Commentary – KSLR EU Law Blog

Enhance Legal Experience with Virtual Reality: A Legal Tech Perspective

https://www.healtheuropa.eu/could-virtual-reality-ease-the-burden-of-coronavirus-isolation/99566/

*AVV. ANDREA PULIGHEDDU

1.Introduction

In his most renowned novel Neuromancer, the writer William F. Gibson has introduced the key concept of cyber space. The main character, Henry Dorsett Case, is a low-level hustler that aims to reconnect himself to the Matrix, a virtual reality computing platform sited, precisely in cyberspace. Moving from this fictionalized idea, in 1989 the writer and musician Jaron Lanier developed the concept of virtual reality, referring to it as a three-dimensional realities system implemented with stereo viewing goggles and haptic gloves.

Since those days virtual reality (VR) has typically been portrayed whether as a medium, like a telephone or television, and at the same time delved as a new kind of dimension in its philosophical meaning. In a few years of technological development, this new medium has rapidly reached a high level of commercialization, and the massive use of VR as gaming, educational, and entertainment standard methods, is still right behind the corner. Especially during the first part of COVID-19 pandemic period (from Feb. 2020 to May 2020), we assisted in a speedy utilization of these systems among geek and non-geek consumers. Even from the investors’ point of view, the outlooks seem to sound pretty good: in 2019, venture capitalists invested at least 4.1 billion in the VR industry, and these numbers seem to be destinated to grow up and scaling up faster than the last three years.

As soon as these systems have been starting to be commercialized for the entertainment industry, a huge number of professional sectors start to verify what types of business uses were possible introducing the VR inside the company productive process and internal activities. There are several successful user cases available, such as in the training and control activities carried on by QA operators or in education and law enforcement.

Despite the virtuous models studied, there is one professional category on the others whose absence seems a serious loss of opportunity: the legal services.

In this short contribution, we will delve into the meaning of virtual reality under the legal practice experience perspective. In particular we will try to examine on one hand if those kinds of technologies are effectively disruptive for the lawyer category and on the other hand what legal tech applications are concretely possible in order to place the legal industry into this new tech path.

2. Virtual Reality background

For the purpose of this post, “virtual reality” or “VR” is an immersive three-dimensional computer-generated environment. Secondly, as well as the environment definition, we need to reduce the scope or analysis regarding also on hardware basis. In order to maintain a commonly understandable level of debating, in this brief article we will take in consideration only systems constituted by a minimal corpus of particular machines. Considering this, the basic hardware infrastructure assumed as an example in this post is a pair of common VR eye goggles and wired clothing.

Therefore the VR system as defined consist in a computer generated environment, experienced within a tethered or standalone devices such as the previous ones described. One of the key factors of every VR experience resides in peripherals sensors. Sometimes these sensors are programmed with a dual purpose, such as to allow the user to interact with the real world also within a virtual dimension. Visual tools and motion detection set in a such smart way enable a high level of responsiveness and immersive user experience for several different types of possible applications. We will not examine deeply every hardware component of that systems, nevertheless also a high-response audio and a clear video setup are definitively others essential ingredients for a disruptive VR experience.

At this point is sufficient to focalize at least on these two fundamental points for the post scope: the importance of sensors to assure good quality feedback for users involved in a VR experience and the immersive value that the experience has to own itself in order to be introduce innovation trough work activity carried on. This last profile, already not examined, is delved in the next point through a legal tech point of view.

3. Legal tech and related outcomes

Changing perspective, Legal Technology (briefly known also as “Legal Tech”) represents another phenomenon that rapidly soared in a few years growth span. The term, born in the late 1980s, reached its current notoriety level through the studies published by Richard Susskind in his Tomorrow’s Lawyers: An Introduction to Your Future book. The Susskind’s main standpoint was that at least three innovation driving factors can fundamentally be identified with regard to lawyers’ typical activities: resizing tasks from more to less, full liberalization of legal business, and reinforcing alliance between legal matters and technology.

Starting from these three considerations, legal tech has rapidly evolved: from theory it becomes literally a new re-thinking way of the worldwide law professional area, introducing a massive automatization of legal process within code writing and developing new patterns to solve traditional legal problems.

The range of services offered is several. Some are facing typical legal issues, such as due diligence, invoicing methods, reports creations, assessment, gap analysis, etc.; others, more advanced indeed, are focused on contracts and provide computer code-switching systems able to manage different contracts templates as client’s needs. However, the most visionaries and disruptive services ideated from legal tech experts involved the field of artificial intelligence (AI) and blockchain, combining complicated algorithms for legal research or documents signing and transmission or rather for trial justice in courts activities.

Productivity plays an important role for the law firm overall efficiency real growth, but there are disadvantages also related to an adventuristic method of growth like this one. A software represents, more or less, a further level of intermediation between these two parts, and could annihilates the active interaction part which is one important phase of every good legal practice. How to solve it? VR can represent an opportunity.

4. Improving legal experience: VR scenarios and LT tools synergy

One of the possible ways to reduce the loss of immersivity as described above, should be sought in VR development.

Picture this: an area furnished according to medieval Japan style, with two historiated seats placed in the middle of the room and two digitalized avatars -a legal counselor and his client- arguing about an agreement or rather about due diligence if you preferred it, in a professional meeting. Imagine that their dialogue is being supported within several tools: figure if that the counselor, at a certain point, with a simple hand gesture detected by peripheral sensors, can turn on a new software window shown on the visual hub of both parts. The software chart shown could, of course, change depending on the argument chosen. For example, during a discussion for an agreement can be useful to show the electronic document version using a writing tool. Adding more variations is possible that some notes should be inserted during the dialogue, maybe with the help of a voice recognition software which summarizes all important statements that emerged during the meeting. In the meantime a legal research tool is scanning all the words provided in the agreement, verifying the percentage of the possible positive verdict in case of a claim or the amount of possible legal issues related to the meeting object.

