It is becoming much easier for individuals to monitor each other at scale.

I remember a time when doorbell cameras were a rarity, and were even perhaps met with a natural reaction to mediums designed to capture data about you. Unnecessary, excessive, creepy.

But now as I walk through most neighbourhoods, doorbell cameras are everywhere. It is becoming rare to see a house that does not have one of these devices slapped onto or next to a front door, gawking at you as you walk past.

What has happened here? How have these devices, once frowned upon, now become almost an imperative for every household?

I think this trend reveals something interesting about how people view privacy.

Many people often acquiesce to convenience, despite the preferences, values or ethics that they might claim to hold. This is ultimately context-dependent, but it is fair to say that people’s boundaries are dynamic such that they may be willing to buy particular products or engage in certain activities which they may have previously disregarded.

We can observe across many different domains in our digital age. Social media is an obvious one, and AI chatbots are probably the next.

But there is something particularly intriguing that the rise of doorbell cameras reveal about the attitudes people have toward privacy, whether their own or that of others.

One norm that seems to be emerging is that if one places themselves in some sort of public realm or area, whether physical or digital, then the collection of their data is basically free game.

There is sometimes a perception that if a person has a public social media account, and posts content on that account that essentially anybody can view, the collection and use of that data is completely legitimate. If it is public, and anybody can see it, then surely anybody can use it? If you didn’t want people to use your content, then don’t post it in a public space.

But this misses an important point about data rights and their purpose. That data are public may mean that the level of privacy one can expect is reduced, but it is not zero and, in any case, the publicity of the data cannot be taken as some sort of implied consent for its endless use by others.

This applies in the physical domain too. Just because you record someone who happens to walk past your property does not mean you can do whatever you want with that recording.

The use of data ought to be dictated by the legitimacy and necessity of its use, as well as be used only for that purpose and accordingly limited in term of its nature and volume.

These principles I think are being respected by individuals less and less. We can talk about certain companies and the poor data practices that they follow. But at an individual level, I think the respect for privacy is getting weaker.

And maybe doorbell cameras are not the strongest example to demonstrate this with. There are some people who simply use them as a deterrent, and do not even bother to use the full range of their functionalities or might even admit if questioned that the damn thing doesn’t even work (or they don’t know how to work it).

So another perhaps more consequential piece of privacy-invasive hardware to cite here is recording glasses. A surveillance device dressed as a fashion accessory.

These are devices that enable a more ambient form of passive data collection. They can basically record anything you see in any location that you go.

The same emerging cultural dynamics are at play here: if you are in a public space where someone happens to be filming with their recording glasses, that is on you.

The thing about both doorbell cameras and recording glasses is that it takes away the agency of the surveilled in terms of whether their data are captured. They have no choice - if someone has one of these devices and you enter their periphery, then your data is collected. No opportunity to consent, to know what it might be used for or who it might be shared with. It is already in the hands of someone else.

And people may not even know that this is happening. The indicators that someone is wearing recording glasses are subtle and very difficult to spot at a distance.

Such devices contribute to a sort of fragmented surveillance at scale.

The question is whether data rights are built for this.

I think our legal frameworks were mostly built to deal with more centralised forms of surveillance, initially by states but then by companies. You regulated singular entities carrying out processing activities concerning lots of people; an easily identifiable bottleneck that can be addressed in one swoop.

But when the means of surveillance are fragmented across the population, giving individuals the ability to monitor lots of other people at scale, what recourse do those being surveilled have?

Share

Read more

Most people simply do not realise the purpose of privacy.

And you are one of those people if you think that you don’t need to worry about privacy if you have nothing to hide.

This is a bad take. Ignorant in fact.

Here’s the truth.

Think about the social…

Read more

And then when trying to access the direct messaging feature on the Substack app, I was presented with this:

In fact, if you are in the UK, you may have noticed a number of websites requiring your age to be verified before being able to access the site. Or you may have seen this in the news.

Now this was not just limited to adult websites. Even platforms like X, Reddit and and TikTok have also been introducing some form of age checks. And lots of people have been wondering why.

The main reason is because of a law in the UK called the Online Safety Act 2023 (OSA). The main purpose of this legislation is to impose obligations on online platform operating in the UK to ensure that they are safe for UK users, especially children.

In this newsletter, I attempt to explain, in simple terms, why OSA has led to certain websites like Substack asking for your age. I will cover:

• What OSA is and what it requires

• What are the specific requirements regarding age checks

• The data protection issues with age checks

• What this all really means

Subscribe now

What is the Online Safety Act and what does it require of Substack?

The main aim of OSA is to provide a regulatory framework for making the use of internet services safer for people in the UK. It does this by:

• Imposing duties on certain service providers to identify, mitigate and manage risks of harm from illegal content and activity and content and activity that is harmful to children

• Conferring certain functions and powers to Ofcom, the UK regulator for broadcasting, internet and telecommunications

Among the service providers caught within the scope of OSA are what are called ‘user-to-user services’, or U2U. Under the Act, a U2U service provider is an internet service that enables and hosts content generated, uploaded or shared by users that other users can also access.1

In its guidance, Ofcom states that a U2U service provider includes the following types of internet services:

• Social media sites or apps

• Photo- or video-sharing services

• Chat or instant messaging services, including dating apps

• Online or mobile gaming services

Substack describes itself in the following way:

...a new media app that connects you with the creators, ideas, and communities you care about most. Here, you can discover world-class video, podcasts, and writing from a diverse set of creators who cover politics, pop culture, food, philosophy, tech, travel, and so much more.

It is pretty clear then that Substack constitutes a U2U service under OSA, which is also implicit in the communications it has been sending out regarding compliance with this law.

If Substack is a U2U service provider under OSA, then what is it required to do?

The obligations falling on Substack can be found in Chapter 2 of the legislation, which in the main include the following:

• Carry out an assessment that evaluates how likely users are to encounter illegal content on the service2

• Take measures to mitigate and manage the risk of illegal content existing on the service, including through, among other things, the design of certain functionalities or other features, drafting policies on terms of use, content moderation or other measures3

• Enable users to report illegal content or content that is harmful to children4

What are the specific requirements regarding child safety and age checks?

So how do the OSA requirements apply to Substack in such a way that it needs to check the ages of its users?

If you read Substack’s 18+ content policy on its support page, we see the following:

Substack supports a wide range of writing and creative expression, including material intended for adult audiences. In compliance with the UK Online Safety Act (“OSA”), we are required to provide UK users with a way to report potentially illegal or age-restricted content.

Let’s unpack this a bit.

As suggested in Substack’s policy, the platform allows material to be published for adult audiences and therefore material that may not be suitable for children. Where this is the case, OSA imposes child safety duties on service providers where that service is “likely to be accessed by children.”5

The likelihood of a child accessing a service depends on the outcome of a children’s access assessment.6 This is an assessment that determines whether it is possible for a child to access the service and whether either a significant number of children use the service or the service likely to attract a significant number of child users.7 All U2U service providers, including Substack, are required to carry out this assessment.8 Interestingly, OSA explicitly states that if a service has not already implemented age checks for its service, it cannot conclude that its service is not likely to be accessed by children.9

If the service is likely to be accessed by children, then a U2U service provider like Substack will also need to carry out a child risk assessment for its service.10 This assessment needs to evaluate how likely child users are to encounter what OSA calls ‘primary priority content’ that is harmful to children. In its guidance, Ofcom has stated that content relating to the following falls in this category:11

• Pornography

• Suicide

• Self-harm

• Eating disorders

• Abuse and hate speech

• Bullying

• Violence

• Harmful substances

• Dangerous stunts and challenges

In carrying out these risk assessment, Ofcom has specified the characteristics of the service that should be taken into account. Among these characteristics include the ability to send direct messages on the service, on which Ofcom states the following in its guidance:

Direct messaging can allow users to share content harmful to children in a closed and more targeted manner. While direct messaging can enable users to protect their privacy, our evidence shows direct messaging can enable abuse and hate content, and bullying content behaviours, particularly between two users, that are more likely to go unnoticed by others. This risk may increase when users are able to message other users without the recipient’s permission. Children can also receive direct messages containing pornographic content, often in the form of hyperlinks and frequently by users they do not know or suspect to be ‘bots’.

