Digibeetle

🥳️We're back, sharing our knowledge of CJEU data protection cases! This is an extra special edition, with info on: 🪲10 𝐧𝐞𝐰 𝐂𝐉𝐄𝐔 𝐜𝐚𝐬𝐞𝐬 about data protection and the GDPR. Some of the questions are not published on Curia yet (!) 🪲4 𝐩𝐮𝐛𝐥𝐢𝐬𝐡𝐞𝐝 𝐀-𝐆 𝐨𝐩𝐢𝐧𝐢𝐨𝐧𝐬, including A-G Szpunar's practical view on customer salutations such as Mr. or Ms. He deems it necessary to communicate about the legitimate interests (if you use those as a legal basis), which makes sense. However, does this also follow from the GDPR? 🪲7 𝐟𝐫𝐞𝐬𝐡 𝐂𝐉𝐄𝐔 𝐣𝐮𝐝𝐠𝐦𝐞𝐧𝐭𝐬. Two Article 82 GDPR cases about the right to compensation under the GDPR stand out (the "PS" and "Scalable Capital" cases). Of course this list also includes the Meta Platforms Ireland case, which is welcomed by class-action organisations 🪲𝐒𝐞𝐩𝐭𝐞𝐦𝐛𝐞𝐫 𝐢𝐬 𝐠𝐨𝐢𝐧𝐠 𝐭𝐨 𝐛𝐞 𝐛𝐮𝐬𝐲! We expect 3 upcoming judgments and 6 A-G opinions. Including a judgment that will answer the question when SA's have to follow-up on complaints. 👀𝐃𝐨𝐧'𝐭 𝐟𝐨𝐫𝐠𝐞𝐭, tomorrow the CJEU Österreichische Datenschutzbehörde - Excessive demands [C-416/23] judgment will be published. When does a complainant complain too much at the SA's door? Let's wait and see! 𝐈𝐟 𝐲𝐨𝐮 𝐝𝐢𝐝 𝐧𝐨𝐭 𝐫𝐞𝐜𝐞𝐢𝐯𝐞 𝐭𝐡𝐢𝐬 𝐧𝐞𝐰𝐬𝐥𝐞𝐭𝐭𝐞𝐫 𝐢𝐧 𝐲𝐨𝐮𝐫 𝐞𝐦𝐚𝐢𝐥 𝐢𝐧𝐛𝐨𝐱, 𝐦𝐚𝐤𝐞 𝐬𝐮𝐫𝐞 𝐲𝐨𝐮 𝐚𝐫𝐞 𝐬𝐮𝐛𝐬𝐜𝐫𝐢𝐛𝐞𝐝. 𝐅𝐨𝐥𝐥𝐨𝐰 𝐭𝐡𝐞 𝐥𝐢𝐧𝐤 𝐛𝐞𝐥𝐨𝐰!

Fellow privacy pro! Don't get confused 🤯-- This is what the Court has in store for us today -- 7 judgments and 1 A-G opinion: PS: one cae went straight to the hudgment, skipping the A-G opinion.

👋While every data protection pro is excited for tomorrow's CJEU day full of presents*, the Court squeezed in one extra judgment. 👉CJEU Bezirkshauptmannschaft Landeck case. An interesting one if you are into the #ePrivacy Directive and LED. However, because of this 'last minute' addition, I assume this case will be deemed inadmissable -- just as the A-G already suspected! *: 🎉 the presents are all the scheduled judgments and A-G opinion. See comments for the link!