The audio and visual impact plays a fundamental role as well. For this reason, coming back to our scenario, while both are dialoguing the software chart shown should be endowed with some audio alerts accorded to the complex passage of the legal writing or with the same visual evidence that shows possible interpretative issues or mistakes. A perspective like the one given can definitively raise the number of possible variations. The list of scenarios could be absolutely huge but in order to maintain a synthetic pattern we limit our vision to this one: a more accurate portrayal of human emotions by virtual characters can definitively help law firms to challenge any inherent bias within the firm and their clients’ businesses and boosting the identification of legal needs, preventing several judicial issues that could be delivered to Courts and discharging at the same time the jurisdiction system from useless trials as well as from others administrative costs.

It is evident that this unique synergy between Legal Tech and Virtual Reality represents a disruptive opportunity: the former add some tools that, if integrated, can definitively accelerate legal counseling activities, the latter demolish the immersivity absence of the first one joining the participants to wonderful scenarios that protect the touchy relationship between the client and his lawyer.

5.Current legal issues, risks and challenges.

Based on the facts exposed, it can be affirmed that a synergy between VR application and Legal Tech methods should represent a clear plus to enhancing the legal experience of the future. Nevertheless -especially regarding the EU area regulation- there are several legal issues related to this constantly evolving process, that deserve to be briefly delved.

First of all, there is an unsolved dilemma related to the preservation of a full confidentiality status between client and lawyer, considering both as categories. In other words: cybersecurity and how to preserve it.

In fact, regarding this aspect, some of the challenges that lawyers will face in this new environment will be familiar to the on-life one. These should include, just, for instance, concerns about the security of conversation and documents shared within the VR ambiance, retaining company secrets during the development process, and protecting communications in the virtual world. Is client confidentiality safe and secure, just as it is commonly presumed during on-life counseling?

The European Union has just developed through the ENISA activity a framework of the legal basis for cyber law application. Following this set of rules is basically a guarantee for key users a minimum level of proper security incidence response, also according to the recent review of the Directive on Security of Network and Information Systems (aka NIS2 Directive).

On the other hand, a proper impact assessment for that hybrid VR/L-Tech system has to consider intellectual property rights protection, and facing this task is not easy at all. The aim to preserve Clients secrets from possible violations that occurred during several moments (such as integrations with external tools like documents software-based add-ons or research engines) is literally in contrast with the current VR based sharing methods, which currently are not covered with specific information security tools as antivirus or firewall dedicated. Naturally, their development could represent an easy obstacle to cross, even if information security history teaches us that hurried solutions for complex problems often represent a risk instead of a solution.

The third problem is related to cultural issues as well as legal, or rather the privacy-compliant adoption by clients as digitalized perspective of legal services. In fact, according to statistics, one of the most diffused concerns about VR systems used for different scope than gaming is related to data security and privacy: in 2020 more or less the 50% of subjects interviewed individuated it has the major problem for that systems, dropping that amount in comparison to 2019 (which provided a percentage number higher than 60).

Although the GDPR has already faced the problem within the article 22 provision, this is not sufficient at all to ensure a high level of protection for personal data processed through these virtual environments. Some of the main aspects that will definitively be delved in order to reach a proper level of processing security are, among others, targeted Data Protection Impact Assessment (DPIA) conduction (art. 35 GDPR), security measures individuation according to art. 32 GDPR provisions and data breach management such as enucleated by art. 30 of the Regulation mentioned.

Personal data are constantly involved in the VR process. From digitalization of bodies or avatar creation in the starting part of almost all software designed for social interaction in VR until the data collection during sessions of activities. Voice records, behavior profiling, and huge amounts of identifiable and sensitive data different for variety, volumes, and velocity of processing are continually used by algorithms in common software as well as VR applications. Privacy risks to VR users are particularly relevant, given the new information that Facebook -for instance- will be able to collect from its immersive VR platforms. These platforms currently track a user’s head movement and could potentially have the capability to track eye movement and, to one extent or another, also biometric information. Biometric issues are only part of the problem.

Conclusion

As virtual reality and legal tech software become normally used worldwide, lawyers that want to face the future challenges of law practice need to become used to innovation. Perhaps there are several legal and operative risks involved and not solved yet, but the immensity of VR systems blended with Legal Tech integration represents a path to cross, a morning star to strive for. Even if liabilities and privacy issues are still open, is our duty -and passion, for legal tech experts- to study and tailor a new body of law and practical guidelines where necessary, able to guide wisely this transition for another great era of human beings. The paradigm is already changed. Are we prepared for it?

Andrea Puligheddu – Privacy & Cybersecurity Lawyer. He held the role of Data Protection Officer for many primary public and private entities in the world of health software & technologies companies, internet service providers, Infosec, TELCO and hardware suppliers. Lecturer in photography and artistic production law for a national accredited media school. Lecturer in GDPR and Privacy Law at several EM (Executive Master’s of Law) on UNI ISO 11697:2017 e UNI PdR 43:2018 standard controls. Accredited as Cyber Security Auditor for international certifications authorities.

More at: https://www.studiolegaleprivacy.com/en/andrea-puligheddu/

Book Review: Federico Fabbrini, Brexit and the Future of the European Union

Book Review of Federico Fabbrini, Brexit and the Future of the European Union, Oxford University Press, 2020, 160 pp, ISBN: 9780198871262.