As part of the child safety duties under OSA, U2U service providers are required to prevent children from encountering primary priority content as well as protect children from the risk of harm of other content on the service.12

To comply with this duty, OSA requires U2U service providers to use age verification or age estimation (or both) to prevent children encountering harmful content.13 In doing so, the service provider must ensure that the age checks are “highly effective at correctly determining whether or not a particular user is a child.”14

OSA is quite specific regarding what counts as age verification or age estimation:

• ‘Age verification’ means “any measure designed to verify the exact age of users of a regulated service.”15

• ‘Age estimation’ means “any measure designed to estimate the age or age-range of users of a regulated servic.”16

Accordingly, any measures where a user simply self-declares that they are of a certain age (for example by ticking a box which says that they are 18 or above) is neither considered age verification or estimation for the purposes of OSA.17 Such mechanisms are not enough to comply with the law.

So putting this altogether:

• Substack allows material suitable for adults and therefore not suitable for children

• Substack has probably concluded that its service is likely to be accessed by children

• Substack’s child risk assessment likely included the risks of having direct messaging features as part of its service

• Substack considers itself to be subject to child safety duties under OSA

• To comply with these duties, Substack has implemented age checks for its service, including for its direct messaging feature

Data protection and age checks

If you have gone ahead and completed the age checks mandated by Substack, you may be wondering how your data is handled as part of this process.

There are different ways for an internet service to carry out age checks on users:

• Verifying ID documents. This requires uploading a picture of an government-issued ID such as a driving licence or passport. The document is then checked for authenticity and to verify the age of the user presented in the documents.

• Computer-vision approach. This is where the service predicts the age of a given user based on an image of their face. With this, users are required to take a selfie using their device from which their age is estimated.

• Analysing account information. This involves using data from or generated about a user on the service to predict their age. For example, YouTube applies machine learning for age estimation of its users by relying various signals such as search history and how long an account has existed.

Third party providers are usually preferred by internet services for carrying out the checks. Substack uses Persona, an online identity verification service based in San Francisco. Substack’s support page describes how an age check is conducted based initially on a selfie or, failing this, a copy of a government-issued ID document.

The handling of user data for age checks is something that OSA does anticipate, as it states that the following duty applies to internet services subject to the legislation:18

When deciding on, and implementing, safety measures and policies, a duty to have particular regard to the importance of protecting users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a user-to-user service (including, but not limited to, any such provision or rule concerning the processing of personal data). (Emphasis added)

OSA does not contain much by way of specific data protection and privacy rules. For this, Ofcom relies on the enforcement activity of the Information Commissioner’s Office (ICO), as the UK’s data protection regulator, stating:

We work closely with the ICO and where we have concerns that a provider has not complied with data protection law, we may refer the matter to the ICO.

To that effect, the ICO has published guidance on the use of age checking technology whilst ensuring compliance with relevant data protection rules, including the UK GDPR. In that guidance, the ICO sets out their expectations for age assurance and compliance with each of the data protection principles.

There are a few issues here that I think are worth highlighting.

The first one concerns accuracy. U2U service providers that estimate a user’s age using computer-vision mechanisms or based on account information are relying on approaches where the likelihood of error is much higher. These errors either result in genuine adults being denied access to the service or part of the service or granting access to children when they should not.

Sometimes the source of this accuracy is the bias ingrained in the facial estimation systems themselves. These systems utilise machine learning classifiers trained on large datasets of facial images. However, these datasets are not always demographically diverse, resulting in varying performance levels when used for different types of people, including in terms of skin colour and gender.

Additionally, as with any system, there are security risks. Back in July 2024, AU10TIX, an Israeli ID verification company, suffered a data breach which exposed its logging platform containing images of identity documents like driving licences and passports. This provider was used by TikTok, Uber X and other well-known internet services at the time.

By relying on third party age checking systems, which has become the standard approach, another entity is added to the data processing chain which in turn increases the lack of control one has over their data. These providers may state that they only use the data to verify identity, but from a user perspective it is difficult to verify if this is really true. Once the ID documents or selfies have been sent to their servers, the fate of that sensitive information is essentially in the hands of the service provider. This is especially if those providers are based in another country where data protection laws may be weaker or basically non-existent.

Read more

When I say legal documents, I am referring to those documents you would have come across or at least heard about before. Think legislation or regulations, codes, contracts, policies and others.

Reading these documents is often a bit of a drag. I often find this to be the case, even as someone who reads such documents on a regular basis as part of my work. This struggle as three strands to it:

1. They are not always easy to read and understand. Legal documents often contain lots of legal jargon and technical terms. I have come to understand many of this, but there are certainly times where I will come across a provision that almost seems like it is written in a foreign language.

2. They are too long. The length of document depends on the type of document. Legislation tends to be the longest, sometimes containing hundreds of provisions each of which could be several paragraphs long. Combined with the jargon, it can feel like it takes forever to get through a single piece of legislation.

3. They are not always clear. The extended length combined with the extended jargon sometimes clouds the crux of the document. I will sometimes read provision after provision and lose sight of what the document is ultimately trying to convey and what is therefore important.

That reading legal documents is often a pain is far from ideal.

These documents are important, as they describe the various rights and obligations that apply to you and others in a given situation. But when that crucial information is buried in a dense packaging of words entangled with alien concepts that take time to decipher, access to that information seems impossible. And this is even before thinking about the more difficult part, which is what actions you can take based on the obligations and rights that apply to you.

Even so, I think the ability to navigate the most tricky of legal documents is a skill that anybody can learn. There are certain principles you can follow and implement that help you to get through the task and identify the information that is most important for you. It may take a bit of time to get the hang of it, but I think investing the time is worth it given the importance of some of the legal documents you will need to read in your time, especially if you are a legal professional.

The principles and guidance that I share below are based on the time I have spent researching, writing and working on data rights over the past 10 years, and hopefully they prove valuable for you.

I should stress though that this newsletter does not constitute legal advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content in this newsletter.

The big secret when reading legal docs

Reading legal text is not the same as reading other types of text.

Read more

There are clear dangers to E2EE and data protection with this proposal. But I think to navigate the debates entailed here, certain truths need to be acknowledged. I have thought of five pertinent ones.

Truth #1: Messaging apps are used for offences against children online
Research from the UK’s Centre of Expertise on Child Sexual Abuse demonstrates how perpetrators tend to move their interactions with children to private messaging platforms.1 Those platforms that protect messages with end-to-end encryption (E2EE) makes it much more difficult to detect instances of grooming or when child sexual abuse material (CSAM) is being generated or shared. The use of E2EE messaging platforms for criminal activity is well-known by law enforcement, and is certainly one part of the threat vector for online CSA.

Truth #2: Messaging apps are one part of the threat vector
The research on CSA offences shows that such activity comprises of several stages, and encrypted messaging apps play a role in some of those stages. Perpetrators may start in public spaces first before moving their interactions with children to private spaces.2

Truth #3: Messaging apps are not the only intervention point
If messaging apps are only one part of the threat vector, then they are not the only point of intervention for detecting and preventing CSA offences. Other intervention points could be much more accessible, such as the more publicly available parts of social media platforms.3

Truth #4: It is hard to know the extent of the role messaging apps play in the threat vector
While encrypted messaging apps form part of the lifecycle, it is difficult to know exactly how involved they are. In particular, with the limited visibility on these apps due to the lack of access to message content (except for the sender and recipient), it is difficult to understand the prevalence of CSA on the platform. This is a crucial missing piece of information.

Truth #5: Targeted surveillance is not possible with E2EE
As has been acknowledged in human rights case law, in the context of encrypted messaging apps, removing encryption for one user effectively removes it for all users. E2EE involves a set up in which the service provider does not have the cryptographic keys to read the encrypted messages exchanged on its service. Giving the provider the ability to generate its own copies of the cryptographic keys to decrypt messages removes protection for all users, even those who are not a threat.4 It is essentially either encryption for all or encryption for none.

Truth #6: The outcomes of this debate will have stark impacts on other areas
Replace CSA with ‘terrorist content’ or ‘misinformation’ or any other online harm and the aforementioned truths and issues remain. If the law requires service providers to implement mechanisms detect and prevent one kind of harm, why just stop at one. Once the mechanism is there, the risk of function creep increases substantially.

Data is the lifeblood of the digital world. If fuels many of the digital products and services that you use and the activities that support their development.

Without people's data, Big Tech cannot extract the behavioural surplus needed to fuel their surveillance capitalist machines that turn quantified experiences into revenue.

But data also comes with risk. Negative consequences can certainly follow from improper uses of data.

Data that is of poor quality or is biased and non-representative that are then fed into machine learning algorithms can produce models that are equally substandard. And if these models are incorporated into systems used in significantly consequential contexts, such as making medical diagnoses, then you've got serious problems.

So data is not just "the new oil" or "an asset." It is something that requires careful and considered use given its ability to be both a boon or a complication, depending on who is using it and how.

2. Privacy and data protection are not the same thing

Privacy regulates who gets access to your data. Data protection regulates how that data can be used once accessed.

