Big UK GDPR case: Court of Appeal rules in favour of the @OpenRightsGroup & @the3million: Immigration Exemption to SARs is incompatible with Art 23 GDPR. This is a new exemption from 2018 the Home Office uses to withhold data rights info in 59% of cases. bailii.org/ew/cases/EWCA/…
Warby LJ is sympathetic to CJEU jurisprudence that 'the legal basis which permits the interference with those rights must itself define the scope of the limitation', noting that the Immigration E is highly discretionary, and the DPA18 does not contain limits on its scope.
However, Warby LJ judges the case more narrowly on a reading of Article 23(2), which permits Member States to restrict a GDPR right for public interest only if a 'legislative measure' contains limiting provisions.
This is different from the DPD1995, so cannot be meaningless. He does not disapply the measure immediately but invites further evidence on relief.
It looks likely that the outcome of this case, at least at this stage, may be the Secretary of State, by regulations, amending Schedule 2 of the DPA 2018 to limit the exemption's scope in law. This has consequences for other exemptions made in the extensive DPA 2018 schedules too.
Note that although they were available to use, this judgement does *not* turn on the application of the Charter.
This is also going to interplay with current political discussions about UK adequacy. Just last week the European Parliament passed a resolution condemning the Immigration Exemption.
This judgement does not necessarily mean that the EP's concerns are resolved. Even if the scope of the limitation is defined, they may still be concerned that the newly clarified scope does not respect the essence of Charter rights and is not nec/prop in a democratic society.
Regardless, it is a victory against UK adding hugely wide-ranging exemptions which effectively render data rights meaningless. Note however that the ability to quash the law by the CoA relies on the fact that retained Regulations trump pre-exit day domestic legislation: complex.
Courts do not usually have this ability to set aside contradictory parts of an Act (unless secondary legislation involved). This case is a remnant of the vanishing shadow of the supremacy of EU law in the UK. Of interest to @jeff_a_king (a teaching case for post-Brexit Public Law?)
If I understand right (calling Withdrawal Act SI experts like @alexandrasinc10), a SoS is bound by Art 23 GDPR restrictions on permissible DPA18 exemptions to data rights if adding by Regulations (EUWA 5(2)) BUT would not be if these were added through primary legislation.
Of course, they might be politically concerned it would endanger UK adequacy to make something that the CJEU might consider to disregard the essence of the right to data protection, but that's a political choice.
This would stem from the fact EU law supremacy is only between pre-exit domestic legislation and retained EU law, but a primary amendment to pre-exit domestic legislation would therefore create bubbles in the text where supremacy did not apply. @colmocinneide please help
(although it's all moot I suppose if an Act sought to selectively set aside supremacy and CJEU judgments in the case of data protection as a whole — given DRI, Tele2/Watson, PI/LQDN decisions on data retention, it would not surprise me if the UK tried that)
Not to mention Schrems II and a trade or data deal with the United States...
Hey Microsoft Research people who think that constant facial emotion analysis might not be a great thing (among others), what do you think of this proposed Teams feature published at CHI to spotlight videos of audience members with high affective ‘scores’? microsoft.com/en-us/research…
Requires constantly pouring all face data on Teams through Azure APIs. Especially identifies head gestures and confusion to pull audience members out to the front, just in case you weren’t policing your face enough during meetings already.
Also note that Microsoft announced on Tuesday that it is opening up its Teams APIs to try to become a much wider platform to eat all remote work, so even if Teams didn’t decide to implement this directly, employers could through third party integration! protocol.com/newsletters/so…
Big Brother Watch now out. Looking at the dissents, it does not look good for anti-surveillance campaigners: 'with the present judgment the Strasbourg Court has just opened the gates for an electronic “Big Brother” in Europe' hudoc.echr.coe.int/eng?i=001-2100…
and we go live to Strasbourg
Going to post some interesting pieces (not a judgment summary!) here. Firstly, that Contracting States can transfer Convention-compliant bulk intercept material to non-Contracting states that only have minimal protections (e.g. on keeping it secure/confidential). AKA the USA.
thank you for all the nice comments about the @BBCNewsnight interview! I tried to communicate infrastructure's importance. if new to you, here is a 🧵of some (not all!) academic work by others which highlights the power of technical infrastructure (rather than eg data).
The Luca QR code Covid app, (for-profit system flogged to 🇩🇪 Länder) has been compromised (in a way that the official CoronaWarnApp’s QR system can’t be), through a website that lets you check in any phone number to wherever you want—even regional prime ministers! 🧵 on the saga:
While hard to believe, Luca was adopted by Länder after huge lobbying from hospitality who convinced them that a hasty app w a 6 mo free trial for venues & big cost for health authorities would i) allow reopening, ii) help Länder win upcoming 🗳 by making national gov look slow
Luca’s slick PR campaign, where they became mostly known to health authorities by aggressive marketing w celebrities, meant that no-one discussed or scrutinised the technical details. Politicians have even admitted this, and DPAs accepted statements of ‘encryption’ as secure.
Lots of selected thoughts on the draft leaked EU AI regulation follow. Not a summary but hopefully useful. 🧵
Blacklisted art 4 AI (except general scoring) exempts include state use for public security, including by contractors. Tech designed to ‘manipulate’ ppl ‘to their detriment’, to ‘target their vulnerabilities’ or profile comms metadata in indiscriminate way v possible for states.
This is clearly designed in part not to eg further upset France in the La Quadrature du Net case, where black boxes algorithmic systems inside telcos were limited. Same language as CJEU used in Art 4(c). Clear exemptions for orgs ‘on behalf’ of state to avoid CJEU scope creep.