On 7 March 2025, the Changshu People’s Court (in China’s Jiangsu province) announced that it had recently concluded a case on the topical issue of whether AI-generated works can be protected by copyright. In the case, a plaintiff surnamed Lin used the AI tool Midjourney to create an image, and then Photoshop to further refine it. The image depicted a half-heart structure floating on the water in front of a cityscape, in which the other half of the heart was ‘completed’ by its reflection in the water. The plaintiff posted the image on social media and also obtained copyright registration for the image in China. An inflatable model company and a real estate company posted images substantially similar to the plaintiff’s image on their social media accounts and the inflatable model company’s 1688 online store, and also created a real 3D installation based on the image at one of the real estate company’s projects. The court found for the plaintiff, requiring that the inflatable model company publicly apologise to the plaintiff on its Xiaohongshu (RedNote) account for three consecutive days, and that the defendants compensate the plaintiff for economic losses and reasonable expenses totalling RMB 10,000. Although both the plaintiff and the defendants had rights of appeal, neither party appealed and the decision is now effective.

In reaching its decision, the court first examined the Midjourney user agreement which stipulates that the rights in outputs prompted by users belong to the user with very few exceptions. The court then examined the iterative process by which Midjourney users can modify the prompt text and other details of the output images. On this basis, the court held that the plaintiff’s crafting of their prompt and subsequent modification of the image reflected their unique choices and arrangement, making the ultimate image an original work of fine art protected by copyright. The defendants infringed the copyright in that image by disseminating it online without the plaintiff’s permission and using it without naming the plaintiff as the author. However, the court held that the copyright enjoyed by Lin was limited to the 2D image as recorded in the copyright registration certificate (rather than the idea of the 3D half-heart art installation as depicted in the image); the construction of the physical 3D installation by the defendants based on the central idea of Lin’s work (i.e. a half-heart floating on the water, an idea used by many prior works) did not infringe Lin’s copyright.

In the court’s WeChat post, some illustrative comments were shared from Hu Yue, Deputy Director of the court’s Intellectual Property Tribunal. “The premise for AI-generated content to be recognised as a work is that it should be able to reflect the original intellectual input of a human,” Hu states. He comments that “for creators, this judgement is a ‘reassurance’. It clarifies that creators who use AI tools to create have legal copyright over their works provided that the works have innovative design and expression (…) In addition, this case lawfully determined that the use of the ideas and concepts of another person’s work does not constitute infringement, which avoids overprotection of copyrights and abuse of rights, and is conducive to guiding the people on how to further innovate on the basis of using AI.”

Our comments

Cases involving generative AI and IP issues are going through courts around the world. US cases dominate, particularly on the issue of whether use of copyright works to train an AI model constitutes copyright infringement. However, courts in China have been notable for their boldness on the issue of copyright subsistence. Decisions in 2019 and 2020 from the Shenzhen City Nanshan District People’s Court, the Beijing Internet Court and the Beijing Intellectual Property Court have all found that AI-assisted text-based works could be protected by copyright. Most importantly, the Beijing Internet Court in November 2023 issued a significant decision in which it held that the plaintiff enjoyed copyright in an image generated using the AI tool Stable Diffusion. It was critical to the decision that the plaintiff had engaged in a process of “intellectual creation” by independently designing and refining the features of the image through several rounds of input prompts and parameter adjustments, and by making artistic choices regarding the final outcome. Applying similar reasoning, this latest case from the Changshu People’s Court is the second in China granting copyright protection to AI-generated images reflecting the “original intellectual input of a human”.

The relative willingness of Chinese courts to find subsistence of copyright in AI-generated works created by user prompts can be compared with the position in the United States, in which the United States Copyright Office has refused protection for AI-generated visual artworks in at least four cases. Guidance issued by the Office in March 2023 and January 2025 reiterate that: copyright protects only materials that are the product of human creativity; copyright protection is not available for purely AI-generated content, but human contributions to AI-assisted works are protectable, with protection analyzed on a case-by-case basis; and user prompts alone are insufficient to justify copyright protection for the output. The importance attributed to human input is shared with China, however it is safe to say a global consensus on this issue has yet to emerge.

