ‘neutral’) architecture of the internet, such as content delivery networks?
- Is net neutrality still an important principle to fight for online, or has it been displaced by other concerns?
Bonus Watch the early viral 2006 YouTube remix ‘Series of Tubes’, mocking the anti-net neutrality speech by Sen. Ted Stevens (R-Alaska) (obituary on it here).
- Compulsory Christopher T Marsden, ‘Introduction: neutrality, discrimination and common carriage’, in Network Neutrality: From Policy to Law to Regulation (Manchester University Press 2017). OA link
- This chapter outlines the broad debate and shape of net neutrality issues - what is at stake, and what are the main developments and actors?
- Compulsory Toussaint Nothias, ‘Access Granted: Facebook’s Free Basics in Africa’ (2020) 42 Media, Culture & Society 329. OA link
- This article focusses on net neutrality issues in relation to Facebook’s mobile offering on the African continent, documenting some of the civil society twists and turns concerning it.
- Recommended William Lehr and others, ‘Whither the Public Internet?’ (2019) 9 Journal of Information Policy 1. read: pages 1-20 OA link
- This article introduces three ‘lenses’ on the Internet - what do we, consumers, businesses, other actors, really mean when we say we are seeking to regulate the Internet?
- Optional Christopher T Marsden, Network Neutrality: From Policy to Law to Regulation (Manchester University Press 2017). OA link
- The whole book beyond the Introduction is very useful, in particular, Chapter 5 (Three Wise Monkeys of Net Neutrality) and Chapter 7 (Zero Rating).
- Recommended Helani Galpaya, ‘Zero-Rating in Emerging Economies’  Global Commission on Internet Governance Paper Series, Chatham House (No 47). OA link
- Optional Julianne Romanosky and Marshini Chetty, ‘Understanding the Use and Impact of the Zero-Rated Free Basics Platform in South Africa’ in (ACM Press 2018) Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems - CHI ’18. OA link
- Optional Peter Cihon and Helani Galpaya, ‘Navigating the Walled Garden: Free and Subsidized Data Use in Myanmar’ (LIRNEasia, 2017) OA link
- See chapters in Luca Belli and Primavera De Filippi (eds), Net Neutrality Compendium (Springer 2016).
- Recommended One of
- Case C‑34/20 Telekom Deutschland GmbH ECLI:EU:C:2021:677;
- Case C‑854/19 Vodaphone (Roaming) ECLI:EU:C:2021:675;
- Case C‑5/20 Vodafone (Tethering) ECLI:EU:C:2021:676.
- (They are effectively all the same and were delivered on the same day)
- Optional Joined Cases C-807/18 and C-39/19 Telenor Magyarország Zrt v Nemzeti Média- és Hírközlési Hatóság Elnöke, ECLI:EU:C:2020:708.
- Compulsory Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access and amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union, OJ L 310/1, recitals 1-17 and art 3.
- Optional The Open Internet Access (EU Regulation) Regulations 2016.
- Subordinate legislation to the above EU Regulation, which is part of retained direct EU legislation in EU law. It has been amended by The Open Internet Access (Amendment etc.) (EU Exit) Regulations 2018 to remove references to e.g. BEREC.
T2: Age Verification and its Discontents
October 25 2021
,'~~^ ~\ are you really
( \\\ ,,) as old as you
\ '' ,|_ claim
` C .-' ---
` , _ ' | |
,--~, | |
/~ \ | |-\
/ . ~/--, |_|__|_____
, .__~-_--__\__ |
|___/ ,/\ /~|_______________|
\\_____-\\///~ || ||
- What are the practical challenges of regulating to ensure that children cannot access pornographic material?
- What are the implications of a country implementing an age verification law? How might it be enforced? What are the wider consequences for the functioning of the Internet?
- Was the UK right to abandon its 2017 plans? What should happen next?
I suggest you do the Compulsory reading and research the questions above using a mix of the Optional reading and your own research skills.
- Compulsory John Woodhouse, Online pornography: age verification (House of Commons Library Briefing Paper Number 8551, 18 October 2019) link
- Recommended TJ McIntyre, ‘Internet Censorship in the United Kingdom’ in Lilian Edwards (ed.) Law, Policy and the Internet (Hart 2019) OA link particularly page 17-23 of the OA preprint link, page 309-315 of the physical book
- Optional Digital Economy Act 2017, Part 3. note that this Part has not yet been commenced pursuant to s 118..
- Optional Open Rights Group Wiki, ‘Age Verification’ OA link
- Optional NSPCC, ‘Age Verification in the Digital Economy Bill’ (Evidence Submitted to the Digital Economy Act Public Bill Committee, House of Commons 2016) OA link
- Optional GCHQ, DCMS and Home Office, ‘VoCO (Verification of Children Online) Phase 2 Report’ (HM Government, November 2020) OA link mostly focus on the sections on the techniques of ‘age assurance’ and skim.
- Optional Information Commissioner’s Office, ‘Age appropriate application’ in Age Appropriate Design Code OA link
- This is a statutory code made by the ICO under the Data Protection Act 2018. Some have argued that since it came into force in 2021, it has led to some changes amongst the largest platform companies. See e.g. Alex Hern, ‘Social media giants increase global child safety after UK regulations introduced’ (The Guardian 5 September 2021) OA link
October 25 2021
[ -=.]`) who intermediates
====== 0 your messages?
- What was the initial logic behind intermediary liability laws? Was that logic legitimate at the time, and does it remain so today?
- What factors have the CJEU indicated do not compromise the shielding of intermediaries? Do you agree with these judgments?
- What is the concept of neutrality the CJEU has built? Are modern platforms neutral in this way?
Articles and Chapters
- Compulsory Lilian Edwards, ‘“With Great Power Comes Great Responsibility?”: The Rise of Platform Liability’ in Lilian Edwards (ed), Law, Policy, and the Internet (Hart Publishing 2019). UCL link
- Recommended Aleksandra Kuczerawy, ‘From “Notice and Take Down” to “Notice and Stay Down”: Risks and Safeguards for Freedom of Expression’ in The Oxford Handbook of Intermediary Liability Online (Oxford University Press 2020). OA-ish link / UCL link
- Recommended Jennifer Urban and others, ‘Notice and Takedown in Everyday Practice’ (UC Berkeley Public Law Research Paper No. 2755628, 2017) OA link read the introduction & executive summary (pp 1-13) and delve into the bits that interest you - it’s a long report.
- Optional Ben Wagner and others, ‘Regulating Transparency? Facebook, Twitter and the German Network Enforcement Act’ (2020) Proceedings of the 2020 Conference on Fairness, Accountability, and Transparency. OA-ish link / UCL link / 8 min talk on the paper
- Optional Sophie Stalla-Bourdillon, ‘Internet Intermediaries as Responsible Actors? Why It Is Time to Rethink the E-Commerce Directive as Well’ in Mariarosaria Taddeo and Luciano Floridi (eds), The Responsibilities of Online Service Providers (Springer 2017). OA-ish link / UCL link
- Optional Graham Smith, ‘5.6 Liability of Online Intermediaries’ in Internet Law and Regulation (Sweet and Maxwell 2020) Book available on Westlaw UK
- Optional Nico van Eijk and others, Hosting Intermediary Services and Illegal Content Online: An Analysis of the Scope of Article 14 ECD in Light of Developments in the Online Service Landscape : Final Report. (European Commission 2019). OA link
- Recommended One of
- Case C‑70/10 Scarlet Extended ECLI:EU:C:2011:771 (relates to mere conduits)
- Case C-360/10 Netlog ECLI:EU:C:2012:85 (same issue as Scarlet, relates to hosting on Netlog, a now-defunct Belgian social network)
- Recommended Joined Cases C-236/08 and C-238/08 Google France ECLI:EU:C:2010:159 focus on paras 22-32 and 106-120, you don’t need to understand the relevant trademark law.
