LAWS0366 Internet Law and Policy (15 credits)

Dr Michael Veale, Associate Professor in Digital Rights & Regulation UCL Faculty of Laws, 2023-24 Syllabus

Updated November 2023

      |\      _,,,---,,_
ZZZzz /,`.-'`'    -.  ;-;;,_
     |,4-  ) )-,_. ,\ (  `'-'
    '---''(_/--'  `-'\\_)______

Reading importance labels — Check the labels beside each reading! Compulsory means “please do this before class”. Recommended means “if you’re interested, or if you’re writing an essay or revising this topic, have a look at this”. It does not mean “if you’re a really good student you’ll have done all the recommended reading as well as compulsory reading before class”. Optional means “if you’re writing an essay, or it interest you, this might be something you want look at, but you could also do your own research and find other sources too.”

Open access — Wherever possible, resources are accompanied by an open access link (‘OA link’). Some resources are available freely but only behind for-profit repositories such as SSRN, which heavily push users to register and log-in, and hide the download options for downloading without this in the bottom of the page. These are ‘OA-ish links’. Occasionally, a paper or book is too important not to recommend even though an OA version is unavailable. I have tried to minimise these resources throughout the reading list.

Organising your reading — This module has many different types of resources. I strongly recommend you organise them in a reference manager. The best reference manager is Zotero, which is free to install and use (I strongly recommend against the use of Mendeley and/or Endnote). UCL Library runs a range of Zotero training sessions if you wish to use these. It allows you to annotate and make notes on articles and chapters. Zotero can also can be used to organise your citations for your coursework.

L = Lectures. Slides accompanying the lecture are available on Moodle. T = Tutorials

L1: Welcome to the Internet: Yes, We Have Cats

                               ,  
        ,-.       _,---._ __  / \  
       /  )    .-'       `./ /   \  
      (  (   ,'            `/    /|  
      \  `-"             \\'\   / |  
        `.              ,  \ \ /  |  
         /`.          ,'-`----Y   |  
        (            ;        |   '  
        |  ,-.    ,-'         |  /  
        |  | (   |            | /  
        )  |  \  `.___________|/  
        `--'   `--' is the internet in here? =^^=

We all use the Internet. But how many people know what it is; where it came from; how it works? This session will introduce the history of the Internet and the functioning of core Internet technologies. Why were they designed as they were; and with whose values at the core? We will start to see why and how these design decisions interact with law and policy concerning the online world; a theme that will recur throughout the module.

Learning Objectives

  • What are the core technologies underpinning the Internet and how (in very rough terms) do they work? Note, as legal scholars we have to understand these technologies enough to be able to reason about how law and policy applies to them, not to be able to deploy them ourselves. So don’t worry if you don’t understand everything, or it seems too technical — focus on trying to get a general understanding.
  • What is the difference between the Internet and the Web?
  • What technical design principles underpin the Internet? Whose values do they reflect? How do these compare to broader values, for example those reflected in human rights regimes?
  • What are some of the main actors and organisations that govern the Internet, and how do they make decisions?
  • What is ‘cyberlibertarianism’?

Articles

  • Compulsory Andrés Guadamuz, ‘Internet Regulation’ in Lilian Edwards (ed), Law, Policy, and the Internet (Hart Publishing 2019). OA link
    • A useful and broad-ranging introduction into what it is to study Internet law and policy.
  • Compulsory Corinne Cath-Speth, ‘Internet Histories: Partial Visions of People and Packets’ in Corinne Cath-Speth, Changing Minds and Machines: A Case Study of Human Rights Advocacy in the Internet Engineering Task Force (IETF) (DPhil Thesis, Oxford University, 2021) pages 27-51. OA link
    • Traces and critiques the cultural and historical values behind the Internet engineers often seen as the main characters in a predominantly white, male, biographical history of the Internet.
  • Recommended William Lehr and others, ‘Whither the Public Internet?’ (2019) 9 Journal of Information Policy 1. read: pages 1-20 OA link
    • This article very usefully unpacks three different ways of understanding what “the Internet” is. Parts of this article use some difficult terminology: it is not key you understand it all.
  • Recommended Malte Ziewitz and Ian Brown, ‘A Prehistory of Internet Governance’ in Research Handbook on Governance of the Internet (Edward Elgar Publishing 2013). OA link
    • A history of the Internet and its early governance, as well as the institutions involved. Perhaps the best of the many “great men” tales of Internet history critiques by Cath-Speth (2021).
  • Optional Kieron O’Hara and Wendy Hall, Four Internets: Data, Geopolitics, and the Governance of Cyberspace (Oxford University Press 2021). paywall link / UCL link
    • A recent overview of the way in which the Internet as we know it is diverging as different nations and jurisdiction have different views on its development and trajectory.

T1: D’oH! Code, Law and Politics of Encrypted DNS

                             __
                   _ ,___,-'",-=-.
       __,-- _ _,-'_)_  (""`'-._\ `.
    _,'  __ |,' ,-' __)  ,-     /. |
  ,'_,--'   |     -'  _)/         `\
,','      ,'       ,-'_,`           :
,'     ,-'       ,(,-(              :
     ,'       ,-' ,    _            ;
    /        ,-._/`---'            /
   /        (____)(----. )       ,'
  /         (      `.__,     /\ /,
 :           ;-.___         /__\\/|
 |  d'oh   ,'      `--.      -,\ |
 :        /            \    .__/
  \      (__            \    |_
   \       ,`-, *       /   _|,\
    \    ,'   `-.     ,'_,-'    \
   (_\\,-'    ,'\\")--,'-'       __\
    \       /  // ,'|      ,--'  `-.
     `-.    `-/ \\'  |   _,'         `.
        `-._ /      `--'/             \
          ,'           |              \
          /             |               \
       ,-'              |               /
      /                 |             -'

The domain name system is a core part of the way that the Internet works. It effectively allows us to browse content without having to remember addresses that were designed only for computers, in particular IP addresses *that look like 43.157.242.47) — however it is also been described as the “Achilles heel” of the Internet, because it has been a serious ground of contestation around issues such as privacy and Internet blocking. This is effectively because if you can control the address book of the Internet, you make resources a lot harder to discover. Most recently, a series of proposals have been made which significantly changed the way that this system works – in particular by encrypting it. These services are typically called DNS over HTTPS — or ‘DoH’, because HTTPS is the encrypted way of delivering services on the Web (the ‘S’ is for Secure). These interact and interfere with a range of existing mechanisms to block content, and so have been controversial. But who is responsible for this change? The standard setters? The Web browsers? The internet service providers? Legislators? In this tutorial, we will use DNS-over-HTTPS as an example to answer these questions.

