Dr Michael Veale,
Associate Professor in Digital Rights & Regulation, UCL Faculty of
Laws, 2023-24 Syllabus
Updated November 2023
|\ _,,,---,,_
ZZZzz /,`.-'`' -. ;-;;,_
|,4- ) )-,_. ,\ ( `'-'
'---''(_/--' `-'\\_)______
Reading importance labels — Check the labels beside
each reading! Compulsory means
“please do this before class”. Recommended means “if you’re
interested, or if you’re writing an essay or revising this topic, have a
look at this”. It does not mean “if you’re a really good
student you’ll have done all the recommended reading as well as
compulsory reading before class”. Optional means “if you’re writing
an essay, or it interests you, this might be something you want to look at,
but you could also do your own research and find other sources too.”
Open access — Wherever possible, resources are
accompanied by an open access link (‘OA link’). Some resources are
available freely but only behind for-profit repositories such as SSRN,
which heavily push users to register and log in, and hide the option to
download without registering at the bottom of the page. These
are ‘OA-ish links’. Occasionally, a paper or book is too important not
to recommend even though an OA version is unavailable. I have tried to
minimise these resources throughout the reading list.
Organising your reading — This module has many
different types of resources. I strongly recommend you organise them in
a reference manager. The best reference manager is Zotero, which is free to install and
use (I strongly recommend against the use of Mendeley and/or Endnote).
UCL Library runs a range of Zotero training
sessions if you wish to use these. Zotero allows you to annotate and
make notes on articles and chapters. It can also be used to
organise your citations for your coursework.
L = Lectures. Slides accompanying the lecture are available on
Moodle. T = Tutorials
L1: Welcome to the
Internet: Yes, We Have Cats
,
,-. _,---._ __ / \
/ ) .-' `./ / \
( ( ,' `/ /|
\ `-" \\'\ / |
`. , \ \ / |
/`. ,'-`----Y |
( ; | '
| ,-. ,-' | /
| | ( | | /
) | \ `.___________|/
`--' `--' is the internet in here? =^^=
We all use the Internet. But how many people know what it is; where
it came from; how it works? This session will introduce the history of
the Internet and the functioning of core Internet technologies. Why were
they designed as they were; and with whose values at the core? We will
start to see why and how these design decisions interact with law and
policy concerning the online world; a theme that will recur throughout
the module.
Learning Objectives
- What are the core technologies underpinning the Internet and how (in
very rough terms) do they work? Note, as legal scholars we have to
understand these technologies enough to be able to reason about how law
and policy applies to them, not to be able to deploy them ourselves. So
don’t worry if you don’t understand everything, or it seems too
technical — focus on trying to get a general understanding.
- What is the difference between the Internet and the Web?
- What technical design principles underpin the Internet? Whose values
do they reflect? How do these compare to broader values, for example
those reflected in human rights regimes?
- What are some of the main actors and organisations that govern the
Internet, and how do they make decisions?
- What is ‘cyberlibertarianism’?
Articles
- Compulsory Andrés Guadamuz, ‘Internet
Regulation’ in Lilian
Edwards (ed), Law, Policy, and the Internet (Hart
Publishing 2019). OA
link
- A useful and broad-ranging introduction into what it is to study
Internet law and policy.
- Compulsory Corinne Cath-Speth, ‘Internet
Histories: Partial Visions of People and Packets’ in Corinne Cath-Speth, Changing
Minds and Machines: A Case Study of Human Rights Advocacy in the
Internet Engineering Task Force (IETF) (DPhil Thesis, Oxford
University, 2021) pages 27-51. OA
link
- Traces and critiques the cultural and historical values behind the
Internet engineers often seen as the main characters in a predominantly
white, male, biographical history of the Internet.
- Recommended William Lehr
and others, ‘Whither the Public Internet?’ (2019) 9 Journal of
Information Policy 1. read: pages 1-20 OA link
- This article very usefully unpacks three different ways of
understanding what “the Internet” is. Parts of this article use some
difficult terminology: it is not key you understand it all.
- Recommended Malte Ziewitz
and Ian Brown, ‘A Prehistory of
Internet Governance’ in Research Handbook on Governance of the
Internet (Edward Elgar Publishing 2013). OA link
- A history of the Internet and its early governance, as well as the
institutions involved. Perhaps the best of the many “great men” tales of
Internet history critiqued by Cath-Speth (2021).
- Optional Kieron O’Hara
and Wendy Hall, Four Internets: Data, Geopolitics, and the
Governance of Cyberspace (Oxford University Press 2021). paywall link / UCL
link
- A recent overview of the way in which the Internet as we know it is
diverging as different nations and jurisdictions have different views on
its development and trajectory.
T1: D’oH! Code,
Law and Politics of Encrypted DNS
__
_ ,___,-'",-=-.
__,-- _ _,-'_)_ (""`'-._\ `.
_,' __ |,' ,-' __) ,- /. |
,'_,--' | -' _)/ `\
,',' ,' ,-'_,` :
,' ,-' ,(,-( :
,' ,-' , _ ;
/ ,-._/`---' /
/ (____)(----. ) ,'
/ ( `.__, /\ /,
: ;-.___ /__\\/|
| d'oh ,' `--. -,\ |
: / \ .__/
\ (__ \ |_
\ ,`-, * / _|,\
\ ,' `-. ,'_,-' \
(_\\,-' ,'\\")--,'-' __\
\ / // ,'| ,--' `-.
`-. `-/ \\' | _,' `.
`-._ / `--'/ \
,' | \
/ | \
,-' | /
/ | -'
The domain name system is a core part of the way that the Internet
works. It effectively allows us to browse content without having to
remember addresses that were designed only for computers, in particular
IP addresses (that look like 43.157.242.47). However, it has also been
described as the “Achilles heel” of the Internet, because it has been a
serious ground of contestation around issues such as privacy and
Internet blocking. This is effectively because if you can control the
address book of the Internet, you can make resources a lot harder
to discover. Most recently, a series of proposals have been made which
significantly change the way that this system works – in particular by
encrypting it. These services are typically called DNS over HTTPS — or
‘DoH’, because HTTPS is the encrypted way of delivering services on the
Web (the ‘S’ is for Secure). These interact and interfere with a range
of existing mechanisms to block content, and so have been controversial.
But who is responsible for this change? The standard setters? The Web
browsers? The internet service providers? Legislators? In this tutorial,
we will use DNS-over-HTTPS as an example to answer these questions.
💡 This topic is technical but we will approach it as law scholars. You
are not expected to know the technical details of DNS, but you are
expected to understand the broad way it works, and the types of changes
that encrypting it will lead to. Try and avoid getting in the weeds and
continue to ask the question of ‘so what?’ when you read more technical
work, thinking of the legal and policy consequences you might imagine.
The ‘so what?’ question should guide your reading — what questions do
you really need answers to that are technical, and which can you
abstract away and ignore?
Tutorial Questions
Make notes on these three topics to bring to the tutorial to discuss.
- What is DNS? What is important to know about DNS in relation to law
and policy? How is DNS used in Internet blocking?
- What kind of body is the Internet Watch Foundation? Is it a
regulator?
- Who decides whether encrypted DNS systems, such as DNS-over-HTTPS
(DoH), are introduced? What does this mean for the power of private
firms vis-a-vis the state?
- The UK’s Internet blocking regime is heavily built on DNS filtering.
Should this be considered when encrypted DNS is introduced? Who should
consider it, and how? How might this work internationally?
- Many countries have recently been talking about digital sovereignty
(also souveraineté numérique in France). Do you think that DNS
illustrates a loss, or highlights a lack, of nation states’ digital
sovereignty?
Readings
- Compulsory Video Mike Pound, How DNS
Works (Computerphile, University of Nottingham, 9 July
2020).
- Compulsory Debate in
Hansard on “Internet Encryption” (citation: HL Deb 14 May 2019,
vol 797, cols 1492–1495) OA
link
- A good opportunity to see one of the strangest legislative chambers
in the world talk about a highly technical issue.
