RYANAIR and facial recognition - GDPR
The Irish Data Protection Commission (DPC) has opened an investigation into how Ryanair processes customers' personal data during verification processes, particularly for bookings made through third-party websites or online travel agencies. Ryanair, Ireland-based and Europe's largest airline with 184 million passengers, justifies the additional checks on the grounds that third-party travel agencies do not always correctly transmit essential information, such as passengers' email addresses and payment details.
In response to a complaint filed last year, Ryanair had already stated that its verification methods, whether biometric or not, were fully compliant with GDPR requirements. The company also said these safeguards are intended to protect consumers from certain unapproved travel agencies that provide false information to conceal their overcharging and defrauding practices.
Furthermore, the European Data Protection Board (EDPB), in a recent opinion (opinion 11/2024), recalled that the use of biometric data, in particular facial recognition technologies, presents particular risks for the rights and freedoms of the persons concerned. The EDPB stressed the importance of carefully assessing these risks before resorting to such technologies, given the potential impact on individuals' fundamental rights.
SONY and copyright protection
In a recent decision, the Court of Justice of the European Union (CJEU) clarified the limits of copyright protection in relation to software. The case concerned software developed by Datel, which allowed users to bypass certain restrictions on access to Sony PSP games.
The CJEU emphasized that, although Datel's software modifies the game's variable data, these modifications are not considered "a form of expression" protected by European Union copyright law. Indeed, the Court established that the simple fact of modifying temporary variables in a computer's memory does not give the developer of a program the right to prohibit the marketing of such software by third parties.
The Court also affirmed that “the developer of a computer program cannot prohibit the marketing by a third party of software which only modifies variables temporarily transferred to the memory of a computer”. This position means that software that interacts with other copyrighted programs, but does not reproduce or modify their internal structure, can be legally marketed.
This decision has significant implications for the video game industry and software development, as it sets a copyright precedent. It could encourage innovation by allowing developers to create tools that interact with protected software without fear of violating copyright, as long as those tools do not modify fundamental elements of the original program.
Legitimate interests: can they be commercial? - GDPR
The judgment of October 4, 2024 by the CJEU:
The concept of legitimate interests as a legal basis for the processing of personal data is the subject of debate, particularly in the Netherlands. According to the Dutch Data Protection Authority, purely commercial interests cannot be invoked as legitimate unless they have a specific legal basis. However, in a judgment of October 4, 2024, the Court of Justice of the European Union (CJEU) broadened the definition of “legitimate interests” under the GDPR, clarifying that they do not necessarily have to be fixed by law, and that a wider range of interests can be considered legitimate.
The EDPB guidelines of October 8, 2024
For its part, on October 8, 2024, the EDPB published draft guidelines on the processing of personal data based on legitimate interests (Article 6(1)(f) of the GDPR). These guidelines specify that for an interest to be legitimate, it must be lawful, well-defined and current, and not speculative. The EDPB also emphasizes the need for a rigorous balancing test that weighs the interests of the controller against the rights of the data subjects. This test must be transparent and based on facts. Furthermore, the rights of individuals often take precedence over the interests of the controller. If the test shows that the interests of the controller conflict with those of the individuals, additional safeguards can be put in place to minimize the impact on those affected and reassess the situation.
Data Protection Framework – personal data
The European Commission recently conducted its first review of the EU-US data protection framework, known as the Data Protection Framework (DPF), a year after its adoption in July 2023. This framework is essential for regulating the transfer of personal data to entities located in the United States. In its report, the Commission concludes that the American authorities have put in place the necessary structures to ensure the proper functioning of the DPF. This aims to ensure the protection of personal data while respecting national security requirements.
The report highlights several key elements, including safeguards put in place to restrict US intelligence services' access to personal data, ensuring that such access remains proportionate and justified by national security concerns. Another important point is the creation of an independent complaints mechanism, which allows individuals to report violations of their data protection rights and seek redress.
Additionally, the report makes recommendations to encourage U.S. and European authorities to develop common guidelines to clarify key GDPR requirements. It also suggests maintaining ongoing monitoring, with regular reporting on the effectiveness of the framework.
This review is based on contributions from various stakeholders, including bodies, professional associations and data protection authorities on both sides of the Atlantic. A public consultation was also carried out via the “Have your Say” platform, thus promoting open participation.
The Data Act
The EU Data Act was published in the Official Journal of the EU on December 22, 2023 and will enter into force on September 12, 2025. It is a central part of the European Data Strategy, which aims to promote access to and use of data in the European Union. The aim is to create a data ecosystem that supports innovation, competitiveness and the creation of added value for businesses and citizens.
The Data Act, proposed by the European Commission in February 2022, aims to facilitate access to data and improve their use. It adds to existing regulations such as GDPR and ePrivacy, with an emphasis on data sharing and portability. The goal is to make it easier for businesses, public institutions and citizens to access data to drive innovation and data-driven growth.
The law requires companies that collect or process data to make it accessible to other companies and public bodies, particularly in sectors using technologies such as the Internet of Things (IoT). It also allows users to transfer their data between different providers, which increases competition and gives them more control over their information.
For businesses, this means reviewing their data processing practices, updating their systems to ensure they meet legal requirements, and exploring new business models based on data exchange. At the same time, this legislation will allow them to better react to market changes by making decisions based on reliable data, thus strengthening their competitiveness. However, non-compliance with these new rules may result in sanctions, fines, or even restrictions on the use of data.