Today, the European AI Office kicks off the drawing-up of the first Code of Practice for general-purpose AI under the AI Act.   Nearly 1,000 stakeholders—including general-purpose AI model providers, downstream providers, civil society organizations, academia, and independent experts—will participate in today's first plenary session.   The new Code of Practice aims to facilitate the proper application of the AI Act's rules for general-purpose AI models, including: 🔹 Transparency and copyright-related rules 🔹 Systemic risk taxonomy 🔹 Risk assessment 🔹 And mitigation measures   The Code of Practice process will involve 4 working groups meeting 3 times to discuss the drafts. This process will be led by Chairs & Vice-Chairs, selected after a call for expressions of interest.   ➡️ Learn more about the Code, the process and the working groups here: https://europa.eu/!fPYkcp ➡️ Check out the list of the selected Chairs and Vice-Chairs: https://europa.eu/!X6vVRv #EUAIOffice #AIinEurope #AI #AIAct

If you're interested in how the GDPR applies in the world of Generative AI, start by listening to this podcast episode 🤓 Pilvi Alopaeus and I got to chat with the amazing Dr. Markus Wünschelbaum about the recent discussion paper from the data protection authority of Hamburg ("Discussion Paper: Large Language Models and Personal Data"). The paper is a must-read for all lawyers dealing with AI - and if you have too many "must-reads" open in your tabs, this podcast episode is a must-listen 😉 I think we manage to break it down in a digestible way, so in the future you know to keep separate the concepts of training an AI model, the AI model itself and using an AI system - and how to assess at what stages is personal data being processed. Ah, this is why I love podcasting and keep doing it even when life gets extremely busy at times. Fun yet educating discussions with people who are smarter than me, pure bliss 😌✨✨ Let me know in the comments - did you read the discussion paper or listen to our podcast on it, and what did you think?

Digibeetle is simply great!

The 4th of October promises to be a landmark day for data protection pros. 𝐖𝐡𝐲? Because we'll have 5 (!) judgments by the Court on the day. Let's see: 📂𝐂𝐉𝐄𝐔 𝐒𝐜𝐡𝐫𝐞𝐦𝐬 - 𝐂𝐨𝐦𝐦𝐮𝐧𝐢𝐜𝐚𝐭𝐢𝐨𝐧 𝐨𝐟 𝐝𝐚𝐭𝐚 𝐭𝐨 𝐭𝐡𝐞 𝐠𝐞𝐧𝐞𝐫𝐚𝐥 𝐩𝐮𝐛𝐥𝐢𝐜 [𝐂-446/21] 🧑🤝🧑If you tell your sexual preference as part of a public meeting, and information of that meeting is on Facebook - would that mean you've manifestly made public sexual information about yourself (Article 9 GPDR)? The A-G said: 'Yes - this can be the case', but that doesn't necessarily mean that that information may be used for advertising purposes. 📂𝐂𝐉𝐄𝐔 𝐋𝐢𝐧𝐝𝐞𝐧𝐚𝐩𝐨𝐭𝐡𝐞𝐤𝐞 [𝐂-21/23] 🧑⚕️Are customer data of a pharmacist that are transmitted when an order is placed on an online sales platform for pharmacy-only but non-prescription medicines health data? No, according to the A-G. In addition, the A-G sees room for national legislators to enact unfair competition laws that afford undertakings the right to rely on GDPR infringements which are alleged to be committed by their competitors. 📂𝐂𝐉𝐄𝐔 𝐀𝐠𝐞𝐧𝐭𝐬𝐢𝐚 𝐩𝐨 𝐯𝐩𝐢𝐬𝐯𝐚𝐧𝐢𝐲𝐚𝐭𝐚 [𝐂-200/23] 🏭The A-G opined that the national commercial register authority (which must ensure the disclosure of the acts transmitted to it) is alone responsible for making available to the public the personal data contained in those acts. This applies even in the case of data disclosure of which is not required and ought to have been redacted from those acts before they were transmitted to that authority. Case also focuses on how authorities should comply with 'right to erasure' procedures. 📂𝐂𝐉𝐄𝐔 𝐊𝐍𝐋𝐓𝐁 [𝐂-621/22] 🎾Epic case! See our post from yesterday (link in comments). 📂𝐂𝐉𝐄𝐔 𝐌𝐢𝐫𝐢𝐧 [𝐂-4/23] 🌈According to the A-G, a Member State’s refusal to recognise changes of forename and gender acquired in another Member State is contrary to the rights of EU citizens. A logical conclusion, in light of cases like "Deldits" and "Mousse". All cases can be found on our platform 𝐝𝐢𝐠𝐢𝐛𝐞𝐞𝐭𝐥𝐞[.]𝐞𝐮, including two A-G opinions also scheduled for the 4th of October! 𝐉𝐨𝐢𝐧 𝐮𝐬 𝐨𝐧 𝐭𝐡𝐞 𝐩𝐥𝐚𝐭𝐟𝐨𝐫𝐦 𝐚𝐬 𝐰𝐞 𝐚𝐧𝐚𝐥𝐲𝐳𝐞 𝐭𝐡𝐞𝐬𝐞 𝐩𝐢𝐯𝐨𝐭𝐚𝐥 𝐫𝐮𝐥𝐢𝐧𝐠𝐬 𝐚𝐧𝐝 𝐭𝐡𝐞𝐢𝐫 𝐢𝐦𝐩𝐥𝐢𝐜𝐚𝐭𝐢𝐨𝐧𝐬 𝐟𝐨𝐫 𝐝𝐚𝐭𝐚 𝐩𝐫𝐨𝐭𝐞𝐜𝐭𝐢𝐨𝐧 𝐥𝐚𝐰 𝐢𝐧 𝐭𝐡𝐞 𝐄𝐔. 𝐘𝐨𝐮𝐫 𝐢𝐧𝐬𝐢𝐠𝐡𝐭𝐬 𝐚𝐧𝐝 𝐝𝐢𝐬𝐜𝐮𝐬𝐬𝐢𝐨𝐧𝐬 𝐚𝐫𝐞 𝐰𝐞𝐥𝐜𝐨𝐦𝐞! 👋

