To save content items to your account,
please confirm that you agree to abide by our usage policies.
If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account.
Find out more about saving content to .
To save content items to your Kindle, first ensure no-reply@cambridge.org
is added to your Approved Personal Document E-mail List under your Personal Document Settings
on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part
of your Kindle email address below.
Find out more about saving to your Kindle.
Note you can select to save to either the @free.kindle.com or @kindle.com variations.
‘@free.kindle.com’ emails are free but can only be saved to your device when it is connected to wi-fi.
‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.
This chapter discusses the gradual consolidation of the dual-sided framework in the contemporary digital era. Despite the decades-long transatlantic battle between ‘free flow’ and privacy protection, serious disagreement over how to conceptualize data, and the inter-regime tension between human rights and world trade, this chapter argues that the consolidation of the dual-sided framework is precisely a result of such internal tensions and contradictions. The more this dichotomy seems hard to resolve, the more the two framings of free trade and human rights get reinforced, and the more they monopolize the policy terrain for the governance of information and data. This chapter also shows that, despite the entrenched dichotomy, free trade and human rights regimes have been mutually influencing in the ways they respectively approach transborder data flows and the responsibility of big tech, hence further reinforcing the transnationalization of capital and unequal distribution of power in information capitalism.
Clinicians and consumers have long been interested in using purpose-built chatbots to provide mental health support. Specifically designed therapy chatbots are now available direct-to-consumer, even though researchers have yet to establish their efficacy, safety and viability. However, whatever their clinical merits or limitations, the role for specialised therapy chatbots has been overshadowed by the increasing number of people using AI companions and general-purpose generative AI for mental health support. Reports have implicated these offerings in instances of user self-harm, prompting calls for more robust regulation across the entire field. This Element examines the opportunities, risks and legal landscape of AI for direct-to-consumer mental health support and considers a response of distributed regulatory networks. This approach abandons any pretence of a single body of law providing an effective and palatable response for concerns raised by therapy chatbots and the challenges posed by evolving technologies operating in sensitive domains.
This first study of the 2023 Council of Europe (CoE) Data Protection Regulations focuses on the institutional design of the Data Protection Commissioner and the Data Protection Officer (DPO). It shows that the reform of both offices was inspired by the EU offices of the EDPS and the EU DPOs. In the context of an EU-CoE dialectical relationship in data protection, the EU exerts significant influence over institutional design. The article highlights differences between those offices and their EU counterparts. In particular, the weak enforcement/monitoring powers of the CoE Commissioner limit possibilities for accountability within the organisation. The study ends with recommendations to strengthen the Commissioner’s mandate.
One of the most contentious issues relting to sex and gender identity is whether a transgener person has a right to keep informaiton about their biological sex private from others. Related to the right to freedom of expression, discussed in previous chapters, is the countervailing right to private life. Nowhere encapsulates the potential for human rights to conflict more clearly than the tension between the interest of one person to disclose information that another party would rather be kept private. This chapter examines circumstances when it may be lawful to disclose information about the biological sex of another when they would strongly wish that information not be shared at all. Relatedly, it explores circumstances when heightened rights of privacy may obtain as a result of data protection obligations placed on businesses and public bodies. There is no absolute right to keep the fact of one’s sex private, but there may be some circumstances where one has a reasonable expectation of privacy and where disclosure may be unlawful.
For as vivid the academic debate around issues of algorithmic bias, discrimination and unfairness has been in the context of EU law, little attention has been paid thus far to the way in which such instances have been dealt with by courts. This article examines from a non-discrimination law perspective how domestic courts of Member States as well as the European Court of Justice have approached cases of algorithmic bias in automated decision-making, by focusing on the judges’ engagement with discrimination-related considerations. For the purposes of my analysis, I propose a taxonomy of judgments dealing with cases of algorithmic bias and analyse a number of examples accordingly to showcase the distinct features of each category. In this regard, a first distinction is drawn between judgments relating to cases of ‘algorithmic discrimination’ and those concerning cases of ‘unfair algorithmic differentiation’. Depending on the extent to which courts take into account any risks of discrimination in the cases falling under the second category, I further distinguish between judgments of ‘discrimination reflection’, those of ‘discrimination awareness’, and those of ‘discrimination silence’. On the basis of this classification, I then attempt to shed more light on how non-discrimination and data protection law may interact with each other in practice in cases of algorithmic bias. Finally, the article concludes with some reflections on the prevailing tendency to address equality concerns through recourse to data protection rules.