- Recommended Case C‑324/09 L’Oréal SA v eBay ECLI:EU:C:2011:474
- Optional Case C-314/2 Telekabel ECLI:EU:C:2014:192 paras 26-50, 106-114
- Optional Case C-484/14 Mc Fadden ECLI:EU:C:2016:689
- Compulsory Case C-682/18 YouTube and Cyando ECLI:EU:C:2021:503 paras 18-39, 103-118.
Tip Reading the Advocate General opinions for these cases can elaborate on how they link to previous case law, and they are written in a less robotic way than the CJEU (although remember that the Court does not always follow the reasoning of the AG.) You can access these on the CJEU’s own webpage using the Curia search by entering the case number.
- Optional Godfrey v Demon Internet Ltd  EMLR 542
- Optional Payam Tamiz v Google Inc  EWCA Civ 68
- Optional Cartier International AG & Ors v British Telecommunications Plc & Anor  UKSC 28
European Court of Human Rights
- Compulsory Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’)  OJ L 178/1 (focus on recitals 40-49, arts 1, 12–15).
- Recommended 47 U.S.C. 230(c) (‘Section 230’) OA link
- Optional The Electronic Commerce (EC Directive) Regulations 2002 OA link
- these are currently the same as the EU ECD at the time of writing; this is for reference purposes only.
S5: General Monitoring: The Blindfold is Off?
November 1 2021
| illegal content |;
'\ / ;
\\`. .' /
/ / /
/ / /
/ / /
/ / /
/ / / or is it?
/ / /
/ / /
/ / /
/ / /
- Why might a prohibition on general monitoring obligations be justified? What kind of issues it is trying to prevent?
- Has the CJEU changed its understanding of general monitoring over time? What are the arguments for and against this kind of change?
- Is it easy to search for illegal content now we have more advanced technologies to help us do it? What can go wrong? Is it just a matter of time before they become good enough?
- Compulsory Joris Van Hoboken and Daphne Keller, ‘Design Principles for Intermediary Liability Laws’ (Transatlantic High Level Working Group on Content Moderation Online and Freedom of Expression Working Paper, 8 October 2019) OA link
- Compulsory Robert Gorwa, Reuben Binns and Christian Katzenbach, ‘Algorithmic Content Moderation: Technical and Political Challenges in the Automation of Platform Governance’ (2020) 7 Big Data & Society 2053951719897945. OA link
- Recommended Daphne Keller, ‘Facebook Filters, Fundamental Rights, and the CJEU’s Glawischnig-Piesczek Ruling’ (2020) 69 GRUR Int 616. paywall link / UCL link
- Recommended Martin Senftleben and Christina Angelopoulos, ‘The Odyssey of the Prohibition on General Monitoring Obligations on the Way to the Digital Services Act’ (University of Amsterdam and CIPIL Working Paper, October 2020) OA link
- Recommended Aleksandra Kuczerawy, ‘General Monitoring Obligations: A New Cornerstone of Internet Regulation in the EU?’ in Rethinking IT and IP Law - Celebrating 30 years CiTiP (Intersentia 2019). OAish link
- Recommended Giovanni Sartor, ‘The Impact of Algorithms for Online Content Filtering or Moderation: Upload Filters’ (European Parliament 2020) OA link.
- Optional Maayan Perel and Niva Elkin-Koren, ‘Accountability in Algorithmic Copyright Enforcement’ (2015) 19 Stan Tech L Rev 473. OA link
- Optional Graham Smith, ‘5.6 Liability of Online Intermediaries’ in Internet Law and Regulation (Sweet and Maxwell 2020) Book available on Westlaw UK
- Optional Giancarlo Frosio (ed.) _Oxford Handbook of Online Intermediary Liability*_(Oxford University Press 2020) Closed access DOI UCL link
- Compulsory Case C-18/18 Glawischnig-Piesczek v Facebook ECLI:EU:C:2019:821
- Recommended One of
- Case C‑70/10 Scarlet Extended ECLI:EU:C:2011:771 (relates to mere conduits)
- Case C-360/10 Netlog ECLI:EU:C:2012:85 (same issue as Scarlet, relates to hosting on Netlog, a now-defunct Belgian social network)
- Optional Case C-314/2 Telekabel ECLI:EU:C:2014:192 paras 26-50, 106-114
- Optional Case C-484/14 Tobias Mc Fadden v Sony Music Entertainment Germany GmbH ECLI:EU:C:2016:689.
##### ###### ## ##### # # # #### # # ###### ###### # #
# # # # # # # # ## # # # # # # # # #
# # ##### # # # # # # # # # # # ##### ##### ####
##### # ###### # # # # # # # ### # ## # # # # #
# # # # # # # # # ## # # ## ## # # # #
# # ###### # # ##### # # # #### # # ###### ###### # #
S6: Because You Attended the Last Seminar, You Might Like: Regulating Recommending
- Are algorithmic systems essential to deliver content online today? Is there a world without recommenders, or one where they are neutral? In what interfaces or media are they most important?
- What kind of logics might be built into recommender systems? What kind of information about the content, or the users, might you need to do this, and where does this information come from?
- Are recommender systems a good target for regulation of online content? What are the potential benefits, and what are the risks?
- How is being ‘shadow banned’ from a recommender similar or different to being removed from a hosting platform?
- Compulsory Paddy Leerssen, ‘The Soap Box as a Black Box: Regulating Transparency in Social Media Recommender Systems’ (2020) 11 EJLT 2. OA link
- Recommended Ulrik Lyngs and others, ‘So, Tell Me What Users Want, What They Really, Really Want!’ in Extended Abstracts of the 2018 CHI Conference on Human Factors in Computing Systems (CHI EA ’18, New York, NY, USA, ACM 2018). OA link
- Compulsory Jennifer Cobbe and Jatinder Singh, ‘Regulating Recommending: Motivations, Considerations, and Principles’ (2019) 10 EJLT. OA link
- Recommended Axel Bruns, ‘Filter Bubble’ (2019) 8 Internet Policy Review. OA link
- Optional Daphne Keller, ‘Amplification and Its Discontents: Why Regulating the Reach of Online Content Is Hard’ (2021) 1 Journal of Free Speech Law 227. OA link
- Optional Nick Seaver, ‘Captivating Algorithms: Recommender Systems as Traps’ (2019) 24 Journal of Material Culture 421. OA link
- Optional Natali Helberger and others, ‘Exposure Diversity as a Design Principle for Recommender Systems’ (2018) 21 Information, Communication & Society 191. OA link
- Compulsory Draft Bill European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and Amending Directive 2000/31/EC (COM(2020) 825 Final)’ (15 December 2020). look at article 29.
- Compulsory Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services OJ L 186/57 (‘P2B Regulation’). look at article 5
T3: Appraising Regulatory Approaches to Recommending
In this tutorial, we are going to look at some of the approaches to recommender systems proposed in current draft bills and compare them. Read the following texts. They’re different proposals made in recent months and years to regulate recommender systems - none of them have passed as of the end of 2021, but they range from highly likely to pass in some form (DSA, Online Safety Bill) to indicative of the potential form of regulation (US Congressional texts).