Tutorial Questions

Make notes on these three topics to bring to the tutorial to discuss. - What is DNS? What is important to know about DNS in relation to law and policy? How is DNS used in Internet blocking? - What kind of body is the Internet Watch Foundation? Is it a regulator? - Who decides whether encrypted DNS systems, such as DNS-over-HTTPS (DoH) are introduced? What does this mean for the power of private firms vis-a-vis the state? - The UK’s Internet blocking regime is heavily built on DNS filtering. Should this be considered when encrypted DNS is introduced? Who should consider it, and how? How might this work internationally? - Many countries have recently been talking about digital sovereignty (also souveraineté numérique in France). Do you think that DNS illustrates a loss, or highlights a lack, of nation states’ digital sovereignty?

Readings

  • Compulsory Video Mike Pound, How DNS Works (Computerphile, University of Nottingham, 9 July 2020).
  • Compulsory Debate in Hansard on “Internet Encryption” (citation: HL Deb 14 May 2019, vol 797, cols 1492–1495) OA link
    • A good opportunity to see one of the strangest legislative chambers in the world talk about a highly technical issue.
  • Compulsory Open Rights Group, ‘DNS Security — Getting it Right’ (24 June 2019) OA link
    • The Open Rights Group (ORG)is a UK-based digital rights NGO. This report outlines many of the technical aspects of DNS, and the consequences of this, written from the standpoint of a digital rights advocacy organisation.
  • Compulsory Internet Watch Foundation, ‘Briefing on DNS-over-HTTPS’ OA link
    • A briefing that in many ways poses a counterpoint to the Open Rights Group paper.
  • Recommended Vijay Gurbani and others, ‘When DNS Goes Dark: Understanding Privacy and Shaping Policy of an Evolving Protocol’ (2021) TPRC48: The 48th Research Conference on Communication, Information and Internet Policy. OA-ish link
    • This is a useful academic paper going a little deeper than the ORG work into the different protocols and some of the broader implications of them.

L2: How To Control The Internet

     \\_______/
 `.,-'\\_____/`-.,'
  /`..'\ _ /`.,'\
 /  /`.,' `.,'\  \
/__/__/ nice\\__\\__\\__
\  \  \web  /  /  /
 \  \\,'`._,'`./  /
  \\,'`./___\\,'`./
 ,'`-./_____\\,-'`.
     /       \

The Internet is sometimes described by politicians as a “Wild West”; a regulation-free land that has long resisted control. According to some, it needs bringing to heel. This is an overly simplistic story. In this session, we will build on the previous session’s understanding of Internet technologies and their design principles to think both about the ways in which this network has resisted control, and the ways in which is has been controlled by both public and private actors.

Learning Objectives

  • Does code ‘regulate’? How does this differ from the types of regulation that lawyers are more familiar with discussing?
  • What does it mean to say the Internet is ‘generative’? What are the policy implications of generative technologies?
  • Which actors are well-positioned to regulate the Internet, and why? What factors make it easier or harder for these actors to alter the working of these networks?

Articles

  • Compulsory Jonathan L Zittrain, ‘The Generative Internet’ (2006) 119 Harv L Rev 1974. OA link
    • This article is in some ways a prediction of how ‘walled gardens’ online might emerge. Was Zittrain right?
  • Compulsory Julie E Cohen, ‘“Piracy,” “Security,” and Architectures of Control’ in Configuring the Networked Self: Law, Code, and the Play of Everyday Practice (Yale University Press 2012). OA link
    • A strong critique of a variety of ways of looking at ‘code’ and ‘law’ - this might be worth coming back to after we talk about these topics some more as it’s a very dense and rewarding read.
  • Recommended Michèle Finck, ‘Blockchains as a Regulatable Technology’ in Blockchain Regulation and Governance in Europe (Cambridge University Press 2018). paywall link / UCL link
    • This chapter looks at ‘regulatory access points’ in relation to blockchains, which we don’t look at much in this course (because they’re mostly dumb, overengineered Ponzi schemes, and their relevant uses are modest and arcane), but the readings and framework proposed by Finck is more generally accessible.
  • Optional Lawrence Lessig, Code: Version 2.0 (Basic Books 2006) OA link
    • I suggest looking at pages 61-137 (chapters 5-7). Lessig is referred to a lot in the other readings, and if writing about him you should have a look at what he says in his own words.
  • Optional Niels ten Oever, ‘“This is Not How We Imagined It”: Technological Affordances, Economic Drivers, and the Internet Architecture Imaginary’ (2021) 23 New Media & Society 344. OA link
    • This paper is good for those interested in some of the ways in which the technical sides of standards are value laden and contested. Further readings in this vein can be found in Beatrice Martini, ‘Internet Infrastructure and Human Rights: Reading List’ (Stanford PACS, 2020).
  • Optional Clément Perarnaud and others, ‘“Splinternets”: Addressing the Renewed Debate on Internet Fragmentation’ (European Parliamentary Research Service, 2022).

L3: Intermediaries I: Liability for Online Content

 ____
||""||
||__||--------?------
[ -=.]`)   who intermediates
 ====== 0    your messages?

Learning Objectives

  • What was the initial logic behind intermediary liability laws? Was that logic legitimate at the time, and does it remain so today?
  • What factors have the CJEU indicated do not compromise the shielding of intermediaries? Do you agree with these judgments?
  • What is the concept of the CJEU has built? Are modern platforms neutral in this way?