The protection of your data does not stop once you had it over. Data protection is concerned with the whole data lifecycle, to ensure that its use is done fairly and responsibly.

Data protection can therefore be a means to ensure privacy. But data protection can also be a means to protect other rights and interests:

For example, the GDPR protects people from being subject to decisions based solely on automated processing producing significant affects on them, with some exceptions. Even where those exceptions apply, individuals have the right to obtain meaningful information about the logic involved in the automated processing and to contest such a decision.

These rights become highly relevant when, for instance, a company algorithmically manages the shift of its gig economy workers. Such workers have the right to know exactly how this automated processing works, especially when it determines their job opportunities.

This is not really about privacy, since the employer would need to know the availability of its workers to assign shifts for the delivery of its service. But how this is done is important, for this still ought to be done in a manner that does not lead to unfair outcomes.

3. Only take what you need

Data minimisation requires that you only collect and use the data that are necessary for fulfilling the intended purpose.

This means that the type, nature and amount of data should be of relevance and utility to the processing purpose. If the processing purpose is not clearly articulated, data minimisation is not possible.

When you buy a product from an online retailer to be delivered to your home, you only need to provide them with your contact details, payment details and home address. Nothing more is required for that processing activity.

4. Don’t keep it “just in case”

Excess data can be messy and risky.

Maintaining multiple datasets across multiple systems is not easy. Plus, the more data one holds, the higher the possibility that it gets misused and the higher the severity of a breach if it is accessed by a malicious third-party attacking your systems.

So do not keep any more data than you actually need. Again, articulating the processing purpose is essential for this - once you know the purpose of its collection, you know whether you need to keep it and for how long for.

For example, why keep CVs of previously rejected job applicants. Those CVs are likely to get outdated over time, and in any case the data are from people who ended up not joining the organisation. What is the point of keeping such records?

If you do not need to keep the data, then do not keep that data.

5. The use of data must be clear and justifiable to the data subject

If you cannot justify the use of data to the person that it belongs to, then should you be using it at all?

This requires considering things from the perspective of the data subject. If you were a data subject, would you accept the justification for the proposed use of your data and is that justification clear to you?

The context of the data processing and the reasonable expectations of the data subject are therefore key factors here. If you post content on a social media platform for your connections to see, you may not reasonably expect that that content is also used to train an AI model developed by the platform provider. One use of data does not automatically justify another, even if it is remotely related.

And even if the use of data is justifiable, this needs to be made clear to the data subject. Stuffing the justification in a privacy policy which is linked at the bottom of a website is sometimes not enough. Information about how data is used ought to be delivered in a manner convenient for the data subject, namely at the time that the data are collected.

Collecting one's data through deceptive does not really suggest that its use is justifiable or fair.

6. You don’t always need consent

Consent is one way for obtaining someone's data, but it is not the only way.

Sometimes asking for consent may not actually be appropriate. This could be the case in a employer-employee relationship; the power imbalance is such that employees will feel pressured to accept the use of their data by their employer. They may often feel that there is not a genuine choice.

Other times, asking for consent simply does not make sense. If processing personal data is necessary to perform a contract with the data subject, asking for their consent to process their personal data is not needed. If the data subject does not give their consent, then performing the contract cannot be done. Consent is not needed in this case.

This newsletter is about a decision by the Court of Justice of the European Union (CJEU) in EDPS v SRB. It looks at the Court's view on how the GDPR applies to pseudonymised data and the implications this has for certain data processing activities.

Here are the key takeaways:

• Pseudonymisation refers to techniques that reduce the identifiability of personal data. It consists of taking original data, applying a pseudonymisation technique to that data with the output consisting of pseudonymised data.

• EDPS v SRB is essentially a case about in what circumstances pseudonymised data may be regarded as personal data under the GDPR. It considers whether it is correct to apply a strict approach to this question, whereby pseudonymised data should always be considered personal data.

• The CJEU upheld a relative approach to this issue. This means that, under the GDPR, pseudonymised data is not always personal data.

• If an entity receives pseudonymised data from a controller without the additional information required to link the data to a data subject, and also does not have any other reasonable means to identify the data subject, then that entity has not received personal data. The position of the receiving entity in this case is therefore pertinent to the question of whether the information is indeed personal data.

• The CJEU's decision in EDPS v SRB could have interesting implications for certain types of data processing activities. This includes on-device processing and encryption, as well as the personal data potentially stored in deployed LLMs.

The issues at play

Back in February this year, I took a look at an Advocate General opinion in the case of EDPS v SRB before the Court of Justice of the European Union (CJEU). This case tests the presumption that pseudonymised data is always personal data under the GDPR.

Pseudonymisation refers to techniques that reduce the identifiability of personal data. It consists of taking original data, applying a pseudonymisation technique to that data with the output consisting of pseudonymised data. It therefore consists of three elements:

1. The original data

2. The pseudonymisation technique applied

3. The pseudonymised data (which itself consists of the output pseudonym and the additional information that can be used to elucidate the original data)

An example of a pseudonymisation technique is encryption:

• The original data is the plaintext that is being encrypted

• Applied to this plaintext is the cryptographic protocol

• The output of this application is the cipher text and the cryptographic keys to decrypt the cipher and turn it back to into the plaintext

A full summary of the facts of the case can be found in my previous post, but to quickly recap:

• The Single Resolution Board (SRB) is the resolution authority for the European Bank union.

• In June 2017, SRB hired Deloitte to carry out some analysis that involved comments that SRB had collected from shareholders of a bank.

• SRB therefore shared with Deloitte copies of the comments along with alphanumeric codes generated for each comment.

• SRB did not share with Deloitte any other data SRB had initially collected from the shareholders.

• Those shareholders complained to the European Data Protection Supervisor (EDPS) that SRB had not informed them that their personal data would be shared with Deloitte.

• SRB argued that the information it shared with Deloitte was not personal data since the comments and alphanumeric codes could not be used by Deloitte to identify individuals.

• The EDPS disagreed with SRB's view and found that the information shared with Deloitte constituted personal data.

• SRB brought proceedings against the EDPS before the General Court of the CJEU, which ended up ruling in SRB's favour holding that the information shared with Deloitte was not personal data.

• The EDPS appealed this verdict by the General Court, which is the subject of this latest case.

AG Spielmann's opinion on the matter was that the information shared with Deloitte was not personal data. The reasoning was threefold:

• As per Recital (16), the identifiability of a data subject could be achieved by a data controller 'or by another person.' The reasonable likelihood of identifiability needs to be considered, taking into account the cost and time required to do so and the technology available to achieve identifiability.1

• CJEU caselaw has previously set out the parameters for such identifiability. In particular, the Court has held that, in certain circumstances, information could still considered personal data even if "dissociated from the identification data held by someone else."2

• Pseudonymised data may not be considered personal data if "the risk of identification is non-existent or insignificant."3

Therefore:

According to AG, this reasoning supports a relative, rather than a strict, approach to the concept of personal data and pseudonymisation. Taking a relative approach to the current case, the AG suggests that the key question for the Court to consider is whether "Deloitte had reasonable means to identify [the data subjects]."4 If Deloitte did have such means, only then should the comments and alphanumeric codes it received from the SRB should be considered personal data.

The case is ultimately about the following question:
If entity A collects personal data, pseudonymises it and shares only the pseudonymised with entity B, with only entity A possessing the additional information required to use the pseudonymised data to identify specific individuals, is the pseudonymised data shared with entity B personal data under the GPDR?

Read more

This newsletter is about a 2023 case on data security under the GDPR. It looks at what is required of data controllers in this regard, the extent of their liability for data breaches and what data subjects can claim compensation for in the context of a breach.

Here are the key takeaways:

• The case of VB v Natsionalna agentsia za prihodite involves the…

Read more

This newsletter is about a decision by the Court of Justice of the European Union (CJEU) on legitimate interests under the GDPR. It looks the conditions under which a commercial interest can justify the processing of personal data.

Here are the key takeaways:

• In Koninklijke Nederlandse Lawn Tennisbond, the CJEU sought to answer the following question: for an interest to qualify as a 'legitimate interest' under the GDPR as a legal basis for the use of personal data, does it need to be derived from a law or be a legal norm?

• The short answer to this was in the negative. In other words, legitimate interests do not need to be derived from a law or be a legal norm.

• However, the Court emphasised that whilst this means that a commercial interest can be a legitimate interest under the GDPR, such an interest still needs to satisfy a three-part test:

  1. It needs to be shown that the controller or a third party is pursuing a legitimate interest.

  2. The processing of personal data must be necessary to pursue that legitimate interest

  3. The legitimate interest being pursued, and the data processing it entails, must not take precedence over the interests or fundamental freedoms and rights of the data subjects

• Only if the controller can demonstrate that the this three-part test has been satisfied may it rely on a commercial interest to process personal data.