As you read each, assess the strengths and weaknesses of each document. What is similar or different about them? Where might they succeed and fail? Which one, if any, do you support most, and how would you adjust it if you were a legislator?
- Compulsory Draft Bill European Commission, Proposal for a Regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC Act (COM/2020/825 final) (Articles 25-33, and skim the rest as appropriate) link
- Compulsory Draft Bill ARTICLE 19, ‘Digital Services Act: ARTICLE 19 proposed amendment to Article 29 Recommender systems’ (14 May 2021) link (this is a document from a civil society group proposing a concrete amendment to the DSA)
- Compulsory Draft Bill Protecting Americans From Dangerous Algorithms Act, H.R. 8636, 116th Cong. (2020) (entire instrument, remind yourself also of the contents of s 230 CDA for context from the intermediary liability sessions) link
- Compulsory Draft Bill Filter Bubble Transparency Act, H.R. __ 117th Cong. (2021) link
- Optional Draft Bill HM Government, Online Safety Bill (2021), part 1 and part 2 (much of it repeats. Try to get the gist - it’s a big and complex instrument, and don’t get bogged down in the details.) link
S7: Platforms: Enclosing the Internet and the (long?) Road to Responsibilities
___ ,--. __________________________/ , /_______
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ,--. _ _ _ _ _
________< Responsibility?| _______________________
|| / , /
- Is it useful to try and strictly define platforms? If we do, should we define them by what they are, by what they do, or by something else?
- What challenges do platforms pose that we might want to regulate? Which do you think are the most pressing or important?
- Why is it hard to regulate platforms?
- What are some of the major areas of tension in the European intermediary liability regime when it comes to platforms?
- What are the some of the current regulatory trends to try and regulate this area? Do you think they will work — and if so, for whom?
- Compulsory Julie E Cohen, ‘Law for the Platform Economy’ (2017–18) 51 UCD L Rev 133.
- Compulsory Daithí Mac Síthigh, ‘The Road to Responsibilities: New Attitudes Towards Internet Intermediaries’ (2020) 29 Information & Communications Technology Law 1.next
- Recommended Centre for International Governance Innovation (ed.) Models for Platform Governance (CIGI 2019). OA web version OA combined PDF
- There are many essays in this collection, all short and of relevance to the topics we are discussing.
- Recommended Thomas Poell and others, ‘Platformisation’ (2019) 8 Internet Policy Review.
- Optional Robert Gorwa, ‘What is Platform Governance?’ (2019) 22 Information, Communication & Society 854.
S8: Right to Be Forgotten
O O _J""-.
.-""L_ o o /o ) \ ,';
;`, / ( o\ \ ,' ; /
\ ; `, / "-.__.'"\\_;
;_/"`.__.-" google or goldfish?
- How does the right to be forgotten function? Where did it come from?
- What kind of information and process is needed to assess a RTBF request according to the existing jurisprudence? What kind of a process might this be, and how does that compare to what we know of the processes that are used in practice?
- Who does the RTBF benefit?
- Is the balance correct in the RTBF? Should there be more or less emphasis on freedom of expression?
- Is the RTBF adequately governed? How do private decisions and judicial decisions interplay, and are there potential reforms that you might want to see implemented at this interface?
- Compulsory Andrés Guadamuz, ‘Developing a Right to Be Forgotten’ in Tatiana-Eleni Synodinou and others (eds), EU Internet Law: Regulation and Enforcement (Springer 2017). OA-ish link UCL paywall link
- An overview of some of the debates and sides people take concerning the Right to Be Forgotten.
- Recommended Aleksandra Kuczerawy and Jef Ausloos, ‘From Notice-and-Takedown to Notice-and-Delist: Implementing Google Spain’ (2015–16) 14 Colo Tech LJ 219. OA link
- A discussion of some of the roles (as they were and are emerging) of different governance actors in the run up to, and in the wake of, the judgment in Google Spain.
- Recommended Theo Bertram and others, ‘Five Years of the Right to Be Forgotten’ in (ACM 2019) Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security 959. OA link
- A scholarly article on how the RTBF has panned out from the point of view of Google employees, who authored it. Read alongside the firm’s regularly updated, quantitative Transparency Report into EU delisting on the basis of the right.
- Recommended Joris Van Hoboken, ‘Search Engine Freedom’ in Search Engine Freedom: On the Implications of the Right to Freedom of Expression for the Legal Governance of Web Search Engines (University of Amsterdam 2012) pp 168-213. OA link
- A discussion of the theoretical and legal manners in which freedom of expression applies to search engines, given their crucial role in enabling access to information. Pre-dates Google Spain, although not the debates about the RTBF.
- Optional Jean-François Blanchette and Deborah G Johnson, ‘Data Retention and the Panoptic Society: The Social Benefits of Forgetfulness’ (2002) 18 The Information Society 33. OA link paywalled, typeset link
- A less legal view of why we might want a right to be forgotten from the standpoint of privacy.
- Optional Tarleton Gillespie, ‘To Remove or to Filter?’ in Custodians of the Internet (Yale University Press 2018). UCL link (paywalled)
- A broader discussion of the different tactics that internet intermediaries, and particularly platforms, use to limit the distribution of content online.
- Optional David Erdos, ‘The “Right to Be Forgotten” beyond the EU: An Analysis of Wider G20 Regulatory Action and Potential Next Steps’ (2021) 13 Journal of Media Law 1. OA-ish link UCL link
- Examines how similar rights to be forgotten work in jurisdiction including Canada, Turkey and Australia.
- Optional Stefan Kulk and Frederik Zuiderveen Borgesius, ‘Privacy, Freedom of Expression, and the Right to Be Forgotten in Europe’ in Evan Selinger and others (eds), The Cambridge Handbook of Consumer Privacy (Cambridge University Press 2018). OA-ish link UCL paywall link
- A useful introduction to how freedom of expression is balanced by the CJEU and ECtHR, focussing on the right to be forgotten. Overlaps otherwise in terms of content with Guadamuz 2017.
- Optional European Data Protection Board, Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (EDPB 2020) OA link
- Guidance from the European regulators in charge of enforcing Google Spain and the Right to Erasure. See also the commentary on these guidelines by David Erdos, University of Cambridge.
- Optional Access Now, Understanding the Right to Be Forgotten Globally (Access Now 2017) OA link
- A short policy paper from an NGO indicating the surrounding conditions and a safeguard wishlist for global implementation of a right to be delisted on privacy grounds.
- Optional Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, art 17.
- We will look at the statutory data protection regime, its scope and functioning, in much more detail in Term 2.
- Compulsory Case C-131/12 Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González ECLI:EU:C:2014:317.
- Compulsory Case C‑136/17 GC and Others v Commission nationale de l’informatique et des libertés (CNIL) ECLI:EU:C:2019:773.
- Compulsory Case C‑507/17 Google LLC v Commission nationale de l’informatique et des libertés (CNIL) ECLI:EU:C:2019:772.
It may help to read a few case comments on GC and Others and Google v CNIL if you are struggling with them. You can search these out on Westlaw, Google Scholar or just the plain old search engine of your choice.
- Recommended NT1 & NT2 v Google LLC  EWHC 799 (QB). BAILII
- The first Google Spain case applied by English courts. One applicant had his delisting refusal by Google overturned by the High Court, and one had it confirmed. What was the difference between them?
S9: Algorithms and Machine Learning
- What is machine learning, and how, in broad terms, does it work?
- Why might people want to make machine learning ‘intelligible’, and why is it difficult in practice?
