newtech.law - legal aspects of new technologies

On 10 January 2019 Advocate General Maciej Szpunar at the Court of Justice of the European Union issued an opinion on the right to be forgotten in the Google search engine, in CNIL (C-136/17). The specific issue is whether, if a data subject requests to be forgotten with respect to sensitive data, Google has an absolute duty to remove the person’s data. The case arose in France before the General Data Protection Regulation entered into force on 25 May 2018, but the conclusions stated in the opinion are also relevant to how the right to be forgotten will be interpreted under the GDPR going forward.

Until now, despite countless warnings before entry into force of the EU’s General Data Protection Regulation in May 2018, administrative authorities have not imposed high fines for violation of regulations on processing of personal data. But this situation seems to be changing, at least in France. On 21 January 2019 the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), imposed a fine of EUR 50 million on Google LLC. The CNIL found that Google had not processed personal data transparently, providing data subjects inadequate information on processing and personalising ads without the consent of the persons who were shown the ads.

At the end of 2017, we wrote about the possibility of using artificial intelligence in the financial services sector. We pointed out that AI algorithms can be used by the financial industry to automate customer contacts and issue initial credit decisions. The use of algorithms by government bodies seemed to be less important at the time. However, this issue ignited much controversy at the end of 2018 due to a ruling by the Province Administrative Court in Warsaw on the freezing of a bank account under a recently introduced section of the Tax Ordinance, which also introduced the digital clearinghouse STIR into the Polish legal system.

Apart from potentially very high administrative penalties that national data protection authorities may impose on violators of the EU’s General Data Protection Regulation (as has already occurred, for example, in France), under the GDPR any person who has suffered material or non-material damage has the right to obtain compensation from the controller or processor of his personal data for the damage suffered. This is an instrument that has attracted much less attention than administrative sanctions, but it may have very serious financial consequences.

Just before the most intensive holiday online sales period, businesses need to implement changes ensuring customers have equal access to goods and services regardless of their nationality, place of residence or place of business. From 3 December 2018, the Geo-blocking Regulation (2018/302) applies throughout the European Union.

We wrote about this proposal earlier (text only in Polish), but due to the commencement of the bans and changes to the adopted final regulation, we come back to the subject.

The discussion about the legal status of tokens and, in particular, whether and when a token is a security or other financial instrument, is still gaining momentum. There are more and more proposals around this discussion that resolve this issue at the outset, recognising that tokens are intended to become securities. These are so-called security tokens, and the issues are sometimes called security token offerings (STOs).