- Compulsory Open Rights Group, ‘DNS
Security — Getting it Right’ (24 June 2019) OA
link
- The Open Rights Group (ORG) is a UK-based digital rights NGO. This
report outlines many of the technical aspects of DNS, and the
consequences of this, written from the standpoint of a digital rights
advocacy organisation.
- Compulsory Internet Watch
Foundation, ‘Briefing on DNS-over-HTTPS’ OA link
- A briefing that in many ways poses a counterpoint to the Open Rights
Group paper.
- Recommended Vijay Gurbani
and others, ‘When DNS Goes Dark: Understanding Privacy and Shaping
Policy of an Evolving Protocol’ (2021) TPRC48: The 48th Research
Conference on Communication, Information and Internet Policy. OA-ish link
- This is a useful academic paper going a little deeper than the ORG
work into the different protocols and some of the broader implications
of them.
L2: How To Control The
Internet
\\_______/
`.,-'\\_____/`-.,'
/`..'\ _ /`.,'\
/ /`.,' `.,'\ \
/__/__/ nice\\__\\__\\__
\ \ \web / / /
\ \\,'`._,'`./ /
\\,'`./___\\,'`./
,'`-./_____\\,-'`.
/ \
The Internet is sometimes described by politicians as a “Wild West”;
a regulation-free land that has long resisted control. According to
some, it needs bringing to heel. This is an overly simplistic story. In
this session, we will build on the previous session’s understanding of
Internet technologies and their design principles to think both about
the ways in which this network has resisted control, and the ways in
which it has been controlled by both public and private
actors.
Learning Objectives
- Does code ‘regulate’? How does this differ from the types of
regulation that lawyers are more familiar with discussing?
- What does it mean to say the Internet is ‘generative’? What are the
policy implications of generative technologies?
- Which actors are well-positioned to regulate the Internet, and why?
What factors make it easier or harder for these actors to alter the
working of these networks?
Articles
- Compulsory Jonathan L Zittrain, ‘The
Generative Internet’ (2006) 119 Harv L Rev 1974. OA
link
- This article is in some ways a prediction of how ‘walled gardens’
online might emerge. Was Zittrain right?
- Compulsory Julie E Cohen, ‘“Piracy,”
“Security,” and Architectures of Control’ in Configuring the
Networked Self: Law, Code, and the Play of Everyday Practice (Yale
University Press 2012). OA
link
- A strong critique of a variety of ways of looking at ‘code’ and
‘law’ - this might be worth coming back to after we talk about these
topics some more as it’s a very dense and rewarding read.
- Recommended Michèle Finck, ‘Blockchains as a
Regulatable Technology’ in Blockchain Regulation and Governance in
Europe (Cambridge University Press 2018). paywall link / UCL
link
- This chapter looks at ‘regulatory access points’ in relation to
blockchains, which we don’t look at much in this course (because they’re
mostly dumb, overengineered Ponzi schemes, and their relevant uses are
modest and arcane), but the readings and framework proposed by Finck are
more generally accessible.
- Optional Lawrence Lessig, Code: Version
2.0 (Basic Books 2006) OA
link
- I suggest looking at pages 61-137 (chapters 5-7). Lessig is referred
to a lot in the other readings, and if writing about him you should have
a look at what he says in his own words.
- Optional Niels ten Oever, ‘“This is
Not How We Imagined It”: Technological Affordances, Economic Drivers,
and the Internet Architecture Imaginary’ (2021) 23 New Media &
Society 344. OA
link
- This paper is good for those interested in some of the ways in which
the technical sides of standards are value laden and contested. Further
readings in this vein can be found in Beatrice Martini, ‘Internet
Infrastructure and Human Rights: Reading List’ (Stanford PACS,
2020).
- Optional Clément
Perarnaud and others, ‘“Splinternets”:
Addressing the Renewed Debate on Internet Fragmentation’
(European Parliamentary Research Service, 2022).
L3:
Intermediaries I: Liability for Online Content
____
||""||
||__||--------?------
[ -=.]`) who intermediates
====== 0 your messages?
Learning Objectives
- What was the initial logic behind intermediary liability laws? Was
that logic legitimate at the time, and does it remain so today?
- What factors have the CJEU indicated do not compromise the shielding
of intermediaries? Do you agree with these judgments?
- What is the concept of the CJEU has built? Are modern platforms
neutral in this way?
Articles and Chapters
- Compulsory Lilian Edwards, ‘“With
Great Power Comes Great Responsibility?”: The Rise of Platform
Liability’ in Lilian Edwards (ed), Law, Policy, and the
Internet (Hart Publishing 2019). UCL
link
- This chapter looks over the history of intermediary liability law.
It does not quite go up to the present day: since then, the Digital
Services Act, Copyright in the Digital Single Market Act, and Terrorist
Content Regulation (all in the EU), and in the UK, the Online Safety
Bill, all interact with this.
- Recommended Philippe
Jougleux, ‘Intermediaries’
Liability: Where Is My Chair?’ in Philippe Jougleux (ed),
Facebook and the (EU) Law: How the Social Network Reshaped the Legal
Framework (Springer International Publishing 2022).
- A slightly more up to date overview than the Edwards chapter above,
with EU focus.
- Recommended Aleksandra Kuczerawy, ‘From
“Notice and Take Down” to “Notice and Stay Down”: Risks and Safeguards
for Freedom of Expression’ in The Oxford Handbook of Intermediary
Liability Online (Oxford University Press 2020). OA-ish
link / UCL
link
- Recommended Folkert Wilman,
‘Between
preservation and clarification: The evolution of the DSA’s liability
rules in light of the CJEU’s case law’ in Joris Van Hoboken and
others (eds) Putting the DSA into Practice: Enforcement, Access to
Justice, and Global Implications (Verfassungsbooks 2023).
- Optional Jennifer Urban
and others, ‘Notice and Takedown in Everyday Practice’ (UC Berkeley
Public Law Research Paper No. 2755628, 2017) OA link
- Read the introduction & executive summary (pp 1-13) and delve
into the bits that interest you - it’s a long report.
- Optional Ben Wagner and others,
‘Regulating Transparency? Facebook, Twitter and the German Network
Enforcement Act’ (2020) Proceedings of the 2020 Conference on
Fairness, Accountability, and Transparency. OA-ish
link / UCL
link / 8
min talk on the paper
- Optional Sophie Stalla-Bourdillon,
‘Internet Intermediaries as Responsible Actors? Why It Is Time to
Rethink the E-Commerce Directive as Well’ in Mariarosaria Taddeo and
Luciano Floridi (eds), The Responsibilities of Online Service
Providers (Springer 2017). OA-ish
link / UCL
link
- Optional Graham Smith, ‘5.6 Liability
of Online Intermediaries’ in Internet Law and Regulation (Sweet
and Maxwell 2020) Book
available on Westlaw UK
- Part of a practitioner textbook on Internet Law. Goes into heavy
detail on the jurisprudence in the area.
- Optional Nico van Eijk
and others, Hosting Intermediary Services and Illegal Content
Online: An Analysis of the Scope of Article 14 ECD in Light of
Developments in the Online Service Landscape : Final Report.
(European Commission 2019). OA
link
- Optional Colten Meisner,
‘The
Weaponization of Platform Governance: Mass Reporting and Algorithmic
Punishments in the Creator Economy’ [2023] Policy & Internet.
(UCL 🔒)
Statute
European Union
- Compulsory Regulation (EU)
2022/2065 of the European Parliament and of the Council of 19
October 2022 on a Single Market For Digital Services and amending
Directive 2000/31/EC (Digital Services
Act) OJ L 277/1, arts 4, 5, 6, 8.
- Optional Directive
2000/31/EC of the European Parliament and of the Council of 8 June 2000
on certain legal aspects of information society services, in particular
electronic commerce, in the Internal Market (‘Directive on electronic
commerce’) OJ L 178/1, recitals 40-49, arts 1, 12–15.
- The Digital Services Act (DSA) replaces the relevant parts of the
e-Commerce Directive from February 2024. ECD, arts 12–15 map to
DSA arts 4, 5, 6, and 8. It is fine to already refer to the DSA
in essays rather than the ECD without outlining this transition, but
you’ll need to be aware of the ECD to refer to relevant case-law.