- Why is their concern about the ‘fairness’ of machine learning systems? How much of this issue is a specific challenged faced by machine learning, and how much represents deeper societal tensions? Why might algorithms surface some of these tensions?
- What societal challenges relating to the use of technology are groups solving by ‘debiasing’ or ‘explaining’ algorithms, and which challenges remain less affected by these methods?
- Compulsory The Royal Society, Machine Learning: The Power and Promise of Computers that Learn by Example (April 2017). OA link pages 19-31.
- This is a policy report from the UK’s main academy of science which explains what machine learning is from a computational point of view for a policy audience, and demystifies some of the main terms.
- Compulsory Jennifer Wortman Vaughan and Hanna Wallach, ‘A Human-Centered Agenda for Intelligible Machine Learning’ in Marcello Pelillo and Teresa Scantamburlo (eds), Machines We Trust: Perspectives on Dependable AI (MIT Press 2021). OA link | UCL link
- Compulsory Reuben Binns, ‘Fairness in Machine Learning: Lessons from Political Philosophy’ (2018) 81 Proceedings of Machine Learning Research: Conference on Fairness, Accountability and Transparency (FAT) 2018 149-159. OA link
- Recommended Andrew D Selbst and others, ‘Fairness and Abstraction in Sociotechnical Systems’ in Proceedings of the Conference on Fairness, Accountability, and Transparency (FAT* ’19, New York, NY, USA, ACM 2019). OA link
- Recommended ‘Alternative framings for AI policymakers’ in Agathe Balayn and Seda Gürses, Beyond Debiasing: Regulating AI and Its Inequalities (European Digital Rights (EDRi), 2021) pages 81-110. OA link
- Recommended Emily M Bender, Timnit Gebru, Angelina McMillan-Major and ‘Shmargaret Shmitchell’, ‘On the Dangers of Stochastic Parrots: Can Language Models Be Too Big?’ (2021) Proceedings of the 2021 ACM Conference on Fairness, Accountability and Transparency in Computing Systems (FAccT 2021) 610. OA link
- Optional Oscar H Gandy Jr., ‘Information and Power’ in The Panoptic Sort (first published 1993, Oxford University Press 2021). UCL link
- Optional Jevan A Hutson and others, ‘Debiasing Desire: Addressing Bias & Discrimination on Intimate Platforms’ (2018) 2 Proc ACM Hum-Comput Interact 73:1. OA link
- Optional Nithya Sambasivan and others, ‘Re-Imagining Algorithmic Fairness in India and Beyond’ (2021) Proceedings of the Conference on Fairness, Accountability, and Transparency. OA link
- Optional Lily Hu, ‘Direct Effects’ (Phenomenal World, 25 September 2020) https://phenomenalworld.org/analysis/direct-effects accessed 11 April 2021.
T4: Algorithms and Automated Hiring
- What are the different forms of the use of algorithms in the domain of hiring?
- What social issues do they bring?
- What roles might law have in addressing these issues? Which issues are easier to fix, and which are harder? What choices would need to be made by a regulatory regime addressing the challenges of automation in the area of hiring, who should make them and how should they be made and enforced?
- Compulsory Javier Sánchez-Monedero and others, ‘What Does It Mean to “solve” the Problem of Discrimination in Hiring?: Social, Technical and Legal Perspectives from the UK on Automated Hiring Systems’ in (ACM 27 January 2020) Proceedings of the 2020 Conference on Fairness, Accountability, and Transparency 458. OA link
- Compulsory Miranda Bogen and Aaron Rieke, Help Wanted - An Exploration of Hiring Algorithms, Equity and Bias (Upturn 2018)
S10: Computer Says No? Machine Learning and Automated Decision-making
- What are the main issues concerning algorithms that require governance? What has the last few years indicated are the most pressing of them, and which might be the most pressing in the future?
- Should we be worried about algorithms, or “decisions”, both or neither?
- How can we reconcile the purpose of Article 22 with the rest of the GDPR? Does it connect to form a coherent whole, or does it not make sense?
- Is Article 22 a relic that will fail to govern algorithms going forward, or is there hope that it can be usefully repurposed? If so, as a simple safety net, or an active tool of governance?
- Are there simple changes, or court interpretations, that might make the governance of algorithms through the GDPR function more effectively? Which? Are they likely without new legislation?
- Compulsory Margot E Kaminski, ‘Binary Governance: Lessons from the GDPR’s Approach to Algorithmic Accountability’ (2019) 92 Southern California Law Review OA link
- Compulsory Reuben Binns and Michael Veale, ‘Is that Your Final Decision? Multi-Stage Profiling, Selective Effects, and Article 22 of the GDPR’  International Data Privacy Law OA link
- Compulsory Andrew D Selbst and others, ‘Fairness and Abstraction in Sociotechnical Systems’ in Proceedings of the Conference on Fairness, Accountability, and Transparency (FAT* ’19, New York, NY, USA, ACM 2019). OA link
- Recommended Lilian Edwards and Michael Veale, ‘Slave to the Algorithm? Why a “Right to an Explanation” Is Probably Not the Remedy You Are Looking For’ (2017) 16 Duke Law & Technology Review 18 OA link
- Recommended Andrew Selbst and Solon Barocas, ‘The Intuitive Appeal of Explainable Machines’ (2018) 87 Fordham Law Review 1085 OA link.
- Recommended Mireille Hildebrandt, ‘Privacy as Protection of the Incomputable Self: From Agnostic to Agonistic Machine Learning’ (2019) 20 Theoretical Inquiries in Law 83. OA link
- Optional Margot E Kaminski, ‘The Right to Explanation, Explained’ (2019) 34 Berkeley Technology Law Journal OA link
- Optional Luca Tosoni, ‘The Right to Object to Automated Individual Decisions: Resolving the Ambiguity of Article 22(1) of the General Data Protection Regulation’ (2021) 11 International Data Privacy Law 145. OA-ish link UCL link
- Optional Andrew D Selbst and Julia Powles, ‘Meaningful Information and the Right to Explanation’ (2017) 7 International Data Privacy Law 233. OA link
- Optional Sandra Wachter and others, ‘Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation’ (2017) 7 International Data Privacy Law 76. OA link
- Compulsory Article 29 Working Party, ‘Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679 (WP251rev.01)’ (6 February 2018) alongside article 15, 22, recital 71, GDPR — just skim read the guidance.
- Optional Information Commissioner’s Office, ‘Guidance on AI and data protection’ (2021) link
- Compulsory General Data Protection Regulation (GDPR), articles 15, 21, 22, recital 71.
S11: Protecting Privacy Online: A Historical and Theoretical Introduction
Lecturer: Jeevan Hariharan, Associate Lecturer, UCL Laws
|LI //# \\ |*
| \\__// |
| '--' |
Privacy and data protection are at the heart of internet law and privacy. But what exactly is privacy and why is it important? What is the connection between privacy and data protection? And in what ways are privacy and data protected under UK law? This seminar aims to address these and other foundational questions about privacy and data protection. In the pre-seminar lawcasts and the seminar, we will look at four matters in particular:
- We will consider the historical context behind the concepts of privacy and data protection.
- We will look at the broad framework for the protection of privacy and data protection under UK law.
- We will ask some important conceptual questions about what privacy is and how it connects with data protection.
- We will look at why privacy and data protection are important (or, put another way, the values that each serves). And we will also think about the clash between privacy and other values.
The overall purpose of the class is to get you thinking about privacy and data protection in a theoretical way, which will be helpful as you move through the rest of the course. As such, this is a week to provide you with some useful background, which you can think about applying in a more practical way in subsequent weeks.