In the meantime, China is becoming a world leader in both AI innovation and regulation. China’s National Intellectual Property Administration in December 2024 issued guidelines on patent applications for AI-related inventions, providing welcome guidance to firms seeking IP protection for innovations involving or assisted by AI. This follows the National Technical Committee 260 on Cybersecurity’s September 2024 release of an AI Safety Governance Framework, outlining principles for tackling AI-related risks in accordance with a “people-centered approach” and the “principle of developing AI for good.”

Edward Chatterton is a Partner at DLA Piper where he is Global Co-Chair of Trademark, Copyright and Media Group and Co-Head of IPT, Asia

Joanne Zhang is a Registered Foreign Lawyer (New York, USA) in the Intellectual Property & Technology team based in DLA Piper’s Hong Kong office. She is dually qualified in New York, USA, and China.

Liam is a Knowledge Development Lawyer in DLA Piper’s Intellectual Property and Technology group. He is based in the APAC region and focuses on trademark, copyright, media and artificial intelligence issues across the international practice.

The post Another Chinese court finds that AI-generated images can be protected by copyright: the Changshu People’s Court and the ‘half heart’ case appeared first on Society for Computers & Law.

The High Court has recently considered a dispute arising from a miscommunication regarding the claimant’s winnings on an online game. 

The claimant in Durber v PPB Entertainment Ltd [2025] EWHC 498 (KB) played the Wild Hatter game in October 2020 – a two-part game involving a fruit machine and a wheel of fortune. After spinning the jackpot wheel, the screen displayed she had won the “Monster Jackpot” which was stated as £1,097,132.71. The dispute revolved around the discrepancy between what was displayed on the claimant’s screen and the defendant’s server records which led to a significant reduction in the payout from the claimed Monster Jackpot of well over £1 million to a much smaller Daily Jackpot of £20,265.14. The claimant claimed the difference between this and the Monster Jackpot. 

The defendant said that the outcome was determined by a random number generator which had said she had only won the daily jackpot, but an error affected the animations of the game and showed her the wrong result. It sought to rely on its terms and conditions and referred to the decision in Parker-Grennan v Camelot UK Lotteries Ltd. 

What did the court say?

The court ruled that the rules of the online gambling game took precedence over the terms and conditions. The rules explicitly stated that the outcome of the game, including the determination of the jackpot, was based on what was displayed on the claimant’s screen. This “what you see is what you get” (WYSIWYG) approach was central to the claimant’s understanding and expectation of the game.

The terms and conditions included a clause that purported to make the defendant’s server records definitive if there was a discrepancy between the screen display and the server records. The court found this clause to be inconsistent with the game rules which clearly indicated that the screen display took precedence. Consequently, the court held that this clause was unenforceable.

The defendant also sought to rely on an exclusion clause that purported to absolve them of liability for any errors, including those in the generation of game results. However, the court found that this clause did not cover the specific human error in programming that caused the discrepancy between the server records and the claimant’s screen display. The error in question was a mapping error in the software which was a direct result of human programming and not a system or communication error as envisaged by the exclusion clause.

The court also examined whether the relevant terms were properly incorporated into the contract. It concluded that the terms were unusual and onerous and that the defendant had failed to take reasonable steps to bring these terms to the claimant’s attention. The terms were buried within a lengthy document and were not adequately signposted, making it unreasonable to expect the claimant to have been aware of them. 

Even if the terms had been properly incorporated, the court found them to be unfair and unenforceable under the Consumer Rights Act 2015. The Act requires that terms be fair and transparent and that they do not create a significant imbalance in the parties’ rights and obligations to the detriment of the consumer. The court held that the terms in question failed this test, as they included a very wide limitation of liability. It said that a more focused disclaimer would have created less imbalance. The terms also contradicted the game rules, causing an imbalance. 