🇬🇧 Brexit Note 🇪🇺: The Digital Services Act (DSA)
replaces the relevant parts of the e-Commerce Directive from February
2024. ECD, arts 12–15 map to DSA arts 4, 5, 6, and 8.
The DSA does not apply in the UK, which will still use the transposition
of the ECD (The Electronic Commerce (EC Directive) Regulations 2002). These
regulations do not explicitly contain art 15 of the ECD, the general
monitoring prohibition, as the UK relied on the vertical direct effect
of the ECD to apply that provision (i.e. to prevent Parliament adopting
contrary laws, and prevent emanations of the state from applying general
monitoring obligations), and that effect has lapsed.
United States
US law in this area centres on ‘Section 230’. This part of US law has
its own mythology and saga-filled history. If interested, you can follow
it in Jeff Kosseff, The
Twenty-Six Words That Created the Internet (Cornell University
Press 2019) (UCL 🔒), and for an alternative, more critical view on this
provision, see Mary Anne Franks, ‘The
Cult of the Internet’, The Cult of the Constitution
(Stanford University Press 2019) (UCL 🔒).
- Recommended 47
U.S.C. 230(c) (‘Section 230’).
- This is the broad-ranging liability shield in US law which does not
have a notice and takedown requirement.
- Often referred to, technically incorrectly, as ‘Section 230 of the
Communications Decency Act’, which amended that section into existence.
This is such a common error that it is more a shorthand, so feel free to
refer to it that way.
Case Law
European Union
- Compulsory Case C-682/18
YouTube and Cyando ECLI:EU:C:2021:503
paras 18-39, 103-118.
- A case concerning whether certain platform features give an “active
role” to intermediaries.
- Recommended Case C‑70/10
Scarlet Extended ECLI:EU:C:2011:771
- On attempted general monitoring obligations applied to mere conduits
(a Belgian ISP).
- Optional Case C-360/10
Netlog ECLI:EU:C:2012:85
- Same issue as Scarlet, relates to hosting on Netlog, a
now-defunct Belgian social network.
- Recommended Joined Cases
C-236/08 and C-238/08 Google France ECLI:EU:C:2010:159
- Focus on paras 22-32 and 106-120, you don’t need to understand the
relevant trademark law.
- Recommended Case C‑324/09
L’Oréal SA v eBay ECLI:EU:C:2011:474
- Optional Case C-314/2
Telekabel ECLI:EU:C:2014:192
paras 26-50, 106-114
- Optional Case C-484/14
Mc Fadden ECLI:EU:C:2016:689
💡 Reading the Advocate General opinions for these cases can elaborate
on how they link to previous case law, and they are written in a less
robotic way than the CJEU (although remember that the Court does not
always follow the reasoning of the AG.) You can access these on
the CJEU’s own webpage using the Curia search by entering the case
number.
European Court of Human
Rights
The case-law of the ECHR on intermediary liability has at times seemed
at odds with the CJEU. The case of Delfi v Estonia received
criticism for seeming to ignore EU law. While the ECtHR seemed to draw
some boundaries around the Delfi case, these seem to have been radically
loosened in the more recent 2023 Grand Chamber judgment in Sanchez v
France, which did not find a violation of freedom of expression in
a case where the French state held a politician criminally liable for
not removing hateful comments under his post on a friends-only Facebook
page, despite not being explicitly notified of these posts by those
taking the action.
United Kingdom
The UK and E&W case law on intermediary liability is of less
central interest to this module. Much of it relates to defamation. You
can read more about the trajectory of this case law, including most of
the cases below, in Jaani Riordan, ‘Defamation’
in Jaani Riordan (ed), The Liability of Internet Intermediaries
(Oxford University Press 2016) (UCL 🔒).
- Optional Godfrey v
Demon Internet Ltd [1999] EWHC
QB 244.
- One of, if not the first, defamation cases on the Internet in
England and Wales.
- Optional Payam Tamiz
v Google Inc [2013]
EWCA Civ 68
- Optional Cartier
International AG & Ors v British Telecommunications Plc &
Anor [2018] UKSC
28
- This case is largely of tangential interest, but to date is the only
time the UK Supreme Court has been asked to consider a question relating
explicitly to the liability of internet intermediaries.
______
.-' `-.
.' `.
/ \
; ;`
| illegal content |;
; ;|
'\ / ;
\\`. .' /
`.`-._____.-' .'
/ /`_____.-'
/ / /
/ / /
/ / /
/ / /
/ / / or is it?
/ / /
/ / /
/ / /
/ / /
\\/_/
Learning Objectives
- Why might a prohibition on general monitoring obligations be
justified? What kind of issues is it trying to prevent?
- Has the CJEU changed its understanding of general monitoring over
time? What are the arguments for and against this kind of change?
- Is it easy to search for illegal content now we have more advanced
technologies to help us do it? What can go wrong? Is it just a matter of
time before they become good enough?
Articles
- Compulsory Joris Van Hoboken and Daphne Keller, ‘Design
Principles for Intermediary Liability Laws’ (Transatlantic High Level
Working Group on Content Moderation Online and Freedom of Expression
Working Paper, 8 October 2019) OA
link
- This guide looks at the different configurations and components
commonly found in international laws and proposals around intermediary
liability.
- Compulsory Robert Gorwa, Reuben Binns and Christian Katzenbach,
‘Algorithmic Content Moderation: Technical and Political Challenges in
the Automation of Platform Governance’ (2020) 7 Big Data & Society
2053951719897945. OA
link
- This paper critically considers the limits of automation of content
moderation policies.
- Recommended Daphne Keller, ‘Facebook
Filters, Fundamental Rights, and the CJEU’s Glawischnig-Piesczek Ruling’
(2020) 69 GRUR Int 616. paywall link / UCL
link
- This paper is critical of the Glawischnig-Piesczek case, arguing
that many parts of it might end up in overreach.
- Recommended Martin
Senftleben and Christina Angelopoulos, ‘The Odyssey of the Prohibition
on General Monitoring Obligations on the Way to the Digital Services
Act’ (University of Amsterdam and CIPIL Working Paper, October 2020) OA
link
- Recommended Aleksandra Kuczerawy,
‘General Monitoring Obligations: A New Cornerstone of Internet
Regulation in the EU?’ in Rethinking IT and IP Law - Celebrating 30
years CiTiP (Intersentia 2019). OA-ish
link
- Recommended Giovanni
Sartor, ‘The Impact of Algorithms for Online Content Filtering or
Moderation: Upload Filters’ (European Parliament 2020) OA
link.
- Optional Maayan Perel and
Niva Elkin-Koren, ‘Accountability in Algorithmic Copyright Enforcement’
(2015) 19 Stan Tech L Rev 473. OA
link
- Optional Graham Smith, ‘5.6 Liability
of Online Intermediaries’ in Internet Law and Regulation (Sweet
and Maxwell 2020) Book
available on Westlaw UK
- Optional Giancarlo Frosio
(ed.) Oxford Handbook of Online Intermediary Liability (Oxford
University Press 2020) Closed access
DOI UCL
link
- This is a useful tome for further reading on intermediary liability,
in particular comparing different regimes beyond the UK, Europe or the
United States.
Case Law
European Union
- Compulsory Case C-18/18
Glawischnig-Piesczek v Facebook ECLI:EU:C:2019:821
- Recommended One of
- Case C‑70/10 Scarlet Extended ECLI:EU:C:2011:771
(relates to mere conduits)
- Case C-360/10 Netlog ECLI:EU:C:2012:85
(same issue as Scarlet, relates to hosting on Netlog, a
now-defunct Belgian social network)
- Optional Case C-314/2
Telekabel ECLI:EU:C:2014:192
paras 26-50, 106-114
- Optional Case C-484/14
Tobias Mc Fadden v Sony Music Entertainment Germany GmbH ECLI:EU:C:2016:689.
