There are a small handful of interesting aspects to the Planet49 cookie-consent CJEU judgement today (only in FR/DE right now): curia.europa.eu/juris/fiche.js…
Firstly, unlike the AG, the Court expressly says that because they were not asked about bundling services (e.g. tracking walls, conditional/coerced consent), they will no comment on it.
The most interesting thing is how the Court justifies that info on cookie duration/those who can access should be provided. ePrivacy refers to data protection law on the information provided, but as ePrivacy is not always about personal data, the info reqs in DP don't always fit
The AG did this effectively by saying 'what do you need to make an informed decision' (AG Opinion 112-121) curia.europa.eu/juris/document…
The Court focusses more directly on the fairness principle of data protection law (@damicli@Jausl00s), and says explicitly that the 'at least' in arts 13-14 of the GDPR may, depending on the case, need to be extended based on this principle because of the situation. (para 78)
Considering eg algorithmic accountability, this situational, fairness-focussed view of 'at least' falls in support of the view of @aselbst@juliapowles (the extent of 'right to an explanation' is contextual) cf to the constrained literal reading of @SandraWachter5@b_mittelstadt
It also falls in support of e.g. the A29 Working Party, on transparency, who note that whether you should provide full recipients or categories of recipients is a contextual choice. Furthermore, they apply a mutadis mutandis approach to art 13-14 wrt recipients/access (para 80).
To me, the end of Planet49 lays firmer groundwork than had previously existed for the judicial expansion of the qualitative requirements for data controllers processing in high risk sitatuions under EU data protection law.
Finally! @FD_Nieuws reports the Dutch DPA is telling all actors in NL to stop profiling users w/ real-time bidding & associated tracking architectures, after the Belgian DPA's ruling on structural inadequacies of the IAB Europe's 'cookie banner' fix, TCF. fd.nl/tech-en-innova…
They are not currently announcing an enforcement plan relating to publishers.
IAB Europe didn't comment, but have already said they think, according to hand-wavey legal logic, that enforcement against any RTB actor shouldn't be allowed while a *national* appeal concerning *them*, not any other actor, is pending in Belgium. Really? perma.cc/SS32-P6D9
Scholars! Your regular reminder not to use Mendeley to manage refs; this Elsevier product force encrypts your local database (lying that it’s for GDPR) so you can’t migrate to eg Zotero, leaving the only export via an online API they can kill whenever. zotero.org/support/kb/men…
as the @zotero team notes, “Elsevier later stated that the change was required by new European privacy regulations — a bizarre claim, given that those regulations are designed to give people control over their data and guarantee data portability, not the opposite”.
I wonder why Elsevier wants to see, on their servers, copies of all the downloaded scholarly PDFs in the world…
Significant news for the AI Act from the Commission as it proposes its new Standardisation Strategy, involving amending the 2012 Regulation. Remember: private bodies making standards (CEN/CENELEC/ETSI) are the key entities in the AI Act that determine the final rules. 🧵
Firstly, the Commission acknowledges that standards are increasingly touching not on technical issues but on European fundamental rights (although doesn’t highlight the AI Act here). This has long been an elephant in the room: accused private delegation of rule making by the EC.
They point to CJEU case law James Elliot in that respect (see 🖼), where the Court has brought the interpretation of harmonised standards (created by private bodies!) within the scope of preliminary references. Could have also talked about Fra.Bo and Comm v DE.
Admittedly, the Chamber at the end says it wasn't really trying to anonymise.
So, the EDAA runs a site called "Your Online Choices", an incredibly little used, awkward & archiaic self regulatory initiative of the ad industry to try and claim that people have online choices in the absence of them. This website is linked to by ads, and itself places cookies.
The French presidency of the Council send around a compromise text last week on arts 8-15 of the EU AI Act (some of the requirements for high risk systems). My analysis of them below: 🧵 1/
Remember that the AI Act hinges on proprietary, privately determined standards from CEN/CENELEC. The Commission always holds these are optional, but the proposal goes (further) in making it impossible to comply without buying them (~100 EUR) and referring to them.
Scholars have long said that harmonised standards are not simply a substitute for the essential requirements laid down in legislation, but a de facto requirement. Note Art 9(3) of the AIA also makes reference to them universally compulsory. Law behind paywalls, made privately.