A judgement from the Court of Justice of the European Union (CJEU) handed down in October 2024 answers this simple question:

For an interest to qualify as a 'legitimate interest' under the GDPR as a legal basis for the use of personal data, does it need to be derived from a law or be a legal norm?

In short, the CJEU's answer in Koninklijke Nederlandse Lawn Tennisbond to this was no - legitimate interests do not need to be derived from a law or be a legal norm. However, that still does not mean that any interest can be a legitimate interest and form as a legal basis for personal data processing.

Read more

It stated:

The decision...finds that TikTok infringed the GDPR regarding its transfers of EEA User Data to China and its transparency requirements. The decision includes administrative fines totalling €530 millio…

Read more

This newsletter is about data adequacy decisions made by the European Commission under the GDPR. It looks the assessments and procedure that must be carried out by the Commission for these decisions, the form that these decisions can take and their legal status.

Here are the key takeaways:

• Under the GDPR, transfers of personal data to countries outsi…

Read more

TL;DR

This newsletter is about a pseudonymisation and personal data. It looks at a recent AG opinion on the matter and the implications this has for on-device processing and encryption.

Here are the key takeaways:

• Pseudonymisation refers to techniques that reduce the identifiability of personal data. It consists of taking original data, applying a pseudonymisation technique to that data with the output consisting of pseudonymised data.

• There are different ways to pseudonymise data. For example, if you have a database containing the dates of birth of customers, this can be pseudonymised by replacing the dates with age ranges.

• Under the GDPR, pseudonymised data is still considered personal data. However, a recent case (EDPS v SRB) brought before the Court of Justice (CJEU) of the European Union tests this presumption.

• The verdict of the Court is still forthcoming. In the meantime, the opinion of the Advocate General (AG) Spielmann was published on 6 February, providing his view on the matter in question:

  • As per Recital (16) of Regulation 2018/1725, the identifiability of a data subject from pseudonymised data could be achieved by a data controller 'or by another person.' The reasonable likelihood of identifiability needs to be considered, taking into account the cost and time required to do so and the technology available to achieve identifiability.

  • CJEU caselaw has previously set out the parameters for such identifiability. In particular, the Court has held that, in certain circumstances, information could still considered personal data even if "dissociated from the identification data held by someone else."

  • Pseudonymised data may not be considered personal data if "the risk of identification is non-existent or insignificant."

• So according to the AG, for the pseudonymising controller, the data remains personal data. But for any recipient of the pseudonymised data with no reasonable means to use the data to identify a data subject, the data are effectively anonymised and therefore not personal data.

• If this view is adopted by the Court, then this could have interesting implications for a range of different processing contexts. This includes on-device processing and encryption.

What is pseudonymisation?

The GDPR provides a definition of pseudonymisation under Article 4.5:

...the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

In essence, pseudonymisation refers to techniques that reduce the identifiability of personal data. There are therefore different degrees of identifiability:

• Identified individual. Identity is clear when we know exactly who the individual is, i.e., the data are linked to a single person.

• Pseudonymity. Different data points can be linked to someone, but we do not know who that someone is.

• Anonymity. We both do not know the identity of the individual that the data is about nor whether the data are about the same person

There also various ways that data can be pseudonymised. Some of these include the following:

• Summarisation. This is about reducing the granularity or particularity of the data. For example, if you have a database containing the dates of birth of customers, this can be pseudonymised by replacing the dates with age ranges.

• Perturbation. This is about obfuscating the data. For example, you can use a cryptographic hash function to transform personal data into a hash value.

Pseudonymisation techniques consist of three key elements:1

1. The original data

2. The pseudonymisation technique/transformation

3. The pseudonymised data (which itself consists of the output pseudonym and the additional information that can be used to elucidate the original data)

Let's say you have a dataset of customers and you wanted to pseudonymise their names using a cryptographic hash function. In this case:

• The original data would be the customer name

• The pseudonymisation technique/transformation would be the cryptographic hash function

• The pseudonymised data would consist of the hash value outputted by the function as well as the cryptographic keys

Under the GDPR, pseudonymisation is mentioned as a security measure. Article 32 lists examples of organisational and technical measures that can be used to secure personal data, including "the pseudonymisation and encryption of personal data."

This technical measure is also mentioned in Article 25.1 in the context of data protection by design and by default:

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. (Emphasis added)

Pseudonymised data has always been considered personal data under the GDPR. The output of a pseudonymisation technique may not easily be used to identify a data subject, but the data subject can still be identifiable if additional information is used.

Examples of such additional information can include cryptographic keys or tables of the original personal data matching pseudonyms that they have been replaced with.2 This additional information enables the pseudonymised data to be used to identify a data subject, hence the pseudonymised data ultimately remains personal data as it is still information relating to an identified or identifiable person.3

But a case currently before the CJEU, EDPS vs SRB, touches on when pseudonymised data is personal data.

EDPS vs SRB

Summary of the Facts

This case concerns a dispute between the European Data Protection Supervisor (EDPS) and the Single Resolution Board (SRB):

• The EDPS is the data protection regulator of the EU institutions. It ensures that these institutions process personal data in accordance with Regulation (EU) 2018/1725, which can be thought of as the GDPR for EU institutions.

• The SRB is the resolution authority for the European Bank union. Its role is to ensure the orderly resolution of failing banks and help maintain market stability and confidence of participating EU countries.

In June 2017, the SRB adopted a resolution under which Banco Popular Español S.A. transferred all its shares and capital instruments to Banco Santander S.A (Santander). As part of this process, the SRB procured the services of Deloitte to determine whether shareholders and creditors affected by the resolution would have received better treatment had normal insolvency proceedings been used.

Deloitte provided the SRB with a 'valuation of different in treatment' to help the SRB decide whether compensation should be granted to the affected shareholders and creditors. To further help with its decision, the SRB also launched a right to be heard process to verify the eligibility and interest of the relevant parties and receive comments from affected shareholders and creditors.

During the registration phase, a range of data was collected. This included proof of the participants' identity and ownership of capital instruments of Banco Popular. These data were accessible to a limited number of SRB staff responsible for processing the data to determine eligibility.

During the consultation phase, eligible participants submitted their comments to SRB staff responsible for processing these comments. These SRB staff did not have visibility of the data processed during the registration phase. Additionally, each individual comment was allocated an alphanumeric code.

The comments and their codes were then shared with Deloitte, and not the data collected during the registration phase. The consultation data were categorised, filtered and aggregated before being shared:

The comments transferred to Deloitte were solely those that were received during the consultation phase and that bore an alphanumeric code, developed for audit purposes to enable the SRB to verify, and if necessary to demonstrate subsequently, that each comment had been handled and duly considered. On account of that code, only the SRB could link the comments to the data received in the registration phase. Deloitte had, and still has, no access to the database of data collected during the registration phase.4

Upon learning of this data sharing with Deloitte, affected shareholders and creditors submitted complaints to the EDPS. They alleged that the SRB had failed to include in its privacy statement that data would be shared with Deloitte as per Article 15(1)(d) of Regulation (EU) 2018/1725.

The EDPS adopted its decision on the matter in which it stated that the data shared with Deloitee (the comments along with the codes) were personal data. It also stated that in the future the SRB should state in its data protection notices the entities with whom personal data may be shared.

The SRB brought proceedings against the EDPS before the General Court of the Court of Justice of the European Union (CJEU) in September 2020. In its claim, the SRB contended that the data transmitted to Deloitte did not constitute personal data.

The General Court sided with the SRB in its original judgment, holding that the data transferred to Deloitte was not personal data:

...with regard to the condition laid down in Article 3(1) of Regulation 2018/1725 that the information must relate to an ‘identified or identifiable’ natural person, the General Court held that, in the present case, it was for the EDPS to examine whether the comments transmitted to Deloitte constituted personal data for Deloitte. According to the judgment under appeal, the EDPS merely examined whether it was possible to re-identify the authors of the comments from the SRB’s perspective and not from Deloitte’s. Therefore, since the EDPS did not investigate whether Deloitte had legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors of the comments, the EDPS could not conclude that the information transmitted to Deloitte constituted information relating to an ‘identifiable natural person’ within the meaning of Article 3(1) of Regulation 2018/1725.5 (Emphasis added)

The EDPS appealed against this decision in July 2023 on the grounds that the Court's interpretation of 'personal data' under Regulation 2018/1725 was incorrect. The appeal concerned two key matters:

1. The meaning personal data

2. The concept of pseudonymisation

These are the issues that the General Court will address in its decision on the appeal. In the meantime, the opinion of Advocate General Spielmann was published on 6 February, providing his view on the matter in question.