Articles and Chapters

  • Compulsory Lilian Edwards, ‘“With Great Power Comes Great Responsibility?”: The Rise of Platform Liability’ in Lilian Edwards (ed), Law, Policy, and the Internet (Hart Publishing 2019). UCL link
    • This chapter looks over the history of intermediary liability law. Does not quite go up to present day; particularly since then the Digital Services Act, Copyright in the Digital Single Market Act, and Terrorist Content Regulation (all in the EU); and in the UK, the Online Safety Bill, all interact with this.
  • Recommended Philippe Jougleux, ‘Intermediaries’ Liability: Where Is My Chair?’ in Philippe Jougleux (ed), Facebook and the (EU) Law: How the Social Network Reshaped the Legal Framework (Springer International Publishing 2022). .
    • A slightly more up to date overview than the Edwards chapter above, with EU focus.
  • Recommended Aleksandra Kuczerawy, ‘From “Notice and Take Down” to “Notice and Stay Down”: Risks and Safeguards for Freedom of Expression’ in The Oxford Handbook of Intermediary Liability Online (Oxford University Press 2020). OA-ish link / UCL link
  • Recommended Folkert Wilman, ‘Between preservation and clarification: The evolution of the DSA’s liability rules in light of the CJEU’s case law’ in Joris Van Hoboken and others (eds) Putting the DSA into Practice: Enforcement, Access to Justice, and Global Implications (Verfassungsbooks 2023).
  • Optional Jennifer Urban and others, ‘Notice and Takedown in Everyday Practice’ (UC Berkeley Public Law Research Paper No. 2755628, 2017) OA link
    • Read the introduction & executive summary (pp 1-13) and delve into the bits that interest you - it’s a long report.
  • Optional Ben Wagner and others, ‘Regulating Transparency? Facebook, Twitter and the German Network Enforcement Act’ (2020) Proceedings of the 2020 Conference on Fairness, Accountability, and Transparency. OA-ish link / UCL link / 8 min talk on the paper
  • Optional Sophie Stalla-Bourdillon, ‘Internet Intermediaries as Responsible Actors? Why It Is Time to Rethink the E-Commerce Directive as Well’ in Mariarosaria Taddeo and Luciano Floridi (eds), The Responsibilities of Online Service Providers (Springer 2017). OA-ish link / UCL link
  • Optional Graham Smith, ‘5.6 Liability of Online Intermediaries’ in Internet Law and Regulation (Sweet and Maxwell 2020) Book available on Westlaw UK
    • Part of a practitioner textbook on Internet Law. Goes into heavy detail on the jurisprudence in the area.
  • Optional Nico van Eijk and others, Hosting Intermediary Services and Illegal Content Online: An Analysis of the Scope of Article 14 ECD in Light of Developments in the Online Service Landscape : Final Report. (European Commission 2019). OA link
  • Optional Colten Meisner, ‘The Weaponization of Platform Governance: Mass Reporting and Algorithmic Punishments in the Creator Economy’ [2023] Policy & Internet. (UCL 🔒)

Statute

European Union

  • Compulsory Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) OJ L 277/1, arts 4, 5, 6, 8.
  • Optional Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) OJ L 178/1, recitals 40-49, arts 1, 12–15.
    • The Digital Services Act (DSA) replaces the relevant parts of the e-Commerce Directive from February 2024. ECD, arts 12–15 map to DSA arts 4, 5, 6, and 8. It is fine to already refer to the DSA in essays rather than the ECD without outlining this transition, but you’ll need to be aware of the ECD to refer to relevant case-law.

United States

US law in this area centres on ‘Section 230’. This part of US law has its own mythology and saga-filled history. If interested, you can follow it in Jeff Kosseff, The Twenty-Six Words That Created the Internet (Cornell University Press 2019) (UCL 🔒), and for an alternative, more critical view on this provision, see Mary Anne Franks, ‘The Cult of the Internet’, The Cult of the Constitution (Stanford University Press 2019) (UCL 🔒).

  • Recommended 47 U.S.C. 230(c) (‘Section 230’).
    • This is the broad-ranging liability shield in US law which does not have a notice and takedown requirement.
    • Often referred to, technically incorrectly, as ‘Section 230 of the Communications Decency Act’, which amended that section into existence. This is such a common error that it is more a shorthand, so feel free to refer to it that way.

Case Law

European Union

  • Compulsory Case C-682/18 YouTube and Cyando ECLI:EU:C:2021:503 paras 18-39, 103-118.
    • A case concerning whether certain platform features give an “active role” to intermediaries.
  • Recommended Case C‑70/10 Scarlet Extended ECLI:EU:C:2011:771
    • On attempted general monitoring obligations applied to mere conduits (a Belgian ISP).
  • Optional Case C-360/10 Netlog ECLI:EU:C:2012:85
    • same issue as Scarlet, relates to hosting on Netlog, a now-defunct Belgian social network.
  • Recommended Joined Cases C-236/08 and C-238/08 Google France ECLI:EU:C:2010:159
    • Focus on paras 22-32 and 106-120, you don’t need to understand the relevant trademark law.
  • Recommended Case C‑324/09 L’Oréal SA v eBay ECLI:EU:C:2011:474
  • Optional Case C-314/2 Telekabel ECLI:EU:C:2014:192 paras 26-50, 106-114
  • Optional Case C-484/14 Mc Fadden ECLI:EU:C:2016:689

European Court of Human Rights

The case-law of the ECHR on intermediary liability has at time seemed at odds with the CJEU. The case of Delfi v Estonia received criticism for seeming to ignore EU law. While the ECtHR seemed to draw some boundaries around the Delfi case, these seem to have been radically loosened in the more recent 2023 Grand Chamber judgment in Sanchez v France, which did not find a violation of freedom of expression in a case where the French state held a politician criminally liable for not removing hateful comments under his post on a friends-only Facebook page, despite not being explicitly notified of these posts by those taking the action.

United Kingdom

The UK and E&W case law on intermediary liability is of less central interest to this module. Much of it relates to defamation. You can read more about the trajectory of this case law, including most of the cases below, in Jaani Riordan, ‘Defamation’ in Jaani Riordan (ed), The Liability of Internet Intermediaries (Oxford University Press 2016) (UCL 🔒.)

  • Optional Godfrey v Demon Internet Ltd [1999] EWHC QB 244.
    • One, if not the the first defamation cases on the Internet in England and Wales.
  • Optional Payam Tamiz v Google Inc [2013] EWCA Civ 68
  • Optional Cartier International AG & Ors v British Telecommunications Plc & Anor [2018] UKSC 28
    • This case is largely of tangential interest, but to date is the only time the UK Supreme Court has been asked to consider a question relating explicitly to the liability of internet intermediaries.

L4: Intermediaries II: Moderation, Algorithms and General Monitoring

            ______              
         .-'      `-.           
       .'            `.         
      /                \        
     ;                 ;`       
     | illegal content |;       
     ;                 ;|
     '\               / ;       
      \\`.           .' /        
       `.`-._____.-' .'         
         / /`_____.-'           
        / / /                   
       / / /
      / / /
     / / /
    / / /   or is it?
   / / /
  / / /
 / / /
/ / /
\\/_/

Learning Objectives

  • Why might a prohibition on general monitoring obligations be justified? What kind of issues it is trying to prevent?
  • Has the CJEU changed its understanding of general monitoring over time? What are the arguments for and against this kind of change?
  • Is it easy to search for illegal content now we have more advanced technologies to help us do it? What can go wrong? Is it just a matter of time before they become good enough?