- Compulsory Samuel D Warren and Louis D Brandeis, ‘The Right to Privacy’ (1890) 4 Harvard Law Review 193 OA link
- Compulsory Daniel J Solove, ‘I’ve Got Nothing to Hide and Other Misunderstandings of Privacy’ (2007) 44 San Diego L Rev 745. OA link
- Compulsory Orla Lynskey, ‘Courts, Privacy and Data Protection in the UK: Why Two Wrongs Don’t Make a Right’ in Courts, Privacy and Data Protection in the Digital Environment (Edward Elgar Publishing 2017) UCL link
- Recommended Judith DeCew, ‘Privacy’ in Edward N Zalta (ed), The Stanford Encyclopedia of Philosophy (Stanford University 2018) OA link
- Recommended Julie E Cohen, ‘What Privacy is For’ (2012–13) 126 Harv L Rev 1904 OA link
- Optional Lilian Edwards (ed), ‘Privacy and Data Protection 1: What is Privacy? Human Right, National Law, Global Problem’ in Law, Policy, and the Internet (Hart Publishing 2019) (available from library in physical form).
- Optional Recommended European Union Agency for Fundamental Rights and others, Handbook on European Data Protection Law (Publications Office of the European Union 2018), chapter 1. OA link
- Recommended Kaye v Robertson  FSR 62 link
- Recommended Wainwright v Home Office  UKHL 53,  2 AC 406 (see particularly paragraphs - from Lord Hoffman’s judgment) link
- Recommended Campbell v MGN Ltd  UKHL 22,  AC 457 (see particularly paragraphs - from Lord Nicholl’s judgment) link
- Optional Episode 15 of Constitutional on ‘Privacy’. It includes some very useful background and further detail, particularly on Warren and Brandeis’ article, and why it is relevant today. link
S12: Data Protection: Form and Function
In this session, we introduce a parallel but interwoven regime to privacy and private life: data protection. Lynskey introduces where data protection came from, what is does, and how it relates to privacy. Her book was written before the passing of the General Data Protection Regulation, which builds on previous privacy statutes; this is the topic of Hoofnagle and others, who seek to summarise the Regulation. You should also read the GDPR alongside this article as appropriate.
Further readings look at the history of data protection law (González Fuster), and elaborate theoretically on the functioning of data protection and its place within the EU legal order (Lynskey, Ausloos).
Think while reading about what data protection seeks to do and protect. How does it secure the aims we discussed when considering privacy? What other ends does it pursue, or ways might it protect or empower people? Is it a subset of privacy, or a separate, complementary regime? How many of the rights and obligations were you aware of, and how does the text of data protection law relate to the practices of firms and governments that you are aware of?
- Compulsory Orla Lynskey, ‘The Key Characteristics of the EU Data Protection Regime’ and ‘The Link between Data Protection and Privacy in the EU Legal Order’ in The Foundations of EU Data Protection Law (Oxford University Press 2015) UCL link
- Compulsory Chris Jay Hoofnagle and others, ‘The European Union General Data Protection Regulation: What It Is and What It Means’ (2019) 28 Information & Communications Technology Law 65 OA link
- Recommended Gloria González Fuster, ‘The Materialisation of Data Protection in International Instruments’ in The Emergence of Personal Data Protection as a Fundamental Right of the EU (Springer 2014) UCL link
- Recommended Orla Lynskey, The Foundations of EU Data Protection Law (Oxford University Press 2015) UCL link
- Optional Jef Ausloos, ‘Foundations of Data Protection Law’ in The Right to Erasure in EU Data Protection Law: From Individual Rights to Effective Protection (Oxford University Press 2020) UCL link
- Optional European Court of Human Rights, Guide to the Case Law of the European Court of Human Rights: Data Protection (Council of Europe, updated regularly) (look at relevant parts to bolster your understanding) OA link
- Compulsory Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1. Read this alongside the Hoofnagle and others article. You do not need to read all of the recitals yet, and this takes most of the length out; but they do help shine light on the main articles, and are important interpretative tools, so refer back as appropriate.
- Compulsory Charter of Fundamental Rights of the European Union, articles 7–8.
T5: Gender, Sexual Privacy and the Internet
Tutorials led this week by Jeevan Hariharan
In class, we will be discussing the following issues:
- Conceptual issues: What is ‘image-based sexual abuse’? What are the wrongs and harms of such abuse identified by McGlynn and Rackley and in the Law Commission Consultation Paper? Why might it be important to think about this issue separately from other types of privacy violations, especially in the online context?
- The law: How is ‘image-based sexual abuse’ currently dealt with under English law? Are these protections fit for purpose given the way such abuse is perpetuated online? What is the Law Commission’s current approach to legal reform in this area? Do you agree with the Law Commission’s broad approach and the specific offences that have been suggested?
Some questions to think about on the further reading (we won’t have time to address these in class, but may touch on these points when discussing the questions above):
- What are ‘intimate threats’, as characterised by Levy and Schneier? How should law and policy makers think about ameliorating or protecting against such threats? In particular, what can be done at the level of engineering and product design?
- Do you agree with Danielle Keats Citron that ‘sexual privacy’ is a distinct category of privacy interests and that traditional privacy law is ill-equipped to protect this interest? If so, what implications might that have for law and policy makers in this jurisdiction e.g. in the context of intermediary liability and the regulation of platforms?
- Compulsory Clare McGlynn and Erika Rackley, ‘Image-Based Sexual Abuse’ (2017) 37 Oxford Journal of Legal Studies 534
- Recommended Karen Levy and Bruce Schneier, ‘Privacy Threats in Intimate Relationships’ (2020) 6 J Cyber Security OA link - as an alternative to reading this paper you can watch Karen Levy’s talk on the paper from HotPETS 2020
- Recommended Danielle Keats Citron, ‘Sexual Privacy’ (2019) 128 Yale Law Journal OA link
- Optional Diana Freed and others, ‘“A Stalker’s Paradise”: How Intimate Partner Abusers Exploit Technology’ in Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems (CHI ’18, New York, NY, USA, ACM 2018) OA link
- Compulsory Law Commission’s current project on Intimate Image Abuse. The Consultation Paper (CP) is very long (and you do not need to read it in full for this class). Before the seminar, have a look at the project website itself and the summary of the CP. Please also have a quick skim through Chapters 3 and 5 of the CP.
S13: The Law of Everything? Anonymisation and the Scope of Personal Data
One of the main concepts in data protection is the concept of personal data. The boundaries of this concept have been hotly contested, and are an important point of interaction for law, policy, computer and data science alike; all of these disciplines work on this issue intensely. McAuley describes why computer scientists find anonymisation difficult to achieve. Purtova argues that the CJEU has interpreted the GDPR in an expansive manner which has led an unmanageable array of information types to be classifiable as personal data (but compare to optional reading, Dalla Corte, who critiques this reading). Elliot and others propose a different approach, which looks at the risk of data to be reidentified in its environment. What would be the benefits or risks of adopting this approach? You should also read the Breyer case, which is looked at considerably in the Purtova article.
You may also choose to read further reading, such as a technical analyis of why it is difficult or impossible to anonymise some types of location data from the perspective of computer science by de Montjoye and others, the application to smart environments and technologies by Gellert. You should also consider the household exemption, part of the scope of data protection law, which is importantly limited by the cases Lindqvist and Ryneš.