AG Opinion

The meaning of personal data

The view of the AG here is straightforward. The data collected during the consultation phase (namely the comments and their respective alphanumeric codes) did constitute personal data.

The AG reasoned that this was clear by looking at the context in which the information was collected and used:

...it is clear from the applicable legal framework that the purpose of the right to be heard process, in the context of which the comments at issue were submitted, was to enable the affected shareholders and creditors to contribute to the process, in particular to enable the SRB to have all the information necessary to take a final decision on whether the shareholders and creditors affected by the resolution of Banco Popular should be granted compensation in accordance with the principle that no creditor should be worse off than in the event of liquidation under normal insolvency proceedings. Furthermore, those comments, once taken into account by the SRB, were liable to have an effect on the complainants’ interests and rights regarding financial compensation.

I conclude on that basis that the comments at issue relate to the data subjects in the present case, including by reason of their purpose and effect.

I would add that it is true that the comments at issue, as transferred to Deloitte, were ‘filtered, categorised and aggregated’, with the result that, as is clear from the facts established by the General Court, individual comments could not be distinguished within a single theme; however, it may be accepted that, even when aggregated, those collective comments, in terms of their content, reflect personal views regarding Valuation 3. They constitute a sum of opinions which, as such, constitute information relating to the persons who expressed them. Their filtering, categorisation and aggregation do not alter that finding, otherwise it would be sufficient, in order to avoid the requirement of information ‘relating’ to a natural person, to aggregate several points of view. The fact that it is not possible, within that sum of comments, to distinguish the various individual opinions seems to me to fall more within the scope of the second cumulative condition, relating to the identifiability of the data subjects, examined in the context of the second part of the present ground of appeal, than within the scope of the condition requiring the comment to be ‘linked’ to a natural person.6

The concept of pseudonymisation

The argument put forward by the EDPS in this case is that pseudonymised data are still personal data because the data subject remains identifiable as the additional information that enables identification still exists. The AG disagrees with this argument.

The AG relies on the wording of Recital (16) of Regulation 2018/1725, which states the following:

The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.7

It is argued by the AG that this Recital presents the possibility that pseudonymisation, in some circumstances, could result in data subjects not being identifiable from the pseudonymised data.8 This could be the case even if the additional data that could be used to make the data subject identifiable still exists but its access is sufficiently limited.9 Accordingly, there may be some forms of pseudonymised data that fall outside the scope of the concept of personal data.10

The exact reasoning of the AG is as follows:

• As per Recital (16), the identifiability of a data subject could be achieved by a data controller 'or by another person.' The reasonable likelihood of identifiability needs to be considered, taking into account the cost and time required to do so and the technology available to achieve identifiability.11

• CJEU caselaw has previously set out the paramaters for such identifiability. In particular, the Court has held that, in certain circumstances, information could still considered personal data even if "dissociated from the identification data held by someone else."12

• Pseudonymised data may not be considered personal data if "the risk of identification is non-existent or insignificant."13

According to AG, this reasoning supports a relative, rather than a strict, approach to the concept of personal data and pseudonymisation. Taking a relative approach to the current case, the AG suggests that the key question for the Court to consider is whether "Deloitte had reasonable means to identify [the data subjects]."14 If Deloitte did have such means, only then should the comments and alphanumeric codes it received from the SRB should be considered personal data.

The AG states further:

...it seems to me disproportionate to impose on an entity, which could not reasonably identify the data subjects, obligations arising from Regulation 2018/1725, obligations which that entity could not, in theory, comply with or which would specifically require it to attempt to identify the data subjects.15

Read more

This posts lists some of the best books on data rights that I have read (so far). The list is neither in any particular order nor exhaustive.

The list for this post includes the following:

1. Future Politics: Living Together in a World Transformed by Tech (OUP 2018) by Jamie Susskind

2. Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (Profile Books 2019) by Shoshana Zuboff

3. Privacy is Hard and Seven Other Myths: Achieving Privacy Through Careful Design (MIT Press) by Jaap-Henk Hoepman

Please leave comments on your thoughts on these books if you have read them, or if there other books on data rights that you like.

Future Politics: Living Together in a World Transformed by Tech (OUP 2018) by Jamie Susskind

This Substack is about the intersection between law, technology and society. Susskind I think presents the best explanation for why this intersection is so important to our future.

As a practising barrister who has dealt with plenty of matters in this space, Susskind's Future Politics provides a well-explained conceptualisation of how technology shapes our lives and how we should respond to this. He proposes using political theory to analyse our future as impacted by technology in terms of power, liberty, democracy, justice and politics.

The introductory chapter of the book includes my favourite passage and I have quoted several times in my previous posts:

Politics in the twentieth century was dominated by a central question: how much of our collective life should be determined by the state, and what should be left to the market and civil society? For the generation now approaching political maturity, the debate will be different: to what extent should our lives be directed and controlled by powerful digital systems - and on what terms? This question is at the heart of Future Politics.1

If you are not familiar at all with the data rights space, and want a text that introduces you to what it is all about, this is the book to start with.

Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (Profile Books 2019) by Shoshana Zuboff

While Future Politics is a more introductory tome, the Age of Surveillance Capitalism is a more comprehensive look into the perils of the powerful digital systems that control our lives.

Zuboff's work is a heavy read. But if you want to intimately understand the risks posed by today's technology companies, the Age of Surveillance Capitalism is essential.

The book includes the story of how Google came to embrace surveillance capitalism, and how Facebook went on to master it. Such companies operate a system focused on profiting from the collection and analysis of behavioural data left behind when we interact with their services and platforms, resulting in a system that leaves one group powerful (Big Tech) and other rather powerless (users of Big Tech). You can read more about this in my previous looking at the surveillance capitalist model.

In covering the story about Google's embracement of surveillance capitalism, Zuboff reminds us how this system, and the way it dominants much of modern technology today, was never an inevitability, but a choice made by tech companies:

Key to our conversation is this fact: surveillance capitalism was invented by a specific group of human beings in a specific time and place. It is not an inherent result of digital technology, nor is it a necessary expression of information capitalism. It was intentionally constructed at a moment in history.2

Privacy is Hard and Seven Other Myths: Achieving Privacy Through Careful Design (MIT Press) by Jaap-Henk Hoepman

Future Politics and Age of Surveillance Capitalism deal with the theories underlying data rights. Privacy is Hard and Seven Other Myths deals with the practical.

Hoepman tackles the common misconceptions regarding privacy in the modern digital age. This includes how easily seemingly 'anonymised' data can be used to identify a person, everything wrong with the argument against privacy in the form of 'you have nothing to hide', and why privacy does not need to come at the expense of security.

An important point that Hoepman makes regarding privacy is that its implementation, fundamentally, requires a cultural shift where privacy is valued more than just a regulatory tick-box:

Even though proper privacy protection requires a fundamental shift in how systems are designed, it is really not as hard as people tend to think. Throughout this book, we have encountered many examples in which a simple shift in the underlying approach, a change of perspective, makes it much easier to cater for privacy. We have also seen that there are many privacy-enhancing technologies ready to be used for the implementation of more privacy-friendly systems.3

In addition to this though, ensuring sound privacy does also require a rewiring of the underlying systems that we have become so familiar with over the years:

Significantly improving the privacy of the apps and services we use should be our first priority. But at some point, we need to dig deeper down into the technology stack and reconsider the designs for our computers and networks, both at the hardware and operating system levels. These designs are half a century old by now and never fundamentally changed, while the world in which they are used has changed beyond recognition. We are stretching the boundaries of their use beyond the breaking point - not only in terms of privacy, by the way, but also in terms of security and reliability. It's time to start redoing the plumbing, instead of applying Band-Aids to temporarily stop some leakage while we frantically mop the floor against all odds.4

TL;DR

This newsletter is about why organisations should care about data rights and how to comply with them in practice. It looks at the value of data rights compliance, how this can be done in a more integrated manner and what this looks like in the context of AI governance.

Here are the key takeaways:

• Data rights compliance is sometimes viewed as an annoying inconvenience that stifles innovation and progress. Those in the data rights space involved in the shaping, applying or enforcing of data rights may therefore be perceived as perpetuators of stagnation.

• There is some evidence of this happening in Europe. Mario Draghi's report shows how the EU's complex web of regulations may be partly responsible for the lagging growth in the region as well as the lack of a thriving tech sector.

• However, rather than stifling innovation and growth, data rights professionals can help organisations to better position themselves to improve their products or services or how they do things. This includes taking advantage of the opportunities presented by the latest AI wave.