Articles

  • Compulsory Joris Van Hoboken and Daphne Keller, ‘Design Principles for Intermediary Liability Laws’ (Transatlantic High Level Working Group on Content Moderation Online and Freedom of Expression Working Paper, 8 October 2019) OA link
    • This guide looks at the differerent configurations and components commonly found in international laws and proposals around intermediary liability.
  • Compulsory Robert Gorwa, Reuben Binns and Christian Katzenbach, ‘Algorithmic Content Moderation: Technical and Political Challenges in the Automation of Platform Governance’ (2020) 7 Big Data & Society 2053951719897945. OA link
    • This paper critically considers the limits of automation of content moderation policies.
  • Recommended Daphne Keller, ‘Facebook Filters, Fundamental Rights, and the CJEU’s Glawischnig-Piesczek Ruling’ (2020) 69 GRUR Int 616. paywall link / UCL link
    • This paper is critical of the Glawischnig-Piesczek case, arguing that many parts of it might end up in overreach.
  • Recommended Martin Senftleben and Christina Angelopoulos, ‘The Odyssey of the Prohibition on General Monitoring Obligations on the Way to the Digital Services Act’ (University of Amsterdam and CIPIL Working Paper, October 2020) OA link
  • Recommended Aleksandra Kuczerawy, ‘General Monitoring Obligations: A New Cornerstone of Internet Regulation in the EU?’ in Rethinking IT and IP Law - Celebrating 30 years CiTiP (Intersentia 2019). OAish link
  • Recommended Giovanni Sartor, ‘The Impact of Algorithms for Online Content Filtering or Moderation: Upload Filters’ (European Parliament 2020) OA link.
  • Optional Maayan Perel and Niva Elkin-Koren, ‘Accountability in Algorithmic Copyright Enforcement’ (2015) 19 Stan Tech L Rev 473. OA link
  • Optional Graham Smith, ‘5.6 Liability of Online Intermediaries’ in Internet Law and Regulation (Sweet and Maxwell 2020) Book available on Westlaw UK
  • Optional Giancarlo Frosio (ed.) _Oxford Handbook of Online Intermediary Liability*_(Oxford University Press 2020) Closed access DOI UCL link
    • This is a useful tome for further reading on intermediary liability, in particular comparing different regimes beyond the UK, Europe or the United States.

Case Law

European Union

  • Compulsory Case C-18/18 Glawischnig-Piesczek v Facebook ECLI:EU:C:2019:821
  • Recommended One of
    • Case C‑70/10 Scarlet Extended ECLI:EU:C:2011:771 (relates to mere conduits)
    • Case C-360/10 Netlog ECLI:EU:C:2012:85 (same issue as Scarlet, relates to hosting on Netlog, a now-defunct Belgian social network)
  • Optional Case C-314/2 Telekabel ECLI:EU:C:2014:192 paras 26-50, 106-114
  • Optional Case C-484/14 Tobias Mc Fadden v Sony Music Entertainment Germany GmbH ECLI:EU:C:2016:689.
    • This case concerned a WiFi network in a shop that was being used to break the law. A court asked the CJEU whether an injunction against the shop was legal according to the e-Commerce Directive if it required scanning of all content, termination of the WiFi network, or password protecting the network. The CJEU stated that out of the three, only the latter was allowed, as long as it was effective and required users to reveal their identity in order to get the password.
  • Case C-401/19 Poland v Parliament ECLI:EU:C:2022:297

T2: Regulating Recommending

             |\
---|\\--------|-\\\-----
---|/-------0---\\|----
--/|-------------|----
-|-/-\\----------0-----
--\\|/----nice playlist-

In this tutorial, we are going to think about recommender systems, as well as some of the approaches proposed to regulate them. Look at two articles, and the proposals in the Digital Services Act, and review your readings from previous sessions, to think about the questions below:

Tutorial Questions

  • Are algorithmic systems essential to deliver content online today? Is there a world without recommenders, or one where they are neutral? In what interfaces or media are they most important?
  • What kind of logics might be built into recommender systems? What kind of information about the content, or the users, might you need to do this, and where does this information come from?
  • Are recommender systems a good target for regulation of online content? What are the potential benefits, and what are the risks?
  • How might you actually regulate recommender systems? Do you think the approaches proposed in, for example, the Digital Services Act, will work?
  • How is being ‘shadow banned’ (or having content ‘reduced’) from a recommender similar or different to being removed from a hosting platform?

Articles

Cases

European Union

  • Recommended Case C-682/18 YouTube and Cyando ECLI:EU:C:2021:503 paras 18-39, 103-118.
    • You should have read this in the first intermediary liability session, so consult your notes from then.

Statute

European Union

  • Compulsory Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) OJ L 277/1, arts 27, 38
  • Optional Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services OJ L 186/57 (‘P2B Regulation’), art 5.

United States

These are provided not because it is crucial to understand US law in this class, but instead because they present policy options for regulating recommenders that at times contrast with those proposed in e.g. the EU.

L5: Intermediaries III: Platform Regulation and Regulating-by-Design

     #_                                                                       d
     ##_                                                                     d#
     NN#p                                                                  j0NN
     40NNh_                                                              _gN#B0
     4JF@NNp_                                                          _g0WNNL@
     JLE5@WRNp_                                                      _g@NNNF3_L
     _F`@q4WBN@Np_                                                _gNN@ZL#p"Fj_
     "0^#-LJ_9"NNNMp__                                         _gN#@#"R_#g@q^9"
     a0,3_j_j_9FN@N@0NMp__                                __ggNZNrNM"P_f_f_E,0a
      j  L 6 9""Q"#^q@NDNNNMpg____                ____gggNNW#W4p^p@jF"P"]"j  F
     rNrr4r*pr4r@grNr@q@Ng@q@N0@N#@NNMpmggggmqgNN@NN@#@4p*@M@p4qp@w@m@Mq@r#rq@r
       F Jp 9__b__M,Juw*w*^#^9#""EED*dP_@EZ@^E@*#EjP"5M"gM@p*Ww&,jL_J__f  F j
     -r#^^0""E" 6  q  q__hg-@4""*,_Z*q_"^pwr""p*C__@""0N-qdL_p" p  J" 3""5^^0r-
       t  J  __,Jb--N""",  *_s0M`""q_a@NW__JP^u_p"""p4a,p" _F""V--wL,_F_ F  #
     _,Jp*^#""9   L  5_a*N"""q__INr" "q_e^"*,p^""qME_ y"""p6u,f  j'  f "N^--LL_
        L  ]   k,w@#"""_  "_a*^E   ba-" ^qj-""^pe"  J^-u_f  _f "q@w,j   f  jL
        #_,J@^""p  `_ _jp-""q  _Dw^" ^cj*""*,j^  "p#_  y""^wE_ _F   F"^qN,_j
     w*^0   4   9__sAF" `L  _Dr"  m__m""q__a^"m__*  "qA_  j" ""Au__f   J   0^--
        ]   J_,x-E   3_  jN^" `u _w^*_  _RR_  _J^w_ j"  "pL_  f   7^-L_F   #
        jLs*^6   `_  _&*"  q  _,NF   "wp"  "*g"   _NL_  p  "-d_   F   ]"*u_F
     ,x-"F   ]    Ax^" q    hp"  `u jM""u  a^ ^, j"  "*g_   p  ^mg_   D.H. 1992