This review essay critically examines three recent books on the digitalization and datafication of humanitarian action: #Help, Humanitarian Extractivism, and Technocolonialism. Each monograph offers a compelling analysis of the myriad ways that humanitarians’ use of digital technologies has reshaped governance and the international order, created new risks, and exacerbated power imbalances. Fundamentally, each book concludes that the various transformations technology has wrought in humanitarianism are, at best, unintended, inconsistent, or unfulfilled in their impact and, at worst, deeply problematic. Setting aside the books’ contributions, each leaves out two important elements. First, in selecting examples, the authors leave mostly unanswered the question of what, if any, positive impacts data and technology have had on or for humanitarian response and those whom it is intended to help. Second, each is mostly silent with regard to practical steps that can be taken to address its critiques, with only Technocolonialism offering three broad avenues for reform. In the context of the current crisis in the humanitarian sector, with the closure of USAID and dramatic declines in funding, there is a need for pragmatic options for the future that, by necessity, involve a creative reimagining of the digital infrastructures underpinning the humanitarian response.
This volume shows how remote work is regulated by a holistic set of arrangements that govern all forms of employment, weaving together labor institutions in complex ways that the book presents and explains. The scholarship assembled here examines the handling of remote work through institutional analysis cutting across national cases and focusing on both fundamental rights and regulatory challenges. The rights that are examined – by analyzing their nteraction with employer powers – include privacy, equality and non-discrimination as well as collective rights and the distribution of responsibilities in the workplace. The book shows how the location of work interacts with new technologies redefining the universe of labor relations and the institutional system governing employment. This title is also available as open access on Cambridge Core.
This article examines the governance challenges of human genomic data sharing. The analysis builds upon the unique characteristics that distinguish genomic data from other forms of personal data, particularly its dual nature as both uniquely identifiable to individuals and inherently collective, reflecting familial and ethnic group characteristics. This duality informs a tripartite risk taxonomy: individual privacy violations, group-level harms, and bioterrorism threats. Examining regulatory frameworks in the European Union (EU) and China, the article demonstrates how current data protection mechanisms—primarily anonymisation and informed consent—prove inadequate for genomic data governance due to the impossibility of true anonymisation and the limitations of consent-based models in addressing the risks of such sharing. Drawing on the concept of “genomic contextualism,” the article proposes a nuanced framework that incorporates interest balancing, comprehensive data lifecycle management, and tailored technical safeguards. The objective is to protect individuals and underrepresented groups while maximising the scientific and clinical value of genomic data.
Dark patterns are the subject of a surge of regulatory interest in the EU. Much new legislation in the areas of consumer law, data protection and competition law include provisions on dark patterns. Businesses use dark patterns to increase their revenue at the expense of consumers who purchase products they may not need, spend more time or give up more personal data than they would otherwise. Instead of focusing on the more normative issue of when dark patterns should be considered harmful, the chapter compares the different legal frameworks applicable to these practices and asks to what extent the increasingly fragmented EU regulatory landscape can offer effective overall protection against dark patterns. While useful complementarities may arise when parallel sets of rules target different concerns or protect different values, there are also risks of inconsistencies that may lead to either under- or overenforcement due to the fragmentation of the overall regulatory framework. The chapter submits that three needs result from the state of play and offers suggestions to improve the enforcement against dark patterns based on the current EU regulatory framework.
