Data Protection News: November 2019

Back to the drawing board with the ePrivacy Regulation proposal

In a demoralising turn of events after a long period of negotiations, this November, COREPER did not support the Council’s position on a draft of the ePrivacy Regulation. In the following year, the legal text will have to be either withdrawn or redrafted – a significant setback to the initiative of harmonising EU roles on online tracking, unsolicited direct marketing and other important e-privacy topics.

Currently, the EU presents a mosaic of e-privacy rules, created by the different transpositions of the ePrivacy Directive. For instance, in 2019, authorities from the UK, France, Spain and Finland published guidance on the use of cookies and similar technologies. While official orientations are indeed welcome on this (still) controversial topic, the positions express significant differences in traditionally soft spots such as the use of analytics cookies and the acceptable means of obtaining user consent.

It is yet difficult to predict how long it will take before the EU reconciles the e-privacy legislative differences. In the meantime, we must wrestle with the present legal landscape and wait for further perspectives from the CJEU.

Read more on this topic on the Lexology, EDRi websites and this critical study prepared by Hogan Lovells.

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

We’re also engaging with the privacy professionals community through our LinkedIn company page, so please follow us if you want live updates on relevant privacy issues in Romania.

Guidelines & reports

✎ Documents adopted during the EDPB’s 15th plenary session: final guidelines on territorial scope (see here a redline), guidelines on data protection by design and by default and others.
✎ The Privacy Shield scheme has also been reviewed by the EDPB this November.
✎ EDPS and Spanish data protection authority publish essay on using the hash function as a technique for personal data pseudonymisation.
✎ German DPAs: Consent of the users should be the legal basis for using third party services for online tracking.
✎ EDPS publishes Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725.
✎ Italian DPA publishes FAQ on the topic of access to banking data.
✎ Spain published guidance on the use of cookies (English version available here).
✎ German DPAs are thinking about imposing privacy obligations on for producers of software and hardware (read here an article in English).
✎ The Spanish Data Protection Authority has just published its opinion on DNS security, data protection, and privacy as well as a guide on the protection of personal data of patients.
✎ Fundamental Rights Agency: Facial recognition technology: fundamental rights considerations in the context of law enforcement.
✎ Irish DPA issues General Portable Storage Device Recommendations and Guidance for Organisations on Phishing and Social Engineering Attacks.
✎ Finnish authorities publish updated cookie guidelines, in the aftermath of the Planet49 decision.
✎ The ICO provides updated guidance on the processing of special categories of personal data.
✎ Bavarian Data Protection Authority answers FAQ on connected vehicles (see here an article in English).
✎ Data Protection Authority of Brandenburg comments on the transfer of group employee data to a third country (see here an article in English).

Case-law & legislation

⚖ Dutch Court hears a case on the issues of an employer’s access to the e-mail account of the employee (read here an article in English).
⚖ UK Supreme Court to decide whether a supermarket can be held liable for the actins of an employee who misused personal data.
⚖ A Bill registered with the Romanian Senate aims at repealing the articles in the Romanian GDPR Application Law which regulate the processing of personal data for political purposes and the processing of special categories of data for performing tasks in the public interest.
⚖ The Romanian DPA published a draft Decision for amending and replacing an annex in its Investigations Procedure.

More EU data protection news

► Youtube updates its Terms of Service starting 10 December 2019 – the clauses governing the termination of the provision of services to users will include the situation when such provision is “no longer commercially viable”.
► Privacy professionals advise on Avoiding Conflicts of Interest in Selecting a Data Protection Officer.
► Eduardo Ustaran writes on Getting cookie consent right.
► The Council of the European Union has reached agreement on a draft directive on representative actions for the protection of the collective interests of consumers.
► Google announces more transparency regarding political ads and limits political ad microtargeting.
► The Romanian Electoral Bureau came under heat for allowing representatives of political parties to make copies of additional electoral lists in the Romanian Presidential Elections. The Bureau explained their decision in this press release (RO).
► Read here this noyb article on Facebookțs reliance on contract as a legal basis for data processing.

GDPR enforcement actions

Poland: City municipality fined for failure to conclude a data processing agreement with its processors. Company fined for obstructing withdrawal of consent by data subjects.
⚡ Germany: Berlin Commissioner for Data Protection and Freedom of Information issued a fine of around 14.5 million Euros against Deutsche Wohnen SE for violations of the General Data Protection Regulation.
⚡ Romania: The Romanian DPA sanctioned Fan Courier Express SRL with 11,000 EUR for not implementing technical and organizational security measures in order prevent data breach.
⚡ Romania: Royal President S.R.L. has been fined with a 2,500 EUR by the Romanian DPA for not respecting the provisions of art. 5 paragraph (1) letter f) GDPR, art. 12 paragraph (3) and paragraph (5) GDPR, art. 15 GDPR and art. 32 GDPR. At the same time, the data controller has been obliged to implement a data breach procedure within its organization.
⚡ France: Futura Internationale has been fined with 500,000 EUR by the France DPA (CNIL) for lack of compliance with the minimization principle and certain data subject rights (to be informed, to object) and, also, for not signing agreements for international data transfer.
⚡ The EDPS investigates European Parliament’s 2019 election activities.
⚡ Denmark: Automatic denial of access request is prohibited.

GDPR enforcement actions

✎ The New York Times: The Real Reason Facebook Won’t Fact-Check Political Ads
✎ TechRepublic: Google moves closer to letting Chrome web apps edit your files despite warning it could be ‘abused in terrible ways’
✎ Ian Gauci: Transparency, auditability and accountability in software
✎ Justin Banda on IAPP: Inherently identifiable: Is it possible to anonymize health and genetic data?
✎ The Guardian: I’m the Google whistleblower. The medical data of millions of Americans is at risk
✎ Dr. Carlo Pilz: GDPR accountability: German DPA on the retention of consent documentation
✎ Mashable: Facebook quietly discloses another serious privacy breach
✎ The Guardian: These new rules were meant to protect our privacy. They don’t work
✎ Fieldfisher: Does the EDPB answer frequently asked questions on territorial scope? (Update)
✎ Charlotte Ducuing: On the Edge of the NIS Directive: The Proposed C-ITS Delegated Regulation, Friend or Foe?
✎ Dr. Carlo Pilz: The term “without undue delay” in context of the GDPR – 1 day, 1 week, 1 month?

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

Our newsletters are available for information purposes only and cannot be relied on as legal advice.

Comments are closed.