- This case concerned a WiFi network in a shop that was being used to
break the law. A court asked the CJEU whether an injunction against the
shop was legal according to the e-Commerce Directive if it required
scanning of all content, termination of the WiFi network, or password
protecting the network. The CJEU stated that out of the three, only the
latter was allowed, as long as it was effective and required users to
reveal their identity in order to get the password.
- Case C-401/19 Poland v Parliament ECLI:EU:C:2022:297
T2: Regulating Recommending
|\
---|\\--------|-\\\-----
---|/-------0---\\|----
--/|-------------|----
-|-/-\\----------0-----
--\\|/----nice playlist-
In this tutorial, we are going to think about recommender systems, as
well as some of the approaches proposed to regulate them. Look at two
articles, and the proposals in the Digital Services Act, and review your
readings from previous sessions, to think about the questions below:
Tutorial Questions
- Are algorithmic systems essential to deliver content online today?
Is there a world without recommenders, or one where they are neutral? In
what interfaces or media are they most important?
- What kind of logics might be built into recommender systems? What
kind of information about the content, or the users, might you need to
do this, and where does this information come from?
- Are recommender systems a good target for regulation of online
content? What are the potential benefits, and what are the risks?
- How might you actually regulate recommender systems? Do you think
the approaches proposed in, for example, the Digital Services Act, will
work?
- How is being ‘shadow banned’ (or having content ‘reduced’) from a
recommender similar or different to being removed from a hosting
platform?
Articles
- Compulsory Jennifer Cobbe and Jatinder
Singh, ‘Regulating
Recommending: Motivations, Considerations, and Principles’ (2019)
10(3) European Journal of Law and Technology.
- This article predated the case in YouTube and Cyando and so
please read the discussions of recommenders and European intermediary
liability law in the context of that case.
- Compulsory Ulrik Lyngs and others, ‘So, Tell Me What Users Want,
What They Really, Really Want!’ in Extended Abstracts of the
2018 CHI Conference on Human Factors in Computing Systems (CHI EA
’18, New York, NY, USA, ACM 2018).
- Recommended Christoph
Busch, ‘From
Algorithmic Transparency to Algorithmic Choice: European Perspectives on
Recommender Systems and Platform Regulation’ in Sergio Genovesi,
Katharina Kaesling and Scott Robbins (eds), Recommender Systems:
Legal and Ethical Issues (Springer 2023).
- Recommended Arvind
Narayanan, ‘Understanding
Social Media Recommendation Algorithms’ (Knight First Amendment
Institute at Columbia University, 9 March 2023).
- Recommended Paddy Leerssen, ‘The Soap Box as
a Black Box: Regulating Transparency in Social Media Recommender
Systems’ (2020) 11(2) European Journal of Law and Technology.
- Recommended Tarleton Gillespie, ‘Do Not Recommend?
Reduction as a Form of Content Moderation’ (2022) 8 Social Media +
Society 20563051221117550.
- Recommended Axel Bruns, ‘Filter
Bubble’ (2019) 8 Internet Policy Review.
- Recommended Daphne Keller, ‘Amplification
and Its Discontents: Why Regulating the Reach of Online Content Is
Hard’ (2021) 1 Journal of Free Speech Law 227.
- Optional Owen Bennett, ‘The
Promise of Financial Services Regulatory Theory to Address
Disinformation in Content Recommender Systems’ (2021) 10 Internet
Policy Review.
- Optional Nick Seaver, ‘Captivating
Algorithms: Recommender Systems as Traps’ (2019) 24 Journal of
Material Culture 421.
- Optional Natali Helberger and others,
‘Exposure
Diversity as a Design Principle for Recommender Systems’ (2018) 21
Information, Communication & Society 191.
Cases
European Union
- Recommended Case C-682/18
YouTube and Cyando ECLI:EU:C:2021:503
paras 18-39, 103-118.
- You should have read this in the first intermediary liability
session, so consult your notes from then.
Statute
European Union
- Compulsory Regulation (EU)
2022/2065 of the European Parliament and of the Council of 19
October 2022 on a Single Market For Digital Services and amending
Directive 2000/31/EC (Digital Services
Act) OJ L 277/1, arts 27, 38
- Optional Regulation
(EU) 2019/1150 of the European Parliament and of the Council of 20
June 2019 on promoting fairness and transparency for business users of
online intermediation services OJ L 186/57 (‘P2B
Regulation’), art 5.
United States
These are provided not because it is crucial to understand US law in
this class, but instead because they present policy options for
regulating recommenders that at times contrast with those proposed in
e.g. the EU.
#_ d
##_ d#
NN#p j0NN
40NNh_ _gN#B0
4JF@NNp_ _g0WNNL@
JLE5@WRNp_ _g@NNNF3_L
_F`@q4WBN@Np_ _gNN@ZL#p"Fj_
"0^#-LJ_9"NNNMp__ _gN#@#"R_#g@q^9"
a0,3_j_j_9FN@N@0NMp__ __ggNZNrNM"P_f_f_E,0a
j L 6 9""Q"#^q@NDNNNMpg____ ____gggNNW#W4p^p@jF"P"]"j F
rNrr4r*pr4r@grNr@q@Ng@q@N0@N#@NNMpmggggmqgNN@NN@#@4p*@M@p4qp@w@m@Mq@r#rq@r
F Jp 9__b__M,Juw*w*^#^9#""EED*dP_@EZ@^E@*#EjP"5M"gM@p*Ww&,jL_J__f F j
-r#^^0""E" 6 q q__hg-@4""*,_Z*q_"^pwr""p*C__@""0N-qdL_p" p J" 3""5^^0r-
t J __,Jb--N""", *_s0M`""q_a@NW__JP^u_p"""p4a,p" _F""V--wL,_F_ F #
_,Jp*^#""9 L 5_a*N"""q__INr" "q_e^"*,p^""qME_ y"""p6u,f j' f "N^--LL_
L ] k,w@#"""_ "_a*^E ba-" ^qj-""^pe" J^-u_f _f "q@w,j f jL
#_,J@^""p `_ _jp-""q _Dw^" ^cj*""*,j^ "p#_ y""^wE_ _F F"^qN,_j
w*^0 4 9__sAF" `L _Dr" m__m""q__a^"m__* "qA_ j" ""Au__f J 0^--
] J_,x-E 3_ jN^" `u _w^*_ _RR_ _J^w_ j" "pL_ f 7^-L_F #
jLs*^6 `_ _&*" q _,NF "wp" "*g" _NL_ p "-d_ F ]"*u_F
,x-"F ] Ax^" q hp" `u jM""u a^ ^, j" "*g_ p ^mg_ D.H. 1992
Learning Objectives
- Is it useful to try and strictly define platforms? If we do, should
we define them by what they are, by what they do, or by something
else?
- What challenges do platforms pose that we might want to regulate?
Which do you think are the most pressing or important?
- Why is it hard to regulate platforms?
- What are some of the current regulatory trends to try and
regulate this area? Do you think they will work — and if so, for
whom?
- What are the opportunities and risks of requiring platforms to act
in a more ‘proactive’ manner? What are the implications for the platform
business model, and for the political economy of the Internet?
Articles
- Compulsory Miriam C Buiten,
‘The
Digital Services Act: From Intermediary Liability to Platform
Regulation’ (2022) 12 Journal of Intellectual Property, Information
Technology and E-Commerce Law.
- This paper outlines some of the features of the DSA, and how it
builds on, changes and expands existing regimes.
- Compulsory Martin Husovec,
‘Will the DSA
Work? On Money and Effort’ in Joris Van Hoboken and others (eds)
Putting the DSA into Practice: Enforcement, Access to Justice, and
Global Implications (Verfassungsbooks 2023).
- This short piece takes a more practical look at the enforcement of
the DSA, and the promise (and pitfalls) of some of its provisions.
- Recommended Julie E Cohen,
‘Law for
the Platform Economy’ (2017–18) 51 UCD L Rev 133.
- This piece lays out theory and practice of platforms in the legal
order, arguing that platforms construct their power out of law, rather
than exist in a lawless space, and considering some of the tactics and
approaches they use to be slippery and difficult to govern.