As managers digitize judgment using AI, their evaluations of persons risk imposing benefits and burdens in opaque and unaccountable ways. A wide range of harms may occur when access to one's personal data (and meaningful information about its use) is denied. Key data access rights and AI explainability guarantees in US. and EU law are designed to ameliorate the harms caused by irresponsible digitization, but their definition and range of application is contested. A robust policy evaluation framework will be needed to inform the proper level and scope of information access, as regulators clarify the contours of such rights and guarantees. By revealing the stakes of data access, this Element offers a useful evaluative framework for those interpreting and applying laws of data protection and AI explainability. This title is also available as Open Access on Cambridge Core.
The EU has been represented as a singular ‘Digital Empire’ speaking with one voice on matters of EU digital regulation. Closer examination of discrete areas of EU digital regulation reveals a more nuanced picture suggesting clear institutional divergence between the EU institutions regarding the substantive protection afforded by EU law. A detailed analysis of EU data protection adequacy decisions brings to the surface intra-EU tensions concerning the substance of core EU fundamental rights. This analysis reveals that the EU Commission has taken on a more prominent role in adequacy decision-making since the entry into force of the EU’s General Data Protection Regulation at the expense of other relevant stakeholders. Furthermore, the Commission’s decisional practice does not align fully with the stance of the Court of Justice on the right to data protection. New sites of intra-EU human rights tensions are therefore uncovered with consequences for the legitimacy of the EU as a digital regulator and the role of the Commission as a guardian of the treaties.
Generative AI has catapulted into the legal debate through the popular applications ChatGPT, Bard, Dall-E, and others. While the predominant focus has hitherto centred on issues of copyright infringement and regulatory strategies, particularly within the ambit of the AI Act, it is imperative to acknowledge that generative AI also engenders substantial tension with data protection laws. The example of generative AI puts a finger on the sore spot of the contentious relationship between data protection law and machine learning built on the unresolved conflict between the protection of individuals, rooted in fundamental data protection rights and the massive amounts of data required for machine learning, which renders data processing nearly universal. In the case of LLMs, which scrape nearly the whole internet, this training inevitably relies on and possibly even creates personal data under the GDPR. This tension manifests across multiple dimensions, encompassing data subjects’ rights, the foundational principles of data protection, and the fundamental categories of data protection. Drawing on ongoing investigations by data protection authorities in Europe, this paper undertakes a comprehensive analysis of the intricate interplay between generative AI and data protection within the European legal framework.
The recent paradigm shift from predictive to generative AI has accelerated a new era of innovation in artificial intelligence. Generative AI, exemplified by large language models (LLMs) like GPT (Generative Pre-trained Transformer), has revolutionized this landscape. This transition holds profound implications for the legal domain, where language is central to practice. The integration of LLMs into AI and law research and legal practice presents both opportunities and challenges. This chapter explores the potential enhancements of AI through LLMs, particularly the CLAUDETTE system, focusing on consumer empowerment and privacy protection. On this basis, we also investigate what new legal issues can emerge in the context of the AI Act and related regulations. Understanding the capabilities and limitations of LLMs vis-à-vis conventional approaches is crucial in harnessing their full potential for legal applications.
The concept of identifiability remains a foundational yet contentious criterion in European Union (EU) data protection law. Similarly, anonymisation has sparked intense debate.
This paper examines recent developments that have shaped the EU’s approaches to identifiability and anonymisation, including trends in the Court of Justice of the European Union (CJEU) case law, national supervisory authority (SA) assessments of anonymisation processes, and the recent European Data Protection Board (EDPB) Opinion 28/2024 addressing the anonymity of artificial intelligence models and EDPB Guidelines 01/2025 on pseudonymisation.
The paper explores how the balance between over-inclusiveness and under-inclusiveness is being calibrated, suggesting the emergence of a functional definition of personal data in CJEU case law. It underscores the importance of the burden of proof in evaluating anonymisation processes, as confirmed by national SA assessments. Finally, it highlights how to ensure consistency between the GDPR and data sharing mandates stemming from the new generation of EU data regulations.
