If you want a change from relentless bad news, here is a more cheerful wander through the world of data protection.

Jonathan Goldsmith

Jonathan Goldsmith

The most arresting recent development in a key field affecting all our rights was the opinion of the Advocate General of the Court of Justice of the European Union (CJEU) in a case involving the Austrian data activist, Max Schrems.

For those who follow data protection, Max Schrems is the equivalent of a caped hero, with two epochal CJEU judgments named after him, Schrems l (2015 – don’t transfer our data to the US without adequate protections) and Schrems ll (2020 – again don’t transfer our data to the US, since the new US protections are still inadequate).

In his new case, once more concerning Facebook, Max Schrems complains about Facebook’s use of data to target advertising at him. The facts are a little scary, although most of us have experienced it: ads suddenly appear on our screen based on apparently unrelated previous purchases or searches.

Max Schrems is gay, but he had never mentioned his sexual orientation on his Facebook profile, nor published any sensitive data. Nor had he authorised Facebook to use, for the purposes of targeted advertising, the fields in his profile relating to his relationship status, employer, job title or education.

He found, however, that he regularly received ads aimed at homosexuals, and invitations to corresponding events, even though he had never previously shown an interest in similar events and was not familiar with the venues. The ads and invitations were based not directly on his sexual orientation nor that of his ‘friends’ on Facebook, but on an analysis of their particular interests. He claimed that Facebook recorded all his data, including those obtained through third parties or plug-ins, and stored them for an indefinite period. He sought a declaration and an injunction concerning unlawful processing of his personal data.

The Advocate General said that the law does not allow personal data for the purposes of targeted advertising to be processed without restriction as to time or type of data, and the referring court would have to decide the extent to which the data retention period and the amount of data processed were justified for the purposes of personalised ads.

There was a second leg to the case. After putting in his initial claim, Max Schrems spoke at a discussion organised by the European Commission in Vienna, during which he referred to his sexual orientation while criticising Facebook’s processing of his data. Did this public admission change the position, and allow Facebook to process data about his sexual orientation, since it had been ‘manifestly made public’ (a term from the GDPR)?

The answer from the Advocate General was that the public statement does not in itself permit the processing of such data for the purposes of personalised advertising.

We will wait to see whether the CJEU follows this opinion in its judgment, although it usually does.

Whether we are in or out of the EU, such cases are of interest, if only because they throw light on the practices of the digital giants, and also because of the continuing similarity of our data regimes.

As it happens, the House of Lords has recently published a call for evidence into data adequacy (the process whereby the EU recognises our own data regime, and so permits data to be freely transferred back and forwards) and its implications for the UK-EU relationship. The inquiry will focus on how current arrangements are working in practice, and the possible implications of divergence in our respective regimes.

It is taking place at the same time as the government is shepherding the Data Protection and Digital Information Bill (DPDIB) through parliament, which aims to escape from the GDPR template, presumably without endangering the UK’s adequacy status.

The European Parliament’s Justice Committee has contributed evidence, drawing attention to three areas of concern in the UK: that DIPDIB changes the definition of ‘personal data’, loosening its GDPR definition; that DIPDIB appears to undermine the effectiveness and independence of the role of the Information Commissioner’s Office; and that DIPDIB permits the UK to declare third countries not following EU standards to have adequate data regimes, which could by pass the EU’s adequacy rules.

The use of our data is at the heart of modern life, and our control over it is dependent on governments regulating gigantic companies and hidden practices.

(In a side development also of interest to lawyers whose websites are scraped for the purpose of training generative AI, the New York Times has sued OpenAI and Microsoft for using its articles for such training, while the Financial Times has just come to a deal with OpenAI to allow use of its articles.)

We lawyers have data concerns not only as citizens, but also as lawyers, chiefly in relation to confidentiality. Data activists protect our interests.

 

Jonathan Goldsmith is Law Society Council member for EU & International, chair of the Law Society’s Policy & Regulatory Affairs Committee and a member of its board. All views expressed are personal and are not made in his capacity as a Law Society Council member, nor on behalf of the Law Society

Topics