All issues > Volume 17 > Issue 17:2 (194-454)

Most privacy laws contain two obligations: that processing of personal data must be minimised, and that security breaches must be detected and mitigated as quickly as possible. These two requirements appear to conflict, since detecting breaches requires additional processing of logfiles and other personal data to determine what went wrong. Fortunately Europe’s General Data Protection Regulation (GDPR) – considered the strictest such law – recognises this paradox and suggests how both requirements can be satisfied. This paper assesses security breach detection in the light of the principles of purpose limitation and necessity, finding that properly-conducted breach detection should satisfy both principles. Indeed the same safeguards that are required by data protection law are essential in practice for breach detection to achieve its purpose. The increasing use of automated breach detection is then examined, finding opportunities to further strengthen these safeguards as well as those that might be required by the GDPR provisions on profiling and automated decision-making. Finally we consider how processing for breach detection relates to the context of providing and using on-line services concluding that, far from being paradoxical, it should be expected and welcomed by regulators and all those whose data may be stored in networked computers.

The paper analyses to what extent the owners of smart speakers, such as Amazon Echo and Google Home, can be considered joint controllers, and what are the implications of the household exemption under the GDPR, with regard to the personal data of guests or other individuals temporarily present in their houses. Based on the relevant interpretations of the elements constituting control and joint control, as given by the Art. 29 Working Party and by the European Court of Justice (in particular in the landmark cases Wirtschaftsakademie, Jehovah’s Witness, Ryneš, and Fashion ID), this paper shows how the definition of joint control could be potentially stretched to the point of including the owners of smart speakers. The purpose of the paper is, however, to show how the preferred interpretation should be the one exempting owners of smart speakers from becoming liable under the GDPR (with certain exceptions), in the light of the asymmetry of positions between individuals and companies such as Google or Amazon and of the rationales and purposes of the GDPR. In doing so, this paper unveils a difficult balancing exercise between the rights of one individual (the data subject) and those of another individuals (the owner of a smart speaker used for private and household purposes only).

Information is a central concept in data protection law. Yet, there is no clear definition of the concept in law – in legal text or jurisprudence. Nor has there been extensive scholarly consideration of the concept. This lack of attention belies a concept which is complex, multifaceted and functionally problematic in the GDPR. This paper takes an in-depth look at the concept of information in the GDPR and offers up three theses: (i) the concept of information plays two different roles in the GPDR – as an applicability criterion and as an object of regulation; (ii) the substantive boundaries of the concepts populating these two roles differ; and (iii) these differences are significant for the efficacy of the GDPR as an instrument of law.

Google’s Duplex illustrates the great strides made in AI to provide synthetic agents the capabilities to intuitive and seemingly natural human-machine interaction, fostering a growing acceptance of AI systems as social actors. Following BJ Fogg’s captology framework, we analyse the persuasive and potentially manipulative power of emotionally intelligent conversational agents (EICAs). By definition, human-sounding conversational agents are ‘designed to deceive’. They do so on the basis of vast amounts of information about the individual they are interacting with. We argue that although the current data protection and privacy framework in the EU offers some protection against manipulative conversational agents, the real upcoming issues are not acknowledged in regulation yet.

The law classically provides strong protection to whatever is inside a home. That protection is lost now that our photo albums, notes and other documents have become digital and are increasingly stored in the cloud. Even if their owner never intended these documents to be shared, their copies in the cloud may be accessed by law enforcement, under possibly lower conditions than apply to home searches. In this paper, we study this problem from a theoretical perspective, asking whether it is possible to establish home-equivalent legal protection of those private digital storage spaces (smartphones, private cloud storage accounts) that most closely resemble the home as a storage environment for private things. In particular, we study whether it is possible, using technological design, to clearly separate digital storage spaces that are used privately versus storage spaces used to share data with others. We sketch a theoretical architecture for such a ‘digital home’ that most closely resembles the physical home in terms of the space that is the most personal storage environment for private files. The architecture guarantees the data are indeed only stored for private use, and can never be shared with others unless the device used for storage itself is shared. We subsequently argue that the law should offer ‘home’ protection to data stored using this system, as an intermediate stepping-stone towards more comprehensive legal protection of cloud-stored data. Such protection is needed, since nowadays, not the home or the smartphone, but the smartphone/cloud ecosystem holds ‘the privacies of life’.

We live in a world where technological corporations hold unprecedented power and influence. Technological solutions to social, political, and economic challenges are rampant. In the Global South, technology that is developed with Western perspectives, values, and interests is imported with little regulation or critical scrutiny. This work examines how Western tech monopolies, with their desire to dominate, control and influence social, political, and cultural discourse, share common characteristics with traditional colonialism. However, while traditional colonialism is driven by political and government forces, algorithmic colonialism is driven by corporate agendas. While the former used brute force domination, colonialism in the age of AI takes the form of ‘state-of-the-art algorithms’ and ‘AI driven solutions’ to social problems. Not only is Western-developed AI unfit for African problems, the West’s algorithmic invasion simultaneously impoverishes development of local products while also leaving the continent dependent on Western software and infrastructure. By drawing examples from various parts of the continent, this paper illustrates how the AI invasion of Africa echoes colonial era exploitation. This paper then concludes by outlining a vision of AI rooted in local community needs and interests.

The General Court of the EU confirmed the decision of the EUIPO Second Board of Appeal in relation to the EU figurative trade mark registered by adidas AG, according to which this mark, consisting of “three parallel equidistant stripes”, is devoid of distinctive character. The General Court confirmed that adidas AG had failed to demonstrate use of this mark throughout the EU or that the mark, which is inherently devoid of distinctive character, had, by virtue of that use, come to identify the goods for which it was registered and thus had acquired distinctiveness. The General Court, in reaching this conclusion, relied on its assessment that most of the evidence provided by adidas AG was irrelevant for the purposes of establishing that the mark had acquired distinctive character through use as it was not directly linked to the use of the mark in its registered form. In addition, the General Court recognized that there was nothing in the application of adidas AG to suggest that the registered trade mark could be interpreted as a “pattern mark”. Finally, in relation to the “law of permissible variations”, the General Court stated that because the figurative mark at issue is so simple, even a slight change can alter its distinctiveness.