The Archives

Everything written by Mikolaj Barczentewicz on law, economics, and more

AI Hallucinations, GDPR, and the Importance of Cautious Optimism

The General Data Protection Regulation (GDPR), the EU’s data-protection law, requires accuracy in processing personal data. But generative-AI services, such as large language models (LLMs), may “hallucinate” or reflect information that is false but widely spread. On one hand, such inaccuracies may seem like an inherent feature of the technology. On the other, some major ...

Should the GDPR Prohibit AI?

The European Data Protection Board’s (EDPB) Nov. 5 stakeholder consultation on AI models and data protection—organized to gather input for an upcoming Irish Data Protection Commission opinion under Article 64(2) of the General Data Protection Regulation (GDPR)—showcased significant lingering disagreement on how the GDPR should apply to AI. While the event was not intended to ...

The Cookie Plan Crumbles: Stuck in the Middle with Google

Google recently announced that it has changed its plans to phase out third-party cookies in the Chrome web browser. The company had previously planned to disable third-party cookies in Chrome, a change supported by many in the privacy-stakeholder community, but which was met with criticism from the adtech industry and competition lawyers. Google’s new plans ...

Google Previews the Coming Tussle Between GDPR and DMA Article 6(11)

Among the less-discussed requirements of the European Union’s Digital Markets Act (DMA) is the data-sharing obligation created by Article 6(11). This provision requires firms designated under the law as “gatekeepers” to share “ranking, query, click and view data” with third-party online search engines, while ensuring that any personal data is anonymized. Given how restrictively the ...

Does the DMA Let Gatekeepers Protect Data Privacy and Security?

It’s been an eventful two weeks for those following the story of the European Union’s implementation of the Digital Markets Act. On April 18, the European Commission began a series of workshops with the companies designated as “gatekeepers” under the DMA: Apple, Meta, Alphabet, Amazon, ByteDance, and Microsoft. And even as those workshops were still ...

Navigating the AI Frontier, Part I

The European Union is on the verge of enacting the landmark Artificial Intelligence Act (AI Act), which will—for better or worse—usher in a suite of new obligations, and hidden pitfalls, for individuals and firms trying to navigate the development, distribution, and deployment of software. Over the coming months, we will be delving into the nuances ...

EU’s Cybersecurity Draft Shifts Toward Hard Protectionism

A year ago, we cautioned that the EU Cybersecurity Certification Scheme for Cloud Services (EUCS) threatened to embed ill-conceived economic protectionism into the EU’s cybersecurity rules. And, indeed, the European Commission, which has made clear its commitment to pursue “digital sovereignty” for the European Union, can claim some preliminary successes on that front. A recent ...

How ETNO’s ‘Fair Share’ Proposal Threatens Europe’s Digital Future:

The digital transformation of Europe—and, indeed, the world—has been a defining theme of the 21st century. As with all significant shifts, it has also come with its share of challenges, opportunities, and controversies. One such controversy that has recently reemerged is the so-called “fair share” proposal for network traffic—championed most recently in a statement from ...

Will the EU-U.S. Data Privacy Bridge Hold?

With the European Commission’s recent announcement that it had deemed the revamped data-protection framework from the United States to be “adequate” under the European Union’s stringent General Data Protection Regulation (GDPR), the stage is set for what promises to be a legal rollercoaster in the European Court of Justice (CJEU). The Commission’s decision is certain ...

Norwegian Decision Banning Behavioral Advertising on Facebook and Instagram

The Norwegian Data Protection Authority (DPA) on July 14 imposed a temporary three-month ban on “behavioural advertising” on Facebook and Instagram to users based in Norway. The decision relied on the “urgency procedure” under the General Data Protection Regulation (GDPR), which exceptionally allows direct regulatory interventions by other national authorities than the authority of the country ...

The CJEU’s Decision in Meta’s Competition Case: Sensitive Data and Privacy Enforcement by Competition Authorities (Part 2)

Yesterday, I delved into the recent judgment in the Meta case (Case C-252/21) from the Court of Justice of the European Union (CJEU). I gave a preliminary analysis of the court’s view on some of the complexities surrounding the processing of personal data for personalized advertising under the GDPR, focusing on three lawful bases for ...

The CJEU’s Decision in Meta’s Competition Case: Consequences for Personalized Advertising Under the GDPR (Part 1)

Today’s judgment from the Court of Justice of the European Union (CJEU) in Meta’s case (Case C-252/21) offers new insights into the complexities surrounding personalized advertising under the EU General Data Protection Regulation (GDPR). In the decision, in which the CJEU gave the green light to an attempt by the German competition authority (FCO) to ...