Proposition Walhalla. ‘The algorithms of the law must keep pace with new and emerging technologies.’

Update 18 August 2020 the judgment was overturned upon appeal and a breach of Article 8 ECHR found: [2020] EWCA Civ 1058 Bridges, R (On the Application Of) v South Wales Police. reviewed here.

Update 17 January 2020 the European Commission reportedly has a different view and is preparing a proposal to ban this use temporarily.

‘The algorithms of the law must keep pace with new and emerging technologies’ is the opening sentence of Hadon-Cave LJ and Swift J in R v The Chief Constable of South Wales Police and others [2019] EWHC 2341.

The central issue is whether the current legal regime in the United Kingdom is adequate to ensure the appropriate and non-arbitrary use of AFR (automated face recognition) in a free and civilized society. The High Court finds it is. No doubt appeal will follow. I leave the assessment of the findings (discussing in particular Article 8 ECHR: right to respect for one’s private and family life, one’s home and one’s correspondence) of the Court to others. It is the opening sentence which drew my attention as, inevitably, it did others’. It is a sentence upon which one can hinge en entire regulatory /new technologies course. Must the algorithms of the law (whatever these may be) keep pace with technology?  Or rather, guard against the challenges of same?

Discuss.

Geert.

The innovation principle’s continued journey.

A short update on the innovation principle‘s continued (corporate-sponsored, let’s be frank) journey.

Thank you first of all prof Maria Lee for signalling the UK’s planned introduction of an ‘innovation test’, to be piloted as part of industrial strategy. Its goal is expressed as ‘We will create an outcome-focused, flexible regulatory system that enables innovation to thrive while protecting citizens and the environment.’ Not much more detail is given. Formulated as such, it does nothing that the current EU regulatory model does not already address – its true goal undoubtedly is a post-Brexit libertarian regulatory environment.

Further, Nina Holland observed with eagle eyes the link between Nafta 2.0 (USMCA) and innovation, in particular Article 12-A-4 ‘parties’ “recognize the importance of developing and implementing measures in a manner that achieves their respective level of protection without creating unnecessary economic barriers or impediments to technological innovation’ (like the UK initiative: meaningless for already addressed by current international trade agreements; the real intention actually is deregulation). American industry has been arguing that the US should ‘build on’ the new NAFTA when negotiating with the EU (should TTIP ever be resuscitated).

Geert.

 

Ghostbusters and the Marshmallow Man. The European Commission covert consultation and study on the innovation principle.

Update 29 November 2019 for our assessment of the results of the study see here and press response here.

I have reported before on the innovation principle, the industry efforts behind it and the European Commission response to same. I have linked our initial paper as well as media and other reports in an earlier posting. The most comprehensive overview of the genesis of the principle is included here.

One of the comments I made in that earlier post is that Commissioner Moedas has emphasised verbatim that the innovation principle is not binding EU law: ‘“I think we have some misunderstanding here … The Horizon Europe proposal does not in any way establish the innovation principle or incorporate it into EU law. It is referred to in the recitals but it is not something that is [in] the proposal,” he said.

At the end of the original Ghostbusters movie, a giant Marshmallow Man appears as a result of the main ghost’s conjuring up himself as the physical manifestation of the first thought popping up into the mind of the lead characters’ mind (further info here). The road to turning the imagination of the innovation principle into reality is currently equally continuing with no less than a Commission-ordered Consultation Report, from the Centre for European Policy Studies, on the evaluation of the innovation principle: see the Directorate-General’s invitation letter and the questionnaire.

Both documents reached me via a little Berlaymont bird. I have anonymised individuals mentioned in the documents and I have also changed the order of questions in the questionnaire just in case individual copies were drafted to facilitate the coveted ‘confidentiality’ – contents of the questionnaire have stayed the same. The questionnaire is meant for ‘selected stakeholders’ who are instructed not to ‘share, quote or cite it’.

The principle even if it does exist certainly does not do so in EU law – as confirmed by the Commissioner. Yet it is his DG which has instructed CEPS to carry out the study, confidentially: not exactly a driving principle of the Better Regulation Agenda to which the documents purport to answer.

