The “pay or OK” debate in the EU continues, and it is still unclear what its outcome will be, for Meta and everyone else. Today, the European Commission announced their preliminary finding that Meta’s approach is not compliant with the law. Importantly, the Commission investigates this issue not under data protection law (the GDPR), but under the EU Digital Markets Act (DMA). Meanwhile, data protection authorities continue to investigate from the GDPR perspective.

Read the full piece here.

Abstract

Scholars have widely criticized the Supreme Court’s Fourth Amendment jurisprudence as incoherent, especially in cases involving emerging technologies. This Article argues that to understand Fourth Amendment doctrine, one must consider how the values that underlie the Court’s decisions are balanced against each other and shift over time. To do so, this Article first proposes a novel, bottom-up approach to identifying the relevant values that focuses on the specific evidence that the Court considers in each case. Distilling the values underlying the Fourth Amendment provides a more coherent understanding of Fourth Amendment doctrine. This Article then applies this framework to three biometric technologies: facial recognition, iris recognition, and DNA profiling. Law enforcement use of these technologies may all raise Fourth Amendment challenges, but the framework shows how these challenges implicate different values. Recognition and application of this framework can result in a better appreciation of the impact of emerging technologies on Fourth Amendment doctrine.

Read at SSRN.

ICLE Senior Scholar Mikolaj Barczentewicz took part in a virtual panel hosted by Arthur Cox LLP on the European Data Protection Board’s recent opinion concerning whether “pay or consent” platform models comply with the EU’s General Data Protection Regulation (GDPR). Video of the full panel is embedded below.

Abstract

Understanding how institutions, technology and social welfare coevolve is essential to understanding economic and social development, and the evolution of privacy alongside institutions and technology in the modern era sheds valuable light on this question. Privacy has both private individual value and public social value, even as privacy rights tradeoff directly with the ability of the government to enforce the law. We deem this inherent defect in the government’s incentives to protect privacy the “institutional privacy dilemma,” a defect which results in a greater role for technological innovation and individual choice to preserve rights to privacy alongside the public institutions that both protect and infringe it. In the digital age, technological change has led to greater private use of encryption to preserve individuals and organizations’ rights to privacy. Yet, this technology itself poses a challenge for law enforcement, for encryption shields those with innocent and criminal motives alike. Unsurprisingly then, governments have sought to weaken or eliminate encryption in the face of the privacy dilemma, with an emerging set of technological solutions preserving private actors’ rights to a measure of privacy while applying zero-knowledge proofs to simultaneously satisfy legitimate enforcement objectives. Our case study of applications of zero-knowledge proofs and privacy institutions illuminates how a coevolving blend of polycentric forces governs social welfare in practice and emphasizes how individual demand for rights the government is especially likely to infringe plays an essential governance role.

Among the less-discussed requirements of the European Union’s Digital Markets Act (DMA) is the data-sharing obligation created by Article 6(11). This provision requires firms designated under the law as “gatekeepers” to share “ranking, query, click and view data” with third-party online search engines, while ensuring that any personal data is anonymized.

Given how restrictively the notion of “anonymization” has been interpreted under the EU’s General Data Protection Regulation (GDPR), the DMA creates significant tension without pointing to a clear resolution. Sophie Stalla-Bourdillon and Bárbara da Rosa Lazarotto recently published a helpful analysis of the relevant legal questions on the European Law Blog. In this post, I will examine Google’s proposed solution.

Read the full piece here.

While myriad attempts to pass federal privacy legislation have all fizzled out in recent years, House Energy and Commerce Committee Chairwoman Cathy McMorris Rodgers (R-WA) and Senate Commerce Committee Chairwoman Maria Cantwell (D-WA) recently introduced the American Privacy Rights Act of 2024 as a compromise approach that could pass both chambers.

But before it does, it’s worth considering whether the United States really wants to follow the European privacy model, which has led to much confusion and consumer harm.

Read the full piece here.

Abstract

Concerns over the ownership, use, security, and flows of consumer data information are not new. Yet the dominance of the Internet and electronic payments has elevated such concerns to a high level. Traditionally there was perceived to be a tradeoff between the flow of information necessary for the consumer financial system to work well (such as to solve information asymmetries necessary in order to make credit-granting decisions) and consumer control over their data and keeping their information private. Data security approaches historically pursued a state “fortress” model that rested on the ability of consumers to keep private a small amount of information the consumer uniquely knew, such as a PIN or password.

Today, however, it is becoming apparent that this static model is no longer viable and can be expected to grow less viable with the growth of artificial intelligence and machine-learning. But such approaches have costs as well—not only are they often more cumbersome, when the fortress walls are breached these systems can be slower to adapt and can result in increased harm to consumers on the back end. Some people have suggested that we respond to these emergent threats by trying to build taller and thicker fortress walls and other static, such as the use of biometric identification. The approach suggested here, by contrast, attempts to model what a more dynamic approach to information security would look like and how such a system would be dependent on more data flows rather than less. I suggest some areas of current and proposed regulation that should be reexamined in light of the analysis presented here.

Read at SSRN.

ICLE Senior Scholar Miko?aj Barczentewicz was a guest on the Mobile Dev Memo podcast to discuss the European Data Protection Board’s recent ruling on the so-called “pay or okay” business model, and whether it complies with the requirements of the EU’s General Data Protection Regulation (GDPR). Audio of the full interview is embedded below.

It’s easy for politicians to make unrealistic promises. Indeed, without a healthy skepticism on the part of the public, they can grow like weeds. In the world of digital policy, the European Union’s Digital Markets Act (DMA) has proven fertile ground for just such promises. We’ve been told that large digital platforms are the source of many economic and social ills, and that handing more discretionary power to the government can solve these problems with no apparent side effects or costs.

Read the full piece here.