- Recommended Centre for
International Governance Innovation (ed.) Models
for Platform Governance (CIGI 2019).
- Recommended Graham Smith,
‘Take
Care with That Social Media Duty of Care’ (Cyberleagle, 19
October 2018).
- There are many essays in this collection, all very short and of
relevance to the topics we are discussing.
- Optional Robert Gorwa,
‘What is
Platform Governance?’ (2019) 22 Information, Communication &
Society 854.
- Optional Lorna Woods and
Will Perrin, ‘Obliging
Platforms to Accept a Duty of Care’ in Martin Moore and Damian
Tambini (eds), Regulating Big Tech (Oxford University Press
2021) (🔒 UCL)
Statute
European Union
- Compulsory Regulation (EU)
2022/2065 of the European Parliament and of the Council of 19
October 2022 on a Single Market For Digital Services and amending
Directive 2000/31/EC (Digital Services
Act) OJ L 277/1, making sure to look at least at: arts 14(4)
(Terms and conditions), 22 (Trusted flaggers), 25 (Online interface
design and organisation), 27 (Recommender system transparency), 28
(Online protection of minors), 33 (Very large online platforms and very
large online search engines), 34 (Risk assessment), 35 (Mitigation of
risks), 37 (Independent audit), 38 (Recommender systems), 39 (Additional
online advertising transparency), 40 (Data access and scrutiny), 44
(Standards), 74 (Fines).
United Kingdom
- Compulsory Draft Bill Online
Safety Bill, HL Bill 164 (as amended on Report) (19 July 2023),
focus on clauses 7–23, 35–37, 55–62, 122–130, 144, although you
may need to read around these for context.
Singapore
Australia
- Optional Online Safety
Act 2021, part 4.
- In relation to proactive duties, while the act does function with
codes of conduct, similar to Singapore, social media firms only have
reporting obligations on how they are meeting these duties; the eSafety
Commissioner does not have substantive powers unless these
reporting duties are not met.
READING WEEK
In this session, we introduce a parallel but interwoven regime to
privacy and private life: data protection. Lynskey
introduces where data protection came from, what it does, and how it
relates to privacy. Her book was written before the passing of the
General Data Protection Regulation, which builds on previous privacy
statutes; this is the topic of Hoofnagle and others,
who seek to summarise the Regulation. You should also read the
GDPR alongside this article as appropriate.
Further readings look at the history of data protection law
(González Fuster), and elaborate theoretically on the
functioning of data protection and its place within the EU legal order
(Lynskey, Ausloos).
Think while reading about what data protection seeks to do and
protect. How does it secure the aims we discussed when considering
privacy? What other ends does it pursue, or in what ways might it protect or
empower people? Is it a subset of privacy, or a separate, complementary
regime? How many of the rights and obligations were you aware of, and
how does the text of data protection law relate to the practices of
firms and governments that you are aware of?
Articles
- Compulsory Orla Lynskey, ‘The Key
Characteristics of the EU Data Protection Regime’ and
‘The Link between Data Protection and Privacy in the EU Legal Order’ in
The Foundations of EU Data Protection Law (Oxford University
Press 2015) UCL
link
- Compulsory Chris Jay Hoofnagle and others,
‘The European Union General Data Protection Regulation: What It Is and
What It Means’ (2019) 28 Information & Communications Technology Law
65 OA
link
- Recommended Gloria González Fuster, ‘The
Materialisation of Data Protection in International Instruments’ in
The Emergence of Personal Data Protection as a Fundamental Right of
the EU (Springer 2014) UCL
link
- Recommended Orla Lynskey, The
Foundations of EU Data Protection Law (Oxford University Press
2015) UCL
link
- Optional Jef Ausloos, ‘Foundations of
Data Protection Law’ in The Right to Erasure in EU Data Protection
Law: From Individual Rights to Effective Protection (Oxford
University Press 2020) UCL
link
Policy Documents
- Optional European Court
of Human Rights, Guide to the Case Law of the European Court of Human
Rights: Data Protection (Council of Europe, updated regularly) (look at
relevant parts to bolster your understanding) OA
link
- Note that the ECHR is distinct from the CJEU in its privacy and
data protection jurisprudence. There is no explicit right to data
protection in the Convention; this does not mean the Court has not
developed jurisprudence in this area, however.
Statute
- Compulsory Regulation (EU)
2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1.
Read this alongside the Hoofnagle and others article. You do not
need to read all of the recitals yet, and this takes most of the length
out; but they do help shine light on the main articles, and are
important interpretative tools, so refer back as
appropriate.
💡 Now is a good time to make a printed copy of the GDPR and start
annotating it. The cleanest version to do that from is
here.
Technically there have been some minor changes due to typos and similar
but they do not matter at the time of writing.
- Compulsory Charter of
Fundamental Rights of the European Union, articles 7–8.
🇬🇧 Brexit Note 🇪🇺: The GDPR applies in the UK as the
so-called ‘UK GDPR’. This is effectively the EU regulation, as of the
end of 2020, as retained through the European Union (Withdrawal) Act
2018, and as
amended by several instruments since. Currently, these amendments are
light, but there are heavier ones forthcoming in the (as of yet
unpassed) Data Protection and Digital Information Bill. The core parts
of the regime are the same, and the EU case-law from before the end of
2020 still applies in the UK. I will be explicit in the case of
divergence. However, it is fine to refer to EU cases from after 2020,
just be careful you do not make statements about them binding the UK.
Some people make the error of saying that the equivalent of the GDPR in
the UK is the Data Protection Act 2018 — this is false. The Data
Protection Act 2018 sits alongside the UK GDPR, tailors its
institutions, adds national exemptions and restrictions, and transposes
some other instruments such as the Law Enforcement Directive (data
protection for policing) and Convention 108+ to apply to intelligence
services, albeit weakly and mostly with carve-outs.
L7: The Law of Everything? Anonymisation and the Scope of Personal Data
One of the main concepts in data protection is the concept of
personal data. The boundaries of this concept have been
hotly contested, and are an important point of interaction for law,
policy, computer and data science alike; all of these disciplines work
on this issue intensely. McAuley describes why computer
scientists find anonymisation difficult to achieve.
Purtova argues that the CJEU has interpreted the GDPR
in an expansive manner which has led to an unmanageable array of
information types to be classifiable as personal data (but compare to
optional reading, Dalla Corte, who critiques this
reading). Elliot and others propose a different
approach, which looks at the risk of data to be reidentified in its
environment. What would be the benefits or risks of adopting this
approach? You should also read the Breyer case, which
is looked at considerably in the Purtova article.
You may also choose to read further reading, such as a technical
analysis of why it is difficult or impossible to anonymise some types of
location data from the perspective of computer science by de
Montjoye and others, and the application to smart environments and
technologies by Gellert. You should also consider the
household exemption, part of the scope of data protection law,
which is importantly limited by the cases Lindqvist and
Ryneš.
How should a controller in practice go about considering what is
personal data or not? How might this differ for different types of data
— text; location; tabular data; video data or photographs? Is there a
good balance between personal or non-personal data classification that
is possible, or will any approach inevitably be gamed and abused? If so,
is there a way out of this quandary?
While reading it all, as well as when you have read both the papers
and the cases, think through the following questions:
- What is it about data that makes anonymisation particularly
hard?
- Can you think of a good example of data which is reliably
non-personal under data protection law?
- What sort of test does Breyer imply? What kind of
capacities might data controllers need to carry out this test?
- Is this approach to personal data a sensible one for data protection
law? What might be the challenges if a narrower approach was taken? What
about a broader one?
- Is the household exemption too narrow in scope?
Statute
European Union
- Compulsory GDPR, recitals
26-30, arts 2, 4(1).
Videos
Articles
- Compulsory Nadezhda Purtova, ‘The
Law of Everything. Broad Concept of Personal Data and Future of EU Data
Protection Law’ (2018) 10 Law, Innovation and Technology 40.