A European Defining Moment: The ‘Ever Closer Union’ in the Aftermath of Brexit

*Michele Corgatelli

Five years after the end of World War II, French statesman Robert Schuman proposed a Franco-German cooperation in the coal and steel industry aimed at making future conflicts between the two countries ‘not merely unthinkable, but materially impossible’.[1] On such foundations, Europe was envisioned as a dynamic process of integration: ‘(it) will not be made all at once, or according to a single plan’, the Schuman Declaration states; ‘It will be built through concrete achievements which first create a de facto solidarity’.[2]

The strive towards an ‘ever closer union’ [3] represents therefore a purpose, a goal, and even a promise. However, the fact that Europe was not meant to be built in a day can determine a state of permanent institutional restlessness, especially when the integration path cyclically stalls, or shows its weaknesses. In this sense, it has been argued that the United Kingdom’s departure (‘Brexit’) caused a ‘Machiavellian moment’, forcing the Union to face its own temporal finitude, proving that the project could eventually fail and fall apart.[4] Unquestionably, Brexit tests once again the willingness to take the project a step further after a considerable jolt to the European institutional architecture.

In his recent book ‘Brexit and the Future of the European Union’, Federico Fabbrini proposes a multi-facet analysis of this disruptive event through normative and historical lens, thus reconstructing its concise and clear record, from which to draw, through easy consultation, the sequence of facts that overlapped in the past years. Moreover, his inquiry conveys the dynamic dimension of the integration process, separately considering the Union ‘during’, ‘because of’, ‘besides’, ‘after’, and ‘beyond’ Brexit.

The book starts by outlining the remarkable synergy among European institutions and unity among other member States that emerged during the withdrawal negotiations (p. 9). However, the challenges posed by the ‘transitional’ implications of Brexit, for example the re-equilibrium of the balance of powers within European institutions (p. 36) add up to a series of past and present crises that have shaken the Union, namely the Euro-crisis, the migration crisis, the rule of law crisis, climate change, the enlargement to new members, and coronavirus (pp. 61-75).

The first chapters, through a logical progression, functionally lead to the dissertation of the post-Brexit future, where Fabbrini shows that the real paralysing obstacle to a further European integration is represented by the unanimity requirement for the amendment of the treaties (p. 95).

The incoming Conference on the Future of Europe could carry the transformative power of the Messina Conference of 1955 (p. 119) which broke through a paralyzed European project leading to the establishment of the European Economic Community and the European Atomic Energy Community (pp. 119-121) but could also fail like other previous attempts (pp. 121-123). Fabbrini proposes a solution to overcome the fossilization of the treaties: the draft of a new one, the ‘Political Compact’, submitted to a different ratification rule – not the unanimity, but a super-majority of for example three-quarters of the EU Member States (pp. 110, 124-129). [5] Moreover, ‘the treaty would not apply to the non-ratifying states, guaranteeing them the free choice of whether or not to join the Political Compact, with all the consequences that follow’ (p. 125).

Although the negotiation for further integration will certainly be easier without a champion of opt-outs halting it, [6] it is worth recalling that the European Constitution was turned down in 2005 by voters in France and the Netherland, while Irish voters rejected the Treaty of Nice in 2001 and the Treaty of Lisbon in 2007 (p. 98) proving that veto is an obstacle to future progresses even after Brexit.

The Author’s choice to recall the American precedent of the Philadelphia Convention of 1787, which reinterpreted its mandate to propose amendments to the Articles of Confederation and drafted the Constitution instead (pp. 127-128), is particularly significant. Indeed, that precise historical outcome has been considered one of the very few ‘constitutional moments’, a concept ‘distinguished by lasting constitutional arrangements that result from specific, emotionally shared responses to shared fundamental political experiences’.[7]

The American example, whose historical scope and value were not vitiated by the presence of a super-majority ratification mechanism, proves that unanimity is not necessary to lay the foundation of a lasting constitutional architecture. The existential threat to the European Union posed by Brexit, and the coronavirus crisis, could in fact play the role of one of those unique path-dependent moments. Fabbrini’s proposal of a ‘Political Compact’ provides a remedy to the block represented by the unanimity rule, that prevents the Union to effectively utilize this moment and to progress towards an ‘ever closer union’, although merely concentrical.[8]

If the Schuman Declaration of 1950 successfully led to the establishment of the European Coal and Steel Community in 1951, the other proposed area of European cooperation, namely the one in military and defence, was rejected by the French Assemblée Nationale, that voted down the European Defence Community in 1954 (pp. 119-120). After a momentary paralysis, the transformative power of the Messina Conference, a year later, founded the modern Europe (pp. 119-121).

After Brexit, a big halting force to integration is no longer part of the Union; [9] the Conference on the Future of Europe, striving on a renewed Franco-German cooperation, could in fact turn out to be a defining moment, if the right normative solutions – such as the ‘Political Compact’ proposed by Fabbrini – are taken to overcome the current European architectural rigidity caused by the unanimity impasse.

To conclude, ‘Brexit and the Future of the European Union’ stand out for clarity: it combines a holistic approach to a complex event, with a concise writing, devoid of unnecessary socio-political mannerisms. At the same time, the objective analysis is not an aseptic reconstruction of Brexit’s implications, being constantly integrated with original systematic reconstructions.[10] Most importantly, the analysis flows from a problem, namely the obstacles to reform, to a proposed solution, making the book not only academically original, but socially useful as well.

