As other chapters in this volume show, the EU remedies system is difficult to employ when it comes to EU fundamental right violations. When discussing (im)possibilities of procedural rules and how these encourage or discourage litigation, socio-legal scholars have referred to the concept of legal opportunity structures. In relation to this concept, the EU is a system with closed procedural legal opportunities: rules on directly accessing the CJEU severely limit the possibilities to pursue strategic litigation. At the same time, the EU has opened up legal opportunities as well, by bringing litigants a new catalogue of rights to invoke. In the context of fundamental rights accountability, strategic litigation is used extensively. This begs the question: how are actors (NGOs, lawyers, individuals) making use of the (partially) closed EU system and what lessons can be drawn therefrom? This chapter delves into several cases of mobilisation of the EU remedies system and describes the way in which the actors involved worked with or around EU legal opportunity structures, both inside and outside the context of formal legal procedures. The lessons drawn from these actions can inform future action in this field.

This contribution examines the possibilities for individuals to access remedies against potential violations of their fundamental rights by EU actors, specifically EU agencies’ deployment of artificial intelligence (AI). Presenting the intricate landscape of the EU’s border surveillance, the chapter sheds light on the prominent role of Frontex in developing and managing AI systems, including automated risk assessments and drone-based aerial surveillance. These two examples are used to illustrate how the EU?s AI-powered conduct endangers fundamental rights protected under the EU Charter of Fundamental Rights. Risks emerge for privacy and data protection rights, non-discrimination, and other substantive rights, such as the right to asylum. In light of these concerns, the chapter then examines the possibilities to access remedies by first considering the impact of AI uses on the procedural rights to good administration and effective judicial protection, before clarifying the emerging remedial system under the AI Act in its interplay with the EU’s existing data protection framework. Lastly, the chapter sketches the evolving role of the European Data Protection Supervisor, pointing out the key areas demanding further clarifications in order to fill the remedial gaps.

Society needs to influence and mould our expectations so AI is used for the collective good. we should be reluctant to throw away hard (and recently) won consumer rights and values on the altar of technological developments.

Non-fungible tokens (NFTs) introduce unique concerns related to the privacy of personal data. To create an NFT, users upload data to publicly accessible and searchable databases. This data can encompass information essential for the creation, transfer, and storage of the NFT, as well as personal details pertaining to the creator. Additionally, users might inadvertently engage with technology crafted to gather personal data. Traditional paradigms of privacy have not evolved in tandem with advancements in NFT and blockchain technology. To pinpoint where current privacy paradigms falter, this chapter delves into an introduction of NFTs, elucidating their foundational technical mechanisms and processes. Subsequently, the chapter juxtaposes current and historical privacy frameworks with NFTs, underscoring how these models may be either overly expansive or excessively restrictive for this emerging technology. This chapter suggests that Helen Nissenbaum’s concept of “contextual integrity” might offer the requisite flexibility to cater to the distinct attributes of NFTs. In conclusion, while there is a pronounced societal drive to safeguard citizen data and privacy, the overarching aim remains the enhancement of the collective good. Balancing this objective, governments should be afforded the latitude to equate society’s privacy interests with its imperative for transparency.

Digital traces that people leave behind can be useful evidence in criminal courts. However, in many jurisdictions, the legal provisions setting the rules for the use of evidence in criminal courts were formulated long before these digital technologies existed, and there seems to be an increasing discrepancy between legal frameworks and actual practices. This chapter investigates this disconnect by analyzing the relevant legal frameworks in the EU for processing data in criminal courts, and comparing and contrasting these with actual court practices. The relevant legal frameworks are criminal and data protection law. Data protection law is mostly harmonized throughout the EU, but since criminal law is mostly national law, this chapter focuses on criminal law in the Netherlands. We conclude that existing legal frameworks do not appear to obstruct the collection of data for evidence, but that regulation on collection in criminal law and regulation on processing and analysis in data protection law are not integrated. We also characterize as remarkable the almost complete absence of regulation of automated data analysis – in contrast with the many rules for data collection.

Remote care technologies help patients connect with their caregivers through monitoring, alerts, anomaly detection, and so on. Due to their nature, remote care technologies cross a number of legal fields, such as privacy and data protection, cybersecurity, and medical devices regulation. This paper aims to close the gap between high-level legal principles and practical implementation by mapping the challenges in European Union (EU) law and combining them with initial results from the TeNDER project. Specifically, we focus on technologies, which create an alert system by combining data sources from electronic health records and connected devices. Using these solutions as a starting point, we analyze the obligations the EU law lays upon the stakeholders, that is, the designers or developers, and the users, who are patients and caregivers. We answer the following research question: Which challenges does EU law pose for designers and users of remote care solutions, and in what manner can those questions be addressed in practice? We then analyze and apply the principles of privacy and data protection (proportionality, lawfulness, and data quality), and cybersecurity notification duties, and discuss the possible classification as a medical device. For all three areas, we use the two-pronged approach from the project, that is, a big-picture description of the legal challenges posed by remote care technologies, and a detailed description of the legal obligations applicable to the developers as well as users (i.e., caregivers and patients). We will follow up our work in repeated impact assessments in order to determine the benefits and pitfalls of the current approach.