- Compulsory Mark Elliot and
others, ‘Functional Anonymisation: Personal Data and the Data
Environment’ (2018) 34 Computer Law & Security Review 204. OA
preprint link / UCL
typeset link
- Recommended Michèle Finck and Frank Pallas, ‘They Who Must Not Be
Identified—Distinguishing Personal from Non-Personal Data under the
GDPR’ (2020) 10 International Data Privacy Law 11.
- Contains useful context about pseudonymisation methods such as
hashing and salted hashing, as well as detailed legal analysis up to
2020.
- Recommended Nadezhda Purtova, ‘From Knowing by Name to
Targeting: The Meaning of Identification under the GDPR’ (2022) 12
International Data Privacy Law 163.
- Considers whether there is an alternative way to justify personal
data, focusing on ideas of singling out and individuation rather than
reidentifiability.
- Recommended Lorenzo Dalla Corte, ‘Scoping Personal Data: Towards a
Nuanced Interpretation of the Material Scope of EU Data Protection
Law’ (2019) 10 European Journal of Law and Technology.
- Critiques Purtova (2018), arguing that the scope she indicates is
too broad and highlighting rhetorical flaws in the argument.
- Recommended Raphaël Gellert, ‘Personal
Data’s Ever-Expanding Scope in Smart Environments and Possible Path(s)
for Regulating Emerging Digital Technologies’ (2021) 11 International
Data Privacy Law 196. UCL
typeset link / OA
preprint
- Optional Yves-Alexandre de Montjoye
and others, ‘Unique
in the Crowd: The Privacy Bounds of Human Mobility’ (2013) 3
Scientific Reports 1376.
- A seminal computer science paper on the futility of anonymising
location data.
- Optional Draft Guidance Information
Commissioner’s Office (2021), ICO
call for views: Anonymisation, pseudonymisation and privacy enhancing
technologies guidance
- Optional Benjamin Wong,
‘Delimiting the Concept of Personal Data after the GDPR’ (2019) 39 Legal
Studies 517. UCL
link
- Optional Michael Veale, Reuben Binns and Lilian Edwards, ‘Algorithms
that Remember: Model Inversion Attacks and Data Protection Law’
(2018) 376 Phil Trans R Soc A 20180083.
- A paper arguing that machine learned models may contain personal
data. Relevant for discussions of ChatGPT and similar large language
models.
Cases
European Union
- Compulsory Case C-582/14
Patrick Breyer v Bundesrepublik Deutschland ECLI:EU:C:2016:779
(on the identifiability of personal data)
- Recommended Case C‑434/16
Nowak ECLI:EU:C:2017:994 (on exam scripts and comments)
- Recommended C-184/20
Vyriausioji tarnybinės etikos komisija ECLI:EU:C:2022:601 (on
conditions for inference of special category data)
- Recommended Case
C-101/01 Lindqvist EU:C:2003:596 (on the scope of the household
exemption)
- Recommended Case C‑212/13
Ryneš ECLI:EU:C:2014:2428 (on a CCTV camera on a house and the
household exemption)
Pending Cases
Provided for information; the topics they explore may be useful for
coursework or formatives, and AG opinions or judgments may emerge during
the year.
- Case C-604/22 IAB Europe (on whether a compliance mechanism
for online tracking comprises personal data)
- Case C-659/22 Ministerstvo zdravotnictví (Czech Ministry of
Health) (on whether scanning vaccination certs amounts to
processing)
- Case C-115/22 NADA and Others (on health data and
doping)
- Case C-446/21 Schrems (on sexuality and special category
data in advertising)
United Kingdom
- Optional Durant v
Financial Services Authority [2003] EWCA Civ 1746.
- Optional Edem v The
Information Commissioner & Anor [2014] EWCA Civ 92
- Optional Secretary of
State for the Home Department & Anor v TLU & Anor [2018]
EWHC 2217 (QB).
💡 See commentary on how these interplay with EU law in Wong (2019)
above.
T3: Data Rights and Wrongs
Preparation
(in class, in part. We did this at the end of L5.)
For this tutorial, there is a short preparatory activity we will use
as a basis for discussion about the right of access. Carrying out steps
1-2 is essential, but step 3 is optional (writing further to a company
to request your data). I advise doing it, however, as it is free, and
it is interesting to see how they interact with you, and what you get
back.
1. Try to use a “download my data” tool on one or more services that
you use. Some examples of those from the largest services are
below:
2. If you get a copy of the data, try to locate the privacy policy
for that company. Privacy policies are usually written so as to provide
some of the information required in Article 13 of the GDPR (have a
look). Re-read articles 13–15, and article 20, of the GDPR. Is this all
the data you requested? What personal data might be missing? Do you also
think (e.g. from your usage of a service) that the controller might have
additional data about you they are not telling you about?
3. [Optional, but recommended] Write an email or other message to
the firm (how should be detailed in the privacy policy) asking for a
full copy of your data, highlighting any omissions you discovered or
suspected based on point 2. I have made a template for a very
full version of how to do this here, but you are welcome to just
type something shorter or more focussed.
If you get to 2 and 3, save all the files you get from this process
in one place (e.g. a copy of relevant parts of the privacy policy, and
any data), so we can talk about the process during the tutorial.
Regardless, save and look at any data you receive.
In this session, we’ll discuss the access requests made earlier in
class. Please come having done the reading and try to bring whatever you
have received in a form on your computer you can use to discuss and
refer to (although no need to share it!).
Questions to consider:
- What is the right of access for? What is its scope? What are its
limits?
- How powerful is the right of access at achieving its various
purposes?
- What barriers exist to making access rights useful or powerful?
- What barriers did you face getting access to, or scrutinising data?
How might you reform the right of access to make it more useful - or is
such reform futile?
Readings
- Compulsory GDPR, arts 12,
15, 20.
- Compulsory European Data
Protection Board (2023) ‘Guidelines 01/2022 on data subject rights -
Right of access’ OA
link
- Recommended Jef Ausloos and
Michael Veale, ‘Researching with Data Rights’ (2020) 2020 Technology and
Regulation 136.
- Optional Jef Ausloos and
Pierre Dewitte, ‘Shattering One-Way Mirrors – Data Subject Access Rights
in Practice’ (2018) 8 International Data Privacy Law 4. UCL
link OA
link
- Optional René Mahieu,
‘The Right of Access to Personal Data: A Genealogy’ (2021) 2021 TechReg
62. OA link
- Optional Case C‑434/16
Nowak ECLI:EU:C:2017:994
- On the broad scope of the right of access.
- Optional Case C‑154/21
RW v Österreichische Post AG ECLI:EU:C:2023:3
- On the right to know ‘recipients’ of personal data, and that
requests have to be tailored to the individual if required, not
generic.
- Optional Joined Cases
C‑141/12 and C‑372/12 YS and Others ECLI:EU:C:2014:2081.
- On the distinction between data and documents.
- Optional Case C‑487/21
F.F. v Österreichische Datenschutzbehörde and CRIF ECLI:EU:C:2023:369
- Clarifying YS and Others that individuals have a right to
database extracts or documents if the provision of this copy is
necessary to exercise rights.
- Optional Dawson-Damer
& Ors v Taylor Wessing LLP [2017] EWCA Civ 74 at [104]–[108];
B v The General Medical Council [2019] EWCA Civ 1497 at [79]
- On ‘purpose-blind’ access rights - ‘the general position is that the
rights of subject access to personal data […] are not dependent on
appropriate motivation on the part of the requester’
- Optional Case C‑307/22
FT (Copies du dossier médical) ECLI:EU:C:2023:811
- Purpose-blind nature under post-Brexit EU case law - ‘the controller
is under an obligation to provide the data subject, free of charge, with
a first copy of his or her personal data [..] even where the reason for
that request is not related to those referred to in the first sentence
of recital 63 of that regulation’.
L8: Being Forgotten Online
O O _J""-.
.-""L_ o o /o ) \ ,';
;`, / ( o\ \ ,' ; /
\ ; `, / "-.__.'"\\_;
;_/"`.__.-" google or goldfish?
Learning Objectives
- How does the right to be forgotten function? Where did it come
from?