Learning Objectives

  • Is it useful to try and strictly define platforms? If we do, should we define them by what they are, by what they do, or by something else?
  • What challenges do platforms pose that we might want to regulate? Which do you think are the most pressing or important?
  • Why is it hard to regulate platforms?
  • What are the some of the current regulatory trends to try and regulate this area? Do you think they will work — and if so, for whom?
  • What are the opportunities and risks of requiring platforms to act in a more ‘proactive’ manner? What are the implications for the platform business model, and for the political economy of the Internet?

Articles

  • Compulsory Miriam C Buiten, ‘The Digital Services Act: From Intermediary Liability to Platform Regulation’ (2022) 12 Journal of Intellectual Property, Information Technology and E-Commerce Law.
    • This paper outlines some of the features of the DSA, and how it build on, changes and expands existing regimes.
  • Compulsory Martin Husovec, ‘Will the DSA Work? On Money and Effort’ in Joris Van Hoboken and others (eds) Putting the DSA into Practice: Enforcement, Access to Justice, and Global Implications (Verfassungsbooks 2023).
    • This short piece takes a more practical look at the enforcement of the DSA, and the promise (and pitfalls) of some of its provisions.
  • Recommended Julie E Cohen, ‘Law for the Platform Economy’ (2017–18) 51 UCD L Rev 133.
    • This piece lays out theory and practice of platforms in the legal order, arguing that platforms construct their power out of law, rather than exist in a lawless space, and considering some of the tactics and approaches they use the be slippery and difficult to govern.
  • Recommended Centre for International Governance Innovation (ed.) Models for Platform Governance (CIGI 2019).
  • Recommended Graham Smith, ‘Take Care with That Social Media Duty of Care’ (Cyberleagle, 19 October 2018).
    • There are many essays in this collection, all very short and of relevance to the topics we are discussing.
  • Optional Robert Gorwa, ‘What is Platform Governance?’ (2019) 22 Information, Communication & Society 854.
  • Optional Lorna Woods and Will Perrin, ‘Obliging Platforms to Accept a Duty of Care’ in Martin Moore and Damian Tambini (eds), Regulating Big Tech (Oxford University Press 2021) (🔒 UCL)

Statute

European Union

  • Compulsory Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) OJ L 277/1, ensuring to look at least at: arts 14(4) (Terms and conditions), 22 (Trusted flaggers), 25 (Online interface design and organisation), 27 (Recommender system transparency), 28 (Online protection of minors), 33 (Very large online platforms and very large online search engines), 34 (Risk assessment), 35 (Mitigation of risks), 37 (Independent audit), 38 (Recommender systems), 39 (Additional online advertising transparency), 40 (Data access and scrutiny), 44 (Standards), 74 (Fines).

United Kingdom

  • Compulsory Draft Bill Online Safety Bill, HL Bill 164 (as amended on Report) (19 July 2023), focus on clauses 7–23, 35–37, 55–62, 122–130, 144, although you may need to read around these for context..

Singapore

Australia

  • Optional Online Safety Act 2021, part 4.
    • In relation to proactive duties, while the act does function with codes of conduct, similar to Singapore, social media firms only have reporting obligations on how they are meeting these duties; the eSafety Commissioner does not have substantive powers unless these reporting duties are not met.
#####  ######   ##   #####  # #    #  ####     #    # ###### ###### #    #
#    # #       #  #  #    # # ##   # #    #    #    # #      #      #   #  
#    # #####  #    # #    # # # #  # #         #    # #####  #####  ####   
#####  #      ###### #    # # #  # # #  ###    # ## # #      #      #  #   
#   #  #      #    # #    # # #   ## #    #    ##  ## #      #      #   #  
#    # ###### #    # #####  # #    #  ####     #    # ###### ###### #    #

L6: Data Protection: Form and Function

In this session, we introduce a parallel but interwoven regime to privacy and private life: data protection. Lynskey introduces where data protection came from, what is does, and how it relates to privacy. Her book was written before the passing of the General Data Protection Regulation, which builds on previous privacy statutes; this is the topic of Hoofnagle and others, who seek to summarise the Regulation. You should also read the GDPR alongside this article as appropriate.

Further readings look at the history of data protection law (González Fuster), and elaborate theoretically on the functioning of data protection and its place within the EU legal order (Lynskey, Ausloos).

Think while reading about what data protection seeks to do and protect. How does it secure the aims we discussed when considering privacy? What other ends does it pursue, or ways might it protect or empower people? Is it a subset of privacy, or a separate, complementary regime? How many of the rights and obligations were you aware of, and how does the text of data protection law relate to the practices of firms and governments that you are aware of?

Articles

  • Compulsory Orla Lynskey, ‘The Key Characteristics of the EU Data Protection Regime’ and ‘The Link between Data Protection and Privacy in the EU Legal Order’ in The Foundations of EU Data Protection Law (Oxford University Press 2015) UCL link
  • Compulsory Chris Jay Hoofnagle and others, ‘The European Union General Data Protection Regulation: What It Is and What It Means’ (2019) 28 Information & Communications Technology Law 65 OA link
  • Recommended Gloria González Fuster, ‘The Materialisation of Data Protection in International Instruments’ in The Emergence of Personal Data Protection as a Fundamental Right of the EU (Springer 2014) UCL link
  • Recommended Orla Lynskey, The Foundations of EU Data Protection Law (Oxford University Press 2015) UCL link
  • Optional Jef Ausloos, ‘Foundations of Data Protection Law’ in The Right to Erasure in EU Data Protection Law: From Individual Rights to Effective Protection (Oxford University Press 2020) UCL link

Policy Documents

  • Optional European Court of Human Rights, Guide to the Case Law of the European Court of Human Rights: Data Protection (Council of Europe, updated regularly) (look at relevant parts to bolster your understanding) OA link
    • Note, that the ECHR is distinct from the CJEU in its privacy and data protection jurisprudence. There is no explicit right to data protection in the Convention; this does not mean the Court has not developed jurisprudence in this area, however.