This chapter covers civil rights under international human rights law. It includes the right to legal personality, the right to a name, the right to family life, the right to marry, the right to privacy, and the right to respect for home and correspondence. The chapter discusses the legal standards and protections for these rights, the obligations of states to respect and fulfill them, and the role of international bodies in monitoring compliance. It also highlights the challenges in implementing civil rights protections and the importance of adopting comprehensive measures to address violations and ensure effective remedies for victims.
This chapter scrutinizes the operation of public sector privacy and data protection laws in relation to AI data in the United States, the United Kingdom and Australia, to assess the potential for utilizing these laws to challenge automated government decision-making. Government decision-making in individual cases will almost inevitably involve the collection, use, or storage of personal information, and may also involve drawing inferences from data already collected. At the same time increased usage of automated decision-making encourages the large-scale collection and mining of personal data. Privacy and data protection laws provide a useful chokepoint for limiting discrimination and other harms that arise from misuses of personal information.
The implementation of the General Data Protection Regulation (GDPR) in the EU, rather than the regulation itself, is holding back technological innovation. The EU’s data protection governance architecture is complex, leading to contradictory interpretations among Member States. This situation is prompting companies of all kinds to halt the deployment of transformative projects in the EU. The case of Meta is paradigmatic: both the UK and the EU broadly have the same regulation (GDPR), but the UK swiftly determined that Meta could train its generative AI model using first-party public data under the legal basis of legitimate interest, while in the EU, the European Data Protection Board (EDPB) took months to issue an Opinion that national authorities must still interpret and implement individually, leading to legal uncertainty. Similarly, the case of Deepseek has demonstrated how some national data protection authorities, such as the Italian Garante, have moved to ban the AI model outright, while others have opted for investigations. This fragmented enforcement landscape exacerbates regulatory uncertainty and hampers EU’s competitiveness, particularly for startups, which lack the resources to navigate an unpredictable compliance framework. For the EU to remain competitive in the global AI race, strengthening the EDPB’s role is essential.
This study, authored by Dr Fahimeh Abedi, Prof. Tim Miller and Prof. Atif Ahmad, explores the skills gaps lawyers face when advising on emerging technologies in an increasingly complex digital landscape. Using an exploratory sequential mixed methods approach, the authors conducted qualitative interviews with 26 in-house lawyers and a broader quantitative survey revealed key challenges, including complex legislation, unclear regulatory frameworks and ethical concerns in data use. Findings highlight a significant gap in technological literacy within the legal profession, emphasising the need for improved knowledge, skills and ethical awareness. This research provides a roadmap for equipping legal professionals for responsible leadership in a technology-driven future, offering significant insights for policymakers and regulators.
There is no doubt that AI systems, and the large-scale processing of personal data that often accompanies their development and use, has put a strain on individuals’ fundamental rights and freedoms. Against that background, this chapter aims to walk the reader through a selection of key concerns arising from the application of the GDPR to the training and use of such systems. First, it clarifies the position and role of the GDPR within the broader European data protection regulatory framework. Next, it delineates its scope of application by delving into the pivotal notions of “personal data,” “controller,” and “processor.” Lastly, it highlights some friction points between the characteristics inherent to most AI systems and the general principles outlined in Article 5 GDPR, including lawfulness, transparency, purpose limitation, data minimization, and accountability.
Public administrations are increasingly deploying algorithmic systems to facilitate the application, execution, and enforcement of regulation, a practice that can be denoted as algorithmic regulation. While their reliance on digital technology is not new, both the scale at which they automate administrative acts and the importance of the decisions they delegate to algorithmic tools is on the rise. In this chapter, I contextualize this phenomenon and discuss the implementation of algorithmic regulation across several public sector domains. I then assess some of the ethical and legal conundrums that public administrations face when outsourcing their tasks to such systems and provide an overview of the legal framework that governs this practice, with a particular focus on the European Union. This framework encompasses not only constitutional and administrative law but also data protection law and AI-specific law. Finally, I offer some take-aways for public administrations to consider when seeking to deploy algorithmic regulation.