The invite states that ‘the overall aim of this evaluation is to describe the status quo and prepare recommendations for future action in accordance with the better regulation guidelines. These recommendations will serve to apply the Innovation Principle in a way which helps the achievement of EU policy objectives and is consistent with identified stakeholder needs.’

The text pays lip service to the general interest which ‘innovation’ is meant to serve, yet also repeatedly emphasises that existing regulatory hurdles to ‘innovation’ ought to be classified and potentially removed; that the EC may take the necessary steps to initiate this; and nowhere does it question the very existence of the principle.

It is noteworthy in this respect that Horizon Europe, Europe’s next flagship research and development program, refers drastically less to responsibly research and innovation -RRI than did its predecessor. Parliament did not halt references to the innovation principle in its recitals.

I would like to emphasise again that with my co-authors of the paper, I am not an unshakable opponent of the introduction of an innovation principle. Provided the discussion on it is done in the appropriate institutions and at the very least in the public domain. A confidential survey confirms the reactionary character which this principle so far represents on the EU scene.

Geert.

 

Towards an innovation principle: our paper on an industry horse knocking at the EU door.

Update 14 December 2018 Parliament failed to halt references to the innovation principle in Horizon Europe (recital 3 in COM(2018) 435: ‘The promotion of research and innovation activities deemed necessary to help realise Union policy objectives should take into account the innovation principle as put forward in the Commission  Communication of 15 May 2018 ‘A renewed European Agenda for Research and Innovation – Europe’s chance to shape its future’ (COM(2018)306).’ An initial report on the failure is here, I shall have a post soon. Of crucial note is that Commissionner Moedas has emphasised verbatim that the innovation principle is not binding EU law: from the Politico Report: ‘“I think we have some misunderstanding here … The Horizon Europe proposal does not in any way establish the innovation principle or incorporate it into EU law. It is referred to in the recitals but it is not something that is [in] the proposal,” he said.
Moedas continued: “We need an innovation principle as we need a precautionary principle. Both are complimentary.”
Commission officials say the innovation principle does not have the same legal weight as the precautionary principle, which is included in the EU treaties.

Update 12 December 2018. There has been quite a bot of noise around the principle in recent days – see our comments in pieces by Le Monde, Politico, and Follow the Money.

Our paper on the innovation principle, with Kathleen Garnett and Leonie Reins is just out in Law, Innovation and Technology. We discuss how industry has been pushing for the principle to be added as a regulatory driver. Not as a trojan horse: industry knocks politely but firmly at the EU door, it is then simply let in by the European Commission. We discuss the ramifications of such principle and the wider consequences for EU policy making.

Happy reading.

Geert.

(Handbook of) EU Environmental Law (with Dr Reins), 1st ed. 2017, Chapter 2.

It’s true! Belgian Supreme Court confirms order for Yahoo! to hand over IP-addresses.

Jurisdiction and the internet is a topic which has featured once or twice on this blog recently (and in a  paper which I have already referred to in those earlier postings). Belgian’s Supreme Court in ordinary (the Hof van Cassatie /Cour de Cassation) employed the objective territoriality principle in a case with roots going back to 2007 (the fraudulent purchase of and subsequent failure to pay for electronic equipment from a shop in Dendermonde, Belgium), Yahoo! was requested to hand over the IP addresses associated with e-mail accounts registered to Yahoo!’s e-mail service. Yahoo! Inc, domiciled in California, refused to comply, triggering fines under criminal law. (It’s corporate slogan btw used to be ‘it’s true!’ Hence the title of the post).

Responding to Yahoo!s claims that Belgium was imposing its criminal laws extraterritorially, the Court of Appeal had held that Yahoo! is territorially present in Belgium, hereby voluntarily submitting itself to the jurisdiction of the Belgian authorities: it takes an active part in economic life in Belgium, among others by use of the domain name http://www.yahoo.be, the use of the local language(s) on that website, pop-up of advertisements based on the location of the users, and accessibility in Belgium of Belgium-focussed customer services (among others: a ‘Belgian’ Q&A, FAQ, and post box). [Notice the similarity with the Pammer /Alpenhof criteria]. The Court of Appeal had suggested that the accusations of extraterritoriality could only be accepted had there been a request for the handover of data or objects which are located in the USA, with which there is no Belgian territorial link whatsoever, and if the holder of these objects or data is not accessible in Belgium (either physically or virtually).