Therefore, the court ruled that summary judgment should be entered for the claimant.

So what?

The court’s decision emphasises the importance of clarity and fairness in the terms and conditions of online gambling games and consumer-facing terms more generally. If you run online games, you need to clearly communicate your terms to consumers and also make sure that they are consistent with the rules of the game. Terms need to be fair and properly incorporated, especially those which aim to limit liability or alter the consumer’s understanding of the game outcomes. More widely, you need to make sure that your terms and rules hang together – it’s quite common for there to be different documents that affect the relationship with the consumer – but they need to be consistent and cross-referenced. 

Readers may remember the case of Green v Betfair where the court ruled in Mr Green’s favour, saying that Betfair’s terms were not adequate to exempt Betfred from the obligation to pay out on an ostensibly winning bet or series of bets.    

As the CMA gets greater powers in the coming weeks, businesses are advised to review their customer journeys and make sure that they comply with the law.

This report was first published on the Lewis Silkin website and is reproduced with permission

The post Monster Jackpot wins the day appeared first on Society for Computers & Law.

The case arose in the context of a dispute between EE and Virgin Mobile.  VM had stated that EE’s claim was for loss of profit and, therefore, the claim was excluded by the following clause which formed part of a suite of detailed liability clauses:

“34.5… neither Party shall have liability to the other in respect of:

(a) anticipated profits, or

(b) anticipated savings.”

VM was granted summary judgment ruling out this type of claim.

EE appealed – the question as whether EE’s clam was excluded as being one “in respect of … anticipated profits”, on the proper interpretation of that phrase in clause 34.5(a),

The Court of Appeal, by majority decision, dismissed the appeal. It said that for EE’s claim to fall outside the exclusion clause it had to show that “anticipated profits” meant profits anticipated to be outside the agreement. However, the agreement did not say that, and as Coulson LJ explained, to import such a qualification would “do violence” to the actual language of the exclusion clause.

Zacaroli gave the leading judgment, saying that, in summary:

• there is no overarching principle of law that limits an exclusion of liability for loss of anticipated profits to losses other than expectation loss or diminution in price;
• in some cases, similar wording has been found to be so limited, but in other cases it has not;
• the wording of the exclusion in this case was clear and unequivocal;
• clauses 34.4 and 34.5 were intended to be read cumulatively, so that liability for anticipated profits was intended to indicate something additional to loss which did not arise directly from the performance of the agreement, and if the parties had intended clause 34.5(a) to cover only direct loss of profit claims that do not fall within the ambit of expectation loss, they would have done so specifically;
• “anticipated profits” is used within clause 34.5 interchangeably with “loss of profits”;
• the fact that at least the paradigm case that falls within clause 34.3(c), and is thus carved out from the exclusion in 34.5(a), is a claim for expectation loss points towards such a claim otherwise being covered by clause 34.5(a);
• the clause was part of a lengthy contract drafted with the assistance of legal advice on both sides, involving a careful allocation of risk for both parties; and
• the consequences of this reading of clause 34.5(a), in the context of the range of its possible applications when the contract was agreed, were commercially reasonable, and no less so than the alternative reading, particularly in view of the substantive remedies that remained across those applications (whether by way of damages or equitable relief).

Accordingly, EE’s claim was excluded by clause 34.5(a).

However, there was a dissenting judgment. Phillips LJ said that it was far from clear that the exclusion of damages claims for “anticipated profits” encompasses a claim for loss of revenue by reason of a breach of the exclusivity provision. His view was that the loss was properly to be regarded as a readily ascertainable sum that would have been payable to EE by way of the contractual price for the use of its services had VM not diverted its business elsewhere. In contrast, the term “anticipated profits” indicated hoped for but uncertain profits which would arise as a consequence of, but outside, performance of the contract, not sums directly payable under the contract. Therefore, he would have allowed the appeal.