How should a controller in practice go about considering what is personal data or not? How might this differ for different types of data — text; location; tabular data; video data or photographs? Is there a good balance between personal or non personal data classification that is possible, or will any approach inevitably be gamed and abused? If so, is there a way out of this quandary?
- Compulsory Nadezhda Purtova, ‘The Law of Everything. Broad Concept of Personal Data and Future of EU Data Protection Law’ (2018) 10 Law, Innovation and Technology 40 OA link
- Compulsory Michèle Finck and Frank Pallas, ‘They Who Must Not Be Identified—Distinguishing Personal from Non-Personal Data under the GDPR’ (2020) 10 International Data Privacy Law 11. OA link
- Recommended Mark Elliot and others, ‘Functional Anonymisation: Personal Data and the Data Environment’ (2018) 34 Computer Law & Security Review 204. OA preprint link / UCL typeset link
- Recommended Lorenzo Dalla Corte, ‘Scoping Personal Data: Towards a Nuanced Interpretation of the Material Scope of EU Data Protection Law’ (2019) 10 European Journal of Law and Technology. OA link
- Recommended Raphaël Gellert, ‘Personal Data’s Ever-Expanding Scope in Smart Environments and Possible Path(s) for Regulating Emerging Digital Technologies’ (2021) 11 International Data Privacy Law 196. UCL typeset link / OA preprint
- Optional Yves-Alexandre de Montjoye and others, ‘Unique in the Crowd: The Privacy Bounds of Human Mobility’ (2013) 3 Scientific Reports 1376. OA link
- Optional Draft Guidance Information Commissioner’s Office (2021), ICO call for views: Anonymisation, pseudonymisation and privacy enhancing technologies guidance OA link
- Optional Benjamin Wong, ‘Delimiting the Concept of Personal Data after the GDPR’ (2019) 39 Legal Studies 517. UCL link
- Optional Michael Veale, Reuben Binns and Lilian Edwards, ‘Algorithms that Remember: Model Inversion Attacks and Data Protection Law’ (2018) 376 Phil Trans R Soc A 20180083. OA link
- Compulsory Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland ECLI:EU:C:2016:779 (on the identifiability of personal data)
- Recommended Case C‑434/16 Nowak ECLI:EU:C:2017:994 (on exam scripts and comments)
- Recommended Case C-101/01 Lindqvist EU:C:2003:596 (on the scope of the household exemption)
- Recommended Case C‑212/13 Ryneš ECLI:EU:C:2014:2428. (on a CCTV camera on a house and the household exemption)
- Optional Durant v Financial Services Authority  EWCA Civ 1746.
- Optional Edem v The Information Commissioner & Anor  EWCA Civ 92
- Optional Secretary of State for the Home Department & Anor v TLU & Anor  EWHC 2217 (QB).
- Compulsory GDPR, recitals 26-30, arts 2, 4(1).
S14: Revenge of the Cookie Monster
Somebody is prying through your files, probably
Somebody's hand is in your tin of Netscape magic cookies
But relax: if you're an interesting person
Morally good in your acts
You have nothing to fear from facts
The Age of Infomation (Momus, 1997)
Cookie pop ups when you browse the web are hardly anything new to most Internet users, particularly in Europe. But what exactly are cookies? How do they something that we should be concerned about? How does the law understand cookies, and how has that developed over time? In the session, we’re going to try and get some answers to some of these questions. While reading and examining the below, it will be good to think about the following questions:
- What conceptual role do cookies play in online tracking and profiling?
- Consent is a large part of the way that we govern cookies in Europe. But is it a good way to do this? What would the alternatives look like, and in what ways would they be better or worse?
- If many of the ways the cookies are used on the Internet are currently illegal, why hasn’t anything been done about it? What are the main challenges and regulatory hurdles that prevent affective enforcement?
- Compulsory Michael Veale and Frederik Zuiderveen Borgesius, ‘Adtech and Real-Time Bidding under European Data Protection Law’ (2022) 23 German Law Journal. OA link
- Compulsory Midas Nouwens and others, ‘Dark Patterns after the GDPR: Scraping Consent Pop-Ups and Demonstrating Their Influence’ in (ACM 2020) Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI 2020). OA link
- Compulsory René Mahieu and Joris Van Hoboken, ‘Fashion-ID: Introducing a Phase-Oriented Approach to Data Protection?’ (European Law Blog, 30 September 2019) OA link
- Recommended Reuben Binns and others, ‘Third Party Tracking in the Mobile Ecosystem’ in Proceedings of the 10th ACM Conference on Web Science (WebSci ’18) (ACM 2018). OA link
- Optional Günes Acar and others, ‘The Web Never Forgets: Persistent Tracking Mechanisms in the Wild’ in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS ’14) (ACM 2014) UCL link / OA link
- Optional René Mahieu and others, Responsibility for Data Protection in a Networked World: On the Question of the Controller, “Effective and Complete Protection” and its Application to Data Access Rights in Europe, 10 (2019) JIPITEC 85
- Optional Konrad Kollnig and others, ‘Before and after GDPR: Tracking in Mobile Apps’ (2021) 10 Internet Policy Review. OA link
- Optional Information Commissioner’s Office, ‘Update Report into Adtech and Real Time Bidding’ (20 June 2019) link
- Optional Information Commissioner’s Office, ‘Data Protection and Privacy Expectations for Online Advertising Proposals’ (25 November 2021). link
- Optional CNIL (French DPA), ‘Cookies: FACEBOOK IRELAND LIMITED Fined 60 Million Euros’ (6 January 2022) link; CNIL (French DPA), ‘Cookies: GOOGLE Fined 150 Million Euros’ (6 January 2022) link. see also English language decisions within
- Compulsory Case C-210/16 Wirtschaftsakademie Schleswig-Holstein ECLI:EU:C:2018:388.
- Compulsory Case C-49/17 Fashion ID GmbH & CoKG v Verbraucherzentrale NRW eV ECLI:EU:C:2019:629.
- Optional Case C‑25/17 Jehovan todistajat ECLI:EU:C:2018:551. consider how the controllership argument might analogise
- Optional Case C-673/17 Planet49 GmbH ECLI:EU:C:2019:801.
- Optional Case C-131/12 Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González ECLI:EU:C:2014:317. particularly around questions of controllership
For both the compulsory cases it can be useful too to read the Advocate General opinions if you are unclear about the points and context: * Recommended Case C‑210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2017:796, Opinion of AG Bot. * Recommended Case C-49/17 Fashion ID GmbH & CoKG v Verbraucherzentrale NRW eV ECLI:EU:C:2018:1039, Opinion of AG Bobek.
These cases are not directly about the substance of tracking but consider the issues of a workaround concerning cookie and the ability to claim damages on that basis. They are included here mainly for completeness, but are also of interest (both the final judgments listed and the prior cases appealed) in relation to how courts understand issues of tracking.
- Optional Vidal-Hall v Google Inc  EWCA Civ 311.
- Optional Lloyd v Google LLC  3 UKSC 50.
T6: Controllership and Household Devices (or “If You Own It Then Might As Well Be A Chip In It”)
Tutorials this week led by Jeevan Hariharan.
In this tutorial, you’ll be looking at mixed questions of controllership and the personal scope of EU data protection law.
The Internet is built into more and more devices that enter our personal spheres. These might be connected domestic devices, sometimes captured by industry monikers such as the ‘smart home’ or the ‘Internet of Things’, or wearables that process data generated by or about a individual’s person while they are out-and-about.
We’ll be discussing the following questions:
- Recap: What is the household exemption, and its scope? What is (joint) controllership and what are its features?
