data it law June 2017: data protection case law by ECHR and GDPR compliance tools

The overview of interesting Data & IT Law articles and news in June 2017!

The overviews of ECHR case law, child consent restrictions in EU Member States or corporate surveillance

This month several websites published articles including overviews of various topics related to personal data protection.

The European Court of Human Rights published a June edition of factsheet focusing on New Technologies. It gives a 19-page long overview of cases of the court regarding the application of its Article 8 on the right to respect for private life.

The cases are divided based on categories:

• electronic data
• e-mail
• GPS
• Internet
• Musical Copyright
• Radio Communications
• Satellite dish
• Telecommunications
• Use of hidden cameras
• Video surveillance

The authors at the betterinternetforkids published an article with an overview consent age restrictions in different EU Member States. The General Data Protection Regulation (“GDPR”) in the Article 8(1): “the processing of the personal data of a child shall be lawful where the child is at least 16 years old.” However, it also includes a provision that “Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.”

At present, some countries might reduce the age to 13 years (Sweden, Poland, UK), other countries might leave it at the level of 16 (Hungary, Italy or the Netherlands).

Finally, crackedlabs published an article about a corporate surveillance in everyday life. The report shows who are the main players in today’s digital tracking. It includes various topics, such as: Analyzing people, Analyzing people in finance, insurance and healthcare, Large-scale collection and use of consumer data, Data brokers and the business of personal data, Real-time monitoring of behaviors across everyday life, Linking, matching and combining digital profiles, Managing consumers and behaviors, personalization and testing, Dragnet – everyday life, marketing data and risk analytics, Mapping the commercial tracking and profiling landscape, Towards a society of pervasive digital social control?

New tools and guides for GDPR and Data Protection Regulation

At dataitlaw.com, you may use the GDPR Compliance Test. It would help you determine a list of GDPR obligations that you have to comply with. It takes only 5 minutes to complete!

TaylorWessing had published a Global Data Protection Guide. It is an online comparison tool for data protection regimes in over 60 countries. You may choose different interfaces: answer data protection question in general, get data protection rules for a single country or compare two or more countries pursuant to a similar set of questions. A handy tool for a comparison of different regimes.

Finally, missinfogeek published a tool to answer the question if it is necessary to obtain consent of a user or not. The purpose of a short questionnaire is to help companies with data collection in a situation when they don’t need to obtain consent, but can collect personal data based on other lawful reasons.

The liability of algorithms?

The authors at TheRegister reported about a submission by the European Union to the OECD about the algorithms used to track or adapt prices.

The article deals with implications in both vertical or horizontal cases. Vertical cases include algorithms:

• used to detect deviations from a fixed or minimum resale price
• used to enable detection of retailers deviating from a manufacturer’s pricing recommendations
• relied upon by retailer A to monitor that retailer B adheres to an RPM, and A then follows B in adhering to the price

In horizontal cases, algorithms are:

• used to monitor prices already agreed between competitors;
• used to implement pre-existing explicit collusion
• used as a means of communication to engage in explicit collusion, including through “hub and spoke” collusion and signalling.

The authors argue that “(i)f pricing practices are illegal when implemented offline, they are very likely to be illegal when implemented online as well. Firms involved in illegal pricing practices cannot avoid liability on the grounds that their prices were determined by algorithms.”

In other article at digitalbusiness.law, the authors argue that the problem is that it is very difficult to determine who is liable for a failure of an algorithm. Using an example of trading algorithms, they show different causes of an error that such an algorithm can cause:

• “Markets can be volatile so liability shouldn’t be attributed to bad investment decisions
• it’s very unlikely that the background to the making of the decision could be unpicked to see what previous experience caused the decision to be made.
• Without this ability to interrogate the decision, it would not be possible to say if it was an error in the original code written by the software house or resulting from the diet of data it was fed (and in the latter case, whether it arose from the training data or the real “live” decisions made once in use by the bank).”

New EU Portability Regulation – data protection implications

At KU Leuven, the author dealt with the new EU Regulation on cross-border portability of online content services in the internal market. Its purpose is to enable consumers who have lawful access to online content services, or content that they purchased or rented online in their country of residence, to use it and have an access to them when travelling in the EU.

As for the data protection, the tricky part is the determination of a state of being “temporarily present” in a Member State. The author argues: “The Regulation clarifies that it means “being present in a Member State other than the Member State of residence for a limited period of time”. This only provides for a geographical interpretation, but does not clarify how long “a limited period of time” is. It furthermore also does not clarify how the limitation of the period of time is verified (…) However, it would need to be ensured that this does not result in a kind of ‘data retention through the back door’, requiring service providers to keep information from where every subscriber has logged in, in order to assure whether they are still considered to be “temporarily” in the other Member State.”

Browser setting does not completely prevent the tracking

At privacy-news.net, they published an interesting article about new settings in Apple’s Safari browser. The author warns that even though it is one of the most advanced approaches to data protection in browsers, it still does not mean that there is no tracking of a user.

“What many people do not understand is that the servers we connect to for information on the web, are perfectly capable of communicating with other servers and sharing your fingerprint along with information relating to the web pages you requested from them. So even if a third party script may not be able to be loaded in the new version of Safari, there is nothing to stop a script on the web server itself from gathering the same information, packaging it up and sending it off to the very same third party without you being able to do anything to stop it or your browser ever being aware of it. They can even use client side (browser based javascripts) to send very detailed information back to their own server and then forward that to the third parties (information such as where you moved your mouse, how long you looked at a particular web page, the unique way your sound card or graphic card works and much more).”