As there was a dissenting judgment, and as Coulson LJ said he “had not found the central issue in this case easy to decide”, there may well be an appeal to the Supreme Court.

The post Court of Appeal dismisses appeal in EE v Virgin Mobile case appeared first on Society for Computers & Law.

The claimant RTM described himself as a recovering online gambling addict. He was a private individual with no national profile. He was anonymised in the litigation because of the risk that the privacy interests he was seeking to protect could not otherwise be fully and fairly adjudicated upon without encroaching on them.

The defendants operate under the Sky Betting and Gaming (SBG) brand of online gambling platforms. The first defendant provides paid-for betting and gaming products, and the second defendant free-to-play games.

RTM used to gamble online and said it was compulsive, out of control and destructive. He said that although he did not gamble exclusively with SBG, it was his preferred and predominant online platform at the time, and he used several of its products.

He brought a privacy claim in data protection and the misuse of private information. He says SBG gathered and used extensive information, generated by his use of its platforms, unlawfully, including by analysing and combining it through sophisticated profiling algorithms, and especially by way of personalised and targeted marketing which he could not handle, and which fed his compulsive behaviour. He sought compensation for harm, distress and loss.

SBG argued that it complied with all its legal obligations throughout and, in particular, that much of what RTM said he objected to, he consented to at the time.

The court considered the case in the context of the Gambling Act 2005, the Data Protection Act 1998, the General Data Protection Regulation (GDPR), and the Privacy and Electronic Communications Regulations 2003 (PECR).  In particular, the court examined the statutory principles governing the processing of personal data, particularly the requirements for lawful processing, consent, and the protection of vulnerable individuals.

The judge said that the relevant legislation and authorities, both European and domestic, indicated that to provide a lawful basis for direct marketing, and for the underlying use of cookies for that purpose, a data subject’s consenting behaviour has to be of a ‘relatively high’ quality. That involves individual qualities such as ‘free’, ‘active’, ‘informed’, ‘unambiguous’, and ‘specific’ or ‘distinct’. What that means in practice is highly context-specific.

The judge pointed out that the measures required to obtain and evidence consent could fall short in the context of problem gambling as “it  will be consenting behaviour which is too overborne, passive, unfocused and ambiguous, and too bound up with the craving or compulsion to access gambling, to which the consenting is experienced as a condition to be overcome, to meet the necessary legal standard.”

The court accepted RTM’s evidence about the nature and extent of his decision-making, and looked at all the evidence of the nature and context of his consenting behaviour towards SBG. It found that he lacked subjective consent. The judge was also satisfied that the autonomous quality of his consenting behaviour was impaired to a real degree. In particular, his consent was insufficiently freely given because the circumstances of his consenting behaviour are not recognisable as amounting to free, unambiguous, informed, specific, or distinct from the uncontrolled craving to gamble. Standards of consent set in data protection law are not insensitive to that sort of context.

Consequently, the judge held that SBG’s use of cookies for the purposes of personalised direct marketing to RTM and SBG’s direct marketing to RTM were not lawful processing.

The judge said that the profiling was parasitic on the obtaining of the data and the ultimate delivery of the marketing, and had no other standalone purpose; it necessarily disclosed no distinct basis for lawful processing. SBG had no legitimate interest in profiling for personalised marketing to problem gamblers without their consent. In addition, the judge was unpersuaded that, on the facts of this case, the claim for misuse of private information was sufficiently likely to add anything material to the analysis to make it proportionate to analyse it in any detail.

The post High Court rules on targeting advertising to “recovering online gambling addict” appeared first on Society for Computers & Law.

Mousse (a LGTB association) complained to the French data protection authority (CNIL) about the French railway company SNCF Connect, which requires customers to indicate their title (Mr or Ms) when purchasing tickets online. Mousse argued that this requirement breaches the GDPR because the title, which indicates gender identity, is not needed to buy a train ticket.