The Supreme Court on 1 December confirmed all of the Court of Appeal’s arguments, essentially linking them to the objective territoriality principle. Yahoo! actively directs its activities towards consumers present in Belgium.

Even though the case involves a criminal proceeding, the Court’s judgment inevitably (not necessarily justifiably) will be used as further support for the Belgian tussle with Facebook.

Geert.

A bar to ‘extraterritorial’ EU law. Landgericht Koln refuses to extend ‘right to be forgotten’ to .com domain .

Postcript 11 March 2016 Google have announced a new policy which  goes some way to addressing the EU’s concerns. An unusually conciliatory move.

An inevitable consequence of the rulings in Google Spain, Weltimmo and Schrems /Facebook /Safe harbour, is whether courts in the EU can or perhaps even must insist on extending EU data protection rules to websites outside of EU domain. The case has led to suggestions of ‘exterritorial reach’ of Google Spain or the ‘global reach’ of the RTBF, coupled with accusations that the EU oversteps its ‘jurisdictional boundaries’. This follows especially the order or at least intention, by the French and other data protection agencies, that Google extend its compliance policy to the .com webdomain.

The Landgericht Köln mid September (the case has only now reached the relevant databases) in my view justifiably upheld enforcement jurisdiction in a libel case only against Google.de for that is the website aimed at the German market. It rejected extension of the removal order vis-à-vis Google.com, in spite of a possibility for German residents to reach Google.com, because that service is not intended for the German speaking area and anyone wanting to reach it, has to do so intentionally. (See the ruling under 1, para 3 and 4).

I have further context to this issue in a paper which is on SSRN and which is being peer reviewed as we speak (I count readers of this blog as peers hence do please forward any comments).

Geert.

The EU’s ‘Bio economy’. Utopian?, realistic?, protectionist? Or all of these?

I have just recently stumbled across the EU’s Bioeconomy strategy, classified in the administrative organogram at least under ‘Research and innovation’. It could also be DG Industry. Or DG Trade. Or DG  Env. Or indeed DG Agri. Tucking it away under Research and innovation was a good idea, I believe: best to keep it safely away from daily policy concerns and ditto lobbying. The Bioeconomy – which is defined as encompassing the sustainable production of renewable resources from land, fisheries and aquaculture environments and their conversion into food, feed, fiber bio-based products and bio-energy as well as the related public goods – is seen by the EC as a successor to the EU’s Biosociety program, which however was more scientific in outlook (lots of talk of new technologies).

A big gap in its approach, to me at least, is its lack of discussion on reduced consumption and ‘need‘ (the Club of Rome has some powerful insight into this) which is a pitty. It talks mostly about increasing and diversifying ‘output’, rather than on reducing it or matching it to true need. For in its current outlook, the Bioeconomy feels more like a postersite for EU ‘innovative’ technologies than one for foresight in development priorities. And no, that is not properly done elsewhere in the EC.

Geert.

 

ECJ in Google Spain confirms reach of EU Data Protection Directive. Right to be forgotten not upheld verbatim but may be realised in practice.

I reported earlier on the AG’s Opinion in Google Spain. The Court held this morning. It broadly confirms the AG’s view on jurisdiction however it did effectively read a (conditional and incrimental) right to be forgotten in the current Directive, in contrast with the AG.

The ECJ confirmed earlier case-law in which it held that the operation of loading personal data on an internet page must be considered to be such ‘processing’ within the meaning of Article 2(b) of Directive 95/46. This finding is not affected  by the fact that those data have already been published on the internet and are not altered by the search engine.

Who is the ‘controller’ of these data?  The activity of a search engine is liable to affect significantly, and additionally compared with that of the publishers of websites, the fundamental rights to privacy and to the protection of personal data. The operator of the search engine as the person determining the purposes and means of that activity must ensure, within the framework of its responsibilities, powers and capabilities, that the activity meets the requirements of Directive 95/46 in order that the guarantees laid down by the directive may have full effect and that effective and complete protection of data subjects, in particular of their right to privacy, may actually be achieved.  It is this operator who is the ‘controller’ within the meaning of the Directive.

The territorial scope of the Directive is the most relevant to the conflicts community: It is noteworthy that in the current version of the data protection directive, targeting of consumers is not a jurisdictional criterion for providers established outside of the EU.