• To do this, organisations need to focus on moving data rights left. This means considering data rights compliance issues in a more integrated and efficient fashion so that they are not addressed at the last moment and become a bottleneck.

• By moving data rights left, organisations can achieve three things:

  • Be in a position to take advantage of new technologies

  • Avoid data rights disasters

  • Gain a valuable USP

• Moving data rights left in the context of AI development and adoption requires data rights professionals to be proactive in their compliance work and collaborate with different stakeholders. This is to ensure that there is a balance between the business goals of the organisation and data rights.

• In the context of AI governance, moving data rights left means addressing three key questions:

  1. What is the AI landscape/how are companies currently using AI?

  2. What are the problems/pain points of this journey?

  3. How do we solve these problems/ease the pain (balancing data rights with business goals)?

Intro

In What data rights are for, I put forward a concise case for why I think data rights in this modern digital age are so important and therefore why people should exercise them when they can.

What data rights are for (#2) expanded on these ideas by looking at the surveillance capitalist model and the negative externalities that data rights are designed to protect you from.

With these previous posts, I explored why data rights are important from the perspective of the users of powerful digital systems. But with this post, I take a slightly different approach by looking at why data rights are important for the builders of powerful digital systems.

In other words, in this post I attempt to answer the following question:

To what extent should builders of powerful digital systems be concerned with data rights, and what does this look like in practice?

Ultimately, data rights law is about protecting individuals. But to achieve this, organisations building and operating powerful digital systems need to implement various measures to ensure compliance with the law and in turn respect people's rights. These measures (whether they are legal, organisational or technical in nature) are designed to tackle some of the harms and risks that arise from the deployment or use of powerful digital systems. However, such compliance work is sometimes viewed as an annoying inconvenience or even a means of stagnation.

I briefly make reference to this in What data rights are for (#2) in the context of the surveillance capitalist model and the nature of such a system:

Data rights provide a means for confronting the surveillance capitalist machine.

But in the first place, as an individual, if you can help it, do not feed the machine!

Do not give your data to entities that are not incentivised to use it in your best interests. Do not give your data to those who are not incentivised to use it ethically or fairly.

Do not give your data to those who will not look after it.

If you understand the system at play, which is set out in this post, then you will understand why:

[...]

• A system that is represented by mantras like 'move fast and break things' whereby the supposed beneficial ends always, somehow, justify the means and anyone who argues otherwise are simply luddites determined to stifle progress and growth. (Emphasis added)

I used 'luddites' ironically to essentially refer to those in the data rights space. This includes the legal/compliance/policy experts, practitioners, auditors, regulators and any others involved in the shaping, applying or enforcing of data rights.

(I say ironically because I too am in the data rights space.)

But are these various people and entities in the data rights space actually luddites? Some definitely seem to think so.

One such person is Marc Andreessen, co-founder and general partner of the prominent Silicon Valley venture capital firm Andreessen Horowitz. In his Techno Optimist Manifesto, Andreessen describes how technological development is essential for progress and improving the human condition:

Lies

We are being lied to.

We are told that technology takes our jobs, reduces our wages, increases inequality, threatens our health, ruins the environment, degrades our society, corrupts our children, impairs our humanity, threatens our future, and is ever on the verge of ruining everything.

We are told to be angry, bitter, and resentful about technology.

We are told to be pessimistic.

The myth of Prometheus – in various updated forms like Frankenstein, Oppenheimer, and Terminator – haunts our nightmares.

We are told to denounce our birthright – our intelligence, our control over nature, our ability to build a better world.

We are told to be miserable about the future.

Truth

Our civilization was built on technology.

Our civilization is built on technology.

Technology is the glory of human ambition and achievement, the spearhead of progress, and the realization of our potential.

For hundreds of years, we properly glorified this – until recently.

I am here to bring the good news.

We can advance to a far superior way of living, and of being.

We have the tools, the systems, the ideas.

We have the will.

It is time, once again, to raise the technology flag.

It is time to be Techno-Optimists.

Notice how Andreessen frames concerns about technology taking our jobs, reducing wages, increasing inequality, threatening health, ruining the environment, degrading our society, corrupting children, impairing our humanity, threatening the future and being on the verge of ruining everything as part of "the lie". This means that advocates of these concerns are opposing ‘the truth’, which is that technological development has been the key to the success of civilization and ‘the glory of human ambition and achievement’.

So who would be the advocates of "the lie"? Perhaps it would be ‘techno-pessimists’, the ones who raise concerns about data protection, online safety, influence operations, surveillance capitalism, algorithmic bias and the other various risks of modern technology. In fact, in his manifesto, Andreessen explicitly calls out such people:

The Enemy

We have enemies.

Our enemies are not bad people – but rather bad ideas.

Our present society has been subjected to a mass demoralization campaign for six decades – against technology and against life – under varying names like “existential risk”, “sustainability”, “ESG”, “Sustainable Development Goals”, “social responsibility”, “stakeholder capitalism”, “Precautionary Principle”, “trust and safety”, “tech ethics”, “risk management”, “de-growth”, “the limits of growth”.

This demoralization campaign is based on bad ideas of the past – zombie ideas, many derived from Communism, disastrous then and now – that have refused to die.

Our enemy is stagnation.

Our enemy is anti-merit, anti-ambition, anti-striving, anti-achievement, anti-greatness.

Our enemy is statism, authoritarianism, collectivism, central planning, socialism.

Our enemy is bureaucracy, vetocracy, gerontocracy, blind deference to tradition.

Our enemy is corruption, regulatory capture, monopolies, cartels.

Our enemy is institutions that in their youth were vital and energetic and truth-seeking, but are now compromised and corroded and collapsing – blocking progress in increasingly desperate bids for continued relevance, frantically trying to justify their ongoing funding despite spiraling dysfunction and escalating ineptness.

Our enemy is the ivory tower, the know-it-all credentialed expert worldview, indulging in abstract theories, luxury beliefs, social engineering, disconnected from the real world, delusional, unelected, and unaccountable – playing God with everyone else’s lives, with total insulation from the consequences.

[…]

Our enemy is the Precautionary Principle, which would have prevented virtually all progress since man first harnessed fire. The Precautionary Principle was invented to prevent the large-scale deployment of civilian nuclear power, perhaps the most catastrophic mistake in Western society in my lifetime. The Precautionary Principle continues to inflict enormous unnecessary suffering on our world today. It is deeply immoral, and we must jettison it with extreme prejudice.

[…]

We will explain to people captured by these zombie ideas that their fears are unwarranted and the future is bright.

We believe these captured people are suffering from ressentiment – a witches’ brew of resentment, bitterness, and rage that is causing them to hold mistaken values, values that are damaging to both themselves and the people they care about.

We believe we must help them find their way out of their self-imposed labyrinth of pain.

We invite everyone to join us in Techno-Optimism.

With this worldview, Andreessen is attempting to illustrate a contrast between the so-called builders and so-called luddites.

The builders are concerned with building the future and improving the human condition. Luddites are more concerned with the risks of such activity.

However, according to Andreessen, the missions of both groups are fundamentally contradictory. There is no way to develop technology that progresses society if we are constantly critiquing such technology and placing limits on its very development based on its various risks.

Andreessen is very clearly against those placing such limits on technology. In his piece called Why AI Will Save the World, he characterises the luddites as Baptists, namely those who "legitimately feel – deeply and emotionally, if not rationally – that new restrictions, regulations, and laws are required to prevent societal disaster" (drawing parallels with the advocates of the prohibition of alcohol in the US during the 1920s). These Baptist, or 'doomers', include "AI safety experts", "AI ethicists", "AI risk researchers" and essentially all those in the data rights space. These people believe more in the risks of AI than the benefits of AI.

And if they believe more in the risks than the benefits of AI, then the precautionary principle suggests that more limits and controls must be placed on such a technology.

For Andreessen, given his strong belief in AI providing a way to "make everything we care about better", placing limits or controls on its development is akin to being anti-progress. It is akin to being a luddite.

In some ways, Andreessen could be right. But I ultimately believe that he cannot be right.

In fact, if data rights are implemented correctly, there is a way to balance the missions of the so-called builders and the so-called luddites. There is a way to help build machines of loving grace.

Why Andreessen could be right

It is important to clarify what data rights professionals like myself actually do.

We basically help solve legal/policy problems within an existing legal/policy framework.

Laws are the rules that govern our society in various ways. They dictate what we can and cannot do, and stipulate our rights and responsibilities.

However, these rules cover the many events, transactions and activities that feature in our societies. It makes understanding and following all these rules very difficult for the average person.