In 2021, CNIL rejected the complaint, stating that the practice did not violate the GDPR. Mousse disagreed and took the matter to the French courts, seeking to overturn CNIL’s decision.

The French courts referred the issue to the Court of Justice of the EU, asking if collecting customers’ titles for personalised commercial communication is lawful and consistent with the principle of data minimisation.

The Court of Justice has reiterated that, under the GDPR, data collected must be adequate, relevant, and limited to what is necessary for the purpose. The Court also stated that personalising commercial communication based on gender identity is not essential to fulfil a rail transport contract. The railway company could use generic, inclusive terms instead.

The Court further explained that processing personal data is lawful only if it is necessary for the contract’s performance or for the legitimate interests of the data controller or a third party. In this case, personalising communication based on gender identity is not necessary to perform the contract. Additionally, customers were not informed of the legitimate interest pursued, and the processing was not strictly necessary to achieve that interest. The fundamental rights and freedoms of customers, including the risk of gender identity discrimination, outweigh the legitimate interest.

The post GDPR and rail transport: gender identity is not necessary data for the purchase of a transport ticket appeared first on Society for Computers & Law.

The individual claimed that the US does not have an adequate level of protection and the transfers risked his data being accessed by the US security and intelligence services. The Commission had not indicated any of the appropriate safeguards that might justify those transfers. He sought compensation of €400 in compensation for the non-material damage which he claimed to have suffered due to the transfers.

He also sought annulment of the transfers of his personal data, a declaration that the Commission unlawfully failed to define its position on a request for information and an order that the Commission pay him €800 in compensation for the non-material damage which he claimed to have suffered because of the infringement of his right of access to information.

The General Court dismissed the application for annulment as inadmissible and found that there was no need to adjudicate on the claim for a declaration of failure to act. The General Court also dismissed the claim for damages based on infringement of the right of access to information, finding that there was no non-material damage as alleged. In addition, regarding the claim for damages based on the disputed transfers of data, the General Court dismissed that claim in relation to the transfers of data via Amazon CloudFront.  This was because the data was actually transferred to a server in Munich rather than the US. Amazon Web Services was contractually required to ensure that data remained in Europe. On another occasion it was the individual concerned who directed his data to the US.  

However, when it came to the registration for the event, the General Court found that the “Sign in with Facebook” hyperlink displayed on the EU Login webpage meant that the individual’s IP address was transmitted to Facebook. That IP address constituted personal data which, by means of that hyperlink, was transmitted to Meta Platforms, an undertaking established in the US. That transfer was caused by the Commission.

At the time of that transfer, on 30 March 2022, there was no Commission decision finding that the US ensured an adequate level of protection for the personal data of EU citizens. The display of the “Sign in with Facebook” hyperlink on the EU Login website was entirely governed by Facebook’s general terms and conditions.

This meant that the Commission did not comply with EU law rules for the transfer by an EU institution, body, office or agency of personal data to a third country.

The General Court found that the Commission committed a sufficiently serious breach of a rule of law that is intended to confer rights on individuals. The individual concerned suffered non-material damage, in that he found himself in a position of some uncertainty as regards the processing of his personal data, in particular his IP address. There was a sufficiently direct causal link between the Commission’s infringement and the non-material damage sustained by the individual concerned.

The General Court ordered the European Commission to pay the individual concerned the sum of €400 claimed.

While this case was not brought under the GDPR but similar legislation which applies to EU institutions, the UK GDPR and Data Protection Act 2018 allow damages for non-material damage, so this may be an interesting (non-binding) precedent from a UK perspective.

Although €400 does not sound like a lot, if there were a successful class action along similar lines, it could be very expensive as many websites use Facebook log-in mechanisms.

The post General Court orders Commission to pay damages to website visitor due to transfer of personal data to the US appeared first on Society for Computers & Law.

