June 2019
A round-up of the most important developments in the EU Data Protection world
Enforcement
- The Italian DPA levied a 2.000.000€ (IT) fine against a telemarketing company and its call-center operations, which were run by a de facto “sub-contractor” in Albania, for creating contact lists, calling people and sharing their telephone numbers with a third party (the company’s client) without consent. There was no formal arrangement in place between the telemarketing company, the Albanian entity and the third-party client. The fine was levied under the law in force prior to the GDPR, read together with the Italian Law on Administrative Fines. According to the press release, the sanction was calculated by summing up each violation for each individual concerned, and it takes into account “the seriousness of the company’s conduct, its lack of interest in data protection legislation and the serious implications of acquiring new clients based on informal arrangements and unilateral simplification of the legal obligations”.
- The Spanish DPA issued its first major fine (ES) under the GDPR, against the Professional Soccer League. The DPA sanctioned the League because its mobile app was not considered transparent enough about accessing the microphone during football matches and combining the audio with location data in order to identify bars that streamed matches without paying for a license. The DPA found that users were not given enough information about this practice and that they had no way to withdraw the consent they had given. The fine amounts to approximately 000$ and the League plans to challenge it in Court.
- The Danish DPA sanctioned (DK) a furniture design company with approximately 000$ for keeping the personal data of 385.000 customers indefinitely. The personal data at issue were names, addresses, phone numbers and purchase history of customers. The company did not “address when personal data in its old IT systems is no longer required for the purposes for which they were processed, and thus has not defined which deadlines should apply for the deletion of personal data processed by the system”.
- The Lithuanian DPA sanctioned a payment service, Mistertango, for not complying with the principles of data minimization, storage limitation, data security and accountability. For example, in addition to the personal data necessary for the transaction, the company also collected information about the customer’s loans, pension funds, credit cards etc. The fine amounts to approximately 70.000$.
Courts
- The Court of Justice of the EU confirmed in Google v Germany that web-based e-mail services like Gmail do not fall under the definition of “electronic communications service” in the Framework Directive 2002/21/EC as amended by Directive 2009/140/EC. Since the ePrivacy Directive relies on the definitions of Directive 2002/21/EC, this finding means that Gmail and similar Over-The-Top (OTT) services are excluded from the scope of the current ePrivacy Directive. However, as the European Commission pointed out recently in an answer submitted to the European Parliament, the definition of electronic communications services was expanded to cover OTTs by the European Electronic Communications Code, which was adopted last year, will repeal Directive 2002/21/EC, and will become applicable on December 21, 2020.
- The Spanish Constitutional Court found that one of the articles from the GDPR implementation law was unconstitutional. The article modified the Electoral Code of Spain to exempt political parties from the strict conditions imposed under Article 9 GDPR on processing personal data related to political opinions, including profiling individuals and targeting them online based on political preferences. The Court considered this exception is not in line with the right to personal data protection as detailed by the GDPR and, thus, is breaching the Article in the Spanish Constitution that protects the right to personal data protection. See full text of the judgment (ES).
- In a judgment (DE) on procedural matters and jurisdiction in the dispute between noyb and Facebook, the Austrian Supreme Court confirmed that data subjects in Austria have a general private right of action to sanction breaches of the GDPR, regardless of whether damages are claimed. The Court rejected the argument that the Irish Data Protection Commission is the only authority competent to sanction breaches of the law by Facebook (as a controller with its main establishment in Ireland) and that the private right of action can be exercised in Austrian courts only to the extent that damages are claimed (see here an article in English). With the jurisdictional questions settled by the court of last instance, the lawsuit alleging GDPR breaches will now move forward in Austria.
- A Court in the Netherlands awarded 500€ in damages (NL) to an individual whose personal data was shared by a local authority with other authorities as “best practice” for FOIA-type requests. The Court relied on Article 82 GDPR and the liability provision for moral damages in the Dutch Civil Code, finding that the individual’s personality rights had been infringed “as a consequence of the loss of control of his personal data… by making his data available without justification”. See two comments on this case by Dutch privacy professionals Paul Breitbarth and Jeroen Terstegge.
- A judge in the UK found in Dawson-Damer v Taylor Wessing that a law firm’s paper files held in chronological order are a relevant “filing system” within the scope of data protection law if they are: (1) structured by reference to specific criteria; (2) related to individual data subjects; and (3) the specific criteria enable the data to be easily retrieved. The judgment also clarifies that, in the case of an access request, searching a backup system would be disproportionate and would run the risk of disclosing confidential data about the law firm’s clients or employees. Searching the personal spaces of ex-employees would likewise be disproportionate, whereas searching those of current employees would not.
- Advocate General Szpunar advised the Court of Justice of the EU (press release) to interpret the e-commerce Directive as not precluding national courts from ordering a platform like Facebook to seek out and identify all comments identical to a defamatory comment that has been found to be illegal, as well as equivalent comments in so far as the latter originate from the same user. The AG also held that the e-commerce Directive does not regulate the territorial scope of such orders or whether they can be issued worldwide; the scope of the order is thus a matter for Austrian civil law to determine. The case concerns a member of the Austrian Green Party and her request to remove from Facebook a defamatory post featuring her image (see an article about the case here).