This is what makes the law a barrier for people as they try navigate their way through society. They struggle to find the laws that apply to their particular situations and the actions they are permitted to take based on those applicable laws.

These are the legal problems that data rights professionals solve. They provide solutions to these problems by helping to figure out three things:

• The objective that the client wants to pursue

• The laws that apply to the pursuance of this objective

• The actions that can be taken by the client as permitted by the applicable laws

But herein lies the potential problem with data rights professionals that Andreessen hints at; they are essentially trained to be risk-averse pessimists by default.

When data rights professionals are developing their legal solutions, they are trying to eliminate or mitigate risks for the client. They are trying to ensure that the client does not fall on the wrong side of the law whilst achieving what they want to achieve.

But this means that data rights professionals are predominantly looking for how things can go wrong. And it is this kind of mindset that Andreessen is referring to in his depiction of "the enemy."

This includes his criticism of the 'precautionary principle', a concept codified in EU law:

The precautionary principle is an approach to risk management, where, if it is possible that a given policy or action might cause harm to the public or the environment and if there is still no scientific agreement on the issue, the policy or action in question should not be carried out. However, the policy or action may be reviewed when more scientific information becomes available. The principle is set out in Article 191 of the Treaty on the Functioning of the European Union (TFEU).

The problem that people like Andreessen have with the precautionary principle and the mindset it embodies is that it promotes a crippling form of risk intolerance upheld by the "tyranny of bureaucratization."1 Such bureaucratization is evident across various different social domains, partly manifested in a massive bloating of legal codes and regulation.

Andreessen and other like-minded people view all of this as part of an ideology of stasis that stifles innovation and progress in society:

...bureaucratic norms, organizations, and languages have become institutionalized, transferring more power to a managerial elite. This constant bureaucratization is paralleled by the desire for total quantification across government, business, and academia, wherein progress depends on meeting predefined metrics. Granted, risk management, which often requires quantification, has been critical for civilization's progress; some have even claimed that advances in probability theory, which helps control risk, ignited the scientific and industrial revolutions that separated the preindustrial era from modernity. But while quantification has contributed to increased managerial efficiency and scientific progress, our current desire to measure and control all risk has reduced our collective willingness to take any. Instead of mastering uncertainty and embracing ambiguity, we quantify risk in hopes of eliminating it. This zero-risk bias not only impedes innovation, it can backfire.2

A culture based on risk avoidance and intolerance is one that prefers the status quo over change. This inevitably makes great advances and innovation much more difficult, since such efforts are inherently risky and threaten the status quo. Less volatility may mean more stasis, but there is also less chance of improving things if they more-or-less stay the same.

Where does such a culture exist? One might point to the EU. Or you could even say the EU has pointed to itself.

Back in September 2024, Mario Draghi, former prime minister of Italy and president of the European Central Bank, released his report on European competitiveness. Below is an extract from the Foreword:

Europe has been worrying about slowing growth since the start of this century. Various strategies to raise growth rates have come and gone, but the trend has remained unchanged.

Across different metrics, a wide gap in GDP has opened up between the EU and the US, driven mainly by a more pronounced slowdown in productivity growth in Europe. Europe’s households have paid the price in foregone living standards. On a per capita basis, real disposable income has grown almost twice as much in the US as in the EU since 2000.

[...]

Technological change is accelerating rapidly. Europe largely missed out on the digital revolution led by the internet and the productivity gains it brought: in fact, the productivity gap between the EU and the US is largely explained by the tech sector. The EU is weak in the emerging technologies that will drive future growth. Only four of the world’s top 50 tech companies are European.

[...]

This is an existential challenge.

The only way to meet this challenge is to grow and become more productive, preserving our values of equity and social inclusion. And the only way to become more productive is for Europe to radically change.3

But how has Europe managed to find itself confronted with this existential challenge? It could be at least partly to do with its vast and complex regulatory framework. Further on in the report it states:

Europe is stuck in a static industrial structure with few new companies rising up to disrupt existing industries or develop new growth engines. In fact, there is no EU company with a market capitalisation over EUR 100 billion that has been set up from scratch in the last fifty years, while all six US companies with a valuation above EUR 1 trillion have been created in this period. This lack of dynamism is self-fulfilling.

The problem is not that Europe lacks ideas or ambition. We have many talented researchers and entrepreneurs filing patents. But innovation is blocked at the next stage: we are failing to translate innovation into commercialisation, and innovative companies that want to scale up in Europe are hindered at every stage by inconsistent and restrictive regulations. (Emphasis added)4

In the area of tech law and policy, the EU has passed/brought into force plenty of legislation in recent years. The GDPR came into force in 2018, the Digital Services Act and the Digital Markets Act were passed in 2022, and the AI Act was passed in 2023. That is a lot of hefty and impactful regulation coming into existence over a 5-year period. The Draghi report suggests that such legislation forms as regulatory barriers that are particularly onerous on young companies in the tech sector.5

And the EU prides itself as a 'world leader' in terms of regulation. Dubbed the 'Brussels effect', the EU is known for the extra-territorialisation of its laws that ends up influencing standards in other jurisdictions. When the EU passed the AI Act in late 2023, there was this tweet from the then Internal Markets Commissioner in the European Commission Thierry Breton:

It seems clear from the likes of Draghi and Breton that the EU is more focused on regulating AI than building it. As a consequence, Europe has experienced slow growth, a slacking tech sector relative to the US and very little innovation coming from the continent. Europe has suffered from an ideology of stasis.

For Andreessen et al, those in the data rights space perpetuate this ideology and its constituent problems. With a complex web of regulations in place, data rights professionals guide others on the actions they can and cannot take in pursuing their respective objectives. But in doing so, they perform their role as risk-averse pessimists who impose the various restrictions dictated by the bureaucracies above. 'No you cannot do x because provision y of law z says you cannot do x.' 'Before you do x you need to consult y stakeholders and carry out z impact assessment before doing x.' 'If you do x you will be exploiting a legal grey area and you are at a high risk of being sanctioned by regulators or being sued.' Party poopers, naysayers, killjoys, cynics. Data rights professionals are luddites.

Why Andreessen cannot be right

Abeba Birhane's thesis, Automating Ambiguity: Challenges and Pitfalls of Artificial Intelligence, (which I have written about previously) is a brilliant antithesis of the current hype that exists around AI. But while her work contains heavy critiques of AI and the industry behind it, Birhane does admit this at the end:

This thesis is first and foremost an endeavour to critically examine both the scientific basis and ethical dimensions of current ML/AI. Thus, it primarily lays bare the limitations, failings, and problems surrounding AI systems broadly construed. But this is not to imply that AI systems cannot be beneficial (to marginalized communities, AI is already beneficial to the wealthy and powerful), or cannot function in a way that serves the most disenfranchised or minoritized. Far from it. It is possible and important to envision such a future. (Emphasis added)6

Technological development does encompass benefits and risks. This is especially when the development is driven by corporations with their motives and incentives (see What data rights are for #2).

We therefore need data rights professionals. We need them in order to minimise the risks and maximise the benefits. We get criticised for focusing too much on the former and not enough of the latter. This is why we are seen as risk-averse pessimists.

But data rights professionals can be more than this.

Data rights professionals cannot just be part of a managerial class merely concerned with "the organization and allocation of productive activity as opposed to the production of anything in particular." They cannot just be a conveyer belt for "orders flowing in from above."

Compliance with data rights provide a way for organisations to better position themselves to improve their products or services or how they do things.

Look at the current AI wave. More and more companies are using open models to either improve internal processes or to build/augment their products or services. Whilst there remains a lot of hype around exactly how capable these models are and what they can therefore be used for, lots of companies are experimenting or at least thinking about how to use them. But for any company to be able to take full advantage of these open models, there is no escaping the fundamental first-order issue of data rights.

Let's say a European retail company wants to fine-tune an open LLM to build a customer service chatbot. To do this, the company will need large datasets of conversational text, customer queries and customer responses. To pursue such a project, the company will need to know what they can use to make this chatbot a reality. It will need to know about its data lifecycle (including the data they collect, what its used for, where its stored, who it is shared with etc). This knowledge is not just needed for legal compliance purposes, such as identifying an appropriate legal basis under the GDPR to use the data for building a chatbot (to the extent that the dataset contains personal data). This type of knowledge is crucial for knowing whether building such a product is even feasible in the first place.

This is the value that data rights professionals can provide. They can help with the work required to get an organisations' data rights in order. They can help organisations better understand what data they hold, how it is used and what they can use it for. So if a company wanted to build a customer chatbot, data rights professionals could be relied on to provide the crucial guidance on the feasibility of such an endeavour, both from a compliance and a business perspective. They can help ensure that the right infrastructure and measures are in place to take advantage of open AI models.