The court gave a lengthy judgment, acknowledging that this was because the relevant legal points are “novel, contentious or both”. Novel points are not new in this case: in an earlier decision, the High Court gave Mr D’Aloia permission to serve proceedings on the defendants via a non-fungible token on a blockchain and email.

Background

Mr D’Aloia alleged that he was the victim of a cryptocurrency scam orchestrated by the First Defendants (referred to as Persons Unknown Category A). He claimed that he was induced to transfer USDT totalling around £2.5 million, to online wallets controlled by the First Defendants. The funds were then allegedly transferred through various blockchain wallets before being withdrawn by the Seventh Defendants (referred to as Persons Unknown Category B). Other defendants, including a Thai company, Bitkub Online Co Limited (Bitkub), were cryptocurrency exchanges where the Seventh Defendants held accounts.

The primary focus of the trial was on the liability of Bitkub. Mr D’Aloia argued that his cryptocurrency was identifiable as being comprised within the transfer to the ‘82e6 Wallet’ held with Bitkub and could be traced. He alleged that Bitkub held his identifiable cryptocurrency on constructive trust or that it had been unjustly enriched by having received it, and was liable to him accordingly.

In assessing these points, the court considered several issues as to the status and treatment of cryptocurrency under English law.

Are cryptocurrencies property?

The court referred to previous case law, including AA v Persons Unknown [2019] EWHC 3556 (Comm) and Tulip Trading v Van der Laan [2023] EWCA Civ 83, which recognised on (an interim basis) that cryptoassets such as bitcoin could be treated as property. The court also considered academic commentary and the Law Commission’s Digital Assets Final Report, which supported the view that digital assets could be objects of personal property rights. The Law Commission’s report emphasised the need for the legal system to adapt to technological advancements and recognise the proprietary nature of digital assets.

Following a thorough analysis, the court confirmed that USDT is capable of attracting property rights under English law, which aligns with the evolving legal landscape that increasingly recognises the unique characteristics of digital assets.

Can cryptocurrency be, as a matter of law, traced through a mixed fund or followed?

The court noted the distinction between following (tracking the same asset as it moves from hand to hand) and tracing (identifying a new asset as the substitute for the old). These are both methods of locating assets which are, or can be taken to be, an asset belonging to the party asserting ownership of them.

The court comprehensively reviewed the law on tracing in equity and at common law and concluded that it is not possible to trace at common law through a mixed fund. Tracing was available to Mr D’Aloia in respect of his equitable claims and USDT can also be followed as a matter of law, but on the facts, it was not possible to follow the USDT to the 82e6 wallet.

The court scrutinised the tracing process, which involved understanding multiple transactions (or ‘hops’) across various wallets, supported by expert evidence. The court criticised the expert evidence before it, concluding that it was unhelpful and noting, “That is especially problematic in a case such as this, where much turns on their work to understand the flow of funds, if any, from Mr D’Aloia to the 82e6 wallet.” The court found that the methodology of Mr D’Aloia’s expert, Mr Moore, was unclear and inconsistent and concluded that it was not able to rely on the approach taken.

Given the claimant failed to show that any of his funds were received in the 82e6 wallet, the tracing claim against Bitkub failed. The court highlighted the need for precise and reliable evidence in tracing claims, which was not provided in this case.

Was Bitkub unjustly enriched at Mr D’Aloia’s expense?

The court went on to consider whether Bitkub was enriched at the expense of Mr D’Aloia and whether the enrichment was unjust. The court addressed the four questions from Banque Financière de la Cité v Parc (Battersea) Ltd [1999] 1 AC 221: (i) Has the defendant been benefitted, in the sense of being enriched?; (ii) Was the enrichment at the expense of the claimant?; (iii) Was the retention of the enrichment unjust?; and (iv) Are there any defences?

This claim failed on the basis that Mr D’Aloia failed to show that Bitkub was enriched with his USDT (i.e., the enrichment was not at his expense). He did not demonstrate that any of his funds reached the 82e6 wallet.