💥 #ArtificialIntelligence 🚀 Legal AI Use Case Radar 2024 Hey everyone! The "Legal AI Use Case Radar 2024" report by the Technical University of Munich is out, and it's a fascinating dive into how AI is transforming the legal world. They explored 34 different AI applications in legal settings, looking at things like legal importance, academic interest, and potential risks. Some of the key areas they checked out include compliance management, document analysis, risk assessment, and even contract management. Backed by solid research—including literature reviews, expert interviews, and surveys—the report shines a light on how AI can make tasks like auditing, GDPR compliance, document management, and information extraction a whole lot easier. But it's not all smooth sailing—they also delve into the ethical challenges of adopting AI in the legal field. Issues like ensuring transparency, fairness, and accountability in AI algorithms are front and center. The report emphasizes the importance of training employees not just in using AI tools but also in understanding their ethical implications. Data protection compliance is another major concern, especially when dealing with sensitive legal data. Integrating AI into existing legal workflows requires careful consideration to maintain client confidentiality and adhere to regulations. The report highlights that ethical AI isn't just about following the rules; it's about building trust with clients and stakeholders by demonstrating responsible and ethical use of technology. 🔗 Check it out from the Technical University of Munich 👥 Big thanks to the authors: Stephen Meisenbacher, Nektarios Makrystathis, Juraj Vladika, and Florian Matthes