*Michele Corgatelli, LLM by Research Candidate, University of Glasgow.

————————————————————-

[1] Schuman Declaration (9 May 1950, whose recurrence is named ‘Europe Day’). Robert Schuman, who during the War escaped deportation to the Dachau concentration camp, was given the title of ‘Father of Europe’ after he left the office of first President of what is now the European Parliament. For the contribute of Jean Monnet to the Declaration, see Michael Burgess, ‘Entering the Path of Transformation in Europe: The Federal Legacy of the Schuman Declaration’ (2011) 29(2) Fr. Politics Cult. Soc. 4.

[2] ibid.

[3] Solemn Declaration on European Union (Stuttgart, 19 June 1983).

[4] Luuk van Middelaar, ‘Brexit as the European Union’s “Machiavellian Moment”’ (2018) 55 CML Rev. 3, 5.

[5] Fabbrini championed the ‘Political Compact’ in his previous study commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs (‘Possible Avenues for Further Political Integration in Europe – A Political Compact for a More Democratic and Effective Union?’), available at: <https://www.europarl.europa.eu/thinktank/it/document.html?reference=IPOL_STU%282020%29651849>.

[6] The other champion of opt-outs is Denmark. Rebecca Adler-Nissen, ‘Behind the scenes of differentiated integration: circumventing national opt-outs in Justice and Home Affairs’ (2009) 16(1) JEPP 62, 63.

[7] ‘The overwhelming majority of the constitutions that we know do not have these specifics. Constitutions serve other, more technical, goals (…). One of the drawbacks of a constitution that emerges without the blessing of a constitutional moment is that it does not contribute to a sense of union, or to the formation of identity, among members of the society to which it applies’. András Sajó, ‘Constitution without the constitutional moment: A view from the new member states’ (2005) 3(2-3) ICON 243, 243.

[8] The post-Brexit attraction to the ‘variable geometry’ model of European integration is indeed a peculiar phenomenon, that could come from two sources: ‘According to one view, the distrust of the EU expressed by the majority of British voters reflects similar feelings in other parts of the European Union, and this implies that the Union should evolve into a less centralized and more flexible organization so as to assuage the growing mass of Eurosceptic citizens across Europe. Another explanation might be that the UK’s defection may act as an incentive for some other countries to advance the integration project more vigorously.’ Bruno De Witte, ‘The future of variable geometry in a post-Brexit European Union’ (2017) 24(2) MJECL 153, 155-156.

[9] ibid, 154.

[10] For instance, the Author detects three competing visions of European integration: ‘polity, which requires solidarity and a communion of efforts towards a shared destiny; (…) market, designed to enhance wealth through commerce, but with as limited redistribution as possible; (…) [autocracy,] which instead sees the EU as a vehicle to entrench state authoritarian rule, based on national identity and sovereignty claims, but with crucial transnational financial support.’ (60, 75-80).

The UK Adequacy Decision and the Looming Possibility of a Schrems III

by Osal Stephen Kelly*

Introduction

In July 2020, the Court of Justice of the European Union (“CJEU”) delivered its judgment in the Schrems II case brought by the Austrian lawyer and activist Max Schrems, with far-reaching implications for data protection policy and practice. One question of particular urgency is what the consequences will be for the continued flow of personal data from the EU to the UK; while the EU-UK Trade and Cooperation Agreement temporarily allows these flows to continue on the same terms as between member states, this will end on 30^th June 2021. The purpose of this period is to allow for the EU Commission to determine whether or not to grant an “adequacy decision” that would confirm that the UK provides a level of protection essentially equivalent to that of member states, which would allow for these important transfers to continue indefinitely. While the Commission has issued a draft adequacy decision, some of the issues identified by the European Data Protection Board (“EDPB”) in its recent opinion on the draft expose frailties in these protections that could form the basis for a legal challenge in the future. It is submitted that there are two areas of particular vulnerability that would be key in any such challenge. First, there are serious unresolved questions around the powers of UK and US authorities to access data for security purposes. Second, the UK’s emerging post-Brexit constitutional and legal framework is likely to be somewhat less advantageous to data subjects vindicating their rights than was the case when EU law had direct effect.

Schrems II

Schrems II comes after another case brought forward by Mr Schrems who had already challenged the previous framework as well (Schrems I). The Schrems II case arose from a complaint concerning the transfer of his data from Facebook Ireland to Facebook Inc. (based in the United States). The complaint was made to the Irish Data Protection Commissioner and resulted in the Irish High Court making a preliminary reference to the CJEU. In its submissions, Facebook sought to justify these transfers as permitted by the EU Commission’s Privacy Shield decision, which set additional safeguards for data moving from the EU to the US. However, the Court found that the Privacy Shield was invalid as the protections offered by US law did not in fact afford the required level of protection. The Court stressed the importance of “effective and enforceable data subject rights” (para. 177 of judgment) and found that data subjects did not enjoy such rights under the Privacy Shield. Particular emphasis was placed on the lack of limits on the power of surveillance agencies to collect data on individuals held by companies such as Facebook (para. 180). While the Court recognised that data controllers could in principle rely on standard contractual clauses approved by the Commission to allow cross-border data transfers to continue, it noted that such clauses did not necessarily protect data from unlawful access by the authorities of the receiving country (para. 141).

from jonesday.com

Schrems III?