As facial recognition technology (FRT) becomes more widespread, and its productive processes, supply chains, and circulations more visible and better understood, privacy concepts become more difficult to consistently apply. This chapter argues that privacy and data protection law’s clunkiness in regulating facial recognition is a product of how privacy and data protection conceptualise the nature of online images. Whereas privacy and data protection embed a ‘representational’ understanding of images, the dynamic facial recognition ecosystem of image scraping, dataset production, and searchable image databases used to build FRT suggest that online images are better understood as ‘operational’. Online images do not simply present their referent for easy human consumption, but rather enable and participate in a sequence of automated operations and machine–machine communications that are foundational for the proliferation of biometric techniques. This chapter demonstrates how privacy law’s failure to accommodate this theorisation of images leads to confusion and diversity in the juridical treatment of facial recognition and the declining coherence of legal concepts.

There is a convergence on the protection of the traditional right to privacy and today’s right to data protection as evidenced by judicial rulings. However, there are still distinct differences among the jurisdictions based on how personal data is conceived (as a personality or proprietary right) and on the aims of the regulation. These have implications for how the use of AI will impact the laws of US and EU. Nevertheless, there are some regulatory convergences between US and EU law in terms of the realignment of traditional rights through data-driven technologies, the convergence between data protection safeguards and consumer law, and the dynamics of legal transplantation and reception in data protection and consumer law.

Having ideas is easy for technology-enabled care, but implementing them is hard. The chances of success can be improved by building a broad coalition of essential stakeholders, persuading the sceptical, respecting your information governance colleagues, careful planning, and thinking about and minimising risks. Leadership, strategic thinking, persuasion, attention to detail and a team approach are needed. Professional project management, good marketing and communication are vital for implementation, and a robust evaluation is essential for sustainability.

The chapter explores the question of how different domestic and international law approaches to regulating the international transfer of personal data deal with cybersecurity threats. It examines the 2016 EU General Data Protection Regulation, the 2021 UK National Security and Investment Act, and the 2018 United States, Mexico and Canada Agreement, as representing distinct approaches for regulating international data transfers, namely data protection legislation, investment screening legislation, and digital trade agreements. The analysis demonstrates that a lack of uniformity in terms of what constitutes an adequate level and design of data protection mechanisms has left the issue of how to distinguish between acceptable and non-acceptable data-transfer restrictions largely unresolved.

Europe’s path to digitisation and datafication in finance has rested upon four apparently unrelated pillars: (1) extensive reporting requirements imposed after the Global Financial Crisis to control systemic risk and change financial sector behaviour; (2) strict data protection rules; (3) the facilitation of open banking to enhance competition in banking and particularly payments; and (4) a legislative framework for digital identification imposed to further the European Single Market. This chapter suggests that together these seemingly unrelated pillars have driven a transition to data-driven finance. The emerging ecosystem based on these pillars aims to promote a balance among a range of sometimes conflicting objectives, including systemic risk, data security and privacy, efficiency, and customer protection. Furthermore, we argue that Europe’s financial services and data protection regulatory reforms have unintentionally driven the use of regulatory technologies (RegTech), thereby laying the foundations for the digital transformation of European Union (‘EU’) financial services and financial regulation. The EU experiences provide insights for other countries in developing regulatory approaches to the intersection of data, finance, and technology.

The contribution of antitrust de lege lata to the separation of powers is rather limited. A role should nevertheless be granted to specific legislation, regulation or practices and, possibly, antitrust de lege ferenda, especially with respect to the control of the digital infrastructure of democracy, the prohibition of distortions of the electoral and democratic process, the conclusion of certain governmental contracts with large or, a fortiori, dominant platforms, as well as the regulation and deconcentration or decentralization of artificial intelligence and the Metaverse. Artificial intelligence and, notably, machine learning based on data face a cycle of concentration accentuating the need for regulation. Deconcentration or decentralization may be envisaged, imposed or incentivized. Furthermore, limits are especially necessary when substantial autonomous powers are granted to forms of artificial intelligence. The Metaverse, for its part, may reshape society, politics, and economy around the globe in the future. From an antitrust perspective, the Metaverse poses at least two main issues: antitrust on the Metaverse and antitrust in the Metaverse.