The 4th of October promises to be a landmark day for data protection pros. 𝐖𝐡𝐲? Because we'll have 5 (!) judgments by the Court on the day. Let's see: 📂𝐂𝐉𝐄𝐔 𝐒𝐜𝐡𝐫𝐞𝐦𝐬 - 𝐂𝐨𝐦𝐦𝐮𝐧𝐢𝐜𝐚𝐭𝐢𝐨𝐧 𝐨𝐟 𝐝𝐚𝐭𝐚 𝐭𝐨 𝐭𝐡𝐞 𝐠𝐞𝐧𝐞𝐫𝐚𝐥 𝐩𝐮𝐛𝐥𝐢𝐜 [𝐂-446/21] 🧑🤝🧑If you tell your sexual preference as part of a public meeting, and information of that meeting is on Facebook - would that mean you've manifestly made public sexual information about yourself (Article 9 GPDR)? The A-G said: 'Yes - this can be the case', but that doesn't necessarily mean that that information may be used for advertising purposes. 📂𝐂𝐉𝐄𝐔 𝐋𝐢𝐧𝐝𝐞𝐧𝐚𝐩𝐨𝐭𝐡𝐞𝐤𝐞 [𝐂-21/23] 🧑⚕️Are customer data of a pharmacist that are transmitted when an order is placed on an online sales platform for pharmacy-only but non-prescription medicines health data? No, according to the A-G. In addition, the A-G sees room for national legislators to enact unfair competition laws that afford undertakings the right to rely on GDPR infringements which are alleged to be committed by their competitors. 📂𝐂𝐉𝐄𝐔 𝐀𝐠𝐞𝐧𝐭𝐬𝐢𝐚 𝐩𝐨 𝐯𝐩𝐢𝐬𝐯𝐚𝐧𝐢𝐲𝐚𝐭𝐚 [𝐂-200/23] 🏭The A-G opined that the national commercial register authority (which must ensure the disclosure of the acts transmitted to it) is alone responsible for making available to the public the personal data contained in those acts. This applies even in the case of data disclosure of which is not required and ought to have been redacted from those acts before they were transmitted to that authority. Case also focuses on how authorities should comply with 'right to erasure' procedures. 📂𝐂𝐉𝐄𝐔 𝐊𝐍𝐋𝐓𝐁 [𝐂-621/22] 🎾Epic case! See our post from yesterday (link in comments). 📂𝐂𝐉𝐄𝐔 𝐌𝐢𝐫𝐢𝐧 [𝐂-4/23] 🌈According to the A-G, a Member State’s refusal to recognise changes of forename and gender acquired in another Member State is contrary to the rights of EU citizens. A logical conclusion, in light of cases like "Deldits" and "Mousse". All cases can be found on our platform 𝐝𝐢𝐠𝐢𝐛𝐞𝐞𝐭𝐥𝐞[.]𝐞𝐮, including two A-G opinions also scheduled for the 4th of October! 𝐉𝐨𝐢𝐧 𝐮𝐬 𝐨𝐧 𝐭𝐡𝐞 𝐩𝐥𝐚𝐭𝐟𝐨𝐫𝐦 𝐚𝐬 𝐰𝐞 𝐚𝐧𝐚𝐥𝐲𝐳𝐞 𝐭𝐡𝐞𝐬𝐞 𝐩𝐢𝐯𝐨𝐭𝐚𝐥 𝐫𝐮𝐥𝐢𝐧𝐠𝐬 𝐚𝐧𝐝 𝐭𝐡𝐞𝐢𝐫 𝐢𝐦𝐩𝐥𝐢𝐜𝐚𝐭𝐢𝐨𝐧𝐬 𝐟𝐨𝐫 𝐝𝐚𝐭𝐚 𝐩𝐫𝐨𝐭𝐞𝐜𝐭𝐢𝐨𝐧 𝐥𝐚𝐰 𝐢𝐧 𝐭𝐡𝐞 𝐄𝐔. 𝐘𝐨𝐮𝐫 𝐢𝐧𝐬𝐢𝐠𝐡𝐭𝐬 𝐚𝐧𝐝 𝐝𝐢𝐬𝐜𝐮𝐬𝐬𝐢𝐨𝐧𝐬 𝐚𝐫𝐞 𝐰𝐞𝐥𝐜𝐨𝐦𝐞! 👋