- How conceptually useful is the Court’s test of whether processing is “directed outwards from the private setting of the person processing the data” in determining whether the household exemption applies? What tensions might you imagine would emerge from such a test?
- Does the changing definition of joint controller stand in the way of a more decentralised Internet, with fewer powerful actors?
- How could, or should, data protection deal with individuals processing personal data themselves? What are the challenges or risks of different approaches?
To prepare for this tutorial, please read one paper, and one case:
- Compulsory Jiahong Chen and others, ‘Who is Responsible for Data Processing in Smart Homes? Reconsidering Joint Controllership and the Household Exemption’ (2021) 10 International Data Privacy Law 279. OA link
- Compulsory Case C‑212/13 František Ryneš v Úřad pro ochranu osobních údajů, ECLI:EU:C:2014:2428 (Ryneš).
- Recommended Fairhurst v Woodard, Oxford Country Court, 12 October 2021 (unreported) link
S15: State Surveillance: Introducing Bulk Powers
I know that you will be
I don't know which me to be
I know that you know me better than I know me
Holly Herndon, ‘Home’ (2014), an ode to an NSA monitor using PRISM, XKEYSCORE and other tools to watch the artist as she puzzles over which identity to portray. Music video link.
In 2013, documents leaked by Edward Snowden had a transformative effect on law, business practices, and perceptions. In this first surveillance seminar, we will try to look at the bigger picture, of technologies being used and some of the human rights fights around the old and new regimes.
When reading, consider the following:
- What kind of impact on privacy is there from using content of communications? What kind from metadata?
- How might you conceptualise the ECtHR’s trend in attitudes towards bulk collection/mass surveillance regimes?
- What are the geopolitical implications of bulk collection, interception and interference practices? How does this relate to the jurisdiction and physical location of cloud companies?
- Intelligence agencies commonly argue that bulk regimes are not particularly invasive as only some material is ever selected and read by humans. Do you consider that a sufficient safeguard?
- What does surveillance of these types tell us about the role of the intermediaries we looked at previously? What powers and responsibilities do they have; how have they used these; and how should they use them?
- Compulsory David Anderson, Report of the Bulk Powers Review (Her Majesty’s Stationery Office 2016). OA link
- Compulsory Unknown Author (OPC-MCR/GCHQ), ‘HIMR Data Mining Research Problem Book’ (Contained in the Snowden Leaks, 20 September 2011) OA link
- Skim the top-secret research ‘open question’ problem book of the Heilbron Institute for Mathematical Research (University of Bristol), a GCHQ funded research centre that works on highly classified research. This book, part of the Snowden leaks, describes the kind of data and practices that GCHQ have and provide to the researchers that develop the techniques to analyse it. (some of this is very technical, I recommend pages 7-15, 51-53, 67-68. The data sources at the end, particularly pp 69–74 may also be interesting)**
- Recommended David Anderson, A Question of Trust (Her Majesty’s Stationery Office 2015). OA link
- Optional Caspar Bowden, The US Surveillance Programmes and Their Impact on EU Citizens’ Fundamental Rights (European Parliament 2013) OA link
- Recommended Phineas Rueckert, ‘Pegasus: The New Global Weapon for Silencing Journalists’ (Forbidden Stories, 18 July 2021) link.
- Recommended Caspar Bowden, The Cloud Conspiracy 2008-14 (The 31st Chaos Computer Congress, 31C3 2014) OA link
- Compulsory Browse the Snowden Archive. Look by Program, and for each entry, you can click on the news article analysing it at the bottom, or access the original PDF of the document itself.
S16: Cancelled Due to Industrial Action
T3: Cancelled Due to Industrial Action
S17: Cancelled Due to Industrial Action
S18: State Surveillance: Bulk Powers and Human Rights
Arguably the most control over state surveillance is exercised by the European Convention on Human Rights. In this session, we’re going to look at how it has understood state surveillance across the years, and some of the key tensions it has faced going forward.
- How can we characterise the way the ECtHR has or has not changed in relation to the changing nature of surveillance?
- Should courts play closer attention to the substance of surveillance powers? How?
- Is a bulk collection or interception regime a natural progression or a disjunct leap from targeted collection/interception? What is the view of the ECtHR on this?
- Should individuals be notified that they have been subject to surveillance measures, when it would not undermine investigations to do so?
- Compulsory Eleni Kosta, ‘Surveilling Masses and Unveiling Human Rights: Uneasy Choices for the Strasbourg Court’ (Inaugural Address, Tilburg Law School, 2017) <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3167723>.
- Recommended Nóra Ní Loideáin, ‘A Bridge Too Far? The Investigatory Powers Act 2016 and Human Rights Law’ in Lilian Edwards (ed), Law, Policy, and the Internet (Hart Publishing 2019). UCL link
- Recommended Bernard Keenan, ‘The Evolution Of Elucidation: The Snowden Cases Before The Investigatory Powers Tribunal’  The Modern Law Review. UCL link
- Recommended Théodore Christakis and Katia Bouslimani, ‘National Security, Surveillance, and Human Rights’, in the Oxford Handbook of the International Law of Global Security (OUP 2021). UCL link
- Recommended Eleni Kosta, ‘Algorithmic State Surveillance: Challenging the Notion of Agency in Human Rights’ (2020) Regulation & Governance. OA link
- Recommended European Court of Human Rights, Guide on Art 8 of the European Convention of Human Rights (Council of Europe, updated regularly) (look at relevant parts to bolster your understanding) OA link
- Optional Andrew Murray, ‘State Surveillance and Data Retention’ in Information Technology Law (Oxford University Press 2019). (a more simplified high-level overview)
- Optional Bart van der Sloot and Eleni Kosta, ‘Big Brother Watch and Others v UK: Lessons from the Latest Strasbourg Ruling on Bulk Surveillance Case Notes’ (2019) 5 Eur Data Prot L Rev 252.
- Optional Pierre Notermans, ‘Surveillance Measures and the Exception of National Security in the Case Law of the European Court of Human Rights’ in Human Rights in Times of Transition (Edward Elgar Publishing 2020) UCL link
- Compulsory Big Brother Watch and Others v the United Kingdom (Grand Chamber) ECLI:CE:ECHR:2021:0525JUD005817013.
- Optional Malone v the United Kingdom ECLI:CE:ECHR:1984:0802JUD000869179.
- Optional S and Marper v the United Kingdom ECLI:CE:ECHR:2008:1204JUD003056204.
- Recommended Privacy International v Secretary of State for Foreign And Commonwealth Affairs & Ors  UKIPTrib 15_110-CH.
- Recommended Liberty & Ors v GCHQ & Ors  UKIPTrib 13_77-H and Liberty & Ors v The Secretary of State for Foreign And Commonwealth Affairs & Ors  UKIPTrib 13_77-H.
T4: Data Rights
In this session, we’ll discuss the access rights made earlier. Please come having done the reading and try to bring whatever you have received in a form on your computer you can use to discuss and refer to (although no need to share it!).
Questions to consider: - What is the right of access for? What is its scope? What are its limits? - How powerful is the right of access at achieving its various purposes? - What barriers exist to make access rights useful or powerful? - What barriers did you face getting access to, or scrutinising data? How might you reform the right of access to make it more useful - or is such reform futile?
- Compulsory GDPR, arts 12, 15, 20.
