Recent preliminary ruling

Recent preliminary ruling from the Court of Justice of the European Union interprets net neutrality rules for the first time.

Recent preliminary ruling from the Court of Justice of the European Union, taken in relation to a decision against Telenor Telecommunications company, interprets net neutrality rules for the first time.


The CJEU issued their preliminary ruling after the Hungarian National Media and Communication Office found the ‘zero tariff’ packages offered by  Telenor, an internet service provider, breached Article 3 (3) of Regulation 2015/2120 of the EU Parliament, with regard to the general obligation of equal and non-discriminatory treatment of traffic , or net neutrality as it is more commonly known.


Under the law, neither restrictions, nor special access can be applied on the basis of one’s internet package.


This ruling will prevent Telenor from providing these separated packages and all applications are to be treated equally under the law. Neither restrictions, nor special access can be granted or denied on the basis of one’s internet package. The CJEU deemed in its preliminary decision that to achieve this, the application of Article 3 (2) makes it so that these policies implemented by companies are subject to review by national authorities and courts to maintain net neutrality and lawful practice.


Data plan policies like these create unfair market advantages and also violate the rights of the end user. 


The unfair advantage of only certain apps being limited while others were considered ‘zero tariffs’ infringes on the open internet concept and skews the market share of internet applications towards the zero tariff applications. This affects the market significantly, as the repercussion of not using zero tariff applications results in higher expenditure on internet services or limited access to the internet. This is in clear violation of the rights of the ‘end user’ and the agreements and contracts constructed by the internet company would have to be restructured to be inclusive of all apps. 


Article 3 (3) states that the blocking or limiting of an app, may be somewhat viable if a technical or objective reasoning behind the limitation can be provided, on the basis that it is done fairly, however it was found that the choices made by the Telenor company were strictly on a commercial/financial basis making it a clear violation of Article 3 (3)


The purpose of net neutrality is to eliminate unnecessary advantages being given to or taken away from companies or end users. 


These preliminary hearings are to be finalized by the national courts of Hungary despite the clauses being defined in the European parliament. However the decisions are more than likely to be based on the recommendations in accordance with the 2015/2150 Regulations of parliament. Net neutrality seeks to make it so that there are no unnecessary advantages given to or taken away from companies or end users. To achieve this accordance the constant reexamining of companies such as the Telenor Telecommunications are built into the legislation to provide the framework for constant and regulated change, and proper balance within the EU member states between consumer protection and economic/commercial freedom.


“Whereas zero rating does not result in the technological discrimination of traffic while the user has their data allowance available, the Court of the EU correctly pointed out that such discrimination might be exactly what happens after the allowance has been used up,” comments Dr Bostjan Makarovic, Aphaia Managing Partner.


Are you worried about the impact this ruling might have on your telecommunications business? Aphaia provides regulatory policy advice to some of the world’s top telecommunications providers. Aphaia also offers both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.


AI Help Prevent COVID-19

Can AI Help Prevent COVID-19?

Can AI help prevent COVID-19? Can it be used to predict or detect outbreaks, and would this be ethical?

Can AI help prevent the spread of COVID-19? Recently, we released an article on the technological initiatives being put in place across Europe to help control the spread of the novel COVID-19. In our latest vlog series, we aim to explore any AI initiatives which may have been implemented globally in this regard, to what extent AI can help fight this global pandemic, and what the privacy implications of these would be in Europe. As the virus spreads globally, and cases have shown up in over 200 countries worldwide, even more initiatives are popping up around the globe to help combat this pandemic.

Last December, a Toronto based startup, through analyzing the data published on the local newspapers and the information available on the internet, identified a cluster of unusual pneumonia cases happening around a market in Wuhan. Thus, the AI based platform, BlueDot was able to identify what would commonly be known as COVID-19, nine days before the World Health Organisation released its statement informing people of the emergence of this virus, mere hours after health officials diagnosed the first cases of coronavirus. 

Currently, countries like South Korea, using apps which track location data, are able to constantly monitor infected and non infected persons, and their movements. AI can also be used to analyze the way in which the disease is being discussed on social media, to paint a more vivid picture of the impact of the virus. It is no secret that AI can help prevent COVID-19’s spread and flatten the curve, but what are the privacy implications of such measures being used in Europe? Do they fall in line with the GDPR? 

In our latest vlog, part 1 of a two part series on the use of AI in the fight against COVID-19, we explore how AI can prevent or predict the spread of this viral disease:

Be sure to subscribe to our content on YouTube,  to make sure that you catch Part 2.

Do you have questions about how to navigate data protection laws during this global coronavirus pandemic in your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including Data Protection Impact Assessments, AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

ICO Brexit data protection

The UK’s ICO Releases Statement on Data Protection and Brexit Implementation.

The ICO has released a statement on the implementation of Brexit and the implications on data protection.