- What kind of information and process is needed to assess a RTBF
request according to the existing jurisprudence? What kind of a process
might this be, and how does that compare to what we know of the
processes that are used in practice?
- Who does the RTBF benefit?
- Is the balance correct in the RTBF? Should there be more or less
emphasis on freedom of expression?
- Is the RTBF adequately governed? How do private decisions and
judicial decisions interplay, and are there potential reforms that you
might want to see implemented at this interface?
Articles
- Compulsory Andrés Guadamuz, ‘Developing
a Right to Be Forgotten’ in Tatiana-Eleni Synodinou and others (eds),
EU Internet Law: Regulation and Enforcement (Springer 2017). OA-ish
link UCL
paywall link
- An overview of some of the debates and sides people take concerning
the Right to Be Forgotten.
- Compulsory Paul De Hert and
Vagelis Papakonstantinou, ‘Right
to Be Forgotten’, Elgar Encyclopedia of Law and Data
Science (2022).
- A concise encyclopaedia entry providing a guide to the RTBF’s origin
and jurisprudence up through the start of 2022.
- Recommended Aleksandra
Kuczerawy and Jef Ausloos, ‘From Notice-and-Takedown to
Notice-and-Delist: Implementing Google Spain’ (2015–16) 14 Colo Tech LJ
219. OA link
- A discussion of some of the roles (as they were and are emerging) of
different governance actors in the run up to, and in the wake of, the
judgment in Google Spain.
- Recommended Theo Bertram
and others, ‘Five Years of the Right to Be Forgotten’ in (ACM 2019)
Proceedings of the 2019 ACM SIGSAC Conference on Computer and
Communications Security 959. OA link
- A scholarly article on how the RTBF has panned out from the point of
view of Google employees, who authored it. Read alongside the firm’s
regularly updated, quantitative Transparency
Report into EU delisting on the basis of the right.
- Recommended Joris Van
Hoboken, ‘Search Engine Freedom’ in Search Engine Freedom: On the
Implications of the Right to Freedom of Expression for the Legal
Governance of Web Search Engines (University of Amsterdam 2012) pp
168-213. OA link
- A discussion of the theoretical and legal manners in which freedom
of expression applies to search engines, given their crucial role in
enabling access to information. Pre-dates Google Spain,
although not the debates about the RTBF.
- Optional Jef Ausloos,
The Right to Erasure in EU Data Protection Law: From Individual
Rights to Effective Protection (1st edn, Oxford University Press
2020). UCL
link 🔒
- Optional Jean-François
Blanchette and Deborah G Johnson, ‘Data Retention and the Panoptic
Society: The Social Benefits of Forgetfulness’ (2002) 18 The Information
Society 33. OA
link paywalled,
typeset link
- A less legal view of why we might want a right to be forgotten from
the standpoint of privacy.
- Optional Tarleton
Gillespie, ‘To Remove or to Filter?’ in Custodians of the
Internet (Yale University Press 2018). UCL
link (paywalled)
- A broader discussion of the different tactics that internet
intermediaries, and particularly platforms, use to limit the
distribution of content online.
- Optional David Erdos,
‘The “Right to Be Forgotten” beyond the EU: An Analysis of Wider G20
Regulatory Action and Potential Next Steps’ (2021) 13 Journal of Media
Law 1. OA-ish
link UCL
link
- Examines how similar rights to be forgotten work in jurisdictions
including Canada, Turkey and Australia.
- Optional Stefan Kulk and
Frederik Zuiderveen Borgesius, ‘Privacy, Freedom of Expression, and the
Right to Be Forgotten in Europe’ in Evan Selinger and others (eds),
The Cambridge Handbook of Consumer Privacy (Cambridge
University Press 2018). OA-ish
link UCL
paywall link
- A useful introduction to how freedom of expression is balanced by
the CJEU and ECtHR, focussing on the right to be forgotten. Overlaps
otherwise in terms of content with Guadamuz 2017.
Policy Documents
- Optional European Data
Protection Board, Guidelines 5/2019 on the criteria of the Right to
be Forgotten in the search engines cases under the GDPR (EDPB 2020)
OA
link
- Guidance from the European regulators in charge of enforcing
Google Spain and the Right to Erasure. See also the commentary
on these guidelines by David Erdos, University of
Cambridge.
- Optional Access Now,
Understanding the Right to Be Forgotten Globally (Access Now
2017) OA
link
- A short policy paper from an NGO indicating the surrounding
conditions and a safeguard wishlist for global implementation of a right
to be delisted on privacy grounds.
Statute
European Union
- Compulsory Regulation
(EU) 2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC (General Data Protection Regulation) OJ L
119/1, art 17.
United Kingdom
- Optional Data Protection
Act 2018, sch
2 part 1
- This contains exemptions to the right to erasure (among other data
rights) that were set down on the basis of GDPR, art 23
(Restrictions).
Case Law
European Union
- Compulsory Case C-131/12
Google Spain SL and Google Inc v Agencia Española de Protección de
Datos (AEPD) and Mario Costeja González ECLI:EU:C:2014:317.
- Compulsory Case C‑136/17
GC and Others v Commission nationale de l’informatique et des
libertés (CNIL) ECLI:EU:C:2019:773.
- Compulsory Case C‑507/17
Google LLC v Commission nationale de l’informatique et des libertés
(CNIL) ECLI:EU:C:2019:772.
💡 It may help to read a few case notes on GC and Others and
Google v CNIL if you are struggling with them. You can search
these out on Westlaw, Google Scholar or just the plain old search engine
of your choice.
ECtHR
- Optional Hurbain v
Belgium ECLI:CE:ECHR:2023:0704JUD005729216
- This case was an Article 10 ECHR claim by the Belgian newspaper
Le Soir, which had been ordered to anonymise a digital archived
version of a 1994 article about a driving offence. No breach of article
10 was found.
United Kingdom
- Recommended NT1 &
NT2 v Google LLC [2018]
EWHC 799 (QB). BAILII
- The first Google Spain case applied by English courts. One
applicant had his delisting refusal by Google overturned by the High
Court, and one had it confirmed. What was the difference between
them?
L9: Online Tracking: Revenge of the Cookie Monster
Somebody is prying through your files, probably
Somebody's hand is in your tin of Netscape magic cookies
But relax: if you're an interesting person
Morally good in your acts
You have nothing to fear from facts
The Age of Information (Momus, 1997)
Cookie pop ups when you browse the web are hardly anything new to
most Internet users, particularly in Europe. But what exactly are
cookies? How are they something that we should be concerned about? How
does the law understand cookies, and how has that developed over time?
In the session, we’re going to try and get some answers to some of these
questions. While reading and examining the below, it will be good to
think about the following questions:
- What conceptual role do cookies play in online tracking and
profiling?
- Consent is a large part of the way that we govern cookies in Europe.
But is it a good way to do this? What would the alternatives look like,
and in what ways would they be better or worse?
- If many of the ways the cookies are used on the Internet are
currently illegal, why hasn’t anything been done about it? What are the
main challenges and regulatory hurdles that prevent effective
enforcement?
Also pay attention to the issue of controllership — this topic should
be considered in tandem with the tutorial on controllership. Who is the
controller when it comes to tracking on a website?
Articles
- Compulsory Michael Veale and Frederik Zuiderveen Borgesius,
‘Adtech and Real-Time Bidding under European Data Protection Law’ (2022)
23 German Law Journal. OA link
- Compulsory Midas Nouwens and others,
‘Dark Patterns after the GDPR: Scraping Consent Pop-Ups and
Demonstrating Their Influence’ in (ACM 2020) Proceedings of the ACM
Conference on Human Factors in Computing Systems (CHI 2020). OA link
- Compulsory René Mahieu and Joris Van Hoboken,
‘Fashion-ID: Introducing a Phase-Oriented Approach to Data Protection?’