Statute

  • Compulsory Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1. Read this alongside the Hoofnagle and others article. You do not need to read all of the recitals yet, and this takes most of the length out; but they do help shine light on the main articles, and are important interpretative tools, so refer back as appropriate.
  • Compulsory Charter of Fundamental Rights of the European Union, articles 7–8.

L7: The Law of Everything? Anonymisation and the Scope of Personal Data

One of the main concepts in data protection is the concept of personal data. The boundaries of this concept have been hotly contested, and are an important point of interaction for law, policy, computer and data science alike; all of these disciplines work on this issue intensely. McAuley describes why computer scientists find anonymisation difficult to achieve. Purtova argues that the CJEU has interpreted the GDPR in an expansive manner which has led an unmanageable array of information types to be classifiable as personal data (but compare to optional reading, Dalla Corte, who critiques this reading). Elliot and others propose a different approach, which looks at the risk of data to be reidentified in its environment. What would be the benefits or risks of adopting this approach? You should also read the Breyer case, which is looked at considerably in the Purtova article.

You may also choose to read further reading, such as a technical analyis of why it is difficult or impossible to anonymise some types of location data from the perspective of computer science by de Montjoye and others, the application to smart environments and technologies by Gellert. You should also consider the household exemption, part of the scope of data protection law, which is importantly limited by the cases Lindqvist and Ryneš.

How should a controller in practice go about considering what is personal data or not? How might this differ for different types of data — text; location; tabular data; video data or photographs? Is there a good balance between personal or non personal data classification that is possible, or will any approach inevitably be gamed and abused? If so, is there a way out of this quandary?

While reading it all, as well as when you have read both the papers and the cases, think through the following questions:

  1. What is it about data that makes anonymisation particularly hard?
  2. Can you think of a good example of data which is reliably non-personal under data protection law?
  3. What sort of test does Breyer imply? What kind of capacities might data controllers need to carry out this test?
  4. Is this approach to personal data a sensible one for data protection law? What might be the challenges if a narrower approach was taken? What about a broader one?
  5. Is the household exemption too narrow in scope?

Statute

European Union

  • Compulsory GDPR, recitals 26-30, arts 2, 4(1).

Videos

Articles

Cases

European Union

  • Compulsory Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland ECLI:EU:C:2016:779 (on the identifiability of personal data)
  • Recommended Case C‑434/16 Nowak ECLI:EU:C:2017:994 (on exam scripts and comments)
  • Recommended C-184/20 Vyriausioji tarnybinės etikos komisija ECLI:EU:C:2022:601 (on conditions for inference of special category data)
  • Recommended Case C-101/01 Lindqvist EU:C:2003:596 (on the scope of the household exemption)
  • Recommended Case C‑212/13 Ryneš ECLI:EU:C:2014:2428. (on a CCTV camera on a house and the household exemption)

Pending Cases

  • Case C-604/22 IAB Europe (on whether a compliance mechanism for online tracking comprises personal data)
  • Case C-659/22 Ministerstvo zdravotnictví (Czech Ministry of Health) (on whether scanning vaccination certs amounts to processing)
  • Case C-115/22 NADA and Others (on health data and doping)
  • Case C-446/21 Schrems (on sexuality and special category data in advertising)

United Kingdom

  • Optional Durant v Financial Services Authority [2003] EWCA Civ 1746.
  • Optional Edem v The Information Commissioner & Anor [2014] EWCA Civ 92
  • Optional Secretary of State for the Home Department & Anor v TLU & Anor [2018] EWHC 2217 (QB).

T3: Data Rights and Wrongs

Preparation (in class, in part. We did this at the end of L5.)

For this tutorial, there is a short preparatory activity we will use as a basis for discussion about the right of access. Carrying out steps 1-2 are essential, but step 3 is optional (writing further to a company to request your data). I advise doing it, however, as it is free, and interesting to see how they interact with you, and what you get back.

  1. Try to use a “download my data” tool” on one or more services that you use. Some examples of those from the largest services are below:

  1. If you get a copy of the data, try to locate the privacy policy for that company. Privacy policies are usually implemented as to provide some of the information required in Article 13 of the GDPR (have a look). Re-read articles 13–15, and article 20, of the GDPR. Is this all the data you requested? What personal data might be missing? Do you also think (e.g. from your usage of a service) that the controller might have additional data about you they are not telling you about?

  2. [Optional, but recommended] Write an email or other message to the firm (how should be detailed in the privacy policy) asking for a full copy of you data, highlighting any omissions you discovered or suspected based on point 2. I have made a template for a very full version of how to do this here, but you are welcome to just type something shorter or more focussed.

If you get to 2 and 3, save all the files you get from this process in one place (e.g. a copy of relevant parts of the privacy policy, and any data), so we can talk about the process during the tutorial. Regardless, save and look at any data you receive.

In this session, we’ll discuss the access rights made earlier in class. Please come having done the reading and try to bring whatever you have received in a form on your computer you can use to discuss and refer to (although no need to share it!).

Questions to consider: - What is the right of access for? What is its scope? What are its limits? - How powerful is the right of access at achieving its various purposes? - What barriers exist to make access rights useful or powerful? - What barriers did you face getting access to, or scrutinising data? How might you reform the right of access to make it more useful - or is such reform futile?