On January 31, 2020, the UK officially left the European Union and entered a Brexit Transition Period, which runs through December 2020. Prior to that, on January 29th, the UK’s ICO released a statement on the implications of this Brexit implementation on data protection. The ICO iterates that they will continue to act as the lead supervisory authority for businesses and organizations that operate within the UK.

During this transition, the GDPR will steadily apply, and the ICO suggests that businesses that process customers’ personal data continue to follow their guidelines, and the protocol already in place. The GDPR will cease to apply at the end of this transitional period. However, the UK government intends to incorporate the provisions of the GDPR into UK data protection law beyond December 2020.

That said, businesses and organisations that offer goods or services to people in the EU are still expected to follow the EU’s version of the GDPR beyond the transitional period. However, for now, these companies and organizations will not need to appoint a European representative. GDPR transfer rules will apply to any data coming from the EEA into the UK. As a result, these companies  may need help deciding how to transfer personal data to the UK in line with the GDPR.

The ICO has also updated their Brexit FAQs to reflect any recent changes. They will continue to update their external guidance as they regularly monitor the situation.

Does this sound like too much to plan? We have prepared a summary of the ICO guidance below:

During the transition period (until the end of 2020).

After the transition period.

Will the GDPR continue to apply in the UK? Yes It will depend on negotiations. The default position is the same as for a no-deal Brexit. However, the GDPR will be brought into UK law as the ‘UK GDPR’
Is a EU Representative necessary? No Yes, If you are offering goods or services to or monitoring the behavior of individuals in the EEA.
What will the UK data protection law be? Data Protection Act 2018 (DPA 2018). The provisions of the GDPR will be incorporated directly into UK law from the end of the transition period, to sit alongside the DPA 2018.
What role will the ICO have? The ICO will remain the independent supervisory body regarding the UK’s data protection legislation. The ICO will remain the independent supervisory body regarding the UK’s data protection legislation.
Can we still transfer data to and from Europe? Yes From the end of the transition period, GDPR transfer rules will apply to any data coming from the EEA into the UK.



Does your company process customers’ personal information in the UK? If so, Brexit may affect the way you process personal data. Aphaia’s data protection impact assessments and Data Protection Officer outsourcing will assist you with ensuring compliance.

Japan GDPR adequacy

Japan GDPR adequacy to create the world’s largest area of safe data flows

With a successful conclusion to their talks on reciprocal adequacy, the EU and Japan have agreed to recognise each other’s data protection systems as ‘equivalent’, which will allow data to flow safely between the EU and Japan.

Each side will now launch its relevant internal procedures for the adoption of its adequacy finding. For the EU, this involves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States. Once this procedure will have been completed, the Commission will adopt the adequacy decision on Japan.

Věra Jourová, Commissioner for Justice, Consumers and Gender Equality: “Japan and EU are already strategic partners. Data is the fuel of global economy and this agreement will allow for data to travel safely between us to the benefit of both our citizens and our economies. At the same time we reaffirm our commitment to shared values concerning the protection of personal data. This is why I am fully confident that by working together, we can shape the global standards for data protection and show common leadership in this important area.”

This mutual adequacy arrangement will create the world’s largest area of safe transfers of data based on a high level of protection for personal data. Europeans will benefit from strong protection of their personal data in line with EU privacy standards when their data is transferred to Japan. This arrangement will also complement the EU-Japan Economic Partnership Agreement, European companies will benefit from uninhibited flow of data with this key commercial partner, as well as from privileged access to the 127 million Japanese consumers. With this agreement, the EU and Japan affirm that, in the digital era, promoting high privacy standards and facilitating international trade go hand in hand. Under the GDPR, an adequacy decision is the most straightforward way to ensure secure and stable data flows.

The key elements of the adequacy decisions

The agreement found on the 17 of July, foresees a mutual recognition of an equivalent level of data protection by the EU and Japan. Once adopted, this will cover personal data exchanged for commercial purposes, ensuring that in all exchanges a high level of data protection is applied.

To live up to European standards, Japan has committed to implementing the following additional safeguards to protect EU citizens’ personal data, before the Commission formally adopts its adequacy decision:

  • A set of rules providing individuals in the EU whose personal data are transferred to Japan, with additional safeguards that will bridge several differences between the two data protection systems. These additional safeguards will strengthen, for example, the protection of sensitive data, the conditions under which EU data can be further transferred from Japan to another third country, the exercise of individual rights to access and rectification. These rules will be binding on Japanese companies importing data from the EU and enforceable by the Japanese independent data protection authority (PPC) and courts.
  • A complaint-handling mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities. This new mechanism will be administered and supervised by the Japanese independent data protection authority.

Next steps

The Commission is planning on adopting the adequacy decision in autumn this year, following the usual procedure:

  • Approval of the draft adequacy decision by the College
  • Opinion from the European Data Protection Board (EDPB), followed by a comitology procedure
  • Update of the European Parliament Committee on Civil Liberties, Justice and Home Affairs
  • Adoption of the adequacy decision by the College

In parallel, Japan will finalise the adequacy finding on their side.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.