🚨*The* 𝐥𝐞𝐠𝐢𝐭𝐢𝐦𝐚𝐭𝐞 𝐢𝐧𝐭𝐞𝐫𝐞𝐬𝐭𝐬 case will receive its judgment on 4 Oct. 2024: Unless you've been on a sabbatical the past years, you probably know the Dutch "legitimate interests cannot be purely commercial interests" discussion. For those who haven't (and hopefully have enjoyed a great holiday), here it goes: On 1 N𝐨𝐯𝐞𝐦𝐛𝐞𝐫 2019, the Dutch DPA published a so-called 'interpretation of norms' document about the legitimate interests legal ground. You know: Article 6.1.f #GDPR. The document contains phrasing like: 𝘞𝘩𝘢𝘵 (...) 𝘥𝘰𝘦𝘴 𝘯𝘰𝘵 𝘲𝘶𝘢𝘭𝘪𝘧𝘺 𝘢𝘴 𝘢 𝘭𝘦𝘨𝘪𝘵𝘪𝘮𝘢𝘵𝘦 𝘪𝘯𝘵𝘦𝘳𝘦𝘴𝘵 𝘪𝘴, 𝘧𝘰𝘳 𝘦𝘹𝘢𝘮𝘱𝘭𝘦: 𝘮𝘦𝘳𝘦𝘭𝘺 𝘴𝘦𝘳𝘷𝘪𝘯𝘨 𝘱𝘶𝘳𝘦𝘭𝘺 𝘤𝘰𝘮𝘮𝘦𝘳𝘤𝘪𝘢𝘭 𝘪𝘯𝘵𝘦𝘳𝘦𝘴𝘵𝘴, 𝘱𝘳𝘰𝘧𝘪𝘵 𝘮𝘢𝘹𝘪𝘮𝘪𝘴𝘢𝘵𝘪𝘰𝘯, (...), 𝘦𝘵𝘤. Panic among lawyers and other ensued: 'do (purely) commercial interests indeed fall out of the scope of Article 6.1.f GDPR'? This would have significant consequences for their (commercial) clients who rely on this legal ground. If the DPA's view is followed, then you don't even start the balancing act of Art. 6.1.f, simply because the interests are purely commercial. The European Commission wrote a letter on 6 𝐌𝐚𝐫𝐜𝐡 2022, in which it argues that the Dutch DPA is too strict in interpreting the concept of 'legitimate interest'. The Commission's concern is that the Dutch DPA's interpretation may hinder the market too much. The Dutch DPA put its view to the test in the VoetbalTV-case, where VoetbalTV wanted to film amateur soccer (football!) players using smart cameras. See Joost Gerritsen's case note about it in the comments. Long story short, in 𝐉𝐮𝐥𝐲 2022 this case ended when the Dutch highest administrative court confirmed VoetbalTV did not have to pay the imposed fine by the DPA. This court left the lower court's view in tact, in which it became clear that purely commercial interests are eligible as 'legitimate interests'. Meanwhile, another case, known as the KNLTB case, started. This one is aimed against the Dutch association for tennis players, who sold their members' data commercial parties (!). Here, too, the Dutch DPA maintained its (stubborn?) view about legitimate interests, so no balancing act was needed. The Dutch court wasn't sure how this approach should be interpreted in light of the GDPR, and asked questions to the CJEU on 22 September 2022 (see screenshot). And now, two years later, we will hear how this epic saga will end. 𝐈𝐬 𝐭𝐡𝐞 𝐃𝐮𝐭𝐜𝐡 𝐃𝐏𝐀 𝐫𝐢𝐠𝐡𝐭, 𝐚𝐧𝐝 𝐚𝐫𝐞 𝐰𝐞 (𝐥𝐚𝐰𝐲𝐞𝐫𝐬, 𝐭𝐡𝐞 𝐂𝐨𝐦𝐦𝐢𝐬𝐬𝐢𝐨𝐧, 𝐨𝐭𝐡𝐞𝐫𝐬) 𝐚𝐥𝐥 𝐰𝐫𝐨𝐧𝐠? Our expectations regarding the Court's answers: 💠 The CJEU will answer the questions in a polite manner, leaving the Dutch DPA's 'ego' more or less in tact. 💠 The polite response could result in ambiguous wording. As a consequence, both parties (KNLTB and the Dutch DPA) will say the CJEU answered in their favour. 𝐓𝐨𝐨 𝐜𝐲𝐧𝐢𝐜𝐚𝐥? 𝐎𝐫 𝐫𝐞𝐚𝐥𝐢𝐬𝐭𝐢𝐜?