Although the UK ceased to be subject to EU law from 31^st December 2020, the GDPR has been incorporated (with amendments) into UK domestic law, in line with Section 3 of the European Union (Withdrawal) Act 2018. This amended version, referred to as the “UK GDPR”, now forms the basis of the UK’s legal framework for data protection, along with the UK’s existing Data Protection Act 2018 (draft adequacy decision, Recital 14), and this is the framework that was examined in the Commission’s draft adequacy decision, and, subsequently, the EDPB’s opinion, released on 13^th April 2021. Although important, the opinion in itself is non-binding and the final decision on adopting the adequacy decision rests with the Commission, so it is likely to be approved.

The EDPB opinion, read in light of Schrems II, would require the UK’s intelligence operations to apply particular scrutiny over the compliance with the (EU) GDPR. While the tone of the opinion as a whole is very measured, the EDPB nonetheless expresses “strong concerns” (para. 88 of opinion) over the data-sharing agreement between US and UK authorities pursuant to the US CLOUD Act. The Act requires US companies to disclose information stored on overseas-based servers on foot of a valid warrant. The EDPB notes that the Commission’s draft decision refers to non-binding “explanations” that were provided to it by UK authorities (para. 88 of opinion). Critically, however, the EDPB notes that these explanations did not seem to comprise “any concrete written assurance or commitment” on the part of the UK Government. It is difficult to see how mere explanations without substantive legal force could be relied upon by data subjects in enforcing their rights, which is concerning, given that the existence of “effective and enforceable data subject rights” was deemed vitally important in Schrems II.

Moreover, para. 189 of the opinion highlights how broad the general exemption is for intelligence-related processing, stating that “national security certificate DPA/S27/Security Service provides that until 24 July 2024, personal data processed ‘for, on behalf of, at the request of or with the aid or assistance of the Security Service or’ and ‘where such processing is necessary to facilitate the proper discharge of the functions of the Security Service described in section 1 of the Security Service Act 1989’ are exempted from the corresponding provisions in UK law to Chapter V GDPR in relation to transfers of personal data to third countries or international organisations”.

This provision is similarly open-ended to Section 702 of the US Foreign Intelligence Surveillance Act, which had been considered not to afford a sufficient level of protection to data flows in Schrems II (para. 180 of judgment). If Part V GDPR (and equivalent provisions in the UK GDPR) does not apply to intelligence processing, personal data would be transferred to US authorities and thus fall within the scope of the Court’s ruling in Schrems II.

Given that the UK is no longer a member of the EU and subject to the jurisdiction of the CJEU, issues also arise in relation to the UK’s overall legal framework (para. 54 of opinion). The Commission has placed great emphasis on the fact that the UK will continue to be a party to the European Convention on Human Rights (“ECHR”) and thus of the “European privacy family” (press release accompanying the adequacy decision). However, while the set of rights listed in the ECHR are also included in the EU’s Charter of Fundamental Rights, in Schrems II the Court notes that the ECHR is not part of the EU law acquis (paras. 98, 99 of judgment). Furthermore, the UK Government will review the Human Rights Act 1998 which implements the ECHR in the UK. The review will consider whether courts have been “unduly drawn into matters of policy”. Given that the CJEU identified “effective and enforceable data subject rights” as key in determining whether a country provided an adequate level of protection (para. 45 of judgment), any dilution of the rights of citizens to invoke their ECHR rights would be likely to count against the UK in the event of a legal challenge.

Conclusion

The foregoing indicates that a credible case could be brought before the Court to challenge the validity of the adequacy decision in the future. On a practical note, data controllers can at least be reassured by the CJEU’s clarification in Schrems II that an adequacy decision enjoys, in effect, a presumption of legality until it is successfully challenged (para. 156 of judgment), and accordingly they should not incur any liability for data transfers while the adequacy decision remains in place, for whatever period that may be.

*Osal Kelly is a postgraduate Law student in the Law Society of Ireland in Dublin and holds an undergraduate degree in Philosophy from Trinity College, Dublin. He currently works in the Irish public service. This article is written in a personal capacity.

EU Travel: The EU’s Package Travel Directive and COVID-19

by Robert Babirad *

I Introduction

The unexpected cancellation of a long awaited, pre-paid vacation is nothing to joke about. Naturally, if this happens and particularly during these turbulent times, the next question is how does one obtain a refund? Secondly, under what conditions is this even possible and especially given the current global pandemic? In November 2015, Directive 2015/2302/EU on Package Travel and Linked Travel was enacted. In light of the recent Coronavirus pandemic, guidance was again recently issued on current interpretations of this Directive and particularly with regard to how it will impact today’s travelers within the European Union.

II The Package Travel Directive

The Package Travel Directive aims to enhance the European Union’s internal and single market performance. This is expected to occur through attaining, to the highest degree possible, a “uniform” and “high” degree of protection for EU consumers with regard to those contracts executed between both merchants and travelers and “relating to package travel and linked travel arrangements. The Directive aids in the “approximating” of the various laws pertaining to packaged travel across the EU’s Member States, as well as to particular aspects of their respective regulations, laws and those provisions that govern the administration of this area.

Harmonisation in consumer protection through legal approximation across the EU is the overarching objective of this Directive.