Essentially, data rights professionals help companies avoid looking like this:

The complex web of regulations that exist may indeed be complicated, but they are not completely unnavigable. You can think of legal frameworks like the rules of chess and the chess board. It is true that the rules and the board restrict the moves that one can make with the different pieces. However, even within these restrictions, there are many moves that can nevertheless be made and therefore many different strategies that can be used to ensure success. The job of data rights professionals is to study this chessboard and help come up with the right moves to win. Their job is to figure out the objective, identify the applicable law, and provide a set of actions to achieve the objective that also complies with the applicable law.

But in order to do this the right way, you need to move data rights left.

What is moving data rights left?

This meme does a good job at capturing how data rights professionals and legal teams are sometimes used or consulted:

Legal/compliance teams are sometimes consulted at the last moment. And then when legal/compliance look at the project and say 'sorry but you can't do this because of x, y and z law', they are seen as unreasonable bottlenecks.

But this is all wrong.

Moving data rights left means considering data rights in a more integrated and efficient fashion:

It is about considering data rights implications at the earliest possible moment of a project and shaping it accordingly. By doing this, you can navigate through the chessboard in a more effective way and avoid legal becoming bottlenecks and basically killing projects.

If you want to ride the latest AI wave, you need to move data rights left.

Why move data rights left?

Moving data rights left allows organisations to achieve three things:

• Be in a position to take advantage of new technologies. For any AI project, having the right data and knowing how to use it is key. Data rights compliance helps organisations with this work as it requires organisations to have a good understanding of what data they hold and how it is used. Such compliance will in turn help implement the necessary processes, policies and procedures in place that will be essential for any AI project, including leveraging open models. Moving data rights left means doing this work earlier, and the earlier this is done the easier AI adoption becomes.

• Avoid data rights disasters. I mentioned several data rights disasters in What data rights are for (#2) in relation to the development of Facebook. For example, with the news feed, the customer support team warned about the perceived invasion of privacy that the feature would invoke, but these concerns were just "brushed off" and seen as a "distraction" by Zuckerberg and others who went ahead with the launch regardless. Luckily for Facebook, the backlash it received after ignoring these warnings did not bring it down, as was the case with the introduction of its targeted advertising features and the Like button. But this may not always be the case for companies taking risks with data rights. provides some great coverage of various privacy disasters at companies that are more existentially threatening, such as the rather unbelievable (and slightly comical) story of Calmera. Moving data rights left means spotting the glaring issues earlier, and providing time to fix them before it is too late.

• Gain a valuable USP. Many will not see the value creation that data rights compliance brings. But doing this compliance in a more integrated fashion rather than as a late add-on not only ensures being on the right side of the law, but also signals to others that you take data rights seriously. Whether B2B or B2C, this can be an incredibly valuable USP or competitive advantage, especially in the midst of a sprawling regulatory framework where achieving effective compliance can be difficult.

How do you move data rights left?

Moving data rights left requires data rights professionals to be collaborative enablers.

They need to be capable of working with various different teams. This requires professionals in the form of expert generalists (or T-shaped individuals); they ought to have a deep knowledge in at least one area combined with a good level of knowledge spread across a number of neighbouring areas. Such a skillset is what can enable data rights professionals to communicate legal and policy requirements to various stakeholders within an organisation and work towards practical solutions to achieve compliance.

This is the way to balance data rights with business goals, and will therefore be crucial for effective AI governance. And with more AI-related laws and policies being developed across the world, the need for effective governance will also increase. If this is done the right way by moving data rights left, and organisations can ride the AI wave whilst remaining compliant.

In the context of AI governance, moving data rights left means addressing three key questions:

1. What is the AI landscape/how are companies currently using AI?

2. What are the problems/pain points of this journey?

3. How do we solve these problems/ease the pain (balancing data rights with business goals)?

Read more

TL;DR

This newsletter is about the powerful digital systems that data rights are designed to protect you from. It looks at the system that underpins Facebook, how it works and its negative externalities.

Here are the key takeaways:

• During the mid-to-late 2000s…

Read more

Regulation is about establishing rules that maximise the benefits and minimise the risks of a particular thing.

These rules can take different forms to achieve this objective. In fact, various rule axes can shape the nature of regulation:

Read more

The first post in this series looked at whether behavioural advertising can be carried out on the basis of contractual necessity (spoiler, it cannot!).

The second…

Read more

Originally published on Backbench UK on November 24, 2020.

In 1599, a group of 218 merchants in London led by Sir Thomas Smythe, put their investments together to form a joint stock company. Raising over £3 million, the corporation was set up to obtain spices from the East Indies to then be sold in England for the “Honour of our Nation” and the “Wealth of our People”.

Back then a royal charter issued by the Crown was needed create a company, of which was not forthcoming until September 1600. That charter gave the company freedom from customs duties for its first six voyages, a monopoly over trade in the East Indies for 15 years and semi-sovereign privileges to rule territories and raise armies. Such sanctions were what created the East India Company, one of the most powerful companies the world has ever seen.

Fast forward to June 1945, around the end of World War II, the famous report entitled “Science: the Endless Frontier” was presented to President Harry Truman. Instead of science falling “flat on its face” after its great contribution to the war effort, it proposed the creation of a new national research system to spur the technological progress essential for economic growth, national security and fighting disease. This report would go on to inspire the creation of the GPS, personal computers, the internet and much more. It was thus a military industrial complex that was behind the growth of a certain high technology hub located on the West Coast; Silicon Valley, home to some of the most powerful companies the world has ever seen.

That the similarities between the East India Company and Silicon Valley go beyond their origin stories may not be apparent at first glance. The legacy of the East India Company is one of a trading corporation absent of any limits to its scope. Reigning over swaths of India, it controlled the law, raised taxes, and waged war. Today’s largest corporations are “tame beasts” compared to what transpired several centuries before.

Yet, such a depiction may be mistaken. Silicon Valley has long outgrown its defence-centric roots, becoming a beacon for a new agile market economy and assuming a status eerily similar to the heights reached by its predecessor. As articulated by Jamie Susskind, the author of Future Politics: Living Together in a World Transformed by Tech, it has created a digital lifeworld comprising of “dense and teeming systems that link human beings, powerful machines, and abundant data in a web of great delicacy and complexity”. It is from this that numerous developments have emerged, from the advancements in artificial intelligence to the growth of surveillance capitalism.

Perhaps it is Silicon Valley that makes the East India Company the tame beast? The former may not be capable of controlling the law, raising taxes or waging wars, but it has produced companies capable of exercising great influence in their own way.

Through mass data extraction and analysis, Google has amassed a fortune with its targeted advertising model and cemented itself as the gatekeeper of the internet recording billions of searches per day. Facebook has followed a similar fate in becoming the biggest social media platform whilst demonstrating its potential to facilitate mass manipulation and herding on an unprecedented scale. Amazon boasts around 40% of online retail sales in the US and provides cloud-computing services supporting copious businesses around the world.

The common thread that runs through these tech companies and others is how they view their place in the world. These organisations are fuelled by a formidable desire to change society in profound ways for the better. They are ruthlessly focused on building the future through rapacious entrepreneurialism and groundbreaking technology. This spirit, stemming from the political impetus of 1940s America, is not too dissimilar to the grand ventures envisaged by the founders of the East India Company.

But also worryingly reminiscent is the cognitive dissonance. Ironically, tech firms have tasked themselves with building the future without considering all the consequences of their creations. The mantra of ‘move fast and break things’ has long dominated the cultural backcloth of Silicon Valley, threatening to put privacy, free speech and democracy among the pile of broken things left in its wake.

In its day, the East India Company was a monopoly, colonial proprietor and corporate State all in one. Yet for a long while, it existed without the checks and balances of a national government and was accountable only to its investors. It thus illustrates how corporations can inconspicuously usurp great power without the imposition of great responsibility. In this respect, it could be argued that Silicon Valley is home to a number of contemporary East India Companies.

Susskind outlines a question for the 21st century: to what extent should our lives be directed and controlled by powerful digital systems and on what terms? As the latest anti-trust action against Google in the US shows, this is the question, among others, that politicians of the future will need to grapple with.

This newsletter is about the EU's proposed Regulation laying down rules to prevent and combat online child sexual abuse, colloquially known as 'chat control' (May 2022 version). It looks at the scope of the legislation, the detection obligations it imposes on service providers and its potential incompatibility with end-to-end encryption.

Here are th…

Read more

Accordingly, a data protection risk refers to the exploitation of a vulnerability which leads to an event that negatively impacts the protection of a data subjects' personal data and h…

Read more