The referring court had stated that Google Search is operated and managed by Google Inc. and that it has not been established that Google Spain carries out in Spain an activity directly linked to the indexing or storage of information or data contained on third parties’ websites. Nevertheless, according to the referring court, the promotion and sale of advertising space, which Google Spain attends to in respect of Spain, constitutes the bulk of the Google group’s commercial activity and may be regarded as closely linked to Google Search.

The ECJ notes that Google Spain engages in the effective and real exercise of activity through stable arrangements in Spain. As it moreover has separate legal personality, it constitutes a subsidiary of Google Inc. on Spanish territory and, therefore, an ‘establishment’ within the meaning of Article 4(1)(a) of Directive 95/46. However, is the processing of personal data by the controller ‘carried out in the context of the activities’ of an establishment of the controller on the territory of a Member State (necessary to trigger application of the Directive)?

Google Spain and Google Inc. dispute that this is the case since the processing of personal data at issue in the main proceedings is carried out exclusively by Google Inc., which operates Google Search without any intervention on the part of Google Spain; the latter’s activity is limited to providing support to the Google group’s advertising activity which is separate from its search engine service.

The court disagreed: Article 4(1)(a) of Directive 95/46 does not require the processing of personal data in question to be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities’ of the establishment (at 52): that is the case if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable (at 55). The very display of personal data on a search results page constitutes processing of such data. Since that display of results is accompanied, on the same page, by the display of advertising linked to the search terms, it is clear that the processing of personal data in question is carried out in the context of the commercial and advertising activity of the controller’s establishment on the territory of a Member State, in this instance Spanish territory (at 57).

This view confirms broadly the AG’s use of Google’s ‘business model’ as a jurisdictional trigger.

 

The AG had also opined on the supposed ‘right to be forgotten’ concluding that it does not exist in current EU law (neither directive nor Charter). The ECJ’s findings work towards such right (without mentioning it specifically)  following a thorough review of the requirements of the Directive and the proportionality test implied, and by holding that given the ease with which information published on a website can be replicated on other sites and the fact that the persons responsible for its publication are not always subject to European Union legislation, effective and complete protection of data users could not be achieved if the latter had to obtain first or in parallel the erasure of the information relating to them from the publishers of websites.

The operator of a search engine may therefore be obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful (at 88). The right to privacy however has to be assessed vis-a-vis the right of the public to information, in an ad hoc manner.

The judgment has plenty for the data protection community to chew over (sse e.g. Orla Linskey over at the EU law blog). For those of us who are conflicts lawyers, the jurisdictional trigger is most interesting (and will feed into the review of the Directive, one imagines).

Geert.

‘Where law and new technology meet’ – JÄÄSKINEN AG turns to business model in Google Spain to establish scope of application of the data protection Directive. No right to be forgotten under the Directive or Charter.

As announced on the blog earlier, JÄÄSKINEN AG has opined this morning in Case C-131/12 Google Spain. The Opinion covers a lot of issues in relatively condensed space – one of these Opinions where you should not trust the summary of a blogger, for invariably the blog posting does not do justice to all issues addressed. Below my highlights on the basis of diagonal reading: for I find this too important an Opinion not to flag it immediately.

As summarised by the AG, according to Article 4(1) of the Directive, the primary factor that gives rise to the territorial applicability of the national data protection legislation is the processing of personal data carried out in the context of the activities of an establishment of the controller on the territory of the Member State. Further, when a controller is not established on EU territory but uses means or equipment situated on the territory of the Member State for processing of personal data, the legislation of that Member State applies unless such equipment or means is used only for purposes of transit through the territory of the EU. The territorial scope of application of the Directive and the national implementing legislation is triggered therefore either by the location of the establishment of the controller, or the location of the means or equipment being used when the controller is established outside the EEA. Nationality or place of habitual residence of data subjects is not decisive, nor is the physical location of the personal data – at least not in the current versions of the Directive. The AG points out that in future legislation relevant targeting of individuals could be taken into account in relation to controllers not established in the EU. Such an approach, attaching the territorial applicability of EU legislation to the targeted public, is consistent with the Court’s case-law on the applicability of the e-commerce Directive 2000/31, the Brussels I (‘jurisdiction’) Regulation and Directive 2001/29, the on copyright and related rights in the information society to cross-border situations. Again, though, it is not a criterion in the current version of the data protection Directive, with respect to providers established outside of the EU.