Did the circumstances give rise to a constructive trust on Bitkub?

The court examined whether a constructive trust could be imposed on Bitkub based on various grounds (the equitable proprietary claim): fraud, vitiated intention (here, due to alleged mistake), rescission of the original contract pursuant to which Mr D’Aloia transferred his funds, and failure of Bitkub to act in a commercially reasonable manner and freeze the account from which payment out of funds was ultimately made, due to suspicious activity.

The court considered each basis in detail and, in short, concluded that while a constructive trust arose over the funds received by the First Defendants (who would be the trustees, not Bitkub), Mr D’Aloia failed to show that Bitkub received any of his funds. The equitable proprietary claim against Bitkub failed. (Interestingly, no claim in knowing receipt or dishonest assistance was pursued by Mr D’Aloia against Bitkub on the facts.)

Concluding thoughts

The court concluded its analysis quite clearly: “Mr D’Aloia has failed to show on the balance of probabilities that any of his USDT ever arrived at the 82e6 wallet. In the circumstances, Mr D’Aloia has no claim against Bitkub because it did not receive anything from him. It holds no trust funds; there is no normatively defective transaction as between Bitkub and Mr D’Aloia to undo.”

Throughout the judgment, the court also noted issues with the pleadings, in that the case advanced was not as pleaded in key respects. In this context, the court noted in its conclusion that no claim for knowing receipt was advanced against Bitkub and as such, “the legal link connecting Mr D’Aloia with Bitkub is simply missing from his claim”.

This judgment will provide a particularly useful reference point for other claims of this nature involving crypto fraud, especially where the fraudsters themselves cannot be identified and the victim of the fraud looks to pursue the currency exchanges in the chain. As demonstrated, clear analysis and interrogation of the legal and evidential links to these entities on the facts of each case are of key importance. 

Duran Ross, partner, Lewis Silkin and Nicola Thompson, senior practice development lawyer, Lewis Silkin

The post High Court considers cryptocurrency status in English law and key aspects of cryptocurrency fraud claims appeared first on Society for Computers & Law.

In 2018, Meta Platforms Ireland started using new Facebook terms of service in the EU. Consent to those terms is required to sign up for, or access, Facebook’s accounts and services. Mr Maximilian Schrems (S) a Facebook user and well-known activist in the field of data protection, accepted these terms.

Following that, he said he had regularly received advertisements directed at homosexuals and invitations to corresponding events. He argued that those advertisements were not based directly on his sexual orientation, but were based on an analysis of his particular interests.

S was dissatisfied with the processing of his data which he considered to be unlawful and so brought an action before the Austrian courts. Subsequently, during a panel discussion, he publicly referred to his homosexuality, but did not publish anything on his Facebook profile.

The Austrian Supreme Court referred the issue to the CJEU, asking if:

• a network such a Facebook may analyse and process all the personal data available to it for an indefinite period to produce targeted advertising; and
• if a statement made by a person about their sexual orientation as part of a panel discussion permits the processing of other data concerning that topic to offer that person targeted advertising.

The Advocate-General gave an opinion in April 2024 and the Court has now given its judgment.

It said that the principle of data minimisation in the GDPR precludes all of the personal data obtained by a controller, such as the operator of an online social network platform, from the data subject or third parties and collected either on or outside that platform, from being aggregated, analysed and processed for the purposes of targeted advertising without restriction as to time and without distinction as to type of data.

Second, the Court said that the possibility cannot be ruled out that, by his statement at the panel discussion in question, S manifestly made his sexual orientation public. It is for the Supreme Court, Austria, to verify if this was the case. If a data subject manifestly makes public data concerning their sexual orientation, that information may be processed in compliance with the GDPR. However, that fact alone does not authorise the processing of other personal data relating to that data.