Readings

  • Compulsory GDPR, arts 12, 15, 20.
  • Compulsory European Data Protection Board (2023) ‘Guidelines 01/2022 on data subject rights - Right of access’ OA link
  • Recommended Jef Ausloos and Michael Veale, ‘Researching with Data Rights’ (2020) 2020 Technology and Regulation 136.
  • Optional Jef Ausloos and Pierre Dewitte, ‘Shattering One-Way Mirrors – Data Subject Access Rights in Practice’ (2018) 8 International Data Privacy Law 4. UCL link OA link
  • Optional René Mahieu, ‘The Right of Access to Personal Data: A Genealogy’ (2021) 2021 TechReg 62. OA link
  • Optional Case C‑434/16 Nowak ECLI:EU:C:2017:994
    • On the broad scope of the right of access.
  • Optional Case C‑154/21 RW v Österreichische Post AG ECLI:EU:C:2023:3
    • On the right to know ‘recipients’ of personal data, and that requests have to be tailored to the individual if required, not generic.
  • Optional Joined Cases C‑141/12 and C‑372/12 YS and Others ECLI:EU:C:2014:2081.
    • On the distinction between data and documents.
  • Optional Case C‑487/21 F.F. v Österreichische Datenschutzbehörde and CRIF ECLI:EU:C:2023:369
    • Clarifying YS and Others that individuls have a right to database extracts or documents if the provision of this copy is necessary to exercise rights.
  • Optional Dawson-Damer & Ors v Taylor Wessing LLP [2017] EWCA Civ 74 at [104]–[108]; B v The General Medical Council [2019] EWCA Civ 1497 at [79]
    • On ‘purpose-blind’ access rights - ‘the general position is that the rights of subject access to personal data […] are not dependent on appropriate motivation on the part of the requester’
  • Optional Case-307/22 FT (Copies du dossier médical) ECLI:EU:C:2023:811
    • Purpose-blind nature under post-Brexit EU case law - ‘the controller is under an obligation to provide the data subject, free of charge, with a first copy of his or her personal data [..] even where the reason for that request is not related to those referred to in the first sentence of recital 63 of that regulation’.

L8: Being Forgotten Online

               O             O _J""-.
        .-""L_  o           o /o )   \ ,';
   ;`, /   ( o\               \ ,'    ;  /
   \  ;    `, /                "-.__.'"\\_;
   ;_/"`.__.-"   google or goldfish?

Learning Objectives

  • How does the right to be forgotten function? Where did it come from?
  • What kind of information and process is needed to assess a RTBF request according to the existing jurisprudence? What kind of a process might this be, and how does that compare to what we know of the processes that are used in practice?
  • Who does the RTBF benefit?
  • Is the balance correct in the RTBF? Should there be more or less emphasis on freedom of expression?
  • Is the RTBF adequately governed? How do private decisions and judicial decisions interplay, and are there potential reforms that you might want to see implemented at this interface?

Articles

  • Compulsory Andrés Guadamuz, ‘Developing a Right to Be Forgotten’ in Tatiana-Eleni Synodinou and others (eds), EU Internet Law: Regulation and Enforcement (Springer 2017). OA-ish link UCL paywall link
    • An overview of some of the debates and sides people take concerning the Right to Be Forgotten.
  • Compulsory Paul De Hert and Vagelis Papakonstantinou, ‘Right to Be Forgotten’, Elgar Encyclopedia of Law and Data Science (2022).
    • A concise encyclopaedia entry providing a guide to the RTBF’s origin and jurisprudence up through the start of 2022.
  • Recommended Aleksandra Kuczerawy and Jef Ausloos, ‘From Notice-and-Takedown to Notice-and-Delist: Implementing Google Spain’ (2015–16) 14 Colo Tech LJ 219. OA link
    • A discussion of some of the roles (as they were and are emerging) of different governance actors in the run up to, and in the wake of, the judgment in Google Spain.
  • Recommended Theo Bertram and others, ‘Five Years of the Right to Be Forgotten’ in (ACM 2019) Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security 959. OA link
    • A scholarly article on how the RTBF has panned out from the point of view of Google employees, who authored it. Read alongside the firm’s regularly updated, quantitative Transparency Report into EU delisting on the basis of the right.
  • Recommended Joris Van Hoboken, ‘Search Engine Freedom’ in Search Engine Freedom: On the Implications of the Right to Freedom of Expression for the Legal Governance of Web Search Engines (University of Amsterdam 2012) pp 168-213. OA link
    • A discussion of the theoretical and legal manners in which freedom of expression applies to search engines, given their crucial role in enabling access to information. Pre-dates Google Spain, although not the debates about the RTBF.
  • Optional Jef Ausloos, The Right to Erasure in EU Data Protection Law: From Individual Rights to Effective Protection (1st edn, Oxford University Press 2020). UCL link 🔒
  • Optional Jean-François Blanchette and Deborah G Johnson, ‘Data Retention and the Panoptic Society: The Social Benefits of Forgetfulness’ (2002) 18 The Information Society 33. OA link paywalled, typeset link
    • A less legal view of why we might want a right to be forgotten from the standpoint of privacy.
  • Optional Tarleton Gillespie, ‘To Remove or to Filter?’ in Custodians of the Internet (Yale University Press 2018). UCL link (paywalled)
    • A broader discussion of the different tactics that internet intermediaries, and particularly platforms, use to limit the distribution of content online.
  • Optional David Erdos, ‘The “Right to Be Forgotten” beyond the EU: An Analysis of Wider G20 Regulatory Action and Potential Next Steps’ (2021) 13 Journal of Media Law 1. OA-ish link UCL link
    • Examines how similar rights to be forgotten work in jurisdiction including Canada, Turkey and Australia.
  • Optional Stefan Kulk and Frederik Zuiderveen Borgesius, ‘Privacy, Freedom of Expression, and the Right to Be Forgotten in Europe’ in Evan Selinger and others (eds), The Cambridge Handbook of Consumer Privacy (Cambridge University Press 2018). OA-ish link UCL paywall link
    • A useful introduction to how freedom of expression is balanced by the CJEU and ECtHR, focussing on the right to be forgotten. Overlaps otherwise in terms of content with Guadamuz 2017.

Policy Documents

  • Optional European Data Protection Board, Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (EDPB 2020) OA link
    • Guidance from the European regulators in charge of enforcing Google Spain and the Right to Erasure. See also the ary on these guidelines by David Erdos, University of Cambridge.
  • Optional Access Now, Understanding the Right to Be Forgotten Globally (Access Now 2017) OA link
    • A short policy paper from an NGO indicating the surrounding conditions and a safeguard wishlist for global implementation of a right to be delisted on privacy grounds.

Statute

European Union

  • Compulsory Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, art 17.

United Kingdom

  • Optional Data Protection Act 2018, sch 2 part 1
    • This contains exemptions to the right to erasure (among other data rights) that were set down on the basis of GDPR, art 23 (Restrictions).

Case Law

European Union

  • Compulsory Case C-131/12 Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González ECLI:EU:C:2014:317.
  • Compulsory Case C‑136/17 GC and Others v Commission nationale de l’informatique et des libertés (CNIL) ECLI:EU:C:2019:773.
  • Compulsory Case C‑507/17 Google LLC v Commission nationale de l’informatique et des libertés (CNIL) ECLI:EU:C:2019:772.