(European Law Blog, 30 September 2019) OA
link
- Recommended Reuben Binns and others, ‘Third
Party Tracking in the Mobile Ecosystem’ in Proceedings of the 10th
ACM Conference on Web Science (WebSci ’18) (ACM 2018). OA link
- Optional Michael Veale,
Midas Nouwens and Cristiana Santos, ‘Impossible Asks: Can
the Transparency and Consent Framework Ever Authorise Real-Time Bidding
After the Belgian DPA Decision?’ (2022) 2022 Technology and
Regulation 12.
- Optional Günes Acar and
others, ‘The Web Never Forgets: Persistent Tracking Mechanisms in the
Wild’ in Proceedings of the 2014 ACM SIGSAC Conference on Computer
and Communications Security (CCS ’14) (ACM 2014) UCL
link / OA
link
- Optional René Mahieu and others,
Responsibility for Data Protection in a Networked World: On the Question
of the Controller, “Effective and Complete Protection” and its
Application to Data Access Rights in Europe, 10 (2019) JIPITEC 85
- Optional Konrad Kollnig and
others, ‘Before and after GDPR: Tracking in Mobile Apps’ (2021) 10
Internet Policy Review. OA link
- Optional Jiahong Chen and
others, ‘Who is
Responsible for Data Processing in Smart Homes? Reconsidering Joint
Controllership and the Household Exemption’ (2021) 10 International
Data Privacy Law 279.
Policy Documents
- Optional Information
Commissioner’s Office, ‘Update Report into Adtech and Real Time Bidding’
(20 June 2019) link
- Optional Information
Commissioner’s Office, ‘Data Protection and Privacy Expectations for
Online Advertising Proposals’ (25 November 2021). link
- Optional CNIL (French
DPA), ‘Cookies: FACEBOOK IRELAND LIMITED Fined 60 Million Euros’ (6
January 2022) link;
CNIL (French DPA), ‘Cookies: GOOGLE Fined 150 Million Euros’ (6 January
2022) link.
see also English language decisions within
Cases
European Union
- Compulsory Case C-210/16
Wirtschaftsakademie Schleswig-Holstein ECLI:EU:C:2018:388.
- Compulsory Case C-49/17
Fashion ID ECLI:EU:C:2019:629.
- Recommended Case C‑252/21
Meta Platforms and Others ECLI:EU:C:2022:704, Opinion of
Advocate General Rantos, particularly concerning the interaction of web
tracking data and Article 9 sensitive data characteristics.
- Optional Case C‑25/17
Jehovan todistajat ECLI:EU:C:2018:551 (consider how the
controllership argument might analogise)
- Optional Case C-673/17
Planet49 GmbH ECLI:EU:C:2019:801.
- Optional Case C-131/12
Google Spain ECLI:EU:C:2014:317 (particularly around
questions of controllership)
💡 For both the compulsory cases it can also be useful to read the
Advocate General opinions if you are unclear about the points and
context:
- Recommended Case C‑210/16
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v
Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2017:796,
Opinion of AG Bot.
- Recommended Case C-49/17
Fashion ID GmbH & CoKG v Verbraucherzentrale NRW eV
ECLI:EU:C:2018:1039, Opinion of AG Bobek.
United Kingdom
These cases are not directly about the substance of tracking but
consider the issues of a workaround concerning cookies and the ability to
claim damages on that basis. They are included here mainly for
completeness, but are also of interest (both the final judgments listed
and the prior cases appealed) in relation to how courts understand
issues of tracking.
- Optional Vidal-Hall v
Google Inc [2015] EWCA Civ 311.
- Optional Lloyd v
Google LLC [2021] 3 UKSC 50.
Belgium
Statute
United Kingdom
- Compulsory Privacy and
Electronic Communications (EC Directive) Regulations 2003, reg
6
- This derives from the e-Privacy Directive, art 5(3), below.
- Optional Draft Bill Data Protection and Digital
Information HC Bill (2022–23) 143, cl
79.
- Whether this law will be reintroduced is currently unclear.
European Union
- Recommended Directive
2002/58/EC of the European Parliament and of the Council of 12 July 2002
concerning the processing of personal data and the protection of privacy
in the electronic communications sector (Directive on privacy and
electronic communications) OJ L 201/37, art
5(3).
- This is implemented in the UK by PECR reg 6, above
T4: Let’s Do It At My Place: Privacy Sandbox and the Future of Online Targeting
Questions
Consider the readings from the seminar, the lecture, and at least the
compulsory reading above.
- What are the main privacy and other policy challenges from ‘classic’
targeted advertising? What kind of forms does online advertising take,
and how does this link to harms and policy challenges?
- Many proposed advertising techniques take the advertising and
targeting into the browser or operating system, rather than having data
collected by remote servers. Is this good or bad for privacy? For data
protection?
- Why might large advertising platforms want to ensure they target
on-device, and/or in a way where they cannot see the personal
data?
- Is there a data controller of this on-device advertising? Who? Can
they fulfil the full rights and obligations of a data controller?
- How should a data regulator, or internet law, react to the move to
on-device processing?
L10: Computer Says No? Machine Learning and Automated Decision-making
Computers are intermediating the content of decisions now, rather
than just transmitting them. The governing of algorithms and automated
systems is big news, and big business for some. But what role for data
protection law? In this session, we’ll dig into the details.
When doing the reading, think about the following:
- What are the main issues concerning algorithms that require
governance? What have the last few years indicated are the most pressing
of them, and which might be the most pressing in the future?
- Should we be worried about algorithms, or “decisions”, both or
neither?
- How can we reconcile the purpose of Article 22 with the rest of the
GDPR? Does it connect to form a coherent whole, or does it not make
sense?
- Is Article 22 a relic that will fail to govern algorithms going
forward, or is there hope that it can be usefully repurposed? If so, as
a simple safety net, or an active tool of governance?
- Are there simple changes, or court interpretations, that might make
the governance of algorithms through the GDPR function more effectively?
Which? Are they likely without new legislation?
Articles
- Compulsory Margot E
Kaminski, ‘Binary Governance:
Lessons from the GDPR’s Approach to Algorithmic Accountability’
(2019) 92 Southern California Law Review
- Compulsory Reuben Binns
and Michael Veale, ‘Is that Your
Final Decision? Multi-Stage Profiling, Selective Effects, and Article 22
of the GDPR’ [2021] International Data Privacy Law
- Compulsory Andrew D Selbst
and others, ‘Fairness and
Abstraction in Sociotechnical Systems’ in Proceedings of the
Conference on Fairness, Accountability, and Transparency (FAT* ’19, New
York, NY, USA, ACM 2019).
- Recommended Lilian Edwards
and Michael Veale, ‘Slave to the
Algorithm? Why a “Right to an Explanation” Is Probably Not the Remedy
You Are Looking For’ (2017) 16 Duke Law & Technology Review
18
- Recommended Andrew Selbst
and Solon Barocas, ‘The Intuitive
Appeal of Explainable Machines’ (2018) 87 Fordham Law Review
1085.
- Recommended Mireille
Hildebrandt, ‘Privacy
as Protection of the Incomputable Self: From Agnostic to Agonistic
Machine Learning’ (2019) 20 Theoretical Inquiries in Law 83.
- Optional Margot E
Kaminski, ‘The Right to Explanation,
Explained’ (2019) 34 Berkeley Technology Law Journal OA link
- Optional Andrew D Selbst
and Julia Powles, ‘Meaningful
Information and the Right to Explanation’ (2017) 7 International
Data Privacy Law 233.
- Optional Sandra Wachter
and others, ‘Why
a Right to Explanation of Automated Decision-Making Does Not Exist in
the General Data Protection Regulation’ (2017) 7 International Data
Privacy Law 76.
Policy Documents
Statute
European Union
- Compulsory General Data
Protection Regulation (GDPR), articles 15, 21, 22, recital 71.
United Kingdom
- Optional Draft Bill Data Protection and Digital
Information HC Bill (2022–23) 143, cl
11.
- Whether this law will be reintroduced is currently unclear.
Case-Law
European Union
Acknowledgments
ASCII art from link, link, link, link, link, link.
Credits where artist known: Felix Lee, hfw, jgs (Joan Stark), hrr, fsc,
Veronica Karlsson, David S. Issel.