After the Brexit vote, politicians, businesses and citizens are all wondering what’s next. In general, legal uncertainty permeates Brexit, but in the world of bits and bytes, Brussels and London have in fact been on a collision course at least since the 90s. The new British prime minister, Theresa May, has been personally responsible for a deepening divide across the North Sea on data and communication policy. Although EU citizens will see stronger privacy and cybersecurity protections through EU law post-Brexit, multinational companies should be particularly worried about how future regulation will treat the loads of data they traffic about customers, employees, and deals between the EU and the UK. [Read more…]
Today, the vulnerable state of electronic communications security dominates headlines across the globe, while surveillance, money and power increasingly permeate the ‘cybersecurity’ policy arena. With the stakes so high, how should communications security be regulated? Deirdre Mulligan (UC Berkeley), Ashkan Soltani (independent, Washington Post), Ian Brown (Oxford) and Michel van Eeten (TU Delft) weighed in on this proposition at an expert panel on my doctoral project at the Amsterdam Information Influx conference. [Read more…]
The European Court of Justice (CJEU) has decided the Google Spain case, which involves the “right to be forgotten” on the Internet. The case was brought by Mario Costeja González, a lawyer who, back in 1998, had unpaid debts that resulted in the attachment and public auction of his real estate. Notices of the auctions, including Mr. Costeja’s name, were published in a Spanish newspaper that was later made available online. Google indexed the newspaper’s website, and links to pages containing the announcements appeared in search results when Mr. Costeja’s name was queried. After failing in his effort to have the newspaper publisher remove the announcements from its website, Mr. Costeja asked Google not to return search results relating to the auction. Google refused, and Mr. Costeja filed a complaint with Spanish data protection authorities, the AEPD. In 2010, the AEPD ordered Google to de-index the pages. In the same ruling, the AEPD declined to order the newspaper publisher to take any action concerning the primary content, because the publication of the information by the press was legally justified. In other words, it was legal in the AEPD’s view for the newspaper to publish the information but a violation of privacy law for Google to help people find it. Google appealed the AEPD’s decision, and the appeal was referred by the Spanish court to the CJEU for a decision on whether Google’s publication of the search results violates the EU Data Protection Directive.
The Wall Street Journal headlines: “EU Court Opinion: Data Retention Directive Incompatible With Fundamental Rights”. The Opinion is strong, but in fact not yet an outright victory to privacy and civil liberties. The jury is out: the Opinion is a non-binding, but influential advice to the E.U. Court, that will deliver its final judgment come next spring. Now is a perfect moment to analyze the Opinion, as well as the institutional politics of the E.U. Court — critical in understanding the two-tier approach to surveillance and fundamental rights in Europe. The two-tier approach converges, after 60 years, when the E.U. accedes to the European Convention of Human Rights anytime soon. Amidst the Snowden revelations, these are the fundamental legal developments that will ultimately answer the question whether European law can end mass surveillance.