Posts

The digital euro passes another obstacle

It actually happened after the big hearing: the EPP rapporteur withdrew his opposition to the draft, thus enabling the file to progress. The Council already adopted its common position last December, while the European Parliament had not yet done so - normally the Parliament is further ahead than the Council, where the diverging interests of Member States are not easy to reconcile. Piero Cipollone, member of the Governing Board of the European Central Bank, was the guest of the EP Committee of Economic and Monetary Affairs. After a general denial by the Patriots - which Mr. Cipollone countered by pointing out that the offline version of the digital euro will actually enhance the liberty of citizens in effecting payments - other parliamentary groups asked more relevant questions. Of course the ECB board member could not name the two countries where banks may have difficulty providing sufficient funds for the digital euro, but emphasised that the findings were based on the extreme cond...
Recent posts

First AI case on copyright – but authors were not in the room

English version of my article on portfolio.hu. The hearing in the case C-250/25, Like Company, took place on 10 March – and the Court had a lot of questions about how large language models (LLMs) use the information they are trained on and how chatbots reflect the training data on one hand and data found on the Internet on the other – in the context of copyright on the digital market (Directive 2001/29/EC and Directive 2019/790). The questions of whether using a published article to train an LLM involves reproduction, and whether repeating in a chatbot's response a part of the article large enough to be protected by copyright or a related right is communication to the public, are to frame the decision on whether the publisher’s right was infringed. Namely, it was not the author but the publisher who sued Google for infringement of copyright. An article in a small local portal about a celebrity wanting to settle dolphins in the biggest warm water lake of Europe, the Balaton in Hungary,...

A Hungarian case about processing data based on law - what are the requirements?

This question can be interesting in respect of the latest change in Hungarian health data processing: doctors performing workplace health tests are obliged to upload the entire files to the common health space, where access is not as limited as it should be. The concrete case adjudicated by the European Court of Justice concerns the processing of COVID vaccination data, also based on national law. For processing based on a legal obligation to which the controller is subject, Member States may maintain and introduce specific provisions determining more specific requirements and can also describe features of the processing, including measures to ensure fair and lawful processing. Processing of special categories of data (including health data) for reasons of substantial public interest (in any area) or of public interest in the area of public health requires that the law should provide for suitable and specific measures to safeguard the fundamental rights and interests of the data ...

The right to information and data subject access requests

The European Court of Justice dealt with some cases concerning data subject access requests and clarified the scope of certain information to be provided. 1. The right to information: The data subjects have the right to be informed about how their personal data are processed by the controller. This information has to be provided using a privacy statement which is also called data protection notice. The privacy statement has a set content which serves not only to inform data subjects about which of their personal data are processed and how but also to assure them that their personal data are processed in compliance with EU rules. Some information in the privacy statements is nevertheless general and therefore data subjects can request further information and access to the personal data the controller processes about them. Privacy statements can be displayed on the webpages of the controller. Some controllers publish one comprehensive privacy statement which contains information about vari...

The Transatlantic Data Privacy Framework - new way to transfer personal data to US organisations

After long negotiations, the new adequacy decision for processing personal data of EU data subjects in the United States resulted in new rules and the setting up of new organisations in the US and an adequacy decision by the European Commission. This enables the transfer of personal data only to organisations in the US that register to the EU-U.S. Transatlantic Data Privacy Framework. Organisations registered to the predecessor of the new framework, the Privacy Shield, retain their registration if they maintained it and continue to fulfil the conditions. The list of organisations registered can be found here: https://www.dataprivacyframework.gov/s/participant-search. As mentioned above, it is not only the Commission adequacy decision which is new; the United States also undertook a number of measures, in particular concerning the regulation of surveillance of electronic communications, to harmonise the American rules more with the European data protection requirements. ...

Why is there no article about transmission of data to EU controllers in the GDPR?

There is an article, number 9, in the data protection regulation for EU institutions (Regulation (EU) 2018/1725, called EUDPR). The transmission to other EU institutions or to another controller within the same institution is, however, only subject to recital 21. In the GDPR, even the recitals do not mention transmission of personal data to other European organisations. Of course, the use of processors is regulated in both acts, but not the transmission to another controller. It can be concluded that the transmission to entities under the same legislation is not covered while transmission from EU institutions to entities under a regulation which has a wider scope, is. The reason is clear: protection by the EUDPR is intended to be stricter. For example, EU institutions are not allowed to process data based on legitimate interest. Therefore transmission to another controller, who may process data based on legal bases unavailable for EU institutions, is restricted to cases where the sam...

What the games... tricks in cookie banners

The e-privacy directive and the draft e-privacy regulation prescribe the rules internet sites have to follow in placing cookies. One of the main differences in opinion between the European Parliament and the Council, and even within the Council, was whether sites can place cookies based on legitimate interest. It is generally accepted that the e-privacy rules should not be softer than the GDPR requirements. Many data protection experts believe that placing information on the terminal equipment of the user is so intrusive that it should not be justified by legitimate interest. On the other hand, in case of processing of personal data based on legitimate interest, the user has the right to object - but only based on his/her particular situation. Cookies are sometimes absolutely necessary to provide the online service. Most of these, maybe all, do not have to be kept after the session is closed (for example those which indicate that the user has been authenticated, which serve tha...