Consequently, the fact that someone has made a statement about their sexual orientation during a public panel discussion does not authorise an online social network platform to process other data relating to that person’s sexual orientation, with a view to aggregating and analysing that data, to offer that person personalised advertising.

The post Court of Justice rules in another case brought by Max Schrems appeared first on Society for Computers & Law.

The Austrian police seized the mobile telephone of the recipient of a parcel following the discovery that the parcel contained 85 grams of cannabis. The police then tried unsuccessfully to unlock the mobile telephone to access the data it contained. The police were not authorised by the Public Prosecutor’s Office or a court, they did not document their attempt to unlock the telephone and did not inform the owner. The owner went to court to challenge the seizure of his mobile telephone and during those proceedings, he became aware of the attempts to unlock the telephone.

The Austrian court referred the case to the CJEU and asked if the Austrian legislation which, in its view, allows the police to act in this way, is compatible with EU law. It observed that the telephone’s owner was accused of an offence which was punishable by a maximum of one year’s imprisonment and so was only a minor offence.

Firstly, the Court of Justice stated that contrary to what certain governments have argued, the relevant EU legislation applies to attempts to access data as well as to successful access.

It then said that access to all the data contained in a mobile telephone may constitute a serious, or even particularly serious, interference with the fundamental rights of the data subject. That data, which may include messages, photos and internet browsing history, may, depending on the circumstances, allow very precise conclusions to be drawn concerning that data subject’s private life. In addition, the information may include particularly sensitive data.

The seriousness of the offence under investigation is one of the main parameters when examining the proportionality of such serious interference. However, to consider that only the fight against serious crime is capable of justifying access to data contained in a mobile telephone would unduly limit the investigative powers of the competent authorities. This would result in an increased risk of impunity for criminal offences in general and therefore in a risk for the creation of an area of freedom, security and justice in the EU.

However, such an interference with private life and data protection must be provided for by law, which implies that the national legislature must define with sufficient precision the factors to be taken into account, in particular the nature or categories of offences concerned. Such access must be subject to a review carried out in advance by a court or an independent administrative authority, except when a case is urgent. A review must strike a fair balance between the legitimate interests relating to the needs of the investigation in the context of combating crime and the fundamental rights to private life and the protection of personal data.

Finally, the data subject must be informed of the grounds on which the authorisation to access their data is based, once telling them will not jeopardise the investigation.

The post CJEU considers police access to data in a mobile telephone appeared first on Society for Computers & Law.

Booking.com is incorporated under Netherlands law with its registered office in Amsterdam. It offers a worldwide online intermediation service to reserve accommodation. Hotels pay commission to Booking.com for reservations made via the platform.  Although hotels can use alternative sales channels, they may not offer prices lower than the prices they offer on Booking.com. Initially, that prohibition applied both to offers on hoteliers’ own sales channels and to offers on sales channels operated by third parties (a ‘wide parity’ clause). Since 2015, a limited version of that clause has prohibited only the offer of overnight stays at a lower price through hoteliers’ own sales channels.

The German courts held that the price parity clauses (narrow or wide) used by hotel reservation platforms breached EU competition law. The German Federal Cartel Office agreed. However, the Dutch courts were asked to look at the issue as well and referred the case to the CJEU for guidance on price parity clauses.

The Court says that the online hotel reservation services have had a neutral to positive effect on competition. Those services enable consumers to have access to a wide range of accommodation offers and to compare those offers simply and quickly according to various criteria and they enable accommodation providers to acquire greater visibility.

However, it has not been established that price parity clauses, whether wide or narrow, are objectively necessary or proportionate. It says that wide price parity clauses can reduce competition between the various hotel reservation platforms, and can carry the risk of ousting small platforms and new entrants.

The same is true of narrow parity clauses. They have a less restrictive effect on competition and are intended to address the risk of free-riding, but they do not appear to be objectively necessary to ensure the economic viability of the hotel reservation platform.

The post Online accommodation reservation platforms appeared first on Society for Computers & Law.