- CompulsoryEuropean Data Protection Board, ‘Guidelines 01/2022 on data subject rights - Right of access’ (Version for Public Consultation, 2022) OA link
- Compulsory Jef Ausloos and Pierre Dewitte, ‘Shattering One-Way Mirrors – Data Subject Access Rights in Practice’ (2018) 8 International Data Privacy Law 4. UCL link OA link
- Optional René Mahieu, ‘The Right of Access to Personal Data: A Genealogy’ (2021) 2021 TechReg 62. OA link
- Optional Jef Ausloos and Michael Veale, ‘Researching with Data Rights’ (2020) 2020 Technology and Regulation 136.
- Optional Case C‑434/16 Nowak ECLI:EU:C:2017:994
- Optional Joined Cases C‑141/12 and C‑372/12 YS and Others ECLI:EU:C:2014:2081.
S19: Data Retention - the Never Ending Story
__i ----------- ?
Who called who, and when? When governments wish to understand what communication individuals had with each other in the past, they want somewhere to look back upon for reference. But keeping hold of all that data is expensive, and telecoms companies are loathe to do it. Enter data retention, a dynamic area of law characterised mainly by an ongoing battle between the CJEU and EU member states as to its permissible extent.
- Why does data retention fall within EU law? Should it?
- Has the Court of Justice gone too far, or has the ECHR not gone far enough?
- Do you agree that metadata might have a chilling effect on freedom of expression?
- What do you think Internet Communication Records are in the IPA? Does retaining these present additional human rights concerns? (hint: this was a novelty not present in RIPA).
- How do the safeguards proposed in La Quadrature du Net compare to other aspects of the intelligence regime (e.g. in the UK)? Which might be easy to carry out, and which might be more difficult, or represent a significant change from e.g. the safeguards in the IPA?
- Compulsory Marcin Rojszczak, ‘National Security and Retention of Telecommunications Data in Light of Recent Case Law of the European Courts’  European Constitutional Law Review. OA link
- Compulsory Eleni Kosta, ‘The Retention of Communications Data in Europe and the UK’ in Lilian Edwards (ed), Law, Policy, and the Internet (Hart Publishing 2019) OA link
- Recommended Marcin Rojszczak, ‘The Uncertain Future of Data Retention Laws in the EU: Is a Legislative Reset Possible?’ (2021) 41 Computer Law & Security Review 105572. UCL link OA link
- Optional Privacy International, ‘National Data Retention Laws since the CJEU’s Tele-2/Watson Judgment. A Concerning State of Play for the Right to Privacy in Europe’ (Privacy International, September 2017) OA link
- Compulsory Joined Cases C‑511/18, C‑512/18 and C‑520/18 La Quadrature du Net and Others ECLI:EU:C:2020:791.
- Recommended Case C-623/17 Privacy International ECLI:EU:C:2020:790.
- Optional Case C‑746/18 HK v Prokuratuur ECLI:EU:C:2021:152.
- Recommended Joined Cases C‑293/12 and C‑594/12 Digital Rights Ireland and Others ECLI:EU:C:2014:238.
- Recommended Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others ECLI:EU:C:2016:970.
Advocate General Opinions
- Optional Joined Cases C‑793/19 and C‑794/19 SpaceNet and Telekom Deutschland ECLI:EU:C:2021:939 (Opinion of Advocate General Campos Sánchez-Bordona)
- Optional Case C-140/20 Commissioner of the Garda Síochána and Others ECLI:EU:C:2021:942 (Opinion of Advocate General Campos Sánchez-Bordona).
- Optional R (on the application of Davis and others) v The Secretary of State for the Home Department  EWHC 2092 (Admin)
- and in the EWCA: Secretary of State for the Home Department v Watson MP & Ors  EWCA Civ 70.
- Recommended Ekimdzhiev and Others v Bulgaria ECLI:CE:ECHR:2022:0111JUD007007812.
- Recommended Investigatory Powers Act 2016 part 4 (Retention of Communications Data) link.
S20: Data Transfers
___ _ ___ _ ___ _
[(_)] |=| [(_)] |=| [(_)] |=|
'-` |_| '-` |_| '-` |_|
/mmm/ / /mmm/ / /mmm/ /
See the photos of the undersea data cables entering the US (and likely being tapped by the NSA) as photographed by artist Trevor Paglen here.
Surveillance law meets data protection law in the world of data transfers. Information moves easily, but as we’ve seen, as it crosses borders it becomes vulnerable to use and abuse by different governments. Legal spotlights have been particularly bright on EUUS data transfers, following complaints by Max Schrems against Facebook in Ireland after the Snowden revelations in 2013. This strategic litigation has ended in the striking down of not one but two international transfer agreements, and leaving other mechanisms used for international transfers, such a standard contractual clauses, on really shaky ground. In this session, we’ll be looking at the intersection of national security law and the Charter in light of data transfers.
What were the reasons the CJEU struck down Safe Harbour in Schrems I, and why wasn’t Privacy Shield an improvement in the Court’s eyes?
What might an arrangement that the CJEU would not strike down look like?
Do the Schrems cases show the EU as a defender of privacy, or an international hypocrite?
Is there currently any valid way to transfer data to the United States from the European Union?
Compulsory Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ (2017) 18 German Law Journal 881. OA link
Optional Christopher Kuner, ‘Schrems II Re-Examined’ (Verfassungsblog, 25 Aug 2020) OA link
- Recommended Read alongside Douwe Korff, ‘Comments on Prof. Chris Kuner’s Blog Schrems II Re-Examined of 25 August 2020’ (26 August 2020) OA-ish link (alt link)
Optional Barbara Sandfuchs, ‘The Future of Data Transfers to Third Countries in Light of the CJEU’s Judgment C-311/18 – Schrems II’ (2021) GRUR Int ikaa204 UCL link
Recommended Andrew D Murray, ‘Data Transfers between the EU and UK Post Brexit?’ (2017) 7 International Data Privacy Law 149 OA link
Optional Graham Greenleaf, ‘Japan: EU Adequacy Discounted’ (2018) 155 Privacy Laws & Business International Report 8-10 OA link
- RecommendedPrivacy International, ‘Secret Global Surveillance Networks’ (Privacy International, 2018) OA link
- Optional European Data Protection Board, ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2’ (18 June 2021) OA link
- Read the account of the saga and related blog posts by Max Schrems’ NGO noyb.eu here.
- Compulsory GDPR, chapter V.
- RecommendedCommission Implementing Decision (EU) 2021/1773 of 28 June 2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom (notified under document C(2021) 4801) OJ L360/69. OA link
- Compulsory Case C-311/18 Data Protection Commissioner v Facebook Ireland and Schrems ECLI:EU:C:2020:559 (“Schrems II”) link
- Recommended Case C-362/14 Maximillian Schrems v Data Protection Commissioner ECLI:EU:C:2015:65 (“Schrems I”)
It might be useful to read the AG Opinions in both cases too: * Optional Case C‑362/14 Maximillian Schrems v Data Protection Commissioner ECLI:EU:C:2015:627 (Opinion of Advocate General Bot). * Optional Case C-311/18 Data Protection Commissioner v Facebook Ireland and Schrems ECLI:EU:C:2019:1145, Opinion of Advocate General Saugmandsgaard Øe.
- Optional The Data Protection Commissioner -v- Facebook Ireland Ltd & Anor  IEHC 545 (Ireland)
- This case is very useful in restating the facts of data transfers in the context of Facebook and US surveillance under FISA 702 and EO 12333. It is the case which led to the questions being referred to the CJEU in Schrems II. —>
ASCII art from link, link, link, link, link. Credits where artist known: Felix Lee, hfw, jgs (Joan Stark), hrr, fsc.