III Cancellations and Refunds

Throughout the European Union, the governments of the Member States have been and continue to be, enacting measures, which have the intended objective of reducing the continued proliferation of the COVID-19 virus. One example is the introduction of the tier system in the UK. A system of three tiers has been implemented in order to limit an increase in the infection rate. These three tiers range from Tier One at “Medium Alert” to Tier 3, which is classified as a “Very High Alert” area. These labels are based upon where the infection rate is the greatest and contain varying levels of restrictions. An example is that of not being permitted to “socialise in a group” outside publicly with more than six people with whom you regularly reside or whom are not included within your regular “support bubble. These actions have additionally extended beyond border controls and internal, national restrictions, to the overall limiting and restricting of travel both within the EU and from abroad. Travel is regulated on a Member State basis throughout the EU. As a result, the measures that have been enacted in the fight against COVID vary widely based on the country that is implementing them. In other words, each country within the EU is implementing their own restrictions on where and with how many people you may socialize, testing requirements for the virus, where a mask is required and what an individual has to do if they want to travel to another location within the same country or abroad. At the EU level, it is the Directive on Package Travel and Linked Travel Arrangements that provides overall guidance to those impacted by unexpected cancellations of pre-booked packaged holidays. This Directive acts as a unified means of providing consumer protection despite the new restrictions and limitations being introduced by the Member States individually at the present time.

Article 12(2) of the Package Travel Directive states that prior to the start or execution of a purchased travel package, the traveler may terminate the contract and receive a full refund, as well as not be responsible for incurring any termination fees, if certain conditions are met. These conditions are namely “unavoidable and extraordinary circumstances occurring at the place of destination or its immediate vicinity,” and which are “significantly affecting the performance of the package,” or those which “significantly affect the carriage of passengers to the destination. The concept of that which “significantly” impacts the “performance of the package” is somewhat ambiguous and seemingly open to varying interpretations. The definition of significance remains unclear.

However, trips may be cancelled without any penalty to the organiser, where that entity is unable to execute the contract between the person booking the trip and the entity offering the package, and where these “unavoidable” and “extraordinary circumstances” exist. Similar protections exist on the consumer side as well.

IV Undue Delay

It is of interest to note that the Directive also requires that travelers who booked the package be notified promptly and without “undue delay” and prior to “the start of the package” if the organiser cancels the trip. The Directive does not clarify the interpretation of “undue delay” in the notification to the consumer. Therefore, the scenario is possible where the seller of the travel package already has knowledge of restrictions or limitations that have been or are about to be imposed by a national government, because of the Corona Virus. Perhaps, in not wanting to lose their profits, the merchant holds off on informing the consumer, with the hope that the restrictions will soon be lifted or invalidated and the package will not need to be cancelled. How long would constitute “undue delay” in informing the consumer in a scenario such as this? Unfortunately, the Directive fails to provide meaningful guidance to the consumer in this regard.

V Unavoidable and Extraordinary Circumstances

Article 12(2) of the Package Travel Directive permits travelers to be free of any penalty when cancelling a package trip as well, where the condition of “unavoidable and extraordinary circumstances” is present “at the place of destination or its immediate vicinity. The guidance which has recently been provided in light of the Coronavirus pandemic suggests that these circumstances entail a situation in which the traveler faces that which is beyond their control, and the results of those same circumstances were unable to be prevented by the consumer. This is in spite of taking of all “reasonable measures. The question is then raised as to what “reasonable measures” does the traveler need to take in order to be free of cancellation penalties for their package trip where there are “unavoidable and extraordinary circumstances” present? It seems obvious that in most cases, there would be nothing that the traveler would be able to do, where, for example, the virus is present in a Member State and travel is otherwise blocked. However, what situation would require “reasonable measures” to be taken by the consumer and what would those entail for purposes of meeting the criteria under this aspect of the Directive?

The information provided is helpful in that it states that COVID-19, another disease, or some other substantial health risk at the intended place of travel in the booking, would satisfy the criteria of constituting situations which are “extraordinary” and “unavoidable. On this, the Directive and the guidance recently provided is clear. In other words, if the virus is present and travel is being blocked by national authorities upon your arrival in another EU nation, there is nothing more that you can do as a traveler. This would be a situation considered “extraordinary” and “unavoidable” and there are no further “reasonable measures” in this regard that need to be taken by you.

Additionally, a traveler can employ the use of a national warning related to their travel, as a possibly effective strategy for demonstrating that there has been a circumstance, which is “extraordinary” and “unavoidable” and would justify them or the seller of the package in cancelling the contract, because of the impact on the actual trip’s execution. In other words, a national travel warning could be enough to constitute the “extraordinary” and “unavoidable” criteria necessary for fulfilment of the Directive and obtaining a full refund.

The guidance provided does also state that if the package travel contract cannot be executed, because of the authorities in a Member State prohibiting a certain type of movement or travel, this indeed would meet the criteria of circumstances, which are otherwise considered “extraordinary” and “unavoidable. Limitations enacted by an official authoritative body in a Member State relating to your trip, such as an attraction being closed, are also in all likelihood, qualifying measures that enable a package travel purchase to be effectively cancelled by the operator or the traveler.

VI Significantly Affecting the Package’s Performance

However, there is room for discretion and ambiguity in determining whether the circumstances actually constitute having an impact on the execution of the travel package and to the degree that a court would consider these to be “significant” enough for purposes of the Directive. There is a definite lack of clarity in this regard, and the Directive has in all likelihood been left purposefully vague and ambiguous here in order to allow each national court to make an assessment and interpretation that is specific to the circumstances. However, although seemingly done intentionally, this wording still leaves a certain degree of confusion on the traveler’s behalf.

Interestingly enough, fear is also not enough for a refund. If a traveler feels a sense of fear toward going to a destination in their package travel arrangement, this will not be adequate enough for a traveler to cancel their package and receive a full refund.^[i] Instead, there must be a determination based on reasonableness in the context of potential life and health risks with regard to the decision as to whether travel to the place(s) in the contract would merit cancellation and entitle the traveler to a refund. If this situation is found to exist, the traveler or the purveyor of the package retains the right to cancel.

