Data & IT Law Monthly March 2016: Data protection and competition law or discovery under the new EU regime

The overview of interesting Data & IT Law articles and news in March 2016!

Data protection and competition law – the case in Germany

This month, the German Competition authority (Bundeskartellamt) decided to initiate proceedings against Facebook that it is abusing its dominant position by infringing data protection rules. The decision of the competition authority is the first to address the data protection aspects of the competition law.

A nice overview of an interaction between data protection law and competition law in the EU context was published in LSE blog. “The increased attention from data protection advocates for competition enforcement seems to stem from the concentrated nature of online markets which may reduce possibilities for users to exercise effective control over their personal data. Against this background, it is often argued that strong competition enforcement could render data protection rules more effective by facilitating genuine consumer choice.”

At Lexology, the author describes the abuse of dominant position in this way: “users would not accept the Ts & Cs should Facebook not be dominant.  An alleged violation of data protection provisions therefore becomes an abuse of dominance, but there needs to be a connection between that infringement and Facebook’s dominance (if it exists).”

Discovery after new EU regulation and Privacy Shield

The authors at the ediscoveryblog had addressed the new developments in the e-discovery process in the EU.

The basic problem, according to the article, is that “(i)n US litigation, the fundamental principle of broad discovery conflicts with the wide-ranging privacy framework of the European Union.“ The author also mentions the extraterritoriality of the new Regulation and its impact on US judges.

Finally, the author argues that an inclusion of obligations for data processors has an impact on e-discovery companies. The new obligations include:

• “Maintain documentation about the processing operations under their responsibility
• Implement appropriate security measures
• Carry out data protection impact assessments
• Obtain prior authorization or undertake prior consultation
• Comply with the international data transfer requirements
• Cooperate with a supervisory authority”

Discrimination by data – removing sensitive characteristics might not be the solution

We have already written a lot about discriminating by data at dataitlaw (see an article here). Many authors had addressed this issue too. The Conversation published an article about how to use big data to actually counter human prejudices.

The author uses an example of a data scientist developing models for homeless services in New York City. The models predicted how long would a person stay in the homeless services system and showed that black families are less likely to get jobs. The usual way how to tackle the situation is to exclude characteristics that may be used to reinforce the bias. However, the author argues differently:

“The moral responsibility lies with those responsible for interpreting and acting on the model, not the model itself (…)Of course, collecting sensitive data should be carefully regulated because it can easily be misused. But misuse is not inevitable, and in some cases, collecting sensitive attributes could prove absolutely essential in uncovering, predicting, and correcting unjust discrimination. For example, in the case of homeless services discussed above, the city would need to collect data on ethnicity in order to discover potential biases in employment practices.”

A critique of the EU’s post-Schrems position published in a recent paper

Christopher Kuner had published a paper “Reality and Illusion in EU Data Transfer Regulation Post Schrems”  in University of Cambridge Faculty of Law Research Paper No. 14/2016.

He notes that the Court of Justice of the European Union case Schrems v. Data Protection Commissioner “is a landmark in the Court’s data protection case law, and illustrates the tension between the high level of legal protection for data transfers in EU law and the illusion of protection in practice. The judgment has undermined the logical consistency of the other legal bases for data transfer besides the Safe Harbour, and reactions to it have largely been based on formalism or data localization measures that are unlikely to provide real protection. Schrems also illustrates how many legal disagreements concerning data transfers are essentially political arguments in disguise.”