Data Protection News: December 2019

It’s the time for end of the year summaries

The end of December is usually a time for recollection, for looking back on the accomplishments and challenges of the year almost ending and setting the vision for the following trip around the Sun. So, we’ve compiled a small list of documents offering an overview of data protection themes in the past year, to help you immerse in this reflective mood. Enjoy!

📖 The Irish Data Protection Commission came out with a festive edition of GDPR myths – Does the GDPR really say that? The funny topics include the idea that GDPR bans kids from sending letters to Santa Claus or that Santa profiles naughty and nice children based on legitimate interest. On a more serious note, the DPC also approaches taking photos at school celebrations and buying gift vouchers (spoiler alert – yes, the GDPR applies and data minimisation should be considered).

📖 On a less cheerful note, however, data protection authorities as well as consumer groups are concerned about the problems of GDPR enforcement, as reported in this POLITICO article. Concerns include the bottleneck effect created by the one-stop-shop mechanism applied to cross-border data processing and the length of investigations and enforcement actions.

📖 Finally, if you have some time for a winter reading list, check out the Future of Privacy Forum compilation of these abstracts of the 2019 winners of the Privacy Paper for Policy Makers Awards, as well as the FPF list of titles for their Book Club.

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

We’re also engaging with the privacy professionals community through our LinkedIn company page, so please follow us if you want live updates on relevant privacy issues in Romania.

Guidelines & reports

✎ The Irish DPA issues Guidance on Legal Bases for Processing Personal Data.
✎ The Data Protection Authority of Baden-Wuerttemberg publishes template for agreements between joint data controllers (source in German).
✎ ENISA publishes new Best Practices and Techniques for Pseudonymisation.
✎ EDPB adopts a series of documents in its December plenary session, including draft Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1).
✎ EDPB validates proposed Standard Contractual Clauses by the Danish Supervisory Authority.
✎ German Supervisory Authorities propose changes to the GDPR, based on their experience so far.
✎ The Dutch DPA has issues Cookie Compliance Statement.
✎ CNIL: Whistleblowing and data protection (source in French).
✎ CNIL: Facial recognition: for a debate living up to the challenges.
✎ The Irish DPA express their view on the AG opinion on case C-311/18 CJEU, where standard contractual clauses were put to the test.
✎ Protecture: How to get the most out of your DPIA process.
✎ Finnish authorities publish updated cookie guidelines, in the aftermath of the Planet49 decision.
✎ Lichtenstein: Data Protection Office publishes view on impact of the Planet49 CJEU decision concerning the use of cookies (article in English).
✎ Hogan Lovells: Recent Developments on Cookies – a Pan-European Overview.
✎ Berlin Data Protection Authority expresses views on the issues of liability of a group of undertakings (article in English).
✎ The Dutch Accreditation Council (RvA) is working on the topic of accreditation of institutions that will issue GDPR Certifications (article in English).
✎ The EDPS issues guidelines on proportionality, to help policymakers in designing rules which have an impact on the fundamental right to privacy.

Case-law & legislation

⚖ The CJEU Advocate General rendered an Opinion in the Case C-311/18 CJEU, where standard contractual clauses (SCCs) were put to the test. Read also this TechCrunch article on the topic.
⚖ The CJEU rules on a case originating from Romania, on the topic of video surveillance systems installed by landlords’ associations (Case C‑708/18). Issues concerning the collection and use of footage from such CCTV systems has also been scrutinized in the recent Romanian DPA fine imposed on a landlord association for improper disclosure of images to unauthorised third parties.
⚖ Read about this German case-law development about the regulatory scrutiny over Facebook fan pages, on the Global Data Review website.
⚖ The Austrian DPA decided that it is excessive to ask for proof of identity in a case where a user requested the erasure of a profile which was created without any proof of real identity (article in English).
⚖ The Office of the Privacy Commissioner of Canada discusses the case of a videographer who posts client’s wedding video on social media without consent.
⚖ The European Commission adopted an implementing regulation for establishing a template for the contract summary that electronic communications services operators should provide to consumers in the EU.

GDPR enforcement actions

Germany: A hospital was fined for deficits in the patient privacy management framework.
⚡ Germany: The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) fined a telecommunications company with 9,550,000 Euros for lack of appropriate measures to authenticate data subjects (article in English).
⚡ Romania: A telecommunications company in Romania was fined for violating the principle of accuracy and for lack of technical and organisational measures to prevent the violation of confidentiality. The case refers to invoices which were mistakenly sent to another address.
⚡ Romania: Other data controllers in Romania were fined for failing to respond to the Data Protection Authority’s inquiries.

More data protection news

► Reuters: EU antitrust regulators say they are investigating Google’s data collection.
► Facebook gets sanctioned in Hungary for claiming that its services are free.
► Romania: two pharmacists used the personal data from a client’s ID copy for online gambling (article in Romanian).
► noyb.eu files complaints in France against website that implement fake cookie consent banners.
► Finland regulates the secondary use of health data.
► Egypt has a new data protection Draft Law (read this PwC paper: direct download link).
► The Hong Kong Monetary Authority as published a report on the use of AI in banking (direct download link).
► The Information Technology Federation of Japan certifies “information banks”.

Recommended articles

✎ ECHR Blog: López Ribalda and Others v. Spain – covert surveillance in the workplace: attenuating the protection of privacy for employees.
✎ Bloomberg: Tech’s new monopolies.
✎ Alexander Hanff: “None of our competitors are compliant.”​ is NOT a sensible GDPR strategy.
✎ Comparitech: 50 countries ranked by how they’re collecting biometric data and what they’re doing with it.
✎ The Guardian: Patient data from GP surgeries sold to US companies.
Cookie status – a new resources which informs users about the various tracking protection mechanisms implemented by the major browsers and browser engines.
✎ The New York Times: Twelve Million Phones, One Dataset, Zero Privacy.
✎ Reuters: Breakingviews – Margrethe Vestager will open tech’s walled garden.
✎ TLT Solicitors: 10 tips for responding to data subject access requests.
✎ MIT Technology Review: Why an internet that never forgets is especially bad for young people.
✎ DataGuidance: India: Comparing the 2018 and 2019 data protection bills.

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

Our newsletters are available for information purposes only and cannot be relied on as legal advice.

Comments are closed.