ECtHR

  • Optional Hurbain v Belgium ECLI:CE:ECHR:2023:0704JUD005729216
    • This case was an Article 10 ECHR claim by the Belgian newspaper Le Soir, which had been ordered to anonymise a digital archived version of a 1994 article about a driving offence. No breach of article 10 was found.

United Kingdom

  • Recommended NT1 & NT2 v Google LLC [2018] EWHC 799 (QB). BAILII
    • The first Google Spain case applied by English courts. One applicant had his delisting refusal by Google overturned by the High Court, and one had it confirmed. What was the difference between them?

L9: Online Tracking: Revenge of the Cookie Monster

Somebody is prying through your files, probably
Somebody's hand is in your tin of Netscape magic cookies
But relax: if you're an interesting person
Morally good in your acts
You have nothing to fear from facts

The Age of Infomation (Momus, 1997)

Cookie pop ups when you browse the web are hardly anything new to most Internet users, particularly in Europe. But what exactly are cookies? How do they something that we should be concerned about? How does the law understand cookies, and how has that developed over time? In the session, we’re going to try and get some answers to some of these questions. While reading and examining the below, it will be good to think about the following questions:

  1. What conceptual role do cookies play in online tracking and profiling?
  2. Consent is a large part of the way that we govern cookies in Europe. But is it a good way to do this? What would the alternatives look like, and in what ways would they be better or worse?
  3. If many of the ways the cookies are used on the Internet are currently illegal, why hasn’t anything been done about it? What are the main challenges and regulatory hurdles that prevent affective enforcement?

Also pay attention to the issue of controllership — this topic should be considered in tandem with the tutorial on controllership. Who is the controller when it comes to tracking on a website?

Articles

Policy Documents

  • Optional Information Commissioner’s Office, ‘Update Report into Adtech and Real Time Bidding’ (20 June 2019) link
  • Optional Information Commissioner’s Office, ‘Data Protection and Privacy Expectations for Online Advertising Proposals’ (25 November 2021). link
  • Optional CNIL (French DPA), ‘Cookies: FACEBOOK IRELAND LIMITED Fined 60 Million Euros’ (6 January 2022) link; CNIL (French DPA), ‘Cookies: GOOGLE Fined 150 Million Euros’ (6 January 2022) link. see also English language decisions within

Cases

European Union

  • Compulsory Case C-210/16 Wirtschaftsakademie Schleswig-Holstein ECLI:EU:C:2018:388.
  • Compulsory Case C-49/17 Fashion ID ECLI:EU:C:2019:629.
  • Recommended Case C‑252/21 Meta Platforms and Others ECLI:EU:C:2022:704, Opinion of Advocate General Rantos **particularly concerning the interaction of web tracking data and Article 9 sensitive data characteristics*.
  • Optional Case C‑25/17 Jehovan todistajat ECLI:EU:C:2018:551. consider how the controllership argument might analogise
  • Optional Case C-673/17 Planet49 GmbH ECLI:EU:C:2019:801.
  • Optional Case C-131/12 Google Spain ECLI:EU:C:2014:317. particularly around questions of controllership
  • Recommended Case C‑210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2017:796, Opinion of AG Bot.
  • Recommended Case C-49/17 Fashion ID GmbH & CoKG v Verbraucherzentrale NRW eV ECLI:EU:C:2018:1039, Opinion of AG Bobek.

United Kingdom

  • Optional Vidal-Hall v Google Inc [2015] EWCA Civ 311.
  • Optional Lloyd v Google LLC [2021] 3 UKSC 50.

Belgium

Statute

United Kingdom

  • Compulsory Privacy and Electronic Communications (EC Directive) Regulations 2003, reg 6
    • This derives from the e-Privacy Directive, art 5(3), below.
  • Optional Draft Bill Data Protection and Digital Information HC Bill (2022–23) 143, cl 79.
    • Whether this law will be reintroduced is currently unclear.

European Union

  • Recommended Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) OJ L 201/37, art 5(3).
    • This is implemented in the UK by PECR reg 6, above

T4: Let’s Do It At My Place: Privacy Sandbox and the Future of Online Targeting

Questions

Consider the readings from the seminar, the lecture, and at least the compulsory reading above.

  • What are the main privacy and other policy challenges from ‘classic’ targeted advertising? What kind of forms does online advertising take, and how does this link to harms and policy challenges?
  • Many proposed advertising techniques take the advertising and targeting into the browser or operating system, rather than collected by remote servers. Is this good or bad for privacy? For data protection?
  • Why might large advertising platforms want to ensure they target on-device, and/or in a way where they cannot see the personal data?
  • Is there a data controller of this on-device advertising? Who? Can they fulfil the full rights and obligations of a data controller?
  • How should a data regulator, or internet law, react to the move to on-device processing?

L10: Computer Says No? Machine Learning and Automated Decision-making

Computers are intermediating the content of decisions now, rather than just transmitting them. The governing of algorithms and automated systems is big news, and big business for some. But what role for data protection law? In this session, we’ll dig into the details.

When doing the reading, think about the following:

  • What are the main issues concerning algorithms that require governance? What has the last few years indicated are the most pressing of them, and which might be the most pressing in the future?
  • Should we be worried about algorithms, or “decisions”, both or neither?
  • How can we reconcile the purpose of Article 22 with the rest of the GDPR? Does it connect to form a coherent whole, or does it not make sense?
  • Is Article 22 a relic that will fail to govern algorithms going forward, or is there hope that it can be usefully repurposed? If so, as a simple safety net, or an active tool of governance?
  • Are there simple changes, or court interpretations, that might make the governance of algorithms through the GDPR function more effectively? Which? Are they likely without new legislation?

Articles

Policy Documents

Statute

European Union

  • Compulsory General Data Protection Regulation (GDPR), articles 15, 21, 22, recital 71.

United Kingdom

  • Optional Draft Bill Data Protection and Digital Information HC Bill (2022–23) 143, cl 11. - Whether this law will be reintroduced is currently unclear.

Case-Law

European Union

  • Recommended Case C-634/21 SCHUFA Holding and Others (scoring) ECLI:EU:C:2023:957

  • Pending

    (on downstream algorithmic decisions)
  • Case C-203/22 Dun & Bradstreet Austria

Acknowledgments

ASCII art from link, link, link, link, link, link. Credits where artist known: Felix Lee, hfw, jgs (Joan Stark), hrr, fsc, Veronica Karlsson, David S. Issel.