The AG turns to the business model of a company to assist him in establishing applicability of the Directive for the case at issue, where Google (domiciled in California) does have establishments in the EU (the establishment of the controller therefore being the trigger), as well as at least two known data centres:

‘Google Inc. is a Californian firm with subsidiaries in various EU Member States. Its European operations are to a certain extent coordinated by its Irish subsidiary. It currently has data centres at least in Belgium and Finland. Information on the exact geographical location of the functions relating to its search engine is not made public. Google claims that no processing of personal data relating to its search engine takes place in Spain. Google Spain acts as commercial representative of Google for its advertising functions. In this capacity is has taken responsibility for the processing of personal data relating to its Spanish advertising customers. Google denies that its search engine performs any operations on the host servers of the source web pages, or that it collects information by means of cookies of non registered users of its search engine.’ (at 62).

‘In my opinion the Court should approach the question of territorial applicability from the perspective of the business model of internet search engine service providers. This, as I have mentioned, normally relies on keyword advertising which is the source of income and, as such, the economic raison d’être for the provision of a free information location tool in the form of a search engine. The entity in charge of keyword advertising (called ‘referencing service provider’ in the Court’s case-law) is linked to the internet search engine. This entity needs presence on national advertising markets. For this reason Google has established subsidiaries in many Member States which clearly constitute establishments within the meaning of Article 4(1)(a) of the Directive. It also provides national web domains such as google.es or google.fi. The activity of the search engine takes this national diversification into account in various ways relating to the display of the search results because the normal financing model of keyword advertising follows the pay-per-click principle.’ (…) ‘In conclusion, processing of personal data takes place within the context of a controller’s establishment if that establishment acts as the bridge for the referencing service to the advertising market of that Member State, even if the technical data processing operations are situated in other Member States or third countries.’ (…)

‘For this reason, I propose that the Court should answer the first group of preliminary questions in the sense that processing of personal data is carried out in the context of the activities of an ‘establishment’ of the controller within the meaning of Article 4(1)(a) of the Directive when the undertaking providing the search engine sets up in a Member State for the purpose of promoting and selling advertising space on the search engine, an office or subsidiary which orientates its activity towards the inhabitants of that State.’  [footnotes omitted]

The AG uses the terms ‘targeted at’ [cf in this respect ‘intended target of information’ in Football Dataco] and ‘oriented at’ – not, as had become custom, ‘directed at’: presumably to emphasise the contrast with the other Directives mentioned above.

The AG then turns his attention inter alia to the alleged ‘right to be forgotten’: not one, he suggests, which exists under the current Directive, not even when read in conjunction with the Charter on Fundamental Rights and Freedoms (the EU’s version of the Human Rights Act). That surely is an important observation.

Much to chew on – not quite all digested above, however I do hope these first impressions may act as an appetizer for discussion elsewhere.

Geert.

Proposed geo-engineering amendment to London Protocol

Australia, Nigeria and South Korea (a bit of an unusual troika, truth to be told) have jointly proposed an amendment to the London Protocol [Convention on the Prevention of Marine Pollution
by Dumping of Wastes and Other Matter 1972 and 1996 Protocol Thereto]. The Amendment would severely and formally restrict the legality of geo-engineering among signatory States. As reported earlier, in 2008, Parties to the London Convention and Protocol adopted a resolution prohibiting ocean fertilization other than for legitimate scientific research. The proposed amendment would strengthen the nature of that prohibition.

Ocean fertilisation would be the only accepted form of geo-engineering which can continue to be researched, under monitoring and supervision of the Protocol. All other activities would remain subject to the general ban on dumping of wastes at sea. Evidently the Protocol does not capture all geo-engineering techniques, whence even if accepted, the amendment would fall short of a global regime for geo-engineering, thereby confirming the incremental process of regulating global environmental concerns.

I have searched high and low but have as yet not located a copy of the actual proposal: this post is based on the Australian government’s press release, on reporting in The Age, Environment and the geo-engineering blogspot.

Geert.