Guidelines
- The EDPB published the final version of the following guidelines:
- The ICO updated its guidance on controllers and processors with a checklist that is meant to help organizations identify their role.
- The Spanish DPA published technical recommendations for anonymizing personal data. The objective of the guidance is to show the limits of the effectiveness of anonymization techniques, the point at which information is truly anonymized, and how the re-identification risk can be managed (Press Release and Report, both ES).
- The Irish DPC published guidance on the use of CCTV by data controllers.
- The Spanish DPA published a guide on data protection and the use of drones.
- The European Commission published guidance on the meaning of “non-personal data” in order to clarify how the GDPR and the new Regulation on the Free Flow of Non-Personal Data interact. The Commission states that any data which does not fall under the GDPR definition of “personal data” is “non-personal data”. Such data can be categorized by its source: (1) data which never related to an identified or identifiable individual, such as data on weather conditions generated by sensors on wind turbines, and (2) data that was originally personal data but has since been anonymized to the point that it “cannot be attributed to a specific person”. For example, non-personal data can be “data which are aggregated to the extent that individual events, such as a person’s individual trips abroad or travel patterns which could constitute personal data are no longer identifiable”.
EU elections
- At the end of May, Europeans were called to vote for the new European Parliament. Here is an in-depth analysis of the results. The new EP will be tasked with appointing the new Commission, while the European Council and the Council of Ministers will remain unchanged, since they bring together the governments of the Member States. Things to watch in the near future that are relevant for digital/tech policy and data protection: who will become President of the European Commission (Margrethe Vestager is among the candidates being considered), who will take over the Justice portfolio from Vera Jourova, and who will take over the Competition portfolio from Vestager.
- Patrick Breyer won a seat in the new European Parliament, representing the German Pirate Party. If the name sounds familiar, that is because he is the plaintiff behind the authoritative judgment of the CJEU in Breyer, which interprets the definition of personal data as covering dynamic IP addresses whenever the law does not prohibit matching data sets with the help of the ISPs to identify the holder of the IP address.
- The Rapporteur of the ePrivacy Regulation, Birgit Sippel, won a new seat in the European Parliament, which means she will likely keep the file and represent the Parliament’s position in the trilogue negotiations.
AI/Machine Learning
- The EU Fundamental Rights Agency published a focus paper on “Data quality and Artificial Intelligence – mitigating bias and error to protect fundamental rights”. The Future of Privacy Forum’s work on Artificial Intelligence is featured among the resources relied upon for the paper.
- The ICO and the Alan Turing Institute in the UK published their interim report on the explainability of AI, called “Project explain”. Their research showed that context is key to how much people want explanations of automated decisions. Participants in the “citizen juries” felt that explaining an AI decision to the affected individual was more important in areas such as recruitment and criminal justice than in healthcare. On the other hand, industry round-table participants generally felt confident they could technically explain the decisions made by AI. Among the challenges they raised for explainability: cost, commercial sensitivities such as infringing IP, and the potential for “gaming” or abuse of systems.
Research
- Computer scientists from the UK published a research paper on Data Protection and Tech Start-ups, based on interviews with UK-based emerging tech start-ups as the GDPR came into effect. Their research reveals areas “in which there is a disconnect between the approaches of the startups and the nature and requirements of the GDPR”.
- Researchers started to challenge the viability of a principled approach to AI Ethics, similar to the one that governs developments in medicine. Brent Mittelstadt from the Oxford Internet Institute published a paper – AI Ethics: Too Principled to Fail?– arguing that “compared to medicine, AI development lacks (1) common aims and fiduciary duties, (2) professional history and norms, (3) proven methods to translate principles into practice, and (4) robust legal and professional accountability mechanisms. These differences suggest we should not yet celebrate consensus around high-level principles that hide deep political and normative disagreement.”
- Tilburg Institute for Law and Technology launched Technology and Regulation, an open access interdisciplinary journal (law, technology and society).
Public Consultation
- The Belgian DPA started a public consultation (FR) on direct marketing. Answers can be submitted until July 31.
Legislation
- The new EU Cybersecurity Act was published in the Official Journal at the beginning of June and will enter into force on June 27. The Act aims to strengthen the cyber security features of everyday products and services and to boost cyber resilience in the EU. It sets out a framework through which ICT products, services and processes may be granted EU-wide certification. It also makes the mandate of ENISA, the EU Network and Information Security Agency, permanent and strengthens it.
GDPR 1 year on
- Access Now published a comprehensive Report about the implementation of the GDPR in the 28 EU Member States, focusing on derogations for the data subjects’ rights. The report shows that “a large number of Member States have interpreted the derogations, exceptions, and restrictions available under the GDPR differently, which may lead to fragmentation in the level of protection for data subjects across the EU”. See the full report here.
- The European Commission published a Eurobarometer survey measuring Europeans’ perception of the GDPR one year after it became applicable. According to the survey, 73% of Europeans have heard of at least one of the six rights guaranteed by the GDPR. The highest level of awareness was recorded for the right to access one’s own data (65%). Some results are quite surprising: half of the respondents said they have heard about the right to move their data from one service provider to another (portability), and 41% have heard about the right to have a say when decisions are automated.