After the contract is cancelled, there will also be a period of fourteen days in which the traveler may receive a refund for their package travel purchase.

Vouchers for taking the trip at a later date may also be issued to travelers in lieu of a refund. However, there is also a lack of clarity here with regard to the possibility of a refund for a voucher that is not used or cannot be used within the time allotted. In all likelihood, the voucher itself would be issued under a separate contract with its own terms, conditions and refund policy and therefore not pose a problem under the Directive. This does not appear to be a cause of concern to the prospective traveler, but there is little guidance regarding vouchers otherwise given in this regard.

It is advised though that travelers should be open to accepting that their packaged tours are postponed until sometime in the future, because of the “strains on liquidity of tour operators,” which has resulted in them being burdened with claims for reimbursement and “missing new bookings. Travelers are encouraged to consider the possibility of accepting these vouchers or “credit note(s),” as long as the possibility remains of a full refund if the voucher is not ultimately used. The universal “uncertainty” surrounding travel arrangements is acknowledged and vouchers are offered as a potential option with the final possibility of a refund if needed by the traveler.

VII Traveler Assistance

The operator of a booked tour is required to provide travelers with assistance if they encounter blocks while on their trip and outside of their own respective Member State. This is particularly relevant given the rapidity of the changing situation regarding restrictions, quarantine and other limitations being imposed on a day to day basis under the current global pandemic. Health service information, as well as information regarding consular and help from regional authorities must be provided by the operator of the tour, to a traveler encountering challenges on their trip.

If a traveler is unable to return from their packaged tour, because of circumstances which are “unavoidable” and “extraordinary,” the operator of the tour has additional responsibilities. They must pay for the stranded traveler’s accommodation for up to three nights where the traveler’s transport back home was included in the pre-purchased travel package’s cost.

If the authorities in a locale that one travels to require the traveler to go under quarantine, and as a result, that individual does not make their flight back home, there are options. The national rules of the respective Member State in question, with regard to the quarantine, may enable the traveler to make a claim for repatriation and greater accommodation costs.

VIII Conclusion

The recent guidance is helpful regarding when a traveler with a pre-booked package trip may seek a full refund under EU law. This is especially useful in light of the current global pandemic. However, there are still vagaries that remain leaving a degree of uncertainty as to whether a consumer is eligible for a full refund of their trip from a vendor with regard to EU law. This is particularly true with regard to “unavoidable and extraordinary circumstances” under the Directive, as well as with regard to the consumer’s responsibility to take preventative measures, which are considered reasonable. Additionally, a travel package’s performance being “significantly” impacted remains open to varying interpretations. Finally, the “undue delay” responsibility on the part of the vendor of the package emerges as clear and uncertain with regard to consumer protection and their respective rights under the Directive. In summary, there are positive aspects of the Package Travel Directive and its unified approach across the Member States, particularly with regard to the current Coronavirus pandemic. However, there are aspects under the Directive that even with the current guidance, which has been provided, remain uncertain and vague for consumes of travel packages within the European Union.

* Robert Babirad holds a Masters in European Union Law from King’s College London and is the author of an upcoming, non-fiction travel memoir titled: In-Transit Passenger: Making the Journey Matter coming out in the Spring of 2021.

Location privacy and data retention in times of pandemic and the importance of harmonisation at European level

Patrícia Corrêa

In this time of pandemic, many countries are starting to actively monitor cellphone data to try to contain the spread of the new coronavirus. Governments are using location data to trace contacts or monitor and enforce quarantine of persons who have tested positive for COVID-19 or those with whom they have come into contact with.

The United States’ Government is in discussions with the tech industry about how to use Americans’ cellphone location data to track the spread of the novel coronavirus. In Iceland, authorities have launched an app that tracks users’ movements in order to help tracking coronavirus cases by collecting data about other phones in the area. In India, state authorities have also launched an application to track the movement history of persons tested positive, also providing the date and time of the visit to spots by the patients. In Brazil, at least one city is already using cellphone data to monitor gathering of people and take action to disperse them and soon federal government will follow. There are reports of similar approaches in many other countries as well.

At European level, Internal Market Commissioner Thierry Breton has held a videoconference with CEOs of European telecommunication companies and GSMA to discuss the sharing of anonymised metadata for modelling and predicting the propagation of the virus.

Does this approach necessarily put data privacy at risk? Is the trade-off between data privacy and public health necessary? Whereas it is true that in exceptional circumstances fundamental rights need to be balanced against each other, data privacy shall not be an insurmountable obstacle to the implementation of exceptional public health policies.

Some basics on data and metadata

Simply put, data consists of potential information that has to be processed to be useful. [1] Metadata, on the other hand, is “data about data”, comprising all the information about data at any given time, at any level of aggregation. It is structured information about an information resource of any media type or format. [2]

In order to safeguard privacy, personal data must be anonymised before its processing. Anonymisation refers to the process of de-identifying sensitive data while preserving its format and type [3] so it cannot be tied to specific individuals. Privacy can be also be assured by means of aggregation, which refers to the “process where raw data is gathered and expressed in a summary form for statistical analysis.”

Conditions for the use of location data

While in some countries the use of information to combat the COVID-19 outbreak seems to go beyond anonymised data (individual location and contacts tracking, for instance, requires device-level data), in Europe, so far, collaboration between telecommunication companies and governments appears to encompass only the exchange of anonymised data or databased models. On that level of data processing, the European Data Protection Board issued an approval statement based on some conditions, such as the anonymity of the processed data and the applicability of administrative controls, including security, limited access and limited retention periods.

On April 8, the European Commission issued a Recommendation on a Common Union Toolbox for the Use of Technology and Data to Combat and Exit from the COVID-19 Crisis, in particular concerning mobile applications and the use of anonymised mobility data. The Recommendation acknowledges the value of digital technologies and data in combating the COVID-19 crisis stating, however, that fragmented and uncoordinated approaches could hamper the effectiveness of measures aimed at combating the pandemic and violate fundamental rights and freedoms. It sets up a process for developing a common approach (Toolbox) to use digital means to address the crisis. The Toolbox will consist of practical measures for making effective use of technologies and data, with a focus on a pan-European approach for the use of mobile applications, coordinated at Union level and a common scheme for using anonymised and aggregated data on mobility of populations.

Regarding the use of mobility data, the Recommendation provides, inter alia, for safeguards to be put in place to prevent de-anonymisation and avoid reidentifications of individuals, including guarantees of adequate levels of data and IT security, and assessment of reidentification risks when correlating the anonymised data with other data.

The right to location privacy

According to the Article 4(1) of the GDPR, personal data comprises any information relating to an identified or identifiable natural person, including location data. Location data, as stated by the ePrivacy Directive, means any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service. It can be tied to a known individual (e.g. a name linked to a cell phone subscription) or to an identifier associated with a specific device (anonymised data). In other cases, a dataset is modified to display the location of groups of people, instead of individuals (aggregated data).

Location privacy, hence, relates to the location information of an individual in a sense that prevents others to learn about one’s current or past location. [4] In other words, “This definition captures the idea that the person whose location is being measured should control who can know it.”

The right to location privacy encompasses two fundamental rights, both guaranteed by the Charter of Fundamental Rights of the EU: the respect for private and family life (Article 7) and the protection of personal data (Article 8). Notwithstanding its importance, fundamental rights are not absolute and can be restricted in exceptional situations. As stated by Article 52(1), restrictions on these rights can only be imposed when lawful, legitimate and proportionate.

Location privacy is also protected under the Article 8 of the European Convention on Human Rights and cannot be limited either, if not for derogation in time of emergency consisting of war or other public emergency threatening the life of the nation. In that case, the measures shall be taken strictly to the extent required by the situation and cannot be inconsistent with other obligations under international law (Article 15).

Data retention in EU context

In Digital Rights Ireland case, the ECJ declared the invalidity of the Directive 2006/24/EC, which required providers of publicly available electronic communication services or public communication networks to retain telecommunication data of individuals for the purposes of preventing, investigating and prosecuting serious crime. The ECJ took the view that the Directive does not “provide for sufficient safeguards … to ensure effective protection of the data retained against the risk of abuse and against any unlawful access…” According to the ECJ, although the Directive satisfies a valid objective of general interest (public security), it does not meet the principle of proportionality.

To date, there is no EU legislation regarding data retention. Filling up the void, the ECJ decided in Tele2 Sverige case on the scope and effect of its previous judgment on Digital Rights Ireland, establishing minimum safeguards that must be included in any national law regarding data retention. ECJ therefore concluded that national legislation that did not contemplate minimum safeguards would be precluded pursuant to Article 15(1) of ePrivacy Directive.

Despite the guidelines set out in the Tele2 Sverige judgement, a survey by Privacy International indicates that, as of 2017, a large number of Member States still had not yet made necessary changes to ensure national legislation compliance. This is especially important in this time of pandemic, as many States in Europe are recurring to private telecom companies to disclose retained location data in order to fight the COVID-19 outbreak.

Data retention and location privacy: the need for harmonisation

This scenario highlights the importance of harmonisation on the subject at European level, what would contribute to safeguard citizens’ privacy rights. That coordination between private companies and governments shall reveal how access to sensitive telecommunication data by public authorities will affect the retention of data for private purposes.

In the light of the COVID-19 pandemic, location data can be very useful for epidemiological analysis, medical research and measures against disease spread. This importance, however, does not preclude the respect for privacy rights. In that context, a European framework for data retention is paramount to location privacy, since it can effectively regulate what data can be retained, for how long, and what measures must be taken in order to reduce violations risks and making it is being stored and shared in legitimate and responsible ways.

Final remarks

The retention, processing and exchange of location data to handle the pandemic do not necessarily have to violate privacy. There are mechanisms that, although not infallible, minimise risks of breach in the processing of personal data, in particular aggregation and anonymization. Besides, even in exceptional cases in which personal identifiable information processing is needed, EU Regulation and case law have already set some boundaries, especially amounting to proportionality. What really matters is the approach authorities will choose to take after the outbreak subsides, so mass surveillance does not become the norm.

[1] POMERANTZ, Jeffrey. Metadata. Cambridge : The MIT Press, 2015. p. 21.
[2] BACA, Murtha (ed). Introduction to Metadata. 3. ed. Los Angeles : Getty Research Institute, 2016. p. 2.
[3] RAGHUNATHAN, Balaji. The Complete Book of Data Anonymization: From Planning to Implementation. Boca Raton, FL, USA : CRC Press, 2013. p. 4.
[4] ATAEI, Mehrnaz; KRAY, Christian. Ephemerality is the New Black: A Novel Perspective on Location Data Management and Location Privacy in LBS. In GERTNER, Georg; HUANG, Haosheng (ed. ) Progress in Location-Based Services 2016. Switzerland : Spring, 2017. p. 360.

The Author

Patrícia Corrêa is a Portuguese qualified lawyer currently pursuing a Master’s Degree in International and European Law at Universidade Católica do Porto, Portugal.